From the monthly archives:

May 2006

A Stock Bubble of His Own - Part 2

by patrick.ogenstad on May 19, 2006

midfr0st had downloaded the website for Meriabeck and was browsing the contents offline. He hardly remembered what the company was doing, and this knowledge was vital for his plans. There was a lot of material to go through; their website wasn’t too big, but there were a lot of PDF reports there. Since it was a publicly traded company there was a lot of information, or rather speculation, to be read in different online forums.

Apparently the company was now creating some sort of RFID chips and there was a lot of talk about a big deal being very close. Backtracking to earlier discussions, midfr0st found out that this had been the situation for the last two years. Perfect, he smiled and inhaled some more smoke from his cigarette. The sun was shining on his balcony and the neighbor’s dog was barking. Business as usual.

midfr0st logged on to his Internet bank and signed up for a service which would send a text message to his phone and an email if the stock price for Meriabeck Technologies changed more than 5% in either direction.

Paranoia is good for you, midfr0st mused. He didn’t want it to look suspicious. Since he was hardly ever logged on to the bank and hadn’t done any other business in the last few years, it might look odd if he suddenly managed to sell the stocks during the hours they soared. If the stock crashed a few hours later it would be more suspicious. In reality the amount of stocks he traded would be insignificantly small, but midfr0st prided himself on being careful.

midfr0st obsessed about keeping things organized and had started setting up a project plan for each job he did. At the moment he was using Planner and his task list for the current project contained these entries:

  1. Create online rumor
  2. Find a respectable company to use
  3. Hack Meriabeck
  4. Send an official statement from Meriabeck
  5. Shut down Meriabeck’s access to the world
  6. Sell stock
  7. Watch stock crash and do the monkey dance

His target deadline was seven weeks away.


Donations to the SYDI Project

by patrick.ogenstad on May 19, 2006

The SYDI project has received a $50 donation and would like to thank SEO Company. They have decided to support open source and are donating money to a lot of open source projects.

If you want to donate to the SYDI project there are instructions on the SYDI website.


A Stock Bubble of His Own - Part 1

by patrick.ogenstad on May 10, 2006

The startup company midfr0st had worked for declared bankruptcy when the stock market crashed. Instead of searching for a new job, midfr0st had entered the hacking business and was now breaking into companies for money. Business was going very well, it had in fact made him rich. Compared to his former financial status he would say it had made him very rich. midfr0st was however facing a little dilemma. All the money he had earned didn’t belong to him, instead it belonged to a few online “identities” he had created or bought.

Up to a certain amount, spending money wasn’t a problem, but he was getting more careful and the thought of getting caught didn’t really appeal to him. His biggest problem was that his real identity didn’t have a job and should have been broke.

midfr0st was still thinking about a long-term solution to the problem; the life he pictured for himself was a lot more luxurious than living in a small apartment as he did now.

The short-term plan was to make his legal assets grow without causing anyone to get suspicious. The best candidate for the job was the stock market, but although midfr0st was interested in shares and bonds he didn’t feel he had time. midfr0st had found an institute offering private banking services. He had been piling up his legal assets but was still about $35 000 short of the $300 000 needed to open up the account he wanted.

Although he had the money elsewhere he couldn’t just transfer it since that kind of trail was exactly what he wanted to avoid. Aside from the money he had on his bank the only other asset to speak of were some stocks in a company he had bought back in ‘99. The company, Meriabeck Technologies, hadn’t quite shared the fate of the crashed company midfr0st had worked at, but close enough. It didn’t matter.

midfr0st had invested in Meriabeck after a recommendation from a friend, at first the stocks had soared, before they hit rock bottom. During the years to come midfr0st had more or less forgotten about them, so when he finally checked them he was happy to see that they had in fact increased a lot in value and were now worth 13% more than what he had originally paid for them. Unfortunately he still didn’t have enough money for the private banking account.

Another 16%, midfr0st thought. If he could just increase the value of the stocks he would be set to go. A plan was forming in his mind.


The Failure of Information Security

by patrick.ogenstad on May 10, 2006

“They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerated it since we are use to it.”

This paragraph starts off Noam Eppel’s article titled The Complete, Unquestionable and Total Failure of Information Security. I think it’s a very interesting read but I don’t entirely agree with his more or less pitch-black view of things. I guess it reminds me too much of Despair Inc.

There are a lot of problems when it comes to IT Security, but this doesn’t differ much from the “real world”. Sure, you have click-and-play rootkits and whatnot; anybody can learn to break into a computer using tools easily found. You don’t have to be skilled to grab someone’s purse, steal a car, physically “deface” someone, blackmail, steal from the office and so on.

Ok, so the Internet is a dangerous place. This doesn’t mean consumers or corporations can’t mitigate the risks and stay reasonably secure.

Might I guess that the user who created the screenshot with all the spyware wasn’t logged in as a limited user?

Anyway, I’m looking forward to Noam’s next update, and make sure you read his article.

Speaking of Stupid Hackers

by patrick.ogenstad on May 9, 2006

Martin McKeay has a post about another brilliant way to get caught. Since this guy actually put people’s lives at risk, I hope he gets a harsher punishment than the credit card guy.

Buying a Spot in Prison with a Stolen Card

by patrick.ogenstad on May 5, 2006

This is just sad. According to this article, a guy is facing one to two years in jail for hacking. He got caught stealing credit card information and ordering goods which he shipped to his home address. I have two theories of what happened.

  1. He is so stupid he deserves jail time for that too along with his other crime.
  2. He has a brother in jail and has seen Prison Break, now he is about to free his brother.

I think I favor the stupidity theory. To make the prison stay a bit more comfortable I’ll just go ahead and recommend this colorful wallpaper to decorate the cell.

PayPal’s Security Question

by patrick.ogenstad on May 4, 2006

I was setting up a personal PayPal account today, and during registration they wanted me to provide answers to two “secret questions”. This is nothing new and usually I just do what Bruce Schneier talks about in his curse: enter gibberish.

Feeling very clever I press the signup button, the result:

Your information is incomplete or incorrect. Please correct the fields below and try again:

  • You may not enter numbers in your mother’s maiden name.
  • You must enter exactly four numbers or letters for the last four digits of your driver’s license number.

What could possess anyone to do this? This is just plain stupid. PayPal’s password policy forces you to have eight or more characters, but the secret question for your driver’s license doesn’t allow you to have more than four characters.


The Tale of the Nomadic Web Site - Part 9 - Conclusion

by patrick.ogenstad on May 4, 2006

Aftermath:

Four months later.

Users had been complaining for a few weeks that the Internet access had been very slow. Kyle Donovan, the sysadmin at Regal-Pens, had informed everyone that they shouldn’t listen to Internet radio during work hours. This didn’t solve the problem, but when someone in management complained, there was talk about upgrading the Internet connection so Kyle didn’t think much about the complaints.

Their Terminal Server had also been slowing down of late and Kyle felt that a working Terminal Server was more important than having a fast Internet connection. He had been troubleshooting the server without finding anything.

Kyle had spoken with a geek friend of his, and agreed with his advice:

“You have to reinstall Windows every once in a while, it gets all clogged up in the registry and stuff. I bet not even Microsoft knows what’s going on in there.”

It shouldn’t be a hardware issue, Kyle thought. Not that many people used the Terminal Server, the whole thing seemed very strange. When Kyle was defragmenting the C: drive for the fifth time he saw something odd; the C: drive had used up 31 Gb of space. Strange, Kyle laughed when he saw that the C:\Windows directory consumed 22 Gb, talk about getting clogged up.

Kyle was sure he would share a laugh with his friend over this. He began by deleting all the blue $NTUninstall$ directories but it didn’t help, so the investigation continued. Finally he found a directory named:

C:\WINDOWS\system32\clients\faxclient\system\w95\

The name didn’t mean much to Kyle but its size was 18 Gb; at first Kyle was very puzzled. The directory held a great amount of pictures and asp files, and as he opened the first one his curiosity was replaced by an uneasy feeling in his stomach. Kyle felt the color withdrawing from his face, after seeing some more he got the taste of warm saliva in his mouth.

He didn’t make it all the way to the toilet but caught some of the puke in his hand, some of it he might have swallowed again but it didn’t stay down there for a long time anyway.

While washing his hands he realized that the pictures were still open on his screen for all to see. Panic seized him and on shaky legs he rushed back to the computer.

Kyle closed all the pictures and deleted the entire faxclient directory; his whole body was shaking. The thought that he might have been too rash crossed his mind, but it was too late now. A long time after the incident Kyle was still worried that someone would come asking questions about the pictures that had been served on that server. He didn’t want to be accused of destroying evidence, or worse, but no one came.

After getting some coffee and calming down a small bit, Kyle hunted down his installation media for Windows and reinstalled the server. He had problems focusing and the reinstallation took the better part of the night.

During the coming week users thanked Kyle and said that what he’d done had fixed the Internet problem.

Kyle told management that the server had been hacked, but he didn’t mention the rest. Management asked how this could happen and the result was that they purchased a new firewall, which didn’t really solve anything.

The view on IT security that Kyle and his company had was a common one; we have no secrets, who would want to hack us?

Please note this is a purely fictional story; any names found here are made up. I’ve written this because I like writing. If someone reads it and enjoys it: great. If they get more conscious about security, that’s a bonus. If you have feedback or comments on the story please share them.

Links of Interest:

Computer Security Awareness videos

Security Awareness for Ma, Pa and the Corporate Clueless


How-to Change Fonts in SYDI

by patrick.ogenstad on May 3, 2006

I got an email from a user asking if I could change fonts in SYDI. My answer to him was: you change them.

There are two ways of doing this in SYDI, and both of them are easy.

The first way is to edit the script source. Open up SYDI-Server.vbs in a text editor and scroll down a bit to this section:

strFontBodyText = "Arial"
strFontHeading1 = "Trebuchet MS"
strFontHeading2 = "Trebuchet MS"
strFontHeading3 = "Trebuchet MS"
strFontHeading4 = "Trebuchet MS"
strFontTitle = "Trebuchet MS"
strFontTOC1 = "Trebuchet MS"
strFontTOC2 = "Trebuchet MS"
strFontTOC3 = "Trebuchet MS"
strFontHeader = "Arial"
strFontFooter = "Arial"

Just change the font names to what you want. If you don’t want to get your hands dirty by touching the code there is a fancier way of doing this too.

If you’ve used the help menu, cscript.exe sydi-server.vbs -h, you might have seen the -T option. The Template (-T) option takes a Word template file (.dot) and uses the settings from that file when writing the report for SYDI. The .dot file you choose to use can be one of your company’s template files or you can create a template just for SYDI.

To get started, run SYDI against your machine to create a Word document. When the report is created, go to the Format drop-down and choose “Styles and Formatting”. I’m using an English version of Word 2003 but it should be similar in other versions. From the Styles and Formatting section, change Show to “Formatting in Use”. Now you can see the different formats used in the report.

Create a new Word document, go to the Styles and Formatting section, show “All Styles” and scroll down to Body Text, right-click and select Modify, and change the font to the one you want. I’ll just change the Body Text now but you can change all the ones found in “Formatting in Use” from the SYDI report.

Choose File, Save As. Change the Save as Type to “Document Template (*.dot)” and save the file as C:\SYDI\template.dot (or to your favorite directory).

To test your new template:

cscript.exe sydi-server.vbs -TC:\sydi\template.dot

Hint: If you save the template in its default location you don’t need to specify the path when using -T.

If you’re having trouble implementing this or anything else related to SYDI, don’t hesitate to contact me.


The Tale of the Nomadic Web Site - Part 8

by patrick.ogenstad on May 2, 2006

After having made sure everything worked in his demo site, n3m0 issued the SQL injection and uploaded his nomad.asp script. For n3m0 the results were like hearing a beautiful song.

C:\WINDOWS\System32

0wned, the feeling still made n3m0 feel giggly, though this time it might have been because of lack of sleep. After penetrating the walls his focus went on to control. n3m0 began documenting the network, it had three servers. One Exchange server running IIS with OWA, this was the server he had first gained access to through the ShowRoom.Asp application. The second server was a Domain Controller which also acted as a file and print server. n3m0 chose the third server to host the website, it was a Windows Server 2003 box acting as a Terminal Server.

The server had 3 Gb of RAM, two 73 Gb SCSI disks set up in a RAID 1 mirror, only 13 Gb were used. Perfect, n3m0 found a suitable directory where his client would place the files and verified that the directory wasn’t part of any backup selection.

Regal-Pens used a firewall with a web interface, n3m0 was able to gain access with the help of a default password list. Later he also found the password in a text file located in kdonovan’s home directory; kdonovan was a member of the Domain Admins group which had prompted him to take a look. n3m0 opened up a random port for the web access and one to manage the server.

After some cleanup work he bid the network farewell and closed his connections.

Two days later the phone rang again.

“Hello” n3m0 answered.
“Why hello there,” said the distorted voice, “how are things progressing?”
“It’s done” n3m0 said.
“Excellent! What a good boy you are.”
“Uhm, what? Yes, I’m pretty good. So when will I get paid?”
“How do you want to transfer the money?”
“What, you’re not going to give them to me personally?” n3m0 asked.
“That’s not likely to happen, no.” The caller didn’t sound impressed.
“You don’t by any chance play online poker?”
“I guess I could learn.” n3m0 smiled.
