Author Archives: phocean

ESFS, new perspectives for steganography?

Tomas Touceda advertised a new project on Full Disclosure.
The idea sounds good, so I will keep an eye on this very interesting project.
I would, though, like to know more about the methods that were used for encryption and steganography.

Code and explanations are on the ESFS project homepage.
Beyond the practical usage, I wonder if it can offer any better resistance to the statistical analysis that usually defeats steganography. The author partially addresses the point on the mailing list:

What I meant with hide is that, since it uses the LSBs, you can pick
any image, and “find data” in them, so it makes it a little bit harder
to know where you actually have data, and if you really do.

In response, a reader named stormrider pointed to an interesting research document (PDF) that surveys the state of the art on the limitations of steganography and the attacks against it. Is it really a dead end?

This is indeed a very interesting field of research.

Ravan, password cracking using JavaScript!

Ravan is a new password cracking tool based on JavaScript.

Wait, what? JavaScript? Yes, as the author explains, modern JavaScript engines are not so slow anymore, and in addition HTML5 brings a new “feature”, Web Workers, which allow the browser to run JavaScript in the background (i.e. without the page that runs the script having to wait).

Combine it with several computers connecting to the same page executing a password cracking script and you easily get quite a powerful distributed password cracker.

Visit this page for more details.

Get rid of ConsoleKit / D-Bus / HAL stuff on a server

ConsoleKit spawns 35 threads on my system, which is a waste considering that I use at most 7 vty. But it is definitely useless on a server (you don’t need fast switching stuff). D-Bus and HAL are not useful on a server either, and they consume resources for nothing.

Unfortunately, they are installed with the default basic installation, and other packages depend on them (e.g. the kernel and zypper), which makes them impossible to simply uninstall.

Here is a way to at least deactivate these services at startup on openSUSE 11.2 (it might also work with 11.3).

First, ConsoleKit is not a standalone daemon anymore in the latest versions of openSUSE. It is started along with dbus (you will see that if you stop dbus, all the ConsoleKit threads magically vanish).

But simply trying to remove dbus from startup doesn’t work, because of dependencies among services. On my system, it complained like this:

# chkconfig dbus off
 insserv: Service dbus has to be enabled to start service bluez-coldplug
 insserv: Service dbus has to be enabled to start service network
 insserv: Service dbus has to be enabled to start service haldaemon
 insserv: Service dbus has to be enabled to start service earlyxdm
 insserv: exiting now!
 /sbin/insserv failed, exit code 1
 [1]    7954 exit 1     chkconfig dbus off

So, let’s remove the Bluetooth stuff:

# zypper remove bluez

Then, we just deactivate the services that can’t be uninstalled:

# chkconfig earlyxdm off
# chkconfig network-remotefs off
# chkconfig haldaemon off

You will probably want to keep the network service on, otherwise your configuration scripts won’t be read anymore. Instead, we will just edit the dependency in the startup script itself, by opening /etc/init.d/network and changing these lines:

# Required-Start:    $local_fs dbus
# Required-Stop:    $local_fs dbus

We just delete the word dbus, so that this section of the script looks like this:

### BEGIN INIT INFO
# Provides:        network
# Required-Start:    $local_fs
# Should-Start:        isdn openibd SuSEfirewall2_init
# Required-Stop:    $local_fs
# Should-Stop:        isdn openibd SuSEfirewall2_init
# Default-Start:    2 3 5
# Default-Stop:
# Short-Description:    Configure the localfs depending network interfaces
# Description:        Configure the localfs depending network interfaces
#                       and set up routing
### END INIT INFO

Now we are done, and we should be able to turn dbus off for good:

# chkconfig dbus off

Bingo! I didn’t monitor the memory precisely, but I believe I saved around 50 MB, which is always welcome on a small server.

I don’t know if it is the best way – I may have missed something – however I am pretty happy as it now works as I wanted. Please let me know if you have a better tip.
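
To find out in advance which init scripts will make insserv refuse `chkconfig dbus off`, the LSB headers can be scanned for hard dependencies on the service. The script below is an added example, not part of the original post: the function names `required_by` and `make_sample` are hypothetical, and the sample headers are constructed (only the two network lines mirror the ones quoted above).

```shell
#!/bin/sh
# Added example (not from the original post): list the init scripts whose
# LSB header makes insserv refuse "chkconfig <service> off".

# required_by SERVICE DIR: print each script in DIR that names SERVICE in
# the Required-Start or Required-Stop line of its INIT INFO block.
required_by() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if awk -v svc="$1" '
            /^### BEGIN INIT INFO/ { hdr = 1; next }
            /^### END INIT INFO/   { exit }
            hdr && /^# Required-(Start|Stop):/ {
                for (i = 3; i <= NF; i++) if ($i == svc) found = 1
            }
            END { exit !found }' "$f"
        then
            basename "$f"
        fi
    done
}

# make_sample DIR: write constructed init-script headers for the demo.
# Only the two Required-* lines of "network" mirror the post.
make_sample() {
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: network' \
        '# Required-Start:    $local_fs dbus' \
        '# Required-Stop:    $local_fs dbus' '### END INIT INFO' > "$1/network"
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: haldaemon' \
        '# Required-Start: boot.localfs dbus' \
        '# Should-Start: acpid' '### END INIT INFO' > "$1/haldaemon"
    # Should-Start is only a soft dependency, and text after END INIT INFO
    # is not part of the header: neither may be reported.
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: cron' \
        '# Required-Start: $remote_fs $syslog' \
        '# Should-Start: dbus' '### END INIT INFO' \
        '# Required-Start: dbus' > "$1/cron"
}

# Run the scan over the constructed samples in a throwaway directory.
demo() {
    d=$(mktemp -d) && make_sample "$d" && required_by dbus "$d"
    rm -rf "$d"
}
demo
```

On the server itself, the call would be `required_by dbus /etc/init.d`; every name it prints has to be disabled, removed or edited before dbus can be switched off.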

EMET: configure memory protection on Windows

Microsoft published a nice tool named EMET (Enhanced Mitigation Experience Toolkit) whose purpose is to check and enforce memory security policies such as ASLR and DEP.

It shows the global settings and lets you configure them, but also, and this is the most interesting part, indicates for each running process whether it supports those security measures. It can even enforce the protections for applications that do not support them natively (i.e. not set at compilation time).