This was my first hope conference (The Next HOPE Conference)despite being in New York City for more than half a decade. Always it seemed that work would send me out of town just before the con. However, this time around I had the good fortune of being in the city during the conference.
There were a few good talks some of which were not so technical but kindled the questions for privacy fanatics.
The talks I attended included Alessio Pennasilico’s talk about DDoS attack on Bakeca.it, Modern Crimeware and Tools talk by Alexander Heid, Steven Rambam’s talk on Privacy is Dead, Blaze Mouse Cheswick et. al’s talk which was abstract but awesome. I did attend a few more talks and it was fun. All in all a great conference.

As can be seen from the recent “xz attack” discovery that there nation states have realized that this is likely the “best” vector to impact large-scale systems in big organizations. With the cloud computing providers being the “source of computing” for most large corporations today, we should anticipate that a larger portion of the attacks will fall into this category. Also, just like “sleeper cells” in traditional espionage, such “sleepers” may exist in numerous OSS projects. Does that mean we should stop using open source – hell no. All that means is we just need to be careful. Can we detect these attacks? It’s tough to detect but yes we can detect them by good ol’ school, telemetry and observability.

But that’s not what this blog post is about. I think the most interesting bit from the xz attack for me was that the libraries that get harder to debug and decode are much juicier targets. How does that matter? The ML libraries that are super popular like pytorch and tensorflow and others are quite hard to compile out of bound from scratch. Such libraries can have interesting attack vectors which allow nice pickle compromises. I say “nice” because the family of insecure deserialization has existed in CWE since 2006! It’s older than many other issues and will continue to exist.

My only hope is that maintainers of core ML projects such as PyTorch, Tensorflow, keras and others start showing a slightly higher level of paranoia and build reproducibility so the supply chain attacks can be avoided on such harder to debug libraries.

Silsilay, the latest movie by Khalid Mohammed, a critic famous for his Sunday Times articles, is a disaster to say the least. Mr.Mohammed, who has torn apart most of the movies in his journalism career, to my disappointment, has not proven himself any better than the pack he tore apart. I think if he himself saw the movie impartially he probably would have given it negative five stars.
Silsilay, as the movie is called, is a movie of three stories running one after the other albeit aimlessly. The first story is of a film actress (Bhoomika Chawla) who falls in love with a bookie (Rahul Bose) who is two-timing his girl-friend, who in turn is two-timing him…sounds complex…don’t bother…it’s not complex but just kiwi drainex!
The second story is of a young girl (Riya Sen) who looks stunning in the movie and is afraid to lose her virginity and is consoled by her overly promiscuous friend to do *it*. Ashmit Patel steps into the story as her boy toy (read “snuggies”) and Jimmy Shergill, who is her co-worker from work and is looking to gain her attention. Some good (aimless) smooches result between Ashmit and Riya and Khalid Mohammed succeeds in spinning a story that is as ridiculous as Riya and Ashmit’s acting. For god’s sake Riya, Nirma soap advertisements were better!
As if the torture was not enough, Mr.Mohammed had a life-saver (or at least as he thought) a still more ridiculous story. Well, some B-grade films would have called this 3rd story a *saga*…but I frankly think that Khalid Mohammed doesn’t think!
It’s a combination of a love triangle…sorry…love quadrilateral with a diagonal (please figure out what this means on your own…watching the movie wouldn’t help anyway). In this story Tabu plays a housewife whose husband (KK) is going out with a (super hot) air hostess (Celina Jaitley) and whose son suffers from Oedipus Complex ( where a person falls in love with his own mother). As if this carcass did not stink the theatres…there was more bull**** coming across in the form of Shah Rukh Khan in between stories and scenes. Mr. Khan there are many ways to win Filmfare awards…this is probably the last way to *buy* the awards. Mr.Khan does a saving act by signalling to the audience how he behaves when nature calls arrive…how he insanely goes about dancing for no reason whatsoever.
This is all a part of the crap that I call Silsilay!
-Rajat.
Awesome Japanese Artifacts!

Seems like the pwn2own this time around is going to be putting up prizes of about $100,000+ for people who can find 0-days for a variety of platforms. Especially, the fact that about $60,000 are being devoted for 0-days on the mobile security platform including the android platform etc., indicates a new era of security bugs.
The iPhone (non-jailbroken ones) as well as the BlackBerry application do tend to use signed executables. One only hopes that like the trust-relationships of the SSL-based certificates, the trust is really kept by analyzing the blackberry and iPhone apps.
Tyler Shields from Veracode presented his work of TXSBBSpy (source code URL: http://www.veracode.com/images/txsBBSpy.java; Presentation slides: http://www.veracode.com/images/TylerShields-MonkeyBerries-ShmooCon-2010.pdf).  In this he suggested that when controlled APIs are used the code needs to be signed by RIM but to do that RIM only gets the hash and not the source code.  This presents an interesting situation where RIM could actually be signing something that they don’t really know what it seems to be doing.

I was using the vpnc the other day on my Backtrack 4 R2 system to log in to VPN. I noticed that there was nothing that would give me the status of whether or not the tunnel was up. So I wrote a small one-liner to help me:

while [ `ps aux |grep vpnc|grep -v grep|awk '{print $2}'` ] ; do printf "Connected\r"; done


I wrote a very small script to set static IPs on a kubuntu box.

#!/bin/bash
if [ $# -lt 4 ]
then
    echo "Usage: $0 <interface> <ip> <netmask> <gateway> <dns1>"
exit
fi
ifconfig $1 $2 netmask $3
echo "Static IP set"
route add default gw $4
echo "Routes added"
if [ "$5" != "" ]
then
    echo "nameserver $5" >>/etc/resolv.conf
fi
echo "DNS set"

VMWare is excellent for malware analysts because it lets you keep snapshots of pristine Virtual machine states and you can revert back to them when you want to.
I encountered a weired error this time around on my Windows XP Pro VM. Whenever I would try to take any snapshots I would get an error: “Error taking snapshot: Windows XP Professional.VMX-Snapshot1.vmsn file already exists”. When I looked into the folder there was no .vmsn file with that name. I deleted all the files .lck and .lock files and still to no avail. Then I saw the files named as
Windows XP Professional-000001-s00?.VMDK.
The regex for these files was:
Windows XP Professional-00000?-s00?.VMDK
where ? is one character replaced by 0-9. Upon deleting these files, my snapshots started working properly.