Spontaneous Sociability and The Enthymeme

Current Topic: Computer Security

XSS | Threat Level
Topic: Computer Security 8:47 pm EDT, Apr 17, 2008

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.

For those of you who don't see it after clicking through, notice that the links lead to the CIA's site, but display a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.

This story went up at 3:26pm, and it's still working at 8:45pm.

This would be great for a prank form...

Update: This is still working today. So much for fast response.. Here is the obligatory memestreams @ link.

XSS | Threat Level

Foreign Policy: Seven Questions: Waiting for a Cyber Pearl Harbor
Topic: Computer Security 12:47 pm EDT, Apr  3, 2008

Chinese hackers are growing increasingly bold in probing critical U.S. defense networks. But former U.S. counterterrorism chief Richard A. Clarke tells FP that if the United States waits for a dramatic, 9/11-style attack on its critical infrastructure to act, it will be missing the real threat.

Foreign Policy: Seven Questions: Waiting for a Cyber Pearl Harbor

Renesys Blog: Pakistan hijacks YouTube
Topic: Computer Security 12:37 am EST, Feb 26, 2008

A few hours ago, Pakistan Telecom (AS 17557) began advertising a small part of YouTube's (AS 36561) assigned network. This story is almost as old as BGP. Old hands will recognize this as, fundamentally, the same problem as the infamous AS 7007 from 1997, a more recent ConEd mistake of early 2006 and even TTNet's Christmas Eve gift 2005.

Just before 18:48 UTC, Pakistan Telecom, in response to government order (thanks nsp-sec-d) to block access to YouTube (see news item) started advertising a route for to its provider, PCCW (AS 3491). For those unfamiliar with BGP, this is a more specific route than the ones used by YouTube (, and therefore most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube's network.

I became interested in this immediately as I was concerned that I wouldn't be able to spend my evening watching imbecilic videos of cats doing foolish things (even for a cat). Then, I started to examine our mountains of BGP data and quickly noticed that the correct AS path ("Will the real YouTube please stand up?") was getting restored to most of our peers.

The data points identified below are culled from over 250 peering sessions with 170 unique ASNs. While it is hard to describe exactly how widely this hijacked prefix was seen, we estimate that it was seen by a bit more than two-thirds of the Internet.

This table shows the timing of the event and how quickly the route propagated (this is actually a fairly normal propagation pattern). The ASNs seeing the prefix were mostly transit ASNs below, so this means that these routes were distributed broadly across the Internet. Almost all of the default free zone (DFZ) carried the hijacked route at least briefly.

As always, the gory details have worked their way to the nanog list..

So, it's heartwarming to know that two things are still true. It is still trivially possible to hijack prefixes (whether maliciously or inadvertently). I can go to sleep knowing that my neighbors are happily watching their LOLCATS.

Yes, I made the lolcat image. It's the lamest thing I've ever done, yet I have no shame.

Renesys Blog: Pakistan hijacks YouTube

Security Data Visualization: Graphical Techniques for Network Analysis
Topic: Computer Security 1:57 pm EST, Jan 27, 2008

Greg Conti published a book last October!

Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence.

Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities.

Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate.

You'll learn how to use visualization techniques to:

- Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT
- See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document
- Gain insight into large amounts of low-level packet data
- Identify and dissect port scans, Nessus vulnerability assessments, and Metasploit attacks
- View the global spread of the Sony rootkit, analyze antivirus effectiveness, and monitor widespread network attacks
- View and analyze firewall and intrusion detection system (IDS) logs

Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective.

You can download Chapter 5, "One Night on my ISP", from the publisher.

Security Data Visualization: Graphical Techniques for Network Analysis

Legitimate sites serving up stealthy attacks
Topic: Computer Security 6:39 pm EST, Jan 22, 2008

Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.

The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site. The compromised sites host the malicious code -- foregoing the iframe redirect that has increasingly been used by attackers -- and serve up the attack to each visitor only once using a random file name each time. The two techniques, along with more traditional code obfuscation, make the attack difficult to find, said Yuval Ben-Itzhak, chief technology officer for Finjan.

"This attack uses three different methods to go undetected by signature-based or URL-based defenses," Ben-Itzhak said. "If you realize that you've been infected, and you go and search sites, you will not be able to find the site that infected you."

The actual malicious code served to visitors by the sites compromised by the Random JS Toolkit attempts to exploit computers using 13 different vulnerabilities, the company said. The Trojan horse program steals the victim's login credentials to access online banks. The software uses encrypted communications to a number of sites hosted in the United States to return the information to the criminal group behind the attack, the analysis found.

Legitimate sites serving up stealthy attacks

Ajax Security Book Out! Awesome buzz!
Topic: Computer Security 1:51 pm EST, Dec 20, 2007

Ajax Security is out and the feedback I'm getting is incredible.

Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security and here is what he had to say about it:

If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.

Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.

I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field.

The structure flows pretty well, building upon what you’ve already learnt ...
there is advanced stuff, but the authors have to bring the newbie audience along for the ride.

Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.

Some choice quotes from web security guru dre:

The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tricks, and the aberrant Javascript worms from a security perspective.

Here are some of the “new” concepts that I enjoyed most: Hijacking Ajax apps, Attacking Offline Ajax apps, Ajax proxy exposure of third-party XML/JSON data.

I really enjoyed the suggested defenses against “mashup” attacks as well as JSON API Hijacking. Without going into detail (I don’t want to ruin the book and the authors’ hard work), I ca...

Ajax Security Book Out! Awesome buzz!

Hacker arrested for... um... *not* hacking?
Topic: Computer Security 5:11 pm EST, Nov 15, 2007

Dagmar posted up this summary of the situation with Dan Egerstad (Google Cache).

In a move almost staggeringly myopic, agents from Swedish National Crime and the Swedish Security Police raided Dan Egerstad on Monday of this week, rather clearly on the basis of his massive non-hack of the TOR routing service.

For those not catching on, Dan is the gentleman we all cheered a short while ago for having the ingenuity to set up and connect several new TOR (an anonymizing packet routing system) nodes and see if people were actually using the network with unencrypted protocols (which would basically be foolish in the extreme). It turns out that Dan's suspicions were right, and that not only were people using the network insecurely, lots of people, up to and including embassies and government and military offices were using the network unsafely--effectively sending emails and other sensitive traffic across the network completely in the clear where anyone who added their connectivity to the network could see it. This is very, very bad.

Let me make this clear... Anyone, myself included, can at any time, add their resources to and use the TOR network, simply by joining it and using it. (Non-technical explanation for simplicity) Participants in the network pass each other's traffic back and forth randomly through encrypted links, counting on the misdirection of a massive shell game to protect their privacy. Users are supposed to encrypt all their traffic as well as an additional step to keep the last site that handles the traffic before it goes back out to the Internet at large from being able to see what's being sent around. The encryption of the TOR network itself protects the contents up to that point, but no farther. For embassies and other installations that might have things going on where a breach of security could mean people die, incorrect use of the network almost guarantees that someone's likely to get hurt--possibly many, many someones. Dan figured that if anyone can do this, bad people were probably already doing it.

After doing his due diligence and trying to tell the people using the network unsafely the mistakes they were making (and getting nowhere), Dan took the more civic-minded approach of shouting it to the heavens by publishing samples and account information of the hapless fools on his website, and announcing the disturbing results of his completely legal and ethical research to security-oriented mailing lists in hopes that people would take notice and stop endangering themselves and others. The resulting splash should certainly penetrate far and ...

Hacker arrested for... um... *not* hacking?

Jesse James Garrett: Buy Ajax Security Book
Topic: Computer Security 12:27 pm EST, Nov  8, 2007

"Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't."
-- Jesse James Garrett, Father of Ajax

Billy is clearly happy about that quote.

Jesse James Garrett: Buy Ajax Security Book

Ajax Security is more than an Increased Attack Surface
Topic: Computer Security 12:22 pm EST, Nov  8, 2007

And while over 2/3 understand that Ajax applications have an increased attack surface, many of the comments showed that some people believe Ajax security is just about an increased attack surface.

Let me assure you, if Ajax Security was only about an increased attack surface two things would have happened:

1. Addison Wesley wouldn't have asked me to write a 500 page book about it
2. Bryan and I would have finished a long time ago :-)

There are many issues surrounding Ajax Security and hopefully this piece will help people see the bigger Ajax Security picture.

A little peek into some of the many topics covered in Ajax Security, Billy Hoffman and Bryan Sullivan's book on all things Ajax.

Hopefully this little taste shows you that there is far far more to Ajax Security than some JavaScript eye candy and an increased attack surface. Developer, QA professional, and hacker alike will all find Ajax Security an enormously powerful resource to help design, build, test, and hack Ajax applications.

Ajax Security is more than an Increased Attack Surface

News: Washington state man hacked into 9-1-1 system leading to SWAT raid on innocent homeowner
Topic: Computer Security 9:49 pm EDT, Oct 17, 2007

SWAT officers expected to find a victim shot to death, drugs and a belligerent armed suspect when they surrounded the home of an unsuspecting couple, but found they were only a part of a false emergency call caused by a teenager who hacked into the county’s emergency response system, authorities said.

As officers swarmed the home with assault rifles, dogs and a helicopter, a Lake Forest couple and their two toddlers inside their home slept unsuspectingly.

On March 29 at 11:30 p.m., authorities allege, Randall Ellis, a 19-year-old from Mukilteo, Wash., hacked into the county’s 911 system from his home and placed a false emergency call, prompting a fully armed response to the home of an unsuspecting couple that could have ended tragically.

Everyone loves a good prank, but hacking the 911 system and getting someone's house raided by the SWAT team is way over the line.. This kid is going to get his ass nailed to the wall.

News: Washington state man hacked into 9-1-1 system leading to SWAT raid on innocent homeowner
