Oops, big lag since last entry. That's just because I lost something very precious in my life.

A report about a visit to an ICBM Titan 2 Launch Complex Site, and its correlation to computer security, especially "tradeoffs in designing secure systems: balancing high availability with strong access control". Extremely interesting, not just for the security procedures and aspects of it, but also for the historical indications of the cold war.
"But more importantly, a few hundred of the successors to the Titans, the "Minuteman III" missiles, remain active in silos throughout the northern US, run by crews and following procedures essentially similar to those here."
And another important design decision: "Bombs are also engineered to fail gracefully." (PAM). Good to know :)

In other news, the plans for Star Wars seem to be on ice. This is good news, as the MAD doctrine still applies. I wonder if it really didn't work, or if all the failures were just to confuse the Russians.

Blackwater does it like Diebold - Insurgents Hack U.S. Drones. But they didn't seem to have haxxored them, just intercepted the unencrypted video feed of some of its sensors. Better than Google Earth! (Update: Manual to intercept the mpeg data)
"Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator's price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military". A similar problem to the one with the ICBMs.
Not surprising after all: "After 9/11, it rushed the armed Predator into service without so much as an instruction manual, and now it's struggling to figure out how to integrate the UAVs into an increased workload". Again, they like high availability.
And the newly acquired Reaper drones share the same vulnerability. Obama likes them all, nevertheless. Maybe the Israeli ones are better designed.
Developing countries seem to like to misuse US military equipment: The Great Brazilian Sat-Hack Crackdown.

How is this possible? Maaaybe like this...
Vast Spy System Loots Computers in 103 Countries
Electronic Spy Network Focused on Dalai Lama and Embassy Computers

In other news, unlike the military, an industry has its focus more on the former (strong access control) than the latter (high availability):
DRM chaos prevents 3D preview screenings of Avatar

Iran also has its problems with availability: Iran loses its only AWACS (in a parade!)

Better than having malware on board: Royal Navy warship loses email in virus infection

Despite some not so smart inventions, there are some really interesting developments in weapon design, like Iron Curtain (not this one).

Statistics of the day: The US should pull out of Washington

Fragmentation handling is implemented!
This was the last showstopper feature. I now move on to cleaning and tidying the code, and will release it in some time.

In other news, Steffen Wendzel uploaded his Diploma Thesis about Protokollwechsel zur Realisierung von Covert Channels und Header-Strukturveränderungen zur Vermeidung von Covert Channels (protocol switching to realise covert channels, and header structure modifications to prevent covert channels) (Blog)
Very interesting.
I implemented the http channel, and the http proxy feature.

Let me give you an example of how the proxy feature works:

First, we open a connection in kelvin to the http channel (the details don't interest us here).
I also activate the http proxy option ("proxy_on").


To illustrate the standard behaviour, let's send an http request to the http server of the rootkited box (
dobin@unreal ~ $ export http_proxy="localhost:8080"
dobin@unreal ~ $ wget  -O - --no-cookies -S | cat
--2009-04-24 19:33:56--
Resolving localhost..., ::1
Connecting to localhost||:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 24 Apr 2009 15:33:55 GMT
  Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
  Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
  ETag: "5c220-2c-467c81fe40540"
  Accept-Ranges: bytes
  Content-Length: 44
  Connection: close
  Content-Type: text/html
Length: 44 [text/html]
Saving to: `STDOUT'

100%[========================================>] 44          --.-K/s   in 0s     
2009-04-24 19:33:56 (15.4 MB/s) - `-' saved [44/44]

<html><body><h1>It works!</h1></body></html>

As you can see, wget retrieves index.html from the standard apache installation, with cookies disabled, and prints the http header and html source code to stdout. It uses our local rheya proxy (localhost:8080). No cookies are sent or received, as this is just a normal .html file.

Now, we want to call the "test" method in Kelvin. The "test" command just transfers 100 bytes of data to rheya, and expects 100 bytes in return in the reply.

Kelvin creates the solyaris request, and is waiting (blocks) to receive a suitable HTTP request. Nothing has been sent for this command until now.

We generate the http traffic with the same wget command from earlier:
dobin@unreal ~ $ wget  -O - --no-cookies -S | cat
--2009-04-24 19:37:24--
Resolving localhost..., ::1
Connecting to localhost||:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 24 Apr 2009 15:37:23 GMT
  Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
  Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
  ETag: "5c220-2c-467c81fe40540"
  Accept-Ranges: bytes
  Content-Length: 44
  Connection: close
  Content-Type: text/html
Length: 44 [text/html]
Saving to: `STDOUT'

100%[========================================>] 44          --.-K/s   in 0s
2009-04-24 19:37:24 (17.0 MB/s) - `-' saved [44/44]

<html><body><h1>It works!</h1></body></html>
The only difference between this wget request and the one earlier is the "Set-Cookie:" line.

What happened?

As you can see, rheya replied with a "Set-Cookie" line, which is the answer to our solyaris request. The line was inserted in the kernel, after apache created its reply (the standard page doesn't include any cookies, of course).

The reason it inserted the "Set-Cookie" line is that Kelvin intercepted the http request from wget in its proxy, and transparently added a "Cookie:" line, whose content is the solyaris request it generated.

In addition to wget, Kelvin also interpreted the http reply, and found the answer to its rheya "test" request:

This is just the PoC. There are a lot of rough edges, which will be cleaned out in the next few weeks.

Of course, instead of wget, one can also use a normal browser like firefox, or even a web site crawler, to automate the transfer of data to and from the rootkit.
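From the defender's side, the exchange above has a recognisable shape: a static .html file that Apache serves with Last-Modified/ETag and normally no cookie suddenly carries a Set-Cookie, and the cookie value is long and looks encoded. The following is an added example (not code from the rootkit project or this post) that checks one request/response pair against those three signals; the header samples, the base64-encoded 100-byte payload and both thresholds are constructed assumptions.

```python
import base64
import math
from collections import Counter

ENTROPY_BITS = 4.0    # assumed: above this a cookie value looks encoded/random
MAX_COOKIE_LEN = 64   # assumed: longer than a typical session id


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to their values, skipping the first line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def cookie_pairs(values):
    """Yield (name, value) from Cookie / Set-Cookie header values."""
    for hv in values:
        for part in hv.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep:
                yield name.strip(), value.strip()


def flag_cookie_channel(request: str, response: str) -> list:
    """Return the names of the rules that fire for one request/response pair."""
    req, resp = parse_headers(request), parse_headers(response)
    findings = []
    # A plain file served by Apache carries Last-Modified/ETag and sets no cookie
    # itself, so a Set-Cookie on such a reply was added by something else.
    if ("last-modified" in resp or "etag" in resp) and "set-cookie" in resp:
        findings.append("set-cookie-on-static")
    for hdr, msg in (("cookie", req), ("set-cookie", resp)):
        for name, value in cookie_pairs(msg.get(hdr, [])):
            if len(value) > MAX_COOKIE_LEN:
                findings.append(f"long-cookie:{hdr}:{name}")
            if len(value) >= 16 and shannon_entropy(value) > ENTROPY_BITS:
                findings.append(f"high-entropy-cookie:{hdr}:{name}")
    return findings


# Constructed samples: a 100-byte "test" payload base64-encoded into a cookie,
# and a reply shaped like the static index.html response shown above.
PAYLOAD = base64.b64encode(bytes(range(100))).decode()
CLEAN_REQUEST = "GET / HTTP/1.0\nHost: example.test\n"
STATIC_RESPONSE = ("HTTP/1.1 200 OK\nServer: Apache/2.2.11 (FreeBSD)\n"
                   "Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT\n"
                   'ETag: "5c220-2c-467c81fe40540"\nContent-Length: 44\n'
                   "Content-Type: text/html\n")
COVERT_REQUEST = CLEAN_REQUEST + f"Cookie: sid={PAYLOAD}\n"
COVERT_RESPONSE = STATIC_RESPONSE + f"Set-Cookie: sid={PAYLOAD}\n"
```

Run over captured proxy or web-server traffic, the static-resource rule is the strongest of the three signals, since the length and entropy checks alone would also match legitimate long session tokens.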


  • SNMP Channel implemented
  • cleaned node (removed m, static answer)
  • Implemented basic fragmentation handling
  • Function names cleanup
  • Fixed various crashes
  • Collect port statistics
  • Rudimentary implementation of SNMP Channel
  • removed anyoption, now use boost::program_options
  • Various updates and bugfixes
  • Updated and bugfixed DNS Channel
  • Use Boost::ASIO for SNMP UDP channel in kelvin, instead of packet sniffing
  • Works without config file, again
  • Works on FreeBSD 6
  • ChannelChardev works again
There are still lots of things to do. Won't release in the next few months.

Steampunk ?!


A wonderful picture of the first battle between two ironclad warships (CSS Virginia/Merrimac and USS Monitor). These no longer had a hull made of wood, but of (or with) metal. Note the great design of both, exposing as little target area as possible. That also seemed to work great:
the two ironclads repeatedly tried to ram one another while shells bounced off their armor
Another one, the USS Cairo:

But what particularly struck me is the similarity to today's "stealth" ships. Back to the roots?

A Visby class corvette, Sweden

M80 Stiletto