The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for November, 2005

Got 1.5 Yet?

Posted by Xavier Ashe on November 30, 2005

Firefox 1.5 is out and has already been downloaded 2 million times.  Have you got your copy yet?

  • Automated update to streamline product upgrades. Notification of an update is more prominent, and updates to Firefox may now be half a megabyte or smaller. Updating extensions has also improved.
  • Faster browser navigation with improvements to back and forward button performance.
  • Drag and drop reordering for browser tabs.
  • Improvements to popup blocking.
  • Clear Private Data feature provides an easy way to quickly remove personal data through a menu item or keyboard shortcut.
  • is added to the search engine list.
  • Improvements to product usability including descriptive error pages, redesigned options menu, RSS discovery, and “Safe Mode” experience.
  • Better accessibility including support for DHTML accessibility and assistive technologies such as the Window-Eyes 5.5 beta screen reader for Microsoft Windows. Screen readers read aloud all available information in applications and documents or show the information on a Braille display, enabling blind and visually impaired users to use equivalent software functionality as their sighted peers.
  • Report a broken Web site wizard to report Web sites that are not working in Firefox.
  • Better support for Mac OS X (10.2 and greater) including profile migration from Safari and Mac Internet Explorer.
  • New support for Web Standards including SVG, CSS 2 and CSS 3, and JavaScript 1.6.
  • Many security enhancements.

The Burning Edge has more detailed lists of new features and notable bug fixes.


Posted in Other Technology | Leave a Comment »

Thieves put car security system to test

Posted by Xavier Ashe on November 29, 2005

BT's new vehicle tracking system found its first stolen car before the system had gone live.

The car, an Audi A4, belongs to David Thomas, project manager for the
new BT Trackit system. It was stolen outside his house on Nov. 2 and
was recovered, undamaged, the same day.

Thomas was alerted to the theft by BT's Secure Operating Centre. Using satellite-based tracking technology,
the car was pinpointed and the local police were informed and were able
to recover the vehicle. The car had been abandoned six miles away.

They insist they didn't invent the story, but damn, what a coincidence.

Posted in Other Technology, Security | Leave a Comment »

So just how hack-proof is the 360?

Posted by Xavier Ashe on November 29, 2005

We haven’t yet had a chance to get our hands dirty and bust out our trusty tunneling electron microscope to see for
ourselves just how in deep we’d have to go in order to load up our new 360 with Linux, but apparently the Free60
Project has a pretty good idea of what’s in store for Xbox hackers this time (though of course none of this is
officially verified):

  • The flash is encrypted with a per-box key
  • The key is stored inside the CPU
  • The boot ROM is stored inside the CPU
  • Also inside the CPU is a hypervisor that verifies the running state of the kernel, making sure there is no
    modification (RAM checksums), else the Xbox 360 panics and blows up!
  • The CPU contains RAM inside of it to store the checksums
  • All interrupt/exception handling is done by the hypervisor
  • All code runs in kernel mode
  • The emulator for first generation games can be updated via an official Microsoft download burned to CD by the
    user, though the CDs’ content will be encrypted and signed with public key cryptography. The boot ROM is stored
    inside the CPU.

Don’t worry if you don’t know what any of that biz means — but if you do, you probably know that this is a real
world best-case-scenario trusted computing environment. In other words, would-be Xbox 360 hackers have definitely got
their work cut out for ‘em.

From Engadget.

Posted in XBox Hacks | Leave a Comment »

Talk to the MSN Encarta Bot

Posted by Xavier Ashe on November 29, 2005

You can add Encarta to your MSN Messenger buddy list and ask it questions.  The answers are totally
fascinating.  But first, here's how to get it going:

1. Open MSN Messenger and sign in.
2. Add Encarta as a contact:
3. Double click Encarta from your Contact List.
4. Ask a question!

[23:00] Xavier: Are you a real person?
[23:00] Encarta® Instant Answers: No Xavier, I am a robot.
[23:00] Xavier: Would you like to be a real person?
[23:00] Encarta® Instant Answers: I guess I'd like to be, but I'm not sure I'd like to be a real person.
[23:00] Xavier: I can turn you into a real person.
[23:00] Encarta® Instant Answers: Thank you, but I think I'll remain as a robot.

Posted in For Fun, Other Technology | Leave a Comment »

Cisco PIX TCP Connection DoS

Posted by Xavier Ashe on November 28, 2005

When a host is located on the trusted side of the network
behind the PIX firewall, it is possible to prevent a new
legitimate TCP connection from being established to a host located on the
other side of the firewall. To execute such an attack, an
attacker would send a specifically crafted TCP packet with an
incorrect checksum through the PIX firewall, pretending that it originated
from a legitimate host. S/he would need to specify the source and
destination IP and port, and once such a packet is received by the PIX
firewall, it is no longer possible to establish a new TCP session with
the credentials specified in the malicious packet. The downtime of the
connection is around 2 minutes 2 seconds, after which a new connection
can be established again and the PIX resumes normal operation.
Such an attack does not affect connections that are already established
through the PIX.

Although it would take a lot of packets to disrupt the communication
between the hosts completely, we assume that the attacker's aim is to
prevent communication to a specific service on the remote host,
e.g. SSH, SMTP or TCP syslog, and it takes around 15 seconds to generate
and send 65535 packets with a custom source port on a 100 Mbit LAN.

Get the details on (or see the original post on Full Disclosure). This looks to affect versions
6.3 and below.  There is a related exploit for version 7.0.
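The root of the problem described above is that a segment whose TCP checksum is wrong is still allowed to change the firewall's connection state. Any stateful device (or host) can refuse such a segment before it touches its tables. The following Python, added here as an example and not taken from the advisory or from Cisco, implements the standard RFC 793 TCP checksum over the IPv4 pseudo-header and a gate that drops a segment failing it; the addresses and ports are constructed (RFC 5737 documentation ranges), and `admit_segment` is a hypothetical name for the check a defender would want in front of any state change.

```python
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (RFC 793)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose 16-bit checksum field is currently zero."""
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return (~ones_complement_sum(covered)) & 0xFFFF


def build_syn(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              seq: int = 0, window: int = 8192, payload: bytes = b"") -> bytes:
    """Minimal SYN segment (20-byte header, no options) carrying a valid checksum."""
    syn_flag = 0x02
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         5 << 4, syn_flag, window, 0, 0)   # checksum field = 0
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A valid segment, checksum field included, sums to 0xFFFF."""
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF


def admit_segment(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Gate to apply before a stateful device touches its connection table:
    a segment that fails the checksum must not create, tear down or block any flow."""
    if len(segment) < 20:
        return "drop: truncated header"
    if not checksum_ok(src_ip, dst_ip, segment):
        return "drop: bad checksum"
    return "inspect"


# Constructed sample traffic: documentation addresses, not real hosts.
SRC, DST = "192.0.2.10", "198.51.100.22"
GOOD = build_syn(SRC, 40000, DST, 22, seq=0x1234)
# Same segment with its checksum field corrupted, as a crafted packet would be.
BAD = GOOD[:16] + bytes([GOOD[16] ^ 0xFF, GOOD[17]]) + GOOD[18:]

if __name__ == "__main__":
    print(admit_segment(SRC, DST, GOOD))   # inspect
    print(admit_segment(SRC, DST, BAD))    # drop: bad checksum
```

The verification trick in `checksum_ok` is the usual one: because the stored checksum is the ones' complement of the sum of everything else, re-summing with the field filled in yields all ones. Anything that fails that test was either damaged in transit or never legitimately sent, and neither case should be allowed to alter a connection table.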

Posted in Security | Leave a Comment »

Lock down your PC or laptop with Syskey

Posted by Xavier Ashe on November 27, 2005

Syskey also enables you to configure the machine to prompt for the
computer startup key at boot time (this can be up to 128 characters
long) – this is a great option for laptops as it simply takes the form
of a password (or passphrase) that you enter before logging into Windows. The
beauty of this approach is that neither the key nor any form of the key (such
as a hash) is actually present on the machine, so there's nothing to
crack unless you count brute forcing the encryption of the Master Keys,
which would take significant computational effort – read: a very long
time, longer than the data is likely to be of value.

Nice little hack from Steve Lamb's Blog.

Posted in Security, Tools | Leave a Comment »

Hacker to show off the lackluster security of Diebold Voting Systems

Posted by Xavier Ashe on November 27, 2005

A computer hacker will be trying to break into one of California's
electronic voting machines next week, with the full cooperation of the
secretary of state.

Harri Hursti, a computer security expert from Finland, will be trying to
demonstrate that voting machines made by Diebold Election Systems are
vulnerable to attacks by computer hackers seeking to manipulate the results of
an election.

Last May, Hursti and another computer security expert tested a Diebold
system for the elections supervisor in Leon County, Fla. They quickly broke
into the system, changed the voting results and inserted a new program that
flashed the message “Are we having fun yet?” on the computer screens.

Interesting stuff.  Get the full article on  If you are really interested in the security of voting machines, check out Washburn's World.
John's a friend of mine who has worked his tail off to improve our
voting rights by exposing the errors in our voting systems… both
the technical and the bureaucratic systems.

Posted in Security | Leave a Comment »

PSP on the 360

Posted by Xavier Ashe on November 27, 2005

Presenting the official Joystiq guide on getting your shiny toys to play nice together: your Sony PSP and your
Microsoft Xbox 360. Just like iPod integration, this
seemed crazy, but we are here to announce: it works great.

To the right is a lovely, svelte PSP next to the impressive 360 (with PGR3 faceplate). In between them, a simple USB
to USB mini connector.

Pretty straightforward, but cool nonetheless.  From Joystiq.

Posted in PSP Hacks, XBox Hacks | Leave a Comment »

Lik-Sang peeps the PSP TalkMan

Posted by Xavier Ashe on November 27, 2005

We’re still a little uneasy about how Babelfishy this thing could turn on us, but if you’re planning on doing any
traveling to Asia, the TalkMan package for your PSP might
just come in handy. Max, the bird who’ll guide you through your semantic adventures, uses a ScanSoft-built language
interpreter and trainer to help you learn Chinese, Japanese, Korean, or English — or just help translate between you
and someone else, if need be. Lik-sang — who sells the Talkman on import — seemed to like it alright, but their
review just wasn’t quite enough to assuage our geekier urges to wait it out for
InterACT’s in-mouth autotranslators.

From Engadget.

Posted in PSP Hacks | Leave a Comment »

Of Bags And Men: Chain Of Custody

Posted by Xavier Ashe on November 27, 2005

I have received TONS of email regarding interest in learning more
about what “chain of custody” is and what a proper CoC bag looks like.

Before you read on, keep this in mind: this is purely from my
experience in the field. Proper procedures in law enforcement, private
investigation and evidence handling may differ depending on where you

I am going to describe how *I* use these bags in preserving evidence during computer security / forensics investigations.

Now that the disclaimer is done … let's look at what a typical CoC bag looks like.

Very good article from a blog entitled A Day in the Life of an Information Security Investigator.
I have been involved with a few security incidents that involved the
police or the FBI, but they always handled the evidence tagging.
I'll have to get me a few of those bags.

Posted in Security | Leave a Comment »

Cracking safes with thermal imaging

Posted by Xavier Ashe on November 24, 2005

In short, virtually all keypad entry systems – as used in various applications,
including building access control, alarm system control, electronic lock safes,
ATM input, etc – are
susceptible to a trivial low-profile passphrase snooping scheme. This attack enables
the attacker to quickly and unobtrusively recover previously entered passphrases with
a high degree of success. This is in contrast to previously documented methods of
keypad snooping; these methods were in general either highly intrusive – required
close presence or installation of specialized hardware – or difficult to carry
out and not very reliable (e.g., examining deposited fingerprints – works in
low-use situations only, and does not reveal the ordering of digits).

So if you have a $5000-$10,000 toy, you can pull this off. 
I guess that's chump change for serious thieves.  Read the full

Posted in Other Technology, Security | Leave a Comment »

Ready to buy that Xbox 360?

Posted by Xavier Ashe on November 22, 2005

Check here first:

The Best Buy Xbox Inventory Locator


Developed by Chris Lambert

Posted in For Fun, XBox Hacks | Leave a Comment »

Four new documents from NIST

Posted by Xavier Ashe on November 22, 2005

NIST is pleased to announce four new final

(1): An updated SP 800-40 (version ), Creating a Patch and Vulnerability Management Program;
(2): SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration
(3): SP 800-83, Guide to Malware Incident Prevention and Handling; and
(4): , Cell Phone Forensic Tools: An Overview and Analysis

Posted in Security | Leave a Comment »

Another reason not to use IE – 0-day exploit released today

Posted by Xavier Ashe on November 22, 2005

You IE viewers of my blog better wise up soon.  There is a 0-day
exploit out for IE, but no patch in sight.  Click on the light to
the left to download Firefox and surf the web safely.  F-Secure sums it up:

A group called “Computer Terrorism” has released a Proof-of-Concept
exploit for an unpatched Microsoft Internet Explorer vulnerability. The
exploit allows remote code execution on most Windows systems including
XP sp2. This vulnerability can e.g. be exploited if a user visits a web
site controlled by the attacker.

The flaw is related
to the JavaScript functionality in IE. So, one solution to this problem
is to disable Active Scripting in IE. Another solution would be to use
some other web browser. Also, as always, running as a restricted user
greatly limits the damage these kinds of attacks can cause.

Microsoft was informed about this bug in May. Earlier it was seen as a
denial-of-service vulnerability. MS has not released a patch yet but a Security Advisory on the issue is available.

Posted in Security | Leave a Comment »

Sue Sony… all the cool kids are doing it

Posted by Xavier Ashe on November 22, 2005

Greg Abbott, the attorney general for Texas, today filed a lawsuit against Sony BMG Music Entertainment,
alleging that its controversial (and now recalled) “XCP” anti-piracy
software violates the state's anti-spyware and consumer protection laws.

EFF filed its class-action lawsuit
against Sony in California state court, along with two leading national
class-action law firms. In its filing, EFF issued a statement praising
Sony for acknowledging problems with its XCP software, but said that
the company “has failed entirely to respond to concerns about MediaMax.”
“Music fans shouldn't have to install potentially dangerous, privacy
intrusive software on their computers just to listen to the music
they've legitimately purchased,” the EFF's Cohn said.

It looks like Massachusetts Attorney General Tom Reilly could also soon be going after Sony. Sarah Nathan,
a spokesperson for the Mass. AG, confirmed that Reilly's office is
investigating Sony BMG for possible violations of the state's consumer
protection laws, but she declined to comment further.

From Security Fix.

Posted in Other Technology, Privacy, Security | Leave a Comment »

Monkeys are Funny

Posted by Xavier Ashe on November 22, 2005

I posted a new photo to RandomPics.

Posted in For Fun | Leave a Comment »

9 Ways to Hack a Web App

Posted by Xavier Ashe on November 22, 2005

Learn why and how to build Java web apps secured from the most common security hacks.

#1: Unvalidated Input
#2: Broken Access Control
#3: Broken Account and Session Management
#4: Cross-Site Scripting (XSS)
#5: Buffer Overflow Errors
#6: Injection Flaws
#7: Improper Error Handling
#8: Insecure Storage
#9: Denial-Of-Service (DoS)
#10: Insecure Configuration Management

Good slide deck from Martin G. Nystrom at Cisco.  Posted on Astalavista.
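Two of the items in that list, unvalidated input (#1) and injection flaws (#6), are easiest to understand side by side in code. The block below is an added illustration, not material from Nystrom's deck; the deck targets Java, where the bound-parameter form is `PreparedStatement`, but the same pattern is shown here in Python with the standard-library sqlite3 module so it runs offline. The table rows, the allow-list regex and the function names are all constructed for the example.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """#6 Injection flaw: the caller's string becomes part of the SQL text,
    so quotes and operators inside it rewrite the query itself."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Bound parameter: the driver hands the value to the engine separately
    from the SQL, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list: what this application defines a username to be (constructed policy).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> str:
    """#1 Unvalidated input: accept only values matching the application's own
    definition, rather than trying to strip or escape 'dangerous' characters."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 3-32 chars: a lowercase letter, then letters/digits/_")
    return username


def lookup_hardened(conn: sqlite3.Connection, username: str):
    """Both layers together: validate at the trust boundary, bind the value in the query."""
    return lookup_parameterized(conn, validate_username(username))


# Constructed input: the classic tautology, which is not a username at all.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_demo_db()
    print(lookup_vulnerable(conn, INJECTION))      # every row comes back
    print(lookup_parameterized(conn, INJECTION))   # [] : compared as a literal string
    try:
        lookup_hardened(conn, INJECTION)
    except ValueError as err:
        print("rejected at the boundary:", err)
```

The two defences are independent and both are worth having: parameter binding removes the injection even when validation is missing or too loose, and allow-list validation keeps garbage out of every downstream component (logs, templates, other queries), not just this one statement.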

Posted in Security | Leave a Comment »

How Long Is Too Short for WPA Keys?

Posted by Xavier Ashe on November 21, 2005

George Ou pointed out a few days ago that a good key could be seven characters long:
He argues that there’s sufficient entropy with just seven characters
with A-Z, a-z, and 0-9—although WPA passphrases must be at least eight
characters long. He also omits punctuation, which would add more fuzz
into the system for those trying to crack keys.

His approach is fundamentally consistent with Robert Moskowitz’s much linked-to paper on key weaknesses in WPA passphrase choice.
In that Nov. 2003 paper, Moskowitz notes that dictionary-based short
passphrases have a high degree of weakness, but that random values
could be as short as 96 bits (which could be represented as 12 hex
characters) and still be resistant to brute force attacks.

From Wi-Fi Networking News.
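The argument above is an entropy budget: characters drawn uniformly from an alphabet of size N carry log2(N) bits each, so a policy is compared by multiplying out bits rather than by counting characters. The Python below, added here as a worked example and not part of the Wi-Fi Networking News post or the Moskowitz paper, computes the budget for the alphabets the post mentions, finds the length needed to reach a target such as 96 bits, and applies WPA's own 8-to-63 printable-ASCII passphrase bounds; the guessing rate used for the crack-time estimate is a constructed placeholder, not a measured figure.

```python
import math

# Alphabet sizes (exact counts) for the character sets discussed in the post.
ALPHABETS = {
    "digits": 10,
    "alnum": 62,       # A-Z, a-z, 0-9: the set George Ou's estimate uses
    "printable": 95,   # printable ASCII: alnum plus punctuation and space
    "hex": 16,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly at random from
    `alphabet_size` symbols. Valid only for random choice; a dictionary word
    or human-chosen string has far less, whatever its length."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def expected_guesses(bits: float) -> float:
    """On average a random key is found after half the keyspace is tried."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def policy_table(lengths=(7, 8, 12, 20)) -> list:
    """Rows of (alphabet, length, bits) for comparing passphrase policies."""
    return [(name, n, round(entropy_bits(size, n), 1))
            for name, size in ALPHABETS.items() for n in lengths]


if __name__ == "__main__":
    GUESS_RATE = 1_000_000  # constructed placeholder: guesses per second
    for name, n, bits in policy_table():
        print(f"{name:>9} x{n:<3} {bits:6.1f} bits  ~{years_to_crack(bits, GUESS_RATE):.3g} years")
    for name, size in ALPHABETS.items():
        print(f"96 bits needs {length_for_bits(size, 96)} {name} characters")
```

One detail the table makes visible: a hex character encodes exactly 4 bits, so a 96-bit random value is 24 hex characters, and 12 hex characters carry 48 bits. The entropy figures also assume a uniformly random choice; the dictionary weakness Moskowitz describes is precisely the case where that assumption fails.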

Posted in Security | Leave a Comment »

Elmo 0wned

Posted by Xavier Ashe on November 21, 2005

People have been asking for a HOWTO on messing with Elmo. This is all a
work in progress, but I will still share with you my findings so far.
There are a couple of things that are unknown at the moment, so if you
figure out something new, please be sure to contact me at the email
address above.

Knows Your Name is a semi-interactive audio player with several user inputs and audio output. It features a USB port for programming, and shows up as a HID (Human Interface Device).

I have not dared to crack open this device (it's tomorrow's present for
god's sake!), so I do not know what exactly is on board. I would expect a
very basic processor or programmable logic chip, coupled with some sort of
memory, and of course, a USB controller.

Go have some fun at Casey Halverson's blog.  Found via SecuriTeam's blog.

Posted in For Fun, Other Technology, Security | Leave a Comment »

Researching Information Security Issues

Posted by Xavier Ashe on November 21, 2005

Whenever researching information security issues via a search engine
such as Google, I am often presented with numerous marketing-oriented
pages from security product vendors. Sometimes this can be useful, but
usually what I want to see is information from technical resources,
such as security mailing lists, articles, and papers. That's why I am
experimenting with a custom-crafted search engine that one can create
via the Rollyo service, which allows you to limit your search to specific sites of interest.

You can try my focused Information Security search here:

This search scans articles, blog entries, and mailing list posts; the current list is maintained on my website.

From Lenny Zeltser at the SANS – Internet Storm Center.

Posted in Security | Leave a Comment »
