The lighter side of every problem…Debian OpenSSL

In the aftermath of the Debian SSH Keys issue, at least there’s a lighter side…

xkcd - Security Holes

There’s some good analysis, predictable PRNG toys and more funny pictures from HD Moore.

May 18th, 2008
By Joe | filed under Security | No Comments »

Metasploit Auxiliary Simple HTTP Get and Post

This auxiliary module for Metasploit does a simple HTTP GET or POST and returns the result, be it a file and error - whatever!

Get it here: Metasploit Simple HTTP

Rename the file to .rb and install in the aux directory of your Metasploit installation.

If you need a PUT example, Carnal0wnage has a good module on his blog.

February 28th, 2008
By Joe | filed under Security, Tools | No Comments »

Paros User-Agent Removal

Paros is a great little tool, however it can leave traces of its use due to an altered User-Agent header. (Adding Paros/x.x.x at the end of the UA, where x is the version). This can lead to problems some of which, including this fix, are detailed at Security Ripcord and Armor.

To remove this download the source and edit line 80 of Constant.java from

public static final String USER_AGENT = PROGRAM_NAME + “/” + PROGRAM_VERSION;

to

public static final String USER_AGENT = “”;

and recompile.

This should remove the obvious traces!

February 28th, 2008
By Joe | filed under Security, Tools | No Comments »

PinSentry, same old problems?

I received my PinSentry from a certain UK High Street bank today, and so far I don’t see where it’s going. This device, produced by Gemalto (http://www.gemalto.com//press/archives/2007/04-18-2007-Barclays.pdf) allows two factor authentication using a customers ‘Chip and Pin’ card.

This doesn’t really change anything as the numbers generated by the device (at least in identify mode) can be created one by one offline, written down and then later used sequentially. I’ve seen enough people with pin numbers on Post-It’s attached to their cards to know that it won’t be long before the notes also contains PinSentry numbers. FaultyFlipper has some good discussion of peoples feelings towards the devices as well as the reasons it may have been introduced.

I’ve had a quick look at the numbers generated, and they seem to follow a sequential pattern of random increments. A very quick phase-space analysis of one hundred numbers from the device shows no discernable patterns, but more numbers are needed to carry this out thoroughly.

If anyone is interested in sample output from the device, I can supply the numbers I have used for testing. Likewise if you’d like to supply me with some numbers (and not any personal details) let me know.

December 23rd, 2007
By Joe | filed under Security | No Comments »