Box of Shit: The Kat Variance

For those who know about the sordid history of the Box of Shit, you know where the name comes from. While some may have thoughtful touches and some personalized items, they are generally fun junk. Behold, the Kat variance! After sending a true box of shit to her, a couple months pass and I get an epic, wonderfully prepared, designer box of greatness that surprised me several times over. Timing worked out so I opened it on Christmas and voilà, I had my own celebration in a box. But first, I had to taunt her, to make sure I was giving back as much as she gave me, even before I knew what that was. Given the pandemic, I of course had to let it stew for a bit before I could open it… for safety.

When I did, boy was I surprised. It was just like something you get wrapped at one of those tables in the mall before Christmas day, staffed by four elderly ladies that know how to wrap shit.

Four individually wrapped presents, a cloth sack, and four hidden candy canes surrounded by little strands of tissue ribbon worms that kind of haunt my dreams now. I found two going through my desk drawers this morning. The lush squirrels toasting the holidays were a nice touch but I think they are controlling the worms now. Do they look innocent to you?!

Anyway, if you look closely you may notice that they have orders dictating the order to be opened. But nothing about that little cloth sack. Do I open it first? Last? Dealer’s choice? This of course drove me crazy because you can’t violate the spirit of a box of shit, thems the rules dammit. Technically, I should open it after the third since that would not break any rules, if you think about it. But I opened it first because I didn’t think about that until writing this blog. #fail

As a collector of squirrel currency (yes, it’s a thing!) and tokens, but not challenge coins, this was a great surprise. While I don’t collect them, I see a lot with my morning mails telling me what “squirrel coins” were put up for auction. “Squirrel challenge coin”, see? Despite that, I had never seen this variation of a secret squirrel challenge coin! Win! On to the first box…

A box of squirrel paper clips. Brilliant! Because what animal is more known for organizing than squirrels! Not only had I never seen these, I am actually running low on paper clips. The next time I print out emails and hand them to someone, beautifully bound with these, they will be impressed. Box #2…

Squirrels, the game! Collect Nuts, Cause Mayhem, Make Terrible Squirrel puns! Yes, yes, and more yes! At squirrel nutworking events I am known for cracking a good joke before I leaf for the night. The best part… never seen this game before. Three for three! Box #3…

The nanoblock NBC_178, aka the Squirrel! If you are looking at it thinking it is a Chipmunk, you are wrong (notice the tail). And even if you were right they are in the Sciuridae family! Now, I have seen this and even built one before, that completed pic is from last year. But, I asked if I should re-gift or build again and put on my second desk and I was told the second desk it is. So I have another lego project in my future. The hidden bonus? Nanoblock kits come with quite a few extra pieces; enough to make two extra acorns even. =) Box #4…

This one was a two-fer! First, an amazing squirrel puzzle box that I have never seen! Once opened, it came with some breath mints or the largest Quaaludes you’ve ever seen. TBD. Along with those was this great necklace that features a 1 Øre coin from Norway, known for its prominent squirrel feature. Most people who have received a box or envelope of shit from me have received one of these coins, but never in such great condition and never as part of a necklace. Some people wear patron saint necklaces and now I have my own.

So there you go, an absolutely incredible box that ascends past the title of ‘Box of Shit’. This was a box of brilliance.

Sitting on Undisclosed Vulnerabilities (e.g. SolarWinds Stragglers)

The company SolarWinds is in the news, victims of an attack that compromised their Orion Platform software by inserting a backdoor into it, allowing for remote code execution. Like most big breaches, we hear the term “sophisticated” used for the attack. And like many breaches, we quickly learn that it might not have been so sophisticated after all. There is plenty of commentary on this and the wave of attribution experts are out in full force on Twitter. You can read about all of that elsewhere as I cover a different aspect of vulnerability disclosures here.

Anyone who has done penetration testing has found vulnerabilities, of course. Since those tests are done under non-disclosure agreements (NDA), the vulnerabilities are reported to the customer. One long-standing problem with this process is that a vulnerability found during the test may be in commercial off-the-shelf (COTS) software that affects many other organizations in the world. But that NDA often says you cannot disclose findings elsewhere, including to the vendor. Even when the NDA allows it, most penetration testing shops don’t have someone designated to handle coordinated disclosure with the vendor. When it does happen, it is often in the tester’s spare time, or, if the company uses security advisories for advertising, the tester may be tasked to write it up.

For more than 25 years, this means that a lot of vulnerabilities are discovered in COTS that die in customer reports. The customers may sometimes report them to a vendor themselves looking for a fix. But surprisingly, that often does not happen. How do we know? Many testers have seen the exact same vulnerability during a test of the same customer a year or more after the original. There are times where a tester will disclose those vulnerabilities long after the fact, without coordinating with the vendor. This can happen after they leave the company they did the testing for or when they think sufficient time has passed.

I think we saw this yesterday with SolarWinds with the publication of CVE-2018-16243. First, while MITRE is not always consistent about it, the year in a CVE ID denotes when the ID was reserved or when the vulnerability was first made public, not when an advisory finally appears. A 2018 ID on an issue that was published yesterday strongly suggests the researcher requested the ID back in 2018 but waited until now to publish. The exact date is likely 8/30/2018 per the disclosure itself. But looking at the disclosure, done via gist.github.com, we can see via the revisions that it was published 12/14/2020. So the researcher appears to have sat on these SolarWinds Database Performance Analyzer vulnerabilities for 837 days. Based on the disclosure, there was no coordination with the vendor and no fix is currently available. Also of note, seven distinct XSS vulnerabilities were disclosed but the CVE only covers six of them.

Why now? Because SolarWinds was in the news albeit for a vulnerability in a different product (SolarWinds Orion Platform). Looking at prior vulnerability disclosures, it is easy to tell where the researcher works. A quick LinkedIn search verifies that bit of information and brings us to the fun question; did they find these SolarWinds vulnerabilities at their prior job, the downtime between jobs, or at Optiv? All three have interesting implications if you think about it. =)

Jumping back to the point, I will renew the call I have made in the past; penetration testing shops should use an NDA that allows them to report vulnerabilities in COTS to the vendors on behalf of the customer. They should manage the coordinated disclosure process and publish an advisory after a fix has been made available and they verified their customer has mitigated the vulnerabilities. Yes, it is a little extra work! Yes, it also is a value add to your customer, value to any organization that uses the software, and the advisories become advertising of sorts. That little extra work will go a long way for the greater good.

Review Player Two

TL;DR

Ready Player Two is an enjoyable read that keeps the spirit and overall feel of the first book, with a few chapters in the middle that are a bit difficult to slog through. Worth a read though.

Summary

Ready Player Two is the aptly named sequel to Ready Player One. It picks up shortly after the end of the first book with four heroes ‘enjoying’ their lives to varying degrees, now as owners of the corporation that controls the OASIS. Similar to the first book, the sequel takes us on a new journey through an epic quest with even higher stakes. Instead of three gates now we’re faced with finding seven shards, each tied to a planet within the OASIS.

The main character and hero of the first book, Wade Watts, can’t find the first of seven shards and ends up paying someone a billion dollars for instructions to find it. The second comes after playing the ‘Sega Ninja’ arcade game in a specific place and completing the entire game. That takes us to the planet Shermer, a tribute to all things John Hughes. For this shard, rather than feeling like I was reading a well-written book, it felt more like reading a Wikipedia page with a vague plot instead. Factoid after factoid about John Hughes, his movies, characters in the movies, alternate scripts to the movies, and a lot of other pedantic details; the whole thing was poorly conceived.

The third shard takes us to Halcydonia, a planet designed to provide free education to any child in the world. After a lot of words for perhaps the easiest quest, the fourth shard bears the symbol of Prince and leads us to a planet ‘named’ in the same fashion. This becomes yet another Wikipedia page thinly disguised as a book chapter and bogs down the flow of the book. Even worse, the Prince quest drags on for several chapters. After an interesting battle with seven iterations of Prince, the next quest takes us into the world of Tolkien but not the more mainstream literature like the Hobbit or Lord of the Rings. With six shards in hand, Wade uses them to create the seventh shard and the actual plot continues. From here the rest of the story unfolds rapidly and is considerably more enjoyable.

Criticism

The books are set in the year 2045 and focused heavily on ‘retro’ culture, meaning we readers are well versed in many of the cultural aspects of the story like John Hughes, arcade games, Prince, and Tolkien. Since the story is set more than 20 years in the future, we’re given a good description of the technology that makes it possible and the state of the world. What is completely missing is any notion of anything cultural between the death of Prince and the time of the story. While I wouldn’t necessarily want to get distracted with a shard quest centered on a fictional piece of culture, I think the author has the writing chops to do exactly that and make it interesting, but does not.

Cline has been praised for his depiction of gender and sexuality in the book, and he deserves some credit for sure. During that bit, Wade tells us that with the new technology he had experienced sex as and with different genders and orientations. Cline should have had Wade realize he is pansexual after his admitted experiences having sex with and as different genders. But that little bit about the technology’s ability to let one experience sex differently is mostly relegated to one page of one chapter and ultimately, the book falls on some common stereotypes in my eyes. The white girl knows all about John Hughes movies. The black girl knows all about Prince. The white boy and white girl know all about Tolkien. The Japanese boy knows the Japanese video game. Every main character has a hetero orientation except Aech, a lesbian. The only other character that suggests a different orientation, L0hengrin, is quickly glossed over. Even worse, she is potentially the most interesting new character of the entire book but is quickly put out of mind and used as a plot advancement point later with little fanfare.

Finally, while I really enjoy most of Cline’s writing style, there are small parts of the book that seem to break from the style of the first book and instead, are written as if they are lines from a movie script. In the board room when the four heroes meet the Low Five, they “run over to” greet them. In a board room with 10 people in it, there isn’t room to ‘run’. The main characters are treated as gods in the OASIS essentially, yet act like starry-eyed fans of someone that has already been written as a starry-eyed fan of them. This single scene had so many disconnects in my mind it stood out and made me wonder if Cline got distracted with notions of what the movie will look like.

Reference: Ready Player Two on Wikipedia.

Not all CVEs are Created Equal. Or even valid…

[I wrote this early 2019 and it was scheduled for January 7 but it apparently did not actually publish and then got lost in my excessive drafts list. I touched it up this week to publish because the example that triggered this blog is old but the response is evergreen. Apologies for the long delay!]

I recently caught a Tweet from @NullCon offering 10 free conference passes to NullconDasham, awarded to “InfoSec heroes who shared their hard work with the community & contributed to the @CVEnew database“.

I re-Tweeted with comment pointing out “There were at least 311 CVE assignments in 2018 alone, that were for issues that were *not* a vulnerability. I hope you are going to scrutinize the submissions.” Anant Shrivastava replied asking for some examples, and the next morning Mitja Kolsek suggested a blog would be beneficial. Here it is, as short and sweet as I can, which is never short in the world of Vulnerability Databases (VDBs) due to caveats.


Thoughts on 0-days and Risk in 2020

[Stupid WordPress. This was scheduled to publish Nov 23 but didn’t for some reason. Here it is, a bit late…]

On Friday, Maddie Stone from the Google P0 team Tweeted about the 0-day exploits her team tracks. As someone who checks that sheet weekly and tracks vulnerabilities, including ones ‘discovered in the wild’, this is a topic that is squarely in my tiny niche in the industry. Also, big fan of the P0 team!

I replied to her Tweet suggesting it come with a disclaimer that it didn’t represent “all” 0-days, rather that they tracked high-end 0-days used primarily in “APT” attacks. Ben Hawkes, manager of the team, replied and agreed with that assessment. Before we proceed, let’s define 0-day real quick since the term is used for a variety of vulnerabilities, often incorrectly.

In this context, a 0-day is a vulnerability that was actually found being exploited in the wild before there was public knowledge of it. In Risk Based Security’s VulnDB, we track that as “discovered in the wild“. Since VulnDB is comprehensive and our goal is to track every vulnerability, regardless of software or severity, we tend to aggregate a lot more than others. As of this post, we have over 78,000 vulnerabilities that aren’t found in CVE / NVD as a point of comparison. In my reply to Maddie I pointed out that we had seen 51 this year compared to their 22.

Next, Allen Householder replied to me raising a fun point, which is how many vulnerabilities that really represents. Out of the 20,000+ vulnerabilities aggregated in 2020, we have 51 that are flagged as “discovered in the wild”. That represents only 0.25% of all vulnerabilities this year. One point I made previously is that Google’s team likely doesn’t care about a 0-day in the “Adning Advertising Plugin for WordPress” despite it being used to compromise WordPress blogs.

So with that number in mind, it goes back to the narrative that companies need to be scared of 0-days. They absolutely do! But… and this is the big qualifier that needs to come with that fear, is that perhaps they don’t need to be as afraid of 0-days as they do of already public vulnerabilities that they missed. With only 51 0-days in 2020, that means a vast majority of organizations simply aren’t likely to be targeted. Fully patching all known vulnerabilities that impact them should be priority one.

More to the point, vulnerabilities that have functional public exploits allowing anyone to trivially launch a viable attack are consistently a much bigger risk than the elusive 0-days. That is also a reminder of how often CVSS falls short if your vulnerability intelligence doesn’t provide Temporal scoring or exploit availability. Organizations making risk decisions only using the CVSS Base score are missing out on an important risk attribute.
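To make the exploit-availability point concrete, here is an added example (not code from the original post, VulnDB, or the P0 tracker) that computes CVSS v3.1 Temporal scores from the specification’s metric weights and then orders a small, constructed set of findings with exploit availability ahead of the raw number. The finding names (VULN-A, VULN-B, VULN-C) and their scores are made up for illustration and are not real CVEs or VulnDB entries.

```python
"""Added example: CVSS v3.1 temporal scoring plus an exploit-aware ordering
over a constructed list of findings. Metric weights and the Roundup function
follow the CVSS v3.1 specification; the findings themselves are hypothetical."""
import math
from dataclasses import dataclass

# CVSS v3.1 temporal metric weights (X = Not Defined).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, computed in
    integer arithmetic as the spec does to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """Temporal Score = Roundup(Base * ExploitCodeMaturity * RemediationLevel * ReportConfidence)."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl]
                   * REPORT_CONFIDENCE[rc])


@dataclass(frozen=True)
class Finding:
    name: str        # hypothetical label, not a real identifier
    base: float      # CVSS v3.1 Base score
    e: str           # Exploit Code Maturity (X/H/F/P/U)
    rl: str          # Remediation Level (X/U/W/T/O)
    rc: str = "C"    # Report Confidence (X/C/R/U)

    @property
    def public_exploit(self) -> bool:
        """Functional or High maturity means anyone can trivially launch it."""
        return self.e in ("H", "F")

    @property
    def temporal(self) -> float:
        return temporal_score(self.base, self.e, self.rl, self.rc)


def prioritize(findings):
    """Rank by exploit availability first, then Temporal score, then Base."""
    return sorted(findings,
                  key=lambda f: (f.public_exploit, f.temporal, f.base),
                  reverse=True)


# Constructed sample (assumed values, not real data): a critical-looking bug
# with no known exploit code, a lower-scored bug with a working public
# exploit, and an actively exploited bug with no vendor fix.
SAMPLE = [
    Finding("VULN-A critical, no exploit code", 9.8, e="U", rl="O"),
    Finding("VULN-B high, public functional exploit", 7.5, e="F", rl="O"),
    Finding("VULN-C high, exploited, no vendor fix", 8.8, e="H", rl="U"),
]


def base_order(findings):
    """The ordering a Base-score-only process would produce."""
    return [f.name for f in sorted(findings, key=lambda f: f.base, reverse=True)]


def exploit_aware_order(findings):
    """The ordering that accounts for exploit availability."""
    return [f.name for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"temporal={f.temporal:4.1f} base={f.base} "
              f"public_exploit={f.public_exploit} {f.name}")
```

Note what the numbers alone do: the Exploit Code Maturity weight can shave at most 9% off a Base score, so a 9.8 with no known exploit still scores higher (8.5) than a 7.5 with a weaponized public exploit (7.0) even after temporal adjustment. The reordering has to come from the exploit-availability attribute itself, which is why it is the first element of the sort key rather than something folded into the score.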

I’ll end this blog with some arbitrary statistics around 0-days for fun! These are based on VulnDB data as of 11/21/2020. Note that metadata is less complete before 2012, which includes ‘discovered in the wild’ classification.

  • 241,690 vulnerabilities, only 641 are 0-days (0.27%)
  • 14 are in Google products: Chrome (5), V8 (3), Android (6)
  • 146 are in Microsoft products: Windows (63), IE (36)
  • 13 are in Apple products
  • 7 are in Oracle products: Java (4)
  • 62 are in Adobe products: Flash (38), Reader (14)
  • 18 are in security products 😞
  • The oldest is from 1975 in RSTS/E! Yes, for real.
  • The oldest you likely recognize is Sendmail in November, 1983

Dec 3 – Breckenridge Ski Report

The Good

  • The people on the mountain are mostly good about social distancing on the lift rides (two people for a four-chair lift), but not so much in line. You get a stark reminder of this when it is 10 degrees and you can see everyone’s breath.
  • While not much of the terrain is open, the runs that are available are in good shape so the conditions are good.
  • At the bottom of the mountain there is more care about distancing with extra ski racks, someone to help guide people, and cordoned off areas near the ticket windows.

The Bad

  • At the lifts, the operators are doing nothing to enforce distancing. They are also ignoring people not following the mask mandate. People wearing a gaiter over the mouth only for example, go unchallenged. The lift crews are also largely ignoring people in line and talking to each other. Rare to get a friendly greeting.
  • With only three runs open on upper Peak 9, they are more crowded than prior years. There has been little to no enforcement of slow zones or the no jumping section of Cashier run.
  • It isn’t just the limited runs, it is a lot more crowded this week than compared to prior years. With the new reservation system it sounds like a good idea to limit the people on the mountain. But apparently Vail Resorts isn’t publishing just what that limit is. So instead of being on a run with a couple other people during the first week of December, I find myself on the run with 25 or more. This does not bode well for the rest of the season. As it stands, it seems like the reservation system is purely for show. Picture above shows eight people on the last leg of Cashier, with another 20 behind me. But, at least one bluebird day this week!
  • The revamped web site is riddled with bugs, so many and so severe as to hinder functionality. Want to get a buddy ticket? Good luck since you have to sign in to view prices, despite being signed in. EpicMix statistics? Gone completely. EpicMix app? While there appear to be some good new features, they come at the cost of removing some statistics too. Want to chat with someone about it? Enjoy the 463 minute wait.

The Hacker Jeopardy That Never Was

Many years ago, at early DEF CONs before 2000, I became a critic of Hacker Jeopardy after some of the questions had wrong answers. The host had written the questions and answers but got some wrong. The next year I offered to sanity check them before the game and did so, finding a few errors shortly before the game started. I think this happened a year after that but my memory is fuzzy as to how many years I helped. At some point I offered to help write questions well in advance of the next DEF CON and began scribbling ideas in a notebook. I found that notebook recently!

Below were to be the proposed topics and questions in order of difficulty. I have not included a few questions which would have been acceptable to most attendees back then, but shouldn’t have been in hindsight. One of the questions revolved around ‘open secrets’ of two individuals in the scene, one being John Draper and the other continuing to be an open secret to this day.

After a recent DEF CON which had a Hacker Jeopardy that had every team miss which port Telnet is on [23], I wonder how teams would do with these. Some may be subjective, but they had more widely-known backstories at the time.

Errata

  • This charlatan is best known for her delusions of grandeur, Erik Bloodaxe reading her mail, the FBI harassing her, and more. [Carolyn Meinel]
  • PGP is a lost concept to this charlatan. [Winn Schwartau]
  • This well-trained monkey/charlatan hacked a bank once. [Ira Winkler]
  • This charlatan can help you learn the SECRETS of hacking a public library or BBS. [Knightmare]
  • This charlatan is master of using ‘grep’ for his IDS at NASA! [Dan Ridge or ‘B-grep’ or ‘wizkid’]

Which DEF CON

This first answer on my list strikes me as wrong. My own memory today says only ~ 200 showed up to DEF CON 2, but now I wonder if it was really ~ 400, which would explain an answer of ~ 300 showing to DEF CON 1. But conventional wisdom and our poor memories often cite the first one only having ~ 100 there. Anyone have a more definitive memory?

  • Only 300 people showed to this DEF CON [1]
  • Which two hackers were thrown out of the Aladdin at which DEF CON? [Pete Shipley / Voyager @ 5]
  • The Sahara was serving minors Heineken beer at which DEF CON? [2]

We’re here to help…

  • We are hackers who will be glad to narc you for teenpron.gif! [EHAP or Ethical Hackers Against Porn]
  • We are hackers who will be glad to get you legal counsel like the other 0 we have helped. [HDF or Hackers Defense Foundation]
  • Spending a quarter million to prove what everyone knew by building “DeepCrack” is the only thing we’ve done in years. [EFF]
  • We’ll be glad to repost your advisories six months after you do! [CERT]
  • Pay us thousands, and our 17 year veterans will babble … err teach you to hack Japanese banks. [se7en]

DX3BH!

  • What does RSA stand for? [Rivest, Shamir, Adleman]
  • Win95 SSH supports what flavors of encryption? [Idea, 3DES, Blowfish]
  • Name one ITAR loophole [printing or missile]
  • What crypto engine is unix crypt() based on? [Enigma]

Everything under the Sun

  • SunOS was derived from what flavor of Unix, while Solaris hails from which? [BSD vs SysV]
  • What is the default debugger installed with Solaris? [adb]
  • How many returns does it take to overflow AND exploit a vulnerable binary on the sparc architecture? [2]

Ancient Exploits

(I only had notes for 4 questions, nothing written out)

  • SunOS 4.0.3
  • Convex
  • Unicos 7.x
  • BBS

Fucking Unix

The idea for this was Unix commands that were also commonly joked about euphemisms for sexual activity. There were many, many more back in the day but I only ended up with three questions in my notes for some reason.

  • Foreplay as ‘stinky pinky’ [finger]
  • This function might lead to child processes [fork()]
  • These two commands make 69 [head + tail]

Ultimately, I don’t believe these were ever used, and as I recall, the host and question writer for Hacker Jeopardy at the time said ‘yes’ to collaborating on questions in advance of the next convention, but did not follow through at all so the idea died off.

I don’t recall what “8.6” referred to for the answer to the first question under ‘Everything under the sun’, so I didn’t include it above.