Spontaneous Sociability and The Enthymeme

Rattle
 
Current Topic: Computer Security

Stealing Search Engine Queries with JavaScript
Topic: Computer Security 9:27 am EDT, Oct  1, 2006

SPI Labs has expanded on existing techniques and discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. As seen with the recent leakage of 36 million search queries made by half a million America Online subscribers, there are enormous privacy concerns when a user’s search queries are made public. All the code needed to steal a user’s search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site. For example, an HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers. Advertising networks could gather information about which topics someone is interested in based on their search history and use that to enhance their customer databases. Government websites could see if a visitor has been searching for bomb-making instructions.

Acidus presented another one of his amazing web hacks at ToorCon this weekend. Javascript is loaded with issues... Here is another one.

Good job Billy.. I seriously love watching you hack shit up.

Update: Unlike the situation in my previous post, there is no vendor involved here. This is a good example of sounding the warning horn.



Hackers claim zero-day flaw in Firefox | CNET News.com
Topic: Computer Security 9:17 am EDT, Oct  1, 2006

The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

Ok, nothing shocking there..

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

Irresponsible disclosure alarm starting to tingle..

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."

Snyder said she isn't happy with the disclosure and release of an exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

Now the irresponsible disclosure alarm is full on ringing. They didn't give the Mozilla people heads-up on this before presenting? That's _not_ the right way to go about things..

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.

This is exactly the kind of crap that turns up the heat on everyone.. Vendors should be given a reasonable amount of heads-up when bugs are discovered before they are publicly presented. THAT is for the greater good of the Internet and users.

Do any of the folks here in the MemeStreams community who are at ToorCon have any comments on this? Was anyone at the presentation?



Trend Micro to kick butt on botnets | The Register
Topic: Computer Security 3:03 am EDT, Sep 26, 2006

Trend Micro has declared war on botnets, opening a zombie PC pest control service for ISPs and other big network providers.

The security software firm's weapon of choice uses in-house-developed software called the Behavioral Analysis Security Engine (BASE). This is bundled with a hardware appliance and per-seat pricing to form the InterCloud Security Service (ISS). A team of Trend Micro researchers identifies botnets for this service.

ISS goes live in Q4 and will have some as yet unnamed first day customers trading up from the beta program, Trend says. Pricing is not on the table at time of writing.

According to Trend's CTO, Dave Rand, ISS represents the first phase of a multi-year project for the company. "We expect to kick butt on botnets," he declared today. But he readily acknowledges that the enemy is resourceful and the fight won't be easy.



OpenSSL | RSA Signature Forgery (CVE-2006-4339)
Topic: Computer Security 1:12 am EDT, Sep  8, 2006

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
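
The "excess data" check the advisory refers to, as an added example (not OpenSSL's code and not part of the original post). It assumes the verifier already holds the RSA exponentiation result as a k-byte block; the function names and the sample blocks are constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (PKCS #1 v1.5, RFC 3447 section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(msg: bytes, k: int) -> bytes:
    """The single valid encoded block for msg and a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lenient_check(em: bytes, msg: bytes) -> bool:
    """Flawed pattern: parse left to right and stop after the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == 2 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    # Defect: whatever follows the DigestInfo is never examined.
    return em[i + 1 : i + 1 + len(t)] == t

def strict_check(em: bytes, msg: bytes, k: int) -> bool:
    """Re-encode and compare the whole block, so excess data cannot hide."""
    return hmac.compare_digest(em, expected_em(msg, k))

# Constructed sample input: a 1024-bit modulus size and two blocks.
K = 128
MSG = b"constructed sample message"
GOOD = expected_em(MSG, K)
_T = SHA1_PREFIX + hashlib.sha1(MSG).digest()
# Short padding, correct hash, then filler bytes where padding should be.
EXCESS = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _T + b"\xab" * (K - 11 - len(_T))

def results() -> dict:
    """Verdict of each checker on each constructed block."""
    return {
        "good": (lenient_check(GOOD, MSG), strict_check(GOOD, MSG, K)),
        "excess": (lenient_check(EXCESS, MSG), strict_check(EXCESS, MSG, K)),
    }

if __name__ == "__main__":
    print(results())
```

Comparing against a freshly encoded block also fixes the padding length, which the left-to-right parser leaves unconstrained.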



Reuters | IBM to buy ISS
Topic: Computer Security 9:59 am EDT, Aug 23, 2006

IBM said on Wednesday it agreed to buy Internet Security Systems Inc. for $1.3 billion, in a move to beef up its product line in the rapidly growing business of Internet security.

International Business Machines Corp., the world's largest information-technology company, said it will pay $28 a share for Internet Security, continuing an acquisition drive to fuel growth in its software and services businesses.

The price represents a 7.7 percent premium to Internet Security's Tuesday closing price of $26 a share on Nasdaq. The stock rose 7 percent, or $1.82, in premarket trade.

Unexpected!

Update: Our friends at ISS may find this link helpful.



Captcha Mashup
Topic: Computer Security 1:30 pm EDT, Aug 15, 2006

"I met my wife on your captcha!!!" -- Steve, from New York

This captcha is based on pictures from Hotornot. You have to pick three hot people in order to prove you are not a robot. Possibly the most innovative security solution of 2006...



A Cisco zero-day at Black Hat? | News.blog | CNET News.com
Topic: Computer Security 5:38 am EDT, Aug  5, 2006

Last year, Cisco Systems sued a security researcher and organizers of the Black Hat event after a presentation on switch and router security. This year, Cisco is quietly investigating a possible flaw that was mentioned during a talk on VoIP.

In a presentation Wednesday at Black Hat in Las Vegas, Hendrik Scholz of Germany's Freenet Cityline briefly mentioned a flaw in Cisco software, Black Hat organizers said. This flaw had apparently not been patched. Scholz and Black Hat are now keeping quiet on the issue to give Cisco time to investigate and respond.

"We are looking into it," said John Noh, a Cisco spokesman. "We have to look at the validity of it. We take these things very seriously. And if we need to inform our customers, we will."

It is unclear exactly what Cisco application the alleged flaw is in, but it appears to be related to voice over Internet Protocol applications since Scholz's talk was on "SIP Stack Fingerprinting and Stack Difference Attacks." Most of Cisco's current products don't yet offer extensive SIP, or Session Initiation Protocol, support.

This year, Cisco is playing nice. The company is one of the main Black Hat sponsors and Chief Security Officer John Stewart is in attendance. Cisco on Wednesday also threw a party for Black Hat attendees at Pure, the night club at Caesars Palace. One of the attendees spotted at the party: Michael Lynn.

Looks like Cisco learned a lesson after all.



Black Hat: Researcher creates Net neutrality test
Topic: Computer Security 5:48 pm EDT, Aug  4, 2006

Dan Kaminsky will share details of this technique, which will eventually be rolled into a free software tool, today at the Black Hat USA security conference in Las Vegas. The software can tell whether computers are treating some types of TCP/IP traffic better than others -- dropping data that is being used in voice-over-IP (VoIP) calls or treating encrypted data as second-class, for example.

Kaminsky calls his technique "TCP-based active probing for faults." He says that the software he's developing will be similar to the Traceroute Internet utility that is used to track what path Internet traffic takes as it hops between two machines on different ends of the network.

But unlike Traceroute, Kaminsky's software will be able to make traffic appear as if it is coming from a particular carrier or is being used for a certain type of application, like VoIP. It will also be able to identify where the traffic is being dropped and could ultimately be used to finger service providers that are treating some network traffic as second-class.

The security researcher said he is curious to see what people do with his software. "People are going to start looking [at networks] and who knows what they are going to find," he said.



JavaScript opens doors to browser-based attacks | CNET News.com
Topic: Computer Security 1:25 pm EDT, Jul 30, 2006

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman, the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."

Again, kudos to Acidus and the rest of the SPI Dynamics crew.



Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
Topic: Computer Security 10:20 pm EDT, Jul 26, 2006

Or: How Acidus [*] learned how to port scan company intranets using JavaScript!

Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.

This scenario is no longer one of fiction.

You can visit the proof of concept page he created and test drive it now.

Quite impressive.


