
10.15.2007

Introducing Pulse

Well, if you've been doing DNS zone transfers on VulnerableMinds.com then you already know, but for the rest of you Pulse has been a mystery. Begun as Project Tango, Pulse was meant to do one thing: give you a summarized, quick, complete look at the status of the information security threat landscape. It's a simple concept, but a lacking resource on the Internet.

Pulse came out of my own needs as a threat analyst. Work leaves me with no shortage of projects, research, emails, and meetings, and yet there is the imperative need to have a complete view of what vulnerabilities, exploits, and malcode are affecting all platforms. RSS feeds were a good start, but I quickly found myself reading dozens of feeds a day, many filled with useless information. Many I was able to replace or weed out, making it easy to get general news and opinions, but I still needed more. I still needed information about threats, vulnerabilities and the code to exploit them, but struggled with so many feeds, and I still spent a huge amount of time reading unimportant information.

To this end I decided I needed a tool of my own, something to bring all these feeds together into one place and yet eliminate the chaff: the low-threat items, the endless mailing list responses, the unnecessary.

The result is Pulse.

Now Pulse is a huge part of my daily workflow. I start my day with it, along with the SANS Internet Storm Center and the Arbor Networks Atlas portal. I feel that this combination gives me all the information I need to be on the "pulse" of the infosec threat landscape.

I'll quit waxing philosophical about the whys and hows. It's straightforward, but I feel like it meets a need that isn't easily being filled by other services available on the Internet. So take a look, use it, enjoy, and feel free to send me feedback. Pulse isn't done, it's not finished, it's just beginning. To find out more:

7.10.2007

Another iPhone Security Perspective

Alright, I promise, last iPhone post, at least from me.


The fine folks over at Symantec's Security Response group are apparently taking a look at the iPhone from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (see: iPhone sounds a lot like iPwn), and with good reason. It would seem that Apple hasn't been as cavalier with their AJAX/iPhone integration as early reports suggested. For now that seems like good reason, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.

So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...

6.13.2007

iPhone sounds a lot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone with a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third-party development.

My overall take on it? I've had a number of smartphones, and aside from making calls I mostly just used the browser. As for other applications, after a few that I tried for experimenting I found I rarely used any others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone, I truly believe that the killer app will be Safari itself, if it's all that Steve has tried to demonstrate it may (or may not) be cracked up to be. I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smartphones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi-paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other), you create a new problem: web pages can have amazing integration with your personal phone. Let me rephrase that: advanced applications, running from remote servers, with both instructions and data, that have already been shown to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all of those hold only most of the time. There are plenty of side effects of current web technology that make a security researcher pull their hair out, and that's all inside the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.

It would seem, based on current information, that Apple is deliberately adding such features, creating a potential security nightmare by deliberately giving web applications the ability to circumvent the sandbox. So what will happen? XSS attacks that rewrite your Address Book? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, which so often touts its security record (no, I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of the design received. All of this is obviously speculating the worst, but Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design, what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

6.10.2007

And the answers please...

Over at Nopsr.us the Underminers (aka 1@stPlace, winners of last year's Defcon CTF) have put up a follow-up to last year's CTF quals writeup, which you can find here.

@tlas and his gang do a fantastic job walking through each of the challenges, and a lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of Kenshoto's hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you'll learn a bunch.

For those who are curious, Vulnerable Minds did play this year and we were quite pleased with our 30 out of 160 finish. In what is the largest Defcon qualification year ever we were stoked to come in the top fifth and had an awesome time. ev3, Narc, LogicX, Bacon, Gpmidi, Bacchus, and myself spent most of the weekend at Akolyte and Saijak's apt, chugging Red Bull, watching Jurassic Park on repeat (seriously, Pwnage100 was crap), and hacking to our hearts' content. It was a great weekend, the challenges were excellent, tough but enjoyable, and it was one of the most fun and interesting events I've been a part of.

So props to the Kenshoto guys for a fantastic quals round, to the NopsR.Us/Underminers/1@stplace guys for the fantastic writeups, and to the Minds who dedicated their weekend to playing a fantastic game.

And watch out next year because Vulnerable Minds is coming to break all of your plates!

5.19.2007

Time for a Tango

Well, I've had a number of people curious about Project Tango. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back-end pieces for finalization and release.

So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:

  • Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.
  • Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email, pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.
  • Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.
All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.

3.25.2007

Javascript Internal Vulnerability Scanner Source Code

This code was demoed at Shmoocon '07 during the Javascript Malware for a Grey Goo Tomorrow presentation. The code was given to us by our newest mind Mike, and first analyzed by Steve Davis. It allows for client side internal vulnerability scanning through Javascript. It is currently missing a frontend to run it. First one with a front end wins :)

UPDATE 3/25: Source code removed at request of Jikto creator

3.14.2007

Gettin' Fired up with Firefox and Snort

Snort...
Firefox...
Two great tastes that taste great together...

What?!?

Yes folks, no joke about it. I haven't been really excited about an open source security project since the early days of Metasploit, before a young HD Moore turned the security industry on its head and added his name to the list of hacker greats. It's called Firekeeper, and it's meant to be a client application-level intrusion prevention system for everyone's favorite open source browser, the venerable Firefox.

Firekeeper is a re-engineered version of the Snort detection engine that uses standard Snort rules, which gives it one of the best IDS engines in the world. Integrated as a Firefox plugin, it allows for detection of the application-level threats that Snort rules describe. All of this runs in the browser, nothing extra to set up, and runs on the fly. This gives it amazing possibilities: it looks at only a small subset of signatures so it stays fast, with easy access to all sessions running in Firefox. It is even able to look into SSL sessions, something a normal network IDS can't do without lots of fun expensive things like SSL accelerators and such.
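To make the "Snort rules inside the browser" idea concrete, here is an added example that is not Firekeeper's code and not Snort's: a toy matcher for a small subset of Snort rule syntax (the `msg:`, `content:`, `nocase;` and `sid:` options only; modifiers such as `depth`, `offset` and `pcre` are assumed out of scope and ignored), applied to a few constructed HTTP response bodies the way a browser-side engine would see them after SSL decryption. The rules and responses are made up for the demonstration.

```javascript
// Added example: minimal Snort-style content matcher for response bodies.
// Understands only msg:, content:, nocase; and sid:. Everything else is
// parsed past and ignored (an assumption of this toy, not Snort's behaviour).

function parseRule(line) {
  // Header: action proto src sport -> dst dport (options)
  const m = line.match(/^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$/);
  if (!m) throw new Error("unsupported rule syntax: " + line);
  const rule = { action: m[1], msg: "", sid: null, contents: [] };
  // Options are "key:value;" pairs; quoted values may contain ';' inside the quotes.
  const optRe = /(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;/g;
  let last = null; // the content: that a following nocase; modifies
  let om;
  while ((om = optRe.exec(m[7])) !== null) {
    const key = om[1];
    let val = om[2] === undefined ? null : om[2].trim();
    if (val !== null && val.startsWith('"')) val = val.slice(1, -1);
    switch (key) {
      case "msg": rule.msg = val; break;
      case "sid": rule.sid = Number(val); break;
      case "content":
        last = { pattern: val, nocase: false };
        rule.contents.push(last);
        break;
      case "nocase":
        if (last) last.nocase = true; // applies to the preceding content:
        break;
      default: break; // other options not modelled here
    }
  }
  return rule;
}

// Snort ANDs all content: patterns; ordering/offset constraints are not modelled.
function ruleMatches(rule, payload) {
  return rule.contents.every(({ pattern, nocase }) => {
    const hay = nocase ? payload.toLowerCase() : payload;
    const needle = nocase ? pattern.toLowerCase() : pattern;
    return hay.includes(needle);
  });
}

// Returns the alerts (sid + msg) raised by a rule set against one response body.
function scanResponse(rules, body) {
  return rules.filter((r) => ruleMatches(r, body)).map((r) => ({ sid: r.sid, msg: r.msg }));
}

// Constructed sample rules (sids in the local 9000000+ range, not real Snort sids).
const SAMPLE_RULES = [
  'alert tcp any any -> any any (msg:"EXAMPLE inline script reads document.cookie"; content:"<script"; nocase; content:"document.cookie"; sid:9000001;)',
  'alert tcp any any -> any any (msg:"EXAMPLE hidden iframe in page"; content:"<iframe"; nocase; content:"display:none"; nocase; sid:9000002;)',
].map(parseRule);

// Constructed sample response bodies, as a browser-side engine would see them post-decryption.
const SAMPLE_RESPONSES = {
  benign: "<html><body><h1>Hello</h1><p>No scripts here.</p></body></html>",
  cookieScript: "<html><SCRIPT>var c = document.cookie;</SCRIPT></html>",
  hiddenFrame: '<html><IFRAME src="http://example.invalid/" style="DISPLAY:NONE"></IFRAME></html>',
};

// Convenience: scan every sample and return {name: [alerts]}.
function scanAllSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = scanResponse(SAMPLE_RULES, body);
  }
  return out;
}

console.log(JSON.stringify(scanAllSamples(), null, 2));
```

Two things the toy makes visible that the paragraph does not: `nocase;` binds only to the `content:` immediately before it, so the first rule matches `<SCRIPT>` but still requires `document.cookie` in exact case; and plain substring signatures are brittle, since `style="display: none"` with a space would not trip the second rule, which is why real rule sets lean on `pcre` and normalization options this example leaves out.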

Now the idea of application-layer firewalls has been around for some time, but this is something new and altogether different. Those typically function on the server side, protecting web applications and things like huge enterprise information systems. That was a great idea during the late '90s, when server attacks were en vogue, but we've moved past that now. While server-side attacks will never go away (I mean come on, they're so easy to find (not the vulnerabilities, the servers)), we've moved into an era of client-side attacks, and browsers have always been a favorite. Firekeeper provides a level of protection that can't really be duplicated. A network IDS attempts to work in the context of the network to protect the browser; it's counter-intuitive. You wouldn't post a battleship to protect a fort 20 miles inland, you'd send tanks and soldiers. Firekeeper puts the protection in the right context: protect the browser at the browser.

Is this a surefire way to protect the browser? I'm not sure, but I tend to doubt it, though it's worth looking into. At the worst it's another layer of depth for security's beloved "Protection in Depth" model (which I've been questioning more and more lately after hearing Bruce Potter speak last week at the NoVA OWASP group). At the very least, though, it shows that people are taking novel approaches to protecting themselves and others, and that gives me hope.

P.S. How about a Mac version plz?!

12.15.2006

Frameworks - The Way of the Future

I've finally done something I've been promising to do more lately. I've been programming more. SCARP, yes it needs a new name and no I'm not telling you what it is, has been my project of late and it's great getting back on the wagon. In spite of what I said in a previous post (Does this sound Scripted?: My Love/Hate Relationship) I've been back to learning Ruby. The draw of getting involved again with the Metasploit Project and the evangelism of my friend al3x has convinced me, and it's fully worth it. Ruby, once I got away from Why's Guide, has been a joy. My current project has been good, and it's already leading to a larger project that should be quite interesting.

One of the things that makes Ruby most interesting is Rails, defined by its inventors as:
"...an open source web framework that's optimized for programmer happiness and sustainable productivity."
A nice application by the folks at 37 Signals, Rails will make my next project possible and I look forward to working with it.

In addition I'm also looking forward to renewing my involvement with the Metasploit Project, which moves to Ruby for version 3.0. Metasploit is defined as:
"...an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research."
Now before you start thinking that this post is going to be about me espousing my love of Ruby you should know I'm not there yet, though on the way. No, what sparked this post was coming across the Backframe Project. Not familiar? Neither was I. Backframe is:
"...an experiment to create a full featured attack console for exploiting web browsers, web users and remote applications. Those who are familiar with XSS Proxy or even BEEF might already be familiar with the core principles of the project.
...
The result of these core principles is an easy to use and understand web-client-oriented attack framework that keeps the data, the presentation layer, and the underlying logic apart. This design is known as "the separation of concerns model". This is a highly effective practice which allows one to easily extend upon the core elements."
What struck me is the fact that frameworks, like Rails, Metasploit, and Backframe, are becoming the new elements of object-oriented programming. Since the beginning of OOP there have been classes, even libraries, but now so many modern projects are moving well beyond that: complete applications, complex, intricately designed, with no other use than to facilitate the creation of other applications. The full-featured APIs that are coming out of web projects from people like Google and sites like Remember The Milk are close relatives, but they are interfaces, where frameworks are going above and beyond.

What's my conclusion? I don't really know, I'm waiting to see. All I know is that projects like Rails and Metasploit are turning their respective industries on their heads. Rails has made Web 2.0 applications something that aren't just created by the likes of Google, but by some kid sitting in a coffeeshop on a MBP sucking down americanos wearing a goofy Puma sweater. Metasploit took cutting edge exploits, made them easy to develop, and even easier to fire, drastically changing the threat landscape for people like yours truly.

So check out Rails, Metasploit, and Backframe. They're all interesting projects with nice frameworky goodness. I'm not sure if frameworks will be the way of the future, but frameworks have largely become 2006's contribution to the idea of object oriented programming. I'm eager to see what 2007 may offer. And keep your eyes peeled, more fun is on the way.

11.28.2006

GCal + RTM: Two Great Tastes

...that taste great together!

There's been some serious integration added between my two favorite online organization aids. The fine, fine folks over at RememberTheMilk, for my money the hands-down best todo list (that's really oversimplified) application on the net, have added some extensive features allowing them to hook into my favorite calendar application, Google Calendar.

I really enjoy RTM, but while logging into a calendar application daily makes sense due to its temporal significance, a todo list is more event-driven. By combining the two, both become much more viable. GCal needed a todo list. RTM needed a better way of organizing and displaying by time. This combination makes both much more effective, and hopefully my life much better organized.

If you're in need of organization (and who isn't) and use either one, I recommend checking out the other; it's a killer combo.