[SecurityRatty] tag: drop

Mamma.com: Insider trading and XSS

Tue, 18 Nov 2008 06:55:00 +0000

Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.

2) XSS vulnerability in the qtype variable.

3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.

4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot

Most Spam Came from a Single Web Hosting Firm

Mon, 17 Nov 2008 02:11:07 +0000

Really:

Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.

Certainly this won't last:

Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.
"We're seeing a slow recovery," Bhandari. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."

But with all the talk of massive botnets sending spam, it's interesting that most of it still comes from hosting services. You'd think this would make the job of detecting spam a lot easier.

Spam drop could boost Trojan attacks

Mon, 17 Nov 2008 02:00:00 +0000

The dramatic fall in spam traffic last week after alleged rogue ISP McColo was taken down will be only a temporary reprieve and could generate a new wave of Trojans, experts warn.

Spam drop could boost Trojan attacks

Sun, 16 Nov 2008 21:00:00 +0000

The dramatic fall in spam traffic reported last week after alleged rogue ISP McColo was taken offline will only be a temporary reprieve and could actually generate a new wave of Trojans, experts have warned.

They didn't go away you know....

Fri, 14 Nov 2008 03:02:00 +0000

Listening to a discussion on CNN the day after President elect Obama won the U.S. Presidential race, made me think about what the terrorists may be thinking.

It really is fairly easy for the average citizen to push these thoughts out of their mind, but we should always keep it somewhere in our minds - close enough to recall it when necessary.

Bill Clinton was "tested" early in his Presidency as was the U.K.'s new Prime Minister - Gordon Brown. In PM Brown's case it came 72 hours after the Election in Britain. How long may we wait to see something here..or overseas, but definitely aimed at inflciting U.S. casualties?

Bottom line - we should always remian alert and open to the idea that something could happen and we can not afford to drop our guard and think "they have gone". Terrorists have great amounts of patience. They conduct surveillance right under the noses of their intended victims. As the old saying goes; "we have to be successful every single time - they only have to be lucky once".

Fun Reading on Security AND Compliance 9

Fri, 31 Oct 2008 09:05:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #9, dated October 30th, 2008. BTW, I am renaming it into “Fun Reading on Security AND Compliance”

“A Gartnergate?” What happened after Mr Pescatore uttered his now famous 12 words: “The best security program is at the business with the happiest customers.” This (complete with Gunnar’s famous “firewalls+SSL” chart), this – will add more as this snowballs.
Do you have an “ignorable” security policy? If yours is BOTH “ignorable” and “unfair”, then fuggedaboutit. Cisco survey kinda proves it. A few fun comments are here (“If people can't get their jobs done without having to find a way to circumvent policy then the policy is wrong.”)
Risk and clouds – here, here, here and here in poetic form (!). Fun reading, but you know what? For many, many organization, what they have today is LESS secure than any future cloud computing advance…
Richard Bejtlich drop-kicks SIEM too, then kicks it in the balls. Then kicks the dead horse (1,2,3)
Excellent reminder about why people don’t care about security with a fabled quote from MJR (yes, it is my fave too!) Overall, Rich “reassures” with: “Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communications up, you won’t get shafted with the proverbial short end.”
A few essays on risk, from ANSI, from Schneier and from BlogInfoSec (part 1 and part 2, especially read part 2)
So, what do CTOs really do every day? Interesting summary here and here.
Fun exploration of security x privacy x compliance.
Burton Group opines on which security technologies will fare better/worse during "The crisis”
A really fun interview with our CEO Philippe Courtot here.
More on IT vs IT security, this time from Richard.
Do you want people like that doing “security”? A normal call center employee recognizes fraud, but their so-called “outsource security dept” authorizes the scam. Niiice.
Finally, “Robots Hunt 'Non-Cooperative Humans' in Army Plan” No comment :-)

Enjoy!

The Skein Hash Function

Wed, 29 Oct 2008 01:35:29 +0000

NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.)

Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper:

Executive Summary
Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze.

Skein is fast. Skein-512 -- our primary proposal -- hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core -- almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hash-tree mode speeds up parallelizable implementations even more. Skein is fast for short messages, too; Skein-512 hashes short messages in about 1000 clock cycles.

Skein is secure. Its conservative design is based on the Threefish block cipher. Our current best attack on Threefish-512 is on 25 of 72 rounds, for a safety factor of 2.9. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm.

Skein is simple. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function.

Skein is flexible. Skein is defined for three different internal state sizes -- 256 bits, 512 bits, and 1024 bits -- and any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: a PRNG, a stream cipher, a key derivation function, authentication without the overhead of HMAC, and a personalization capability. All these features can be implemented with very low overhead. Together with the Threefish large-block cipher at Skein core, this design provides a full set of symmetric cryptographic primitives suitable for most modern applications.

Skein is efficient on a variety of platforms, both hardware and software. Skein-512 can be implemented in about 200 bytes of state. Small devices, such as 8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. Larger devices can implement the larger versions of Skein to achieve faster speeds.

Skein was designed by a team of highly experienced cryptographic experts from academia and industry, with expertise in cryptography, security analysis, software, chip design, and implementation of real-world cryptographic systems. This breadth of knowledge allowed them to create a balanced design that works well in all environments.

Here's source code, text vectors, and the like for Skein. Watch the Skein website for any updates -- new code, new results, new implementations, the proofs.

NIST's deadline is Friday. It seems as if everyone -- including many amateurs -- is working on a hash function, and I predict that NIST will receive at least 80 submissions. (Compare this to the 21 submissions NIST received -- five were rejected as not being complete -- for the AES competition in 1998.) I expect people to start posting their submissions over the weekend. (Ron Rivest already presented MD6 at Crypto in August.) Probably the best place to watch for new hash functions is here; I'll try to keep a listing of the submissions myself.

The selection process will take around four years. I've previously called this sort of thing a cryptographic demolition derby -- last one left standing wins -- but that's only half true. Certainly all the groups will spend the next couple of years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms; NIST will select one based on performance and features.

NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart of them; in this process, "best" is the enemy of "good." My advice is this: immediately sort them based on performance and features. Ask the cryptographic community to focus its attention on the top dozen, rather than spread its attention across all 80 -- although I also expect that most of the amateur submissions will be rejected by NIST for not being "complete and proper." Otherwise, people will break the easy ones and the better ones will go unanalyzed.

NBA Preview and Flashback

Tue, 28 Oct 2008 20:42:50 +0000

NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.

The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense

*Flashback*

I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)

C: Moses Malone - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time.

PF: Bobby Jones - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)

SF: Bernard King - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.

SG: Andrew Toney - they called him the Boston strangler and as Celtics fan there was no one I was more afraid of. Its a real shame his career got cut short. (Runner up: George Gervin)

PG: Tiny Archibald - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)

Sixth Man - World B. Free - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)

Money Mules Syndicate Actively Recruiting Since 2002

Tue, 28 Oct 2008 05:44:21 +0000

Money mules have already been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust based model based on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also, has the potential to increase or decrease the commissions that the mules take based on the risk factor of getting caught.

There are several different types of money mules, those serving themselves, and those offering their services to others, in this particular case, we have a money mules syndicate that's been operating since 2002, and is only serving the high profile customers. What happens when such a money mule syndicate (naturally) starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins, Paypal accounts, to stolen credit card data. Here's a translated description of the service :

"Who we are?

- First place at (cyber crime community) top list of trusted service providers for 2008
- We serve the big guys only since 2002
- We never scam, in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be?
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from (cybercrime community) and from (cybercrime community)
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team will be Paradise conditions:

- Instant payment (a few hours after delivered)
- Large numbers to drop service in the USA and the UK (30)
- Individual drop in the number of large islands
- 3-5 fresh weekly drop
- Round-the-clock support"

In case some of their customers get scammed -- appreciate the irony here as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- by some of their money mules, the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational Security) has been taking place across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that in the very same way they keep track of the major anti-fraud features implemented across their services of (ab)use, those implementing them could be monitoring them as well.

Sniffers presentation at 2008 Louisville Metro InfoSec Conference Thursday, October 9th, 2008

Tue, 07 Oct 2008 04:33:10 +0000

Update:Sniffers presentation at 2008 Louisville Metro InfoSec Conference Thursday, October 9th, 2008
Looks like I will be presenting at the upcoming Louisville InfoSec Conference put on by the ISSA, Thursday, October 9th, 2008 at Churchhill Downs. The person they had set do do the live hacking demo had to drop out, so they asked me to fill in on short notice.