Security Zine
Information Security and Technology Rants and Raves
Friday, July 6, 2012
DNSChanger
Most everyone has heard that the FBI is finally shutting down, on July 9 2012, the substitute DNS servers that still answer queries for some 360k DNSChanger-infected clients on the internet. Most of the buzz surrounding the shutdown appears to be FUD. Every one of these clients was infected by at least one Trojan and has never been cleaned since. What other patches are missing on these hosts, what other vulnerabilities, outdated virus definitions, or complete lack of antivirus? What other malware are they possibly infected with, and what botnets are they part of? Their owners have had plenty of time for cleanup, patching, configuration, updating antivirus, and even replacement of rotting hardware.
If the owners of these systems cannot provide the least bit of due diligence on these hosts, then good riddance to all of them.
Wednesday, June 13, 2012
Windows Network Location Awareness Services
Sniffing some traffic shows DNS queries for dns.msftncsi.com and HTTP requests pulling a file called ncsi.txt from www.msftncsi.com.
This is the Network Connectivity Status Indicator (NCSI) active probe, on by default in Windows Vista, Server 2008 and everything since, Windows 7 included.
The probe has two parts. The DNS probe resolves dns.msftncsi.com and expects the answer to be exactly 131.107.255.255. The web probe then pulls http://www.msftncsi.com/ncsi.txt and expects the body to be exactly "Microsoft NCSI".
All for a network status icon. If both probes succeed, the icon shows internet access. If the DNS answer is right but the HTTP probe returns something else (a redirect to a login page, for example), Windows assumes something sits between the client and the internet, such as a web cafe captive portal, and shows limited connectivity. If neither succeeds, it reports no internet access.
This little amount of traffic adds up in a corporate environment with thousands of clients sending it through a firewall, and it also means every client periodically hands its public IP address to Microsoft's web server.
In a small environment the same mechanism can be pointed at your own web server, which gives you a log of your clients' IP addresses, including laptops that have gone missing.
A possible threat is ARP poisoning on the local segment and serving an ncsi.txt much larger than expected, in the hope of a buffer overflow and maybe remote code execution. That is purely theoretical for now; nothing observed here shows the client mishandling an oversized response. Also unknown is what Microsoft does with the IIS logs collected from millions of Windows systems. Here is what to change if you want to redirect the probe on your home computers, or push the same values out by Group Policy in your production environment:
All five values live in the same key and are all REG_SZ:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet
ActiveDnsProbeHost - the host name the DNS probe resolves (default dns.msftncsi.com); use a name in a zone you control.
ActiveDnsProbeContent - the IP address that name must resolve to (default 131.107.255.255); only the DNS answer is compared, nothing is sent to this address, so it does not have to be reachable.
ActiveWebProbeHost - the FQDN of your web server (default www.msftncsi.com).
ActiveWebProbePath - the path of the text file to pull, relative to the web root (default ncsi.txt).
ActiveWebProbeContent - the exact contents the file must return (default Microsoft NCSI).
Then create the (text file) at the root of your web server containing exactly the ActiveWebProbeContent string, and make sure your DNS returns the ActiveDnsProbeContent address for ActiveDnsProbeHost.
Both probes are plain DNS and plain HTTP, so anything on the path can answer them. That is what makes captive portal detection work, and it is also why the result should not be trusted for anything beyond the tray icon. If you would rather switch the probe off entirely, set EnableActiveProbing (REG_DWORD) to 0 in the same key, or use the Group Policy setting "Turn off Windows Network Connectivity Status Indicator active tests"; the icon will then no longer be able to distinguish internet access from local-only connectivity.
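The following PowerShell script is an added example, not part of the original post, showing how to push the five values above onto a machine and then verify them the same way the client does: resolve the DNS probe host, compare the answer, fetch the web probe file over plain HTTP and compare the body. The host names, IP address and file content (ncsi.example.internal, 10.0.0.250, www.example.internal, ncsi.txt, "Example NCSI") are assumptions for illustration; substitute your own.

```powershell
# Added example: redirect the NCSI active probe to your own DNS and web
# server, then check it as the client would. All host names, the IP address
# and the expected content are assumptions for illustration.
# Run from an elevated prompt; the key lives under HKLM.

$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet'

# Assumed internal values; each must match what your DNS and web server return.
$Settings = @{
    ActiveDnsProbeHost    = 'ncsi.example.internal'   # name the DNS probe resolves
    ActiveDnsProbeContent = '10.0.0.250'              # address that name must return
    ActiveWebProbeHost    = 'www.example.internal'    # web server answering the HTTP probe
    ActiveWebProbePath    = 'ncsi.txt'                # file pulled from the web root
    ActiveWebProbeContent = 'Example NCSI'            # exact body the file must contain
}

function Set-NcsiProbe {
    param([hashtable]$Values = $Settings)
    foreach ($name in $Values.Keys) {
        # All five are REG_SZ; -Type String creates the value if it is missing.
        Set-ItemProperty -Path $NcsiKey -Name $name -Value $Values[$name] -Type String
    }
    # NLA reads the values at service start, so restart it (dependents too).
    Restart-Service -Name NlaSvc -Force
}

function Test-NcsiProbe {
    # Read the live values back and perform the two checks the client performs.
    $v = Get-ItemProperty -Path $NcsiKey
    $result = @{ Dns = $false; Web = $false }

    # DNS probe: the host must resolve to exactly the configured address.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($v.ActiveDnsProbeHost) |
                 ForEach-Object { $_.IPAddressToString }
        $result.Dns = ($addrs -contains $v.ActiveDnsProbeContent)
    } catch { $result.Dns = $false }

    # Web probe: plain HTTP GET; the body must match exactly. A captive portal
    # that answers with a login page fails this check, which is how NCSI
    # notices it.
    try {
        $url = 'http://{0}/{1}' -f $v.ActiveWebProbeHost, $v.ActiveWebProbePath
        $body = (New-Object System.Net.WebClient).DownloadString($url)
        $result.Web = ($body -eq $v.ActiveWebProbeContent)
    } catch { $result.Web = $false }

    return $result
}

Set-NcsiProbe
Test-NcsiProbe
```

Restarting NlaSvc makes Windows re-evaluate the firewall profile for every interface, so do it in a maintenance window or simply let the next reboot pick the values up. For a fleet, the same five REG_SZ values can be delivered as a Group Policy Preferences registry item instead of running the script on each host; Test-NcsiProbe still works for spot checks afterwards.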
Friday, January 27, 2012
Sprint
The issue remains with the preinstalled applications, which cannot be removed, and with those applications sharing your cell phone number with a third party.
Also, the latest upgrade, which finally removes CarrierIQ, considerably upgrades the HTC loggers, which previously had an information disclosure issue that was patched earlier: http://goo.gl/Y3gsO
Below are the findings from the two versions, comparing CarrierIQ, the HTC loggers, and the preinstalled applications that cannot be removed:
Carrier: Sprint
Phone: HTC EVO
OS: Android 2.3.3
Carrier IQ:
/system/bin/iqfd
/system/bin/iqd
/system/app/IQRD.apk
/system/app/IQRD.odex
/system/app/HtcIQAgent.apk
/system/app/HtcIQAgent.odex
/system/etc/iqprofile.pro
/system/lib/libciq_htc.so
/system/lib/libhtciqagent.so
HTC logger:
/system/bin/htc_ebdlogd
Preinstalled applications (identifiers their permissions expose):
Amazon MP3: unique device ID, cell tower name
Block Buster: unique device ID
Kindle: unique device ID, unique SIM ID, unique IMSI, cell number
Nascar: unique device ID, cell number
Nova (Gameloft game): unique device ID, cell number
QIK video: unique device ID, cell number, current location
Sprint football live: unique device ID, cell number
Sprint TV: unique device ID, unique IMSI, cell number
TeleNav GPS: unique device ID, unique SIM ID, current location, cell number
OS: Android 2.3.5
Carrier IQ:
Removed :)
HTC logger(s): Updated!
/system/bin/htc_ebdlogd
/system/app/QXDM2SD.apk
/system/app/QXDM2SD.odex
/system/lib/libhtcqxdm2sd.so
Preinstalled applications (identifiers their permissions expose; unchanged from 2.3.3):
Amazon MP3: unique device ID, cell tower name
Block Buster: unique device ID
Kindle: unique device ID, unique SIM ID, unique IMSI, cell number
Nascar: unique device ID, cell number
Nova (Gameloft game): unique device ID, cell number
QIK video: unique device ID, cell number, current location
Sprint football live: unique device ID, cell number
Sprint TV: unique device ID, unique IMSI, cell number
TeleNav GPS: unique device ID, unique SIM ID, current location, cell number
Wednesday, January 19, 2011
Everything Is Not All White
Wednesday, December 1, 2010
WikiLeaks: What Went Wrong..
Data classification: Private Bradley had, and everyone else for that matter has, more access than they needed to do their jobs.
Lack of auditing: When Private Bradley was downloading thousands of documents at a time, no alerts were raised.
Modernize technical controls:
No endpoint protection: USB thumb drives are disallowed by policy, not by technical controls.
SIPRNet systems have rewriteable media.
Modernize laws:
Private Bradley can be put away for espionage for a very long time. His self-image of heroism is a complete fraud. Data does NOT want to be free. Trade secrets, intellectual property, state secrets, health care data, and even grades are protected for many important reasons.
Julian Assange is not a US citizen and cannot be subjected to the same fate. He also cannot be given constitutional rights to freedom of speech, for the same reason. So now he is in an awkward place, and the constitution also forbids any black ops to take him out, as other countries would have done already.
The laws have to be modernized to defend against attacks from the likes of Assange with something stronger than the World War I-era statutes now on the books.
The content of the documents also has to be protected by law. If this data were instead
Justin Bieber's latest release, the Hurt Locker movie, Microsoft source code, or anything bearing the likeness of Gene Simmons, there would have been an army of lawyers attacking. Which really sheds light on who actually writes the laws in the U.S.
Follow Up:
http://www.schneier.com/blog/archives/2010/12/wikileaks_1.html