The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for January, 2006


Posted by Xavier Ashe on January 30, 2006

Many commercial websites may be attacked to overwrite or delete stored preferences, session identifiers, authentication data, cart contents – with results ranging from minor annoyances to a possibility of fraudulent activity, depending on site design (bugs #1 and #2).

On sites where authentication data is tied on a server to a session ID, the attacker may be able to acquire credentials by tricking the visitor to authenticate within a session initiated by the attacker (bugs #1 and #2).

Some websites may be susceptible to malicious-activity-by-proxy attacks (bug #3).

There is no immediate universal threat to life as we know it, but numerous web scripts are an easy target of specific variants of the attacks described below.

Read the full paper by Michal Zalewski on Astalavista.


Posted in Security | Leave a Comment »

On a personal note

Posted by Xavier Ashe on January 28, 2006

This blog has mainly been a place where I have shared interesting stories I have found while surfing the net.  I've built a strong readership (steady 1000-1500 unique readers a day), so you must like my choice of news.  I've created a new category called “Personal Note” where, when I can find the time, I will give some reflections and insights as a security consultant implementing a SIM product (Security Information Manager).  I will still keep up the stuff you've grown to love, but am ready to give more back to the community.

This week I have been in Washington, D.C. training for the SIM product NeuSecure, the product that I will be consulting with for my new job.  The product was originally developed by a company called Guarded.Net, which was purchased by Micromuse (makers of Netcool) in the fall of 2005.  The marriage was a good fit, since gathering security data and network health data had the same topology: gather data from numerous devices and give meaningful output.  Micromuse is now in the process of being bought by IBM and will be a division of the Tivoli team.

What I want to focus on today is how amazing NeuSecure is.  I've used ArcSight and a few other SIMs and log aggregators before, so I knew what I was getting into.  However, now that I know the power under the hood, my mouth is watering to go install this puppy everywhere.  The logic is dead-on when it comes to correlating data from Firewalls, NIPS, HIPS, routers, vulnerability scanners, virus scanners, spam blockers, content filters, VPN concentrators, identity management systems, physical security, server logs, wireless APs, wireless IPS… name it, NeuSecure can do it.  It not only puts all the data together properly, it decides who the “bad” guy is through a complex series of statistical correlation, frequency analysis, susceptibility correlation, and rules engines to find the needle in the haystack.  Truly amazing stuff.

What's also impressive is the client list.  While I can't give you exacts, let me tell you that a good majority of federal and military organizations use NeuSecure.  In fact, we just landed a deal with the Navy and EyakTek.  Many large telecoms and Fortune 500s use it too.  And this was with Guarded.Net, a small 50 person start-up.  Think what we will be able to do at IBM!

I think that my career has progressed forward and has led me to a nice pinnacle.  I have been installing and configuring security point products my entire career.  I spent the last few years architecting those solutions.  Now I am gathering data from hundreds or thousands of security point products and am able to see all the data.  It's the crown jewels of security analysis for large operations.

I would love to get some more feedback on my personal notes, so feel free to post your opinion and tell me what you think.  I will be relating more personal notes soon.  Next week I will be at an Army base on the East Coast.  I'll let you know how that goes.  I hope I didn't come across too much like a corporate cheerleader, but I'm very excited about my new job.

PS – I will be at the RSA Conference.  Come find me at the Micromuse booth!

Posted in Personal Note | Leave a Comment »

Boot Loader for PSP 2.5

Posted by Xavier Ashe on January 28, 2006

Fanjita states: We finally made a more solid breakthrough with the EBOOT loader for GTA tonight. Not only does the menu now work properly, but I've also managed to run the uo_SNES9x emulator, and play the Pilotwings ROM (the only one I have), on both v2.0 and v2.5.

This package allows you to run some standard PSP homebrew on any version of Grand Theft Auto, and PSP firmware version v2.0, v2.01 and

It's an initial test of the loader that doesn't support the full range of homebrew, but works well enough for an initial release.

It does NOT run on v2.60 firmware.

Please note also the new name for the EBOOT Loader – eLoader.

Download the file from our Server:


Posted in PSP Hacks | Leave a Comment »

wxRipper v1.2 and wx360 v1.6

Posted by Xavier Ashe on January 25, 2006

Gael360 released a new version of his tools to dump Xbox 360 discs with a PC DVD-drive using a hot-swap method (meaning you'll have to open your drive – see previous news). This is a translation from French to English of what he said on the gueux forums about the new release:

I've just released a big update of my tools; you will now be able to find the 'magic number' immediately, without having to scan an unknown Xbox 360 DVD.

So there's no longer a difference between known and unknown games, they will all be detected/dumped the same way.

The advantage of this method is that you will be able to use wx360 directly to open the content of the DVD without having to dump it first. After doing the hot-swap you'll just have to open wx360, select the DVD-drive and click the DVD icon.

wxRipper will thus have a feature to find the 'magic number' immediately, without scanning the Xbox 360 DVD. The features related to dumping did not change.

Posted in Tools, XBox Hacks | Leave a Comment »

Nyxem worm spreading quickly

Posted by Xavier Ashe on January 25, 2006

The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia.

If the worm keeps this pace, Friday the 3rd of February might be nasty – that's when the destructive payload is programmed to strike for the first time.

From Kaspersky:

We've just issued an alert for Nyxem.e, due to the number of reports we've been receiving for the past few days but also because of its destructive payload, which activates on the 3rd of every month.

According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (e.g.) Russia is becoming very small.

With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on the 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it's too late.

Sunbelt Blog does a good job of telling us why Nyxem is so bad.

Posted in Security | Leave a Comment »

Botmaster going down

Posted by Xavier Ashe on January 25, 2006

James Ancheta aka “Resjames” or “Botmaster” pleaded guilty in Los Angeles yesterday to running a botnet and selling bots.

He faces up to six years in prison. He will also have to pay restitution and give back about $60,000 and his BMW, bought with botnet money.

Ancheta was active in 2004. With another bot herder known as “SoBe”, they infected more than 400,000 computers.

They were making money by selling bots to spammers, and by signing up as affiliates in adware install programs run by Gammacash and Loudcash (both are owned by 180Solutions nowadays). This way they earned money every time they installed an adware program on an infected machine.

James Ancheta seems to be offline nowadays, but you can still find some of his old forum posts via Google. In this thread he has just rented a dedicated server from Sagonet, which he then used to run the IRC server to control his bots.

The court papers make a fascinating read, with snippets like these:

From F-Secure.

Posted in Security | Leave a Comment »

Massive busts of warez groups reported in Europe today

Posted by Xavier Ashe on January 25, 2006

Posted in Security | Leave a Comment »

Latest IPSec standard is easier to configure

Posted by Xavier Ashe on January 23, 2006

The new set of standards, IKEv2, requires less back-and-forth chatter between the devices, and because IKEv2 is less complex, it is considered less vulnerable to attack.

A key practical benefit is that because it is simpler, it will be easier to configure and deploy, making IPSec VPNs more attractive to smaller businesses that don't have the technical expertise to properly deploy the original IKE technology.

It is also good news for interoperability. Because the protocol is simpler, IKEv2 can make it easier to establish tunnels between VPN equipment made by different vendors. So VPNs among business partners, suppliers and customers are easier to set up.

Looks good… I've always disliked doing IPSEC VPNs, even though that's all I did for a year.  Read the full article on Network World.

Posted in Other Technology | Leave a Comment »

Wardriving with Nintendo DS

Posted by Xavier Ashe on January 23, 2006

I've idly used my Nintendo DS to look for hotspots with its limited WFC applications (like MKDS), but have wanted a more dedicated scanning application for a while. Enter DS2Key (Forum/DL here) – it's actually more of a wireless gamepad emulator so you can remotely control games and applications on your PC with your DS. Having some glitches in getting it set up, I checked out its “Wardriving” section (left in by default from Steven Stair's DSWifilib release). It quite adeptly displayed signal strengths, WEP status, MAC addresses and SSIDs for 6 networks around me. My wi-fi adapters only ever came up with 3.

Usefulness? Checking signal strengths (it auto-refreshes) for your networks, looking for DS hotspots for on-line play, and other (potentially more criminal) uses of course. Homebrew stuff just keeps getting cooler.


Posted in Security | Leave a Comment »

40 Websites Offering Telephone Calling Records and Other Confidential Information

Posted by Xavier Ashe on January 20, 2006

EPIC has released a list of 40 websites that sell your information, with screenshots showing what they advertise.  Download the entire list (PDF).  Here are a few:

  1. offers wireless, landline phone, and business phone records.
  2. offers call records and the actual identity of people who use screen names on AOL,,, Lavalife, and
  3. offers landline and wireless call records.
  4. offers wireless call records, and contains a representation reading “Former United States Federal Agents.”
  5. offers landline and wireless call records.

Posted in Privacy | Leave a Comment »

Windows Genuine Advantage Script Forced Offline

Posted by Xavier Ashe on January 20, 2006

Due to Microsoft's alleged claims of copyright-infringing activity, the script has been replaced with a copy of the letter received (in other words, unavailable). The script will remain offline for a maximum of ten (10) days unless Microsoft provides a better explanation as to the infringing activity, in which case it'll be taken down permanently.

I'll provide instructions and source code on how to set up your own “wga proxy” sometime today, stay awake.


From anti tgtsoft.

Posted in Security | Leave a Comment »

Strange Attractors and TCP/IP Sequence Number Analysis – One Year Later

Posted by Xavier Ashe on January 19, 2006

Over a year ago, I published a whitepaper titled “Strange Attractors and TCP/IP Sequence Number Analysis” – an attempt to evaluate TCP/IP sequence number generators in several mainstream operating systems by mapping the dynamics of the generated sequence numbers into a three-dimensional phase space. We demonstrated how this approach can be used to find many non-trivial correlations, and discussed why the results can be directly used to perform actual ISN prediction. This research, along with the research from Guardent, resulted in the release of CERT Advisory CA-2001-09 and several vendor bulletins.

The goal of this follow-up is to evaluate any subsequent security measures implemented by the vendors in this field since the release of the original publication, and to evaluate several systems that were not covered earlier. For the purpose of this document, we assume that the reader has read the original publication, and has an understanding of the methodology and terminology used.

Please note that the presented results are preliminary and should not be considered as a reliable metric for comparing the relative strength of the operating systems' ISN generators at this time.

Read the full article.
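The phase-space mapping the paper relies on (each ISN sample becomes a point built from the three most recent differences) is easy to reproduce on a sample of ISNs captured from a stack you are responsible for. The code below is an added example, not Zalewski's tooling: the three generators are constructed stand-ins for a fixed-increment, a jittered-increment and a fully random ISN source, and the coarse cell count and per-axis extent are simple stand-ins for the paper's own scoring, enough to tell a collapsed attractor from one that fills the cube.

```python
import random
from typing import Dict, List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
Point = Tuple[int, int, int]


def delta32(prev: int, cur: int) -> int:
    """Signed difference cur - prev in 32-bit wrap-around arithmetic,
    so a sequence number rolling over 2**32 still yields a small delta."""
    d = (cur - prev) & MASK32
    return d - (1 << 32) if d & 0x80000000 else d


def phase_space(isns: Sequence[int]) -> List[Point]:
    """Map consecutive ISN samples to the delayed-coordinate points the
    paper plots: x = s[n-2]-s[n-3], y = s[n-1]-s[n-2], z = s[n]-s[n-1]."""
    return [
        (delta32(isns[n - 3], isns[n - 2]),
         delta32(isns[n - 2], isns[n - 1]),
         delta32(isns[n - 1], isns[n]))
        for n in range(3, len(isns))
    ]


def distinct_cells(points: Sequence[Point], cell_bits: int = 24) -> int:
    """Count the distinct coarse cells occupied when each axis is binned to
    2**cell_bits units. Points that collapse onto a line or a blob occupy
    few cells; a well-spread cloud occupies nearly one cell per point."""
    return len({tuple(c >> cell_bits for c in p) for p in points})


def axis_ranges(points: Sequence[Point]) -> Point:
    """Extent (max - min) of the point cloud along each of the three axes."""
    xs, ys, zs = zip(*points)
    return (max(xs) - min(xs), max(ys) - min(ys), max(zs) - min(zs))


def assess(isns: Sequence[int], cell_bits: int = 24) -> Dict[str, object]:
    """Summarise how much of the phase space a sample of ISNs fills."""
    pts = phase_space(isns)
    return {"points": len(pts),
            "cells": distinct_cells(pts, cell_bits),
            "ranges": axis_ranges(pts)}


# Constructed sample generators (stand-ins, not captures from real stacks).
def constant_increment_isns(n: int, step: int = 64000, start: int = 0x1234) -> List[int]:
    """Each new connection gets the previous ISN plus a fixed step."""
    return [(start + step * i) & MASK32 for i in range(n)]


def jittered_increment_isns(n: int, seed: int = 1, step: int = 64000) -> List[int]:
    """Fixed step plus eight bits of randomness: still a tight cluster."""
    rng, out = random.Random(seed), [0x1234]
    for _ in range(n - 1):
        out.append((out[-1] + step + rng.randrange(256)) & MASK32)
    return out


def random_isns(n: int, seed: int = 1) -> List[int]:
    """A fresh 32-bit random value per connection: fills the cube."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("constant", constant_increment_isns(503)),
                         ("jittered", jittered_increment_isns(503)),
                         ("random", random_isns(503))):
        print(name, assess(sample))
```

To run this against a real stack, replace the constructed lists with ISNs read from a packet capture of successive connections; the deltas, not the raw values, are what the plot and the cell count look at.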

Posted in Other Technology | Leave a Comment »

DHS Funding Open Source Security

Posted by Xavier Ashe on January 17, 2006

From eWeek:

The U.S. government's Department of Homeland Security plans
to spend $1.24 million over three years to fund an ambitious software
auditing project aimed at beefing up the security and reliability of
several widely deployed open-source products.

The grant, called the “Vulnerability Discovery and Remediation Open
Source Hardening Project,” is part of a broad federal initiative to
perform daily security audits of approximately 40 open-source software
packages, including Linux, Apache, MySQL and Sendmail.

I think this is a great use of public funds. One of the limitations of
open-source development is that it's hard to fund tools like Coverity.
And this kind of thing improves security for a lot of different
organizations against a wide variety of threats. And it increases
competition with Microsoft, which will force them to improve their OS
as well. Everybody wins.

Read the full post on Bruce Schneier's Blog.

Posted in Security | Leave a Comment »

Independent online PSP network on the way?

Posted by Xavier Ashe on January 17, 2006

While there isn't any official word
on the rumor yet, Xbox-Scene reports that a commercial online PSP gaming
network could see the light of day sometime during the second quarter of 2006. The founders of XLink Kai, the popular
tunneling service for the Xbox, and the one mostly used to hook up multiplayer-hungry Halo players, could be
planning a similar centralized network for PSP games. If the news comes out to be true, gamers desperate for some good
online multiplayer sessions on their PSPs will no longer have to wait for developers to include infrastructure mode
into their titles. Players will be able to easily match up with others through the service via ad hoc mode instead,
which means that we'll all finally have a chance to perform random acts of violence and cruelty to each other in
Liberty City over the Internet. Oh joy!

From PSP Fanboy.

Posted in PSP Hacks | Leave a Comment »

Secure Elements Joins Google Enterprise Professional Program

Posted by Xavier Ashe on January 17, 2006

Secure Elements, Inc., a leader in
enterprise vulnerability management and compliance risk reduction solutions,
today announced it has been selected to join the Google Enterprise Professional
program, further extending the power of Google search to the security risk and
compliance management realm and helping customers achieve more value from their
Google enterprise search deployments by leveraging next generation security
solutions utilizing advanced search and indexing techniques.

“The Google Enterprise Program enables Secure Elements
to provide advanced search and index capabilities with our C5 Enterprise
Vulnerability Management Suite,” said Ned Miller, chief executive officer for
Secure Elements.  “Much press has been given to how hackers can utilize search
capabilities for nefarious purposes, so we decided to identify ways to use
advanced searching to advance the state of the art for decision support
processes focused on assessment, compliance and remediation actions. Google’s
enterprise search products offer the same quality and search experience as
people receive with”

Read the full Press Release.

Posted in Security | Leave a Comment »

Stream DivX Movies to your Xbox 360

Posted by Xavier Ashe on January 17, 2006

this article shows how to stream DivX (and XviD) movies to an XBox 360 using a Media Center. for the picky people, it doesn't actually stream DivX … it converts to WMV on the fly to stream. the core process for accomplishing this is taken from a thread found on the XBox forums : Playing DivX movies without having to Re-encode, through media centre and this might be the original post (in German) : Divx mit Mediaencoder auf die Xbox360 streamen!, so they get credit for pioneering this approach. it works fine, but has the disadvantage that you have to manually set up the encoding process on your Media Center and then move over to the XBox 360 to watch it. so all this article really does is provide an MCE interface so you can control everything from your XBox 360 being used as an MCE Extender. i.e. it's for lazy people. it was also an excuse for me to write a ListMaker AddIn for MCE … which i hadn't done yet. not to mention my MCE setup doesn't have a TV Tuner and only has 32 megs of video RAM, so i cannot play video on it at all 😦

From  Be patient, Digg effect in force.

Posted in XBox Hacks | Leave a Comment »

Best of Q&A from Webcast: Implementing Exchange Server 2003 Security

Posted by Xavier Ashe on January 17, 2006

I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Implementing Exchange Server 2003 Security (Part 1 of 2).  BIG thank you to Harold Wong and Blain Barton for handling the Q&A on the backend, and whose work this really represents.

From Kevin Remde at Microsoft.  Here's a few of the questions that are answered:

  • “In order to secure our Exchange infrastructure, we plan to install SP2 on the passive node Exchange cluster. Is there a problem for SP1 and SP2 to co-exist in an Exchange Clustering environment for some time (if fail-over occurs)?”
  • “Was it recommended that ExBPA NOT be run on an Exchange server?”
  • “I cannot uninstall IMF v.1. I read in order to do it you have to login using the account that was used to install it, then try to uninstall it thru Add/Remove Programs? Is that true?”
  • “What if I do not know which account was used? Any administrator account including local admin should be able to do it. Is there a way to know which account was used?”

Posted in Security | Leave a Comment »

WMF nDay download() Exploit Generator

Posted by Xavier Ashe on January 17, 2006

We received notification last night that a working exploit “MS Windows Metafile (WMF) Remote File Download Exploit Generator” has been released to the public.  The code takes advantage of the “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution”, MS# MS06-001. The exploit code will generate a .wmf that downloads and executes a specified URL. The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with. And only 10 days after a patch has been released.

Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants coming very soon. The group responsible for this release is well-known for this.

From the SANS Internet Storm Center.  I did some Blingo-ing and found that it was the Unl0ck Research Team who released the WMF nDay download() Exploit Generator.

Posted in Security | Leave a Comment »


Posted by Xavier Ashe on January 17, 2006

For those of you that don’t know, Blacklisted!411 is the best hackers zine in the hacking community. Not only do they offer a handy paper version (Current Edition Volume 8 Issue 1 Winter 2005 – 2006), they also create a totally different online version to feed the need in between paper distributions.

In this issue you can find my articles entitled:

  • Hacking Cryptograms 101: Quid Pro Quo
  • Communication: Coded Conversation

and the two cryptogram challenges I created for this issue!

Direct Download (PDF MD5)

From Israel Torres.

Posted in Security | Leave a Comment »

TaoSecurity at ShmooCon

Posted by Xavier Ashe on January 17, 2006

As soon as I returned from DoD Cybercrime, I headed to ShmooCon. I attended last year but didn't speak. This year David Bianco and I presented Network Security Monitoring with Sguil. I was very surprised by the number of people who attended our talk. I hope you liked it. I brought about 30 books provided by various publishers over the years, and distributed them in an ad-hoc manner at the end of the talk. If you received a book, I would very much appreciate seeing a review posted to

Four aspects of ShmooCon stand out.

  1. The Shmoo Group threw tons of manpower at this conference. I saw red shirts everywhere. This was welcome and unlike any other conference I've attended.
  2. The quality of the talks was very good. They were not all stellar, but the value for the money is absolutely unparalleled.
  3. I have not spoken with so many recognized speakers, authors, and researchers anywhere else. I personally shared at least a few words with Eric Cole, Jenifer Granick, Greg Hoglund, Brian Krebs, Dan Langille, Dru Lavigne, Ike Levy, Johnny Long, Mike Poor, Mike Rash, George Rosamond, Marcus Sachs, Ed Skoudis, and Visigoth. Several Sguil users were there, including #snort-gui regulars like Hanashi (with whom I presented), nr, snortboy, and transzorp. Many people were kind enough to say hello, and one even gave me a coin from his three letter .gov
  4. Many of the talks are available for sale in DVD format from Media Archives. I am sure their Web site will be updated to reflect ShmooCon soon, but I already see my talk in their catalog.

UPDATE: I typically post the source of the story, but somehow missed adding the link.  TaoSecurity is written by Richard Bejtlich and is a good blog to read on a daily basis.  The source for the story above is here and gives a good review of the fun things to be had at ShmooCon.

Posted in Security | Leave a Comment »
