Haroon Meer
Two pointless excuses to post two pictures..
a) At the end of the year we usually end up getting geek-gifts.. from SensePost, to SensePost.. Last years iPod nano’s were always going to be a tough act to follow.. but i think the picture says it all:
(click pic for clearer view) I know for those across the pond its probably going to sound 3rd world, but i was genuinely suprised at how life-changing GPS technology is.. Of course, it brings the usual geek side effects (other than people playing with Pimp my GPS). I.e. we noticed the other day that in the car park before going home, everyone was busy fiddling with their GPS units.. so suddenly, a bunch of reasonably intelligent folks who used to make the commute to the office and home daily for about 3 years need instructions on how to do it *sigh*
Applescript for HTTP BruteForcing..
A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to mess about duplicating an applications functionality at the protocol level.. Yesterday i had need to brute-force a web application which tried hard to be difficult and annoying..
Normally i would have used crowbar, Suru or a ugly mangled Python script, but the application was strangely difficult..
i.e. the login process is multi staged, with new cookies being handed out at various stages. 302 redirects are used heavily and then to top it off a healthy dose of JavaScript is sent back in replies that also affect your navigation.. Now all of this can be scripted (obviously) but i figured i would try automating Safari with applescript to get the same effect..
Another time sink-hole..
A while back some of us discovered and subsequently lost days to “The Python Challenge“. Well.. prepare to write off a little more time, and check out “Project Euler“. From its about page:
”
What is Project Euler?
Project Euler is a series of challenging mathematical/computer programming problems that will require more than just mathematical insights to solve. Although mathematics will help you arrive at elegant and efficient methods, the use of a computer and programming skills will be required to solve most problems.
Amazon SimpleDB – Outsource your database??
Amazon announced the beta of Amazon SimpleDB without that much fanfare, but it is an interesting trend to watch..
Essentially amazon are giving the power of a database to people used to excel and simple queries, backed by their massively optimised infrastructure. It will make popping up a web shop even more trivial than it has been in the past, and i guess continues along the growing trend of allowing “content to be king”. i.e. u dont need a sql geek in your corner, just a good idea .
The coolest thing this weekend…
Ok.. so being the cautious geek i am, i had bought a mac mini a while back before jumping into the OS X waters.. Unfortunately it was probably the last PPC mac mini’s sold, which means it has limited options (unless i convert it to yellowdog or somethign of the sort).
About 4 months ago i bought a (huuuuge) tv.. unfortunately i quickly figured out that the reason i never bothered with one before is that there isnt really anything decent on tv, and deels and i still spent more time watching googlevids than anythign else..
Rob Auger from OWASP/WASC/CGiSecurity on Timing..
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our Vegas talk, but im not really sure how his attack differs from our published one..
my on-list response:
-snip- From: haroon meer To: bugtraq@cgisecurity.net Cc: websecurity@webappsec.org Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF vulnerable login pages Hi Robert..
Thanks for the kind words on the talk.. If you check out the visio at: http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that its pretty much the same attack.. In a shameless display of self-pimpage, check out the paper http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf from page 12.. Figure 23 for example shows the results in a victim/zombies browser, after he has visited our page.. Effectively he tries the userlist we send him (in this case on a standard squirrelmail login page). Once he detects a timing diff (again using a trivial algorithm to avoid latency disparity) he simply makes another request to the attacker to report his success..
Casper and hidden IE windows..
OK.. so it was a long time ago, and old code is supposed to embarrass
you.. but i pulled casper.exe form our webpage today
to test something for the project im on..
interestingly it runs pretty ok, and actually doesnt look from the
outside as ugly as it is underneath..
if you never used casper, take it for a quick spin.. if nothing else u
will be suprised by how many invisible windows currently live on your
desktop..
Dino Dai Zovi is such a Rock Star..
Dino is the guy who added much shellcode coolness to MetaSploit, gave
the world Karma, released the first virtualization rootkit for Intel
(Vitriol), and gave much credibility to the Matasano crowd while he was
there..
Although he left the consultancy gig, he popped up briefly again during
the year to claim his macbook in the Cansec Hack the Mac challenge and
popped up again to break second-life..
Google as an MD5 Cracker..
Slashdot picked up on the blog post from Light Blue TouchPaper commenting on the fact that a researcher was suprised to discover that simply putting an md5 hash into google returned a hit with a mapping to the original word..
This is an interesting concept.. A while back, we decided to fiddle with the concept of using googles indexing and spidering as a new take on the time/space trade-off for password cracking..
Follow-up (OS X BSOD Win32 Icons)
Of course, Leopard’s new improved ™ finder includes an Itunes’esque “Cover Flow” view (which includes quick view thumbnailing quite impressively)..
Of course, it means you get a better look at the win32 – BSOD :>