Thursday

Phrack magazine is still alive. Issue #66 released



Read issue 66 on phrack.org. Download as tar.gz

Topics:

  • Introduction
  • Phrack Prophile on The PaX Team
  • Phrack World News
  • Abusing the Objective C runtime
  • Backdooring Juniper Firewalls
  • Exploiting DLmalloc frees in 2009
  • Persistent BIOS infection
  • Exploiting UMA : FreeBSD kernel heap exploits
  • Exploiting TCP Persist Timer
  • Malloc Des-Maleficarum
  • A Real SMM Rootkit
  • Alphanumeric RISC ARM Shellcode
  • Power cell buffer overflow
  • Binary Mangling with Radare
  • Linux Kernel Heap Tampering Detection
  • Developing MacOs X Rootkits
  • How close are they of hacking your brain

NAT is not a security feature. RSNAKE releases RFC1918 paper



I have seen a lot of people telling others that a NAT gateway acts as a kind of passive firewall and helps a little with (home) security, since your ports are not directly reachable from the internet.

Now it seems that with certain browsers, and with the current architecture of most RFC1918 networks, there is a high tendency for (bad) things to happen, like IP collisions. This also applies to VPN networks. This has severe implications from a security point of view. Have a look at this research published by Robert Hansen (aka RSnake).

The paper describes the limitations of the attacks and the specific conditions that would make them possible. It is prudent to review the paper and see whether this applies to you.

(Photo under creative commons from andy castro's photostream)

Patch apocalypse: Patch Tuesday for Microsoft, Adobe, Safari and a 0-day. Oh my.



It's not a week to be happy about, both for end users and sysadmins. So many patches were released that it even prompted Symantec to raise its threat level.

Adobe decided to also start their own version of Patch Tuesday, and they actually did: Adobe patches 13 critical Reader, Acrobat vulnerabilities (ZDNet). Also check the monthly Microsoft Tuesday coverage for June (Sourcefire). Microsoft hardly released any updates last month and it seems they wanted to make up for it this month. But they didn't release a patch for the 0-day in DirectShow (Threatpost), so you might want to look at the workaround.

It's not only Microsoft's woes: there was a Safari monster update (apple.com) as well. You have to upgrade to version 4 to get rid of 50 security flaws. 50? Really?

Last but not least, WordPress released version 2.8 and Ubuntu launched several patches yesterday, so install the updates.

Corporate users are advised to set up a decent patch and vulnerability management system. Have a look at the excellent NIST SP800-40v2 document. Don't just wait till the barbarians (auditors) are at the gate.

Home users running Windows: run Secunia OSI on a regular basis! It's really hard to track all those patches individually. How many non-IT people are subscribed to mailing lists?

I'm wondering in which way all those SDLC and application development best practices are paying off. I guess that complexity really is the direct opposite of security. New features, anyone? Time to revert back to lynx! But it makes us wonder how linking or moving all those applications to cloud services in the future might lead to a general meltdown of the internet.

Just look at the exploited 0-day bug in HyperVM from LXLabs that led to the deletion of 100,000 websites (source: ukfast.co.uk).


(Photo under creative commons from blueforce4116's photostream)

Monday

Malware: the iPhone 3.0 firmware jailbreak. Be warned.



With just moments to go before Apple's next Worldwide Developers Conference, blackhats are using the occasion to launch a malware campaign.

A lot of iPhone users are familiar with quickpwn and yellowsn0w, two tools used to jailbreak / SIM-unlock the iPhone. With the imminent release of the iPhone 3.0 firmware, users will be looking for an update of these tools. So be warned that there is a blog claiming to have a yellowsn0w version for 3.0, but it includes malware! AV detection is very poor. Have a look at this malwaredatabase.net article for details.

The iPhone dev team is the original author of this tool and their blog is at http://blog.iphone-dev.org/. On their website they are warning about other websites that rank higher in Google search results than their own. Those sites only make money from Google hits and are not affiliated with the team at all. So be careful where you download your tools from; other websites might pop up with more evil intents. For the record, the team hasn't released any tools for the 3.0 version yet.


(Photo under creative commons from patrick h. lauke's photostream)

After 2 years, the German hacker-tool law has proved useless



Two years ago, Germany passed a law that criminalized the making and distribution of security tools. Although it was an attempt to implement part of the COE treaty into German law, it completely missed its intended purpose and hurt legitimate security research.

Looking back, no one has been prosecuted under this law; it only scared whitehat hackers and companies into moving (their tools) outside of Germany.

Read the following article from theregister.co.uk, which has some good details on it.

Abstract: While we can empathize with the desire to keep hacker tools out of the hands of script kiddies who intend harm, and keep black hat hackers from developing and distributing ever more sophisticated hacker tools and zero day attacks, the problem remains that these same tools can be and are used for good purposes by good people. While the statute attempts to focus on bad people with bad intent, it lacks the precision to do so.
(Photo under creative commons from Chris Daniel's photostream)

Sunday

Why I stopped blogging



Well, actually I didn't stop blogging. But in these last 2 months I didn't find enough time for it. Although my blog is like a child to me, I had to de-prioritize it for a while. Why is my blog that important to me? Web 2.0 brought me into contact with some very interesting people and it's an adventure! I like being part of these communities and sharing experiences and information.

But on the other hand, I wanted to start a hacker and security conference in Belgium. And with some other people, we kickstarted BruCON. As it's our first edition, most people don't know us (yet).
We are not aiming to be a big commercial event but a community-driven one, where people can come and share ideas and information and join projects. But somehow we need a venue, and the only way to get some interesting speakers is to cover some of their travel costs. So even as a non-profit organization, we need to generate some income. If I were rich and had the money, I would let everyone in for free. You would be surprised at the cost of a decent venue.

Searching for a venue, gathering speakers, coordinating things... it all seems like trivial tasks, but it took a lot of my time. It's not my (day) job to do this and I will never be compensated for it. But I felt that we needed a platform in Belgium where certain things can be discussed.

So amongst other things, I had to sacrifice my time to blog. Currently, things are getting back on track for BruCON and some volunteers have shown up, for which I'm very grateful. So I hope to pick up blogging again. I hope I haven't lost too many readers.

So welcome back! And have a look at BruCON since it seems like it's going to be an awesome event!

(Photo under creative commons from ktpupp's photostream)