[SecurityRatty] tag: cookies

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Proxy Caches are a Challenging Threat to Internet Security

Sun, 05 Oct 2008 06:41:52 +0000

Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons.

As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers, for example. Caching proxy servers should obtain a fresh cookie for the each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there’s no guarantee it will be consumed by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including our recent Google Docs breach. On the other hand, even SSL is not foolproof. For example, many web developers do not correctly set the “Encrypted Sessions Only” cookie property. These incorrectly configured “secure” servers will send HTTPS cookies in the open, unencrypted.

There be dragons …

Note: Reposted from the (ISC)2 blog.

Internet Explorer security levels compared

Tue, 16 Sep 2008 20:19:36 +0000

A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.

Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

Column headings

Entries

H	High	D	Disable
MH	Medium-high	E	Enable
M	Medium	P	Prompt
ML	Medium-low
L	Low

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

.NET Framework

	H	MH	M	ML	L
Loose XAML	D	E	E	E	E
XAML browser applications	D	E	E	E	E
XPS documents	D	E	E	E	E

.NET Framework-reliant components

	H	MH	M	ML	L
Permissions for components with manifests	D	1	1	1	1
Run components not signed with Authenticode	D	E	E	E	E
Run components signed with Authenticode	D	E	E	E	E

1 = High safety

ActiveX controls and plug-ins

	H	MH	M	ML	L
Allow previously unused ActiveX controls to run without prompt	D	D	E	E	E
Allow scriptlets	D	D	D	E	E
Automatic prompting for ActiveX controls	D	D	D	E	E
Binary and script behaviors	D	E	E	E	E
Display video and animation on a Web page that doesn't use an external media player	D	D	D	D	D
Download signed ActiveX controls	D	P	P	P	E
Download unsigned ActiveX controls	D	D	D	D	P
Initialize and script ActiveX controls not marked as safe for scripting	D	D	D	D	P
Run ActiveX controls and plug-ins	D	E	E	E	E
Script ActiveX controls marked as safe for scripting	D	E	E	E	E

Downloads

	H	MH	M	ML	L
Automatic prompting for file downloads	D	E	E	E	E
File download	D	E	E	E	E
Font download	P	E	E	E	E

Enable .NET Framework setup

	H	MH	M	ML	L
Enable .NET Framework setup	D	E	E	E	E

Miscellaneous

	H	MH	M	ML	L
Access data sources across domains	D	D	D	P	E
Allow META REFRESH	D	E	E	E	E
Allow scripting of Internet Explorer Web browser control	D	D	D	E	E
Allow script-initiated windows without size or position constraints	D	D	D	E	E
Allow web pages to use restricted protocols for active content	D	P	P	P	P
Allow web sites to open windows without address or status bars	D	D	D	E	E
Display mixed content	P	P	P	P	P
Don't prompt for client certificate selection when no certificates or only one certificate exists	D	D	D	E	E
Drag and drop or copy and paste files	P	E	E	E	E
Include local directory path when uploading files to a server	D	E	E	E	E
Installation of desktop items	D	P	P	P	E
Launching applications and unsafe files	D	P	P	E	E
Launching programs and files in an IFRAME	D	P	P	P	E
Navigate sub-frames across different domains	D	D	D	E	E
Open files based on content, not file extension	D	E	E	E	E
Software channel permissions	1	2	2	2	3
Submit non-encrypted form data	P	E	E	E	E
Use phishing filter	E	E	E	D	D
Use pop-up blocker	E	E	E	D	D
Userdata persistence	D	E	E	E	E
Web sites in less privileged content zone can navigate into this zone	D	E	E	E	P

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

	H	MH	M	ML	L
Active scripting	D	E	E	E	E
Allow programmatic clipboard access	D	P	P	P	E
Allow status bar updates via script	D	D	D	E	E
Allow Web sites to prompt for information using scripted windows	D	D	E	E	E
Scripting of Java applets	D	E	E	E	E

User authentication

	H	MH	M	ML	L
Logon	1	2	2	2	3

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

Privacy settings (on the "Privacy" tab)

	H	MH	M	ML	L
Allow persistent cookies	D	E	E	E	E
Allow per-session cookies	D	E	E	E	E
Allow third-party persistent cookies	D	P	P	E	E
Allow third-party session cookies	D	E	E	E	E

New Tool To Be Released Can Steal Authentication Credentials Through Encrypted Secure Channels

Wed, 10 Sep 2008 23:31:44 +0000

New tool that can steal users authentication credentials makes websites used for email, banking, e-commerce and other sensitive applications less secure, even when they’re sent through supposedly secure channels. The toolkit, named CookieMonster, is used in a variety of man-in-the-middle scenarios to trick a victim’s browser into turning over the authentication cookies used to gain access [...]

NetBarrier X5

Tue, 02 Sep 2008 20:00:00 +0000

Intego's NetBarrier X5 security suite offers several tools to protect your Mac from vandals and criminals. Its centerpiece is the NetBarrier firewall, but the package can also block cookies while your surf the Web, scrub personal data afterwards, and block Trojan horses. While NetBarrier X5's features are generally good, the $50 program has enough peculiarities that some users will be better off with the firewall tools that come with OS X for free.

Safari At Risk of a Cookie Monster attack

Thu, 31 Jul 2008 07:57:54 +0000

There are reports of a new Apple Safari flaw, exploiting cookies in the browser. However, the vulnerability exploit hasn’t been seen in the wild and there’s as yet no response from Apple about the flaw. Here’s the potential damages -

An attacker who successfully exploits the vulnerability could perform a session fixation attack. This allows the attacker to pre-set the victim’s session ID and to use the fixed session ID for malicious activities.

An attack of this sort, known as “cross-site cooking,” might include tricking a user to log in through a malicious form, exploiting a cross-site scripting vulnerability or meta tag injection flaw, breaking into host in the target server’s domain, and network traffic alteration.

To learn more, read the full article.

Apple Safari Domain Extensions Insecure Cookie Access Vulnerability

Tue, 29 Jul 2008 06:37:20 +0000

According to National Vulnerability Database, Apple’s Safari browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains. A hacker who appeared at Microsoft’s Blue Hat summit, is credited with discovering this Safari vulnerability. Safari 3.1.2 is vulnerable; other versions may also be affected. Apple Safari allows web sites [...]

Event Tracking Google Style

Tue, 22 Jul 2008 15:46:05 +0000

Most readers who operate a web site are familar with Google Analytics (GA). GA users add a bit of Javascript on their web pages. The Javascript has tracking code that executes when visitors request web pages. The GA tracking code basically sets or updates cookies on the user’s browser and requests a single-pixel image from the GA servers.

In the last release of the GA code, Google added Event Tracking. In Google-speak, events are actions that visitors take on a web page that do not generate new pageviews. Examples of these events are, interacting with a Flash player, a AJAX widget or an audio player. In the old GA, webbies could track event-data as a pageview. However, because event tracking using crude pageviews is not very effective, GA added new functionality they refer to as Event Tracking.

There are 4 components in the GA events data model; Objects, Actions, Labels and Values. GA Objects are areas of web pages that visitors interact with, for example a video player or an Ajax widget. The second part of the GA event tracking data model is Actions. Actions are related to an Object, representing Actions that visitors perform on the Object. Labels further describe Actions, associating context with Actions. Last, but not least, Values are quantities associated with Labels.

Notice how Google defines this event processing model as Event Tracking. Similar to the reference architecture we described in What is Complex Event Processing?, operations on single event objects are generally tracking-oriented, often referred to as Event Refinement in the art-and-science of multisensor data fusion (MSDF).

The GA event tracking model does not (yet) incorporate Situation Refinement, which in MSDF-speak, would be object-to-object processing, representing a higher level of interaction modelling.

Can you provide examples where object-to-object interaction between various objects on a single web site represents a real-world situational (complex event) model?

Taking this one step further, can you think of some examples where object-to-object interaction between various objects on different web sites represents a real-world situational model?

Review: Internet Cleanup 5.0

Sun, 20 Jul 2008 20:00:00 +0000

As you use the Internet, traces of your activities build up on your Mac in the form of things like cookies, caches, entries in your browser history, transcripts of instant messaging chats, and e-mail attachments. Smith Micro's Internet Cleanup provides a suite of tools to help you locate and delete such data to protect your privacy, which is especially important if you're using a shared computer. Several additional tools in the package protect your Mac against certain kinds of spyware, hacking, and other threats.

Cross-Domain Vulnerability In Microsoft Internet Explorer 6

Fri, 27 Jun 2008 10:03:45 +0000

New Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. A proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At [...]