Saturday, 21 June 2008

What is this NAC thing anyway?

A survey by Sophos reported that 39% of corporate computers scanned by thier NAC (compliance) modeules failed a basic security test.

Network world has a buyers guide for these products.

So what actually does a NAC device do?

NAC stands for "Network Access Control". NAC is a policy and compliance enforcement engine that helps both small and lerge organisation keep their networks and systems secure.

The main functions of a NAC include:

  • Vulnerability management,
  • Policy compliance, and
  • Standards and regulatory compliance (with respect to IT systems).

There are a variety of configuration options with NAC that range from policy separation, patch management and change control, security enforcement (anti-virus/malware defense, firewalls, monitoring and reporting, VPN control and system security and configuration management) and compliance management.

Want to learn more?

Qualys has provided a free download of "NAC for Dummies" on their site. Sophos has a good link on this topic as well. Cisco have mountains of NAC information.

I am not even being paid to plug these vendors.

Most systems are NOT secure. Most organisations I see are far from compliant or secure. NAC is a simple method of the 80-20 rule. If you automatically stop 80% of the issues, you will be likely to survive an attack against your organisations network.

This is not all that needs doing, but it does pose a begining.

Friday, 20 June 2008

A more detailed description of the Jura F90 vulnerability

The issue is a lack of input validation. OWASP would be a great learning exercise for the coders on this product. It seems to be assumed that only trust-worthy users will connect only to trust-worthy sites. I could not find any evidence of input validation.

Through the magic of Web Scarab and Paros proxy, one can capture the Internet communications used by the F90 Internet Connection Kit software. What you soon see is that the software does not account for either bypassing the local application and changing the input or in spoofed and re-directed sites.

The software does not validate the site it gets the information from nor does it sufficiently validate the input to the software.

At the moment as I think there are so few people as crazy as I am who actually have to have a gadget just as it is Internet connected; this is not likely to become a widespread attack vector.

The software is an oversized web proxy with other stuff to connect to the coffee machine thrown in. Jura did not make the assumption that an evil attacker could purposefully modify and publish “evil” coffee “recipes.

I have been taking the updated SANS@Home 610 course. I have a GREM, but Lenny and the other guys have added an additional component to the Reverse Engineering Malware Course. So I had to take it.

The course focuses on analysing and reversing malware, but IDA and Olly work on binaries of all types and the bad combination of a bottle of good resiling and 9 coffees after midnight is not a good combination. Hence I decided to attack my coffee maker and the control software.

There are certain aspects of code (like the ever faithful GETS() function) that should be beaten from existence. Others need to be securely configured such that all the required variable fields are entered correctly (see SPRINTF()). Unfortunately the coders at Jura did not consider that “bad people” would ever attack a coffee maker ;).

There are 2 main attacks that I have noted,
1 Loading a malicious setting or recipe into the device causing a “coffee overflow” etc.
2 More seriously, not validating the input correctly coupled with a lack of authorisation of the source and nothing to stop invalid data at the host means that malformed strings can be fed to the software that can either crash the system or if crafted correctly run a binary on the host.

So, as most people who check this list I no doubt know, not validating input is bad. Trusting the web as you have a piece of custom software that is closed source and a belief that users are all nice is bad.

Craig Wright Security Advisory 0002


The Oral B Triumph Toothbrush with SmartGuide™
ProfessionalCare™ 9900 is designed to enhance your brushing experience with “while-you-brush” feedback. SmartGuide is designed to ensure that you always have the best brushing experience.


Remote exploitation of an information disclosure vulnerability in Oral B’s SmartGuide management system allows attackers to obtain sensitive information.

This vulnerability exists due to a lack of authentication between the toothbrush and the monitor device.

There is also a possible wireless denial of service where a malicious attacker could stop the radio feedback and monitoring.


Exploitation allows an attacker to gain sensitive information from the toothbrush. No authentication is required to reach the affected application. The attacker only needs to be able to monitor the wireless transmission.

The attacker can determine the users brushing habits. It is possible to report on the location of the mouth that is being brushed and the amount of time spent on each of four defined “quantrants”.

An attacker could also conduct a serious DoS attack. Flooding the wireless communications causes the unit to stop responding. This can result in the following actions:
A. A continued DoS could cause the bristle monitor to not send an end of life signal to the SmartMonitor system leaving the user to continue using an old toothbrush head which could eventually lead to dental failure. The failure to monitor the most effective head life could result in bristle failure.
B. Dental statistics could be erased from the monitor unit. This would leave the user unable to determine and report on their brushing habits.
C. Fake battery life transmissions can be sent making the user believe that the battery life is in fact longer than is truly stored. This could lead to a catastrophic brushing failure where the toothbrush runs out of power in mid-clean. A continued long term attack could lead to the creation of cavities in the user’s teeth.


The DoS attack is readily detectable as the toothbrush rails to communicate to the monitoring unit.

Monitoring and interception remains undetectable with no known means to monitor this insidious threat to user brushing privacy.


The vendor has a deactivation process that will allow the toothbrush to operate manually with the radio disabled.


I was unable to get an adequate result from the vendor and the receptionist did not forward the calls after the first few. A direct call to the sales channel resulted in the comment, “who the hell would want to monitor a toothbrush”.


The Common Vulnerabilities and Exposures (CVE) project has not assigned a name to this issue as yet.


19/06/2008 Initial vendor notification
19/06/2008 Initial vendor response
19/06/2008 Coordinated public disclosure


Permission is granted for the redistribution of this alert electronically

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Thursday, 19 June 2008

New Advances in Java Forensics

Yesterday I released a bug with the Internet access software for the Jura F90 coffee maker. This is a high end coffee machine that connects to the Internet.

The vulnerability was one thing, and demonstrates the lack of concern many people have for appliances. The move to the Internet connected house needs to also address the security of these devices. As a result of finding the vulnerability in the coffee maker, I decided to explore what else I could do with an Internet connected coffee machine.

Top this end I have to announce a whole new branch of “Java” forensics. Pun intended.

The Jura coffee machine has a small programmable ROM that stores information concerning the host coffee maker. The coffee machine also has a clock and can be configured to automatically start and warm up ready for the morning cup of espresso.

Some of the details that are tracked by the machine include:
1. The total number of cups made,
2. Details on the last few cups made including time and type of coffee (espresso, demitasse cup etc), if 1 or 2 cups where selected,
3. The time that the machine started and shutdown and the time running,
4. The total service time,
5. The time since the last service and the service codes that are active and have been fixed, and
6. Serial number, ownership details and coffee preferences.

When the connectivity kit is used (as with mine) the information stored is richer and more accessible than with the appliance on its own. Fault diagnosis is far easier; hence the likely use of this software by people other than total geeks such as me.

What this means to Forensics…

Here we have a whole new field of forensic science, appliance forensics. If a person claimed they left the house at 17.00 and they where the last to leave, how do they explain how a coffee was make at 17.15?

If a husband states he was not with anyone on the weekend, his wife can check if 2 coffees where made at one time giving an indication of another person (or a really bad coffee habit).

So with the Internet fridge, Internet coffee machine, Internet Oven… who knows, maybe we have a new forensic field.

Wednesday, 18 June 2008

The latest Java based attack...

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there's a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what – it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:

  1. Change the preset coffee settings (make weak or strong coffee)
  2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
  3. Break it by engineering settings that are not compatible (and making it require a service)

As a bad pun, the third attack could be called a Java denial of service...

The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary service.

Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.

Compromise by Coffee…

Tuesday, 17 June 2008

The myth of global warming

As an early component of my studies towards a Masters degree in Statistics with the University of Newcastle I did an analysis of the Varve data. Varve data is the glacial temperature data. This information covers a 11,000 year period.

“Varve analysis is the process of counting varves or annually laminated sediments to determine the rates of change in climate and various ecosystems. Varves form when glacial advances come in contact with bodies of water such as lakes. When this process occurs, layers of sediment form on the floor of the body of water. This technique provides an opportunity to acquire detailed chronological information about the composition, displacement, and climate of that region, at that time. It was first developed by the Swedish scientist Baron de Geer in 1878.”

Climate change is a well-known natural phenomenon. It has been occurring for over 10,000 years. We have data that demonstrates this. Further, as far as I know there where NO cars 10,000 years ago.

Unlike the touted end of existence in 2007 by pseudo-scientific mystics (being nice to the quacks), 2007 didn't turn out to be the warmest ever. In fact, 2007's global temperature was essentially the same as that in 2006 - and 2005, and 2004, and every year back to 2001. The record set in 1998 has not been surpassed. In fact, the earth has become colder.

For nearly a decade now, there has been no global warming. Even though atmospheric carbon dioxide continues to accumulate - it's up about 4 percent since 1998 - the global mean temperature has remained flat. That raises some obvious questions about the theory that CO2 is the cause of climate change.

In the US, a record 44.5 inches of snow fell in New Hampshire in Dec 2008. This broke the previous record of 43 inches that was set in 1876. The Canadian government is forecast the coldest winter in 15 years, and it was close. In South America the start of winter last year was one of the coldest ever observed. In Buenos Aires in 2007 it snowed for the first time in 89 years. In August 2008, Chile reported the "the toughest winter we have seen in the past 50 years". It resulted in an estimated loss of at least $200 million in destroyed crops and livestock.

June 2007 was the coldest winter on recorded history in Australia. New Zealand's vineyards lost much of their 2007 harvest when spring temperatures dropped to record lows.
All four agencies that track Earth's temperature - the Hadley Climate Research Unit in Britain, the NASA Goddard Institute for Space Studies in New York, the Christy group at the University of Alabama, and Remote Sensing Systems Inc in California ALL report a 0.7C cooling in 2007 - a reversal of the warming that has taken place over the 20th Century.

It is possible that by 2020, the world will not have warmed for over 20 years!

The 0.7ºC of temperature change from 1950 to 2006 disappeared, we are actually over 0.5ºC cooler than the earth was in the period from 1900 to 1920.

A warm Middle Ages saw vineyards in England. Greenland got its name due to the relatively lush coastal regions encountered by contemporary exploring Vikings. These villages lasted until around the 17th Century. At this point a cooling climate reduced the snow-free land available to the settlers and indigenous people alike. This cooling period left Greenland as we know it today.

Science beats myth, lets do the former.

Monday, 16 June 2008

Detecting Hydan

I submitted my SANS GCIH Gold paper (SANS Paper No. 6) on the weekend. This should be available soon (in a couple weeks on the SANS RR).

Hydan is not particularly difficult to detect statistically. The paper presented a preliminary method that could be further refined into a production level tool if the need to detect Hydan or a future variant was required. R was used to provide a statistical detection function. This could be compiled using an R code compiler rather than leaving it running in an interpreted mode as was done in the paper.

Statistical tools such as R provide an excellent tool for the analysis of data from computer systems and networks. These statistical tests could be expanded to uncover other forms of steganography. The methods in the paper have demonstrated that it is not necessary to analyze the entire binary executable as was supposed by the author of Hydan. The distribution of functionally equivalent but uncommon byte code instructions becomes statistically significant well before the entirety of these functions have been analyzed.

Future research efforts have started to detail the process to capture the encrypted header length and use this as both a means to Brute force the data and also to simply determine the message length will be expounded in a follow-up paper to the one sent to SANS for my GCIH Gold.

Sunday, 15 June 2008

Looking for people wanting to do the GSE-Malware exam!

So you want to do a GSE? Have you thought about the GSE-Malware?

If you have, then please feel free to sign up. If you are interested, I am happy to work with anyone who wishes to do this exam and help ensure that they understand the tools. What do I get? Well as Jeff has said, I am collecting them all. This is my 2nd platinum and it is unlikely that they will run the exam just for me - especially as I have one already. I have about 25 GIAC Certs and am working on gold No. 6, so I have some experience with these and the process.

So if you want to do the Malware exam and want to have a personal trainer/mentor at no cost - then sign up to take the GSE-Malware!


Weekend images

A few snaps from the farm.
Being winter, the trees are naked.
And being wet the stream is flowing well.
And even has an eel.
And a few small waterfalls.

And some more trees.
And the play of the light on the water.
And I am not in the mood to be verbose.
More contemplative.

Nessus and Commercialisation

Welcome to the world of economics. We are in (like it or not) a world of supply and demand. A world of limited resources.

In response to those asking “what about those who have submitted to Nessus”:
Back in the deep dark 90’s I hosted the Australian mirror for Nessus. When you chose “Select a server near you: Australia”, we where hosting it. My team and company submitted a fair number of things. So I believe that I can speak with authority with this topic.

Guess what I HAVE been paid for this time. Not in money, but in the same as all the others have. I used the product. I did my job, sold consulting time and got paid. Money did not come from Nessus directly, but I have made money from them. Just like all the other people who have used it commercially.

Being that there is an economic aspect to the earth, we can not forget this. The people who created and who maintain Nessus can other things as well. Do we presume to state that they have to maintain it in perpetuity – gratis?

Even when those people have added some input into Nessus, compare this to the commercial cost of a tool. I doubt that there are many who have added anywhere near enough to account for the cost of the alternative products. I remember signing for over $50k for ISS licenses at one point. I have not submitted that amount of effort myself to the Nessus project, and this is over a decade. This is including where I allowed staff to build new plugs and submit them in work time.

But wait, I still gained for that as well. And much of the material used was gained from clients. In particular, my former company at the time was maintaining security systems for the Australian Stock Exchange. We gained a large amount of information on threats, new attacks etc (strange that a stock exchange should be a target…). Some of this ended as new plugins. Again, we benefited from this. I benefited from this. I made money from Nessus as have most on this list who use it.

If it made you job easier, you have received something for nothing. If you have used it for consulting you have something for nothing. If you have used it to learn from, you have something for nothing and continue to do so. Rather than whining about the HUGE cost (which is less than I spend on coffee), be thankful for all the time it was free!

Yet it is free for education. It remains free for a number of purposes.

Commercialisation is not a bad thing. The Nessus team have a right to earn money for their efforts. They are not slaves bound to code for the great unwashed for eternity.

If you do not like it, there are options. Buy another commercial product (or again is this the we need something for free argument?)

To all those self centred, ignorant people, grow up! You are milking the developers of Nessus and have done so for years. They have a RIGHT to gain for their labour. Even the damned communists where not daft enough to believe that people had to work for nothing. At the price, Nessus is a bargain.

If you want a free alternative that is guaranteed to remain free, put in your own time. I will do the same. I will happily create a deed to form the product that will legally guarantee it remains both free and available. There is a catch to this. Those who volunteer will need to guarantee (in a legally binding sense) there time (in perpetuity). The product will be free at the cost of say 5 hours a week that you either do or to which you give the equal monetary compensation, say $120 an hour.

At current rates the annuity cost (financially assuming existing bond rates) for this equates to about US$260,000 (2 weeks holiday annually included). Who wants to sign up? I will write it and the software will be set as free forever and maintained. But if you drop out without signing up a replacement, trust me when I state that I will made the deed tight enough that even bankruptcy will not save you from paying out the remainder in money other then time.

For this is exactly what many of us are in effect demanding of the Nessus team.

This is in effect what the Nessus team have done. In fact, most if not all of them have done far more than this. We have in effect bled millions from them that they could have made, and we whine when the cow stops giving milk. Rather than being grateful for ALL that we have received, we complain!