Niels Provos - Hacking

Making Wootz Steel

nospam@example.com (Niels Provos) — Fri, 10 May 2013 16:31:53 -0700

Our experiments in creating crucible steel with a composition similar to ancient Wootz steel are continuing. In this video, we show the process of making a Wootz ingot and our first successful forging of the ingot into a bar. Our crucibles are charged with wrought iron from wagon tires, pulverized charcoal, some O1 tool steel, calcium carbonate and glass. Watch the video for all the details.

Phone call with a Heavily-Accented Phisher

nospam@example.com (Niels Provos) — Thu, 02 May 2013 17:50:24 -0700

or How I failed to get the whole story

I am lying on the bed with a stomach bug when the phone is ringing. It says 544 Unknown Name. The following is an abbreviated recollection of the phone call.

Woman: Hello. This is a computer support call. Are you the owner of a Windows XP, Windows 7 or Windows 8 computer?

Me: Thanks for calling.

Woman: Are you the owner of a Windows XP, Windows 7 or Windows 8 computer.

Me: Yes, I own the computer I am using.

Woman: Can you look at your keyboard. In the left bottom corner do you have a key that says CTRL.

Me: I turned off the computer. Do you want me to turn it back on.

Woman: Yes, turn the computer back on. Let me know when it is ready.

Me: OK. I pressed the power button. It says it’s booting.

Deliberate pause for dramatic accent. I wait about 30 seconds. During the whole phone call, I managed to turn the computer off at least 5 times.

Me: It says user name now. What shall I do?

Woman: What is your user name and password.
Continue reading "Phone call with a Heavily-Accented Phisher"

Crucible Steel

nospam@example.com (Niels Provos) — Wed, 13 Feb 2013 20:40:30 -0800

Our first experiments with creating crucible steel. The video shows the first run in which we melt wrought iron at 3000F. The ultimate goal is to create crucible steel with high carbon content that can be forged into swords.

The Serpent in the Sword continued...

nospam@example.com (Niels Provos) — Wed, 21 Mar 2012 21:06:24 -0700

The Serpent in the Sword project is slowly progressing. I have posted a couple more videos documenting the process. In part 2, the bevels of the sword are forged, the geometry is established on a belt sander and the sword is finally heat treated. In part 3, the sword fittings are made, e.g. the lower and upper guard as well as the pommel and wooden hilt. If things go right, the sword will be finished just in time to my visit to Germany in July. The Viking museum in Haithabu has a special event in which 20 Viking ships will sail to its harbor. There is also the new Viking Puppet Theater which should be fun to watch. It's called "Wikinger Puppentheater Ygdrasil" and has it's premiere in April at the museum in Haithabu.

The Serpent in the Sword

nospam@example.com (Niels Provos) — Fri, 20 Jan 2012 22:47:00 -0800

Inspired by "The Serpent in the Sword" from Lee A Jones, I embarked on the quest of forging a pattern-welded double-edged sword that has a visual serpent at its core. The video shows my progress over about 7 days of work. Pattern-welding in addition to structural benefits is also visually very attractive. The sword in this video is constructed from a total of seven bars. Two edge bars, two twisted bars and three bars for the serpent. The whole process while using modern tools is very similar to the one that anglo-saxon or viking-age blacksmiths might have employed. Each step in created a pattern-welded sword is explained and narrated in the video above.

Pattern-Welded Seax

nospam@example.com (Niels Provos) — Fri, 06 Jan 2012 21:17:44 -0800

In my quest to forge another double-edged viking-age sword, I have been experimenting with a serpent pattern. As part of my experimentation, I forged the the seax shown in the picture. It's over all length is 21.5 in, with a 16.5 in long blade and 5in long handle. It's a 7 bar construction. The cutting edge and back are W1. The two twisted bars are 11-layers of 15n20 and 1095. The serpent itself is an 11-layer straight laminate of 15n20 and 1095 backed by two bars of mild steel. As the picture shows the pattern came out quite nicely and the overall shape of the blade is quite pleasing. The next project is going to take the serpent pattern to a double-edged sword. We will see how that goes.

Forging a Composite Viking-age Sword

nospam@example.com (Niels Provos) — Fri, 09 Sep 2011 00:15:11 -0700

The video shows forging a pattern-welded Viking-age sword consisting of a 5-bar construction based on dimensions from a find in Norway. The video shows squaring up the rods and how I bundle the five bars (3 twisted core and 2 edge) into a sword-like object and then forge weld it. Instead of employing a wrap around edge, I am cutting a V into the tip that is forge-welded back together.

Viking-Age Iron Making In Oakland

nospam@example.com (Niels Provos) — Mon, 18 Jul 2011 22:18:22 -0700

Pattern-Welded Kurzsax

nospam@example.com (Niels Provos) — Sun, 05 Jun 2011 10:56:23 -0700

This knife is a multi-bar construction with W1 for the cutting edge and 1095 and 15n20 for the twisted rods. It is inspired by early Viking-age finds from Norway. The guard and pommel are made from brass and embossed with a triangle design. The handle is made from bok oak used in the defensive ring wall of the Viking-age Haithabu settlement in Northern Germany.

The knife was created as the result of an accident. While working on the rods for a Langsax, I twisted too hard and a piece of the rod sheared off. Fortunately, that piece was long enough to suffice for a Kurzsax. The blade is about 7.5in long and then handle measures 5.5in for a total of 13in. The knife features a scandi grind and is very sharp. There is no secondary bevel on the edge.

Mästermyr inspired Chest

nospam@example.com (Niels Provos) — Fri, 20 May 2011 05:29:31 -0700

Last year, I started making an oak chest with forged straps and lock inspired by the Viking-age tool chest found at Mästermyr. The chest uses the same construction as the original one, e.g. mortise and through tenon, rabbets for the front and back, compound angles due to all sides leaning in and dowels. The straps, hinges and chest handle are not authentic but look quite nice.

From Mästermyr Chest

More in progress pictures can be found in the album.

Forging a Chest Handle

nospam@example.com (Niels Provos) — Sat, 09 Apr 2011 18:25:59 -0700

As my work on the Mästermyr-like chest is slowly coming to completion, I noticed that due to thicker planks, the chest is getting too heavy to carry comfortably without handles. Although, the original chest did not have any handles, I decided to forge handles anyway. None of the books in my library had good illustrations of Viking-age handles but the simple design above is going to fit with the hardware I have forged so far.

This handle was forged from a 7in long piece of 3/4in round steel. I isolated a 1in piece in the middle by fullering with a spring fuller at 3in and 4in from the end. After the middle piece was isolated, I tapered both sides to 1/4in so that each end was about 6in in length. The transitions were square, octagon and then round as usual. Each end was bend at 3in over the horn of the anvil.

The loops were forged from 1/4in thick and 1in wide rectangular steel. I used a butcher to get a tenon that could be forged down to 1/4in round and then drilled a 1/2in hole for the eye where the handle is going to fit through.

To make the handle stop rotating at 90 degrees, i.e. to avoid squeezing the hands, I put each end of the handle in the vise and used a set hammer to bend a stop that is going to engage with the plate, see the picture. The base plate is 1/8in thick and the loops where riveted to it with the handle in place. The whole process took about 5 hours.

Surprisingly, aside from a couple blacksmithing books, I could not find any article on the web that shows how to forge a chest handle.

Lizamoon SQL Injection Campaign Compared

nospam@example.com (Niels Provos) — Sun, 03 Apr 2011 15:24:20 -0700

Malware infections such as SQL injection are a well known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. Gumblar.cn and Martuz.cn. Recently, a new SQL injection campaign called Lizamoon has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That let me to wonder: Was Lizamoon as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that comparing the size of campaigns via search engine result estimates might not be very accurate measurement.

That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.

Below is a comparison of the Gumblar.cn/, Martuz.cn/ and Lizamoon infections based on Google's Safe Browsing data. The graph shows the number of unique infected sites over a 30 day sliding window.

For this analysis, I counted the sites that had a functioning reference to it, e.g. a script src=. Sites that escaped the script tag rendering it harmless were not counted. For Lizamoon, I aggregated the sites provided by the websense blog into a single measure:

hxxp://lizamoon.com/
hxxp://tadygus.com/
hxxp://alexblane.com/
hxxp://alisa-carter.com/
hxxp://online-stats201.info/
hxxp://stats-master111.info/
hxxp://agasi-story.info/
hxxp://general-st.info/
hxxp://extra-service.info/
hxxp://t6ryt56.info/
hxxp://sol-stats.info/
hxxp://google-stats49.info/
hxxp://google-stats45.info/
hxxp://google-stats50.info/
hxxp://stats-master88.info/
hxxp://eva-marine.info/
hxxp://stats-master99.info/
hxxp://worid-of-books.com/
hxxp://google-server43.info/
hxxp://tzv-stats.info/
hxxp://milapop.com/
hxxp://pop-stats.info/
hxxp://star-stats.info/
hxxp://multi-stats.info/
hxxp://google-stats44.info/
hxxp://books-loader.info/
hxxp://google-stats73.info/
hxxp://google-stats47.info/
hxxp://google-stats50.info/

The graph shows two interesting facts.

The Lizamoon campaign started around September 2010 and actually peaked in October 2010 with ~5600 infected sites. At the moment, it seems to be undergoing a revival.
If we compare the number of infected sites, Gumblar.cn/ is still clearly the winner with ~62,000 sites, followed closely by Martuz.cn/.

For future studies of malware infections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs.

Update 2011-04-04: The blog post incorrectly referred to Gumblar.cn and Martuz.cn/ as SQL injection attacks. These attacks used stolen FTP credentials.

Anatomy of a PDF Exploit

nospam@example.com (Niels Provos) — Thu, 19 Aug 2010 17:10:08 -0700

PDF has become the de-facto standard for formatting print documents. Over the years, it has evolved into a feature rich and very complex system. PDF supports embedded Javascript that can be used for form validation and contains support for different image formats and 3D models, etc. As a result, PDF implementations have numerous vulnerabilities that can be exploit by adversaries to gain control over a user’s computer. Here are a number of CVEs that are currently being exploited in the wild: CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-2994, CVE-2009-4324, CVE-2010-0188.

In this blog post, we are going to look at current exploitation of CVE-2010-0188: An integer overflow in the parsing of the dot range option in TIFF files. The vulnerability was publicly announced in February 2010. Examples of exploit code are readily available on the Internet and a very good explanation of how the exploit works has been provided by Fortinet.

The exploit described by Fortinet utilizes an AcroForm described in XML. The XML contains an image field with an embedded TIFF image that triggers the vulnerability.

Continue reading "Anatomy of a PDF Exploit"

Heat treating the Wakizashi

nospam@example.com (Niels Provos) — Fri, 30 Jul 2010 20:33:16 -0700

Heat treating a sword using a water quench is a tense affair as the sword my crack and many hours of work may be lost. This video shows heat treating a wakizashi I made from forge welded cable that was folded several times. The Japanese differential heat treat calls for coating the back of the blade with a clay layer that retards the quench and allows the covered part of the steel to remain softer. The border between harder and softer steel becomes visible as hamon. Although, the heat treating was successful, the blade developed a welding flaw and at this point it looks like 20 hours of work might have been lost.

Folding Steel

nospam@example.com (Niels Provos) — Sun, 30 May 2010 19:26:51 -0700

When examining a traditionally forged Japanese sword, the steel structure (hada) often looks like wood grain. This structure is a result of folding and forge welding tamahagane. To simulate such hada without using expensive tamahagane, I took 24in of 1in diameter steel cable and forge welded it into a single piece of steel. That steel was then folded 7 times with some surface manipulation and then forged into a small wakizashi. The picture shows the tang after the scale was removed, polished and then lightly etched to show the grain. The steel structure seems similar to mokume hada. Now, I just need to find the time to shape, heat treat, polish and mount the sword. Expect progress pictures as work permits - probably in a few months.