Tom's Journal

Subject:Large Credit Card Payment Processor Breach
Date & Time:Tue. Jan. 20, 2009 8:42pm
A large credit card breach was announced today, "coincidentally" coinciding with the Presidential Inauguration (the perfect day to announce something without people noticing). This is expected to be one of the largest breaches reported, possibly surpassing TJX. Heartland Payment Systems processes credit card transactions for more than 250,000 businesses, 40% of which are small to mid-sized restaurants around the country. There is a pretty good chance that at least one place you've used your credit card in the last year is one of their customers!

This is getting very little news coverage at the moment (near the bottom of nytimes.com, couldn't find it on the front page of cnn.com), so I'm helping spread the word! Here's a good article about it from Brian Krebs:

Payment Processor Breach May Be Largest Ever

Subject:Simple Privilege Escalation in Mac OS X
Date & Time:Sat. Jun. 21, 2008 5:00pm
It has recently been announced that there is a serious privilege escalation vulnerability in Mac OS X 10.5 (Leopard) and 10.4 (Tiger)! It is very simple and straightforward, and could easily be performed by anyone with physical access, or by any executable code a user runs (such as a Trojan); standard Installer packages, for example, contain pre- and post-install scripts. Also, if there is ever a vulnerability similar to the one in Safari a few years ago that allowed automatic execution of shell scripts by visiting a web page, then this would be completely automated just by...visiting a web page!

The following code demonstrates the vulnerability:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';


It should return "root", indicating that the command was executed as root, the most privileged user on any standard Unix system. The command "whoami" is what gets run as root, so you can just imagine the consequences of replacing it with something more malicious! The reason this vulnerability works is that "ARDAgent", the Apple Remote Desktop Agent, runs as setuid root, meaning that no matter which user runs it, it runs with root privileges. And apparently ARDAgent will accept any AppleScript commands, including the one above that tells it to run a shell script...oh, and apparently, so far, Apple has claimed that this is a non-issue, just like it originally did with the carpet-bombing vulnerability in Windows. Ironically, the same issue could presumably still be used in OS X to flood a user's Desktop or Downloads folder with files that look benign, but that when executed run as root and install malware...

It seems that changing the permissions on ARDAgent so that it doesn't run as setuid root resolves the vulnerability, but this may not stick in future updates or if repairing permissions...
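As an added example (not from the original post), here is a small Python audit for the mitigation just described: it lists every setuid file under a directory tree, clears the bit on a given binary, and can be re-run after an update or a permissions repair to confirm the bit has not come back. The scratch tree standing in for ARDAgent.app is constructed; no real system path is touched.

```python
import os
import stat
import tempfile

def setuid_owner_report(root):
    """Walk root and return {path: owner_uid} for every regular file with the
    setuid bit set. Symlinks are not followed (lstat), so a planted link
    cannot steer the audit somewhere else."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[p] = st.st_uid
    return found

def drop_setuid(path):
    """The mitigation the post describes: clear the setuid bit and return the
    resulting permission bits. Re-run setuid_owner_report() after OS updates
    or 'repair permissions', since either may restore the bit."""
    mode = os.lstat(path).st_mode
    os.chmod(path, stat.S_IMODE(mode) & ~stat.S_ISUID)
    return stat.S_IMODE(os.lstat(path).st_mode)

def demo():
    """Constructed demonstration: a scratch tree shaped like an .app bundle,
    with a placeholder 'ARDAgent' binary made setuid the way the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        macos_dir = os.path.join(tmp, "ARDAgent.app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        binary = os.path.join(macos_dir, "ARDAgent")
        with open(binary, "wb") as fh:
            fh.write(b"\x00")            # placeholder contents, not a real binary
        os.chmod(binary, 0o4755)         # setuid bit set (chmod after writing)
        before = setuid_owner_report(tmp)
        new_mode = drop_setuid(binary)
        after = setuid_owner_report(tmp)
        return len(before), new_mode, len(after)

if __name__ == "__main__":
    hits_before, mode, hits_after = demo()
    print(f"setuid files before: {hits_before}, mode after fix: {mode:o}, "
          f"setuid files after: {hits_after}")
```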

Read more about it here:
Serious Security Vulnerability In Apple OS X Leopard

Subject:Very Scary and Non-Descript Dialog
Date & Time:Sun. Mar. 23, 2008 7:30pm
Apparently Microsoft isn't the only company capable of popping up very scary sounding yet incredibly non-helpful error messages:

The wireless network appears to have been compromised and will be disabled for about a minute.

I have now seen this dialog pop up a few times while visiting my parents' house, without explanation. AirPort does get disabled for about a minute, like it says, but there is absolutely no documentation anywhere, either in Mac OS X's help pages or on the Apple website, that explains what it actually means. Googling around for it only comes up with people who are just as puzzled, though some have discovered the file the string comes from (and have associated it with WPA), and some people report having seen it in relation to a bug on iMacs that has since been patched. The only thing I can think of at this point is that it may have something to do with the wireless repeater I only recently set up to try to strengthen my dad's signal...maybe something about the way it rebroadcasts certain packets freaks out my Mac. I don't know...but in any case it's pretty interesting.

UPDATE (2008-11-30): Based on recent events and poking around that file more closely, I've determined that the dialog box is specifically triggered by MIC (Michael) failures, which could be indicative of a replay attack. In light of the current WPA vulnerabilities this is certainly a dialog to watch out for! It is actually part of the spec that MIC failures shut down the network for 60 seconds, so this isn't some random Mac thing. However, it would be nice if that dialog had some kind of more technical error code available without having to poke through the OS's strings. The code that triggers that dialog is "wpaIsFailureMIC", as well as "wpaIsReplayAttack", as seen in the file Localizable.strings (long path). As far as why I kept seeing this at my parents' house, it seems that the way the repeater was "repeating" (re-injecting) traffic was triggering MIC failures, which affected the whole house, not just me (I was just the only one to see an error dialog).

Subject:Sponsored Groups Adding Hidden Apps Without Permission?
Date & Time:Tue. Feb. 5, 2008 4:29am
In case you didn't know, I am not a supporter of Facebook's third-party applications. I refuse to add any, and I specifically set my privacy settings so that apps can't get info about me, etc. Of course, every now and then they still do...I get a random invite, or see my name somewhere on a friend's page, or something or other. But this one is new.


Subject:FB Beacon Test
Date & Time:Thu. Nov. 22, 2007 3:38pm
Tom is testing how Facebook Beacon works. Please ignore this post. (c:=

Oh, and Happy Thanksgiving!

Subject:Very Useful Traffic Information
Date & Time:Sat. Nov. 17, 2007 4:39pm
Incidents (SMITHTOWN) L.I.E. (I-495) IN BOTH DIRECTIONS BETWEEN SUNKEN MEADOW STATE PKWY AND SUNKEN MEADOW STATE PKWY NO PROBLEMS TO REPORT

Subject:Quick and Informal Vista/UAC Review
Date & Time:Mon. May. 21, 2007 1:34am
Over the past few months I've tinkered with Vista a little bit off and on, mostly just to learn my way around and stuff. But yesterday, I decided that it would be a good idea to set up a quick test system and actually try to do things in it that I need to do in Windows...a lot of which is older software. It was actually a pretty mixed bag, of things I expected to not work working, things I expected to work not working, and all other combinations. But basically, as expected, Vista breaks legacy apps MUCH more than Windows XP did. In fact, most of the fairly old software that I still like to use from time to time (like older games) works fairly well in XP, but not in Vista. The old Monopoly CD-ROM, for example, performs really slowly when trying to play movies and stuff, but runs way too fast at all other times (especially the music). None of my audio editing software works right...Cool Edit Pro and the newer Adobe Audition versions all have the same problems, though I haven't tried 2.0 yet. It seems like they are processing the audio correctly, and it is mostly playing back correctly (as far as the audio goes), but the visual feedback is way off...like the timecode and the VU meters, all of which alternate between freezing and jumping all over the place...basically it's unusable.

And then there's User Account Control (UAC)...a VERY mixed bag. Generally I agree with and understand it in theory (it's actually really similar to security in Mac OS X, though most people wouldn't admit it), but the way it is implemented is pretty useless in many cases. Playing today I found it was actually slightly less useless than I thought, but it's still pretty bad. The main problem is that it is VERY non-descriptive about what it is asking you to authorize. Some of it is so bad that I decided to tell the story with screenshots!

UAC Screen Shots

Subject:This Week's Basic Algorithms Homework
Date & Time:Wed. Oct. 4, 2006 1:45pm
1. Sing Kodachrome in the shower. Loudly.

2. Root for the Yankees. Loudly.

3. Look at one of the bridges of New York.

4. (a) Do nothing in Washington Square Park.
    (b) Do it well.

5. (a) Come to classes on Monday, October 9.
    (b) Remember that there are no classes.
    (c) Do number 4 above.

Subject:EDGES at NYU
Date & Time:Sat. Feb. 25, 2006 10:49pm
Mood & Music:Mood: amused
Early in the week, I heard from Justin Paul's website that his show, EDGES, was being performed at NYU! Unfortunately I had already missed the first weekend, and it didn't look like I'd make the Friday performance. The site said that the last performance was today at 2:00pm, but there was a bit of confusion because when I got there the theater was all locked up and no one was there! I waited a few minutes, then thought maybe the theater was wrong, so I started wandering around to all the likely locations (Kimmel, Frederick Loewe)...eventually I went to the Black Box in the Steinhardt building, and some people there told me it was actually at 8:00pm!

It was an interesting experience...it was put on by "The Players' Club", which seems to be affiliated with the Department of Vocal Performance. They just put on Merrily We Roll Along a few months ago, so I recognized a few of the actors from that (ironically, Chris Fitzgerald (who directed Edges here) starred as Franklin Shepard, a role Justin also played our senior year in high school), and they are putting on Into the Woods at the end of March. But anyway...there were ten people in it (the original EDGES was written for four people), and each of them had approximately one song of their own, and they changed a few things to better accommodate a larger ensemble. They added a bit more acting, and attempted to demonstrate more of a relationship between some of the characters and songs (for example, they had Wylie lead straight into I Once Knew and had the guy seem to be singing about the girl who sang Wylie). They also had someone play the father in One Reason, and they made the second half of it a bit of a duet. They also did interesting things with the lighting and stuff, like during Be My Friend they had creepy lighting (and acted creepy) at the line about "looking at you when you don't even know". They also ran into the aisle toward the end of that song and actually knelt down next to aisles, grabbed people's hands and looked them in the eye...in the row in front of me one of the actors actually climbed/jumped into the row and practically pounced on the guy sitting in front of me! (I assume they knew each other...) I liked some of the actors better than others, but they were all really good. Overall, it was enjoyable, though you can never beat the original...(c;=

I stuck around for a few minutes after, but unfortunately I didn't have the nerve to talk to any of the actors and brag about knowing Justin Paul. I went by myself because no one I invited was able to make it, and I didn't have the nerve to invite any other people...

Subject:Safari/Mac OS X Vulnerability
Date & Time:Mon. Feb. 20, 2006 7:12pm
Mood & Music:Mood: okay
A new vulnerability has been announced in Safari that allows for automatic execution of shell scripts! In order to work automatically, one would need to have the setting to "Open 'safe' files after downloading" checked (which is set by default). With the setting checked, you could navigate to a website that downloads a seemingly safe ZIP file. Safari will automatically inflate the ZIP file, see the file inside is a "safe" file (such as a JPEG or a MOV), and automatically execute it. The problem is, this file could be a shell script with a missing or invalid "shebang line", which will trick Safari into thinking it's not a shell script, even though Mac OS X will still execute it. The ZIP file also contains metadata that tells Mac OS X that the enclosed file is to be launched with Terminal.app, even though the extension can be something like .jpg or .mov. Interesting to note is that Mac OS X picks the icon to use based on the extension, instead of based on what application the file will launch with.

This could lead to arbitrary code execution on your Mac, the scope of which depends on your setup. If you are running as a regular/limited user, the code should only be able to mess with your own files and settings (which is still very devastating). If you are running as an administrator, it could potentially mess with your applications (especially ones that are installed by drag and drop instead of with an authenticated installer). But it shouldn't be able to mess with system files without prompting for an administrator password, unless there is an unknown privilege escalation vulnerability...

The suggested action is to make sure the Safari setting to automatically open "safe" files is disabled. Also note that other browsers won't automatically execute the file enclosed within an archive, even if they are set to automatically open the archive itself. Of course, if you run the extracted file yourself it will still launch in Terminal, not in whatever program it looks like it will open in. But if you Get Info on the file, you will see that it is a Terminal.app file, so remember it is important to always be careful when launching files downloaded from the Internet, even if they seem safe...
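As an added example (not from the original post), here is a Python check that inspects an archive for the two things described above: an entry whose .jpg or .mov name does not match its leading bytes (plain text where an image or movie should be), and a Finder metadata sidecar, which is where a "launch with Terminal" binding can ride along regardless of the extension. The signature table and the `__MACOSX/._name` sidecar layout are my assumptions about Finder-created zips, and the sample archive is constructed in memory.

```python
import io
import zipfile

# Signatures for the "safe" types the post mentions (constructed table):
# JPEG starts with FF D8 FF; QuickTime atoms put their type at offset 4.
MAGIC = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide")],
}

def ext_of(name):
    """Lower-cased extension of the last path component, or ''."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""

def looks_like(ext, head):
    """True if the leading bytes match a known signature for ext."""
    return any(head[off:off + len(sig)] == sig for off, sig in MAGIC.get(ext, []))

def is_text(head):
    """True if every leading byte is printable ASCII or whitespace."""
    return bool(head) and all(32 <= b < 127 or b in (9, 10, 13) for b in head)

def scan_archive(zip_bytes):
    """Return (entry, finding) pairs for entries whose extension claims an
    image or movie but whose bytes say otherwise, and for AppleDouble
    sidecars (__MACOSX/._name) carrying Finder metadata for an entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            if name.startswith("__MACOSX/"):
                findings.append((name, "finder-metadata-sidecar"))
                continue
            ext = ext_of(name)
            if ext not in MAGIC:
                continue
            head = zf.read(name)[:16]
            if not looks_like(ext, head):
                # Plain text behind a .jpg/.mov name is the shebang-less
                # shell script case the post describes.
                tag = "content-mismatch:text" if is_text(head) else "content-mismatch"
                findings.append((name, tag))
    return findings

def build_sample():
    """Constructed archive: one genuine-looking JPEG, one 'movie' that is
    really script text, plus the sidecar a Finder-created zip would add."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        zf.writestr("clip.mov", b"echo not a movie\n")
        zf.writestr("__MACOSX/._clip.mov", b"\x00\x05\x16\x07" + b"\x00" * 20)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, finding in scan_archive(build_sample()):
        print(entry, finding)
```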

Here is the original advisory on the issue:
Apple Safari Browser Automatically Executes Shell Scripts

X-posted to macosx

Subject:One hand not talking to the other?
Date & Time:Fri. Dec. 30, 2005 2:40am
Mood & Music:Mood: amused
Norton AntiVirus: Delete will permanently remove the selected file(s) from your computer.  Deleted Security Risks will be backed up in Quarentine if you need to recover the file.  Do you want to continue?

Subject:Rootkits and DRM: Sony went too far
Date & Time:Tue. Nov. 1, 2005 3:09am
Mood & Music:Mood: cynical
Check out this blog post I found on yesterday's ISC diary:

Sony, Rootkits and Digital Rights Management Gone Too Far

Apparently new Sony CDs install a rootkit on your computer to make sure you don't copy the music? Talk about going too far...

This is scary stuff. I wouldn't recommend sticking any copy-protected CDs in your computer...

Subject:Webpage Updates
Date & Time:Thu. Oct. 20, 2005 2:53am
I made a lot of updates to my website today...I described most of them (as well as many updates I've made previously) on the main page, in the introduction.

One of the changes is showing the INFOCon...just in time for it to notify me that it's been raised to Yellow because of the Snort vulnerabilities. This is a long shot, but if any of you run Snort or Intrusion Detection Systems based on Snort, make sure you upgrade (to 2.4.3, or disable the 'bo' preprocessor) NOW! This flaw can be exploited with a single UDP packet to any port except 31337 (remember that Snort is an IDS, so it is listening to all traffic), and could lead to full system compromise since many Snort installations run as root. According to Kyle Haugsness at the Internet Storm Center, it doesn't take too long to write exploit code, and it is supposedly almost ready as a Metasploit plugin.

There is always a little irony (and danger) when Intrusion Detection Systems are vulnerable to such a potentially serious vulnerability...

Subject:Benny Tudino's
Date & Time:Sat. Oct. 15, 2005 6:47pm
Mood & Music:Mood: happy
At the suggestion of dirty_eskimo in the nyu community, I decided to take the PATH to Hoboken today and have some pizza at Benny Tudino's, which was voted as the best pizza in NJ by Zagat's in 2005. It has the largest pizza slices around...about a foot long and across (at the crust)! They come from 28" pies, apparently...and beyond the mere fact that the slices were HUGE, it really was amazing pizza! I think it is safe to say that it's the best pizza I've ever had in New Jersey, having spent a decent amount of time in various parts of it. Definitely got to find some friends willing to be dragged there...(c:=

For anyone who wants to find it, see this map. It's not too far from the PATH station...just head uptown (north) a bit, then west a bit to Washington St, and then keep walking until you find it...it will be on the left.

It was a pretty nice neighborhood too, and a nice ride on the PATH train, which I had never taken before. Not to mention that it's still only $1.50, cheaper than the subway!

Subject:Movin' Out
Date & Time:Thu. Jun. 30, 2005 12:15am
Mood & Music:Mood: tired
Movin' Out (the Broadway show based on the music of Billy Joel) was not exactly what I expected. Basically, there was a band led by a guy playing piano and singing, that played Billy Joel songs. Then there were actors who danced and stuff, but except for one scene there was no dialogue. So it felt more like a concert/revival than a Broadway musical.

In addition to my usual complaints about the seats being too tight, there was one other thing that bothered me a lot: the show was too loud! Now don't get me wrong...I loved the Billy Joel music, and I've been listening to it in the car. But the actual live show was WAY too loud. Loud enough that it made my ears hurt, and it made me want to go out to the lobby and listen from there. It even sounded almost over-modulated at times! As someone familiar with sound, and who knows a lot of people who do live sound reinforcement, I was a bit offended. It absolutely did not have to be THAT loud...between the pain in my ears and the pain in my legs, it was difficult to enjoy...

Subject:In Memory of Mr. Dauz
Date & Time:Fri. Jun. 17, 2005 1:42am
Mood & Music:Mood: sad
Mr. Dauz, a physical education teacher from Coleytown Middle School, passed away Wednesday night from lung cancer. I had him for special P.E. in middle school, and he was an amazing person. I loved his class, and would spend most of my mornings and study halls there. He made middle school much more enjoyable. I also met my friend Beau there, who is now one of my best friends. I know that he will be sorely missed by everyone at Coleytown.

Popular Coleytown Middle Teacher Douglas Dauz Dies After Brief Illness

Rest in peace.

Subject:Netscape 8 and Security
Date & Time:Fri. May. 20, 2005 3:11am
Mood & Music:Mood: tired
So earlier today (yesterday really), Netscape 8 was released. For those who don't know, Netscape 8 is based on Firefox, instead of Mozilla (Seamonkey), and, among other things, allows pages to be rendered either by Gecko or Trident (IE's rendering engine).

The funny thing is that the version they released was based on Firefox 1.0.3...meaning it didn't have the fixes contained in 1.0.4! Specifically, it was vulnerable to the two flaws which together allowed for arbitrary code execution from any site! People such as Ben Goodger talked about the JavaScript-related vulnerabilities, but I decided to try the IconURL vulnerability myself...the one that allows arbitrary code execution. At first it didn't seem to work, but I learned that this was because the original proof-of-concept code loads something from addons.mozilla.org, and (for some reason) Netscape ships with only update.mozilla.org on the whitelist. When I added addons.mozilla.org, the exploit worked perfectly! So if Netscape had added itself to the whitelist, it would have been a dangerous situation if they didn't fix this first!

Fortunately, less than 24 hours after the release, Netscape released 8.0.1 to fix these issues. I applaud the quick reaction, although this never should have happened in the first place...especially with all the claims about how it's "more secure than any other browser" and such! It was pretty ironic...

In fact, this brings me to the other funny thing about the release...when you visit netscape.com with any browser that isn't Netscape, you are presented with this full-page banner. Using the same tactics as ad and adware companies hardly seems reputable for a company promoting the "safest" browser...(c;=

Subject:Firefox/Mozilla Patches Available
Date & Time:Thu. May. 12, 2005 1:39am
Mood & Music:Mood: good
Firefox 1.0.4 and Mozilla 1.7.8 are now available. These new versions fix the critical vulnerabilities that were disclosed earlier in the week. Everyone should upgrade ASAP, especially Firefox users (since they suffer from both vulnerabilities)! For more information on the vulnerabilities, see Mozilla's security advisory on the issue, or one of my earlier posts here or in firefoxusers.

Subject:New Firefox Security Vulnerabilities
Date & Time:Mon. May. 9, 2005 12:13am
Mood & Music:Mood: okay
A set of new Firefox vulnerabilities has been publicly disclosed, unfortunately before a patch is available. Without going into too much technical detail, a flaw has been found in the handling of extension installation that allows arbitrary code to run on your system with the same privileges Firefox has. In order for this to work, the site would have to be in the whitelist (the list of sites allowed to install extensions), but another flaw allows a site to spoof itself as a site in the whitelist, such as Mozilla Update, and trigger the install from simply clicking on the page (not necessarily on a hyperlink or button). When used together, these flaws are serious. Proof of concept code exists, but I don't think there are any known malicious exploits yet.

A patch (Firefox 1.0.4) is expected soon, but in the meantime the best course of action is to disable sites from installing extensions. Mozilla Update has already taken steps to help mitigate this problem (by redirecting all traffic to do-not-add.mozilla.org), but it would still be a good idea to turn off software installation, especially if you've added other sites to the whitelist. This will not affect any extensions you already have installed; it will only prevent you from installing new ones.

To turn it off, go into Firefox Options/Preferences, to the "Web Features" page, and uncheck "Allow web sites to install software". (For those of you running trunk builds, it's the "Content" page.)

EDIT: Please be aware that this issue does affect ALL platforms, including Linux and Mac OS X, although there is some discussion as to whether or not it could affect *nix systems since executables would need to have execute permissions. And the actual malicious code that could seriously affect your system would most likely have to be OS-specific, although code that messes with Firefox itself probably wouldn't have to be.

If you want to see more information, see this MozillaZine article and this Secunia advisory.

Subject:Dasani
Date & Time:Mon. Apr. 18, 2005 1:38am
Mood & Music:Mood: annoyed
"Dasani: The water that makes your mouth water"

A pretty funny commercial, considering that Dasani does make your mouth water (due to the salt content)...

