un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Security

Just some security things that I’ve found interesting (read: they rocked)..

5 Minutes with the Packetloop Beta – The Packetloop presentation at Ruxcon last year was one of the highlights for me. Michael Baker did a really good job of demonstrating (even last Nov) the use of compute clusters to analyse large data sets and give the security defender a heads up. This video is a really good look at the UI and yeah, it combines a bunch of stuff I enjoy, especially visualisation and large-data-set analysis. (Phew, got through that without saying cloud or big data!)

Android Application Assessment – A fairly extensive walkthrough of performing an app assessment against apps on Android. Nuff said.

Rubygems Site Recovers from Compromise – I’m a little slow in posting about this, but the community driven rubygems site suffered a breach due to the recent Ruby YAML issues that surfaced a couple of weeks ago. Apart from the article, I actually found their incident response process of shifting their ‘working’ log to gdocs (check it here).

How do I phish? – @Zeknox (Brandon McCann) writes up a fairly in-depth look into how he performs phishing campaigns as part of penetration testing exercises. A good one to bookmark for when you need to perform these sorts of assessments yourself. (Thanks again to Rob Fuller for this).

Bill Shocker – hits 600,000+ Android phones! (Exclamation points). (In China only?) From what the article seems to be stating, this malware turns the phones into a botnet, although currently it appears to be using them for sending SMSes at a profit to the attackers.

Non-Security

… and then a bunch more non-security stuff …

It’s All Academic – Andy Budd writes up a great article on the disjoint between academics and those working in the web industry. The ‘paraphrased’ conversation is great, and something that I found very odd when I shifted from academics into the industry.

The larger our past gets the smaller our present feels – A great short film that Kottke posted the other day. Great style, and an interesting message about time, and our perception of time as we age. This is certainly something I’m starting to perceive as I get older, and things get more and more difficult.

Valve & JJ Abrams Working on a Movie – I’m a gamer, well, when I have time (which, this year is looking very unlikely), and this news is fairly interesting .. but .. the cynic in me is sort of assuming it’s just gonna suck.

Mockumentary on Physically Unlikely Amusement Park Rides – .. this .. this was fantastic. I really enjoyed the style, the scientist, the ridiculous rides, and how it starts off and is ‘almost’ realistic, but then just plummets into the ‘wtf’. It sort of made me think of Cube.



Security articles I flagged (for fun or .. whatnot):

Are You Practicing Safe Coding? – Personally I have a love/hate relationship with this style of infographic; this one in particular is almost like a flattened marketing slide deck. Eh. Anyway, this image does hold a lot of stats in a single place, and does have a fairly open call to action to check out the rest of Veracode’s stuff. (Oh, and don’t forget that infographics are ruining the web).

HowTo: Extract ‘hidden’ API-hooking BHO DLLs – Ever had a chance to play with Volatility? If you haven’t, definitely check it out. Great way to analyse volatile memory. This tute walks through trying to find a malicious browser helper object hooked into IE performing some nasty man-in-the-browser (MITB) stuff.

Turn a Bra Underwire into a Lock Pick – Need I say more? This is a security article AND an awesome party trick!

10 Evil User Tricks for Bypassing AV – Thanks to @mubix‘s #sharedlinks.

Cross Device Attacks using Cloud Sync (iCloud example) – Nitesh writes up another Apple-esque security article. This time looking at how, whilst iOS is generally considered a secure platform, when you introduce syncing applications you introduce a weaker link in the chain, namely, a desktop computer. This is compounded when you’re using syncing applications for business processes, which are also then synced to your crappy out of date home PC. All this and more! (read the article ya slackers).

Hacker Blackmailed 350 Women into Stripping on their Webcams – .. Social engineering .. what can’t it do?

Security flaws in UPnP – millions at risk – When the R7 guys aren’t making MSF kick ass, they do security research. This is unlikely to be the first time you’ve heard about this issue as it’s done the rounds lately. I’m aware they offer some self-test tools now too if you want to check if you’re vulnerable.

.. The rest of these are not so security focused (but .. sort of..).

Awesome secret drawer – Watch the embedded Vimeo – this wooden chest with the hidden drawer is fantastic.

Poor Sleep Prevents Brain from Storing Memories – I have a pretty shocking memory. Sometimes I don’t sleep too well. I’m not really convinced in my case these issues are related.. but, interesting research regardless.

Eddie Adams’ Pulitzer Winning Image – This well known (and super powerful) photo from Feb 1st 1968, Vietnam. There’s not many art forms where the power of your creation is something which even you as the creator can’t bear to face. Interesting insight into the image and the impact it had on society and the photographer.

MS embracing (Open Source) Git – I found the MS article provided a much clearer picture of their intents, and their approach to open source software, especially compared to the original article.



*Phew*, burpdot is now up to version 0.5. I can’t really explain the relief I feel at getting this version out. Ever since David planted the idea of visualising Burp log files showing how URLs refer to one another he was always going on about “Hey, jQuery is easy right? Sure! You can build up a web interface right? That’ll only take you a couple of days?”. Well according to the network graph I’ve been making tiny commits to the work in progress branch for the past 2 months, only now have I merged it back in and voila.

The existing command line functionality should be exactly the same, but, if you set up your environment according to the documented dependencies then you should be able to simply run “./burpweb.rb” and open up http://localhost:8015.

Less words, more shows:



Burpdot is now up to version 0.4, it’s starting to shape up into something a little bigger than first imagined, which I guess is the way with these things. But first let’s cover the simple stuff: as of 0.4, burpdot has a new mode to output into a SQLite database file. At the moment, there’s not much point in this functionality, but new versions will use it – let’s leave that for another post. Example:

# ./burpdot.rb -i burp.log -m sqlite -o burp.db

Excitement!

Okay, not really. Anyway, before getting onto the depth option I’ll have to admit, I don’t really know much about using Graphviz. So, after a little reading I figured out a couple of overrides that really help with burpdot (via Afterglow) generated graphs: the normalize option, the splines option, and using vpsc for overlap prevention instead of ortho. You can see these generated below.

The concept of depth is really simple: set to 1, burpdot only extracts the domain portion of the URI; set to 2, you get the domain and the path; set to 3, you get the domain, path and query string. By default depth is set to 2, so you get graphs as generated in previous versions. Examples:

# ./burpdot.rb -i burp.log -m csv -d 1 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-1.png

# ./burpdot.rb -i burp.log -m csv -d 2 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-2.png

# ./burpdot.rb -i burp.log -m csv -d 3 | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Gnormalize=true -Gsplines=true -Goverlap=vpsc -o burp-depth-3.png
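To make the depth setting concrete, here is an added example in Ruby that is not burpdot’s own code. It reduces each URL to a node label the way the three depth levels above describe, builds referer-to-request edges from a handful of constructed raw HTTP requests (an assumed minimal shape, not the real Burp log framing), and emits the two-column source,target CSV that the Afterglow pipeline in the earlier burpdot post further down this page consumes with its -t flag. The function names, the sample requests and the hostnames app.example and cdn.example are all assumptions made for the example.

```ruby
require 'uri'
require 'csv'

# Added example (not burpdot's own code): reduce a URL to the node label
# the post's depth setting describes.
#   1 => host only, 2 => host + path, 3 => host + path + query string
def node_label(url, depth)
  raise ArgumentError, "depth must be 1..3, got #{depth}" unless (1..3).cover?(depth)
  u = URI.parse(url)
  label = u.host.to_s
  label += u.path.to_s if depth >= 2            # "" or "/" for a bare host
  label += "?#{u.query}" if depth >= 3 && u.query
  label
end

# Constructed sample input: four raw HTTP requests, trimmed to the request
# line and the two headers we need. The real Burp log wraps each request in
# extra framing; this is an assumed minimal shape, not Burp's format.
SAMPLE_REQUESTS = [
  "GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
  "GET /login?next=%2Fhome HTTP/1.1\r\nHost: app.example\r\nReferer: http://app.example/\r\n\r\n",
  "GET /static/logo.png HTTP/1.1\r\nHost: cdn.example\r\nReferer: http://app.example/login?next=%2Fhome\r\n\r\n",
  "POST /login HTTP/1.1\r\nHost: app.example\r\nReferer: http://app.example/login?next=%2Fhome\r\n\r\n"
].freeze

# One request becomes one candidate edge: [referer, requested URL].
# Referer is nil when the request carries no Referer header.
def request_edge(raw, scheme = 'http')
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  _method, target, _version = lines.first.split(' ', 3)
  headers = lines.drop(1).each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [headers['referer'], "#{scheme}://#{headers['host']}#{target}"]
end

# Edge list at the requested depth: drop requests without a referer, collapse
# both ends to labels, drop self-loops (a page pointing at itself once
# collapsed), and dedupe so the graph is not cluttered with repeat edges.
def edges_at_depth(requests, depth)
  requests.map { |raw| request_edge(raw) }
          .reject { |referer, _url| referer.nil? }
          .map { |referer, url| [node_label(referer, depth), node_label(url, depth)] }
          .reject { |src, dst| src == dst }
          .uniq
end

# Two-column source,target CSV, the shape Afterglow reads in its -t mode.
# CSV quoting matters here: query strings can legitimately contain commas.
def edges_csv(requests, depth)
  CSV.generate { |csv| edges_at_depth(requests, depth).each { |edge| csv << edge } }
end

if __FILE__ == $PROGRAM_NAME
  depth = (ARGV[0] || 2).to_i
  puts edges_csv(SAMPLE_REQUESTS, depth)
end
```

Running it with 1, 2 and 3 as the argument shows why the depth knob changes the picture so much: at depth 1 the three sample requests collapse to a single app.example to cdn.example edge (the in-site hops become self-loops and vanish), at depth 2 the login flow appears, and at depth 3 the query string splits /login into two distinct nodes.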



It wasn’t until after I’d pushed the 0.1 version of burpdot up to git that I remembered secviz.org. If you haven’t checked it out you certainly should, it’s a great portal for people to share visualisations of log analysis/mining, in particular those related to security. I pinged Raffy, who maintains the site, on twitter, and he reminded me of Afterglow, a Perl tool that he maintains which facilitates the process of generating graphs. The power of Afterglow comes from its powerful color properties file and plethora of options. So it made perfect sense for burpdot to be modified to output simple CSV files, which could then be consumed and processed with Afterglow.

A simple example:
# ./burpdot.rb -i burplogfile.log -m csv | ./afterglow.pl -t -c burp.properties | neato -v -Tpng -Goverlap=orthoyx -o burp.png

Which generates:
[Figure: Burp PNG, the graph produced by the command above]

You can grab Afterglow from: http://afterglow.sourceforge.net/ and the updated burpdot from: https://github.com/xntrik/burpdot.

Update: Forgot to give epic big ups to Dave who helped get the label wrapping Perl Fu working in the burp.properties file!


