The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for March, 2007

VoIP Security Tool List

Posted by Xavier Ashe on March 31, 2007

This VoIP Security Tool List provides categories, descriptions and
links to current free and commercial VoIP security tools. Each commercial tool is indicated by the following icon next to it:

The key objectives of this list are as follows:

  1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA's Best Practices Project.
  2. Facilitate the open discussion of VoIP security tool information
    to help users better audit and defend their VoIP devices and
  3. Provide vendors the information needed to proactively test their
    VoIP devices' ability to function and withstand real-world attacks.

Very good list from VoIPSA.


Posted in Security, Tools

Hacking Linux onto your 360 just got a wee bit easier

Posted by Xavier Ashe on March 31, 2007

Once again, we're a far cry from PS3-Linux-easy, but those 360 kids seem rather hard to dissuade. The latest development on the XeLL bootloader front is that you no longer need a serial cable hooked up for executing the boot loader, all you need is a 360 set up for running burned DVDs,
a modified version of the King Kong disc — you'll want the original
game, Windows and a DVD burner to get that together — and of course a
Live CD with XeLL and your Linux distro all prepped to go. By now we're
sure we don't need to tell you that this is limited to those lucky 4532
and 4548 kernels, but if you've got all of the above ingredients, plus
a little bit of patience and complete disregard for warranty voidance,
it looks like Linux on the 360 is within your reach at last. Peep a
video after the break of the previous version of XeLL doing its thing.

From Engadget.

Posted in XBox Hacks

Good review of SILICA

Posted by Xavier Ashe on March 30, 2007

Imagine a device that, with the push of a button, automatically scans for
wireless networks, connects to them, and then attacks each and every device on
the network. Sound like something out of Hollywood? Well, the device is real,
and for $3600 you too can own one — and then own everyone.

The device, formally known as the SILICA, was created by Immunity to assist
penetration testers with their work. It officially hit the shelves in February
2007, but has been making some headlines over the last year as Immunity
demonstrated it at various conferences. Thankfully, White Wolf Security was
gracious enough to let us borrow theirs and give it a whirl. Quite honestly, we
were expecting to be a bit disappointed because media hype is usually
exaggerated. However, not only were we dead wrong about that assumption, but we
will go so far as to highly recommend this device to anyone interested in
penetration testing from the palm of your hand.

Read the full review at

Posted in Security

Video Day at The Lazy Genius!

Posted by Xavier Ashe on March 19, 2007

First from

We are now offering video interviews with industry leaders on a wide range of issues related to the Security industry:

Second, Easynews has posted a nice mirror of many Security Conferences' Video Series.  Let the leeching begin!

Posted in Security

McAfee maps malware risk domains

Posted by Xavier Ashe on March 13, 2007

A global road map of the riskiest and safest places to surf online
found Russian and Romanian sites among the top-level domains most
commonly hosting malicious downloads, browser exploits, and scams.

A survey of 265 top-level domains by McAfee, dubbed Mapping the Mal Web,
revealed large differences in safety from one domain to another. The
worst haven for malware belonged to the tiny Pacific island of
Tokelau (.tk), where 10.1 per cent of websites contained dodgy content.
The most risky large country domains were Romania (.ro, 5.6 per cent
risky sites) and Russia (.ru, 4.5 per cent risky sites). These East
European country domains were the most likely to host exploit or
“drive-by-download” sites run by hackers.

By contrast, three of the safest top level domains were associated with
Nordic countries, namely Finland (.fi, 0.10 per cent), Norway (.no,
0.16 per cent) and Sweden (.se, 0.21 per cent). Iceland (.is, 0.19 per
cent) and Ireland (.ie, 0.11 per cent) rounded out McAfee's list of
safe surfing habitats.

Read the full article at the Register.  The complete study, along with an interactive map, can be found here.

Posted in Security

Security Development Lifecycle (SDL) Banned Function Calls

Posted by Xavier Ashe on March 12, 2007

Prohibiting the use of banned APIs is a good way to remove a
significant number of code vulnerabilities — this practice is reflected
in Stage 6 of The Microsoft Security Development Lifecycle: “Establish
and Follow Best Practices for Development.” It can also be referenced
in Chapter 11 of the Microsoft Press Book The Security Development Lifecycle.

When the C runtime library (CRT) was first created about 25 years ago, the
threats to computers were different; machines were not as
interconnected as they are today, and attacks were not as prevalent.
With this in mind, a subset of the C runtime library must be deprecated
for new code and, over time, removed from earlier code. It's just too
easy to get code wrong that uses these outdated functions. Even some of
the classic replacement functions are prone to error, too.

This list is the SDL view of what comprises banned APIs; it is derived from
experience with real-world security bugs and focuses almost exclusively
on functions that can lead to buffer overruns (Howard, LeBlanc, and
Viega 2005). Any function in this section's tables must be replaced
with a more secure version. Obviously, you cannot replace a banned API
with another banned API. For example, replacing strcpy with strncpy is
not valid because strncpy is banned, too.

Also note that some of
the function names might be a little different, depending on whether
the function takes ASCII, Unicode, _T (ASCII or Unicode), or multibyte
chars. Some function names might include A or W at the
end of the name. For example, the StrSafe StringCbCatEx function is
also available as StringCbCatExW (Unicode) and StringCbCatExA (ASCII).

I'm not a developer, but I play one on TV.  If you, however, are writing any code, you should read this article by Microsoft.
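As an added illustration (not code from the Microsoft article or the SDL), the C below shows why strncpy is banned alongside strcpy, and a bounded copy/concatenate pair that follows the always-terminate-and-report-truncation contract of the StrSafe replacements; it is written portably because StrSafe itself is Windows-only.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Why strncpy is banned too: when src fills the whole destination it
 * writes no terminator. Returns true only if dst ends up terminated. */
bool strncpy_terminates(const char *src, char *dst, size_t dst_size) {
    memset(dst, 'X', dst_size);          /* poison so a missing NUL shows */
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Bounded copy that always terminates and reports truncation (1) or a
 * bad destination (-1), the contract the StrSafe replacements follow. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bounded concatenate: refuses an unterminated destination instead of
 * scanning past it, then appends with the same truncation contract. */
int safe_cat(char *dst, size_t dst_size, const char *src) {
    size_t used = 0;
    if (dst == NULL || dst_size == 0) return -1;
    while (used < dst_size && dst[used] != '\0') used++;
    if (used == dst_size) return -1;     /* no NUL within dst_size */
    return safe_copy(dst + used, dst_size - used, src);
}

int main(void) {
    char buf[8];
    printf("strncpy terminated: %d\n", strncpy_terminates("abcdefgh", buf, sizeof buf));
    printf("safe_copy rc=%d -> \"%s\"\n", safe_copy(buf, sizeof buf, "abcdefgh"), buf);
    printf("safe_cat  rc=%d -> \"%s\"\n", safe_cat(buf, sizeof buf, "xyz"), buf);
    return 0;
}
```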

Posted in Security

An Analysis of Address Space Layout Randomization on Windows Vista

Posted by Xavier Ashe on March 12, 2007

Address space layout randomization (ASLR) is a
prophylactic security technology aimed at reducing the
effectiveness of exploit attempts. With the advent of the
Microsoft® Windows Vista operating system, ASLR has been
integrated into the default configuration of the Windows®
operating system for the first time. We measure the behavior
of the ASLR implementation in the Windows Vista RTM
release. Our analysis of the results uncovers predictability in
the implementation that reduces its effectiveness.

A very interesting paper from Symantec (PDF). I hadn't heard about ASLR before. It seems that Microsoft came to the realization that exploits will continue to happen. So ASLR is an attempt at making it harder to implement the exploit. It turns out that Microsoft's implementation of ASLR is flawed and lessens its effectiveness. Good try fellas, maybe next time.

Posted in Security

Vista activation crack #2 auto-renews the 30 day grace period

Posted by Xavier Ashe on March 11, 2007

Strike two
for Vista's product activation system: the latest Vista activation
workaround is called “Timerstop t2a” which works by automatically
renewing the 30 day grace period before the user has to “activate”
their presumably legit copy of Windows. Besides the obviously malicious
undertone to these kind of utilities, we're certain that there are a
whole lot of legitimate Vista owners out there that would prefer to go
through this admittedly complex process rather than attempt the normal
activation procedure. Just like with DRM, anti-piracy PSAs before movies, and heck, even excessive surveillance,
innocent people tend not to like it when they're treated as suspects.
The lesson for Microsoft is that when people want to pirate software,
they will: even in the face of increasingly complex activation systems.
A pity then that Redmond's fired up photocopiers technically can't copy
a function that — purposely — doesn't exist in Mac OS X.

From Engadget.

Posted in Security

Xbox 360 Hypervisor Privilege Escalation Vulnerability

Posted by Xavier Ashe on March 6, 2007

We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to
inject data into non-privileged memory areas, this vulnerability allows
an attacker with physical access to an Xbox 360 to run arbitrary code
such as alternative operating systems with full privileges and full
hardware access.

Technical details:
The Xbox 360 security system is designed around a hypervisor concept. All
games and other applications, which must be cryptographically signed with
Microsoft's private key, run in non-privileged mode, while only a small
hypervisor runs in privileged (“hypervisor”) mode. The hypervisor
controls access to memory and provides encryption and decryption

The policy implemented in the hypervisor forces all executable code to be
read-only and encrypted. Therefore, unprivileged code cannot change
executable code. A physical memory attack could modify code; however,
code memory is encrypted with a unique per-session key, making meaningful
modification of code memory in a broadly distributable fashion difficult.
In addition, the stack and heap are always marked as non-executable, and
therefore data loaded there can never be jumped to by unprivileged code.

Unprivileged code interacts with the hypervisor via the “sc” (“syscall”)
instruction, which causes the machine to enter hypervisor mode. The
vulnerability is a result of incomplete checking of the parameters passed
to the syscall dispatcher, as illustrated below.

More info at Security Focus.
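As an added, generic illustration of the principle the advisory names (complete checking of what unprivileged code hands to a syscall dispatcher), not the Xbox 360 hypervisor's code: the dispatcher below validates the syscall number at full register width as an unsigned value before it indexes the table, and accepts a buffer argument only if it lies wholly inside an assumed unprivileged address range, using overflow-safe length arithmetic. USER_BASE, USER_END and the two syscalls are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed layout for the example: unprivileged memory is [USER_BASE, USER_END). */
#define USER_BASE 0x10000000ULL
#define USER_END  0x20000000ULL

typedef int64_t (*syscall_fn)(uint64_t addr, uint64_t len);

/* Two placeholder handlers so the table has something to dispatch to. */
static int64_t sys_nop(uint64_t addr, uint64_t len) { (void)addr; (void)len; return 0; }
static int64_t sys_end(uint64_t addr, uint64_t len) { return (int64_t)(addr + len); }

static const syscall_fn table[] = { sys_nop, sys_end };
#define NSYSCALLS (sizeof table / sizeof table[0])

/* A buffer is acceptable only if it lies wholly inside unprivileged memory.
 * The length check is written as a subtraction so addr + len cannot wrap. */
bool user_range_ok(uint64_t addr, uint64_t len) {
    if (len == 0) return false;
    if (addr < USER_BASE || addr >= USER_END) return false;
    if (len > USER_END - addr) return false;
    return true;
}

/* Returns -1 for a bad syscall number, -2 for a bad buffer, else the
 * handler's result. The number is compared unsigned and at full width,
 * so neither a narrowing cast nor a signed compare can let a large value
 * past the table bound. */
int64_t dispatch(uint64_t number, uint64_t addr, uint64_t len) {
    if (number >= NSYSCALLS) return -1;
    if (!user_range_ok(addr, len)) return -2;
    return table[number](addr, len);
}
```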

Posted in XBox Hacks

NSA Releases Top Secret Crypto Papers

Posted by Xavier Ashe on March 4, 2007

The National Security Agency has released under FOIA nine crypto papers in
response to a request for information on Non-Secret Encryption filed in
October 1999. Three of the papers were formerly classified Top Secret
Codeword and one was formerly classified Secret; they were declassified for
this request.

For a description of Non-Secret Encryption see “The Story of Non-Secret
Encryption,” J. H. Ellis.

NSA wrote that this
is an initial release and additional documents may be provided later. The
documents were received on 28 February 2007, scanned and converted to PDF.

All nine PDFs:

More information available on Cryptome.

Posted in Security

Play Wii “Backups” without modchip

Posted by Xavier Ashe on March 1, 2007

A modified Nintendo Wii boots a backup of Red Steel. There is no modchip in the Wii, there is a parallel port cable soldered to the drive board. The cable costs under 3 dollars to make.

You will need a male parallel port
and a couple diodes, both parts available at Radioshack for under 3
bucks. Follow Erant’s instructions on soldering in the cable, then use
Syndicate or WAB’s “ISO Loader” or “WABModCheap” programs to
temporarily patch the drive firmware to allow backups to load. Not as
feasible as a modchip for the reason that you have to use a PC every
time, but for 3 bucks and the chance to get it done right then, it was
worth it for me.

Read the rest on The edge of I-Hacked.

Posted in Security
