The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for October, 2006

Why you should protect your wireless network with WPA

Posted by Xavier Ashe on October 30, 2006


Posted in Privacy, Security

RFID in the mail… No need to open the Envelope!

Posted by Xavier Ashe on October 23, 2006

They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an
envelope against a black plastic box connected to his computer. Within
moments, the screen showed a garbled string of characters that included
this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit
card, fresh from the issuing bank. The card bore the name of Kevin E.
Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The card companies have implied through their marketing that the
data is encrypted to make sure that a digital eavesdropper cannot get
any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard
and American Express, the researchers here found that the cardholder’s
name and other data was being transmitted without encryption and in
plain text. They could skim and store the information from a card with
a device the size of a couple of paperback books, which they cobbled
together from readily available computer and radio components for $150.

Good article in the New York Times. Found on Boing Boing, which has more links:

And here is a related post from the guys who did the hack on RFID-cusp blog. (Thanks, Tom Heydt-Benjamin).

Consumerist has a post worth reading here.

Anti-RFID activist group CASPIAN has a response here (see also these previous BB posts about the group's founder, Katherine Albrecht).
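As an added illustration, not part of the Times article or the researchers' own tool, here is the kind of check an issuer's test lab could run over a reader's captured bytes: it reports whether a Luhn-valid card number, a cardholder name and an expiry date are readable as plain ASCII, which is exactly the condition the researchers found. The capture bytes, card number and name are constructed test values.

```python
import re

# Constructed sample capture: the sort of bytes a reader might log if a card answers
# in the clear. Track-1-style layout, a synthetic Luhn-valid test PAN and an invented
# cardholder name; not a real card and not the researchers' data.
SAMPLE_CAPTURE = b"\x02%B4111111111111111^DOE/JANE^091210112345679\x03"

# Track-1 layout as written on magnetic stripes: %B<PAN>^<NAME>^<YYMM>...
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(capture: bytes) -> list:
    """Every card-number-length digit run readable as plain ASCII that passes Luhn."""
    found = []
    for m in re.finditer(rb"\d{13,19}", capture):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            found.append(digits)
    return found


def assess_capture(capture: bytes) -> dict:
    """Report which cardholder fields are recoverable without any decryption step."""
    report = {"pan_exposed": False, "masked_pan": None, "name": None, "expiry": None}
    pans = find_cleartext_pans(capture)
    if pans:
        report["pan_exposed"] = True
        report["masked_pan"] = mask_pan(pans[0])
    track = TRACK1.search(capture)
    if track:
        report["name"] = track.group("name").decode("ascii")
        report["expiry"] = track.group("exp").decode("ascii")   # YYMM as on track 1
    return report


if __name__ == "__main__":
    print(assess_capture(SAMPLE_CAPTURE))
```

A capture that really was encrypted would yield no Luhn-valid digit run and no track layout, so the report stays empty.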

Posted in Privacy, Security

Certification Top 10 Lists Revisited

Posted by Xavier Ashe on October 23, 2006

When a story like this ran in 2003, it prompted more responses and
controversy than we imagined. Although we try to be clear that the
order of appearance in any given list indicates nothing about relative
ranking or merit, that aspect of things provokes comment, as does the
inclusion of some little-known credentials or the omission of
better-known ones.

But given that there are more than 850 certifications and more
than 200 certification programs in today’s IT certification landscape,
we hope to help our readers distinguish good ones from mediocre or bad
ones, winners from losers and up-and-comers from programs in their
declining phase. So remember, you can go out and analyze the
marketplace for yourself and plow through the numerous interest, salary
and popularity surveys to try to figure out this stuff for yourself.
While you’re at it, it’s also important to pay attention to what’s
showing up in classified job ads and online postings to determine where
the real action is.

As in the previous survey, we tried to develop a rough
consensus about what’s hot and where the action appears to be in
today’s highly fragmented IT job market. We can’t dispute that these
lists draw heavily on the author’s knowledge, experience and
observations, thus they must also reflect his preferences (and possibly
even biases.) As in the previous collection of lists, each is labeled
by category, along with a short discussion of what characteristics made
credentials most suited for inclusion.

This is from and is getting a good bit of coverage. Go and see where your certs fit and plan your next few. Here are the winners:

Best Hands-On Programs: Certified Professional Information Technology Consultant (CPITC)
Best Supporting Materials: (ISC)2 Certified Information Systems Security Professional (CISSP)
Best Specialty Certifications: Brocade Certified SAN Designer (BCSD)
Toughest Recertification Requirements: Cisco Certifications
Best Vendor-Neutral Credentials: Building Industry Consulting Services International (BiCSi)
Most Technically Advanced Programs: (ISC)2 Certified Information Systems Security Professional (CISSP)
Best New Programs or Certs: (ISC)2 Associate Program
Best Entry-Level Certifications: Certified Wireless Network Administrator (CWNA)

Posted in Other Technology, Security

Toolkit to Disable Automatic Delivery of Internet Explorer 7

Posted by Xavier Ashe on October 19, 2006

To help our customers become more secure and up-to-date,
Microsoft will distribute Internet Explorer 7 as a high-priority update
via Automatic Updates for Windows XP and Windows Server 2003 soon after
the final version of the browser is released (planned for fourth
quarter 2006). Microsoft is making a non-expiring Blocker Toolkit
available for those organizations that would like to block automatic
delivery of Internet Explorer 7 to machines in environments where
Automatic Updates is enabled.

  • The Blocker Toolkit will prevent machines from receiving Internet Explorer 7 as a high-priority update via Automatic Updates and the “Express” install option on the Windows Update and Microsoft Update sites. The Blocker Toolkit will not expire.
  • The Blocker Toolkit will not prevent users from manually installing Internet Explorer 7 as a Recommended update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center, or from external media.
  • Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 7, within their environment.

See the “Additional Information” section below for detailed
instructions on configuring and deploying the Blocker Toolkit. The same
information is also provided in the Help file included in the download.

Answers to Frequently Asked Questions can be found here.

So if you don't want to be forced to run IE 7, download this toolkit from Microsoft.

Posted in Other Technology

Hacking Web 2.0 Applications with Firefox

Posted by Xavier Ashe on October 18, 2006

AJAX and interactive web services form the backbone
of “web 2.0” applications. This technological transformation brings
about new challenges for security professionals.

This article looks at some of the methods, tools and tricks to dissect
web 2.0 applications (including Ajax) and discover security holes using
Firefox and its plugins. The key learning objectives of this article
are to understand the:

  • web 2.0 application architecture and its security concerns.
  • hacking challenges such as discovering hidden calls, crawling issues, and Ajax side logic discovery.
  • discovery of XHR calls with the Firebug tool.
  • simulation of browser event automation with the Chickenfoot plugin.
  • debugging of applications from a security standpoint, using the Firebug debugger.
  • methodical approach to vulnerability detection.

I guess it's Ajax hacking day.  This article comes from Security Focus.

Posted in Security

What You Should Know About AJAX Security: 24 Tutorials

Posted by Xavier Ashe on October 18, 2006

For the most part AJAX does not significantly increase the security
vulnerabilities in most web applications. However, javascript, XML and
asynchronous server calls do have potential holes if not properly
implemented. If you're an application developer or security
professional there are things to watch out for with AJAX applications.
If you're new to AJAX there are many hazards to watch out for, and
tutorials and examples are one of the worst culprits for security
vulnerabilities. Before you start downloading examples and making them
live on your server you should learn a bit about security first. Below,
you'll find a list of tutorials, examples, and articles that will
detail many of the security implications of using AJAX.

As always special thanks to all of the hard work done by the
developers and security professionals who have taken their time to make
all of this great information publicly accessible. Also if you know of
other great resources or tutorials pertaining to AJAX please use my
comments section on this article to add to the overall list. Thanks!

Get all the tutorials on

Posted in Security

MS Replies to XBox Hacks: Hitachi GDR-3120L v0078FK

Posted by Xavier Ashe on October 16, 2006

There's a thread on our forums
about a new version (0078FK) of the Hitachi-LG GDR-3120L Xbox360 DVD
drive found in newly manufactured (starting end august 06 anyway, maybe
earlier too) consoles (mostly found in Australia and UK atm, but soon
probably everywhere).
The drive has many changes to try to make FW hacking harder. Garyopa posted a great summary of all discoveries found so far about this new drive version:

There have been many changes done to the new Hitachi GDR-3120L – Version: 0078fk drive:
* 1: No “memdump” command works, totally new program needed
* 2: Chip type has been changed to a 39VF020, so new “flashsec” program needed
* 3: Black hard glue has been added covering all the chip pins and the controller pins.
* 4: External “debug” triggering into ModeB has been removed.

What does it all mean:
* 1: The Team-X kit will no longer work on this drive.
* 2: Dumping the firmware by software is currently not possible
* 3: Wiring in a patching-on-the-fly “mod” would be very hard due to the “new black glue”
* 4: Removing the flash chip to externally be read will destroy the drive due to the “new black glue”

What options are left to us:
* 1: Get more people working on this new drive, currently only in UK and Aussie.
* 2: Destroy at least one drive to be able to dump the firmware, using an external programmer.
* 3: Afterwards sitting down and re-writing all the programs: “memdump, firmcrypt, flashsec”.
* 4: If you can't wait, buy an older produced x360 console (Before Late July/Early Aug. dates).

That's all for now….
We are working on it….
Hopefully some poor soul will give us one personally…
So we can destroy it and play with it for everyone else….

From XBox Scene News.

Posted in XBox Hacks

President fired, chairman resigns in major shakeup at McAfee; rumors of buy-out abound

Posted by Xavier Ashe on October 11, 2006

Security giant McAfee announced today that it has
fired its president, and its chairman and CEO has retired following an
internal investigation that revealed stock option improprieties.

Dale Fuller, a member of the McAfee Board
of Directors since January and former president and CEO of Borland
Software, was named acting chairman and CEO. Charles J. Robel, who
joined the McAfee board in June, was appointed non-executive chairman.

McAfee announced during a morning conference call that George
Samenuk stepped down as chairman and CEO, and Kevin Weiss was fired.
The purge was the fall-out of a special committee investigation into
shady options practices going back 10 years at the company.

As a result of the probe, the company must restate historical
financial reports. That restatement likely will fall between $100
million and $150 million, said Eric Brown, McAfee's CFO and COO.

Samenuk said in a statement issued today that he stepped down “in
the best interests of the company, its shareholders and employees,”
adding that he felt “regret” over the questionable stock options
practices occurring during his tenure.

Brown declined to comment on why Samenuk left on his own terms but
Weiss was fired. Weiss, who joined McAfee in October 2002, was
responsible for sales, business operations and partner relationship
development, according to a biography on the company's website.

Read the full article at SC Magazine.

Posted in Security

Bureau of Industry and Security Hacked

Posted by Xavier Ashe on October 11, 2006

The BIS is the part of the U.S. Department of Commerce responsible
for export control. If you have a dual-use technology that you need
special approval in order to export outside the U.S., or to export it
to specific countries, BIS is what you submit the paperwork to.

It's been hacked by “hackers working through Chinese servers,” and has been shut down. This may very well have been a targeted attack.

Manufacturers of hardware crypto devices — mass-market software is
exempted — must submit detailed design information to BIS in order to
get an export license. There's a lot of detailed information on crypto
products in the BIS computers.

Of course, I have no way of knowing if this information was breached
or if that's what the hackers were after, but it is interesting. On the
other hand, any crypto product that relied on this information being
secret doesn't deserve to be on the market anyway.

From Bruce Schneier's blog.

Posted in Security

Hackers find use for Google Code Search

Posted by Xavier Ashe on October 9, 2006

The company's new source-code search engine,
unveiled Thursday as a tool to help simplify life for developers, can
also be misused to search for software bugs, password information, and
even proprietary code that shouldn't have been posted to the Internet
in the first place, security experts said Friday.

Unlike Google's main Web search engine, Google Code Search
peeks into the actual lines of code whenever it finds source-code files
on the Internet. This will make it easier for developers to search
source code directly and dig up open-source tools they may not have
known about, but it has a drawback.

“The downside is that you could also use that kind of search to look for
things that are vulnerable and then guess who might have used that code
snippet and then just fire away at it,” said Mike Armistead, vice
president of products with source-code analysis provider Fortify
Software Inc.

Give 'em an inch… Read the full article from Infoworld.
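One defensive response to this, as an added example that is not from the InfoWorld article: a pre-publication scan a team can run over its own tree before code reaches a public host, so the password strings and key material a code search would surface are caught first. The file contents, patterns and placeholder list are constructed for the example; the AKIA value is the example key AWS uses in its own documentation.

```python
import re

# Constructed sample tree standing in for a project about to be pushed to a public host.
# Every value below is invented; nothing here is a live credential.
SAMPLE_TREE = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "s3cr3t-prod-2006"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/.env": "DATABASE_URL=mysql://backup:Hunter2@db.internal/app\n",
    "README.md": 'Set PASSWORD = "changeme" before the first run.\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n",
}

# Patterns of the kind a public code search makes trivially findable. A 'value' group
# marks the secret itself so it can be placeholder-filtered and redacted from reports.
SECRET_PATTERNS = {
    "hard-coded password": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*["'](?P<value>[^"']{4,})["']"""),
    "credentials in connection URL": re.compile(
        r"""(?i)\b(?:mysql|postgres(?:ql)?|mongodb)://[^\s:'"]+:(?P<value>[^\s'"@]+)@"""),
    "private key material": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
PLACEHOLDER_VALUES = {"changeme", "password", "example", "your_password_here"}


def looks_like_placeholder(value: str) -> bool:
    """Skip values that are obviously templates rather than live credentials."""
    v = value.lower()
    return v in PLACEHOLDER_VALUES or v.startswith(("${", "<", "%")) or set(v) <= {"x", "*"}


def redact(line: str, value) -> str:
    """Never copy the secret itself into the report."""
    line = line.strip()
    return line if value is None else line.replace(value, "*" * len(value))


def scan_text(text: str, path: str = "<input>") -> list:
    """Return one finding per line and pattern, with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.groupdict().get("value")
            if value is not None and looks_like_placeholder(value):
                continue
            findings.append({"path": path, "line": lineno, "type": label,
                             "excerpt": redact(line, value)})
    return findings


def scan_tree(files: dict) -> list:
    """Scan an in-memory {path: contents} map; walk a real checkout with pathlib instead."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(files[path], path))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['path']}:{f['line']}: {f['type']}: {f['excerpt']}")
```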

Posted in Security

Nintendo DS Homebrew how-to

Posted by Xavier Ashe on October 9, 2006

Intrigued by the notion of playing old school games on your DS but don't know where to begin? Would you like to use your DS as a map or check out a free browser?
Never fear — no matter how technically challenged you may be, there's
a solution for you. This time, it comes in the form of a
beginner-friendly guide to checking out homebrew options for your very own Nintendo DS.

The guide takes you step by step through the process of preparing to
use homebrew apps. After all, understanding is one thing — actually
taking the plunge is another, and the guide is very helpful when it
comes to recommendations on what to get and what to do with it once you
have it. While this guide covers the basics about preparing for
homebrew and looping around the built-in protections, it doesn't get
into applications. Baby steps, people. They're saving those things for
future guides. So if you're looking to get started but haven't a clue
what to do, check it out.

Awesome guide from S0rethumbs. I know what I am doing with my DS tonight! [via]

Posted in For Fun, Other Technology

Need a Security Checklist?

Posted by Xavier Ashe on October 9, 2006

Active Directory Checklist, Application Security Checklist, Application
Services Checklist, Biometrics Checklist, Cisco Router Checklist,
Database Security Checklist, Defense Switched Network Checklist,
Desktop Applications Checklist, Domain Name System (DNS) Checklist,
Enclave Checklist, ERP STIG Security Application Checklist, Draft Joint
Information Assurance Officer Checklist, Joint System Administrator
Checklist, Draft Joint Wireless Administrator Checklist, Juniper Router
Checklist, Keyboard, Video, and Mouse (KVM) Switch Checklist for
Sharing Peripherals Across the Network STIG, Macintosh OS X Checklist,
.NET Framework Security Checklist, NetOps Checklist, Network Checklist,
Open VMS Security Checklist, OS/390 Logical Partition Checklist, OS/390
RACF Checklist, OS/390 ACF2 Checklist, OS/390 Self Assessment
Checklist, OS/390 TSS Checklist, Storage Area Network (SAN) Checklist
for Sharing Peripherals Across the Network STIG, Tandem Checklist,
Traditional Basic Checklist, Traditional Common Compliance Validation
Checklist, Traditional DISA Checklist, Traditional NIPRNET Compliance
Validation Checklist, Traditional SIPRNET Compliance Validation
Checklist, Unisys Checklist, Universal Serial Bus (USB) Checklist for
Sharing Peripherals Across the Network STIG Version, UNIX Security
Checklist, Virtual Machine (VM) Checklist, VMS 6.0 Vulnerability ID to
STIG ID Cross Reference, Voice Over Internet Protocol (VOIP) Checklist,
Web Server Security Checklist, Windows 2000 Security Checklist, Windows
2003 Checklist, Windows NT Security Checklist, Windows XP Security
Checklist, Wireless Security Checklist, Wireless Blackberry Security

Pick one… any one. From the Information Assurance Support Environment (IASA), sponsored by the Defense Information Systems Agency.

Posted in Security

PCI Data Security Standard Updated to 1.1

Posted by Xavier Ashe on October 5, 2006

How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?
The focus of the 1.1 revision has been to address questions about how
to implement the standard. The standard has been updated to provide
clarification to certain requirements and to give flexibility for
compensating controls for complex requirements such as data encryption.
These updates are designed to acknowledge partner and customer
feedback, along with technical compliance constraints, and foster rapid
adoption, while maintaining the robustness of the security measures in
the January 2005 version. Additional requirements have been added to
address emerging threats related to application security.

The Council has compiled a Summary of Changes
describing the significant differences between the two DSS versions; to
read this document, click here.

When will the new version of the PCI Data Security Standard (version 1.1) become effective?
Version 1.1 of the PCI Data Security Standard became effective with the
launch of the PCI Security Standards Council. Some of the more complex
individual requirements contained in the new version of the standard
have built-in lead time for implementation.

Where can I get details of these requirements?
The PCI DSS version 1.1 and all supporting documentation can be found at

From the PCI Security Standards FAQ.

Posted in Security

How To: Dismantle an Atomic Bomb

Posted by Xavier Ashe on October 5, 2006

Sure, the odds are slim that you'd ever be faced with
an atomic device ticking down to zero. But think of how Jack Bauer it'd
be if you were. And then who're you going to trust? Us or some
do-gooder rock band?

Very important information from Wired.

If these tips don't work, give us a call and let us know what we got wrong.

Posted in For Fun, Other Technology

How to use your PC and Webcam as a motion-detecting and recording security camera

Posted by Xavier Ashe on October 4, 2006

This tutorial will take you step-by-step through setting up your PC and
Webcam to act as a motion-detecting and recording security camera
system. And the software required to do this is open source (free).

6 Reasons to set up a motion activated web-cam

  1. Maybe you live in a questionable (at best) part of East Vancouver
    and you’ve already been broken into (while you were doing the dishes).
    It would be helpful next time to have pictures of the intruder.
  2. Maybe you’re trying to prove to your landlord that some of the
    more questionable members of the general East Vancouver public are
    using the pathway between your building and the one next door as a
    shortcut between streets. Often with very large bags of cans (it’s a
    Vancouver thing). Loudly. At all hours of the day and night.
  3. Perhaps you want to catch someone using your PC after you’ve asked
    them repeatedly not to use it (because they seem to go out of their way
    to install spyware, toolbars you don’t want, and leave behind Britney
    Spears mp3s on your desktop)
  4. You’re bored?
  5. You want to get pictures of the pretty birdies eating from your new bird feeder.
  6. Yeah I know what you were expecting here, that’s lewd. Get your mind out of the gutter, this is a family site.

Good stuff from Simplehelp.

Posted in Other Technology, Security

Phreaky Boys: audio of phreaker exploits from 1990

Posted by Xavier Ashe on October 3, 2006

When I was a dumb teenager, I spent a lot of time dabbling in the
phreaker culture of the late 80s / early 90s. During that time, I made
audio recordings of compromised voice mail box systems that were
commandeered by phone hackers. The hackers would replace the original
box greetings with more interesting content such as calling card /
credit card numbers, underground BBS numbers, hacking tips, and other

These recordings languished on crappy, hissy old analog tapes until
a few years ago when I decided to digitize them for posterity onto my
home computer. There they languished still, until the other day when I
decided to contact Jason Scott (of and
fame) for his advice on how to get the files out for posterity. He very
generously offered his support of hosting and cataloging the audio
files here: Link.

He has begun adding interesting descriptions for the files in this directory: Link.

I've released the files in the interest of preserving a little bit of
hacker culture history. I was motivated to do this because I have not
yet had any luck finding any similar audio files out there.

From Boing Boing.  1990 doesn't seem that long ago.  I had moved on to TCP/IP, Trumpet WinSock, and SLIP by then. 

Posted in Security

Mythbusters-Beat Finger Print Security System

Posted by Xavier Ashe on October 2, 2006

As if to snub the claims, they break it three times!
Supposedly it monitors pulse, sweat, temperature, and other attributes.
First, Adam obtains an impression of a fingerprint already present on
the reader and creates a latex copy that he adheres to his own thumb.
Initial attempts fail, but when Adam licks the latex, the door opens.
Next, Jamie tries a ballistics gel copy of the fingerprint. Sure
enough, the door opens right away. Adam remarks that some cheap
computer fingerprint reader was actually more difficult to hack than
the “unbreakable” door lock! Finally, Adam tries the simplest of all
attacks: a photocopy of the authorized fingerprint. No warmth, no
pulse, only a lick — and again, the door opens.

Found on Steve Riley's Blog.

Posted in Security

ATM Hack Uncovered *Working Link Update*

Posted by Xavier Ashe on October 2, 2006

A security expert in New York has learned how to get free money from
some ATMs by entering a special code sequence on the PIN pad.

Last week, news reports circulated
about a cyber thief who strolled into a gas station in Virginia Beach,
Virginia, and, with no special equipment, reprogrammed the mini ATM in
the corner to think it had $5.00 bills in its dispensing tray, instead
of $20.00 bills.

Using a pre-paid debit card, the crook then made a withdrawal, and casually strolled off with a 300% profit in his pocket.

Foolishly, he left the ATM misprogrammed this way for 9 days —
presumably to the delight of other customers — before a good Samaritan
reported the issue and exposed the caper.

How, exactly, he pulled off the swindle remained unreported. Curious, Dave Goldsmith, a computer security researcher at Matasano Security began poking around. Based on CNN's video, he identified the ATM as a Tranax Mini Bank 1500 series.

He then set out to see if he could get a copy of the manual for the apparently-vulnerable machine to find out how the hack worked. Fifteen minutes later, he reported success.

Read the full Wired article.  Here's the Tranax Mini Bank 1500 series Operator Manual.

Posted in Security

White and Nerdy

Posted by Xavier Ashe on October 2, 2006

Posted in For Fun

Stealing Search Engine Queries with JavaScript

Posted by Xavier Ashe on October 1, 2006

SPI Labs has discovered a practical method of using JavaScript to
detect the search queries a user has entered into arbitrary search
engines. All the code needed to steal a user's search queries is
written in JavaScript and uses Cascading Style Sheets (CSS). This code
could be embedded into any website either by the website owner or by a
malicious third party through a Cross-site Scripting (XSS) attack.
There it would harvest information about every visitor to that site.

Possible uses:

-HMO's website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers.

-Advertising networks could gather information about which topics someone is interested in based on their search history and use that to enhance their customer databases.

-Government websites could see if a visitor has been searching for bomb-making instructions.

SPI has published a whitepaper about this technique and has also
release proof of concept code that will steal search engine queries.
Works solid in Firefox, and IE support is a little shaky on multi word


Found on Full Disclosure.

Posted in Security
