    Reviving the blog; stray beams

    I don’t know if anyone still reads this blog, and I don’t blame them, but I’ve wanted to start writing again for some time. I’ve tried to keep this blog technology/infosec oriented, but I may shift gears and add new content. I think it may need a redesign, too. And, of course, I have to come up with something to write about that’s at least somewhat worth reading. In keeping with the spirit of not making posts without real content, I wanted to share an interesting incident that occurred last week.

    I got up one morning and noticed it was somewhat cold in my apartment. It’s been very cold here in Chicago, and when the temperatures are in the single digits, I start to feel it in my studio. Wanting to warm the place up a little bit, I turned on my space heater. It’s a small model, not meant for a large space, but it does its job. However, within a few minutes, I noticed it turned off, without the power indicator LED turning off. Then it turned back on. Then off. The cycle kept happening.

    My little space heater has several safety sensors, designed to make sure it doesn’t set me on fire, and I thought that perhaps one of them was going bad. Ah, well, it wasn’t too cold, anyway. Later on, I turned on my TV. I hit the “Guide” button on my cable remote and it was barely working. Some numbers on the keypad would somewhat work, while others didn’t at all. I blamed that on batteries, but thought it was odd that it happened all of a sudden, and that some things worked better than others.

    As I went to later turn the TV off, I noticed the power button on my remote was stuck. That happens every once in a while, and it’s usually just an annoyance, because the TV will randomly turn off. So I unstuck it and then it struck me. The remote was, basically, acting as a little IR jammer. We tend to think of IR as very low power and not capable of much, but it’s a technology that’s used all over the place. And here, it was doing two things. First of all, it was preventing my cable remote from working correctly, by interfering with that IR signal. Second of all, it was bouncing IR rays around. When a stray one would hit my space heater, it would turn off. The reason is that the sensor used to tell if something has fallen onto the heater is IR based, and so a stray ray was throwing it off. It wasn’t consistently hitting the sensor, so it would only turn off every once in a while.

    And if you’ve made it this far in the post and are curious about IR/IrDA in general, you might want to check out Major Malfunction’s presentation on IrDA security.

    Blocking Tor

    Just a quick post about Tor (“The Onion Router”), which has been getting a lot of buzz as of late. I support the intent of the project, and the project overall, but there are a few shortcomings. One of these, in my mind, is that it’s too easy to block. Trackers aggregate all current exit nodes and offer up their IPs as a text file. Exit nodes, the last leaf of the onion, are the point of egress for all Tor traffic and so blocking those IPs will effectively block all of Tor.

    Google around and you’ll find several Tor DNS black lists. I wrote a quick and dirty script to block Tor from a web site, utilizing Apache’s built-in htaccess mechanism. You can get it here if it doesn’t show up correctly below.

    #!/bin/bash

    # where the generated .htaccess goes
    export HT=/path/to/webroot/.htaccess
    # exit-node list published by the tracker (a site I do not control)
    export URL=http://anonymizer.blutmagie.de:2505/ip_list_exit.php/Tor_ip_list_EXIT.csv

    wget "${URL}" 2>/dev/null

    # turn off dir listings; you can leave out if done globally
    # you should ideally disable more than just this
    echo "Options -Indexes" > "${HT}"
    # put your 403 error document in 403.html
    echo "ErrorDocument 403 /403.html" >> "${HT}"
    echo "order allow,deny" >> "${HT}"

    # one exit-node IP per line; no validation is done on the list
    for ipaddr in $(cat Tor_ip_list_EXIT.csv); do
        echo "deny from ${ipaddr}" >> "${HT}"
    done

    echo "allow from all" >> "${HT}"

    rm Tor_ip_list_EXIT.csv

    I would not suggest using it, as it does no sanity checks and relies on a site which I have no control over. However, it took only a few minutes and does block Tor effectively. It’s an illustration of how trivial Tor is to block. I set up a cron job to run it every 15 minutes and now the site gives 403s to Tor nodes (it’s not this site, so feel free to read this with Tor all you want.)
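    The sanity checks the script above is missing, as an added example written for this post (not the author's script): it validates every line of a downloaded exit-node list as an address or CIDR range before it is written into the Apache 2.2 block, and it refuses to emit a file with too few entries, because an empty or failed download would otherwise silently unblock every Tor exit. The feed contents are constructed sample data; the real list is fetched separately.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of what an exit-node feed might return, including the
# kinds of junk the quick-and-dirty script would pass straight into .htaccess:
# a CRLF line ending, a comment, a hostname, a blank line and a CIDR range.
SAMPLE_FEED = (
    "192.0.2.10\r\n"
    "198.51.100.7\n"
    "# exit nodes as of 03:00\n"
    "not-an-ip.example\n"
    "\n"
    "203.0.113.0/24\n"
    "2001:db8::1\n"
)


def parse_exit_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (valid, rejected). Only syntactically valid IPv4/IPv6 addresses
    or networks are accepted; anything else is reported rather than kept."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        # single hosts are written bare, ranges keep their prefix length
        valid.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return valid, rejected


def build_htaccess(addresses: List[str], min_entries: int = 1) -> str:
    """Render the same Apache 2.2 'order allow,deny' block the shell script
    writes. Refuses to produce a deny list shorter than min_entries: an
    empty feed would otherwise yield a file with no deny lines at all."""
    if len(addresses) < min_entries:
        raise RuntimeError(f"only {len(addresses)} entries; keeping previous .htaccess")
    lines = ["Options -Indexes", "ErrorDocument 403 /403.html", "order allow,deny"]
    lines += [f"deny from {a}" for a in addresses]
    lines.append("allow from all")
    return "\n".join(lines) + "\n"


def update_blocklist(feed_text: str, min_entries: int = 1) -> str:
    """Parse a feed, report what was dropped, and return the new .htaccess."""
    valid, rejected = parse_exit_list(feed_text)
    for bad in rejected:
        print(f"skipping non-address line: {bad!r}")
    return build_htaccess(valid, min_entries)


if __name__ == "__main__":
    print(update_blocklist(SAMPLE_FEED))
```

In a cron job, write the result to a temporary file and rename it over the live .htaccess only when build_htaccess succeeds, so a bad fetch leaves the previous list in place.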

    This is fine for those wanting to stop abusive Tor users, but what about when China and other such nations start adding Tor exit nodes to their country’s content filters? As soon as this happens, the main purpose behind Tor will become moot.

    But I’m not sure how to fix this — more decentralization? Anyone have thoughts on this?

    Devices on your network

    Due to several factors, I’ve neglected my blog for months, but I figured I’d try posting again.

    I haven’t done much lately that’s really worth writing about (tech-related, that is), but having a few days off gave me extra time to play with a few things.

    That’s where the ‘Devices on your network’ part comes in: with various holidays and general impulses we tend to acquire new devices, many of which are network-ready. I recently got a Nintendo Wii, and while I was using various Internet features on it, I figured I might as well try to see how it works on the back-end.

    Since I don’t have a whole lot of space in my apartment, my network setup is simple. My access point/router is a Buffalo WHR-G54S, a little white box which utilizes the typical Broadcom chipset and runs embedded Linux. (This model has been replaced by a new model, with a new chipset, which is supposed to be better.) This thing has 4Mb of flash, which means I can get rid of its crappy firmware and install DD-WRT. (As an aside, if you are considering buying a router to flash with DD-WRT, be aware that many routers only have 2Mb of flash and only allow a stripped-down version of DD-WRT to be installed.)

    Anyway, by turning on SSH access to DD-WRT, I got a limited Linux environment. I wanted to sniff traffic coming from and to the Wii and this was the only place to do it without reconfiguration or ARP poisoning. I reached for tcpdump, but was also hoping to run some “specialty” sniffers, like the suite of dsniff tools.

    Here are a few things I learned along the way. They’re only useful if you happen to try this in DD-WRT or a similar environment, as most of these problems probably would not happen on a proper OS:

    1. Before you start installing stuff, think about storage. Remember, you don’t have more than 4Mb flash on most routers, so I tried to stay out of flash/RAM altogether. I opted for creating a share on a Windows box and mounting it from the router. Just create a share on your machine, set up security for one user and mount it with a command such as:

      # smbmount //ip.of.share/sharename /tmp/smbshare -ousername=username,password=password

      If you get errors: 1) Make sure you created the mountpoint (# mkdir /tmp/smbshare) and 2) make sure the smbfs module is loaded into the kernel:

      # insmod /lib/modules/`uname -r`/smbfs.o

      Oh, and, JFFS2 support has to be enabled, even if you don’t plan on using it. JFFS2 is a journaling file system for flash-devices and isn’t used if you’re installing everything into a share. However, it is used if you want to permanently install the packages on the router. It can be enabled through the web interface.

    2. Neither of the tools I wanted came with DD-WRT (I have the ‘vpn’ version, not sure if another version includes this.) Luckily, a package manager named ‘ipkg’ is included. And even better, I found both the packages I was looking for, which is great because a C compiler does not seem to be included. Since DD-WRT and OpenWRT are very similar, MOST packages work fine. Installation is easy as well, just use:

      # ipkg -d smbfs install <url>

      When the binaries get installed (usually in /tmp/smbshare/usr/sbin), you can try running them — initially to figure out which libraries are missing. This package manager is more of a glorified wget and so it’s completely oblivious to dependencies. Luckily, you can download most of the required stuff (libpcap, libnet, libnids, etc) from that same site as the packages. But then, you still get errors. It takes a few minutes, but they’re fairly intuitive to get through. For example, a program might be looking for libnet9.0.0.so, but your version is called libnet9.0.so. I tried symlinking, but while no error is given, symlinks don’t seem to work. I just wound up making another copy of the library and naming it to whatever the program was looking for. Another caveat: since your downloaded libraries are installed in /tmp/smbshare/usr/lib, your binaries won’t know where to look for them. You have to add that path to the list of directories all programs look for libraries in:

      # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib

      Of course, this may disappear after your next reboot (or randomly, it seems), so you may want to add it to some start-up script, along with the rest of the stuff.

    3. DD-WRT may have borrowed OpenWRT’s kernel, but I don’t think the userland is that similar, since several packages misbehave. Dsniff refuses to run:

      /tmp/smbshare/usr/sbin # ./dsniff
      ./dsniff: can't resolve symbol 'errx'
      /tmp/smbshare/usr/sbin # ./urlsnarf
      ./urlsnarf: can't resolve symbol 'warnx'
      /tmp/smbshare/usr/sbin #

      At this point, I am not sure if it’s a problem with the C libraries or some other library or what, and I’ve mostly concentrated on tcpdump. Too bad: I think tools like urlsnarf and webmitm would have been useful. Anyway, that’s another post.

      In short, I settled on this:

      # ./tcpdump -vvv -s 1500 -w wii.pcap host Wii

      It’s important to set a high or unlimited snaplen (I used 1500) while capturing or it will only capture small fragments of a packet.

      I then looked at the PCAP file using Wireshark and found some semi-interesting things, which I might make into another post.

    Every gaming console today has some sort of online presence and many other consumer devices (DVRs, home theater receivers, etc) can connect to a network. Sniffing their traffic is often an interesting way to see how they grab information, update themselves and see whether they “call home”.

    I am curious whether anyone has ever done this for other consumer devices and seen anything interesting?

    DIY police blotter

    I have a RadioShack PRO-89 scanner radio, which can’t do trunking and certainly isn’t digital. Until I can get a new one, I can at least tune to my local police districts’ (19/23) frequency (465.05 MHz, see RadioReference.) This is all I really care about, anyway. The area covered includes Lakeview, Wrigleyville, parts of Buena Park, Lincoln Park, Uptown and other neighborhoods of Chicago.

    Around 2:12am, I decided to make a crime map with about an hour’s worth of data. It was mostly quiet, with a few bursts of activity. I probably got 90% of the calls, though within those I may have messed up some addresses and such. I put in updates to the ones that were somewhat interesting (see the one on Lake Shore…). I also left out a few pieces of info such as apartments.

    Makes you appreciate (most of) the stuff cops do. There is a decent amount of violent crime that required their intervention, though during lulls they go busting parties. It’s a lot more interesting to listen to it rather than look at the map, but there are a few funny calls on it.

    Update: I deleted the map by accident. 

    I should note that I got the idea by looking at ChicagoCrime.org.

    Now on shuffle?

    I was looking at Q101’s site a few days ago and found their list of songs they recently played. What’s more is that they archive the list for a few days. I copied the data into Excel but couldn’t figure out how to do much with it. I wanted to be able to see, for example, how many times a certain band was played. This is especially interesting because of their recent claims of being “on shuffle”, though lately this is rarely mentioned on air. I get the feeling they now only hit “shuffle” every once in a while, though I am not sure they ever were really doing a true shuffle.

    I didn’t do much with it for a few days, but today I was pointed towards PivotTables/PivotCharts in Excel. If you’ve never used this feature, I highly recommend trying it out. Just choose “PivotTable and PivotChart Report…” from the Data menu. After a few minutes it’s easy to get a hang of and it produces meaningful statistics instantly.

    I haven’t done much with it, yet, but the first thing I did look at was how many times bands were played. In my several days’ worth of data (4.5 I think), there seems to be an exclusive “30 or over club” — only seven bands were played 30 times or more:

    1. FINGER ELEVEN => 30
    2. NINE INCH NAILS => 30
    3. NIRVANA => 30
    4. INCUBUS => 31
    5. THE KILLERS => 32
    6. LINKIN PARK => 34
    7. RED HOT CHILI PEPPERS => 39

    Not really surprising, but interesting nonetheless. If I find anything interesting in the data, I may post about it.

    The problem with slight differences in interfacing technologies

    Just a quick post.

    I was looking around milw0rm and found a paper called “Buffer Truncation Abuse in Microsoft SQL Server Based Applications.” It’s by Gary O’Leary-Steele of a company called SEC-1 and talks about a theoretical approach to defeating “password reminder” sites. The technique takes advantage of incongruity between the size of SQL Server variables and those used by VB.Net, as well as how the two technologies treat white space. Worth a read.

    What I think is interesting about this paper is that it shows another example of what happens when two technologies, which must interact with each other, have slightly different standards. In some cases this is unavoidable, but the loopholes it can create are always being exploited.

    One good example is the “poison NULL byte” attack. This attack is possible against multiple languages (Perl and I am fairly sure PHP and others) because the underlying interpreter is written in C, which treats NULLs as delimiters, whereas languages like Perl don’t. You simply add something like %00 or \0 to the end of a string and the interpreter ends the line at that point. It allows you to get past lines of code which try to concatenate something, such as a file extension, onto your query. (The paper linked to above describes it much better; it’s worth reading.)

    It should be noted that this problem can be coded around, for example by using a regular expression to get rid of NULL bytes for Perl, or defining the size of both variables in SQL Server and VB. But to do so, the often minuscule difference between technologies must first be well understood. Besides, careful coding isn’t the norm, and, while larger mistakes may be caught, it’s sometimes tough to spot esoteric things like this issue.
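    The NULL-byte mismatch described above, as an added example written for this post (not from the linked paper): the script's language sees the full string with the extension appended, while a C API reading the same buffer stops at the first NUL. Python's own open() refuses embedded NUL bytes, so the C view is shown through ctypes.c_char_p instead; the file name and extension are constructed inputs, and build_path_checked uses rejection rather than the stripping regex the text mentions, which is the stricter of the two.

```python
import ctypes
import re

# Constructed inputs: a user-supplied base name that a script concatenates
# with a fixed extension, as in the "poison NULL byte" case described above.
EXTENSION = ".txt"
SAFE_NAME = "report"
POISONED_NAME = "config.ini\x00"   # %00 / \0 appended by the caller


def build_path_unchecked(name: str) -> str:
    """What the Perl/PHP-level code believes it built: extension included."""
    return name + EXTENSION


def as_seen_by_c(path: str) -> str:
    """The same string once it reaches a C API. c_char_p.value reads up to
    the first NUL byte, exactly as open(2)/fopen(3) would, so everything
    after the poison byte, including the appended extension, is gone."""
    return ctypes.c_char_p(path.encode()).value.decode()


NUL_RE = re.compile(r"\x00")


def build_path_checked(name: str) -> str:
    """Mitigation: detect NUL bytes before the string is handed to anything
    implemented in C. Rejecting is preferred over silently stripping, so the
    caller learns that the input was malformed."""
    if NUL_RE.search(name):
        raise ValueError("NUL byte in file name")
    return name + EXTENSION


if __name__ == "__main__":
    built = build_path_unchecked(POISONED_NAME)
    print(repr(built))            # 'config.ini\x00.txt'
    print(repr(as_seen_by_c(built)))  # 'config.ini'
```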

    Edit: Quick edit to note something interesting I read this morning on the Dailydave list:

    http://bp3.blogger.com/_aU4sjfnl3RY/Ro4EjK53JyI/AAAAAAAAAEM/DSWoKCXxXFI/s1600-h/P7060093.JPG

    Does anyone want to speculate as to the 0day? I assume putting %00%00 inside strings isn’t it? :> Ooh, what about %u0000? :>

    Does mono have the same bug? Are they bug for bug compliant?

    Looking at the screen shot, it looks like NULL bugs plague .NET’s System.Web. It’ll be interesting to see this one hashed out some more.

    I am sure there are similar problems and I’d love to hear of other examples.

    Keeping busy

    I’ve been keeping busy and that, amongst other factors, has led me to ignore this blog.

    In the meantime, I’ve moved from Buffalo Grove to Chicago. I live in the Lakeview neighborhood now, on the east side of it towards the lake. I’ve set up a good portion of my studio but have yet to pick everything up. I haven’t even set up anything but my laptop, probably until I can acquire an LCD and a KVM to switch between things. I just ordered a Buffalo WHR-G54S wireless router, which is a cheap ($40 vs $60+ for LinkSys) candidate for DD-WRT flashing, which might be interesting to mess with. But that’s it for now…

    The road to nowhere

    The title might sound like I’m about to post something deep and philosophical, but this post really is about an actual road. I’ve been posting a lot of infosec stuff lately, so I thought it was time for a change.

    So, what is the road to nowhere? That’s the name locals gave to Amstutz Expressway, located in Waukegan, IL. Yes, it’s an expressway — sort of, at least. Yes, there’s a reason you’ve probably never heard of it, even if you live and work in the Chicagoland area. It was built to connect downtown Waukegan to North Chicago and serve as an access road to nearby factories. The factories closed, however, and the link in North Chicago was never built. Now it’s just a very short stretch of high-speed, limited-access road that’s barely used. In fact, it’s used so little that it became a popular location for highway scenes in movies — from The Blues Brothers to Batman Begins.

    I’ve been interested in this road for a while now. I’m not sure why, but I am drawn to defunct and abandoned buildings, roads or whatever else. I wasn’t ever interested enough to ever make the trip up, however. Well, this week I got the chance to see it, as the client I worked at happened to be about five minutes from the infamous road. After work, I shot up Buckley Rd. and there it was.

    As expected, there wasn’t much. Traveling the whole length of the road took about five minutes. The speed limit is 50mph, and while it’s not completely abandoned, I can imagine there’s never any traffic there. I guess that’s nice if you live nearby, but the road is pretty useless. Sheridan Rd. runs alongside, on the other side of the railroad tracks, and so there is definitely no need for an expressway there. I made it to where the road merges with Sheridan Rd, not realizing it actually picks up again later. I didn’t make it to the Grand Ave. exit, where Groundhog Day was shot. But I was low on gas and time, so I am glad I at least got a taste.

    There have been plans to get rid of it, as it’s blocking lakefront development, but for now this one-exit wonder is still there. I didn’t recognize it from any movies, but I am sure if I saw them now I’d be able to pick it out.

    It was an interesting experience, but I certainly don’t recommend it as a tourist destination. That doesn’t stop the State of Illinois, though:


    Check out the Lake Forest Metra Station used as a location for Derailed and Ocean’s Twelve. Next, make a stop at the State Financial Bank in Waukegan, seen in the crime caper The Ice Harvest. Under the Grand Avenue overpass of the Amstutz Expressway, located just outside downtown Waukegan, you’ll see the spot where the weather man’s news van was stopped by a state trooper in the hysterical Groundhog Day.

    A train station, a bank, and Amstutz. Sounds like a great time. I guess at least I got 1 out of 3, though I don’t expect to see any blog posts about the first two. ;) (And you won’t see any from me, either, I’ve seen enough banks and train stations.)

    Open-source HIDS

    I went to a Linux User Group (LUG) meeting recently. I haven’t been to one for 5 years or so (wasn’t a huge fan of PLUG at Purdue), but NWCLUG at Harper College in Palatine is still worth going to.

    On that day there was a presentation from the CEO of Applied Watch Technologies, who concentrate on open-source IDS technology. For them, this mostly translates into the venerable Snort. Snort is a product I know a decent amount about, but it was interesting to learn about some libpcap replacements which increase performance on 1Gb+ links, FPGA hardware made for Snort, and the like.

    Anyway, another product he mentioned was OSSEC HIDS, which I’ve never heard of before. It looks like a pretty complete host-based IDS, but I haven’t had a chance to play around with it. Can this be the open-source answer to Cisco Security Agent, Tripwire, or other popular commercial tools? Anyone have any experience with it?

    Weak encryption for storing saved logins

    I don’t know a lot about encryption, but I imagine it poses a challenge to try to store credentials safely. In an OS, you can use one-way hashing, because you never have to decrypt the hash, just encrypt the password someone just typed in and compare it against the stored hash. But what’s a good solution for, say, an FTP client storing passwords?

    What got me thinking is seeing Trillian using a XOR cypher, then discovering that Dreamweaver uses just a simple Caesar cypher. I love how most of these programs convert the password to hex; I am wondering if this has any practical purpose or is just another obfuscation method. Other programs use Base64 or other schemes not meant for encryption.

    Dreamweaver hashes, once I got both a hash and the plain-text equivalent, were pretty trivial to crack. Just consider the first letter “position 0” and increment by one each time. Then you subtract the position from the hex value and convert to ASCII. For example, 0x43 is the letter “C” in hex. So, 434343 would mean “CBA”, because the first letter is 43-0, the next letter is 43-1, and so on. You just have to remember that you’re subtracting in hex and not decimal, so 36-8 would be 2E, not 28. Both the Windows calculator and the one in GNOME support hex math though, so it’s easy. Then you convert the string to ASCII and you’ve got the password. Not much better than ROT13.

    Of course, you can let dreampass do the dirty work. If you have a bunch of STE files, you can throw them into one big one, and using the -i flag dreampass will pull out all the info for you. You may be thinking to yourself, “Hmm, I wonder if Google can find STE files and are people dumb enough to save password hashes in a publicly available file?” The answer is: I wouldn’t know.

    Speaking of dreampass: I’ve put up version 0.5, which has better file parsing (will display more info), some clean-ups (now “use strict” doesn’t have to be commented) and some other tweaks. I am just starting to learn Perl so please criticize my code. I don’t think I’m going to put out too many more versions, I’m just using it to learn.

    Update: Someone I knew had Dreamweaver CS3 running on their MacBook, so I asked them to export a sample STE file for me. I took a look at it and…same old hashing:

    vitaly@hydrogen ~/Desktop $ ../dev/dreampass/dreampass.pl -i abc_test.ste

    Server: abc.org
    Username: abcabc
    Password: abcabc1
    AccessType: ftp
    Hash: 61636564666837

    So I guess dreampass will work on CS3 as well.
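    The position-shift scheme worked through by hand above, and confirmed against the CS3 sample output, as an added example written for this post (not the author's dreampass.pl). It assumes exactly the scheme described: each character is stored as two hex digits, and the i-th character's byte value has i added to it, so position 0 is unshifted. The decoder handles the hand-calculated 434343 and the 61636564666837 hash from the STE file; the encoder shows the forward direction, which has no key at all, only the character's position.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_ste_hash(hexstr: str) -> str:
    """Reverse the shift: subtract each character's position from its byte.
    Working on the integer value is what 'subtract in hex, not decimal'
    amounts to: 0x36 - 8 == 0x2E, not 0x28."""
    if len(hexstr) % 2 or not set(hexstr) <= HEX_DIGITS:
        raise ValueError("hash must be an even-length hex string")
    chars = []
    for pos in range(len(hexstr) // 2):
        byte = int(hexstr[2 * pos:2 * pos + 2], 16)
        chars.append(chr(byte - pos))
    return "".join(chars)


def encode_ste_hash(plaintext: str) -> str:
    """Forward direction: add the position to each byte and emit hex.
    Nothing secret goes in, so anyone holding the STE file can undo it."""
    return "".join(f"{ord(ch) + pos:02x}" for pos, ch in enumerate(plaintext))


if __name__ == "__main__":
    print(decode_ste_hash("434343"))          # CBA
    print(decode_ste_hash("61636564666837"))  # abcabc1, the CS3 sample above
    print(encode_ste_hash("abcabc1"))         # 61636564666837
```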

    What I’d like to know is, what is the “best practice” method for storing passwords which must be decrypted/retrieved? I don’t know a whole lot about the field and figured someone might have run into this.