The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for August, 2005

Mytob, Zotob, Diabl0, and Coder Roundup

Posted by Xavier Ashe on August 30, 2005

The big news of the weekend was the arrest of two guys related to the Zotob worms (“Diabl0” and “Coder”).

But who are these guys really? And who's behind the other PnP worms that were found during the last two weeks?

Get the details of these guys on F-Secure's Blog. Security Fix has information “that these two guys were a key piece in a much larger money-making conspiracy”:

Speaking at the High-Tech Crime Investigation Association's annual conference in Monterey, Calif. yesterday, Louis Reigel III, assistant director of the FBI's Cyber Division,
said Turkish police and intelligence officials told him they had
promising leads on 10 to 15 other individuals who may have been
connected with the worms.

The actual legal charges against the two are not yet known. The Computer Crime Research Center has a bit more info:

The bureau alleges that Essebar [Diabl0] wrote both the Mytob and Zotob worms
and then sold them to Ekici [Coder]. “We believe that there was financial gain
on (Essebar's) part,” Louis Reigel, assistant director of the FBI's
Cyber Division, said in a conference call with the media. He did not
provide further details.


Posted in Security | Leave a Comment »

Majestic Photos of Katrina

Posted by Xavier Ashe on August 30, 2005

“This shot was taken by a scientist aboard the NOAA-43…since I was
flying on a different plane in the rainbands (and thus not really able
to see much, as you can see in IMG-0949), I handed my camera off to him
so that I could share what they saw there. I'm participating in the
RAINEX (hurricane rainband and intensity change experiment) project, so
I'm really lucky to be able to fly into these incredible
storms…although it is sad to know the devastation that they cause

See the full Flickr photo set.  Amazing stuff.

Posted in Main Page | Leave a Comment »


Posted by Xavier Ashe on August 30, 2005

Posted in Random Pics | Leave a Comment »

Side-band attack tips virtual Blackjack dealer's hand

Posted by Xavier Ashe on August 30, 2005

Here's a fascinating account of a “side-band” attack on online
Blackjack. At a certain point in the gameplay, the software dealer
appeared to need substantially more calculations if there was a ten in
the dealer's hole than if there wasn't. Players who timed the pause
could therefore get a partial peek at the dealer's cards and so gain an
edge over the house.

In Poker, this is called a “tell” — the propensity of a player with
junk to mop his brow, or of a player to unconsciously tap his foot when
he's bluffing. Computers are generally considered not to have tells,
because they're not sentient and hence not prone to subconscious
fidgeting, but computer tells do arise in those situations where they are doing something computationally intensive.

The code itself may have been completely correct in the sense that it
did what it was supposed to do. It was the amount of time the code
needed to execute that ended up being the tell. No different than when
a poker player twitches when holding a great hand.

The fix may have been to change the execution profile of the code
so that it made the same pause no matter what was in the hole. Talk
about a challenge for game developers. Not only does the code need to
be bug free in syntax and semantics, but they now need to worry about
the execution profile for their games.

Found on Boing Boing.
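An added example, not code from the Boing Boing post or from any casino software: a model of the Blackjack “tell” beside a version with a flat execution profile, plus the regression check a game developer could keep in a test suite. Work is counted in abstract units instead of wall-clock time so the result is deterministic; the shape of the dealer logic is assumed.

```python
ACE = 1
TEN_VALUE_RANKS = {10, 11, 12, 13}   # ten, jack, queen, king

def leaky_dealer_peek(upcard, hole, cost):
    """Hypothetical shape of the bug: the expensive blackjack/insurance
    evaluation runs only when the hole card is worth ten, so the amount of
    work (cost['units'], our stand-in for execution time) reveals the hole."""
    cost["units"] += 1
    if hole in TEN_VALUE_RANKS:
        for _ in range(25):           # expensive bookkeeping on this branch only
            cost["units"] += 1
        return upcard == ACE          # dealer has blackjack
    return False

def fixed_dealer_peek(upcard, hole, cost):
    """Same decision with a flat execution profile: the expensive work always
    runs, and the answer is selected arithmetically instead of by branching."""
    cost["units"] += 1
    for _ in range(25):               # always paid, ten in the hole or not
        cost["units"] += 1
    is_ten = int(hole in TEN_VALUE_RANKS)
    ace_up = int(upcard == ACE)
    return bool(is_ten & ace_up)

def cost_of(peek, upcard, hole):
    """Run one peek and report how much work it did."""
    cost = {"units": 0}
    peek(upcard, hole, cost)
    return cost["units"]

def profile_gap(peek, upcard=ACE):
    """Extra work for a ten-value hole versus a non-ten hole; a non-zero
    value is the pause that players were able to time."""
    return cost_of(peek, upcard, 10) - cost_of(peek, upcard, 5)

def profile_is_secret_independent(peek, upcard=ACE):
    """Regression check: the work done must be identical for every possible
    hole card, i.e. the execution profile must not depend on the secret."""
    return len({cost_of(peek, upcard, hole) for hole in range(1, 14)}) == 1

def same_decisions():
    """The fix must not change the game: both versions agree on every hand."""
    return all(
        leaky_dealer_peek(u, h, {"units": 0}) == fixed_dealer_peek(u, h, {"units": 0})
        for u in range(1, 14) for h in range(1, 14)
    )
```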

Posted in Security | Leave a Comment »

Great Quote

Posted by Xavier Ashe on August 29, 2005

“Give a man a link and he can waste an afternoon. Teach a man to Google and he can waste a lifetime.” [via]

Thanks UNEASYsilence.

Posted in For Fun | Leave a Comment »

An Illustrated Guide to IPSec

Posted by Xavier Ashe on August 29, 2005

This Tech Tip means to give bottom-up coverage of the low-level protocols
used in an IPv4 context (we provide no coverage of IPv6). This is
not a deployment guide or best-practices document — we're
looking at it strictly at the protocol level on up, rather than from
the big picture on down.

This is the first of two papers, the second of which covers key exchange,
the Security Parameters Database, and other finer points of an IPSec
configuration: in this paper we'll touch on them only

Nice explanation. I find myself explaining technologies like
this all the time. So, it's great to get another way to do
so. Read the article on Steve Friedl's Tech Tips.

Posted in Other Technology, Security | Leave a Comment »

Michal Zalewski on the Wire

Posted by Xavier Ashe on August 29, 2005

Recently the eccentric security researcher Michal Zalewski published his first book,
entitled Silence on the
Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks.
Because the book is everything except a security manual, Federico Biancuzzi
chose to interview Michal and learn more about his curious approach to
information security. Among other things, they discussed the need for
randomness, how a hacker mind works, unconventional uses for search engines
such as Google, and applying AI to security tools.

Great book and a great interview on… And I fell for this one last year too:

Sometime ago you played a joke claiming to have founded a company
called eProvisia LLC that provided a 100 percent guaranteed antispam service. The
very interesting fact was that its antispam technology used human beings who
manually analyzed email.

Yes, of course the company is not real; it was just a silly joke that got
out of hand (and was carried as a true story by ZDNet, Yahoo, Slashdot,
and others).

Posted in Security | Leave a Comment »

Suspected Zotob Worm Authors Arrested

Posted by Xavier Ashe on August 27, 2005

Security Fix brings us the scoop:

Two men were arrested Thursday on suspicion of releasing the “Zotob” and “Mytob”
worms, variants of which have infected thousands of computers running
Microsoft's Windows operating system.  The arrests were announced today
by the Federal Bureau of Investigation.

Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker “Diabl0.” Arrested in Turkey was Atilla Ekici, aka “Coder,” age 21. Both individuals will be subject to local prosecutions, the FBI said.

Posted in Security | Leave a Comment »

McAfee Secures Home Wi-Fi Networks

Posted by Xavier Ashe on August 26, 2005

The fruits of McAfee’s purchase of Wireless Security Corporation appear in Wireless Home Network Security 2006:
The $49.99 security package uses WEP, WPA Personal, or WPA2 Personal to
secure up to five personal computers and one or more access points with
virtually no user configuration. WSC, prior to its McAfee buyout,
focused on small-to-medium-sized businesses (SMBs), and had built
modules that let them automatically configure access points to work
with their proprietary security software that uses WPA Enterprise to
secure a network.

These modules come into play in WHNS 2006 as popular models
from Belkin, D-Link, Linksys, and NetGear can be reconfigured to handle
a new encryption key without any user fiddling.

I didn't know it was 2006 already.  Found on Wi-Fi Networking News.

Posted in Security, Tools | Leave a Comment »

Credent shuts down that Windows phone’s camera, Bluetooth, et al.

Posted by Xavier Ashe on August 25, 2005

We know how wary enterprises can be of potentially subversive technologies such as cameras, Bluetooth, mass storage,
etc., infiltrating the workplace—in fact so much so that most business-class devices have taken to making two versions,
one with and one without a camera, for instance. Enter Credant’s Mobile Guardian Enterprise Edition software solution;
short of blocking people’s phones from entrance, this is one of the only policy enforcement techniques we’ve seen that
makes sense and might actually work. Based on permissions defined in your company’s domain servers, your policy-enabled
PocketPC device not only gets its data encrypted, but can have its camera, Bluetooth, or infrared communications
temporarily disabled while on site. Sounds good to us, since the last thing mobile employees want is to have to give up
functionality in their devices when they’re not even sitting in the office.

Found on Engadget.  Read more about Credant's solution at:

Posted in Security, Tools | Leave a Comment »

PSP 2.0 Firmware Update Already Decrypted?

Posted by Xavier Ashe on August 25, 2005

Some very interesting things going on in the PSP hacking world.

It would seem that someone has gotten the DATA.PSP files from the various update EBOOT.PBP files decrypted.

This is the next step in unlocking the secrets of the PSP's
firmware.  How to flash/re-flash, and modifying firmware files to
suit individual hacker's needs, etc…

A small sample

Looks like you might be able to run those homebrew apps on 2.0 soon. Another gem from MAKE Magazine's Blog.

Posted in Other Technology, PSP Hacks | Leave a Comment »

Didn't secure your Wi-Fi? You're a terrorist!

Posted by Xavier Ashe on August 24, 2005

I was reading what I thought was another humdrum column on unsecured wi-fi.  Then it ended with a bang:

Folks, we need to get a grip here. We need to look at this issue in
the bigger picture of national security. The bigger picture means that
Smith is not guilty of anything and the owner of the unsecured Wi-Fi
connection is definitely guilty. Guilty of gross negligence and guilty
of undermining the security of our country.

same goes for anyone or any company that has unsecured Wi-Fi access.
That applies to all those pinko, commie coffee houses, parks and
wishy-washy liberals who just don't get it. Free Wi-Fi is a national
security risk, an open door for the fifth column. An unsecured Wi-Fi
point is simply a foothold for the enemies of freedom, and anyone who
owns an open Wi-Fi access point should be prosecuted for treason. And

This has to be the most interesting take on unsecured wi-fi I have
ever heard. I wish I had this quote for last week's luncheon.
“Foothold for the enemies of freedom”… I am still laughing as I type this. Send him your thoughts:

Posted in For Fun, Security | Leave a Comment »

Finnish security exec arrested over bank hack

Posted by Xavier Ashe on August 24, 2005

The data security chief at the Helsinki branch of financial services
firm GE Money has been arrested on suspicion of conspiracy to steal
€200,000 from the firm's online bank account. The 26 year-old allegedly
copied passwords and e-banking software onto a laptop used by
accomplices to siphon off money from an unnamed bank.

Investigators told local paper Helsingin Sanomat
that the suspects wrongly believed that the use of an insecure wireless
network in commission of the crime would mask their tracks. This failed
when police identified the MAC address of the machine used to pull off
the theft from a router and linked it to a GE Money laptop. Police say
that stolen funds have been recovered. Four men have been arrested over
the alleged theft with charges expected to follow within the next two

Found on The Register.

Posted in Security | Leave a Comment »

An Online MD5 Hash Database

Posted by Xavier Ashe on August 24, 2005

MD5 hashes protect a variety of content types, such as in the case of
pass phrases, session ids, etc.; the logic behind it is that to compute
an MD5 equivalent of all possible plain text would be a
computational nightmare.

This computational nightmare has been
brought one step closer to becoming a hackers’/crackers’ best friend
with the introduction of the “Online MD5 Hash Database”.
The Online MD5 Hash Database does exactly as its name says: it stores in
excess of 12 Million different MD5 values and their corresponding plain
text equivalents.

Found on SecuriTeam Blog.

How good is the engine, you say? Well, it was able to crack this MD5 hash
in near “real-time”: 1870a829d9bc69abf500eca6f00241fe (wordpress). How
did it do it? Well, some user has inputted the word wordpress into its hash database.

did the same for the words: security
(e91e6348157868de9dd8b25c81aebfb9), securiteam
(1d167077e74e969b9b7d34b2d901d697) and SecuriTeam
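An added example, not SecuriTeam's or the database's own code: a tiny version of such a precomputed table, showing that its “cracking” is a dictionary lookup, and the two defences the post does not go into (a per-user salt, and a slow KDF in place of bare MD5) that leave it with nothing to look up. The wordlist and salt are constructed.

```python
import hashlib

# Constructed wordlist standing in for the database's 12 million entries.
WORDLIST = ["password", "security", "securiteam", "wordpress", "letmein"]

def build_md5_table(words):
    """Precompute hex MD5 -> plaintext once. All the 'cracking' such a
    database does at query time is this dictionary lookup."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def lookup(table, hex_digest):
    """Return the plaintext for a digest, or None if nobody ever submitted it."""
    return table.get(hex_digest.strip().lower())

def salted_md5(word, salt):
    """Per-user salt: the same word now yields a different digest for every
    account, so one shared table cannot hold it. Still too fast for passwords."""
    return hashlib.md5(salt + word.encode()).hexdigest()

def slow_password_hash(word, salt, iterations=100_000):
    """What a password store should use instead of bare MD5: a salted,
    deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()

def demo():
    """Replay the post's query against our toy table, then the same word
    hashed with a salt (constructed; use os.urandom(16) in real code)."""
    table = build_md5_table(WORDLIST)
    unsalted = hashlib.md5(b"wordpress").hexdigest()   # the post's 1870a829... digest
    salt = b"constructed-salt"
    return {
        "unsalted_hit": lookup(table, unsalted),                      # "wordpress"
        "salted_hit": lookup(table, salted_md5("wordpress", salt)),   # None
        "kdf_hit": lookup(table, slow_password_hash("wordpress", salt, 1000)),  # None
    }
```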

Posted in Security | Leave a Comment »


Posted by Xavier Ashe on August 24, 2005

Over the next day and week you'll hear about the new PSP 2.0 update
from all the usual places, but don't update- really. There are a couple
new features, like a web browser, image transfer/wallpaper, some other
video and network tweaks- but it's a yawn. You'll lose all the amazing homebrew playing capability, emulators and cool applications
the PSP makers are cranking out- so don't do it- it's just not worth
it, it removes fun (until the version 2.0 firmware can play homebrew,
then it's ok to update).

Found on MAKE Blog.  Also, from one of the comments:

That only really applies if you have firmware 1.50 now. If your system
came with 1.51 or 1.52 (or you previously upgraded to either) there is
currently no homebrew available, so go ahead and upgrade.

Posted in PSP Hacks | Leave a Comment »

It all started just a week ago…

Posted by Xavier Ashe on August 24, 2005

I know many of
my readers spent a good bit of their time either cleaning Zotob infections
or quickly patching systems to avoid an outbreak. Well, Mikko
over at F-Secure had quite a time and logged it on the F-Secure blog:

I wake up right after 02:00: Rich from Microsoft is
calling, asking if we're seeing increased PnP activity in the net.
Literally while I'm speaking with him, my phone receives an automatic
alert regarding network worm activity. Uh-oh. Better check out the

I get to my computer to see that Ero
in our US viruslab is already hard at work on the problem: there are at
least two new worms spreading aggressively. Too bad, but I have to wake
up Jusu again. He sounds awake enough and starts to make his way to the

Posted in Security | Leave a Comment »

It's a great tool… and it got ripped off.

Posted by Xavier Ashe on August 24, 2005

I am addicted to a great toolbar for Firefox called the Web Developer Toolbar. I came across the following entry in Asa Dotzler's Blog and was called to action. A quick email doesn't take much time.

I just read over at Blog that an IE developer tool called Web Inspector from a company called AEVITA has totally ripped off his amazing Web Developer Toolbar.

It's one thing to take inspiration from another developer, but to
steal the idea, the icons, and the documentation outright without any
credit is just plain wrong.

If you're a fan of Chris and his hugely valuable Firefox extension, I encourage you to contact Aevita and express your disapproval — especially about the blatant documentation theft.

Posted in Other Technology, Tools | Leave a Comment »

Thanks to those who attended the Luncheon

Posted by Xavier Ashe on August 19, 2005

I wanted to extend thanks to everyone who came out to the Wireless Security Luncheon today at the Westin.  You asked some very good questions.  I have posted the PowerPoint for your download.  Feel free to email me if you have any followup questions or have the need for a security consultant.

Posted in Lectures, Security | Leave a Comment »

Spot the Phish, win a prize

Posted by Xavier Ashe on August 18, 2005

Alex from Sunbelt Blog clued me in to this quiz that tests your ability to spot the phishing emails.  I don't wanna brag, but I will anyway.. I got them all correct.  Let me know how you did.

Posted in Security | Leave a Comment »

IE Users beware, new exploit, no Microsoft Patch

Posted by Xavier Ashe on August 18, 2005

Most folks who use IE are not the most security minded in the first
place.  If they were, they would be using Firefox.  Today is
case in point:  yet another IE security flaw has been revealed
with exploits already available.  Security Fix sums it up well:

The stories note that Microsoft is investigating
the reported vulnerability. Meanwhile, computer code showing exactly
how to take advantage of the flaw was published online today. The
problem resides in a file installed by Microsoft's Visual Studio .Net, but the vulnerable component is also installed by other applications, such as Microsoft Office 2000, and certain software drivers for the latest ATI computer graphics cards.

The easiest way to avoid falling victim to this flaw is simply to use another browser, like Firefox, Netscape or Opera. If you absolutely must use IE, the folks over at the SANS Internet Storm Center have a (non-Microsoft approved) “patch” that will effectively disable the vulnerable portion of the code.

Go get Firefox. Now.

Posted in Security | Leave a Comment »
