Weekly security week wrapup 23 and 24

It’s been two weeks since the weekly security wrapup, which makes ‘weekly’ a rather week term. Lots of excuses I could utter, but they’re all saying: “been busy”, which is another way of saying “I decided that other things were more important to do”. However, here we go again.

Cheap GPUs are breaking passwords faster

Obviously, they’re good at doing stupid things fast(er), and cracking passwords is about the stupidest task possible for a computer. However, for some of the strong stuff out there, like TrueCrypt, it does not really matter. TrueCrypt, for instance, has a rather slow initialization routine, which takes about 10ms on an average processor, which means you can check 100 passwords/sec. If a CUDA implementation were to increase that 1 million times (10^6), you can check 10^8 passwords per second. But if you have a 10 char password (upper/lower/digits), there are roughly 10^17 possibilities. Checking 10^8 passes/s means it takes 10^17/10^8/2 ~= 10^8 seconds. Which is another way of saying 76 years. That’s longer than the average time it takes for a disk to disintegrate by itself, last time I checked. Still, using CUDA to speed things up is quite cool.


Mac Reversing: Starter’s guide

I’ve found this article on (OSX) malware analysis for beginners. It talks you through the beginning of using IDA Pro and how to start analysing a sample with it. It’s excellent, but you need to keep paying attention, or you lose track quite easily.


Electric car trouble

And we’re not talking about the trouble you have driving your new electric Nissan Leaf and looking for a place to have lunch, dinner and a nap before your car is charged up. No, we’re talking about the RSS reader in the car’s built-in firmware telling all servers your current location, speed and whether you have the aircon on. That’s not funny.



Weekly security week wrapup 22

Intercepting skype

Intercepting Skype in transit is quite complicated. The ‘oracle’ needed to decode the signalling traffic is quite well known and understood, resulting in legible signalling information. The primitives used in the user-to-user voice traffic are also well known, but this knowledge does not gain you any understanding of the contained traffic. Knowing you’re looking at AES and RSA doesn’t make it any more fun to start cracking.

This week we also heard some news that a Russian reverse engineer, Efim Bushmanov, has been able to reverse engineer Skype to the point where it should become possible to write your own (open source perhaps) Skype client. Skype (being acquired by Microsoft, conspiracy theorists unite, but that’s a different topic) does not like this one bit and brought in the big lawyers to tell Efim that he was violating the EULA.

But there are other ways to gain access to the traffic: intercept at the end-point, where the traffic has been decrypted for you. This article in the Wall Street Journal describes in quite some detail how the Egyptian government has been using this method to intercept traffic of young dissidents.

Lockheed Martin breach

All over the news: Lockheed Martin has been breached because it used the RSA tokens that had been compromised a couple of weeks before that. LM has the resources to actually detect a compromise like that, but there are way more small companies that use RSA tokens. How are they going to handle it? This is not the last breach we’ve seen that’s caused by the broken RSA tokens.

Lowcost USB Bluetooth sniffer

This is so nice, and its NFH (Nice for Hometinkering) appeal is big. A small USB Bluetooth sniffer, ehm, Bluetooth monitor. Ordinary Bluetooth devices are very difficult to get in a monitoring mode and other commercial Bluetooth monitoring tools cost you an arm and a leg and your soul. This one is selling for under 100 GBP, and you can make it more cheaply if you can solder, which I cannot.

Pentester’s cheat sheet

If you’ve been doing pentesting, one of the goals is to get a shell on the machine. This article lists a number of methods to (ab)use common tools to get the shell working. It’s a nice cheat sheet.

OpenWRT 8.09.2 and ipv6

After spending quite some time with the firewall rules inside the OpenWrt Kamikaze 8.09.2 installed on my Linksys WRT54GL, I thought that posting the end result might be handy for others.

  • step 1, install the following packages: ip6tables, kmod-ipv6, radvd, 6scripts.
  • step 2, change the following line in /etc/init.d/6tunnel

    ip tunnel add $tnlifname mode sit remote $remoteip4 local $localip4 ttl $ttl

    to

    ip tunnel add $tnlifname mode sit remote any local $localip4 ttl $ttl

    because if you don’t the outgoing packets are to remoteip4 (, but the incoming packets are from That’s not handled properly somewhere inside the kernel/firewall/ip6tunnel config. You can see this is happening by the “ICMP protocol 41 unreachable” messages back to

So, what goes into /etc/config/6tunnel:

config 6tunnel
        option tnlifname        '6tunnel'
        option remoteip4        ''
        option localip4         <insert your ipv4 address>
        # convert your external ipv4 address into 8 hex digits (two 4-nibble groups)
        option prefix           '2002:<hex variant of ipv4>:1::1/64'
        option localip6         '2002:<hex variant of ipv4>::1/16'
        option ttl              64

And the last step is adding a rule that admits the tunnelled IPv6 packets (in /etc/config/firewall):

config rule
        option '_name'          '6tunnel'
        option src              wan
        option proto            41              # IP protocol 41: IPv6 encapsulated in IPv4
        option target           ACCEPT
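
The hex conversion that the comment in /etc/config/6tunnel asks for, as an added shell example (not part of the original post or of the 6scripts package). The function names are hypothetical, 192.0.2.4 is a documentation address used as constructed input, and the rejection of private, loopback, link-local and multicast addresses is an added check, since 6to4 needs a globally routable IPv4 address.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print an IPv4 address as two 4-nibble hex groups ("c000:0204").
# Returns 1 for malformed input and 2 for addresses that are not globally
# routable (private, loopback, link-local, multicast/reserved).
ipv4_to_6to4_hex() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;   # leading zero (octal trap) or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    if [ "$1" -ge 224 ]; then return 2; fi
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 2 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 2 ;;
    esac
    printf '%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Print the two option lines in the form used in /etc/config/6tunnel above.
sixtofour_options() {
    hex=$(ipv4_to_6to4_hex "$1") || return $?
    printf "option prefix   '2002:%s:1::1/64'\n" "$hex"
    printf "option localip6 '2002:%s::1/16'\n" "$hex"
}

# Constructed input: 192.0.2.4 is a documentation address (RFC 5737).
sixtofour_options 192.0.2.4
```

A return code of 2 means the address is syntactically fine but sits behind NAT or in a reserved range, in which case the tunnel will not carry return traffic.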

And just to have everything documented, this is a sample firewall script for protection of your ipv6 stuff:

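# Copyright (C) 2006 OpenWrt.org
# PUBIF is the public IPv6 interface; defaulting it to the tunnel interface
# named in /etc/config/6tunnel is an assumption.
PUBIF=${PUBIF:-6tunnel}
ip6tables        -F
ip6tables        -X
ip6tables        -t mangle -F
ip6tables        -t mangle -X
# Allow everything on loopback.
ip6tables        -A INPUT -i lo -j ACCEPT
ip6tables        -A OUTPUT -o lo -j ACCEPT
ip6tables        -P INPUT DROP
ip6tables        -P OUTPUT DROP
# FORWARD stays ACCEPT: traffic routed to hosts behind the router is not
# filtered by this script; the INPUT rules below only cover the router itself.
ip6tables        -P FORWARD ACCEPT
# Accept incoming TCP only if it is not a connection-opening SYN.
# We really want ESTABLISHED, RELATED, but unfortunately that's not supported (yet) in ip6tables
# This match is stateless: it looks at the TCP flags only, not at whether a connection exists.
ip6tables        -A INPUT -i $PUBIF -p tcp ! --syn -j ACCEPT
ip6tables        -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables        -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
# New inbound connections are accepted only for the services listed here.
ip6tables        -A INPUT -i $PUBIF -p tcp --dport 80 -j ACCEPT # accept HTTP
ip6tables        -A INPUT -i $PUBIF -p tcp --dport 22 -j ACCEPT # accept SSH
ip6tables        -A INPUT -i $PUBIF -p tcp --dport 25 -j ACCEPT # accept SMTP
ip6tables        -A INPUT -i br-lan -j ACCEPT
ip6tables        -A OUTPUT -o br-lan -j ACCEPT
# Log, then drop, everything else arriving on the public interface.
ip6tables        -A INPUT -i $PUBIF -j LOG
ip6tables        -A INPUT -i $PUBIF -j DROP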

SCADA Honeypot

I really like the idea of a SCADA honeypot. John Strand live-demoes a SCADA Honeypot. It uses several services which can later on be used to demonstrate life inside a SCADA universe (and to lure an attacker).

You can download the SCADA Honeypot from here.

From the scadahoneynet site:

[The] goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

  • Build a HoneyNet for attackers, to gather data on attacker trends and tools
  • Provide scriptable industrial protocol simulators to test a real live protocol implementation
  • Research countermeasures, such as device hardening, stack obfuscation, reducing application information, and the effectiveness of network access controls.

Windows 7 installation

I’m an avid user of anything UNIX related: linux, freebsd, opensolaris. I even tinkered around with SCO Unix and Microsoft Xenix (but that was a rather long time ago). But, for some unknown reason I find myself longing to install a windows version.

I’ve used WinXP for a good two months, got fed up that I didn’t get any productivity out of it, and installed a linux distro on my laptop again. Same for the homeserver which was running Win 2003 server at a point in time.

It was that time of year again, so I started installing Windows 7 on the trusty laptop. And all of a sudden it has to go into production within two days of installing. I exploded in an absolute frenzy just to get everything that I might need on the road in there: UMTS connectivity (works), ssh client (two, both work), office (2007, works, duh) (as a sidenote, I love OneNote). And finally to top it all off, a virusscanner/personal firewall thing.


It didn’t work: whichever kind, beta or final release, from whichever firm, it would not work. The resulting install gave me a headache, as the error messages were quite strange. “Unknown error #0x80040201 occurred”. But this night (two days of tinkering and throwing things out of windows and almost throwing in the towel and installing Ubuntu again (I had to become productive again, and secure as well)) I had a light bulb over my head:

Get rid of EFS.

The Encrypting File System (EFS) is a good, sound, well implemented way to have your own files encrypted and no-one will be able to read them, unless you give them permission. Not even SYSTEM can read them.

I’ll repeat that again.

Not even SYSTEM can read them.

If you start a decompression of an EFS encrypted file, the contents will be encrypted as well. In an awful lot of cases this is exactly the behaviour you want. Because you decompress the file, you do not automatically give everyone access to it, now do you? You can do the installation all right (setup.exe does not complain). But SYSTEM cannot read the resulting files. SYSTEM needs to be able to read the files, because they’re drivers, for crying out loud.

If you remove the encryption of the downloaded installer, everything installs fine, like before, but now SYSTEM can read the files. Yay.

Therefore one piece of advice: do not use EFS on your preferred download location, then you can install the resulting stuff to your heart’s delight.

So, I feel quite good about this, now it finally works. I’m running Trend Micro now, we’ll see if I’ll buy after the trial, or that I’ll be running Ubuntu again.

Getting things not quite done

Cleaning the mess on my desk has made me more aware, again, how much stuff one can accumulate in such short time. Getting things done is quite difficult when you have the stuff on your desk. On the other hand, if you don’t have a proper inbox, that’s what you opted for. Hmm. Increasingly I find that the method I’m currently using is not really working out for me. One of the problems is too many inboxes, a fatal accident waiting to happen to the followers of the True Way. So far that accident is waiting to happen because I have a rather diverse work environment. There’s the computer at work, the laptop, the home computer, meetings, babysitting in the park, in the train or when visiting friends and relatives. Well, not that diverse, but diverse enough to end up with more than one inbox. One on the work computer, one on the home computer and one in a paper notebook I keep around. I like the paper notebook, because I have a readable handwriting, you can scribble, and it has nice in-the-bright-sunlight-in-the-park properties and friends and relatives don’t really mind when you scribble something in your paper notebook thingy. Start using a laptop on that occasion and people are seriously upgrading your geek status. It would appear I’m not alone in this.

But paper notebooks have one main setback, you keep repeating yourself. Entering stuff from email into the paper notebook doesn’t feel like you’re accomplishing something. When you have two pages of to-dos and notes it looks quite neat. Start doing things and crossing things off (Feel good moment) it starts to look rather messy. So, after a while, you rewrite your list to get a good overview. But hey, I’m not in this world to rewrite my to-do list for the umpteenth time.

I thought about getting a nice iPhone 3GS, but that sort of appeals to my geekness more than to my I want to get stuff done-ness. Other than that, I have a hard time believing that it has the nice properties a paper notebook has.

Maybe the future will bring something like a Kindle which you can write onto and then organize it. Maybe I should get a scanner, that would at least save the rewriting. That’s two maybes that may rank a bit too high on the ‘wishful thinking scale’.

For the time being I see no other option than to muddle forward in this way.

Summer Cleaning

Today I finally got around to cleaning my desk at home. It had become cluttered with all sorts of stuff. You probably know, old bills, new bills, a used password list (only one of them has been sort of correct), leaflets received during a trade show, etc. I was wondering myself how much information about me, good and bad, could be derived from the assorted clutter.

It’s quite scary and a reminder for myself that I should be more careful when leaving stuff on my desk. I know all the risks of garbage dumpers and people coming in and slicing and dicing your personal life (been there, done that) but it takes some mental effort to be aware of your own clutter.

So, back to cleaning the desk and keeping it clean.