More control over baddies: PHPIDS and WordPress

A few weeks ago I stumbled on the PHPIDS project (most likely via PenTestIT). It seemed like a pretty cool idea; I mean, who doesn't love more logs? And I've been receiving quite a few spam messages despite my attempts to add spam-catching plugins and CAPTCHAs, though I've tried to maintain usability by not requiring registration. So perhaps PHPIDS can help me understand my baddies a bit better.

Read More

Exploring recent PDF exploits: A Time Killer

Over the past few months I've seen numerous articles and CVEs on Adobe Reader and its vulnerabilities. It seems like every day I wake up to a new discussion on how to launch some bit of JavaScript or run application xyz. Well, I've also been seeing many attempts to exploit old vulnerabilities (usually by correlating suspicious domains to sets of drive-by-download PDF files, thanks to a short script by my friend Dave). Either way, this last week the number of malicious PDFs increased. So I decided to take some apart and familiarize myself with the different vulnerabilities and how JavaScript played a role. All the information I found had already been documented (and I'll try my best to link to those discoveries), but I want to walk through my investigation and maybe turn over a few overlooked rocks.

Read More

Web Security: Practicing what you, I, Preach

Everyone loves to make their own web apps, and it's very common for senior computer security undergraduates to design a web app for their capstone project. A couple of weeks ago some friends of mine were finishing theirs and asked me to take a look. Like everyone else interested in infosec, I instantly turned to input validation with a bit of header manipulation; I'd say it's common for most infosec students to do the same. It's ironic that I am still hosting legacy web apps (that I've built) which have not gone through similar critiques. Like most others, I designed them a while back, they worked, and I was proud; so I called them complete and moved on.

Read More

Dual VPNing and why ICMP is a Friend

The security lab I've been developing is located on my university's campus network. If I want to work from home (which I did this week), I need to VPN onto campus. If I then want to work within the security lab, I need to VPN onto the lab. I call this dual VPNing! For both VPN connections I opt out of using the VPN as my gateway. So essentially I use the campus VPN for a secured connection to my security lab VPN server, then the security lab VPN to reach the lab NAT. This leaves my innocent laptop with quite a large routing table, but she's a trooper and doesn't complain.

Read More

Fun with Network Forensics: Discovering a Rogue Bridge

This is a short write-up on some interesting things I found while completing a midterm project for a Network Forensics class I took last year. My network forensics group decided to map the traffic for contemporary Windows-based denial-of-service vulnerabilities. Our project used a live network of volunteer hosts connected to the university network, with NetFlow data collected by Flow Tools. While searching for possible exploits I found a hidden network bridge. The bridge used a non-human host registered to a roaming port in a networking closet. The host was eventually found to run a rogue process which proxied connections from an external residence onto campus. A malicious user could have used this bridge to proxy requests from their home through the university.
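The relay pattern described above, a campus host that accepts connections from off campus and immediately opens connections to other campus hosts, can be picked out of NetFlow records by correlating inbound and outbound flows per host. The following is an added example and not the class project's code; the campus prefix (10.0.0.0/8), the flow record layout and the addresses in the sample are all constructed, and a real run would feed it the five-tuples exported by the university's collector.

```python
"""Flag a campus host that relays (proxies) external connections to other
campus hosts, from NetFlow-style records. Added example, not the class
project's code; addresses and prefixes below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the campus owns 10.0.0.0/8. A real run would use the
# university's public prefixes; the five-tuple fields are the same.
CAMPUS = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    start: int    # flow start, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int    # 6 = TCP
    nbytes: int


def parse_flows(text):
    """Parse lines of: start src dst sport dport proto bytes ('#' comments ok)."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        start, src, dst, sport, dport, proto, nbytes = line.split()
        flows.append(Flow(int(start), src, dst, int(sport), int(dport),
                          int(proto), int(nbytes)))
    return flows


def is_campus(addr):
    return ip_address(addr) in CAMPUS


def find_bridges(flows, window=5, min_pairs=3):
    """Return {host: [(external_src, campus_dst), ...]} for campus hosts where
    an inbound TCP flow from outside campus is followed within `window`
    seconds by an outbound flow from that host to another campus address.
    One coincidence is noise, so a host needs at least `min_pairs` pairs."""
    inbound = defaultdict(list)    # host -> [(start, external_src)]
    outbound = defaultdict(list)   # host -> [(start, campus_dst)]
    for f in flows:
        if f.proto != 6:
            continue
        if not is_campus(f.src) and is_campus(f.dst):
            inbound[f.dst].append((f.start, f.src))
        elif is_campus(f.src) and is_campus(f.dst) and f.src != f.dst:
            outbound[f.src].append((f.start, f.dst))

    suspects = {}
    for host, ins in inbound.items():
        pairs = [(ext, internal)
                 for t_in, ext in ins
                 for t_out, internal in outbound.get(host, [])
                 if 0 <= t_out - t_in <= window]
        if len(pairs) >= min_pairs:
            suspects[host] = pairs
    return suspects


# Constructed sample: 203.0.113.5 (an off-campus residence) talks to
# 10.20.30.40 on 8080, and each time 10.20.30.40 immediately opens a
# connection to a different campus host; the other rows are ordinary traffic.
SAMPLE_FLOWS = """
# start src            dst          sport dport proto bytes
1000  203.0.113.5    10.20.30.40  51000 8080  6 1200
1002  10.20.30.40    10.1.1.10    40001 80    6 900
1030  203.0.113.5    10.20.30.40  51001 8080  6 1500
1031  10.20.30.40    10.1.1.11    40002 443   6 4000
1060  203.0.113.5    10.20.30.40  51002 8080  6 800
1063  10.20.30.40    10.1.2.5     40003 22    6 2500
1100  198.51.100.9   10.20.30.41  33000 80    6 600    # outsider hitting a campus web server
1105  10.20.30.42    10.1.1.10    45000 80    6 700    # ordinary internal browsing
1200  10.20.30.40    10.1.1.10    40004 80    6 300    # outbound with no inbound trigger
"""

if __name__ == "__main__":
    for host, pairs in find_bridges(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible bridge {host}: {len(pairs)} relayed connections")
        for ext, internal in pairs:
            print(f"  {ext} -> {host} -> {internal}")
```

Only 10.20.30.40 is reported: 10.20.30.41 receives an outside connection but never turns around and opens one inward, and the lone outbound at t=1200 has no inbound trigger. The `window` and `min_pairs` thresholds are the knobs to tune against real traffic, where a busy web server will produce plenty of unrelated inbound/outbound coincidences.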

Read More

Virtual Security Lab: Architecture

Last month I wrote about my aspirations to create a virtual security lab for students on campus to use. Well, as of now the lab is up and running! It is comprised of four machines, each with two dual-core Xeon processors and 12 GB of RAM. One machine, acting as a file server, has 1 TB of storage on a RAID 10. The others have 500 GB of internal storage. Two machines run ESXi and act as hypervisors, one machine runs Windows 2008 as a management device, and the file server runs Openfiler.

Read More

Security talk at NYU cSplash

This weekend I gave a turbo-talk at NYU's Courant Splash!. cSplash is a math and science festival for high school students. I arrived at the event a bit early and spent some time talking to past teachers. I was really interested in whether the students were receptive to some of the advanced topics given in math and science. I had never given a presentation to high school students, so I wasn't sure if they'd participate. As it turns out, some of the students signed up for the festival themselves, as opposed to my misconception that their respective schools had registered them. (I wish I had been that motivated in high school.)

Read More

Virtual Security Lab using ESXi

I've been working on solving a very specific problem. I'd like to have access to a general security lab on campus so that I and a few friends can practice for a cybersecurity competition. The university has a great security lab; the only problem is, everyone loves using it and it has relatively strong physical security. Either way, a few students cannot walk in at 3:00 AM and start running attack scenarios. Go figure.

Read More

Proxied Email Addresses per-Application

Abstract: I wanted some mechanism in email such that I could tell how a person found my address. Since I post my email address to many web sites, I wanted a way to track which web sites knew which emails. So I wrote a small script which allowed me to make up email addresses on the fly and distribute them. When someone responded to one of those emails, the response would be analyzed and forwarded to my inbox with a reply-to address that would take the opposite route, so that my reply would be sent as the 'on-the-fly' email address.
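The mechanism described in the abstract, one alias per site with the reverse path encoded in the Reply-To, can be built in a few dozen lines. The following is an added example and not the post's own script. It goes one step beyond the description by stamping each alias with a truncated HMAC, so that a spammer who guesses the naming scheme cannot mint addresses that look like ours. The secret, the catch-all domain `example.org`, the inbox address and the sample message are all constructed for the example.

```python
"""Per-site throwaway addresses with a verifiable tag, forwarded to one inbox
with a Reply-To that routes the answer back out as the alias. Added example,
not the post's script; the secret, domain and inbox are constructed."""
import hashlib
import hmac
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

SECRET = b"rotate-me"              # assumption: kept outside the script in real use
DOMAIN = "example.org"             # assumption: catch-all domain the script receives for
INBOX = "me@inbox.example.org"     # assumption: where forwarded mail is delivered
TAG_LEN = 8                        # hex chars of the HMAC kept in the address


def _tag(label):
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(site):
    """Site name -> label.tag@DOMAIN; the tag binds the label to SECRET so a
    spammer cannot mint aliases that look like ours."""
    label = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{label}.{_tag(label)}@{DOMAIN}"


def parse_alias(addr):
    """Return the site label for a genuine alias, or None for a forged or
    mistyped one (wrong tag, wrong domain, junk local part)."""
    _, addr = parseaddr(addr)
    m = re.fullmatch(rf"([a-z0-9]+)\.([0-9a-f]{{{TAG_LEN}}})@{re.escape(DOMAIN)}",
                     addr.lower())
    if not m:
        return None
    label, tag = m.groups()
    return label if hmac.compare_digest(tag, _tag(label)) else None


def forward_inbound(raw):
    """Mail sent to an alias -> (site, message to deliver to INBOX), or (None, None)."""
    msg = message_from_string(raw)
    site = parse_alias(msg["To"] or "")
    if site is None:
        return None, None
    alias = make_alias(site)
    sender = parseaddr(msg["From"] or "")[1]
    fwd = EmailMessage()
    fwd["From"] = alias
    fwd["To"] = INBOX
    fwd["Subject"] = f"[{site}] {msg['Subject']}"
    # The Reply-To carries both the alias and the original sender (with '@'
    # encoded as '=') so a reply from INBOX can be turned around below.
    fwd["Reply-To"] = f"{alias.split('@')[0]}+{sender.replace('@', '=')}@{DOMAIN}"
    fwd["X-Alias-Site"] = site
    fwd.set_content(msg.get_payload())
    return site, fwd


def reverse_outbound(raw):
    """Reply from INBOX to a Reply-To built above -> message sent as the alias,
    or None if the address does not verify."""
    msg = message_from_string(raw)
    _, to = parseaddr(msg["To"] or "")
    local, _, domain = to.partition("@")
    alias_local, plus, enc_sender = local.partition("+")
    site = parse_alias(f"{alias_local}@{domain}")
    if domain != DOMAIN or not plus or site is None:
        return None
    out = EmailMessage()
    out["From"] = f"{alias_local}@{DOMAIN}"
    out["To"] = enc_sender.replace("=", "@")
    out["Subject"] = msg["Subject"]
    out.set_content(msg.get_payload())
    return out


# Constructed inbound message from a site that learned the 'exampleforum' alias.
SAMPLE_INBOUND = f"""From: Sales <sales@vendor.example>
To: {make_alias("ExampleForum")}
Subject: Special offer

Hello, we saw your post.
"""


def round_trip(inbound_raw):
    """Forward an inbound message, answer it from INBOX, reverse the answer."""
    site, fwd = forward_inbound(inbound_raw)
    if site is None:
        return None, None, None
    reply_raw = (f"From: {INBOX}\nTo: {fwd['Reply-To']}\n"
                 f"Subject: Re: {fwd['Subject']}\n\nNo thanks.\n")
    return site, fwd, reverse_outbound(reply_raw)
```

In a deployment the two functions would sit behind the MTA for `DOMAIN` (a catch-all alias piped to the script), with `forward_inbound` handing its result to the local delivery agent and `reverse_outbound` submitting its result for outbound delivery. The `=` encoding of the sender's `@` is the one weak spot: a sender whose local part itself contains `=` would be rewritten incorrectly, so a hardened version should percent-encode the sender instead.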
Read More