Billy strikes again:

In response to all the Mass SQL Injection attacks this year, Microsoft approached HP and the Web Security Research Group (formerly SPI Labs) for assistance. While there was nothing they could patch, Microsoft wanted to provide tools to help developers find and fix these issues. After a month of development HP created Scrawlr.

Scrawlr (short for SQL Injector and Crawler) is a free tool that will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr was designed specifically to help protect against these mass injection attack which are using Google queries to find older web applications and automatically injection them. As such, Scrawlr crawls a websites using the same techniques as a search engine: it doesn’t keep state, or submit forms, or execute JavaScript or Flash. This Scrawl is finding and auditing the pages that would have been indexed by the search engines.

To reduce false positives Scrawlr provides proof of the vulnerability results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Microsoft Advisory
HP Web Security Research Group Blog
Scrawlr Download
Scrawlr FAQ

Introduction Scrawlr: a free Crawler + SQL Injector tool

The computer attackers who took down Comcast's homepage and webmail service for over five hours Thursday say they didn't know what they were getting themselves into.

In an hour-long telephone conference call with Threat Level, the hackers known as "Defiant" and "EBK" expressed astonishment over the attention their DNS hijacking has garnered. In the call, the pair bounded freely between jubilant excitement over the impact of their attack, and fatalism that they would soon be arrested for it.

Neither hacker would identify their full names or locations. Defiant's MySpace profile lists him in Cashville, Tennessee, but he says that's incorrect. His girlfriend lists herself in New York. Threat Level expects both hackers' names and locations will emerge shortly.

This is entertaining... One of those cases where you really gotta sympathize with the perps. It was a prank - fairly innocent. Egg on Comcast's face for getting outsmarted by a couple of teenage pot heads. Hope they don't throw the book at them. This isn't the mafia here.

Comcast Hijackers Say They Warned the Company First | Threat Level from Wired.com

Rob Kaufman, of the Air Force Information Operations Center, suggests mounting botnet code on the Air Force’s high-speed intrusion-detection systems. Defensively, that allows a quick response by directly linking our counterattack to the system that detects an incoming attack. The systems also have enough processing speed and communication capacity to handle large amounts of traffic.

Next, in what is truly the most inventive part of this concept, Lt. Chris Tollinger of the Air Force Intelligence, Surveillance and Reconnaissance Agency envisions continually capturing the thousands of computers the Air Force would normally discard every year for technology refresh, removing the power-hungry and heat-inducing hard drives, replacing them with low-power flash drives, then installing them in any available space every Air Force base can find. Even though those computers may no longer be sufficiently powerful to work for our people, individual machines need not be cutting-edge because the network as a whole can create massive power.

After that, the Air Force could add botnet code to all its desktop computers attached to the Nonsecret Internet Protocol Network (NIPRNet). Once the system reaches a level of maturity, it can add other .mil computers, then .gov machines.

This is so unbelievably stupid...

Air Force Colonel Wants to Build a Military Botnet | Threat Level

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hacker create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.

For those of you who don't see it after clicking through, notice that the links lead to the CIA's site, but displays a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.

This story went up at 3:26pm, and it's still working at 8:45pm.

This would be great for a prank form...

Update: This is still working today. So much for fast response.. Here is the obligatory memestreams @ cia.gov link.

CIA.gov XSS | Threat Level

Chinese hackers are growing increasingly bold in probing critical U.S. defense networks. But former U.S. counterterrorism chief Richard A. Clarke tells FP that if the United States waits for a dramatic, 9/11-style attack on its critical infrastructure to act, it will be missing the real threat.

Foreign Policy: Seven Questions: Waiting for a Cyber Pearl Harbor

A few hours ago, Pakistan Telecom (AS 17557) began advertising a small part of YouTube's (AS 36561) assigned network. This story is almost as old as BGP. Old hands will recognize this as, fundamentally, the same problem as the infamous AS 7007 from 1997, a more recent ConEd mistake of early 2006 and even TTNet's Christmas Eve gift 2005.

Just before 18:48 UTC, Pakistan Telecom, in response to government order (thanks nsp-sec-d) to block access to YouTube (see news item) started advertising a route for 208.65.153.0/24 to its provider, PCCW (AS 3491). For those unfamiliar with BGP, this is a more specific route than the ones used by YouTube (208.65.152.0/22), and therefore most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube's network.

I became interested in this immediately as I was concerned that I wouldn't be able to spend my evening watching imbecilic videos of cats doing foolish things (even for a cat). Then, I started to examine our mountains of BGP data and quickly noticed that the correct AS path ("Will the real YouTube please stand up?") was getting restored to most of our peers.

The data points identified below are culled from over 250 peering sessions with 170 unique ASNs. While it is hard to describe exactly how widely this hijacked prefix was seen, we estimate that it was seen by a bit more than two-thirds of the Internet.

This table shows the timing of the event and how quickly the route propagated (this is actually a fairly normal propagation pattern). The ASNs seeing the prefix were mostly transit ASNs below, so this means that these routes were distributed broadly across the Internet. Almost all of the default free zone (DFZ) carried the hijacked route at least briefly.

As always, the gory details have worked their way to the nanog list..

So, it's heartwarming to know that two things are still true. It is still trivially possible to hijack prefixes (whether maliciously or inadvertently). I can go to sleep knowing that my neighbors are happily watching their LOLCATS.

Yes, I made the lolcat image. It's the lamest thing I've ever done, yet I have no shame.

Renesys Blog: Pakistan hijacks YouTube

Greg Conti published a book last October!

Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence.

Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities.

Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate.

You'll learn how to use visualization techniques to:

# Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT
# See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document
# Gain insight into large amounts of low-level packet data
# Identify and dissect port scans, Nessus vulnerability assessments, and Metasploit attacks
# View the global spread of the Sony rootkit, analyze antivirus effectiveness, and monitor widespread network attacks
# View and analyze firewall and intrusion detection system (IDS) logs

Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective

You can download Chapter 5, "One Night on my ISP", from the publisher.

Security Data Visualization: Graphical Techniques for Network Analysis

Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.

The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site. The compromised sites host the malicious code -- foregoing the iframe redirect that has increasingly been used by attackers -- and serves up the attack to each visitor only once using a random file name each time. The two techniques, along with more traditional code obfuscation, makes the attack difficult to find, said Yuval Ben-Itzhak, chief technology officer for Finjan.

"This attack uses three different methods to go undetected by signature-based or URL-based defenses," Ben-Itzhak said. "If you realize that you've been infected, and you go and search sites, you will not be able to find the site that infected you."

The actual malicious code served to visitors by the sites compromised by the Random JS Toolkit attempts to exploit computers using 13 different vulnerabilities, the company said. The Trojan horse program steals the victim's login credentials to access online banks. The software uses encrypted communications to a number of sites hosted in the United States to return the information to the criminal group behind the attack, the analysis found.

Legitimate sites serving up stealthy attacks

Ajax Security is out and the feedback I'm getting is incredible.

Andrew van der Stock The Executive Director of OWASP reviewed a draft of Ajax Security and here is what he had to say about it:

If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.

Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.

I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field.

The structure flows pretty well, building upon what you’ve already learnt ...
there is advanced stuff, but the authors have to bring the newbie audience along for the ride.

Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.

Some choice quotes from web security guru dre:

The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tricks, and the aberrant Javascript worms from a security perspective.

Here are some of the “new” concepts that I enjoyed most Hijacking Ajax apps, Attacking Offline Ajax apps, Ajax proxy exposure of third-party XML/JSON data.

I really enjoyed the suggested defenses against “mashup” attacks as well as JSON API Hijacking. Without going into detail (I don’t want to ruin the book and the authors’ hard work), I ca... [ Read More (0.2k in body) ]

Ajax Security Book Out! Awesome buzz!

Dagmar posted up this summary of the situation with Dan Egerstad (Google Cache).

In a move almost staggeringly myopic, agents from Swedish National Crime and the Swedish Security Police raided Dan Egerstad on Monday of this week, rather clearly on the basis of his massive non-hack of the TOR routing service.

For those not catching on, Dan is the gentleman we all cheered a short while ago for having the ingenuity to set up and connect several new TOR (an anonymizing packet routing system) nodes and see if people were actually using the network with unencrypted protocols (which would basically be foolish in the extreme). It turns out that Dan's suspicions were right, and that not only were people using the network insecurely, lots of people, up to and including embassies and government and military offices were using the network unsafely--effectively sending emails and other sensitive traffic across the network completely in the clear where anyone who added their connectivity to the network could see it. This is very, very bad.

Let me make this clear... Anyone, myself included, can at any time, add their resources to and use the TOR network, simply by joining it and using it. (Non-technical explanation for simplicity) Participants in the network pass each other's traffic back and forth randomly through encrypted links, counting on the misdirection of a massive shell game to protect their privacy. Users are supposed to encrypt all their traffic as well as an additional step to keep the last site that handles the traffic before it goes back out to the Internet at large from being able to see what's being sent around. The encryption of the TOR network itself protects the contents up to that point, but no farther. For embassies and other installations that might have things going on where a breach of security could mean people die, incorrect use of the network almost guarantees that someone's likely to get hurt--possibly many, many someones. Dan figured that if anyone can do this, bad people were probably already doing it.

After doing his due diligence and trying to tell the people using the network unsafely the mistakes they were making (and getting nowhere), Dan took the more civic-minded approach of shouting it to the heavens by publishing samples and account information of the hapless fools on his website, and announcing the disturbing results of his completely legal and ethical research to security-oriented mailing lists in hopes that people would take notice and stop endangering themselves and others. The resulting splash should certainly penetrate far and ... [ Read More (0.2k in body) ]

Hacker arrested for... um... *not* hacking?