Sorry for taking down Memestreams this afternoon. According to Rattle, my pen test sent the load to 80 on the box.
There are some vulns in Memestreams. You should look for more and tell Tom (tom@memestreams.net) or Rattle (rattle@memestreams.net). Industrial Memetics should give out shirts to those who find new ones.
So far we've found:
-Some XSS/XSRF attacks
-HTTP response splitting on a few pages
-Some directory listings
-Some default directories that shouldn't still be there
-Some cryptographic issues
Date: Wed, 15 Nov 2006 20:57:42 +0100 (CET)
From: ciro preziosi [precir@yahoo.it]
Subject: new company
To: acidus@msblabs.org
beloved friend billy is Giovanni, I would want to counterfeit a credit card, or to pass the codes of the magnetic cards of credit cards, and make stealing device to carry on mine, for being able appears please in Internet my answers I is in Italy and and would want to speak tantissimo. you how I must make? I pray to you you answer to me
giovanni arena
You just can't make this shit up.
I keep telling people that, because I created Stripe Snoop, I keep getting emails from organized crime groups in Eastern Europe offering to pay me for card skimmer designs.
David Dewy over at ISS keeps telling Tom that I should stop all this Web nonsense and "works on some big boy stuff." While I am very happy in Layer 7 right now, I am starting to poke around in the low level stuff.
I bumped into Sir Dystic at ToorCon and Security Opus last week, and we reconnected from back in the early days of Interz0ne. We had some all-round good times at the Metreon in SF playing Street Fighter 2 and drinking sake out of wooden cubes.
He then showed me some fun stuff that reboots, freezes, and throws exceptions in kern32.dll on a fully patched XP SP2 box. We got to talking, because we are pretty sure this can be done remotely. Not only remotely, but from visiting a webpage!
Anyway, this is a starting point to play catch up to Josh's NT knowledge.
So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there.
A gal named Jane Anderson, who has a killer accent BTW, talked with me, and here is what I found out.
-Mischa does work for Six Apart
-Mischa didn't tell them he was doing this
-The company has contacted Mozilla, but Six Apart has nothing to do with getting the issue (issues?) resolved
-Any future information regarding this flaw (flaws?) will not be released/discussed by Six Apart
-Six Apart believes in responsible disclosure
-It is the understanding of Six Apart that the presentation was supposed to be funny, but people didn't seem to take it that way. How exactly stack overflows in FF's JavaScript interpreter are funny was never really explained to me
-Jane has been *very* busy for the last day or so, and this is causing them some major issues
I thanked Jane for talking so frankly with me but truth be told, they need to fire this guy. Immediately.
Short and sweet: I can find out what you have been searching Google for from JavaScript. I can put this JavaScript on any site, either because I own it (how much do you trust memestreams.net?) or because I have an XSS vuln that lets me inject JavaScript into the site.
Think the AOL leakage... only for everyone on the internet.
Some fun use cases:
-HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers.
-Advertising networks could gather information about which topics someone is interested in based on their search history and use that to enhance their customer databases.
-Government websites could see if a visitor has been searching for bomb-making instructions.
Oracle: Oracle encourages independent security researchers to follow a 'responsible disclosure' policy. Researchers notify vendors about a vulnerability and do not publicly disclose information regarding the vulnerability until we have released a patch for it.
... which is all well and good until you realize that Oracle is horrible about patching security issues, regularly taking not weeks, not months, but years to release a patch. If Oracle thinks security researchers are going to wait years, they are mistaken. At that point, it's irresponsible not to release a public notice.