Today was our 13th birthday. In Internet years, that's a long time. Depending on your outlook, we're either almost a pensioner or just started our troublesome teens. We'd like to think it's somewhere in the middle. The Internet has changed lots from when SensePost was first started on the 14th February 2000. Our first year saw the infamous ILOVEYOU worm wreak havoc across the net, and we learned some lessons on vulnerability disclosure; a year later we moved on to papers about "SQL insertion" and advanced trojans. And the research continues today.
We've published a few tools along the way, presented some (we think) cool ideas and were lucky enough to have spent the past decade training thousands of people in the art of hacking. Most importantly, we made some great friends in this community of ours. It has been a cool adventure, and indeed still very much is, for everyone who has had the pleasure of calling themselves a Plakker. Ex-plakkers have gone on to do more great things and branch out into new spaces. Current Plakkers are still doing cool things too!
But reminiscing isn't complete without some pictures to remind you just how much hair some people had, and just how little some people's work habits have changed. Not to mention the now questionable fashion.
Fast forward thirteen years, the offices are fancier and the plakkers have become easier on the eye, but the hacking is still as sweet.
As we move into our teenage years (or statesmanship, depending on your view), we aren't standing still or slowing down. The team has grown; we now have ten different nationalities in the team, are capable of having a conversation in over 15 languages, and have developed incredible foosball skills.
This week, we marked another special occasion for us at SensePost: the opening of our first London office in the trendy Hackney area (it has "hack" in it, and is down the road from Google, fancy eh?). We've been operating in the UK for some time, but decided to put down some roots with our growing clan this side of the pond.
And we still love our clients, they made us who we are, and still do. Last month alone, the team was in eight different countries doing what they do best.
But with all the change we are still the same SensePost at heart. Thank you for reminiscing with us on our birthday. Here's to another thirteen years of hacking stuff, having fun and making friends.
Considering how freely I've ranted on our blog over the past few years, I found it incredibly hard to write this post. SensePost has been my home for the better part of a decade and I have been firstname.lastname@example.org much more than I have been Haroon Meer.
In truly boring last-post manner, I wanted to quickly say thanks to everyone for making it such a fun ride. From the awesome people who took a chance on us when we were scarily young and foolish, to the guys (and girls) who joined us to help make SP elite. From the many customers who tolerated my sloppy dressing to Secure Data Holdings, who have been awesome in every interaction we have ever had with them. From the people who have used our tools, read our work and contributed ideas to the people who read this blog (Hi Mom!).
Seriously.. thanks muchly!
It's been an awesome 10 years and with the quality of guys that remain at SensePost, it's a safe bet that the next 10 are going to be even better..
The question that everyone asks me is "what now?". The short answer still has 2 parts..
With Penetration Testing and Research over the past while I've spent a lot of time and energy trying to find new ways to break stuff, and new ways to break into stuff.. (it's been incredibly fun!)
I'm hoping now to be able to aim the same sort of bull-headedness at defending stuff, and at building solutions that give applications and networks a fighting chance.
I'll still pop in occasionally at the SensePost offices (mainly to have the coffee and lose at foosball), and my relationship with Secure Data Holdings also remains intact (Other than our historical relationship, Thinkst is doing some consulting work for SDH, making them our first customer!). Hey.. you might even still find me bending your ear on this blog..
So.. all that remains is to say thanks again.. it's been amazingly fun, incredibly rewarding and "rockingly leet"
The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was: if a line starts with "that's not exploitable, it's only..", then odds are you are wrong.
Interestingly.. Microsoft bloggers were quick to pounce on this PR-Fiasco in the making. Microsoft released a security advisory commenting on the danger of a "blended threat" - Now.. by accident (or by design) that advisory looks a lot like - "This is an Apple screwup!", indeed one of the solutions is: "Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."
filled in the details, pointing to Aviv's 2006 finding, which is a pure DLL search order bug (and which incidentally was published as an IE7 bug). So now the Microsoft folks who were sneering at Safari all end up shuffling their feet a little while looking at the floor. All credit to RHensing from Microsoft, who quickly awarded Microsoft the FAIL open goat award too.. *ouch*
Like sands through the hourglass...
From the SourceBoston videos I blogged about:
Dr Geer never disappoints, and kicked it off with the 4 rules on his office wall:
The 2nd quote that was awesome (during the interview with the l0pht members) was from Dildog.. ex-l0pht, ex-@stake, now Veracode's chief scientist.. The discussion turned to "security companies and snake oil", and the fact that Dildog was a "vendor" again.. With a dry smile that could have been at home in a John Cleese movie, he replies:
"*nod*.. this time with feeling!"
This was a bit of a catchphrase in our office a few years back, after a QA process kicked back a report to an analyst with those words: "once more with feeling...". The difference between someone going through the motions and someone doing it with feeling is marked... and I can't imagine why anyone would do it any other way..
Over the past while we have been getting emails from people trying to figure out why they had entries like this in their HTTP log files:

10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -

Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto replacement + directory / file / back-end miner). A snippet from his email read:

I sniffed the traffic going out from my host going to the target host and in fact this is the result:

HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0

All the requests are full of this... Well, at this point the questions are two: 1) You have a strange sense of humor. 2) You have been compromised. Waiting for feedback,
We replied to his email to allay his concerns, but the question comes up often enough, so I figured I would paste our response here:
The quick short answer is: a strange sense of humour..
As you probably know, part of Wikto's advantage over other scanners is that it doesn't rely on the HTTP response code coming back from the server to make its decisions. This is why an HTTP server that responds with "friendly 404" messages (a 200 with an error page) throws simple scanners off..
Instead Wikto first asks for a resource that does not exist but that looks similar to your request (i.e. if you wanted login.asp we first look for [strange_file_that_will_never_be_there].asp), and then we compare that response to the one we get when looking for login.asp. If both pages return a similar result, even if it's not a 400 message, we can conclude that the resource isn't there..
During the last build our lead developer (email@example.com) had a minor turf war with one of our lead analysts (firstname.lastname@example.org) that probably started over some life and death matter like coffee, pool or foosball..
Gareth used a host name of ian.devs.like.a.girl in some article/chapter he wrote on penetration testing, so when Ian needed a [strange_file_that_will_never_be_there] he came up with the obvious choice.. Now everyone who scans using Wikto loudly testifies to: a) our strange sense of humour b) that Ian won that round! :> -snip-
(In the new build this string is user configurable, so you can insult members of your team while pen-testing too..)
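The friendly-404 comparison described above, as an added example that is not Wikto's own code: it requests a sibling resource that cannot exist, keeps that reply as a baseline, and only reports the wanted resource as present when its reply differs materially. The canary filename, the similarity threshold and the server responses are constructed here so the example runs offline.

```python
"""Added example (not Wikto's code): friendly-404 aware existence check.
A status-code-only scanner is fooled by a server that answers every missing
page with 200 plus an error page; comparing against a known-missing sibling
resource is not. Server replies and canary name are constructed stand-ins."""
from difflib import SequenceMatcher
import posixpath

CANARY_STEM = "dat_never_there_"  # constructed placeholder for Wikto's (configurable) string


def canary_for(path: str) -> str:
    """Sibling path that cannot exist: same directory and extension as `path`."""
    directory, filename = posixpath.split(path)
    return posixpath.join(directory, CANARY_STEM + posixpath.splitext(filename)[1])


def naive_exists(status: int) -> bool:
    """Verdict of a status-code-only scanner: any 200 counts as found."""
    return status == 200


def comparison_exists(baseline, candidate, threshold=0.8) -> bool:
    """baseline/candidate are (status, body). Present only if the candidate's
    reply differs materially from the reply for the impossible resource.
    The 0.8 ratio is a constructed cut-off; real sites need tuning."""
    if candidate[0] != baseline[0]:
        return True  # server treated the two paths differently, so something is there
    return SequenceMatcher(None, baseline[1], candidate[1]).ratio() < threshold


# Constructed "friendly 404" server: 200 and an error page for anything unknown.
FRIENDLY_404 = "<html><title>Oops</title><body>Sorry, that page is not here: {}</body></html>"
SITE = {
    "/admin/login.asp": (200, "<html><title>Login</title><body><form action=login.asp>"
                              "<input name=user></form></body></html>"),
    "/backup.zip": (200, "PK\x03\x04 constructed zip bytes"),
}


def fetch(path: str):
    """Stand-in for the HTTP GET, served from the constructed map (no network)."""
    return SITE.get(path, (200, FRIENDLY_404.format(path)))


def scan(paths):
    """Return {path: (status_only_verdict, comparison_verdict)} for each path."""
    verdicts = {}
    for path in paths:
        baseline, candidate = fetch(canary_for(path)), fetch(path)
        verdicts[path] = (naive_exists(candidate[0]), comparison_exists(baseline, candidate))
    return verdicts
```

Running `scan(["/admin/login.asp", "/admin/passwd.asp", "/backup.zip"])` shows the status-only check claiming all three exist, while the comparison correctly rejects the missing passwd.asp.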
So there you have it.. If you have seen it in your logs:
a) Congrats! The fact that you even check your logs is admirable.
b) Don't worry (unless you have hidden directories, backup files, etc. lying around, because chances are Wikto will find them).
Oh.. for the "windows_sucks_and_i_dont_want_to_boot_a_vm_image_to_run_this_tool" brigade, I have it on good authority that Ian's Java port of Wikto (WiktoJ?) is being dusted and polished.. so watch this space..