Thursday, March 26, 2009

New Firefox 0day in WinDBG


Here is a screenshot of the new FF 0day in WinDBG using the !exploitable extension. I am swamped with work right now; when I get a moment I'll try to post a more detailed writeup.

Wednesday, March 11, 2009

Deep packet inspection is not the same as snooping

"Speaking at a House of Lords event to mark the 20th anniversary of the invention of the World Wide Web, Berners-Lee said that deep packet inspection (DPI) was the electronic equivalent of opening people's mail."

No it's not. It's the equivalent of weighing mail in order to figure out how to best deliver packages. Small letters take one path through the postal system, large boxes take another. So-called "postal neutrality" laws would force the post office to route both letters and boxes the same, making the postal system less efficient.

Such "postal neutrality" laws would tilt the market in favor of delivery monopoly Federal Express. This is why the monopoly is pushing for such laws. In much the same way, monopolies like Google, eBay, and Amazon are pushing for net neutrality laws.

I'm joking about "postal neutrality", of course, but I'm not joking about net neutrality. People really do believe in regulating the Internet to help monopolies entrench themselves. People really do believe that "Vint Cerf" is some sort of wise-man saying what's good for the Internet, rather than simply a corporate shill for a monopoly (Vint Cerf is Google's most important lobbyist).

The great thing about our society is that you can encrypt your traffic if you don't want somebody to read it, and you can anonymize it through TOR for even more protection. Seems like it's a better bet to me to ensure that these freedoms are preserved, rather than fighting for a world where governments and Google can read our e-mail, but the ISPs cannot.


On an unrelated note, I'm also amused by this article that explains Deep Packet Inspection. When discussing DPI, the article claims "until now, this wasn't possible with IDS/IPS or stateful firewalls. The difference is that DPI has the ability to inspect traffic at layers 2 through 7".

This isn't true. I wrote the first IPS (BlackICE Guard, now IBM Proventia). It's full layer 7, at multi-gigabit speeds. For example, one of the signatures it can block is e-mails with ZIP attachments where the ZIP file contains a filename that has more than 4 space characters followed by a ".exe" extension. (Viruses put lots of spaces in front of the .exe extension to prevent you from seeing it.) Proventia has to reassemble the TCP stream, parse layer 7 protocols like SMTP, then parse RFC822 e-mail headers, MIME, BASE64 encoding, and finally the ZIP file format.

And you know this is true because when the event fires, the full filename appears along with the event. That would be impossible without full layer 7 inspection.
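The decode chain described above (RFC822 headers, MIME, base64, then the ZIP format, ending in the padded-".exe" filename rule) as an added, constructed example; this is not Proventia's code, and the sample message and ZIP are built inline so it runs offline:

```python
import io, re, struct, zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The rule from the post: an entry name with more than 4 spaces before ".exe".
PADDED_EXE = re.compile(rb" {5,}\.exe$", re.IGNORECASE)

def zip_entry_names(blob: bytes) -> list:
    """Walk ZIP local file headers by hand, as an IPS decoder would, and return
    the raw entry names. Stops at the central directory or at an entry whose
    size lives in a data descriptor (flag bit 3) rather than in the header."""
    names, off = [], 0
    while blob[off:off + 4] == b"PK\x03\x04":
        fields = struct.unpack_from("<4sHHHHHIIIHH", blob, off)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        if flags & 0x8:
            break
        names.append(blob[off + 30:off + 30 + nlen])
        off += 30 + nlen + xlen + csize      # fixed header is 30 bytes
    return names

def make_zip(names: list) -> bytes:
    """Constructed ZIP with one small entry per name (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"sample data")
    return buf.getvalue()

def build_sample_email(zip_blob: bytes) -> bytes:
    """Constructed RFC822 message carrying the ZIP as a base64 MIME attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.invalid", "b@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_blob, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

def inspect_mail(raw: bytes) -> list:
    """Parse headers and MIME, undo the transfer encoding, walk any ZIP payload
    and return the offending entry names so the event can carry the filename."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload[:4] != b"PK\x03\x04":      # sniff the magic, not Content-Type
            continue
        hits += [n.decode("latin-1") for n in zip_entry_names(payload)
                 if PADDED_EXE.search(n)]
    return hits
```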

The Proventia IPS does deeper layer 7 inspection than any of the DPI discussed in the "net neutrality" debate. It has done so since 1999. That's one of its selling features: it includes the layer 7 decoded information as part of its events (which no other IPS does).

The so-called "deep" packet inspection everyone is talking about is actually pretty shallow. While inspecting HTTP headers is certainly deeper than inspecting TCP headers, they still aren't capturing and indexing everyone's traffic -- at least, not any more than google-analytics does already.

SOURCE Boston

I'll be at SOURCE Boston this week listening to talks from security professionals such as David Mortman, Adam Shostack, Dan Kaminsky, and others. I am especially looking forward to the panel hosted by Ryan Naraine entitled "The Partial Disclosure Dilemma."
From the website, "SOURCE Conference is the first and only conference that combines advanced technology and application security practices with the business of security in an intimate and manageable environment."
I'll be live microblogging the conference from day to day. To read a take on SOURCE Boston from a project manager's perspective, you can follow me here: http://www.twitter.com/Errata/.

Tuesday, March 10, 2009

Setting up Firefox for Hamster

Hamster requires that your web browser have a separate configuration (proxy 127.0.0.1:1234 and possibly a homepage of http://hamster/). It will also screw up your cookies. Therefore, you need to run a separate instance of the browser.

The simplest way to do this is with "firefox -no-remote -P hamster" (works on Windows and Linux). The "-P" flag means to use the named profile. The "-no-remote" flag means to open a separate instance of Firefox - otherwise it will notice that you have an existing instance and simply add a window to it, using your existing profile.

However, Firefox uses the last opened profile by default. Thus, if you don't want Firefox to use the "hamster" profile, you have to reconfigure your normal Firefox link with the "firefox -P default" option to force it to always open the default profile.

There are other annoyances with this method as well, so I prefer a different option: I create a separate user account called "hamster". On Windows, I right-click on the icon and select "Run as" to run Firefox as Hamster. I also add the "-no-remote" flag, but "-P" is unnecessary, because it will use the default profile under the "hamster" account.

The Linux equivalent of "runas" is "sudo". To run Firefox under the hamster account, type:

sudo -H -u hamster firefox

You may have to edit the "/etc/sudoers" file. I add the following line so that I don't have to enter a password for the hamster account:

hamster ALL = NOPASSWD: /usr/bin/firefox

There is also the problem that the X Windows display only allows connections from the current user. You need to allow processes running under a different account to connect, such as by running the xhost command:

xhost +local:hamster

Thus, the ideal link for hamster would start the service (if it wasn't running), run xhost, then run sudo to launch Firefox. This assumes that the account for Hamster has already been created, and that Firefox under that account has been configured for a proxy with 127.0.0.1:1234 and a homepage of "http://hamster/".
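Such a launcher, as an added example that is not part of the original post or of Hamster itself. It assumes the "hamster" account, the sudoers line and the xhost setup from above, that Hamster's binary is on PATH as "hamster" and listens on 127.0.0.1:1234, and it includes a helper (run once as the hamster account) that writes the proxy and homepage settings into a Firefox profile's user.js:

```sh
#!/bin/sh
# Launch an isolated Firefox for Hamster: start the proxy if needed, open the
# X display to the hamster account, then run Firefox under that account.
set -eu

HAMSTER_USER=${HAMSTER_USER:-hamster}
HAMSTER_PORT=${HAMSTER_PORT:-1234}
FIREFOX=${FIREFOX:-/usr/bin/firefox}      # matches the sudoers entry

# One-time helper, run as the hamster account against its profile directory:
# user.js is re-applied on every Firefox start, so the proxy cannot drift.
write_proxy_prefs() {   # $1 = profile directory
    mkdir -p "$1"
    cat > "$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", $HAMSTER_PORT);
user_pref("network.proxy.no_proxies_on", "");
user_pref("browser.startup.homepage", "http://hamster/");
EOF
}

# True when something already listens on Hamster's port (Linux "ss").
hamster_running() {
    ss -ltn 2>/dev/null | grep -q ":$HAMSTER_PORT "
}

# The launch line from the post: other account, its own HOME, own instance.
launch_command() {   # $1 = account name
    printf 'sudo -H -u %s %s -no-remote\n' "$1" "$FIREFOX"
}

main() {
    if ! hamster_running; then
        hamster >/dev/null 2>&1 &     # assumed binary name; see lead-in
        sleep 1
    fi
    xhost +local:"$HAMSTER_USER" >/dev/null
    eval "$(launch_command "$HAMSTER_USER")"
}

# Run only when explicitly asked, so the functions can be sourced or tested.
if [ "${HAMSTER_LAUNCH:-0}" = 1 ]; then main; fi
```

Invoke it as `HAMSTER_LAUNCH=1 ./hamster-firefox.sh` from the desktop link.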

Monday, March 09, 2009

Hamster 2.0 and Ferret 2.0

I updated my Sidejacking tools Hamster and Ferret. You can get them from the site http://hamster.erratasec.com (or, if DNS hasn't propagated yet, you can grab a zip or tar from the main site).

The biggest change is that the tools now work on Linux and Mac OS X. Previously, Ferret was cross-platform but Hamster was stuck on Windows. Hamster was written to be mostly portable, but I never got around to fixing the last few bugs on Linux.

Another change is that you can launch Ferret directly from within Hamster. Just tell Hamster what interface you want to sniff, and it will go off and do it. Kinda makes you forget that Ferret exists. You also get status updates on the screen so you can keep track of how many packets you've captured (so that you know it's actually working).