The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for February, 2006

SIMCon retrieves deleted SMS messages

Posted by Xavier Ashe on February 27, 2006

SIMCon is a program that allows the user to
securely image all files on a GSM SIM card to a computer file with a
standard smart card reader. The user can subsequently analyze the
contents of the card including stored numbers and text messages.

Some of SIMCon's features:

– Read all available files on a SIM card and store in an archive file
– Analyze and interpret content of files including text messages and stored numbers
– Recover deleted text messages stored on the card but not readable on phones
– Manage PIN and PUK codes
– Print report that can be used as evidence based on user selection of items
– Secure file archive using hashing
– Export items to files that can be imported in popular spreadsheet programs
– Supports international charsets

SIMCon is made for use within law enforcement and is the investigating
officer's number one choice for securing evidence on SIM cards and
presenting it in court. SIMCon can, however, be a valuable tool for others
who need to secure evidence from SIM cards and recover items such as
deleted text messages. SIMCon is available for Microsoft Windows only.
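The "deleted but not readable on phones" feature comes down to how EF_SMS is laid out on the card: GSM 11.11 / 3GPP TS 51.011 stores each short message in a fixed 176-byte record whose first byte is a status (0x00 = free, 0x01 = received and read, 0x03 = unread, 0x05 = sent, 0x07 = to be sent), followed by the SMSC address and the raw TS 23.040 TPDU. A handset that "deletes" a message by clearing the status byte to 0x00 leaves the TPDU in place, so a raw image of the file still contains it even though the phone's UI skips free records. The parser below is an added example, not SIMCon's code; it assumes exactly that deletion behaviour, decodes only 7-bit SMS-DELIVER records, and the EF_SMS image it walks is constructed for the demonstration rather than dumped from a real card.

```python
"""Parse a raw EF_SMS image from a GSM SIM and list records, including ones marked deleted.

Added example, not SIMCon's code. Layout follows GSM 11.11 / 3GPP TS 51.011 (176-byte records,
status byte first) and TS 23.040 (SMS-DELIVER TPDU). Only 7-bit default-alphabet SMS-DELIVER
records are decoded; SAMPLE_IMAGE at the bottom is constructed, not a real card dump.
"""
RECORD_LEN = 176
STATUS = {0x00: "free (deleted or never used)", 0x01: "received, read",
          0x03: "received, unread", 0x05: "sent", 0x07: "to be sent"}


def gsm7_pack(text):
    """Pack text into GSM 03.38 7-bit septets (only characters that share ASCII codes)."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def gsm7_unpack(data, septets):
    """Inverse of gsm7_pack: recover `septets` characters from packed bytes."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))
            bits >>= 7
            nbits -= 7
    return "".join(out)


def encode_address(number):
    """International number -> (digit count, type-of-address 0x91, swapped-nibble BCD)."""
    digits = number.lstrip("+")
    padded = digits + "F" if len(digits) % 2 else digits
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return len(digits), 0x91, bcd


def decode_address(ndigits, bcd):
    """Swapped-nibble BCD back to '+digits', dropping the 0xF filler nibble."""
    return "+" + "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in bcd)[:ndigits]


def build_record(status, sender, text, scts=bytes.fromhex("99309251619580")):
    """Constructed 176-byte record: status | SMSC address | SMS-DELIVER TPDU | 0xFF padding."""
    _, sca_toa, sca_bcd = encode_address("+27381000015")   # sample SMSC number, constructed
    smsc = bytes([len(sca_bcd) + 1, sca_toa]) + sca_bcd    # length counts TOA byte + BCD bytes
    ndig, toa, bcd = encode_address(sender)
    tpdu = (bytes([0x04, ndig, toa]) + bcd                 # first octet MTI=DELIVER, TP-OA
            + bytes([0x00, 0x00]) + scts                   # TP-PID, TP-DCS (7-bit), TP-SCTS
            + bytes([len(text)]) + gsm7_pack(text))        # TP-UDL in septets, TP-UD
    return (bytes([status]) + smsc + tpdu).ljust(RECORD_LEN, b"\xff")


def parse_record(rec):
    """Decode one record, or None if it is blank. Status 0x00 with a non-blank body is the
    'deleted on the handset but still on the card' case a forensic tool recovers."""
    status = rec[0]
    if set(rec[1:]) <= {0x00, 0xFF}:
        return None                                   # never written, or wiped
    p = 1
    p += 1 + rec[p]                                   # skip SMSC address (length, TOA, BCD)
    first_octet = rec[p]
    p += 1
    entry = {"status": STATUS.get(status, f"unknown 0x{status:02x}"), "deleted": status == 0x00}
    if (first_octet & 0x03) != 0x00:                  # MTI other than SMS-DELIVER (e.g. SUBMIT)
        entry["text"] = "<only SMS-DELIVER decoded here>"
        return entry
    ndig = rec[p]
    nbcd = (ndig + 1) // 2
    entry["sender"] = decode_address(ndig, rec[p + 2:p + 2 + nbcd])
    p += 2 + nbcd                                     # TP-OA length, TOA, BCD digits
    dcs = rec[p + 1]
    p += 2 + 7                                        # TP-PID, TP-DCS, TP-SCTS (not decoded)
    udl = rec[p]
    p += 1
    if (dcs & 0x0C) == 0x00:                          # general DCS, 7-bit default alphabet
        entry["text"] = gsm7_unpack(rec[p:p + (udl * 7 + 7) // 8], udl)
    else:
        entry["text"] = "<non-7-bit DCS not decoded>"
    return entry


def list_records(image):
    """Walk a whole EF_SMS image; return (record number, decoded entry) for non-blank records."""
    out = []
    for n, off in enumerate(range(0, len(image), RECORD_LEN), start=1):
        entry = parse_record(image[off:off + RECORD_LEN])
        if entry:
            out.append((n, entry))
    return out


# Constructed image: one read message, one the handset "deleted" by clearing only the status
# byte, and one record that was never used.
SAMPLE_IMAGE = (build_record(0x01, "+27838890001", "hellohello")
                + build_record(0x00, "+27838890001", "meet at 9, bring the keys")
                + b"\xff" * RECORD_LEN)

if __name__ == "__main__":
    for n, e in list_records(SAMPLE_IMAGE):
        print(n, e)
```

Record 2 is the interesting one: its status says "free", which is why a phone will not display it, but the sender and text decode normally. A wiped record (all 0xFF, or all zero) is the case where nothing is recoverable, and the parser reports nothing rather than garbage.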


Posted in Security, Tools | Leave a Comment »

Inside Security Rescue Toolkit

Posted by Xavier Ashe on February 24, 2006

INSERT (the Inside Security Rescue Toolkit) aims to be a multi-functional, multi-purpose disaster recovery and network analysis system. It boots from a credit card-sized CD-ROM and is basically a stripped-down version of Knoppix. It features good hardware detection, fluxbox, emelfm, links-hacked, ssh, tcpdump, nmap, chntpwd, and much more. It provides full read-write support for NTFS partitions (using captive), and the ClamAV virus scanner (including a fairly recent signature database and a GUI). It also has a network boot facility.

  • full read-write support for NTFS-partitions using captive and linux-ntfs
  • support for various file system types:
  • net based: NFS, SMBFS, CIFS, NCPFS, SSHFS, AFS
  • support for linux software RAID and LVM2
  • support for WLAN adapters
  • network analysis (e.g. nmap, tcpdump)
  • disaster recovery (e.g. gparted, gpart, partimage, testdisk, recover)
  • virus scanning (Clam Antivirus with GUI avscan)
  • computer forensics (e.g. chkrootkit, foremost, rootkit hunter)
  • surf the internet (e.g. the web browser dillo [enhanced version], the graphical FTP client gFTP)
  • network boot server to boot network boot enabled clients that cannot boot from the CD (insert-remote)
  • installation on a USB memory stick (usb-install)
  • based on Linux kernel and Knoppix 4.0.2

Get it from Inside Security.

    Posted in Security, Tools | Leave a Comment »

    Interview: John the Ripper 1.7, by Solar Designer

    Posted by Xavier Ashe on February 24, 2006

    Should we use password generators?

    …Now, this may sound like there's almost no way for an average person to
    pick secure passwords and for a system administrator to enforce the use
    of strong passwords (or passphrases). Luckily, there's a tool I wrote
    to help the situation. It's
    pam_passwdqc, a password
    strength checking module for the PAM (Pluggable Authentication Modules) framework.
    pam_passwdqc works on Linux, FreeBSD 5+ (in fact, it's been integrated
    into FreeBSD), Solaris, HP-UX 11+, and reportedly on recent versions of
    IRIX. Additionally, Damien Miller has developed a
    plugin password
    strength checker for OpenBSD's /usr/bin/passwd that uses the password
    complexity checking code from pam_passwdqc.

    What new features does the latest version 1.7 of
    John the Ripper include?

    Solar Designer:
    The new “features” this time are primarily performance improvements
    possible due to the use of better algorithms (bringing more inherent
    parallelism of trying multiple candidate passwords down to processor
    instruction level), better optimized code, and new hardware capabilities
    (such as AltiVec available on PowerPC G4 and G5 processors).

    Read the full interview on SecurityFocus.

    Posted in Security | Leave a Comment »

    Official CISSP Study Guide riddled with plagiarism

    Posted by Xavier Ashe on February 23, 2006

    The official study guide for the CISSP Exam, created by (ISC)² appears to plagiarise several other works.

    The plagiarism was first noted by Dr Michael Workman, from the College of Information at Florida State University.

    On page 406 of the guide it states, “One of the main problems with
    simple substitution ciphers is that they are so vulnerable to frequency
    analysis…” It now appears this material was taken directly from the
    paper “The Vigenere Cipher”.

    Security Dump has the scoop.

    Posted in Security | Leave a Comment »

    DNS as an IDS sensor

    Posted by Xavier Ashe on February 23, 2006

    SURFnet is looking for technologies to expand the ways they can detect network traffic anomalies like botnets. Since bots started using domain names for connection with their controller, tracking and removing them has become a hard task. This research is a first glance at the usability of DNS traffic and logs for detection of this malicious network activity. Detection of bots is possible from DNS information gathered from the network by placing counters and triggers on specific events in the data analysis. In combination with NetFlow information and IP addresses of known infected systems, detection of bots or network anomalies can be made visible. Also, the behavior of a bot can be documented and additional information can be gathered about the bot. Using DNS data as a supplement to the existing detection systems can give more insight into the suspicious network traffic. With some future research, this information can be used to compile a case against particular types of bot or spyware and help dismantle a remote-controlled infrastructure as a whole.

    Read the full paper (PDF) by Antoine Schonewille and Dirk-Jan van Helmond from the University of Amsterdam.  This is the second research paper I have seen in the last month dealing with DNS's role in detecting malware.  This is the kind of research that helps products like NeuSecure become more accurate.
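What "counters and triggers on specific events" looks like in practice, as an added example (not code from the paper or from NeuSecure): two triggers run over DNS query-log lines, one that counts distinct clients resolving the same name inside a short window (bots polling a controller name fan out like this; ordinary users rarely do), and one that uses the paper's other input, a list of known-infected addresses, to taint the names those hosts resolve and report any other host that resolves them. The line format assumed is BIND 9's query log; the log lines, the allow list of names expected to fan out anyway, and the known-infected address are all constructed for the demonstration.

```python
"""Counters and triggers over DNS query logs to surface bot-like lookups.

Added example, not the paper's or NeuSecure's code. Expects BIND 9 query-log lines; the log,
the allow list and the known-infected address below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Assumed: names many hosts are expected to resolve at once, so they never trigger.
ALLOW = {"google.com", "windowsupdate.com", "example.org"}


def parse_log(lines):
    """Yield (timestamp, client ip, lower-cased qname) for each line in BIND query-log shape."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["qname"].lower().rstrip(".")


def base_domain(qname):
    """Last two labels: a crude registrable-domain cut that is enough for the sample data."""
    return ".".join(qname.split(".")[-2:])


def fanout_trigger(events, window_s=60, min_clients=4):
    """Counter + trigger: one name resolved by >= min_clients distinct hosts within window_s
    seconds. Returns {qname: sorted client ips} for every name that trips it."""
    by_name = defaultdict(list)
    for ts, ip, qname in events:
        if base_domain(qname) not in ALLOW:
            by_name[qname].append((ts, ip))
    hits = {}
    for qname, seen in by_name.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            clients = {ip for ts, ip in seen[i:] if (ts - t0).total_seconds() <= window_s}
            if len(clients) >= min_clients:
                hits[qname] = sorted(clients)
                break
    return hits


def taint_trigger(events, infected):
    """Correlation trigger: names resolved by known-infected hosts become suspect names, and
    every other host that resolves one of them is reported with the names it touched."""
    events = list(events)
    suspect_names = {q for _, ip, q in events if ip in infected and base_domain(q) not in ALLOW}
    suspects = defaultdict(set)
    for _, ip, q in events:
        if q in suspect_names and ip not in infected:
            suspects[ip].add(q)
    return suspect_names, {ip: sorted(names) for ip, names in suspects.items()}


# Constructed log: four hosts poll one name within seconds; 10.0.0.21 is already known infected.
SAMPLE_LOG = """\
06-Feb-2006 10:00:01.001 client 10.0.0.11#1025: query: www.google.com IN A +
06-Feb-2006 10:00:03.120 client 10.0.0.21#1026: query: irc.bot-sample.invalid IN A +
06-Feb-2006 10:00:05.300 client 10.0.0.22#1027: query: irc.bot-sample.invalid IN A +
06-Feb-2006 10:00:07.404 client 10.0.0.23#1028: query: irc.bot-sample.invalid IN A +
06-Feb-2006 10:00:09.511 client 10.0.0.24#1029: query: irc.bot-sample.invalid IN A +
06-Feb-2006 10:00:12.000 client 10.0.0.12#1030: query: www.example.org IN A +
06-Feb-2006 10:00:15.000 client 10.0.0.13#1031: query: www.google.com IN A +
06-Feb-2006 10:00:20.000 client 10.0.0.21#1032: query: update.c2-sample.invalid IN A +
06-Feb-2006 10:00:25.000 client 10.0.0.31#1033: query: update.c2-sample.invalid IN A +
06-Feb-2006 10:00:30.000 client 10.0.0.14#1034: query: www.google.com IN A +
""".splitlines()

EVENTS = list(parse_log(SAMPLE_LOG))
KNOWN_INFECTED = {"10.0.0.21"}

if __name__ == "__main__":
    print("fan-out:", fanout_trigger(EVENTS))
    print("tainted:", taint_trigger(EVENTS, KNOWN_INFECTED))
```

The fan-out trigger alone catches the four hosts polling irc.bot-sample.invalid but misses 10.0.0.31, which only shares a name with one known-bad host; the taint trigger catches it, which is the point of feeding known-infected addresses into the DNS analysis. Both triggers need the allow list, or popular names would fire constantly; in production that list would be the site's own top talkers rather than three literals.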

    Posted in Security | Leave a Comment »

    InqTana Bluetooth Worm

    Posted by Xavier Ashe on February 23, 2006

    member Kevin has published a paper
    detailing the techniques he used in the development of the InqTana
    Bluetooth worm that targets vulnerable Mac OS X systems. There has been
    significant confusion surrounding this worm, so here are some salient

    • The concurrent release of the OS X Leap.A and InqTana.A worms is coincidental
    • There is no conspiracy, AV vendors and Apple were notified about
      Kevin's progress in developing this worm in advance of making details
      publicly available
    • Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 and APPLE-SA-2005-06-08
    • InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the worm could easily spread silently

    Kevin's paper is available at Comments can be directed to the BlueTraq
    mailing list. Our sympathies to those organizations who were affected
    by the false-positive signatures published by overzealous AV companies.

    From the

    Posted in Security | Leave a Comment »

    Wireless Patent Fight

    Posted by Xavier Ashe on February 22, 2006

    AirDefense, the innovator that launched the wireless LAN security
    market, today announced it has invoked an interference action against a
    patent application accelerated by AirTight Networks related to
    “Monitoring a selected region of an air space associated with local
    area networks of computing devices” (U.S. patent No. 7,002,943).
    AirDefense has several pending patent applications which claim the same
    subject matter in the area of wireless intrusion protection. The
    AirDefense patents were filed in June 2002, predating the AirTight
    patent application which was filed in October 2004.

    This AirDefense press release, issued today, came one day after AirTight announced winning the patent:

    AirTight Networks™, the leading provider of wireless
    perimeter security solutions, today announced that the
    U.S. PTO (Patent and Trademarks Office) has issued U.S.
    patent No. 7,002,943 to AirTight Networks for a “METHOD
    This patent granted by the US PTO covers technologies that
    are key elements of wireless intrusion detection or

    This should be interesting.  I evaluated the technologies about a year ago and found AirTight to be a good step ahead of AirDefense when it came to technology and ease of use.  I was Director of Security Solutions at Microtek Systems, Inc. at the time and we decided to partner with AirTight.  I was very happy with both the product and the company as a VAR.  I will rattle the cage over at AirTight and see if I can get an inside scoop.  From the looks of it, AirTight has won and AirDefense is crying foul.  I'll keep you posted.

    Posted in Security | Leave a Comment »

    eLoader "Brown Ale" Released!

    Posted by Xavier Ashe on February 22, 2006

    Break out the brewsk! Today marks the next chapter in the story of PSP Homebrew! Ditlew and our own forum moderator Fanjita have released the latest version of their groundbreaking homebrew launcher eLoader, which
    is code named “Brown Ale”. Brown Ale is the final (non-beta) version of
    eLoader v0.9.5, and all future releases will be named after beer styles
    – just to keep things fun.

    The beta release of eLoader
    showed us that homebrew was possible on 2.60 firmware, but Brown Ale
    brings it to the next level and is now on par with the 2.0 Firmware
    EBOOT Loader. That means that 2.60 users can enjoy all the homebrew
    that 2.0 users have been playing for quite some time.

    But they
    didn’t stop there. Aside from the increased compatibility and stability
    of Brown Ale, it also replaces the old 2.0 EBOOT Loader, and is an
    all-in-one program for launching homebrew on 2.0 firmware and above.
    Some new programs also work with the new eLoader such as the GBA emulator, but don’t be surprised if some programs that used to work don’t. WiFi
    is still not accessible using the GTA exploit on 2.01+ firmware so
    programs that make use of the PSP’s WiFi abilities will not work.

    Another new addition to eLoader is the built in installer which will make it a snap to install to your PSP’s memory stick. Just plug your USB connection into your PSP, turn on USB Mode and then run the eLoader program. If you need more help with this program, be sure to visit our eLoader Forum. You can find a frequently updated list of compatible homebrew programs [here].

    • Integrated release, supporting both TIFF and GTA launch methods
    • Automatic installer for Windows users
    • Stable support for all v2.0+ firmwares – no more special voodoo required to improve reliability
    • More memory for applications
    • Lots of bug fixes
    • And the much requested support for PSP-GBA

    eLoader requires the ‘Grand Theft Auto: Liberty City Stories’ UMD to be
    inserted in the PSP for 2.01 firmware and above to work.


    Posted in PSP Hacks | Leave a Comment »

    Looong Week

    Posted by Xavier Ashe on February 20, 2006

    Well I survived RSA.  Had the thought occurred to me that I would be touching 20 million hands and all associated germs, I would have come armed with anti-bacterial ointment.  Unfortunately, I got the funk.  Just a touch of the cold that made Thursday and Friday real tough.

    Anyhow, RSA was decent.  I talked to lots of people that are currently evaluating SIM technology and others who, after talking with me, were interested enough to schedule a follow-up with a salesperson.  Overall I think it was a great exercise for our business.  Interestingly enough, we were right across the hall from ArcSight.  They are a common competitor at various POCs and bake-offs.  I have only been working about 2 months, so I haven't got any personal stories, but every NeuSecure SE has a nasty story about ArcSight.  Either how they were just smug and unprofessional, or did something underhanded or unethical.  Now that I think about it I do have a story that happened at RSA.  Apparently a product manager from ArcSight registered at RSA with a fake name and company.  She walked up to our booth and asked for a demo.  Another SE, who didn't know her personally and did not recognize her, started giving her a demo of our product.  Our product manager walked up and DID know her face and busted her outright.  She blushed a bit and tried to play it off.  She remained professional about it, but it was so unethical.  We would have told her plenty if she had been upfront, but she had to be sneaky.

    As you read in my earlier post, I became an IBM employee on Wednesday morning.  I went to the “IBM First Day” activities on Friday in San Francisco.  We had some web casts from our new director, Al Zollar.  He confirmed what we've been hearing all along, that the Micromuse acquisition is adding talent and capabilities to the Tivoli team and that he wants to keep the people that made Micromuse and NetCool a market leader.  He stressed that recent Micromuse acquisitions (that's us… the NeuSecure team) are also wanted and will be an even greater addition to Tivoli.  We also saw a standard “Welcome to IBM” that shows how awesome of a company IBM is.  Usually I roll my eyes at such a video, but it’s true.  Everyone I have talked to that works for IBM is very happy, and many of those folks came through an acquisition.  So I am looking forward to my tenure at IBM.

    I rambled on enough.  There wasn't really anything of newsworthiness at RSA.  It was good to connect to some business partners and meet lots of other security folks.  Thanks to all those who read my blog for coming by and saying hi.  It's good to know someone real is reading it and not a bunch of spiders.  Thanks.

    Posted in Personal Note | Leave a Comment »

    Officially an IBMer

    Posted by Xavier Ashe on February 15, 2006

    The powers that be have finalized the IBM acquisition of Micromuse.  The Netcool suite will become part of IBM Tivoli, including the SIM product NeuSecure.  You can read the full press release on Yahoo Biz.  They are about to open the doors here at RSA, so I'll post more later.

    Posted in Personal Note | Leave a Comment »

    PassMe Nintendo DS Mod Chip

    Posted by Xavier Ashe on February 13, 2006

    PassMe is a device designed by
    Natrium42 based on the first DS passthrough made by DarkFader using
    an FPGA dev kit. It redirects the DS to a GBA flash cart, so you can
    run your own programs (ROMs) on the Nintendo DS. For PassMe to work it
    requires the use of a commercial NDS cart (for authentication) and a
    GBA flash cart to hold your DS programs.

    PassMe gives you the ability to test your programs on
    the DS hardware, not just in an emulator, and allows you to download
    demos from the internet and play them on your DS.

    Initially PassMe did NOT work with commercial ROM dumps, but that was
    only until Golden Sun Team (GST) released specially patched NDS ROMs
    that DO work with PassMe and the NeoFlash Magic Key (a PassMe clone). Some
    sites that sell PassMe still say that commercial NDS ROMs will not work
    with it just to get Nintendo and the ESA off their backs.

    Posted on

    Posted in Other Technology | Leave a Comment »

    ISC2 Reception on February 15th at RSA conference

    Posted by Xavier Ashe on February 13, 2006

    (ISC)2 Reception, February 15th
    RSA goers, don’t forget to
    join (ISC)2 for a reception during the RSA Conference 2006 at the McEnery
    Convention Center in San Jose, California, in the Hilton Almaden Ballroom
    (attached to the McEnery Convention Center) from 6:30 p.m. – 8:00 p.m.

    Come along and:

    • Listen to Dr. Ken Knapp cover highlights from the 2005
      Auburn Study
    • Pick up a copy of the 2006 Resource Guide, Global Edition
    • Share feedback with (ISC)2 staff and board members
    • Network with fellow
    • Win prizes

    To attend, please register with Lorraine Roscoe at

    (ISC)2 Panel Discussion, February 16th
    Join us as
    top security experts discuss ‘CISOs – the next generation’ at (ISC)2's panel on
    Thursday, February 16, at 2 p.m. in the Marriott – San Jose II at the McEnery
    Convention Center.

    Distinguished panelists will include:

    • Jane Scott Norris, MS, CISSP, CAP,
      CISM, CISO, U.S. Department of State
    • James R. Wade, CISSP-ISSAP, ISSMP,
      CHSIII, Executive Director and COO, International Information Integrity
      Institute (I-4)
    • Thomas E. Marshall, PhD, Associate Professor of MIS, Auburn
    • Betty Pierce, GSLC, ISSA International Ethics Committee

    The panel will review the qualifications and experience
    necessary to become a CISO and offer their views on where they believe the next
    generation of CISOs will come from.
    And don’t forget to stop by the (ISC)2 booth (#2009) for information and your
    chance to win exciting prizes. We look forward to seeing you!
    Sarah Bohne, Director of Communications & Member Services


    Posted in Security | Leave a Comment »

    RSA Bound

    Posted by Xavier Ashe on February 12, 2006

    Blogging will be a bit light as I head to San Jose for RSA.  I hope to bring you some interesting finds while at the conference.  Micromuse will have a booth, so come by and say hi.  Send an email to my blackberry if you're at the show and want to meet up.  Micromuse will be making a few announcements about NeuSecure enhancements and maybe some news about a small company called IBM.

    Posted in Personal Note | Leave a Comment »

    LA Police to Test GPS Darts During Car Chases

    Posted by Xavier Ashe on February 10, 2006

    Police officers in Los
    Angeles, Calif., the “car-chase capital of the world,” are testing a
    Global Positioning System (GPS)-enabled dart as part of the Los Angeles
    Police Department’s strategy to end high-speed pursuits, the Associated Press (AP) reports.

    The “dart” would be fired from a police car onto a fleeing vehicle,
    where it would stick, allowing officers to follow the vehicle at a
    safer distance.

    “Instead of us pushing them doing 70 or 80 miles an hour, this
    device allows us not to have to pursue the car,” William J. Bratton,
    LA’s chief of police, told the AP.  “It allows us to start vectoring
    where the car is.”

    How cool is that… reminds me of James Bond.  From CSO

    Posted in For Fun, Other Technology | Leave a Comment »

    Attack code published for Firefox flaw

    Posted by Xavier Ashe on February 10, 2006

    On Tuesday a hacker published code that exploits a vulnerability found in the latest version of Mozilla's Firefox browser.

    The code, which targets the Firefox 1.5 browser, was posted Tuesday on The Metasploit Project site by a hacker known as H D Moore. Metasploit is a widely used hacking tool.

    Moore said that a hacker by the name of Georgi Guninski reported the flaw to the Mozilla Foundation on Dec. 6 of last year,
    and that he had simply implemented and posted the technique described by Guninski.

    Mozilla published an advisory
    about the exploit last Wednesday as it released the Firefox
    browser, which included a patch for the flaw. According to the
    advisory, the vulnerability, which had been rated as moderate, causes a
    corruption in the browser's memory that could be exploitable to run
    arbitrary code. Specifically, calling the “QueryInterface” method of
    the built-in Location and Navigator objects of the browser could allow
    a hacker to take over a Firefox 1.5 user's system by tricking the user
    into viewing a maliciously encoded Web page.

    From Network World.

    Posted in Security | Leave a Comment »

    Treo650 Bluetooth Dial Up Networking Hack

    Posted by Xavier Ashe on February 7, 2006

    When PalmOne released the Treo 650 smartphone for Sprint PCS and Cingular, they had to obey the carriers' requests to disable the DUN (Dial Up Networking) profile for Bluetooth. Why they did this is a matter of debate, but regardless the functionality was already there. They just disabled it. Thus I set out to figure out how they disabled it and how to fix it.

    Once digging through the files in the 650's ROM I quickly found the “btmanager” overlays which showed the DUN option, proving that it was built in. I then referenced the control to the “btmanager.prc” code and found where it was called. While tracing through I found a subroutine that did nothing other than “hide” the control. So I just eliminated the two calls to this routine by “NOPing” them.

    Read the full article on

    Posted in Other Technology, Security | Leave a Comment »


    Posted by Xavier Ashe on February 6, 2006

    Posted in Random Pics | Leave a Comment »

    NSA's "Super Secret" toolset

    Posted by Xavier Ashe on February 6, 2006

    I posted a new photo to RandomPics.

    Posted in For Fun, Security | Leave a Comment »

    Botnet Detection and Response

    Posted by Xavier Ashe on February 6, 2006

    I have come across an interesting slide deck from David Dagon at Georgia Tech (Go Jackets!) titled Botnet Detection and Response.  He analyzes the DNS queries a bot makes compared to a normal user.  Very interesting stuff, considering this is the kind of stuff I do every day.  It's great to have security researchers out there that find these interesting correlations.

    Posted in Security | Leave a Comment »

    Dutch RFID e-passport cracked — US next?

    Posted by Xavier Ashe on February 6, 2006

    A Dutch television program
    “Nieuwslicht” recently worked with local security firm Riscure to successfully crack and decrypt a
    Dutch-prototype RFID passport. In this case, the data exchange between the RFID reader and passport was intercepted,
    stored, and then the password was cracked later in just 2 hours on a PC giving full access to the digitized
    fingerprint, photograph, and all other encrypted and plain text data on the RFID tag — just perfect for slapping
    together a cloned passport, eh? The flaw, at least in part, is due to the algorithm used when generating the secret key
    to protect the data. The key turns out to be predictable given that it is sequentially issued and constructed from the
    passport expiry date, birth date, passport number, and checksum. But don't kick back in superior isolationism just yet
    kid. Starting October 2006 the US will
    issue all new passports using the same ISO 14443 RFID tag and Basic Access Control encryption scheme employed by the
    Dutch e-passports (and others) and adopted by the ICAO as global standards. It's still not clear at what distance the
    exchange was intercepted — while the passive ISO 14443 tag is spec'd with a read distance of only 2 millimeters you'll
    find claims of reads at several meters. This is important 'cause the greater the read distance in say, the line at
    airport immigration control, the greater the chance of abuse. Regardless, the Dutch e-passport system is still under
    development allowing for changes, which makes us wonder, is ours? Wouldn't be the first time we've abandoned RFID
    passport plans
    due to technology concerns.

    [Via The Register and Vara (Dutch), Thanks

    From Engadget.
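The "predictable key" point becomes concrete once you see what Basic Access Control actually hashes. Under ICAO 9303 the reader derives K_seed from the MRZ's document number, date of birth and date of expiry (each with its check digit) and then K_enc and K_mac from K_seed, so an attacker who has recorded one BAC exchange can try candidate MRZ values offline; if the document number is issued sequentially and therefore tracks the expiry date, the candidate set collapses. The code below is an added example, not Riscure's or the Dutch passport program's: it implements the 9303 derivation (checked against the ICAO sample MRZ values), enumerates candidate keys over assumed date windows and document-number lists, and reports the resulting key-space size in bits. The 3DES/retail-MAC step that matches a candidate against the recorded messages is deliberately left out.

```python
"""ICAO 9303 Basic Access Control: keys derived from the MRZ, and why the key space is small.

Added example, not Riscure's or the passport program's code. Derivation per ICAO 9303:
K_seed = SHA-1(MRZ_information)[0:16]; K_enc, K_mac = SHA-1(K_seed || counter 1 / 2)[0:16]
with DES parity adjusted. The attacker's date windows and document-number lists are assumptions.
"""
import hashlib
from datetime import date, timedelta
from itertools import product
from math import log2


def mrz_value(ch):
    """Numeric value of an MRZ character: digit as-is, A..Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    return ord(ch.upper()) - ord("A") + 10


def check_digit(field):
    """ICAO check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    return sum(mrz_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """The 24 characters BAC hashes: document number, birth date, expiry date, each + check digit."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}{birth_yymmdd}{check_digit(birth_yymmdd)}"
            f"{expiry_yymmdd}{check_digit(expiry_yymmdd)}")


def adjust_parity(key):
    """Set each byte's low bit so the byte has odd parity (DES key convention)."""
    return bytes((b & 0xFE) | (1 if bin(b >> 1).count("1") % 2 == 0 else 0) for b in key)


def derive_keys(mrz_info):
    """Return (K_seed, K_enc, K_mac) as bytes."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(h[:8]) + adjust_parity(h[8:16])

    return k_seed, kdf(1), kdf(2)


def date_window(first_iso, last_iso):
    """All YYMMDD strings from first to last inclusive ('YYYY-MM-DD' inputs)."""
    first, last = date.fromisoformat(first_iso), date.fromisoformat(last_iso)
    return [(first + timedelta(days=i)).strftime("%y%m%d") for i in range((last - first).days + 1)]


def candidate_keys(doc_numbers, birth_window, expiry_window):
    """Yield (MRZ_information, K_enc) for every combination an attacker considers plausible.
    Testing each against an intercepted exchange needs 3DES-CBC and the ISO 9797-1 retail MAC,
    which this example omits; the point is how few candidates there are."""
    for doc, b, e in product(doc_numbers, date_window(*birth_window), date_window(*expiry_window)):
        info = mrz_information(doc, b, e)
        yield info, derive_keys(info)[1]


def keyspace_bits(n_doc_numbers, birth_days, expiry_days):
    """log2 of the candidate count, to set against the nominal 112-bit 3DES key."""
    return log2(n_doc_numbers * birth_days * expiry_days)


if __name__ == "__main__":
    # ICAO 9303 sample MRZ values: document L898902C, born 1969-08-06, expires 1994-06-23.
    info = mrz_information("L898902C", "690806", "940623")
    seed, k_enc, k_mac = derive_keys(info)
    print(info, seed.hex(), k_enc.hex(), k_mac.hex())
    # Assumed attacker knowledge: birth date within ten years, expiry (hence issue date) within
    # one year, and 1000 sequential document numbers plausible for that issue period.
    print(f"{keyspace_bits(1000, 3653, 365):.1f} bits")
```

With those assumptions the search is around 30 bits, which is why a recorded exchange can be cracked on a PC in hours; the nominal strength of the 3DES keys is irrelevant when the seed has that little entropy. The check-digit and key values are those of the ICAO 9303 worked example, so a run that prints anything other than K_seed 239ab9cb282daf66231dc5a4df6bfbae indicates a broken derivation.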

    Posted in Security | Leave a Comment »
