Skip to content

Virtual Nudity at Airports

Recently, I had the pleasure of flying from the new terminal at the San Jose Airport. The building is quite nice from the inside and even has some cool futuristic moving statues. With all the good stuff comes also a set of virtual nudity machines at the security screening point. The virtual nudity machines also known as backscatter x-ray screening promise increased privacy since the naked images of passengers are viewed at a remote location and there is no requirement of a physical examination. As the sign states these machines are optional but whoever refuses must subject themselves to a thorough physical pat down. I already had one really bad experience with the virtual nudity machines at another airport - I was told I was not allowed to wear my watch or any necklaces. Well, this time I chose the metal detector and walked through without any further hassles. However, I had the pleasure of watching every single person who was shepherded through the virtual nudity machines being patted down. One woman had her breast touched - perhaps she dared to wear an underwire bra? The next guy got patted down around his legs. His offense was a chap stick hidden in his pocket. What really amused me was the guy after him who was patted down because he had not removed his handkerchief from his pocket. At the end of the day, anyone going through the backscatter x-ray machines got patted down and spent a significantly longer time at the security checkpoint. This seems like an overly expensive experiment that hopefully will be abandoned soon.
Categories: Security
Defined tags for this entry: ,

Adobe PDF Vulnerability: Stack overflow in Font File parsing

Metasploit has a great write up on new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code is using strcat and lacks bounds checking resulting in a stack overflow.

The PDF in the wild prepares the heap via Javascript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font files has slightly different shell code. It was amusing to see that the attackers after modifying the head and SING tables did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.
Categories: Malware, News, SpyBye
Defined tags for this entry: , ,

Libevent-2.0.7-rc release

Nick announced the release of Libevent-2.0.7-rc today. Here is an excerpt from his email:

Thanks to everybody who reported and fixed bugs in Libevent 2.0.6-rc,
Libevent 2.0.7-rc should be much more stable and portable, especially
for people using IOCP, Windows, rate-limiting, or threads.

There are also numerous small bugfixes thoughout the codebase (though
still not, alas, in the http stuff).

For a complete list of changes, just see the ChangeLog included with
the source distribution.


You can download source code of libevent releases from monkey.org
Categories: Libevent, News
Defined tags for this entry: ,

Anatomy of a PDF Exploit

PDF has become the de-facto standard for formatting print documents. Over the years, it has evolved into a feature rich and very complex system. PDF supports embedded Javascript that can be used for form validation and contains support for different image formats and 3D models, etc. As a result, PDF implementations have numerous vulnerabilities that can be exploit by adversaries to gain control over a user’s computer. Here are a number of CVEs that are currently being exploited in the wild: CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-2994, CVE-2009-4324, CVE-2010-0188.

In this blog post, we are going to look at current exploitation of CVE-2010-0188: An integer overflow in the parsing of the dot range option in TIFF files. The vulnerability was publicly announced in February 2010. Examples of exploit code are readily available on the Internet and a very good explanation of how the exploit works has been provided by Fortinet.

The exploit described by Fortinet utilizes an AcroForm described in XML. The XML contains an image field with an embedded TIFF image that triggers the vulnerability.

Continue reading "Anatomy of a PDF Exploit"
Categories: Hacking, Malware, Security
Defined tags for this entry: , ,

Heat treating the Wakizashi

Heat treating a sword using a water quench is a tense affair as the sword my crack and many hours of work may be lost. This video shows heat treating a wakizashi I made from forge welded cable that was folded several times. The Japanese differential heat treat calls for coating the back of the blade with a clay layer that retards the quench and allows the covered part of the steel to remain softer. The border between harder and softer steel becomes visible as hamon. Although, the heat treating was successful, the blade developed a welding flaw and at this point it looks like 20 hours of work might have been lost.
Categories: Hacking
Defined tags for this entry: ,

Folding Steel

Folded SteelWhen examining a traditionally forged Japanese sword, the steel structure (hada) often looks like wood grain. This structure is a result of folding and forge welding tamahagane. To simulate such hada without using expensive tamahagane, I took 24in of 1in diameter steel cable and forge welded it into a single piece of steel. That steel was then folded 7 times with some surface manipulation and then forged into a small wakizashi. The picture shows the tang after the scale was removed, polished and then lightly etched to show the grain. The steel structure seems similar to mokume hada. Now, I just need to find the time to shape, heat treat, polish and mount the sword. Expect progress pictures as work permits - probably in a few months.
Categories: Hacking
Defined tags for this entry: , ,