-= NewOrder.box.sk Newsletter =-
supporting and strengthening the community

= ----------------------------------------------------------------------- =
| issue: 00001100                                       December 11, 2005 |
= ----------------------------------------------------------------------- =

The NewOrder Newsletter is published by the NewOrder staff with the help of
many contributors. To register and subscribe to this newsletter visit
http://neworder.box.sk

-[ 0x00 . Contents ]-------------------------------------------------------

0x01 Newsletter Intro
0x02 Site Update
     - Article Review
     - Project Update and Review
0x03 Security Review
     - Exploits and the Community
     - Oversized Filenames and the Windows Shell
     - CASsandra: Code AccesS Security AN aDministRAtor's intro
0x04 News Review
     - On Nessus
     - On OASIS
0x05 Box Talk
     - A Review of Juice.box.sk
     - In Search of the Overman
     - On the Community
0x06 NewOrder Extra
     - Data's Cryptographic Challenge
     - Resolution's Rant
     - Boycott Microsoft AntiSpyware
     - Some Kind of Perl Column
     - From the ToolBox
     - Introduction to SAN's and Possible Security Issues
     - 10,000 Monkeys and a Webpage
0x07 Newsletter Outro

-[ 0x01 . Newsletter Intro ]-----------------------------------------------

Welcome to the twelfth NewOrder Newsletter! In this issue we have some
exciting topics. In addition to our regular articles in the security review,
rattle shows us a new sleight of hand trick to hide files and stand__sure
introduces us to CASsandra. For the news junkies buli discusses the move by
Nessus away from Open Source and the recent drama with the Open Document
Format.

Also in the boxtalk section we have a pretty thought-provoking article by
zshzn wherein he takes us on a search for the Overman and cd gives us his view
on the community (Welcome back cd!). Finally, we have two great articles in
the extra section by Byte69 and izik (both regular contributors to our site).
We have all this plus our regular content (did I mention the new Perl
column?). We hope u enjoy it!

-[ 0x02 . Site Update ]----------------------------------------------------

---[ from Mirrorshades ]

1) Staff Changes

Since the last newsletter, we have had a few staff retire, and some new and
old staff members returning. Staff members Data, Skudd, and M4tt have
retired; we wish them well! Krellor began as a new staff member, and we have
welcomed cd, furcalor, Stand__sure and Noshankus back to the ranks.

2) New Forums

In response to the ever-changing types of questions showing up on the various
forums, NewOrder has added two new discussion forums. For the gearheads out
there, the Hardware forum gives you a place to discuss everything from
microprocessors to headphones. For everyone who visits the site, the
Suggestions and Feedback forum is your place to sound off! Got an idea for
making the site better? This forum is the place for you. While we are unable
to implement every single idea posted, do feel free to share and discuss your
ideas for improvement.

3) IRC

At long last, the official #neworder IRC channel is no more. There are a
number of reasons for this, but the primary reason is simply the lack of
useful content to be found there -- more often than not, the channel was just
full of people idling and not interacting at all. The staff felt that it would
be a more productive use of everyone's time and efforts to compile a list of
*useful* IRC channels that NewOrder members frequent, so that everyone can
benefit. Watch the site for more details!
---[ Article Review ]

Steganos Internet Anonym 2006
Reviews -> Software
By D3ltree on Nov 29 2005
In this article the author reviews the software Steganos Internet Anonym 2006,
the tool that 'turns you into a ghost on the internet'. He considers the
different features of this proxy tool and weighs its benefits and downfalls.

Introduction to Windows Sockets
Articles -> Programming
By krellor on Nov 22 2005
In this article the author provides a solid introduction to programming
Windows sockets in C. He explains how to code a client and server app,
thoroughly commenting on and demonstrating the process.

Solution to Crypto Challenge: NewsLetter 11
New Order Newsletter
By data on Nov 13 2005
In this article the author provides the solution to Data's Cryptographic
Challenge from Newsletter #11. We had intended to mention the first person to
get the challenge right when we provided the solution. Unfortunately, we never
received a correct answer! Remember to send your submissions for this
edition's challenge to us at NewOrder.Newsletter AT gmail.com.

Computer Flu Shot: A Potential Solution to Viruses
Views
By cronus on Oct 17 2005
In this article the author considers the problem of viruses and offers a
solution. In this discussion piece he advocates giving your computer a 'flu
shot' to prevent the possibility of infection or the spread of an infection.

Applications of CRCs to TMTO
Articles -> Security
By xxloginxx on Oct 14 2005
In this number-crunching article the author shows us how Cyclic Redundancy
Checks are used in a TMTO hash database. He explains the theory, demonstrates
the math and explains how it helps overcome the hurdle of size in a TMTO
database.

HOWTO: Bypass Email Filters
HOW-TO -> Windows
By s0journist on Oct 04 2005
In this article the author describes the importance of email in the office
place and common means of protecting this service. He goes on to describe how
one can use three common Windows tools to bypass most email filters.

Memory management by the Linux kernel: #2 inside the kernel
Articles -> Software
By Cereal on Aug 09 2005
In this article the author continues his discussion about memory management
by the Linux kernel. In it he explains how memory management is done inside
the kernel itself.

Stealing the Network: How to Own the Box
Reviews -> Books
By mirrorshades on Aug 08 2005
In this article mirrorshades reviews the book Stealing the Network: How to Own
the Box. He gives the book a positive review, highly recommending it to anyone
with an interest in security.

Hidden Users on Windows
Articles -> Security
By nabiy on Jul 31 2005
In this article the author documents the failure of the User Account Manager
in the Windows Control Panel to report interactive logins made with the
netapi. Test code was provided by the author and by stand__sure.

Reverse Engineering with LD_PRELOAD
Articles -> Security
By izik on Jul 10 2005
In this article the author discusses how the LD_PRELOAD feature can be useful
for reversing dynamically linked executables. The technique he describes
allows one to hijack functions, inject code and manipulate the application
flow.

Don't Idle in the Sunset!
Articles
By nabiy on Jul 03 2005
In this article the author discusses some of the impacts of the Patriot Act on
our community and our reaction to it. The problem of our apathy in this matter
is specifically addressed and we are encouraged to take action.

Memory management by the Linux kernel: #1 Outside the kernel
Articles -> Software
By Cereal on Jun 22 2005
In this article, the first in a series on the Linux kernel, the author
discusses how the Linux Kernel handles memory outside of the kernel. That is,
he discusses how it handles the data in the 'user-space' of the Linux system.
---[ Project Update and Review ]

Distroguide wiki
Project Leader: teddy
Homepage: http://distroguide.box.sk/
Description: The Distro Guide is a community project that pools information
about different distributions of Linux, whether it be for the novice user,
system administrator, or server admin.

Teddy's Comments: "With help from all you users out there, we hope to create a
comprehensive guide for Linux and BSD distributions that is also newb
friendly. Right now we are wiki'ing our brains out, slowly but surely building
a strong base for the major distros from RedHat, Slackware, Gentoo, and
Debian. Also, we have started to compile a long list of Linux software, from
text editors to graphic manipulators. Now we can't do this project alone, so
if you have experience with a certain distro, give us some info on it. We'll
gladly take the help, and it's a way to give back to the community that helped
you start out."

GData: An Online MD5 Hash Database
Project Leader: Gravix
Homepage: http://gdataonline.com
Description: GData was started by Gravix as just a project to kill time. It
started off as a collection of hashes from two dictionaries: TheArgon (albeit
cropped) and GDict (Gravix's personal dictionary). The hashes were set up in
patterns to allow for faster access times.

[ Update on Gizmo and Ghost . by izik ]

Both projects, Gizmo and Ghost, have been put on hold. I am currently working
on a couple of new ones, so they've really been put on the shelf and I can't
say that I have much more to add to them. I sure would have to get more
feedback (part of the reason I put them on hold for the first time) from the
users before adding any features or resuming development on them.

[ MD5 Reverse Lookup Database - 90GB and counting . by xxloginxx ]

I was asked if I'd include an update on the progress of a project I've been
spearheading for a little over a year with this publication of the
newsletter. Over the past year, the database character set has evolved quite
a bit, and a lot of new techniques have been developed. Here is a rough
timeline of the milestones.

October 2004   1-4 Length (aA?) database first put online.

December 2004  Added 5 Length (aA0) to the initial database.

January 2005   Size restrictions halted the next variation of the database
               from being published. Therefore, NullAck suggested a technique
               he calls "removing the filename from the file" that allowed the
               next variation to be finished.

March 2005     1-4 Length (aA0?), 5 Length (aA0), and 6 (a) database was put
               online. At 265.4GB, it would be the last variation unless new
               space reduction techniques could be found.

May 2005       The application of CRCs to TMTO was first developed and reduced
               the 1-6 length database to only 45GB. The database was also
               migrated back to a single table, which reduced filesystem
               overhead.

July 2005      The current building applications could no longer meet the
               speed requirements to build a large database in an acceptable
               amount of time, so the applications were transposed into C
               sources.

August 2005    1-5 Length (aA0?), 6 Length (aA0), 7 Length (a0), and 8-9
               Length (0) database was completed in 8 hours and put online. At
               ~90GB, it's the largest true TMTO database online, with the
               smallest size requirement.

November 2005  With over 80,000 queries made to the database in under two
               months, >50% have been broken.

With a 1 in 2 chance of breaking an MD5 hash in under .20, I'd have to say
I'm happy with the progress of the project overall. Despite a lot of growing
pains and dead ends, I'm relatively confident that the 8 Length - alpha
(lower) will be added within the next 2-3 months, which will likely boost the
effectiveness to over 90%. The database will likely be offline for a few weeks
because of abuse (over 50,000 queries made from 4 specific IPs). Once the
blacklist system is in place, it'll come back online.
If abuse is still out of hand, I'll make the database private, and you'll
have to login to access the search. It's lame that people would abuse such a
cool project by uncontrollably spamming it, but people are lame, so I'm not
surprised.

-[ 0x03 . Security Review ]------------------------------------------------

---[ Exploits and the Community . by xXloginXx ]

Without the existence of Microsoft's Internet Explorer, the joy of remotely
owning a machine with a different exploit every month would simply not exist.
The sad fact that Internet Explorer, Microsoft's flagship browser, is plagued
with security holes not only makes life easier for the more notorious of us,
but it is also helping the web browser industry evolve. As people became fed
up with pop-ups and the frequent hostile ActiveX controls, the populace began
to explore other options, in search of a browser that simply did what it was
supposed to do - browse the web - with as little fuss as possible, and in the
most simplistic manner possible. Other web browser projects began to get more
attention, which in turn led to more involvement, more testing, and better
production software.

But my belief is that all web browsers will go the way of IE unless they take
a different approach than Microsoft has chosen. The whole "Do what you've
always done, and you'll get what you've always gotten" folk tale holds some
ground in this matter. I think once browsers like Firefox and many others gain
popularity, the attention of hackers, not unlike ourselves, will be geared
toward these new contending web browsers. In the neverending quest of
curiously wanting to know everything about everything, we'll start to tinker
with the intimate code. And I have no doubt that we'll start seeing (or have
already seen) Firefox exploits trickling down the RSS feeds. But this is
inevitable; all code is written by humans, and is therefore essentially
flawed. People forget to sanitize variables, or simply overlook a small
function. And the frequency with which this occurs increases as the size of a
project grows.

I have already heard hardcore IE users slamming Firefox for having to update
around 7 times over its existence (1.0 - 1.7) because of bugs and small
exploits. And I've read reports about the frequency of exploits for Firefox
being higher than for IE. But when it comes down to it, does it really matter
how many exploits there were in the past for a specific browser, if the
current product is secure (relatively speaking, as you can never be 100%
"secure"), stable, and simply browses the web with ease and simplicity?

What it really boils down to for me, in order to use a web browser (with the
exception of usability and simplicity), is this: How fast is a patch released
after an exploit is published? If I like a product, I quite honestly will use
it forever, just as long as it does the job and is quickly patched. I don't
care about past exploits, etc, etc, as long as the latest version doesn't
suffer from them. I just want an up-to-date web browser that does what I want
and doesn't jeopardize my personal security when I'm online. I believe
Microsoft's main failure with IE is their inability to quickly respond to
threats, but this is changing, and IE 7.0 is starting to look appetizing
again. I will always use Firefox, but that doesn't mean IE 7.0 won't meet the
needs of everyone else. If Firefox falls into the unsupported category, I'll
probably go back to IE. That's the catch twenty-two of the web browser
industry. And who knows... anything can happen, so I'm not going to make
predictions.

Enough serious babbling, on to the good stuff.

// PHPbb 2.0.15 - makecmd() vulnerability

After PHPbb v2.0.10 was ravaged by Santy.A and its variants, everyone raced to
update, and Google made the smart move of blocking the proper queries to its
search engine to put a screeching halt on Santy's further propagation. On the
flip side, Google failed to block variations of the Santy.A query, such as:

    2.0.10 * 2004*2005 Powered By

So individuals like myself were happy that Santy.A was gone, but were even
more happy that no one was racing to update their PHPbb code because Google
had put a stop to the overwhelming threat. Thousands of PHPbb's still
vulnerable to the old exploit were out there. Finding them was the key, and
the above variant of the Santy.A query resulted in hundreds of pages of
results. Right after Google had announced the block, I tried my variation,
and grinned widely as it wasn't blocked. After a few months of wreaking havoc,
and making sure admins got the point (upgrade or get hacked), I began to see
the results page dwindle, and now trying to find a PHPbb that's running
v2.0.10 isn't so easy anymore. Which is good, due to the overwhelming amount
of trouble people not unlike myself had already caused. Now that the dust has
settled, it's safe to speak my mind on the subject.

Now, there still lies a vulnerability in 2.0.15, which has pretty much been
phased out by the time of this publication. It was the exact same syntax used
to exploit the unsanitized variable of 2.0.10, but used the makecmd() command
to bypass the sanitization. I've tested this exploit, and it only works under
extremely particular conditions. Out of say 30 - 40 tests, it only worked
once. And even then, the output wasn't echoed, so I couldn't read configs or
anything, just execute a python backdoor and then shell in. Which 99.9% of
scripties couldn't even fathom doing. So despite slipping under the radar, it
was patched in 2.0.16, and is now extinct.

URL: http://www.milw0rm.com/id.php?id=1080
URL: http://awarenetwork.org/home/.rants/06-29-2005.13.35/shag.py

---[ Oversized Filenames And The Windows Shell . by rattle ]

I was fuzzing IM file transfers with a friend and we had the idea to send a
file with a too long name, something larger than 255 chars (MAX_PATH).
It was not possible to create such a file with the explorer or the cmd shell
in Windows (both XP SP2 and Win2k3 SP1), so I decided to use raw Win32 API
calls to get around that. I recalled these few lines from the MSDN library:

    lpFileName
        Pointer to a null-terminated string that specifies the name of the
        object (file, pipe, mailslot, communications resource, disk device,
        console, or directory) to create or open.

        If *lpFileName is a path, there is a default string size limit of
        MAX_PATH characters. This limit is related to how the CreateFile
        function parses paths.

        Windows NT: You can use paths longer than MAX_PATH characters by
        calling the wide (W) version of CreateFile and prepending "\\?\" to
        the path. The "\\?\" tells the function to turn off path parsing.
        This lets you use paths that are nearly 32,000 Unicode characters
        long. However, each component in the path cannot be more than
        MAX_PATH characters long.
        [...]

32000 chars, huh? That sounds good to me. The IM fuzzing did not work out as
planned - but what happened in Windows when I created oversized files was ...
disturbing.

[1] [limitations]

The files I renamed to something that was 255 chars in length would become
pretty persistent fucks. Neither explorer.exe nor the cmd shell could remove,
rename, move or copy the oversized files at all. This was tested on WinXP SP2
and Win2003 SP1, with exactly the same result respectively. Neither of the 2
shells shipping with modern versions of Windows OS support oversized
filenames.

Even worse were oversized directories. Just like files, I could not
delete/copy/move/rename them at all. However, it gets even better. They could
not be searched, browsed, or enumerated in any way. There was absolutely no
way to determine the contents of an oversized directory by conventional
means. You always wanted a way to hide your data without crypt0? Easy! Just
use xmv (see [3]) to oversize-rename your porn folder and your mom will be
hopelessly lost!
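A detection-side counterpart to the hiding trick just described, added here as an example; it is not part of rattle's article or his tools. It walks a tree with the wide FindFirstFileW/FindNextFileW calls behind the "\\?\" prefix from the MSDN excerpt above, so entries the two shells cannot show are still enumerated, and reports every one whose full path reaches MAX_PATH. The class LongPathScan and the function Find-OversizedPath are names chosen for this example, and the root is assumed to be an absolute path.

```powershell
# Added example: scan a tree through the extended-length ("\\?\") Win32 API
# and report every entry whose full path is MAX_PATH (260) or longer, i.e.
# the entries explorer.exe and cmd.exe cannot list, delete or rename.
# LongPathScan is a name chosen for this example; the root must be an
# absolute path, because the "\\?\" prefix switches path normalisation off.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class LongPathScan
{
    public const int MAX_PATH = 260;
    const uint FILE_ATTRIBUTE_DIRECTORY     = 0x10;
    const uint FILE_ATTRIBUTE_REPARSE_POINT = 0x400;
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    // Unicode WIN32_FIND_DATAW. The three FILETIMEs are kept as uint pairs so
    // the sequential layout matches the native struct byte for byte.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WIN32_FIND_DATA
    {
        public uint dwFileAttributes;
        public uint ftCreationLow, ftCreationHigh;
        public uint ftLastAccessLow, ftLastAccessHigh;
        public uint ftLastWriteLow, ftLastWriteHigh;
        public uint nFileSizeHigh, nFileSizeLow;
        public uint dwReserved0, dwReserved1;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string cFileName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 14)]  public string cAlternateFileName;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstFileW(string lpFileName, out WIN32_FIND_DATA fd);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextFileW(IntPtr hFind, out WIN32_FIND_DATA fd);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr hFind);

    // The trick the MSDN excerpt describes: "\\?\" in front of the path turns
    // path parsing off, so the MAX_PATH limit no longer applies to the call.
    public static string Extended(string path)
    {
        return path.StartsWith(@"\\?\") ? path : @"\\?\" + path;
    }

    // Collect "DIR  <path>" / "FILE <path>" for every entry at or beyond MAX_PATH.
    public static List<string> FindOversized(string root)
    {
        var hits = new List<string>();
        Walk(Extended(root.TrimEnd('\\')), hits);
        return hits;
    }

    static void Walk(string dir, List<string> hits)
    {
        WIN32_FIND_DATA fd;
        IntPtr h = FindFirstFileW(dir + @"\*", out fd);
        if (h == INVALID_HANDLE_VALUE) return;          // access denied etc.: skip
        try
        {
            do
            {
                if (fd.cFileName == "." || fd.cFileName == "..") continue;
                string full  = dir + @"\" + fd.cFileName;
                bool isDir   = (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
                bool reparse = (fd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) != 0;
                // The length without the 4-character prefix is what the shells see.
                if (full.Length - 4 >= MAX_PATH)
                    hits.Add((isDir ? "DIR  " : "FILE ") + full.Substring(4));
                if (isDir && !reparse) Walk(full, hits);   // do not follow junctions
            } while (FindNextFileW(h, out fd));
        }
        finally { FindClose(h); }
    }
}
'@

function Find-OversizedPath {
    # Lists every file and directory under -Root that explorer.exe and cmd.exe
    # cannot handle because its full path reaches MAX_PATH.
    param([Parameter(Mandatory = $true)][string]$Root)
    [LongPathScan]::FindOversized($Root)
}

# %TEMP% is where the article expects such directories to be planted.
Find-OversizedPath -Root $env:TEMP
```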
\o/

Now which problems arise out of this?

- Trojans hiding in oversized directories somewhere on the PC, preferably in
  the %TEMP% directory. The oversized dir inside %TEMP% will never be deleted
  because it cannot be deleted by the Windows shell, and the trojan has very
  good chances to not be found in there.
- Trojans writing their logfiles or similar information to such locations.
- Reckless teenagers hiding away their pr0n from their parents and the world
  outside.

[2] [investigation]

I tinkered with the API a bit to investigate the extent of what is possible
and what is not. First and foremost, it is strictly impossible to set the
working directory of any process to some oversized directory. It is possible
to do all of the following, though (using the right API):

  ° create oversized files and directories
  ° move, copy, rename oversized files and directories
  ° delete oversized files and directories
  ° enumerate contents of an oversized directory

Thus, the flaw is clearly in explorer.exe and cmd.exe.

[3] [solution]

Since you might also want to tinker with this phenomenon a bit, I coded a
small set of commandline tools that can actually deal with oversized files
and directories:

  ° xmv : move files and directories
  ° xmd : create a directory
  ° xcp : copy files and directories
  ° xls : directory listing
  ° xec : execute a file
  ° xrm : remove files and directories
  ° xio : simple cat-like utility for in/output

Source code && binaries are available here:
http://awarenetwork.org/home/.rants/09-03-2005.12.45/

---[ CASsandra . by stand__sure ]

CASsandra: Code AccesS Security AN aDministRAtor's introduction

Target Audience: Microsoft Windows® users and administrators
Skill Level Required: Intermediate
Appreciation for Simple SIlly acroNyms: Essential

Introduction

The story of Odysseus tells us that it was the fate of Cassandra to always
presage a coming disaster but to be unable to avert it.
Many system administrators share a similar fate - they are able to predict
that something will happen to compromise a system under their watch, but are
generally unable to prevent it. Modern computer usage frequently downloads
and runs code from relatively unknown sources - code can be contained in
documents, in email messages, etc. Good security policy dictates that users
run with as few privileges as possible (often restricting access to files and
to registry keys). This is called "role-based security". There are problems
with the approach, however: even when running with restricted privileges, it
is still possible for personal information to be exposed, for a privilege
elevation to occur, for a bug to wreak havoc, for code to do things that are
unexpected, etc. Role-based security is not fool-proof. We can presage a
disaster at some point, yet cannot prevent it...

Enter "evidence-based security". With the advent of the .NET Framework,
Microsoft has introduced a new security mechanism - code-based security. It
is now possible to restrict applications based upon certain characteristics -
evidence. On a high level, code is mapped into "code groups" based upon
"evidence", and a permission set is associated with the code group.

Evidence

Evidence includes:

  * the application's installation directory,
  * a cryptographic hash of the assembly,
  * the site from which the assembly originates,
  * the cryptographic strong name of the assembly,
  * the URL from which the assembly originates (including the protocol
    prefix: http, https, ftp, etc.),
  * the zone from which the assembly originates (these are the same zones as
    found in msie), and
  * the digital signature of the assembly publisher.

On an administrative level, you choose which evidence is looked at as a
criterion for membership in code groups which you create.

Permission Sets

Out of the box the .NET Framework comes with the following named permission
sets:

  Nothing          - No permissions (code cannot run).
  Execution        - Permission to run (execute), but no permissions to use
                     protected resources.
  Internet         - The default policy permission set suitable for content
                     from unknown origin.
  LocalIntranet    - The default policy permission set within an enterprise.
  Everything       - All standard (built-in) permissions, except permission
                     to skip verification.
  FullTrust        - Full access to all resources.
  SkipVerification - Grants rights to bypass the verification.

These named permission sets cannot be modified, but they can be copied and
the copies modified. In most cases, these permission sets are sufficient.
You can, however, define your own as needed.

According to Microsoft, only the Internet permission set guarantees privacy.
As a general rule, I would suggest sandboxing most applications that you
download and install in a code group that has this permission set exclusively
at the machine level. If you have downloaded an installer and installed an
application, the program by default will run in the "My Computer" group,
which is "Full Trust". If you run it from the browser, then the "Zone
Identity" rules are effective.

It should be noted that in no case will the software run with permissions
greater than those yielded under traditional role-based security (e.g. if the
logged-on user cannot access the HKLM registry hive, then the software cannot
access it either - the software can, however, access any file that you can
access).

Permissions

At this point, you are likely wondering what security restrictions you can
place on an application. Here are all of the permissions that are granted
without restriction to a "Full Trust" application.

 _________________________________________________________________________
|                                |                                        |
|· DataProtectionPermission      | NEW: Controls the ability to access    |
|                                | data and memory.                       |
|--------------------------------|----------------------------------------|
|· DnsPermission                 | Ability to access Domain Name System   |
|                                | (DNS) servers on the network           |
|--------------------------------|----------------------------------------|
|· EnvironmentPermission         | Ability to access environment variables|
|--------------------------------|----------------------------------------|
|· EventLogPermission            | Allows control of code access          |
|                                | permissions for event logging          |
|--------------------------------|----------------------------------------|
|· FileDialogPermission          | Ability to access files or folders     |
|                                | through a file dialog                  |
|--------------------------------|----------------------------------------|
|· FileIOPermission              | Ability to access files and folders    |
|--------------------------------|----------------------------------------|
|· IsolatedStorageFilePermission | Ability to use a private virtual file  |
|                                | system                                 |
|--------------------------------|----------------------------------------|
|· KeyContainerPermission        | Ability to access key containers       |
|                                | (crypto)                               |
|--------------------------------|----------------------------------------|
|· OleDbPermission               | Intended for future use when the .NET  |
|                                | Framework Data Provider for OLE DB is  |
|                                | enabled for partial trust scenarios.   |
|                                | The .NET Framework Data Provider for   |
|                                | OLE DB currently requires FullTrust    |
|                                | permission. At present, using the      |
|                                | OleDbPermission class has no effect    |
|--------------------------------|----------------------------------------|
|· PerformanceCounterPermission  | Allows control of code access          |
|                                | permissions for PerformanceCounter     |
|--------------------------------|----------------------------------------|
|· PrintingPermission            | Controls access to printers            |
|--------------------------------|----------------------------------------|
|· ReflectionPermission          | Ability to access metadata (type       |
|                                | information)                           |
|--------------------------------|----------------------------------------|
|· RegistryPermission            | Ability to access registry variables   |
|--------------------------------|----------------------------------------|
|· SecurityPermission            |                                        |
|--------------------------------|----------------------------------------|
|   o Assertion                  | Ability to assert that all this code's |
|                                | callers have the requisite permission  |
|                                | for the operation                      |
|--------------------------------|----------------------------------------|
|   o BindingRedirects           | Permission to perform explicit binding |
|                                | redirection in the application         |
|                                | configuration file                     |
|--------------------------------|----------------------------------------|
|   o ControlAppDomain           | Ability to create and manipulate an    |
|                                | AppDomain                              |
|--------------------------------|----------------------------------------|
|   o ControlDomainPolicy        | Ability to specify domain policy       |
|--------------------------------|----------------------------------------|
|   o ControlEvidence            | Ability to provide evidence, including |
|                                | ability to alter the evidence provided |
|                                | by the common language runtime - DO NOT|
|                                | GRANT THIS PERMISSION TO CODE!         |
|--------------------------------|----------------------------------------|
|   o ControlPolicy              | Ability to view and modify policy - DO |
|                                | NOT GRANT THIS PERMISSION TO CODE!     |
|--------------------------------|----------------------------------------|
|   o ControlPrincipal           | Ability to manipulate the principal    |
|                                | object                                 |
|--------------------------------|----------------------------------------|
|   o ControlThread              | Ability to use certain advanced options|
|                                | on a thread                            |
|--------------------------------|----------------------------------------|
|   o Execution                  | Ability to run                         |
|--------------------------------|----------------------------------------|
|   o Infrastructure             | Permission to plug code into the common|
|                                | language runtime infrastructure, such  |
|                                | as adding Remoting Context Sinks, Envoy|
|                                | Sinks and Dynamic Sinks                |
|--------------------------------|----------------------------------------|
|   o RemotingConfiguration      | Permission to configure Remoting types |
|                                | and channels (think IPC)               |
|--------------------------------|----------------------------------------|
|   o SerializationFormatter     | Ability to provide serialization       |
|                                | services                               |
|--------------------------------|----------------------------------------|
|   o UnmanagedCode              | Ability to call native code            |
|--------------------------------|----------------------------------------|
|· SocketPermission              | Controls rights to make or accept      |
|                                | connections on a transport address     |
|--------------------------------|----------------------------------------|
|· SqlClientPermission           | Enables the .NET Framework Data        |
|                                | Provider for SQL Server to help ensure |
|                                | that a user has a security level       |
|                                | adequate to access a data source.      |
|--------------------------------|----------------------------------------|
|· StorePermission               | NEW: Controls access to stores         |
|                                | containing X509 certificates           |
|--------------------------------|----------------------------------------|
|· UIPermission                  | Controls the permissions related to    |
|                                | user interfaces and the clipboard      |
|--------------------------------|----------------------------------------|
|· WebBrowserPermission          | OBSOLETE. .NET 1.0 and 1.1 code may    |
|                                | use this permission (see WebPermission)|
|--------------------------------|----------------------------------------|
|· WebPermission                 | NEW: Controls the right to access HTTP |
|                                | Internet resources                     |
|________________________________|________________________________________|

This may still seem like a quagmire. Again, my advice is to sandbox most
applications in the Internet Zone. When an application requires more
privileges than you have allowed, several things can happen: an exception can
be raised, the application may (and hopefully will) throw a custom error
telling you how to resolve the issue, or the application may die quietly.
This is exactly the behavior that you want - it tells you what the
application is trying to do.

(As an aside, there are tools like PermView and PermCalc to help with this.
Each has its deficiencies, however. PermView only assesses declarative
security requests and demands in the code - if the programmer uses imperative
security demands or omits them entirely, this tool will not be of much
assistance. Similarly, PermCalc performs a static analysis and suffers
similar deficiencies. The most accurate way to figure out what privileges
code needs is to sandbox it and run it.)

Policy Levels

At this point, you are likely wondering how you would set up CAS policies
enterprise-wide, group-wide, etc. CAS is set up in a hierarchical fashion.
Enterprise: %Systemroot%\Microsoft.NET\Framework\version\Config\enterprise.config Machine: %Systemroot%\Microsoft.NET\Framework\version\Config\security.config User: %UserProfile%\Application Data\Microsoft\CLR Security Config\version\security.config AppDomain: N/A The first three levels can be controlled by the administrator. Users can set at the third level. The final level is controlled by the programmer. Intersection: The effective security policy applied to a given application is the intersection of the security permissions granted at each level. Thus, if a permission is denied at the enterprise level, a malicious application cannot elevate its privileges to overcome the restriction. Out of the box, the Enterprise and User levels are set to unrestricted and policy is controlled at the Machine level. At which level, you configure policy will be a function of your organization's structure. The denial of a privilege at any level will prevent the software from acquiring that permission. That being said: it is possible to prevent policies at a lower level from denying privileges to an application; this is done by setting the Level Final on your policy. If this is set on an Enterprise-level policy, then the Machine, User and AppDomain policies are ignored. If you are on a network without a Domain Controller, all policies should be set on the Machine level. Union: The permissions granted at a given level are combined with all of the other permissions. Thus, if a permission is granted in Policy1 at the Machine level and denied in Policy2 at the Machine level, it is GRANTED at the Machine level UNLESS the Exclusive attribute is set in Policy2. Setting Exclusive in a permission set has the effect of ignoring all other policies at that level. When you sandbox an application, this is the setting that you will want to use since the All Code group has unrestricted permissions. Setting Up CAS As with most things Windows®, you can work from either the command line or from MMC. 
It is my recommendation that you configure graphically and analyze from the command line. Each .NET Framework version is administered separately; I assume that this will eventually change...

To start the GUI, either use Start -> Control Panel -> Administrative Tools -> Microsoft .NET Framework version Configuration, or run

   mmc %WINDIR%\Microsoft.NET\Framework\version\mscorcfg.msc

At the appropriate policy level, select Code Groups, then All_Code, and finally Add a Child Code Group. This will initiate a wizard that will walk you through the process of creating a Code Group. First, you will name and optionally describe the group. Next, you will choose a membership condition based upon one of the evidence categories mentioned above (as an aside, it is possible to create your own membership conditions; this is beyond the scope of this article). Finally, you will associate the Group with an existing Permission Set. It is my recommendation that you copy an existing Permission Set (setting the Exclusive attribute) and associate your new Code Group with it.

As an example, if I were to create a Code Group for software from Lutz Roeder, I might use a Strong Name Membership Condition using the public key token found in the assembly (the GUI tool will extract this for you).

Determining the Effective Policy on an Assembly

I prefer to do this from the command line, since the MMC snap-in requires you to visit each permission set individually. The console display lists all of the permissions in XML format.
Here is a sample that looks at the permissions on the hasher utility that I introduced in a previous article:

   C:\>caspol -all -rsp "C:\Program Files\Stand__Sure\Hasher\Hasher.exe"
   Microsoft (R) .NET Framework CasPol 2.0.50215.44
   Copyright (C) Microsoft Corporation.  All rights reserved.

   Resolving permissions for level = Enterprise
   Resolving permissions for level = Machine
   Resolving permissions for level = User
   Grant =

Note: The -a[ll] switch is important if you are on a network with a DC.

To see the permissions in a set, you would execute:

   C:\>caspol [-a] -lp

To see the groups:

   C:\>caspol -a -lg

Deploying the Security Policy to All Machines in a Domain

One of the nicest features of the graphical CAS administration interface is the ability to create an installer package to deploy the policies that you author. To create an installer package, simply right-click the Runtime Security Policy node in the left pane and select Create Deployment Package. Once this is done, you can deploy the package via GPO, MS SMS, etc.

Conclusion

This article has given you a brief introduction to Code Access Security. It is by no means a comprehensive treatment of the subject. CAS is intended to work in conjunction with traditional role-based security and cannot elevate privileges beyond those granted to a given user. It is useful as a tool for further restricting your exposure to vulnerabilities that arise from malicious and poorly-written applications. Unlike Cassandra, we can do something to prevent disaster.

An Aside

From a programmer's point of view, CAS is a wonderful thing because it allows a developer to document in advance what permissions his/her application will need in order to run. For the tool/library developer, things get a bit more complex. An article on this is being written for publication at NewOrder's sister site http://code.box.sk.

-[ 0x04 . News Review ]----------------------------------------------------

---[ On Nessus . by buli ]

The great security-hole scanning tool went closed-source as of release 3.0. This was a shock for the whole OpenSource community, and questions from intrigued users started the minute the announcement hit the Internet. One of the many early reactions was a short interview with Ron Gula, CTO and co-founder of Tenable Network Security, made available by NewsForge the next afternoon. It shed light on many of the questions users everywhere had. The main idea is that Ron encourages corporate usage of his tool, and the GPL was just in his way. Next he bitches about how little code he gets submitted from the community. It's an interesting interview that gives a general overview of what strategies other popular software out there might adopt in the future. An interesting ending note of the interview is that Nmap's father, Fyodor, needed to clear some things up for his userbase, such as that Nessus going closed-source doesn't involve Nmap. Although Nessus 2 is still under development and updates haven't failed to show up, forks soon arrived. There are currently three different projects handling the OpenSource side of the Nessus core: GNessUS, Sussen, and Porz-Wahn. I wish them the best of luck! This all happened at the beginning of October, and Nessus news is still hitting the news sites.
One of the latest is yet another interview with Ron covering almost the same questions. It's a bit more elaborate and covers more topics about future development. All in all, it's an interesting read.

The sad thing isn't Nessus going closed-source; I'm sure at least one of the forks will give the OpenSource community a good alternative. I'm more worried about this new current of OpenSource applications, distributions, etc. switching partially or entirely to a corporate-like philosophy and giving a shareware feel to the OpenSource versions of their products. That's just a bad course for a great phenomenon!

---[ On OASIS . by buli ]

It's been a long time since the OpenDocument standard hit the news. Many suites adopted the standard in their next versions, and strange coalitions were formed in the Office world. Important office suites stepped over their egos and adopted the new format in spite of their own. These include KOffice, Sun's OpenOffice and AbiWord. The fastest to respond was KOffice, which released support for the new format in its 1.4 beta1 version a few days before the standard was adopted by the TC Administration. Sun was a bit late at integrating the format. It was added, though, after finishing up OpenOffice version 2, along with other neat features.

   http://www.koffice.org/announcements/announce-1.4.php
   http://www.openoffice.org/press/2.0/press_release.html

Of course Microsoft again failed to behave and started being an ass, playing around with affirmations of adopting or not adopting the new standard just to promote its next MS Office suite. It began bragging about a similar open XML document-based format that they're adopting in their next Office12. Press declarations and confusing interviews related to the new standard have been plenty this period.
   http://consortiuminfo.org/newsblog/blog.php?ID=1761
   http://consortiuminfo.org/newsblog/blog.php?ID=1760

While still in the Office area, another important event was Google and Sun's announcement of a future collaboration on a WebOffice suite. This was another topic that made waves, and people everywhere started talking about Google trying to steal as much ground as it can from MS. This happened exactly when there were many speculations about Google developing a new operating system to compete with MS. I think it is a good thing that solid alternatives to MS Office are starting to rise. However, much has to be done before any of these OpenSource alternatives can achieve the complexity of an application such as Word.

-[ 0x05 . Box Talk ]--------------------------------------------------------

---[ A Review of Juice.box.sk . by nabiy ]

Juice is another sister site to NewOrder on the box network. Juice is primarily concerned with the community; it's about filling that void in the Internet. If you are old enough to remember, you might recall the early days when the net was still a community. It was a place to share your thoughts and your ideas, a place to kick off your shoes and enjoy the company of your friends. Juice is that kind of place in the present time.

On Juice you will find a vast array of topics. You will see that we discuss the insane and the religious in the same forum. Some of our more recent topics in the forums include discussion on planning the perfect crime, dog killing in Korea, and the latest King Kong movie. This diversity of topics extends to our articles section as well. If you look at our front page you'll find some well-written essays by the members of our community: discussion and thought-provoking pieces such as "What's Life All About", or the randomly funny article like "The Top 100 Things I'd Do If I Ever Became An Evil Overlord". What it comes down to is a site where community is valued and open participation is encouraged.
We strive to be honest and open with each other, to make Juice a place based on trust and friendship - the foundation of a good community. So we encourage you to come visit Juice, enjoy your daily juice, and remember to share, give and get back.

---[ In Search of the Overman . by zshzn ]

Friedrich Nietzsche detailed the concept of an Ubermensch, a man above others and above the society before him. Equality of man was a farce. Contemporary thought believes that all men are born equal, but that does not entail that men maintain equality. Not all men are equal. Similarly, not all hackers are equal. Could this be debated? For sure we have different abilities and different specialities, but any person in any scene will know that there are those clearly above him and those clearly below him. Within any community there are those that stand out. We have them here.

Often we are shocked by a post on the boards from a newcomer that appears both blatantly ignorant and blatantly arrogant. He feels he's some kind of talented hacker, yet looks very foolish to the majority of the community. Probably he's new to security communities. Probably he is young. Probably he is one of the better students in his grade at his school when it comes to computer abilities. There he stands out, there he is a cut above the rest. Yet he hasn't been to a community a few cuts above his and doesn't understand his place in the greater scheme of things. We cannot expect someone to be able to see past the limits of their experience.

Although we can all scorn this class of newcomers and isolate them as the only application of this problem, they aren't. The same can be applied to higher levels. The various authors of this newsletter represent most of the New0rder elite, and even some past that. However, anyone in this group can find another community where not only do they not have that status, but perhaps they would only be among equals, or a bottom-feeder, or even completely rejected.
Do not delude yourself: New0rder is not the be-all and end-all of computer security. There are levels above New0rder. This is not something New0rder should be ashamed of, or hide from. Like any other field, there always seems to be a level above. If you were a star on your high school football team, and that team won their division, would you be ashamed that you and your team are a score of levels below the best? Of course not. Likewise, the quality of New0rder has to be judged on how well it does within its range, within the niche that it fits. From this perspective, I think New0rder is excellent. It has a large population, and can successfully cater to a large range of knowledge. This is something New0rder should be proud of.

Similarly, New0rder acts as a portal to many of us. At New0rder we prepare to move on. At New0rder we meet people who have moved on but stuck around, and who can introduce us to a more fitting level for ourselves. New0rder connects to other communities and plays a part in a higher labyrinth that defines hacker society. The door to the entrance room of the metaphorical house that is the underground.

What does one do when they have reached the peak of knowledge that one community can provide them? Some settle down, content with succeeding amongst the group and having gained respect within that group, perhaps enjoying some form of staff status. They might be too busy with work or life to aggressively pursue new knowledge, or conceited enough to worry about status over knowledge. Status is dependent on the society you're in. There is no such thing as universal status. The areas a notch or two above or below you won't even have heard of you. To these people, I'm glad they are content, and I can only request that they don't be too bothersome (naturally they usually aren't) to those in the spectrums above or below them. Some see the light and realize the relativity of everyone's knowledge, and act courteously to everyone, and that is respected.
There's another type of person, one that is of greater interest to me and this ramble: the curious person. The person that always wants to reach for more, always looking for an outlet to more knowledge. The person with a will to power. They are the ones that, when progressing through the ranks of a community, find other more advanced communities, and go there also. They soak up the fresh information and hang around. Maybe after a while they don't even want to be around the original community; they find it too frustrating and pointless for them. It doesn't bother them that they're no longer a top dog and no longer have respect; they will happily be quiet in their new IRC channels and pick up information. They aren't satisfied with just knowing enough about something to pass it off as understanding on IRC. They want to really KNOW it, they want to be able to use it effectively, and to do so they will practice it regardless of whether they have a direct practical reason or not. They aren't satisfied with appearance or respect; they are hungry for knowledge.

Somewhere else in this newsletter I've left a challenge. It's not official and it has no set prize, if any. The challenge is to anyone out there that wants to find their inner 0verman. This is another clue I've left to make it more obvious. Any truly curious individual would find this challenge, solve it, and find me and tell me about it.

Speaking of which, when you join a newer and more advanced community, don't try to be active right away. Don't try to prove yourself to the group. Most likely you'll only make a fool of yourself, and no one will be impressed with the knowledge you bring to the table. Feel free to idle quietly in the channel and figure out how things are while learning. Read the forums, but don't post unless you actually know what you're talking about, or it's just a casual non-technical point. You don't need to participate immediately.

I feel a bit guilty for not explaining much about what's beyond New0rder.
I mention it vaguely. I don't want to mention any places specifically; I don't think either New0rder or those other places would appreciate it. But I can give a bit of a description. Generally, the higher-up places are smaller. They are less tolerant. They are more exclusive and they accept from a smaller range of knowledgeable people. They aren't going to advertise, whether it be by associations with other sites for mutual profit or Google whoring. They don't want to bring in the people who need to search Google to find hacking organizations. Their web portal is not necessarily very active, and does not necessarily exist. The deeper you go, the less of a presence you're likely to find, culminating in the ultimate extreme of avoiding public realms such as non-secret IRC channels and open websites, or having a mostly physical scene. There's a great degree of secrecy between a massive commercial site like New0rder and a hidden organization, and there will be a corresponding degree of knowledge expected from the users.

Back to the point of this: where is the Overman? Think of your skills; do you think you qualify as a hacker? What is that ultimate level that those curious learners can feel satisfied at? Or can they ever? Take a look at this text, http://neworder.box.sk/files/hack4.txt by PHC. About three quarters of a page down they start listing points of qualification, all identified with asterisks. Personally, I find that list very impressive, and don't know anybody who wouldn't. To me, that list of elements embodied in one being would be my 0verman. Who still feels they can call themselves a hacker after reading that? If that doesn't have a humbling effect on you, you're either too elite to be reading this, or you're as arrogant as anybody I know. For the rest of us this list puts in perspective the humiliating limitations of our skill. Yet that is no reason to despair. No one should throw up their hands and give up.
Perhaps one should be more modest now, to the benefit of themselves and others. Everyone should still strive to be more than they can. Only through years of progression could one become an 0verman. A man with a will to power could do it. Someone who would never be dissuaded by humiliation and setbacks. Those are the ones who can prosper. Those are the hackers.

---[ On the Community . by cd ]

Emm... It's been around 3 years really since I was last active on the NewOrder community. Community is the word I stress here. There are plenty of sites where you can be online 24/7 one day and the next disappear, and nobody will notice. Even when you get back, you'll find the boards full of people you're unfamiliar with. Perhaps the occasional name will appear, perhaps not. With NewOrder it's very much like the home away from home. Communities like NewOrder are one of the special things about the internet, a true global connection of people.

The security scene in general has seen a big shift from 10 or even 5 years ago. Nowadays even the most illiterate of computer users are familiar with the terms spyware, trojans & a whole other bundle of cracker-related terms. The mass media might be taking a bigger look at computer security now, but unfortunately the confusion over the terms cracker and hacker still persists. I wonder how long it will take before the term hacker is viewed with less suspicion. Probably not within any of our lifetimes, I imagine. Hacking for many people still conjures the image of the lone teenager, endlessly typing away, transferring millions from one account into another. I think 99% of the users on NewOrder can attest that this is far from the case. Hacking is much more than computers. Hacking is for many a way of life, a way of thinking about things. Hackers are the sort of people that, if you give them a new gadget, they'll want to take it apart, to see how it works, to understand it.
There's one technique that I think everyone could do with having in their skill set. That technique is social engineering. It might not be the most technical of ways to get into a system, but it's the sort of life skill that comes in useful in more ways than grabbing a password.

A few days ago I went to see my brother up in Oxford. We had been out hitting the pubs for around 7 hours before somehow ending up wandering around one of the many university campuses. It's social engineering that saved us from being dragged off to the security office or worse, getting arrested. I have no idea what we were actually up to, but one of the security guards came at us, obviously annoyed at the fact we were on the grounds. Normally, I'd panic and try and run. But I figured the best way to get us out of trouble was to turn the situation around and get the guard on our side. Security guards like to feel powerful and special; it makes up for the fact they're not quite good enough to be police. Knowing that, I called the guy sir with every other word. I made out that I was a confused new student, worried that I'd get in trouble. After around 5 minutes of conversation the guy was convinced that I must be studying at the university and just lost. Far from throwing us off the campus, he told us the code to unlock the student halls so that we could return to our supposed room, and wished us on our way. It's these kinds of situations where having a hacker's mindset comes in useful in more ways than you'd think. Convincing the bus driver I wasn't going to be sick on my way back to London was more of a challenge though, and all the social engineering in the world couldn't replace the humble and tested method of drunken begging.

What I'm getting at is that hacking is a means to live your life. Communities like NewOrder foster the growth and sharing of knowledge of thousands of people, and that is something very special and worth working for.
I'd like to thank everyone for their support and all the messages I've received since coming back to the site. It's been great to get back into the community and be given the opportunity to work on the newsletter again. Thanx again to everyone, and have a great Christmas (if you're planning on celebrating it, that is)!

-[ 0x06 . NewOrder Extra ]-------------------------------------------------

---[ Data's Cryptographic Challenge ]

Let us take a quick recap of the RSA cryptosystem before we proceed to the challenge.

RSA key generation
------------------

(1) Generate two large random primes, p and q. Compute n = pq and the Euler totient function phi(n) = (p-1)(q-1).
(2) Choose an integer e, 1 < e < phi(n), such that gcd(e, phi(n)) = 1.
(3) Compute d = inverse(e) modulo phi(n).

The public key is (e, n) and the private key is (d, n). Let P be the plaintext.

Encryption step
---------------

(4) Ciphertext C = P^e modulo n.

Decryption step
---------------

(5) Plaintext P = C^d modulo n.

Now, let's get down to the challenge. We know

   n = p*q = 326876483856375377836408113541818740612158979784333325058933572380589599781
             863811517071616309237201565063336067575773563488977778628035159022460252258
             90311618086597583349

and

   phi(n) = 32687648385637537783640811354181874061215897978433332505893357238058
            959978186380381796500954286944382260885931091253678968820310599119415741692
            715244067649854289986564236

It is known that either p or q has been used in other cryptosystems for key generation. Our task is to find the values of p and q and save the day! Please send in your solution to NewOrder.Newsletter AT gmail.com.

---[ Resolution's Rant - Boycott Microsoft Antispyware ]

Before I get to my opinion on this matter, allow me to summarize this ordeal so everyone is up to speed on what has happened. As far as I know, this has yet to be discussed at NewOrder, which is why I am writing this. Due to recent circumstances, I can no longer recommend Microsoft AntiSpyware as a trustworthy spyware removal program.
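Returning to Data's Cryptographic Challenge above: because the challenge hands out phi(n) alongside n, step (1) of the recap already pins down p and q, since n - phi(n) + 1 = p + q and the two primes are then the roots of a quadratic. The following is an added example (not part of Data's challenge or the newsletter) that carries that derivation through in Python for any RSA modulus whose totient has leaked; the small 61 x 53 key is constructed, and the large values are the challenge's n and phi(n) copied from above.

```python
"""Recover the RSA primes p and q from n and phi(n).

Added example, not part of the newsletter. phi(n) = (p-1)(q-1) = n - (p+q) + 1,
so s = p + q = n - phi(n) + 1 and p, q are the roots of x^2 - s*x + n = 0.
This is exactly why phi(n) (and d) must stay as secret as the primes themselves.
"""
from math import isqrt


def factor_from_phi(n, phi):
    """Return (p, q) with p >= q, or None if n and phi are not consistent."""
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:   # must be a perfect square and give integer roots
        return None
    p, q = (s + r) // 2, (s - r) // 2
    if p * q != n:
        return None
    return p, q


def is_probable_prime(n, rounds=12):
    """Miller-Rabin with fixed small bases, to sanity-check a recovered factor."""
    if n < 2:
        return False
    small_primes = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small_primes:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small_primes[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# Constructed textbook key: p = 61, q = 53.
SMALL_N, SMALL_PHI = 61 * 53, 60 * 52

# The challenge's modulus and totient, digits copied from the newsletter text.
CHALLENGE_N = int(
    "326876483856375377836408113541818740612158979784333325058933572380589599781"
    "863811517071616309237201565063336067575773563488977778628035159022460252258"
    "90311618086597583349"
)
CHALLENGE_PHI = int(
    "32687648385637537783640811354181874061215897978433332505893357238058"
    "959978186380381796500954286944382260885931091253678968820310599119415741692"
    "715244067649854289986564236"
)

if __name__ == "__main__":
    print(factor_from_phi(SMALL_N, SMALL_PHI))          # (61, 53)
    result = factor_from_phi(CHALLENGE_N, CHALLENGE_PHI)
    if result is None:
        print("n and phi(n) are not consistent with a two-prime modulus")
    else:
        p, q = result
        print(f"p has {len(str(p))} digits, q has {len(str(q))} digits")
        print("both probable primes:", is_probable_prime(p) and is_probable_prime(q))
```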
In a move that has further proven their deceitful behavior and total disregard for their consumers' privacy and security, Microsoft has downgraded certain spyware programs to the recommended action of "Ignore" in their popular AntiSpyware program. Among the ignored are numerous variants of the following programs: Claria/Gator/GAIN, WhenU, NewDotNet, eZula.TopText, and Webhancer. These are high-profile spyware applications that should be removed by any respectable antispyware program.

The most notable of these programs is Claria, which is more commonly recognized as the notorious Gator advertising company. The name change came about when the company (in an effort to clean up their objectionable image) made attempts to disassociate itself from the groups that secretly installed the Gator software onto unsuspecting users' computers. It is believed that Microsoft downgraded Claria due to acquisition talks the corporation had planned with the advertising company earlier in the year. In the first week of July 2005, news started circulating about Microsoft quietly downgrading the Claria software (and all of its variants), and it was believed that Microsoft might actually purchase the advertising company, or at least become a partner with it in some way or another. Around two weeks later, a Microsoft employee confirmed reports that the Redmond giant had called off talks with Claria. The source stated that the reason for this had to do with concern over a public outcry if Microsoft were to get involved with a company that is so heavily associated with spyware.

Interesting. So the software giant that has created an entire campaign on "Trustworthy Computing" had the nerve to try and align itself with one of the largest spyware purveyors in history. On top of that, they quietly downgraded the Claria/Gator software (and others) to "Ignore" so as to stay on good terms with the company. Did you feel that, folks? That was Microsoft spitting in your face.
You should feel outraged over this. I know I do. I actually used Microsoft AntiSpyware, but not anymore. I have even recommended it to a number of people. Why? Because it was actually a good product, but leave it to Microsoft to piss all over it. To add insult to injury, Microsoft has admitted that they are still open to acquiring companies with "behavioral tracking software" in the future. With millions of people currently using this utility, Microsoft had an obligation to be a role model in the antispyware community, but they let greed overshadow the needs of their consumers. I just hope other users of this software can see this and not allow themselves to be made pawns in Microsoft's twisted little game.

You can no longer trust Microsoft AntiSpyware to provide reliable detection results. Any spyware removal software that purposely ignores certain adware products is a threat to the privacy and personal security of the ones who use such a tool. Whether Microsoft has caved to legal threats or the demands of the Claria advertising firm, or whether they have made this decision on their own, has yet to be determined; regardless, it does not matter. Microsoft has clearly shown that it will wrongfully downgrade a serious threat to your privacy just so they can get on good terms with another company. This is clear-cut deceptive behavior, which is meant to lure people into a false sense of security, and as far as I'm concerned, this program should be classified as "rogueware" and removed from your PC.

---[ Some Kind of Perl Column . by zshzn ]

Welcome to some kind of a Perl column. This should be a regular feature in future New0rder Newsletters. I'm not going to write about something very complex, nor am I going to write some kind of tutorial for beginning Perl programmers. Since I don't even have much of a Perl audience, I'll write about whatever I damn well feel like writing.
I'm not catering to an audience; I'm writing about something that interests me, yet that I find important. What I'm writing about now is list context and scalar context as interpreted in Perl. That's right, it sounds boring. It's not secret tricks for making random cool obfuscated code. Maybe next time.

First thing to cover is that Perl code can be run from the command line with the -e flag, and I'll be using that in examples, expecting you to drop them into a terminal. Second thing to cover, since this is a personal pet peeve of myself and others, is that the language is Perl, the interpreter is perl, and PERL doesn't exist. If you write PERL someone will be obligated to kill you. I may surround Perl code with backticks when in the middle of a line or sentence; when actually using that code, remove the backticks, except if for some reason I use backticks within the code, since they are a quoting mechanism for the qx() function anyway.

Let's begin: `perl -e 'print reverse "neworder\n" '`. That's right, don't put the backticks in your terminal. What happens? I expect everyone just suffered a terrible shock, because nothing seemed to be reversed! If you didn't, shame on you for not trying that when I told you to! So why did that happen? And no, "neworder\n" is not a palindrome. Some of you might conclude that reverse() is broken. It isn't.

In Perl there are two 'contexts' that you need to worry about for now, 'scalar' and 'list'. A scalar in Perl is a single variable, be it an integer or string or just about anything. A list is just as it sounds, a list of scalars. This is not to be confused with an array. An array can hold the contents of a list, but you don't need an array to have a list. An array is named and exists in memory; a list exists on Perl's internal stack.
Look at these two scenarios:

   perl -e 'print ("car", "truck", "bus")'
   perl -e '@array = ("car", "truck", "bus"); print @array'

Both situations provide the print() function with a list, and both give the same output, but only one is using an array. Lists are not dependent on arrays: an array is a structure of variables; lists need never be defined.

Some functions in Perl are specifically scalar commands; they take a single unit and do something with it. When provided with a list, they shorten it to a scalar and you most likely don't get the result you expected. This effect is commonly called "flattening", comparable to dropping something from three dimensions to two. Other functions work in list context, and need a list. There are a handful that do both. Perl operators are context sensitive too.

The reverse() function operates in both scalar and list context and defaults to list. Take this example:

   perl -e 'print reverse ("car", "truck", "bus")'

None of the words individually are reversed, but the order of the list is. reverse() has reversed the list that's been passed to it, and then passed that list further on to print(), which also has list and scalar context operations, and which then printed the list.

Now to solve the issue for those that haven't already: reverse() defaults to list context and took "neworder\n" as a one-item list. In our last example, the list items didn't get their characters reversed; just the order of the items in the list was reversed. When you reverse a one-item list, nothing changes. So how do we get what we want? We force scalar context.

   perl -e 'print scalar reverse "neworder\n" '

Now you have what you expected. Notice the newline is no magical exception, and finds itself at the front. Previously we gave the interpreter absolutely no signal that we wanted scalar context (and you didn't even understand that we needed scalar context specifically). Now we've seen one method of forcing scalar context.
Some could argue that the reverse() function should be 'smart' and realize it only has one item in its list. However, adding peculiarities to functions instead of following the general principle of "list first unless otherwise specified" is not a wise idea. Think about it this way: what if you may or may not end up with a one-item list, yet you want the list reversed? You would find your results buggy if you had automatic scalar context when the list was only one item, and you would have to then force list context just to be sure. Another language would implement two functions to do the same task, one for arrays and one for strings. Following that theory, PHP, for the most obvious example, has implemented an outrageous number of similar functions for tasks, instead of making flexible functions that follow the same acting philosophy.

Why is understanding context in Perl important? It's important because if you want to succeed in Perl programming, if you want to be able to write complex lines incorporating multiple functions without spreading them out over multiple lines as a poor C programmer would do, then learning context is essential. Programmers tend to come to Perl and code like they're coding in C, which is understandable, but their code is inefficient and often bloated. You'll see a fitting example below.

As you may have noticed, functions in Perl don't require parens; they can usually be removed when not needed to specify precedence and limitation. `print "blah"` is nicer than `print("blah")`. Also, you can chain commands, which might not be easy in other languages. Compare:

   print scalar reverse "neworder\n";

versus

   print(scalar(reverse("neworder\n")));

versus

   $temp = reverse("neworder\n");
   $temp = scalar($temp);
   print $temp;

The Perl way is cleaner, shorter, and quicker.

---[ From the ToolBox ]

For this Newsletter edition zshzn gives us a bf generator written in Perl.
We thought it would be a great way to usher in the new Perl column and keep up with the seasonal spirit. Hope you have fun with it!

    #!/usr/bin/perl
    # If you know a few things about BF you'll realize that
    # this generates a very simple output. Well, I'm working
    # on it, some day I'll get around to having it generate
    # more complex code

    # Have some code
    use strict;
    use warnings;

    die "Usage: bfgen.pl inputfile outputfile\n" unless @ARGV > 1;
    my $infile  = shift;
    my $outfile = shift;

    # Slurp the whole input file and split it into single characters
    open my $IN, '<', $infile or die "$infile: $!";
    my $bring = do { local $/ = undef; <$IN> };
    close $IN;
    my @stuff = split '', $bring;
    die "$infile is empty\n" unless @stuff;

    # Walk the single BF cell up to the first character's value, print it,
    # then step up or down to each following character in turn. Past the
    # last character we step back down to 0 (a "\0" stand-in for "next").
    my $result = '+' x ord($stuff[0]);
    for my $index (0 .. $#stuff) {
        my $current = $stuff[$index];
        my $next    = $index < $#stuff ? $stuff[$index + 1] : "\0";
        $result .= '.';
        if    ($next gt $current) { $result .= '+' x (ord($next) - ord($current)) }
        elsif ($next lt $current) { $result .= '-' x (ord($current) - ord($next)) }
    }

    open my $OUT, '>', $outfile or die "$outfile: $!";
    print $OUT $result;
    close $OUT;
    # Have some more code -> http://zshzn.skudd.com/code/bf.txt

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Merry Christmas New0rder!
++++++++.-------.++.++++++++.-----------------------------------
I hack to learn; never did I learn to hack
--------.++++++++++++++++++++++++++++++++++++++++++++++++++++++.
Read between the lines ~ Speak my language
---------------------.+++++++++++.+++++++++.----------------.---
zshzn
--------------------------------------------------------.-------

Do you have a tool or code fragment that you find useful or just want to share? Send your submission to us at NewOrder.Newsletter AT gmail.com. Remember to include your NewOrder nick / handle with your submission.

---[ Introduction to SAN's and Possible Security Issues . by Byte69 ]

This is an introductory article to SAN's (Storage Area Networks). They are becoming more widespread and so basic knowledge of these devices is important.
I hope this article will help you gain some familiarity with them and some possible security issues associated with their deployment.

Now the beauty of a SAN is it works a lot like a normal network, so the storage system can actually be presenting storage to multiple systems. One of the tricks is that you can't have all storage seen by all systems. If you do that and have a mixed environment you could have some major data corruption problems. So usually there are software or hardware zones to protect the presentation of storage (zones act like fences). They make it so only the system you assigned that area of storage to can see it or use it. The zones are usually set at the fiber switch. You can think of them like VLANs on your network: according to what port it is in on the switch, or its WWID (like an Ethernet address), the switch will present specific parts of your storage to it.

>Why zone?

You need this because if not zoned your Windows systems could see your Unix disk and write a signature, and guess what, now all your Unix data is gone. Some large enterprises will have hundreds or thousands of systems attached to their SAN. As long as you have the correct software and switch zoning you will be fine.

>Interconnects.

There are two interconnect ways: using a hub or a switch. They operate similarly to their network counterparts. The hub uses an arbitrated loop (FC-AL) setup. Think of it like token ring: only one thing can talk on the loop at a time. These have pretty much gone away in favor of the switches. The switches create links between ports, so everyone can talk on the switch and it will send traffic to the correct place depending on zoning.

>Security issues.

Now for some possible security problems. I see two locations where there are security issues in the setup. Customers usually do not update when they need to update. The storage appliance that manages the SAN is usually running Windows. It is also usually running a web server interface or other similar services.
This is to make it easy for the SAN admin to manage it. The ones I have dealt with have usually been left as they were installed. The administrative login in this case is easily guessed if you have exposure to this. Usually the login is something like administrator and the password is Admin plus the last 6 digits of the appliance serial number backwards. Example: Admin32201F.

The main problem is that these appliances are not generally maintained properly. They usually do not get patched during the normal MS patch cycle because most users are worried it will mess up the appliance or SAN. This is the wrong approach to take when dealing with a vital appliance, as these usually are. Consider some of the things that these appliances can do, like managing the switches along with the zoning and managing the storage system. If someone got into one of these appliances they could do a lot of damage.

The first thing a malicious intruder could do is initialize the storage system itself, which means all disk groups etc. are deleted. If a new set of disk groups were then created, the data would not be recoverable; the owners would have to recreate the disk groups and restore the data from backup. Now if this was done, imagine the amount of damage that could be caused. Most SAN admins also do not document their storage system's configuration, so if they lost the configuration they may never get it back to operational without a lot of downtime.

The second option our malicious intruder has is to get into the management appliance and clear all the zoning information on the fiber switches. By doing this he could easily corrupt data and/or cause a denial of service to systems.

These appliances also introduce other attack vectors on the network, as most of the switches are also attached to the users' network. So if you know the IP of the switch you could log in to the switch and do the same thing as above without using the appliance.
You can start a telnet session and do it from the CLI, or some switches even have a web server and you just point your browser to the IP address of the switch. You could cause havoc if they are not protected. Most of these switches are made by Brocade and the manuals are available on the Internet. What's worse, most users still have default passwords on these switches. These passwords are also usually something like admin with a password of, you guessed it... password.

>Summary.

I hope this gave you a basic overview of the SAN and some possible security problems that need to be addressed before they become a problem. As I have said, this is an introduction. I plan on another paper on the convergence of SAN's and your other data over your networks. These are all problems that need to be faced.

---[ 10,000 Monkeys and a Webpage . by Izik ]

A lot has been said on the Peer2Peer structure and how flexible and useful it could really be. But in reality the only concept that has proven to work on top of it is mostly file sharing. The main advantage and disadvantage of the Peer2Peer structure is the lack of a central server which acts as an authority figure. In this article I will explain a concept, a theory on how one can implement a trust system within a Peer2Peer structure, without any authority figure nor any previous assumptions about the peers in the network.

To implement this concept we will take a goal: that goal will be to surf to a given webpage from within the Peer2Peer network, using the peers as proxies, thus providing the anonymity aspect. Each peer in our theoretical network is equipped with a simple plugin that accepts a GET request, processes it and then returns the data. This situation is a bit tricky, as we rely on peers to give us back a piece of data which we have never encountered before. This could easily be abused by evil peers returning false or modified content to mislead us.
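The poll Izik goes on to describe (compare the peers' replies by MD5, go with the digest returned most often, run a "polygraph" check against a page whose digest you already know, and let trust levels weight the next poll), written out as an added example that is not part of the article. The five peer names, their replies, the modified page and the canary /robots.txt are all constructed; Digest::MD5 is used only because the article names MD5.

```perl
#!/usr/bin/perl
# Added example (not part of Izik's article): poll several peers for the
# same GET, take the reply whose digest carries the most trust weight,
# and use a known-answer "polygraph" page to demote peers that lie.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed sample: what five peers returned for GET /index.html.
# p3, p4 and p5 collude and return a modified page, so a plain count
# of identical digests would pick the wrong answer.
my $genuine  = "<html><body>Welcome to the site</body></html>\n";
my $modified = "<html><body>Welcome to the site - install our toolbar!</body></html>\n";
my %replies = (
    p1 => $genuine,  p2 => $genuine,
    p3 => $modified, p4 => $modified, p5 => $modified,
);

# One trust weight per peer: everyone starts at 1; the polygraph and the
# article's "Human Factor" adjust it before the next poll.
my %trust = map { $_ => 1 } keys %replies;

# Group replies by digest and add up the trust of the peers behind each.
# Returns the winning digest, the weight table and the peers per digest.
sub tally {
    my ($replies, $trust) = @_;
    my (%weight, %peers);
    for my $peer (sort keys %$replies) {
        my $d = md5_hex($replies->{$peer});
        $weight{$d} += $trust->{$peer} // 1;
        push @{ $peers{$d} }, $peer;
    }
    my ($winner) = sort { $weight{$b} <=> $weight{$a} || $a cmp $b } keys %weight;
    return ($winner, \%weight, \%peers);
}

# Polygraph: we fetched a canary page ourselves and kept its digest; any
# peer whose copy hashes differently drops to zero weight in later polls.
sub polygraph {
    my ($known_digest, $canary_replies, $trust) = @_;
    my @liars;
    for my $peer (sort keys %$canary_replies) {
        next if md5_hex($canary_replies->{$peer}) eq $known_digest;
        $trust->{$peer} = 0;
        push @liars, $peer;
    }
    return @liars;
}

# Constructed canary: our own earlier fetch of /robots.txt. p3 and p4
# tamper with it as well; p5 passes the polygraph, showing the limit of
# the check against a careful peer.
my $canary = "User-agent: *\nDisallow: /private/\n";
my %canary_replies = map { $_ => $canary } keys %replies;
$canary_replies{$_} = "User-agent: *\nDisallow:\n" for qw(p3 p4);

my ($before)                 = tally(\%replies, \%trust);
my @liars                    = polygraph(md5_hex($canary), \%canary_replies, \%trust);
my ($after, $weight, $peers) = tally(\%replies, \%trust);

printf "before polygraph: %s wins (%s)\n", substr($before, 0, 8), join ',', @{ $peers->{$before} };
printf "polygraph failed: %s\n", join ',', @liars;
printf "after polygraph:  %s wins with weight %d (%s)\n",
    substr($after, 0, 8), $weight->{$after}, join ',', @{ $peers->{$after} };
print "the modified page had won the first poll\n" if $before eq md5_hex($modified);
print "the genuine page wins the second poll\n"  if $after  eq md5_hex($genuine);
```

With three colluding peers against two honest ones the first poll picks the modified page, which is the poisoning the article warns about. Once the polygraph zeroes the two peers that also faked the canary, the honest pair outweighs the remaining colluder and the genuine page wins. Two practical caveats: the canary must be a page whose content does not change between your own fetch and the peers' fetches, or honest peers fail the test; and since %trust persists between polls, it is the natural place to feed in the human-assigned trust levels the article mentions. Digest::SHA's sha256_hex is a drop-in replacement for md5_hex if you would rather not build on MD5.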
So how can we trust a given peer to give us back the actual data without modifying nor "fixing" it? The answer is by applying democracy. Democracy in our case would be to make a poll on the given GET request (e.g. GET /index.html) and sample back the results. If all the peers were telling the truth we should have only one type of result data; if for some reason a few peers decided to be evil and fake the data or return it modified, the poll will let us know about it. To compare one result with another we will use a hash function like MD5, and will go with the MD5 hash that has been returned most often.

Of course this method isn't bulletproof, as a massive amount of evil peers returning the same MD5 will poison the poll and lead us into thinking that their data chunk/reply is the right one. But this as well can be dealt with. We can perform a polygraph test by accessing a dummy site, which can be any site, sampling different parts of it and keeping the MD5 to ourselves, then asking the peers to go to the same site and examining first hand who's telling the truth and who's not. Another method could be the Human Factor, as in some cases it would be easy to spot content spoofing such as a 'Wrong Picture' or 'Broken Text', and based on human judgement to issue individual trust levels for peers and increase their weight in the next poll.

To conclude, I would say it's possible to implement a trust system within a Peer2Peer structure without having a well defined authority server. It's just a matter of how much one is willing to risk.

-[ 0x07 . Newsletter Outro ]-----------------------------------------------

We hope you've enjoyed this edition of the NewOrder Newsletter. In closing we'd like to wish everyone a happy holiday season and we hope you have good times rather than hard times. We also would like to ask you to remember that we are a community of learners; we learn it, then share it. So go learn something new, then come back and tell us about it!
See you on the site!

= ----------------------------------------------------------------------- =

NewOrder and the NewOrder Newsletter team do not make any guarantees expressed or implied as to the accuracy of this publication. If you do something stupid as a result of what you have read here, and something goes wrong, blame it on the freaking rain but not on us. All content is the intellectual property of the respective author(s). Copying of content without their permission is prohibited and lame.

Copyright (C) 2005 NewOrder Newsletter team, all rights reserved. Support the NewOrder agenda, distribute freely!

= ----------------------------------------------------------------------- =