Back to Top

Sunday, January 28, 2007

Mixed links and commentary

A very nice T-Shirt. I especially like the Comments (0) part ;-)

There has been some controversy over a recently released service which claims to tell you if your credicard number of social-security number has been compromised. While I understand (and agree with) all the arguments brought against it, I would like to point out that the risk of exposing the data can be reduced by storing its (salted) hash and not storing any relation between them (like this CC# and SS# belong to the same person) even if this was available in the source. I find it curious that nowhere in their FAQ is this mentioned, which leads me to believe that they are not using it, in which case panic, panic, panic since your security companies are dumb! (A side not: hashing, even with salt, is not the ultimate solutions since if somebody breaks into their site they will probably have access to the salt(s) and the key space is small - 9 digits for SS# and 15-19 digits for CC# - so that a brute-force attack is feasible). This is a dumb idea.

On episode 211 of .NET Rocks they interviewed Raymond Chen, a very smart programmer / blogger (and now book author) from Microsoft. Worth listening to!

Via Limite Exposure: a long list of online network tools. I didn't had time to look at them all, but I very much liked the homepage of Team Cymru with many useful tools and explanations of the lesser known aspects of networking, the robtex swiss army knife which includes a linkable GIF (yes GIF, not Javascript or Flash!) that displays information about the user (you can see an example below) and, which lists different sites offering online traceroute services by country. PeeringDB is also very interesting, but it seems that IPSs (event the big players) from Romania are not well covered (most probably because this is a system which builds upon individuals contributing and not automatic datamining). And last but not least: Vendor/Ethernet MAC Address Lookup and Search.


Being a keyboard junky myself, this seems a very interesting product!

Java is (currently) the ultimate cross-platform application platform, but also the ultimate cross-platform exploitation engine. So follow SANS's advice and make sure that you update / remove the old version. On a related note: Microsoft came out with something called WPF/E (Windows Presentation Foundation/Everywhere) which is something similar to Flash. What is very interesting is that the download is small (much like the Flash player), no managed code (ergo no need for a 22MB .NET framework) and support for alternative platforms (both in browsers - ie. Firefox - and platforms - they currently support Mac OSX but plans to support Linux are already announced). What is exciting about it is that they included the WMV / WMA decoder in it, so there is an other largely available technology to distribute multimedia content on the web! (Listen to the Hanselminutes show covering it)

A russian researcher (I put the work in quotes because he is more of a teen whose biggest wish is to brag) claims to created an undetectable rootkit called Unreal. My thoughts are:

  • EP_X0FF and the likes should get a first life. Somebody who is incapable of logical reasoning, who calls killing an utility bypassing it and tries to chat with anybody he believes to be a girl is not somebody who should be taken seriously (and neither should their product).
  • It is surprisingly how little attention the practice of running as limited user (as opposed to Administrator) gets both from security companies who don't even mention it in their list of steps you can take to be more safe and from Microsoft itself. It is even more surprising if you think about the fact that running as limited user eliminates the possibility of getting infected by (kernel) rootkits and makes your security products immune to tampering from malware, so that they don't have to use dirty and risky hacks to achieve this. Not yet convinced? Think about this: you get all this security for free (if you purchased Windows :-D), most programs have no or very little problem running under limited accounts and Microsoft has now a free program which can be used to quickly diagnose problems with ill-behaved programs.
  • There is of course the whole issue of ethical conflict, an other reason to ignore EP_XOFF and the likes.
  • There will never be a generic detection for rootkits, because any detection will have to run in the same security domain as the rootkit (we suppose that the tool is used after the fact). Much like the good old DOS days and the advice is the same: boot from a clean media (floppy in the old days, CD-ROM today) and do a scan from there. The big difference is however that we have the technological possibility to confine the malware: it is called protected mode. All you have to do is to run an operating system capable of using it (which is true for all the current ones, including Windows, Linux, the BSD variants, Mac OSX, etc) and configure it properly so that you don't use the Administrator / root account!

In conclusion, my plea to the security companies is: if you are serious about user education, start educating them about running as non-privileged users!


  1. Anonymous2:13 PM

    blabla blabla nothing constructive , code something like rku then you can talk about something you dont know

  2. Anonymous6:15 PM

    Im from the sysinternals forum, im with you, and there is no need to be a "wiz coder", to have logical reasoning!!!, check your post and with that you will see my reply.