Current Topic: Computer Security
Wired: 27B Stroke 6- Billy Hoffman on Ajax Security at RSA
Topic: Computer Security
2:47 pm EST, Feb 8, 2007
The best conference presenters have a story to tell, and this morning, Billy Hoffman, the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.
27B Stroke 6 covered Billy's talk at the RSA security conference. Billy rocks.

MySpace superworm creator sentenced to probation, community service - News - SC Magazine Australia
Topic: Computer Security
9:29 pm EST, Feb 4, 2007
The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking. Samy Kamkar, who was 19 when he unleashed the attack on MySpace.com in October 2005, was sentenced to three years of probation and ordered to perform 90 days of community service, according to a MySpace statement released Wednesday. Kamkar also must pay an undisclosed amount of restitution to MySpace, and he is banned from accessing the internet for personal reasons for an unknown amount of time, according to the statement. Kamkar, using a programming technique known as Asynchronous JavaScript and XML (AJAX) that permitted browsers to execute malicious code, was able to circumvent MySpace's strong JavaScript filters.
So checking eval'd text isn't necessary to have a "strong" JavaScript filter...

Super Bowl XLI website owned
Topic: Computer Security
5:35 pm EST, Feb 2, 2007
Websense® Security Labs™ has discovered that the official website of Dolphin Stadium has been compromised with malicious code. The Dolphin Stadium is currently experiencing a large number of visitors, as it is the home of Sunday's Super Bowl XLI. The site is linked from numerous official Super Bowl websites and various Super Bowl-related search terms return links to the site. A link to a malicious javascript file has been inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. Both of these exploits attempt to download and execute a malicious file.
Thanks to Jeremiah Grossman for sending me a message today bringing this to my attention. Declan McCullagh posted some good resources about this. All are plain text and will not harm you.
The original HTML page with the nasty JavaScript
Nasty JavaScript file it loads
VBScript file which gets bootstrapped from one of the HTML files

GNUCITIZEN - JavaScript Remoting Dangers
Topic: Computer Security
1:57 pm EST, Jan 31, 2007
From Acidus: For those unfamiliar, GNUCITIZEN is quite possibly the best site on the internet for web security research that is not affiliated with a vendor. pdp has covered topics such as backdooring Quicktime files, building XSS attack libraries, improving existing port scanners and history stealers, and even a JavaScript web crawler (which is currently receiving a massive improvement...). Much of his work ends up appearing in live attacks a few months after the info is released. Needless to say I was really happy when pdp asked me to write a blog entry for his site. I wrote up a meaty overview of the different methods JavaScript can use to send HTTP requests, as well as the pros and cons of each.

NoDaddy.Com - Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names
Topic: Computer Security
7:22 pm EST, Jan 29, 2007
Fyodor has started NoDaddy.com in response to last week's shutdown of seclists.org... I created this site to document instances of customer abuse at GoDaddy. The goal is for GoDaddy to either improve their policies and customer service, or suffer continued loss of market share to their customer-focused competition. While I gave this site its bare skeleton, I'm hoping it becomes more of a community effort. If you have been frustrated by GoDaddy's behavior, please see our call for volunteers and join in.
But it turns out GoDaddy has defenders! I found this article linked off of Google News! Screw Seclists.com, you should higher an internet security employee from MySpace to make sure you don't post our personal, highly secure information on your website. Obviously you aren't capable or maybe you just don't understand internet law.
Talk about Comedy Gold! The layers of irony in that passage are so thick it's like a work of art!

GoDaddy pulls security site after MySpace complaints | Tech News on ZDNet
Topic: Computer Security
12:06 am EST, Jan 27, 2007
This is truly upsetting. I am seriously considering pulling all my domains from GoDaddy unless they reverse their stance on this. Update: 27BStroke6 has an audio recording of the voicemail Fyodor received as well as clear evidence that GoDaddy just doesn't get it: I think the fact that we gave him notice at all was pretty generous.
Jesus. I think the fact that I'm going to contact them formally before pulling my domains is pretty generous. Here is my original post: This was extremely irresponsible! GoDaddy shoots first and asks questions in 1 to 2 business days! A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.
Fyodor says in his post: I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh? I called GoDaddy several times, and all three support people I spoke with (Craig, Ricky, then Wael) said that the abuse department doesn't take calls. They said I had to email abuse_at_godaddy.com (which I had already done 3 times) and that I could then expect a response "within 1 or two business days".
1. This website is a major nexus for communication in the computer security industry. Having it down for an extended period of time likely had a greater negative impact on Internet security on the whole than the disclosure of a list of MySpace passwords that are already known to spammers.
2. It is totally inappropriate to shut down an entire site based on such a brief attempt to contact the owner, and it is totally inappropriate to have a 1 to 2 day turnaround time on review of decisions of this magnitude.
3. GoDaddy has created a new denial of service attack that can be employed to shut down any website that allows public posting and employs them for DNS services: Step one: Post objectionable material. Step two: File a complaint with GoDaddy. Step three: Website goes down.
4. They have the audacity to defend this decision! GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible about verifying complaints." There's a broad spectrum of policies among domain name registrars, she acknowledged, with GoDaddy "probably the most aggressive." When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: "I don't know...It's a case-by-case basis."
You DON'T KNOW if you'd shut down NEWS.COM based on a single complaint with no prior notification!?! Fyodor says: Needless to say, I'm in the market for a new registrar.
If GoDaddy doesn't do something to address their policies I'll be in the same boat. What a major pain in the ass!
Your Free MacWorld Expo Platinum Pass
Topic: Computer Security
2:00 pm EST, Jan 16, 2007
This is a great example of information leakage in "Web 2.0" applications. Acidus comments: Last week a reporter asked me to comment on a story he was writing that detailed this hack. I couldn't post this to Memestreams until after that article was published. I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:
Well huh. These look like MD5 hashes. So what we need to do is crack the MD5 passwords with what we know about our keyspace: all upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII, so now we're just looking at A-Z0-9. Just an educated guess. We begin the crack. Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get: A Platinum Pass for $0.00? Special line access to the Keynote! Alright!
My thoughts are this is an excellent example of security issues with Web 2.0 applications. Specifically, the leaking of an application's programming logic to the attacker. In this case, IDG tried to make their website more responsive by performing some of their validation on the client. They did this by pushing some JavaScript to the client's web browser. Even if IDG still performed that validation on the server, they have leaked how the priority code is verified and used by their website. This is the leaking of control logic. All an attacker needs to do is look at the JavaScript code and see how the priority code is verified against a list of valid codes. Even though those codes are encrypted, the JavaScript again aids the attacker. It provides step by step instructions showing how the priority code is encrypted as well as the algorithm used, allowing the attacker to easily brute force the valid codes. By accessing the JavaScript code, the attacker could also see that IDG made some mistakes before they encrypted the code, making the discounts even easier to brute force (IDG first capitalized the code and then removed a number of special characters and symbols, etc.). This drastically reduced the number of combinations an attacker needs to try to brute force all the priority codes. Once the attacker knows all the priority codes, it is obvious which ones gave the attacker a free pass worth thousands of dollars. The moral of the story: JavaScript code is visible to an attacker. It is impossible to completely obfuscate or hide it. More and more Web 2.0 technologies like Ajax mean more and more programs are placing application logic in JavaScript, making it even easier for attackers to find flaws in web applications. In this case, by trying to enrich the user's experience, the programmers exposed all of their discount offers in JavaScript, allowing an attacker to discover them and perform fraud for thousands of dollars.
Web developers need to make sure they don't leak vital information about how their applications work. In today's Web 2.0 world of rich web interfaces like Ajax and Adobe's Flex, this is a very easy mistake to make.

Attack of the Zombie Computers Is a Growing Threat, Experts Say - New York Times
Topic: Computer Security
4:13 am EST, Jan 7, 2007
Rick Wesson, left, is chief executive of the data-gathering company Support Intelligence; Adam Waters is chief operating officer. “We are losing this war badly,” Mr. Wesson said of the growing threat from botnets.
Awesome! I have not spoken to Adam in years. It's a real trip to see him pop up in the NYT.

Ladies and gentlemen, the Internet has left the building...
Topic: Computer Security
7:51 pm EST, Jan 4, 2007
RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest. This is not good.

heise Security - News - Security specialist leaves PHP security team
Topic: Computer Security
9:33 am EST, Dec 16, 2006
Stefan Esser, PHP security specialist and member of the official PHP Security Response Team has, he says, had enough - in his blog he has announced his immediate resignation from the PHP Security Response Team. He states that he has various reasons for doing so, the most important of which is that his attempt to make PHP safer "from the inside" is futile. According to Esser, as soon as you try to criticise PHP security, you become persona non grata in the security team. In addition, many of his suggestions were ignored because the developers considered Esser's choice of words too abrasive. He says that he had stopped counting the number of times he was called a traitor when he published a bug report on a vulnerability in PHP.
According to Esser, he is going to drastically up the number of security advisories for PHP. Some of them will come without fixes. PHP site administrators are going to need to be on their toes. PHP has more than its fair share of security problems. Problems caused by the language, users, and ubiquity. The slant of all the articles I've seen on it suggests there is a see no evil, hear no evil, speak no evil approach being taken.