This is why our emails and sensitive documents are all over Wikileaks. Stop clicking shit. (Geekish)
Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.
I don’t think 2017 is going to be much better….
Well Your Linux distributors should be happy now. For years they’ve been bugging Your JoeDog to eliminate his convenience library. Linux distributors don’t like convenience libraries which is odd because they’re very convenient. With this release, we move that code from lib/joedog into src.
Valery Levental fixed and improved issues involving the data URI scheme, chunked transfers and zero-length content.
Danylo Hlynskyi improved the man page documentation.
Your JoeDog is pleased to announce a new utility for your fun and games. This is a full-featured version of a perl script we wrote and which is now implemented in C. Introducing AJPing.
This program began life as a snippet which should pave the way for Apache JServ Protocol (AJP) support for siege. Since it’s very useful for checking connectivity and/or measuring the health of a servlet engine, we decided to release it as a fully functional utility.
AJPing supports both IPv4 (default) and IPv6. You can invoke the latter with a command line switch. Let’s take a look at this puppy in action, mmmkay?
Bully $ ajping -i6 -r5 ajp://ip6-localhost:8009/
--- ajping v1.0.1 to ip6-localhost:8009 ---
5 bytes from ip6-localhost (::1): seq=1 time=979 ms
5 bytes from ip6-localhost (::1): seq=2 time=257 ms
5 bytes from ip6-localhost (::1): seq=3 time=199 ms
5 bytes from ip6-localhost (::1): seq=4 time=235 ms
5 bytes from ip6-localhost (::1): seq=5 time=239 ms
--- ip6-localhost:8009 ajping statistics ---
5 packets sent, 5 received, 0% packet loss, time: 1909 ms
rtt min/avg/max = 199/381/979 ms
The first thing you’ll notice is the output looks a lot like ping. That was by design. AJPing sends and receives 5 byte packets and measures the round trip time in milliseconds. When the run is complete, it summarizes the transaction stats in the statistics section of the output.
[AJPing: Initial Public Release]
With next to no fanfare you’re JoeDog released siege-3.1.2.
Awesome! What’s new? We moved an include directive from one file to another. Exciting! Wait – what?
Basically this means siege-3.1.2 should compile in more environments than siege-3.1.1.
Oh, well that’s something … I guess.
In 2011, an al Qaeda operative named Maksud Lodin was arrested in Berlin. Among his possessions was a memory card that contained, among other things, a porn video called KickAss. While that may have raised eyebrows — “a religious holy warrior is carrying beat-off material?” — it wasn’t what authorities were after. To them the “good stuff” is actionable intelligence. According to die Zeit, they found it. Federal police recovered al Qaeda documents that were hidden on the card. Where? The were embedded in the film.
In total, the Germans recovered 141 separate text documents hidden within a .mov file. The discovery confirmed a long-standing hunch that al Qaeda used steganography to hide its information in plain sight. The public was outraged and horrified. “OMG! Al Qaeda is embedding shit inside our porn!!11!1!!”
Your JoeDog was reminded of al Qaeda’s porn when he stumbled across timeshifter. It’s a small utility that lets you to embed messages in regular network traffic. How does it work? By modifying the time intervals between packets, @anfractuosus is able to hide messages in plain site. The system relies on binary encoding. A short delay means 0 and a long delay means 1. By sending messages in this manner, the transmission is unlikely to arouse suspicion.
To implement this system, you’ll need the libnetfilter_queue library and the ability to set iptables rules. All the code is available along with detailed instructions. Check it out.
The future is now and it kind of sucks.
Paul Krugman reminds us of that in today’s column. He takes us back the 1979 cult classic, The Hitchhiker’s Guide To The Galaxy. In that book, Earth is dismissed as an archaic planet whose life forms “are so amazingly primitive that they still think digital watches are a pretty neat idea.” Yeah, well that was before the technology revolution. Now we have iWatches that remind us to stand when we’ve been sitting too long …. ugh.
So what happened to the future? We were supposed to have flying cars and they gave us 140 characters. We were supposed to have witty housekeeping robots. Instead we’re watching rumbas terrorize the dogs. We were supposed to have food pills but we’re still feeding ourselves. What do you want to eat? I don’t know, what do you want? Why can’t I just take a pill? We have pills for everything else. Can’t get a boner? Here’s your pill. Can’t pay attention? Have a pill. And what is hunger but a medical condition? It’s 2015 and we still haven’t cured that chronic disease.
Well things are looking up, you guys. Silicon Valley entrepreneurs are concocting food shakes to get you through the day. Hunger pangs? Drink this protein pancake batter. It’s not a food pill, but it’s a start. You still have to drink it but the only thing you dirty is a spoon and glass. If you use disposable plastic, clean up is a snap. Gulp, gulp, gulp, toss. Your JoeDog had a protein shake for lunch. Gulp, gulp, gulp, toss. Two hours later, he’s hungry as hell. Stupid science. Where’s my food pill?
Over at the Var Guy, Christopher Tozzi asks an interesting question:
Why did Linux succeed so spectacularly, whereas similar attempts to build a free or open source, Unix-like operating system kernel met with considerably less success?
Tozzi doesn’t claim to know the answer but he examines several theories.
- Linux had a decentralized development model.
- Torvalds was pragmatic whereas Stallman was ideological.
- The Linux kernel was better designed.
- The open source community threw its weight behind Linux.
Your JoeDog is not particularly fond of any of these notions. With the exception of number three, most of what is attributed to Linux could also be said of GNU. Yet the GNU kernel never took off while Linux did. But keep in mind, Linux would be nothing without GNU.
Stallman’s team provided the compiler, the debugger, the shell all the command line utilities. Most of what you think of as ‘Linux’ is actually GNU interface utilities. When you type ‘ls’, you’re executing code that Richard Stallman personally wrote. GNU’s only real failure was its kernel but given all its other success, it’s hard to fault its development model. And they were certainly not without community support.
It’s often said that timing is everything and I think that applies to Linux. Torvalds’ kernel arrived at the right time, with the right license, with the right amount of complexity to satisfy the hobbyist. You could do things with Linux. You could breathe new life into an old 386. So maybe there’s some truth to the third bullet but it depends on the definition of “better.” By computer science standards, Linux was primitive compared with GNU’s kernel yet that simple design help align its timing with the stars.