Saturday, June 30, 2007

iPhone HTTP User-Agent String

Just a quick FYI.. The following is the HTTP User-Agent string supplied by the iPhone browser:


Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3





Thursday, June 14, 2007

URL Deobfuscation

A few days ago, I was having a little fun with a coworker. I sent him several obfuscated URLs through Outlook Web Access (OWA) from Internet Explorer (IE) 7.

The 3 URLs I sent were:

http://1096965168/


http://0x41.0x62.0x5c.0x30/

http://0101.0142.0134.0060/

(Warning, links NSFW!!)

Which all resolve to: http://65.98.92.48/ (http://goatse.cz)

Strangely enough, as I sent the email, the links were transformed to the "real" IP address, 65.98.92.48, before being sent. Originally I wrote it off as a feature of either OWA or Exchange, but I then resent the email using OWA via Firefox and also through Entourage. The last two tests delivered the email with the URLs in their obfuscated form. So, it appears that it's the IE7 browser that is de-obfuscating those URLs before they are sent!

Additionally, while composing this post, I've noticed that neither Firefox on OS X nor Safari on OS X was able to resolve the obfuscated URLs and display the site. Using Thunderbird on Windows XP, I was also surprised to see that not only did Thunderbird label the email as a potential scam, it presented me with a pop-up warning when I attempted to click the links.



As someone who "cut my teeth" working the Security/Abuse desk at UUNET, I remember URL obfuscation as a major tool in the spammer/phisher arsenal. A lot of these bad guys would hide their sites by doing something like http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/.
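As an added example (my code, not the author's script and not what IE7 or OWA actually run internally), here is a small Python deobfuscator that applies the classic inet_aton parsing rules the three links above rely on: a host made of one to four dot-separated components, each written in decimal, hex (0x prefix) or octal (leading 0), with the last component filling whatever bytes remain. It also separates the user@ lure from the real host, and rewrites a URL to dotted-decimal the way the post observed IE7 doing. The two-component form 65.0x625c30 and the sample URLs in the `__main__` block are constructed inputs for the example.

```python
"""Deobfuscate numeric-host URL forms (decimal dword, hex, octal, user@host lure).
Added example, not the original post's code."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def parse_component(tok):
    """Parse one dotted component with inet_aton rules: 0x.. hex, leading-0 octal, else decimal."""
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def deobfuscate_host(host):
    """Return the dotted-decimal address for a numeric host literal written in
    1 to 4 components (inet_aton: a, a.b, a.b.c, a.b.c.d, the last component
    filling the remaining bytes), or None if the host is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    try:
        vals = [parse_component(p) for p in parts]
    except ValueError:          # a real hostname such as www.example.com lands here
        return None
    last_bits = 8 * (5 - len(vals))          # 32, 24, 16 or 8 bits for the final component
    if any(not 0 <= v <= 255 for v in vals[:-1]) or not 0 <= vals[-1] < (1 << last_bits):
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | vals[-1]
    return str(ipaddress.IPv4Address(addr))


def inspect_url(url):
    """Split a URL into the text a reader sees first (any user@ lure) and the
    host the browser actually connects to, with that host in canonical form."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "lure": parts.username,               # e.g. "www.bankofamerica.com" in the user@host trick
        "host": host,                         # what the browser really connects to
        "resolved": deobfuscate_host(host),   # dotted decimal, or None for a real hostname
    }


def normalize_url(url):
    """Rewrite a URL with a numeric host into dotted-decimal form and drop any
    userinfo lure, i.e. the transformation the post observed IE7 performing."""
    parts = urlsplit(url)
    info = inspect_url(url)
    if info["resolved"] is None:
        return url                            # ordinary hostname: leave it alone
    netloc = info["resolved"] + (":%d" % parts.port if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the three links from the post, the user@host lure,
    # a two-component form inet_aton also accepts, and a normal hostname for contrast.
    samples = [
        "http://1096965168/",
        "http://0x41.0x62.0x5c.0x30/",
        "http://0101.0142.0134.0060/",
        "http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/",
        "http://65.0x625c30/",
        "http://www.example.com/",
    ]
    for u in samples:
        print(u, "->", normalize_url(u), inspect_url(u))
```

The range checks matter: a component above 255 in a dotted form, or a dword at or above 2^32, is rejected rather than silently wrapped, which is also what makes a hostname like www.example.com fall through untouched.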

Monday, June 11, 2007

VMware Fusion Beta 4

VMware has just released Beta 4 of its Fusion product. If you are not familiar with Fusion, this is VMware's Mac OS X version of its Workstation product. Although they appear to be borrowing a lot of the cutting-edge features from Parallels [Unity (called Coherence in Parallels), booting of Boot Camp partitions, and DirectX 8.1 support (introduced with Parallels 3.0)], it will be interesting to see how they compete price-wise with Parallels. While Parallels 3.0 is currently retailing for a hefty $79.99, the Fusion Beta is a free download. According to the Fusion FAQ, the final pricing has not been set. The introduction of Fusion should provide for some great old-fashioned competition between VMware and Parallels in the arenas of performance, features, and price, which will benefit us all.

Additionally, having Fusion now allows me to finally tinker with all those pre-built VMware appliances/images!!


Here is a screenshot of the Smoothwall Firewall VMware appliance running on my machine.

[UPDATE] Looks like VMware has set the price. From the updated FAQ:

Customers can pre-order VMware Fusion for $39.99 from www.vmware.com/mac until the product is GA (generally available) prior to the end of August 2007, which is a 50% savings over the suggested retail price of $79.99 when it is released in August 2007.

Wednesday, June 06, 2007

Gentoo Auto-Update Scripts


Being an old OpenBSD user, I have grown quite accustomed to receiving the daily email output from the fantastic /etc/daily, /etc/weekly, and /etc/monthly cron jobs. Now that I am supporting several Gentoo-based servers, I find myself longing for that same system maintenance automation.

To address this, I have created a shell script for Gentoo to perform various nightly system administration tasks from a cron job and then email me a report reminiscent of OpenBSD's /etc/daily reports. This script is generic enough to run on all of my Gentoo-based boxes. Additionally, since most of the servers I support serve some sort of security function, I've included optional auto-updating for Nikto plugins, Snort signatures, and Nessus plugins.

This script is released AS-IS under the New BSD License and is available from the "Downloads" section of my Google Code page. While I am currently running this script in production environments, it should still be considered Beta. Please feel free to change/add/improve as you see fit. If anyone would like to contribute, please drop me a comment.
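To illustrate the shape of such a job, here is an added example of my own, not the script from the Google Code page: a POSIX sh cron script that builds an /etc/daily-style report from a list of sections, records a missing or failing tool in the report instead of aborting the run, and mails the result. The Gentoo commands (emerge --sync, emerge -uDNp @world, glsa-check -t all) are real, but the update invocations for the optional security tools (oinkmaster -o DIR for Snort rules, nikto -update, nessus-update-plugins) are assumptions about those tools' command lines and are off by default; the MAILTO and UPDATE_* variables are names chosen for this example.

```shell
#!/bin/sh
# gentoo-daily.sh: nightly maintenance report in the spirit of OpenBSD's /etc/daily.
# Added example, not the post's script. The security-tool update commands below
# are assumed from those tools' usage and are disabled unless UPDATE_*=yes is set.
# Install with a crontab line such as:  0 3 * * * /usr/local/sbin/gentoo-daily.sh

REPORT="${REPORT:-/tmp/gentoo-daily.$$}"     # report file, overridable from the environment
MAILTO="${MAILTO:-root}"                     # recipient of the report
UPDATE_SNORT="${UPDATE_SNORT:-no}"           # optional tool updates, off by default
UPDATE_NIKTO="${UPDATE_NIKTO:-no}"
UPDATE_NESSUS="${UPDATE_NESSUS:-no}"
SNORT_RULES_DIR="${SNORT_RULES_DIR:-/etc/snort/rules}"

# section TITLE CMD [ARGS...]: append a titled block to the report. A tool that is
# not installed, or one that exits non-zero, is noted in the report rather than
# killing the whole run, so one broken update never hides the rest of the output.
section() {
    title=$1; shift
    printf '\n=== %s ===\n' "$title" >>"$REPORT"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$REPORT" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?" >>"$REPORT"
    else
        printf '[%s not installed, skipped]\n' "$1" >>"$REPORT"
    fi
}

# build_report: write the full report to $REPORT (generic sections first, then
# the Gentoo-specific ones, then the opt-in security tool updates).
build_report() {
    printf 'Daily report for %s, %s\n' "$(uname -n)" "$(date)" >"$REPORT"
    section "Uptime and load" uptime
    section "Disk usage" df -h
    section "Recent logins" last -n 20
    section "Portage tree sync" emerge --sync --quiet
    section "Pending Gentoo updates" emerge -uDNp @world
    section "Gentoo security advisories (GLSA)" glsa-check -t all
    [ "$UPDATE_SNORT" = yes ]  && section "Snort signature update" oinkmaster -o "$SNORT_RULES_DIR"
    [ "$UPDATE_NIKTO" = yes ]  && section "Nikto plugin update" nikto -update
    [ "$UPDATE_NESSUS" = yes ] && section "Nessus plugin update" nessus-update-plugins
    return 0
}

# deliver_report: mail it when mail(1) exists; otherwise print it, and cron mails stdout anyway.
deliver_report() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "Daily report: $(uname -n)" "$MAILTO" <"$REPORT"
    else
        cat "$REPORT"
    fi
}

# Run the job only when invoked as the script itself, so the functions can also be
# sourced and exercised individually.
case "${0##*/}" in
    gentoo-daily.sh) build_report; deliver_report; rm -f "$REPORT" ;;
esac
```

Because every section goes through the same wrapper, adding a new check is one line, and the report still arrives (with the failure noted) on the night a mirror is down or a plugin update server changes its URL.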