Journal


Thoughts on photography, technology, music, and creative work.

My First Hoist Ride

hoisting

Last night I got an email from the commander of the Search and Rescue (SAR) team that I am a part of, about a mutual-aid callout on San Jacinto for a missing hiker. I got the call at about 2230 and quickly responded that I would be there. I got about 4 hours of sleep as I had to wake up at 0330 in order to be at the Sheriff's Office at 0500 to pick up one of the Sheriff's vehicles and drive to the base of the tram by 0600 hours. I am not normally one to be on time, but when it comes to searches it is important to be punctual as someone's life is on the line.

At the briefing my teammate Mark Kinsey and I got our mission which entailed us riding up to the San Jacinto peak on Los Angeles Sheriff's Department's gargantuan Sikorsky SH-3 Sea King known as Air Rescue 5 then riding the hoist down to the summit and then hiking cross country through the west side of San Jacinto and eventually coming to a trail that would take us to the tram. I was excited about riding in a helicopter, as the last time I had the pleasure of rotor based travel I was in Search and Rescue in Santa Fe, New Mexico.

Zipping down from a hovering helicopter on a piece of aircraft cable attached to my seat harness whilst carrying my 24 hour pack was quite a rush. Once I was on the peak and I unclipped from the hoist I snapped a few photos of the bird and Mark and I made our way across the ridge.

The mission was supposed to be technical so we kept our harnesses on, but we never ended up needing them apart from the helicopter bit. It was really just bouldering for the first mile or so until we turned down towards the saddle between two peaks, at which point we had to walk on top of dense brush for about another 1/2 mile dropping several hundred vertical feet. After the brush it was fairly easy going for the next couple of miles until we hit more dense brush and it started raining. Despite the rain and the brush we made good time and soon enough we were on a real trail. We double-timed it back to the tram and made our way down to the command post for debriefing at around 1530.

We didn't find any tracks or signs of the missing subject, but hopefully other teams will find him tomorrow. [You can find the rest of the photos here]

Update: They found him and he is OK!

September 6, 2006

The Day My Camera Died

Yesterday Penelope and I made a trip down to the San Diego Zoo and about half way through our adventures my camera started taking photos on its own in rapid succession while flashing Error 99 on the LCD. I tried pulling the batteries and letting it sit for a while, but that didn't cut it. I looked through my photo archive and I've taken well over 50,000 photos with it since I bought it in February 2005. Looks like I will be without a digital SLR (still have a film SLR body) for a couple of weeks while I get it repaired.

Update: After finding someone who had the exact same problem that I did and emailing said person, I found out that I needed to replace my shutter. Canon will do it for $196, which also includes a complete overhaul and cleaning of the camera. It takes 7-10 business days to complete. I am sending it off today.

September 5, 2006

RPA Photo Use

My photography has been published before in a local music rag called Jointz Magazine. I was excited to find out that one of my protest photos (shown below) will be published in a report about American population growth and land use trends for a New York based not-for-profit organization called the Regional Plan Association. I will post a copy of the report once it prints.

Protesters

August 23, 2006

Subverting Vista Kernel For Fun And Profit

Joanna Rutkowska

Joanna Rutkowska gave a highly informative talk at Black Hat called "Subverting Vista Kernel For Fun And Profit." In the first part of her talk, she demonstrated an attack on Vista's code signing feature, which requires any code that is loaded into the kernel to be signed by Microsoft. Her attack did not take advantage of an implementation bug or a vulnerability, but instead used the built-in raw disk write access to change a few lines in the pagefile. Once the pagefile was altered and the changed data was read back into memory, she was able to load any code she desired into the kernel. She stated that this didn't mean that Vista was insecure, just not as secure as Microsoft says.

I talked to her for a few minutes today about her talk and asked if she was going to be releasing the code, and she said she didn't see the point of doing that. Her goal was not to provide people with a way to hack systems, but to alert the community and Microsoft of a flaw in the system. She also mentioned that she is in active informal discussions with Microsoft and they are aware of the problem and the potential solutions she laid out in her talk, but she didn't want to comment on what they were going to do about it.


The second part of her talk covered a proof-of-concept rootkit called Blue Pill that takes advantage of the extremely powerful new virtualization features in the new 64-bit AMD processors. Blue Pill takes a running operating system and completely virtualizes it beneath a hypervisor, which can then be used to intercept certain system calls and execute arbitrary code nearly completely invisibly to the user. As the system is truly virtualized at the processor level and not in kernel and userspace, the virtualized system has direct access to the hardware (except for calls the hypervisor is intercepting), and detection would be non-trivial to say the least. Although she did her research on the AMD processor, she said the same attacks would be possible on the new Intel chips, although their virtualization implementation was not as powerful.

where do you want to go today?

August 3, 2006

Hardware Hacks and Cracks with FPGAs

FPGA Array

"Faster Pwning Assured: Hardware Hacks and Cracks with FPGAs" with David Hulton & Dan Moniz. I didn't stay for this talk, as I'd seen Hikari's original talk at LayerOne a couple years back, but I did get a couple shots of him and the expanded setup of FPGAs.

Hikari, David Hulton

August 3, 2006

Xerox Multifunction Device In Your Network?


Brendan O'Connor gave a talk called "Vulnerabilities in Not-So Embedded Systems" about how easy it is to take over the computers that run the Xerox Multifunction Devices. Basically, he wants people to treat these supposed embedded systems as servers, which they really are. Through his research he found that the Xerox systems didn't have the GRUB boot loader locked down with a password, so he was able to gain access to the system and basically do whatever he wanted with it. These systems are dangerous because they are full Linux systems, but the user doesn't have access to them and so is unable to secure them. As you know, services are constantly being found to be vulnerable, and relying on a technician to come and patch your copier isn't going to keep your network safe. It would be wise for vendors to allow users access to these systems so that they can keep them safe.

August 3, 2006

Breaking AJAX Web Applications - Black Hat 2006 Day 2

Alex Stamos

Alex Stamos and Zane Lackey gave a talk at Black Hat called "Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0". As AJAX evolves from a toy used by teenyboppers to a serious tool used by banks, hospitals and Uncle Sam, it becomes more and more important to ensure bug-free code. AJAX has changed web attacks by exposing the frameworks used by the applications via included .js files, which reveal the supported calls. Cross-site scripting becomes more complicated as you can inject script into the JavaScript stream. Injection attacks are also more dangerous due to front ends that are exposed in the client-side code. Business logic in applications has become more complex, so parameter manipulation vulnerabilities are still excellent attacks.

XSS becomes more complicated and more interesting because you can just put JavaScript right into a running JavaScript engine, which becomes harder to escape as you're no longer looking for brackets and tags.

Because your browser is running a JavaScript application, if an attacker sends you rogue code, in say link form in your cool AJAX email app, your browser will run the code sent in the webmail application instead of loading it in a new page, and then the attacker would be sent your authentication cookie. The attacker would then have access to your web mail. The speakers used the fictitious company Webmail.com in this example, and when asked about Gmail they responded that they have more lawyers than Webmail.com, but it was pretty clear the attack they were talking about was possibly on Gmail.
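An added example, not from the talk or the original post, of the point above about script injected into the JavaScript stream: a filter that looks for brackets and tags passes a constructed subject line that closes the string in a server-generated script response, while returning the same input as JSON data and parsing it keeps it inert. The function names, the `page` object and the sample subject are assumptions made for the illustration.

```javascript
// Filter written for HTML-context XSS: it only looks for brackets and tags.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '').replace(/[<>]/g, '');
}

// Vulnerable server: splices user text into a JavaScript response.
function renderVulnerable(subject) {
  return 'showSubject("' + stripTags(subject) + '");';
}

// Hardened server: returns data only. JSON.stringify escapes quotes,
// backslashes and line breaks, so the value cannot leave its string.
function renderHardened(subject) {
  return JSON.stringify({ subject });
}

// Hypothetical client state: what was displayed, and whether injected code ran.
function newPage() {
  const page = { shown: [], injected: false };
  page.showSubject = (s) => page.shown.push(s);
  return page;
}

// Client that evaluates whatever script the server returns.
function clientEval(response) {
  const page = newPage();
  new Function('showSubject', 'page', response)(page.showSubject, page);
  return page;
}

// Client that parses the response as data and never evaluates it.
function clientParse(response) {
  const page = newPage();
  page.showSubject(JSON.parse(response).subject);
  return page;
}

// Constructed sample input: no angle brackets, so the tag filter passes it.
const SUBJECT = 'Lunch?"); page.injected = true; //';

function demo() {
  return {
    vulnerable: clientEval(renderVulnerable(SUBJECT)),
    hardened: clientParse(renderHardened(SUBJECT)),
  };
}

console.log(demo());
```

In the vulnerable path the subject is shown as `Lunch?` and the rest of the line runs as code; in the hardened path the whole subject is displayed as text and nothing runs.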

Dynamic script nodes allow attackers to embed malicious JavaScript in a website that would allow a cookie from any site to be pulled because browsers allow cross-domain XMLHttpRequests. This is very bad!

August 3, 2006