Information Security Blogs

So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint.

In my case, the reason why I had to come up with a solution to this problem is because I had to simulate an attack in which the attacker had gained access to a Internet-visible web server. In this case, I needed to perform a portscan of the backend database server and make sure that only required ports are visible (a customized mssql port in this case). For reasons that are irrelevant to this post, the customer could only give me restricted access (NOT root) to the web server via SSH.

I really didn’t want to download a tool such as nmap and then compile it. In theory, I wouldn’t be able to cause serious damage to the system since I was using a restricted user account. Even then, I always try to be as polite as possible with customers’ environments during security assessments, especially when it’s a production system.

Anyway, my solution to this problem was to write a simple TCP portscanner in bash which glues around the telnet command which is present on most Unix/Linux distributions. Literally, all I’m doing is looking for Connected to responses generated by telnet which tells us that a successful TCP connection was established (open port). Very vanilla and trivial stuff as you can see! Nevertheless, I accomplished what I wanted, which is to perform a portscan without having to download any tools and without requiring root privileges.

The following is the short version of our agile hacking TCP portscanner which you can literally copy and paste on your shell (just change the value of the HOST variable to the IP address of the system you want to scan):

HOST=127.0.0.1;for((port=1;port=65535;++port));do echo -en "$port ";if echo -en "open $HOST $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null;then echo -en "\n\nport $port/tcp is open\n\n";fi;done

The following is a more elaborate version of our portscanner which supports scanning for either common or all ports. The list of common ports is read from the ‘/etc/services’ file which is present on most Unix/Linux systems:

#!/bin/bash

# telnet-based TCP portscanner
# By Adrian 'pagvac' Pastor | www.gnucitizen.org

# delay in seconds
DELAY=0.001

if [[ $# -ne 2 ]]
then
	echo "usage: $0 <mode> <host>"
	echo -e "modes:\t1 - common TCP ports only"
	echo -e "\t2 - all TCP ports"
	exit
fi

if [[ $1 -eq 1 ]]
then
	echo "scanning for the following common TCP ports on $2 ..."
	for port in `grep '/tcp' /etc/services | cut -d '/' -f 1 | cut -d ' ' -f 2 | grep -v '#' | awk '{print $2}' | sort | uniq`
	do
		echo -en "$port "
		if echo -en "open $2 $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null
		then	
			echo -en "\n\nport $port/tcp is open\n\n"
		fi
		sleep $DELAY
	done
	echo -en "\n"
elif [[ $1 -eq 2 ]]
then
	echo "scanning for all TCP ports on $2 ..."
	for((port=1;port<=65535;++port))
	do
		echo -en "$port "
		if echo -en "open $2 $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null
		then	
			echo -en "\n\nport $port/tcp is open\n\n"
		fi
		sleep $DELAY
	done
	echo -en "\n"
fi

Syntax follows:

gnucitizen $ ./telnetps.sh
usage: ./telnetps.sh  <mode> <host>
modes:
        1 - common TCP ports only
        2 - all TCP ports

More interesting is perhaps the access model they employ. To login, all you need is the United Mileage Plus number of the primary Red Carpet Club account holder. Now, having long questioned the wisdom of a luggage tag that displays these numbers, be it a "hole-punched" Mileage Plus membership card, or a more obvious oval-shaped Red Carpet Club tag, I'm even more wary now. But if you're in bind and need your airport wireless fix, odds are you won't have to walk far to find one available for the taking. As a matter of fact, I see two from where I'm sitting right now.

I've yet to explore how difficult it would be to exhaustive search for valid numbers, or if multiple logins are permitted at a given time, or how far outside of the Red Carpet Club these numbers are valid, or... I also wonder how long it'll be until some poor schmuck is arrested for allegedly downloading child porn from an airport wireless network...

If this were a wired network this wouldn't be a security problem. After all, if you're inside the RCC, presumably you're an RCC member (unless you bought a day pass), in which case you should be entitled to use the network. But as Danny indicates, the wireless AP is probably accessible from outside the RCC, so if you sit outside the club, you should be able to get on the network, making it just a matter of having a valid mileage plus number, which you can get off of someone's luggage tag.

As far as exhaustive search goes, MP numbers are 11 digits long, but the first digit seems to always be zero, so this is a 10 digit space. I don't know how many RCC members there are, but Wikipedia claims that there are about 750,000 Premier and Premier Executive members, so let's say there are on the order of 200,000 RCC members, or 2*10^{-5} of the space. If the numbers are randomly distributed, you'd need to search about 100,000 numbers in order to find one. This could take quite some time (over a day at one per second). You might be able to get some leverage because the distribution isn't random. They seem to be issued in some kind of increasing sequence, though there seem to be too many numbers for it to be strictly sequential. If there's a check digit like in credit card numbers this would make the space a lot easier to search. (If someone knows the actual algorithm, please write in.) Of course, you only need to know a few valid numbers, so this might not be a totally prohibitive attack if reading it off someone's tag weren't so easy.

Three more thoughts:

• RCC entry itself is a lot more valuable than access to the wireless, since the wireless access doesn't cost United much, but access to the club costs them food and (in the International terminal), free drinks. I assume it's not hard forge an MP card once you know a valid number. I'm not an RCC member so usually when I'm there it's on the "international ticket" + Star Alliance Gold exception, so they check my ticket, which is hard to forge. Do they insist on seeing your ticket if you're an RCC member? If not, this is actually a new attack vector on the RCC, since it would let you extract numbers even if it weren't easy to read them off other people's luggage.
• There's actually a fairly easy way to secure the system against remote attacks (ones that don't involve somehow gaining access to the RCC interior) that wouldn't require lining the RCC walls with copper sheeting. For the first login to the RCC network, require not just your RCC #, but also a random passcode given to people on entrance (or maybe posted on the wall). After that, you can install a cookie on their computers and just let them on without a new login. ¹
• I'm a bit curious how the system checks for RCC number validity. Does it have a local copy of the RCC database? Is it connected to United's central systems? That could be interesting.

¹ See draft-rescorla-stateless-tokens for a description of some techniques for avoiding the need for a centralized cookie database.

Lately I have seen a movement towards the idea that you can't prevent security problems, so you should do your best to detect and eliminate them. While I agree with this in the general sense, it is clear that a very strong tendency in malware evolution nowdays is to make it both as stealth as possible and as hard to remove as possible.

Lets imagine a (nightmare) scenario:

• malware files hosted on a fast-flux network
• distributed through social engineering (the click here to get dancing bunnies e-mails kind for example)
• the downloaded executable is mutated at every download slightly, and at every couple of hours in a major fashion (supposing a fixed timeperiod for the attack, this can be done by creating the required number of variations for the packer-tool in advance)
• once run, it loads a kernel-mode driver, disables and prevents security software from running and tries to hide itself

All these components are already out there (there is malware with this behavior - so much for giving the bad guys ideas), and although as far as I know, there is no malware family using all the techniques, it's probably only a matter of (little) time.

I'm not saying that such an infestation is impossible to detect (given enough intelligence, it can be detected by specific network traffic patterns, or by the fact that the security software is no longer working) or to clean (reinstalling from a clean, read only media should work in almost all the cases), but it has the potential to wreak havok in the circle of people who think that security is an add-on that you can buy for money, put it on and never worry about it again.

Not to sound too alarmist, but such an attack has the potential to take down the root DNS servers (through a DDoS attack), making much of the Internet unusable and most certainly would have the potential to take down all but the most powerful sites (which have multiple redundancy on all continents, etc), creating enormous damage. The security industry should wake up and realize that unless something is done to curb the exponential growth of electronic crime, disaster will strike in a couple of years.

And by something I don't refer to even more fearmongering and buy our products type of messages, rather real user education (for end-users, IT professionals and C level executives) and cooperation.

I'm getting old or something, because I seem to rant more an more. Much of this text is contained in an e-mai sent to the .NET Rocks podcast regarding their OOXML show, but I thought it might be interesting to publish it here to clarify my views on IP, OSS, the universe and everything :-)

Two more things I would like to say before I get into the rant: .NET Rocks is great, great show. Just listen to this episode about good UI design if you want to get a taste. Also, here is a (somewhat) related article on the artima weblog about why one does Open Source development which are agree with whole heartedly. One thing I would like to add (to the artima article): if your company uses OSS and you discover a bug, contributing the patch back means that you (hopefully) don't have to re-fix the bug when you decide to upgrade to a new version.

<rant on>

I have a love-hate relationship with Microsoft (and by extension other things related to the MS Universe like Windows or your show) and the last podcast (Politics of OOXML) definitely pushed it towards the hate side of it. Please, please for sake of all that is good and beautiful in this world, stick to tech-topics and leave the politics out. While I believe that everybody should have a right to express her or his opinion, one-sided discussions like the one from the podcast make me want to yell very loudly at least.

Your guest was possibly the worst person to discuss this issue, because he is (from what I can tell from the bio) a tech-journalist (ok, he dabbled in SmallTalk, but that doesn't make him a technical person). IT has many, many intricacies which people who think they understand very often get wrong. Also, he is a member of Association for Competitive Technology which sound nice, but who pays his salary? You don't know (or didn't tell on the show!). If you visit the site of ACT and you click on the Members link, it tells you how to become a member not who the members footing the bill are! But still I would hazard a guess and say that MS is a member.

Later correction: I managed to find the member list (thanks to Google, no thanks to the site!) here: http://www.actonline.org/na/about/members.html, and surprise-surprise Microsoft is a member while Sun and IBM are not. How can you even think that a person who is payed by MS but still pretends to be independent (because he doesn't disclose his relationship with Microsoft) can give a balanced and at least somewhat accurate view of the issues? Its worse than having a MS PR person on, because there at least the bias is clear (although you couldn't miss that in the interview either. the three of you giggling together: the EU fining MS x dollars, what's that about? - it's about wanting to do business in the EU). He was a wolf in a sheep's clothing (hope I got the expression right).

Your whole discussion revolved around bashing other companies and putting MS up on the pedestal. All that was missing was the three of you singing "MS can do no wrong!". Lets face it, public companies (like MS) are motivated by the profit and will do anything for the profit (thats not saying that other companies are better, it's just saying that they are no worse). And make no mistake, Bills philanthropic (although great) effort don't change that. He gives that money from his own personal stash. MS could never give that kind of money, because its shareholders would hang the management! (or fire them at least).

And finally, your discussion about Imaginary Property! This is one of my hot-button issues (recently I wanted to yell at Charles of Channel 9 when he was interviewing Miguel de Icaza and ask something along the line of "but doesn't MS have to protect its intellectual property?"). IP is basic misunderstanding of lawyers and economists the way the scientific process works. (I've heard a story which I think describes this well, stating that the e-mail is a very good reflection of the scientific process, where you can quote other people - when replying - and you can argue their points one by one and if it would have been invented by lawyers you wouldn't be able to do that because "it infringes on copyright"). To get back, there is no such things as IP! It is an expression meant to confuse the issue by lumping three different things into one category and then making the argument "if A is IP and we agree that A needs protection, then IP needs protection and B (because it's IP) needs protection". To get a little more concrete, the three things are:

1. Trademarks - which are reasonable to enforce to avoid confusion and counterfeiting.
2. Copyright - again, reasonable as a principle, not reasonable as the length of the protection (90+ years - but hey, I like Mozart :))
3. Patents - this is the most dubious one, especially in the area of software patents. The naive argument (again, I have to mention Charles who - in a recent interview, sorry for not remembering which - said something along the lines "you have many patent cubes, that is great") is that I got this idea, I should be able to profit from this. The two (very convincing in my opinion) counterarguments are: you can already profit from it by implementing it and selling the implementation! (which - the implementation - is protected by copyright!). Also, there aren't an original ideas. I claim that nobody has came up with something from nothing. Every algorithm, idea, and so on is an extension of an existing idea with some addition, or a combination of multiple ideas from different fields and so on. (Computer) Science doesn't advance by "pure genius", it advances by building on the work of others (as Einstein said: "science is 1% inspiration and 99% work").

Imagine what would happen if some of the most fundamental ideas (like linked lists) would be patented. You might say but this is elementary, you can't patent this. Making abstraction from the fact that it seems these days that you can patent anything, here is a better example: b-trees. They are fundamental, can be found in every CS textbook, but are by no means "simple", "intuitive" or "elementary" until you studied them. Patenting them would have meant the death of modern databases, because it is the fundamental algorithm for indexing.

So keep in mind: every time you perpetuate the myth of Immaginary Property, an SQL Server dies!

As you can see, making the argument that trademarks must be protected, trademarks are IP, thus IP must be protected and thus patents should also be protected is a fallacy at best and sneaky and malicious at worst!

Sidenote: there is one more concept which sometimes gets lumped in the category of IP: trade secrets.

PS: You mentioned that people complained that the MS standard document (with recards to the MS Office file formats) was too detailed. I don't know who you were referring to, but (AFAIK) the general consensus seems to be that MS provides too little or too vague descriptions and many descriptions are inherently bound to its products (something along the line: if this field is set, rendering shall be done the way MS Word 6.0 did it, but failing to speficfy how actually MS Word 6.0 did it)

<rant off>

If you want to get more details, you can watch the video below from patent attorney Stephan Kinsella (found it via Slashdot / Techdirt). The actual sessions is about half an hour long, the rest are question and answers. For more interesting and insightful articles, check out all the articles tagged on techdirt with IP.

Via the Hacker Webzine blog (yes, I'm challenging all the security gods by linking to the blog which social engineered people in giving their passwords just for fun - so take care):

The Interesting Hacks To Fascinate People: The MIT Gallery of Hacks

Also on that page I found the engineers drinking song:

Lyrics can be found here

Recently I discussed using EFS as a simple, yet reliable, form of file encryption. Among the doubts raised was the following from an article by fellow MVP Deb Shinder on EFS:

EFS generates a self-signed certificate. However, there are problems inherent in using self-signed certificates:

• Unlike a certificate issued by a trusted third party (CA), a self-signed certificate signifies only self-trust. It’s sort of like relying on an ID card created by its bearer, rather than a government-issued card. Since encrypted files aren’t shared with anyone else, this isn’t really as much of a problem as it might at first appear, but it’s not the only problem.
• If the self-signed certificate’s key becomes corrupted or gets deleted, the files that have been encrypted with it can’t be decrypted. The user can’t request a new certificate as he could do with a CA.

Well, she's right, but that only really gives a part of the picture, and it verges on out-and-out recommending that self-signed certificates are completely untrustworthy. Certainly that's how self-signed certificates are often viewed.

Let's take the second item first, shall we?

"Request a new certificate" isn't quite as simple as all that. If the user has deleted, or corrupted, the private key, and didn't save a copy, then requesting a new certificate will merely allow the user to encrypt new files, and won't let them recover old files. [The exception is, of course, if you use something called "Key Recovery" at your certificate authority (CA) - but that's effectively an automated "save a copy".]

Even renewing a certificate changes its thumbprint, so to decrypt your old EFS-encrypted files, you should keep your old EFS certificates and private keys around, or use CIPHER to re-encrypt with current certificates.

So, the second point is dependent on whether the CA has set up Key Recovery - this isn't a problem if you make a copy of your certificate and private key, onto removable storage. And keep it very carefully stored away.

As to the first point - you (or rather, your computer) already trust dozens of self-signed certificates. Without them, Windows Update would not work, nor would many of the secured web sites that you use on a regular basis.

Whuh?

Hey, look - they've all got the same thing in "Issued To" as they have in "Issued By"!

Yes, that's right - every single "Trusted Root" certificate is self-signed!

If you're new to PKI and cryptography, that's going to seem weird - but a moment's thought should set you at rest.

Every certificate must be signed. There must be a "first certificate" in any chain of signed certificates, and if that "first certificate" is signed by anyone other than itself, then it's not the first certificate. QED.

The reason we trust any non-root certificate is that we trust the issuer to choose to sign only those certificates whose identity can be validated according to their policy.

So, if we can't trust these trusted roots because of who they're signed by, why should we trust them?

The reason we trust self-signed certificates is that we have a reason to trust them - and that reason is outside of the certificate and its signature. The majority (perhaps all) of the certificates in your Trusted Root Certificate Store come from Microsoft - they didn't originate there, but they were distributed by Microsoft along with the operating system, and updates to the operating system.

You trusted the operating system's original install disks implicitly, and that trust is where the trust for the Trusted Root certificates is rooted. That's a trust outside of the certificate chains themselves.

So, based on that logic, you can trust the self-signed certificates that EFS issues in the absence of a CA, only if there is something outside of the certificate itself that you trust.

What could that be?

For me, it's simple - I trust the operating system to generate the certificate, and I trust my operational processes that keep the private key associated with the EFS certificate secure.

There are other reasons to be concerned about using the self-signed EFS certificates that are generated in the absence of a CA, though, and I'll address those in the next post on this topic.

There’s no breathing easy when it comes to online security these days. As some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites.

Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program. In the past, some of these compromised sites were found to have been riddled with “phake pharma” and porn comment spam, while others were seen to be previously defaced by underground hackers. Advanced Threats Researcher Alice Decker have seen infections relating to this malicious script as early as February this year.

This compromise is almost similar to the mass compromises that we’ve seen earlier — visiting a compromised site leads to a series of redirections, which eventually causes the downloading of malware. In this case, TROJ_ZLOB.CCW is on the tail-end. In true ZLOB fashion, this variant poses as a video codec installer:

Sure, this one is not at all tricky, since we’ve seen our share of ZLOB variants posing as video codecs before. However, consider that this specific variant tries to lure users into installing the codec by presenting itself as being necessary to view porn:

Who wouldn’t want free porn? Unfortunately users expecting explicit videos will instead get a slew of Trojans detected as the following:

• TROJ_DNSCHANG.CS
• TROJ_ALUREON.AE
• TROJ_ALUREON.AH
• TROJ_ALUREON.AI

These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.

Trend Micro Web Threat Protection already prevents access to the malicious URLs. And as always, users are advised to display extra caution when browsing Web sites, and ensure their security software is up to date.

Our researchers are continuing to investigate this case. We will be posting updates on this compromise as more information becomes available.

Consolidated findings of the Advanced Threats Research, Escalation, and Threat Respone teams at TrendLabs

ShareThis

Phew! The rumours were untrue. Diageo will not be closing down the Guinness brewery in Dublin 8, and will continue brewing the black stuff in Dublin 8, thankfully:

Diageo is to close its breweries at Kilkenny and Dundalk, significantly reduce its brewing capacity at St James’s Gate and build a new brewery on the outskirts of Dublin under a plan announced today.

The company said it would invest EUR 650 million (£520 million) between 2009 and 2013 in the restructuring.

The renovation of the St James’s Gate brewing operations is expected to cost around EUR 70 million and will see the volume of Guinness brewed there fall from around one billion pints a year, to just over 500 million.

This plant will serve the Irish and British markets and will be based on the Thomas St side of the site. The company said this would ensure that every pint of Guinness sold in Ireland would be brewed here. Approximately half of the 55 acre site will then be sold once the five-year project is complete.

Around 65 staff will remain in brewing operations at St James’s Gate with about 100 others due to transfer to the new Dublin plant. Although the company has yet to announce the exact location of its new brewery, the company says it will have a capacity of around nine million hectolitres, or around three times that of the refurbished St James’s Gate site. This new brewery will produce Guinness for export and ales and lagers for the Irish market.

Diageo said when the two Dublin breweries are fully operational in five years time it will transfer brewing out of the Kilkenny and Dundalk breweries and close these plants. This move will result in ‘a net reduction in staff of around 250′, the company said.

The company employs 800 people in its brewing operation and a total of 2,500 in the Republic and Northern Ireland.

Diageo said these two plants “do not have the scale necessary for sustained success in increasingly competitive market conditions”.

The company said it would offer those employees relocation opportunities where possible. Those for whom relocation is not possible will be offered “a severance package alongside career counselling”.

Operations at its Waterford brewery will be “streamlined” as part of the re-organisation leading to “some reduction in output”. the current workforce of 27 in Waterford would be reduced to ‘around 18′ but Diageo was unable to confirm the extent of the output reduction.

The company says the St James’s Gate site it proposes to sell and the Kilkenny and Dundalk sites have an estimated value of EUR 510 million.

The Guinness Storehouse, which receives around 900,000 visitors a year, will continue to be based at St. James’s Gate.

The company estimates it will incur one-off costs of EUR 152 million during the restructuring and says this would be treated as an exceptional cost in the fiscal year ending in June 2008.

Paul Walsh, chief executive of Diageo said: ‘Over the last twelve months we have conducted a rigorous review of our brewing operations in Ireland. It examined many options and I believe it has identified the right formula for the long-term success of our business in Ireland and for the continued global success of the Guinness brand.’

“Our ambition is to combine the most modern brewing standards with almost 300 years of brewing tradition, craft and heritage.”

Guinness has been brewed at St James’s Gate for almost 250 years. Guinness extract produced at the Dublin site is exported to more than 45 countries.

Just stumbled onto a DDOS bot written in java. Usually there aren’t too many malicious programs for java so I decided to take a closer look. The code quality is about as bad as in the previous entry that depicted the PHP DDoS Bot, but I think the java version has more potential to grow into a problem. (more…)

Every so often I run into some new evil that interests me enough to take a deeper peek. This time a DDOS bot written in PHP caught my eye. I haven’t seen this in the wild anywhere, but it’s still quite interesting. (more…)

• How did the TJX data breach happen? Part 1: Anatomy
• Data Classification Is Dead | securosis.com
• The legal implications of the PCI data security standard - SC Magazine US

As I have mentioned in other posts (Retro-bundling - another suck of the Apple, MacBook Air debuts; iTunes Pesters Me Again, Removing Apple Mobile Device Support, I didn't want iTunes - now I've got iPod, too?, etc, etc), this has long since stopped being an issue for me, because I've removed all the Apple software from my machine as a bit of a protest against Apple's inability or unwillingness to provide me the means to manage my own systems.

Now, I understand that Apple has finally heard some of the complaints from various blogs around the world, and has done something about it.

They have separated the updates from the new software. The new dialog looks like this:

But it still marks the new software by default to be installed.

This is the behaviour that is wrong - okay, so it's now clear as to the difference between an update and a new software, but the key again is that Apple is marking new software for installation from an update tool.

An update tool should be a piece of software that most users say "yes, do whatever", and that doesn't then cause significant additions to the software. By automatically checking new software, Apple is eroding the trust that users will have in the update tool.

Again, I don't mind that they're encouraging users to install Safari - I don't even mind them spending time persuading their existing install base to use it. What I'm perplexed at is that Apple feels that they have to slide it in under the door, rather than sell it to users on its own merits.

And, yes, I'm quite well aware that you could also say the same of any browser that ships with an operating system - except, really, you've got to have a browser shipping in your operating system these days. Yeah, the guys who ship the operating system have an advantage - and they worked hard to build that advantage in the first place. They have a certain momentum behind anything they offer, and even if the system is as open and transparent to all application vendors as it is to the OS vendor, the default installed applications will generally have a larger market share than the 'after-market' tools, just because of users' inertia.

[Note that the paragraph above applies to Apple / Mac / Safari, just as well as it does to Microsoft / Windows / Internet Explorer]

However, I don't think that users' inertia is a cause for sleight-of-hand tactics like retro-bundling.

Five hours into their assault on West Point, the hackers got serious.

The SQL [structured query language] inserts that came earlier were just pablum intended to lull the Army cadets into a false sense of security. But then the bad guys unleashed a stealthy kernel-level rootkit that burrowed into one workstation, started scraping data and "calling home."

It was a highly sophisticated attack, but this time the bad guys were really good guys in wolves' clothing.

For four days in late April, the National Security Agency -- the nation's most secretive repository of spooks, snoops and electronic eavesdroppers -- directed coordinated assaults on custom-built networks at seven of the nation's military academies, including West Point, the Army university 50 miles north of New York City.

It was all part of the seventh annual Cyber Defense Exercise, a training event for future military IT specialists. The exercise offered a rare window into the NSA's toolkit for infiltrating, corrupting or destroying computer networks.

The 34 Army cadets comprising the West Point IT team operated in a different kind of battlefield, but their combat skills and instincts need to be every bit as sharp. Like George Washington said: "There is nothing so likely to produce peace as to be well prepared to meet the enemy."

The SQL injections, targeting their Fedora Core 8 Web server, were a piece of cake for these IT combatants. Each injection tried to smuggle malicious code inside the seemingly harmless language used by the network’s MySQL software. The cadets handily defended with open source Apache web server modules, plus some manual tweaking of the SQL database to "avoid any surprises," in the words of Lt Col. Joe Adams, a West Point instructor who helped coach the team.

But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home" the cadets launched Sysinternal's security software to find the hijacker, then they manually scoured the workstation to find the unwelcome executable file.

Then they terminated it. With extreme prejudice.

"This was probably the most challenging part of the exercise, since it required them to use some advanced techniques to find the rootkit," Adams says. And rooting it out helped boost the West Point team to the top of the pile when, in the aftermath of the exercise, the referees rated all the universities' network defenses.

For the second year in a row, the Army placed first over the Navy, Air Force, Coast Guard and others, winning geek bragging rights and the privilege of holding onto a gaudy, 60-pound brass trophy festooned with bald eagles and American flags. Adams credits the team’s thorough preparation and their excellent teamwork despite the round-the-clock schedule.

At the network control room on the second floor of West Point’s 200-year-old engineering building (which once was an indoor horse corral and still smells like it in some remote corners, according to one instructor), the IT team set up cots and, just for the hell of it, camouflaged netting. They worked in shifts, with one team member always monitoring incoming and outgoing traffic. He or she would alert other cadets -- "router guys" -- to block any suspicious addresses. Meanwhile, off-shift cadets would make food and coffee runs to keep everyone fueled up and alert. Together, the team was "faster than anyone else," Adams says.

But the way the cadets designed their network was a big factor in their victory, too. The NSA dictated some terms: All networks had to be capable of e-mail, chat and other services and had to be up and running at all times despite any attacks or defensive measures. Beyond that, the teams were free to come up with their own designs.

West Point's took three weeks to build. The cadets settled on a fairly standard Linux and FreeBSD-based network with advanced routing techniques for steering incoming traffic in directions of the IT team's choosing.

The choices in software tools for responding to any attack really boiled down to "automatic" versus "custom," says Eric Dean, a civilian programmer and instructor. He adds that while automatic tools that do most of their own work are certainly easier, custom tools that allow more manual tweaking are more effective. "I expect one of the 'lessons learned' will be the use of custom tools instead of automatics."

Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones.

"One of the challenges was when they see a scan, deciding if this is it, or if it’s a cover," says Dean. Spotting "cover" attacks meant thinking like the NSA -- something Dean says the cadets did quite well. "I was surprised at their creativity."

Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network.

And despite the relative sophistication of the NSA's assaults, the agency told Wired.com that it had tailored its attacks to be just "a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones."

In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.

Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3.

We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerablility affects not only verion 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request, it can be a simple request like “GET /index.php/aa HTTP/1.1″ . Successful exploitation of this can result in arbitrary code execution with the privileges of the WEB Server.

This happens because the author misplaced the bracket resulting in miscalculation of the buffer which can result in a heap overflow. So fixing this issue is also simple viz: In \sapi\cgi\cgi-man.c do a grep for: “ptlen + env_path_info ? strlen(env_path_info) : 0;” , and replace this with “ptlen + (env_path_info ? strlen(env_path_info) : 0); ”

This is one of the classic examples of small human errors (which can sometime be even typos) that can result in vulnerabilities.

We had reported this issue to PHP dev team almost immediately after we had come to know about this issue in the wild and they’ve just come out with a patch for this. We highly recommend users to update with the latest version of PHP 5.2.6 released . This patch besides this issue, fixes a host of other security related fixes, some of which we deem as critical. This specific issue affects FastCGI packages of PHP.

This issue has been given the identifier CVE-2008-0599.

We shall continue to monitor this threat and update if we come across anything malicious.

In a variety of colors.

EDITED TO ADD (4/10): Link fixed.

Last month I gave a talk at InfoSecurity Europe in London. The title was "Reconceptualizing Security," or maybe "The Theater of Security," and it is a follow-on to my work on the psychology of security. I haven't yet written this work up, but you can listen to or watch my talk.