Archive for the ‘software’ Category
Monday, March 22nd, 2010
A friend of mine dropped me a note to point out that Google has released an open source web application security scanner called skipfish. I haven’t used it yet (installing as I type), and will hopefully have some thoughts on it soon.
Tags: google, skipfish Posted in application security, software | Comments Off
Wednesday, March 4th, 2009
It’s about time someone made this tool. Warvox uses a VoIP connection to do its war dialing. Because it uses VoIP, it can dial multiple numbers in parallel. It also has some good built-in analysis features to find things like voicemail.
Tags: tools, war dialing, warvox Posted in software | Comments Off
Monday, February 23rd, 2009
I’ve been doing some fooling around with alternate data streams lately. I’ve found two interesting things which haven’t really been given a lot of attention before.
The first is just how ADS-aware IIS is. IIS will serve up an ADS as a file. So for example, if you have a file called boring.html, which has an ADS called interesting.jpg, you can access the ADS by entering http://somedomain.com/boring.html:interesting.jpg as your URL. (I’m sorry I can’t provide an example here as I’m not using Windows to host this domain). If instead of a JPEG the ADS is server-side code (like PHP), IIS will even execute the PHP code as you would expect. I suspect this is a great way for hackers to silently leak data from inside a network to the outside. All of that aside though, if you download a file that has an ADS from a web server, IIS will not send the ADS along with the file – it will only send the main part of the file.
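A defender can look for this URL form in web server logs. The following is an added example, not code from the original post: it scans IIS W3C-format log text for requests whose final path segment names a stream. The sample log lines, field layout and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-02-23 10:00:01 GET /boring.html - 192.0.2.10 200
2009-02-23 10:00:05 GET /boring.html:interesting.jpg - 192.0.2.10 200
2009-02-23 10:00:09 GET /docs/report.php%3Anotes.php - 192.0.2.11 200
2009-02-23 10:00:12 GET /index.asp::$DATA - 192.0.2.12 404
2009-02-23 10:00:15 GET /images/logo.png - 192.0.2.13 200
"""

def stream_name(uri_stem):
    """Return the stream part of an ADS-style path, or None for a normal path."""
    leaf = unquote(uri_stem).rsplit("/", 1)[-1]   # decode %3A, keep last segment
    if ":" not in leaf:
        return None
    return leaf.split(":", 1)[1]

def find_ads_requests(log_text):
    """Return (client_ip, uri_stem, stream, status) for requests naming a stream."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        stream = stream_name(stem)
        if stream is not None:
            hits.append((row.get("c-ip"), stem, stream, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in find_ads_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the server actually returned stream content, which is the case worth investigating first.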
The second thing I’ve come to realize is that a lot of applications use ADS for “legitimate” reasons. The most common one is Internet Explorer. Every file you download using IE has an ADS called “Zone.Identifier” attached to it. This ADS contains a ZoneID, which is a number from 0-4. The number indicates which zone the file was downloaded from. If the file was downloaded from the internet (zone 3), Windows XP SP2 and newer bring up a dialog box prompting the user to confirm they really want to run the app. If you want to disable this behavior, you can follow instructions found on the Microsoft website.
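The Zone.Identifier stream is a small INI-style text file, so it is easy to read during triage. The following is an added example, not code from the original post: it parses stream contents and flags files marked as zone 3 or 4. The `[ZoneTransfer]` layout and zone names reflect Windows behaviour rather than anything stated in the post, and the sample streams and function names are constructed.

```python
import configparser

# Zone numbers used by Windows URL security zones (the post gives the 0-4 range).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed stream contents keyed by file name (not from the original post).
SAMPLE_STREAMS = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "report.doc": "[ZoneTransfer]\nZoneId=1\n",
    "tool.exe": "[ZoneTransfer]\nZoneId=3\nHostUrl=http://example.com/a%20b/tool.exe\n",
    "odd.bin": "ZoneId=3\n",                      # no section header
    "blocked.scr": "\ufeff[ZoneTransfer]\nZoneId=4\n",  # leading byte-order mark
    "weird.tmp": "[ZoneTransfer]\nZoneId=9\n",    # outside the 0-4 range
}

def parse_zone_id(stream_text):
    """Return the ZoneId (0-4) from Zone.Identifier text, or None if unusable."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in URLs is literal
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        zone = int(cp.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None
    return zone if zone in ZONES else None

def triage(streams):
    """Return (flagged, unreadable): files from zone 3 or 4, and bad streams."""
    flagged, unreadable = {}, []
    for name, text in streams.items():
        zone = parse_zone_id(text)
        if zone is None:
            unreadable.append(name)
        elif zone >= 3:
            flagged[name] = ZONES[zone]
    return flagged, unreadable

if __name__ == "__main__":
    print(triage(SAMPLE_STREAMS))
```

On an NTFS volume under Windows, the stream text for a file can be read with `open(path + ":Zone.Identifier")` and passed to `parse_zone_id`.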
On a related note, I just want to quickly put in a plug for LADS – List Alternate Data Streams – it is a very good, simple, easy to use, quality program. Also, it’s free.
Tags: alternate data streams, ie, iis, lads, ntfs Posted in software | Comments Off
Wednesday, February 18th, 2009
I recently borrowed a copy of Hacking Windows XP from a friend. (I was under the impression that it would be about, well, hacking). It’s really all about customizations that you can do to your system, through changes to the system files and registry. One useful thing it did have was a link to a very good resource editor called Resource Hacker. It’s been years since I’ve used a Windows resource editor, and I’m starting to remember how fun (and utterly time consuming) it can be to mess around with the look and feel of your Windows apps and OS. In short, Resource Hacker lets you open up an executable or library file (exe, dll, ocx, scr, or cpl), and see the various resources within it – things like text strings and icons – and lets you change them. Say you don’t like an error message, just find that text string and change it. Don’t like the way an app looks? Just change the icons. Don’t like the fact that the start button says start? Change it. (It’s just a text string after all). I know someone will point out that a hex editor can do many of the same things, however a resource editor organizes the data for you, making it easier to find that string you want to change (or just browse), and it should (in theory at least) keep you away from the executable code which could break the app. It also lets you see and edit graphics. If you ever want to find a fun way to kill a lazy Sunday afternoon, I highly recommend it.
Tags: Microsoft, resource editor, Resource Hacker, windows Posted in software | Comments Off
Friday, August 15th, 2008
I think this isn’t a bad idea, but the implementation is inherently flawed:
the company plans to release a toolbar for major browsers that will check visited Web sites for obvious security issues. The add-on software will check for twenty signs — such as the version numbers of the Web server and the content management system — to make sure that the site has no obvious flaws.
As I said, it seems like a good idea. It’s non-invasive, and it alerts users (even non security savvy ones) that a site may be insecure. Ultimately it provides a very real and direct consequence of lax security to e-commerce sites – be secure or you may scare off customers. (And we all know that fear of affecting the bottom line is often the only thing that makes corporate entities act in favor of security). The problem is that without being invasive (think SQL injection), you can’t really tell if a site is secure. I’m afraid that this is going to turn into another one of those McAfee hackersafe style logos – just a green light that makes you feel safe without actually doing anything.
Tags: browsers, hackersafe, mcafee, www Posted in software | Comments Off
Tuesday, August 12th, 2008
The Race to Zero is a competition which recently wrapped up at Defcon. In it, teams of contestants are given ten known pieces of malware – viruses and exploits – and are tasked with obfuscating the malware in such a way that antivirus programs cannot detect the malware. The competition was ultimately won by Mandiant, which completed the task in a little over six hours. (About 36 minutes per challenge). This contest simply serves to illustrate the point that signature-based antivirus scanning is a failing proposition. As I’ve said before, there are a virtually infinite number of possible malware signatures out there, and trying to write an infinite number of signatures is an exercise in futility. It makes a lot more sense to enumerate good than to enumerate bad. We figured this out years ago when we started making firewalls use a default deny – we should be doing the same for antivirus.
Tags: antivirus, defcon, malware, race to zero, virus Posted in software | 5 Comments »
Friday, June 27th, 2008
I’m setting up a new Linux machine, and while compiling nmap, I noticed the following fly by:
( ) /\ _ (
\ | ( \ ( \.( ) _____
\ \ \ ` ` ) \ ( ___ / _ \
(_` \+ . x ( .\ \/ \____-----------/ (o) \_
- .- \+ ; ( O \____
) \_____________ ` \ /
(__ +- .( -'.- <. - _ VVVVVVV VV V\ \/
(_____ ._._: <_ - <- _ (-- _AAAAAAA__A_/ |
. /./.+- . .- / +-- - . \______________//_ \_______
(__ ' /x / x _/ ( \___' \ /
, x / ( ' . / . / | \ /
/ / _/ / + / \/
' (__/ / \
NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND REPONSIBLY
Somehow, I’ve never noticed this before, but I love it. (Well, except for the misspelling of the word responsibly).
Posted in software | 2 Comments »
Thursday, June 26th, 2008
In the “duh” reporting of the moment, securityfocus reports that:
The number of signatures required to detect malicious code skyrocketed in the first half of 2008.
While I may mock them (gently of course) for reporting something which is obvious, the growth curve is impressive:
The data — part of the F-Secure’s IT Security Threat Summary — showed that the company currently requires nearly 900,000 different signatures, also referred to as “definitions” or “detections,” in its product to catch current threats, up from 500,000 signatures at the end of 2007.
The solution, of course, is to stop writing signatures. There are a virtually infinite number of pieces of malware that can be written, and trying to write a signature for each and every one is an exercise in futility. We’ve seen it time and again – blacklisting does not work in the long run, it is not scalable, and is inherently reactive rather than proactive.
Tags: proactive security, virus, whitelisting Posted in software | Comments Off