[SecurityRatty] tag: rant

XSS Comedy III: Tax Cheats with Small Equipment

Wed, 12 Nov 2008 13:52:00 +0000

As part of an ongoing series, if I may I, the third in a series on the absurd, inane, and perhaps even funny. Lest you forget: the first and second in the series.
I don't know about you, but I enjoy occasionally watching offerings like the History Channel, AMC, or the Military Channel. I'm a 40ish, white male and as such I likely fit the general demographic as perceived by the marketing geniuses who buy the late evening advertising blocks on these channels.
That does NOT mean that I cheat of my taxes and thus need the services of a plethora of scam artists selling tax relief. Nor does it mean that I have any interest in "enhancement" opportunities like Enzyte or ExtenZe.
I just love people who choose to skip out on a primary obligation of citizenship that most of us choose to meet, and expect to magically turn $100,000 in tax debt into $999. Then there are the "businesses" who exploit these folks and willingly convince them of their "success" via the power of advertising, at which point my patience just snaps, as it did last night.
Thus, part one of this rant is a mighty bugger off to all the "tax relief" companies. To their patrons, may I suggest simply paying taxes like the rest of us?
Here's an XSS vulnerability in the Freedom Financial Network, "as seen on TV", designed to express precisely how I feel:

http://www.freedomfinancialnetwork.com/tax_debt.php?pid=ffn+go&key=%22%3E%3Cmarquee%3E%3Ch1%3ENOTHING_IS_FREE!%3C%2Fh1%3E%3C%2Fmarquee%3E

If and when they fix this issue, here's the video for posterity.

Part two of this rant will get you more bang for your buck, and I'm not talking enhancement.
Thanks to my utter disdain for the endlessly annoying advertising I went to the ExtenZe site to see what might be broken which immediately led me to discover an entire platform vulnerability in the ColdFusion application built by Internet Direct Response (IDR), the wankers who proudly bring you Maxoderm, Vivaxa, Vazomyne, Smoke Away, and Hydroxydrene; all such reputable products, and all repetitively wearing me out via DirectTV. At the ExtenZe site I spotted a variable that seemed worthy of building a Googledork from, and I soon discovered that it was a consistent variable in most of the sites pimping this crap; specifically, microppcsite. You can follow all the search results back to our friends at IDR.
A little experimentation and I quickly discovered that the similar microppcterm variable was vulnerable to entertaining XSS exploitation so I started with:

http://www.extenzeforlife.com/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EToo_short,_Morningwood?%3C%2Fh1%3E%3C%2Fmarquee%3E&gclid=CJ3T2NXH8JYCFQQCagod7xyBrA

Pick your poison, it works on most IDR gems.

http://www.enzyte-male-enhancement.com/google/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EBob_just_wants_your_money.%3C%2Fh1%3E%3C%2Fmarquee%3E

Again, a video, should IDR choose to fix their app.

And now, the grand prize for pathetic: The ExtenZe site is McAfee Secure.

I couldn't make this stuff up if I tried.
You thought www stood for world wide web. Try wee willy wankers. *sigh*

del.icio.us | digg | Submit to Slashdot

Links List 9.29.08

Mon, 29 Sep 2008 23:00:14 +0000

Trade shows, trade shows and more trade shows. VMworld and Interop dominated the stage a couple of weeks ago and then there was the annual Oracle blowout in SF last week. Has anyone gotten any work done lately?? (image from cdye1)

Does Oracle run the world? I would have to say no but Raj (Larry Ellison is his idol) and the 40,000 Oracle customers that descended upon SF last week might beg to differ. What do James Carville and Mary Matalin have to do with enterprise software? Pretty much nothing, except for the fact that they delivered the opening keynote for Oracle OpenWorld. (And that’s the only and last politically-oriented thing you’ll hear from me as we run up to the election). For a surprisingly funny and extensive photo gallery of the eye-popping event, check out cdye1’s photostream on Flickr.

But UB40, Elvis Costello and Seal aside, Oracle OpenWorld did offer training, certifications, and always entertaining speeches by Ellison. Ben Worthen’s favorite – “Larry Ellison’s Brilliant Anti-Cloud Computing Rant” delivered to analysts on Thursday. From Ben’s slightly-edited excerpt:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?

“We’ll make cloud computing announcements. I’m not going to fight this thing. But I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. That’s my view.”

So did everyone catch that? Cloud computing is complete gibberish and idiocy, but apparently Oracle’s already been doing enough around it to advertise the fact. I will have my cake and eat it too!

We’ve been pumping out the posts from the shows we went to – let me tell you, live-blogging is hard when you’re trying to share apparently miniscule amounts of bandwidth with 14,000 other attendees – and we have even more to share as we step back, contemplate and describe how some of the announcements, info and especially roadmaps fit into our overall picture over here at ScienceLogic.

For example, we released the results of our annual industry IT survey last week. Twice a year – at FOSE (for Government IT) and at Interop NY (for enterprises) – we take advantage of the fact that we have a big beautiful booth at these shows and offer a fabulous ScienceLogic t-shirt in return for a couple of minutes time with attendees living the problems we try to solve. Instead of telling people what their problems and priorities are, we like to ask.
Interop NY Survey - Trends and Challenges
Detailed Reports on Trends and Comparison to Government IT

And I just had to share this one because it is so bizarre. Are VMware and Paul Maritz guilty of plagiarism? You have to check this out to get even part of the picture. Apparently this guy has posted his slides (we know they are from VMworld 2007 because it says so in the lower-right-hand corner…) which prove that the “virtual datacenter operating system” idea was his idea a year before it showed up on Maritz’s keynote this year. Hmmm. And then after posting all these slides and making all the connections between his presentation and Maritz’s, he says he’s just kidding about the plagiarism. Can anyone sort this out and let me know?

I’ll tell you who wasn’t kidding when I went by their booth at VMworld – a certain chargeback vendor and VMware “partner” who was quite shocked two months ago when they walked into a meeting with VMware about future roadmap. Apparently, the slides they saw (preview of VMware’s announcement re adding extended chargeback capability within vCenter management services) were mighty might similar to slides they had given in a presentation to VMware about their own roadmap. Coincidence? I’ll let you decide. And I’ll also say, their strategy to combat this – support for Hyper-V coming early in 2009.

[OT rant] Are there any home WiFi routers that DON'T SUCK?

Fri, 22 Aug 2008 20:12:38 +0000

Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

On TV Warfare

Mon, 11 Aug 2008 13:41:00 +0000

It is simply amazing that all the countries now "get it" that war happens primarily on TV (this vs this; many other examples are around). It is also amazing that there is NO way to know where "media reporting" ends and "psyops" begin. So, a burning tank with no clear markings that you see on TV might be:

Tank belonging to warring side A
Tank belonging to warring side B
Just a tank that was passing by and got hit by mistake :-)
Something that looks like a burning tank
An archive shot that reporter added for visual impact

Same applies to the "primary weapon" of a modern TV war: "evidence of atrocities of the opposing side."

What's the truth? Who knows... progress brought us "TV wars," is this the first "YouTube war"? But if we cannot believe the media coverage, how can we believe a random video online? Well ... maybe the same way we often believe Wikipedia over Britannica.

In any case, if there was a better time to turn off the TV (and tune off the web news...), it would be now. Also, time to get the dust off my copy of Toffler?

Rant mode off :-)

Black Hat wrap up - secure@microsoft, booth babes and bloggers

Fri, 08 Aug 2008 10:46:21 +0000

You can read plenty of other blogs about some of the great presentations at Black Hat. So I thought I would take another angle and talk about some of the other stuff that may be important to you.

1. secure@microsoft.com – This years hottest party was again the Microsoft party. This year it was at the LAX club in the Luxor. As usual there were quite a number of people at the door who thought they could talk their way in or worse yet were told they “were one the list”. I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party. As I wrote earlier, Microsoft is trying really hard on security. But I couldn’t help but notice the irony of this grainy, lousy picture of the DJ booth at the party. If you can, notice the computers that the secure@microsoft.com DJs are using. That’s right they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant. Hey I recognize it is Vegas and all, but EdgeOS went way over the line this year. A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement. I personally don’t like exploiting woman to make that statement, but I understand. However, these guys had woman who were dressed so raunchy and classless, that I could not bring myself to post a picture of them. Come on guys! You want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class. These girls looked like street walkers and do you and your company no favors. Is that really the image you want to promote? Grow up!

3. The Security Bloggers Network – We are back! With the end of the Black Hat show, the SBN is going back to being the SBN. The old logo is back and our promotion with Black Hat is at an end. However, I want to personally thank so many of you SBN members who blogged about Black Hat. The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community. Our network delivered big time with them and they are already thinking about ways we can work together next year. I will keep you all posted on that.

We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons. Next time we will work with the network members more closely in doing these affiliations. Also, for any show like this we need to have an official bloggers get together. Not because we don’t want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us. Security bloggers are big time. We have a great community of people who get together. Lets make it better.

I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.

Anyway, another year of Black Hat is in the books. It was a good one and I can’t wait until next year!

Monthly Blog Round-Up - July 2008

Fri, 01 Aug 2008 12:38:00 +0000

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

As you can easily, easily guess, the #1 spot this month is taken by my irreverent comments on a Terry Childs saga. Namely, "On Doomsaying (Terry Childs case)", "So ... Am I? Maybe I Am!" and "Admins , Good Guys or "I am NOT an Idiot!""
Obviously, my earlier post/rant called "You Are "A Security Idiot" If ..." takes the #2 spot. Yes, we all like to point out other people's problems, especially when they are epically huge :-)
Next up is my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"". It is both humorous and sadly true (and backed up by other sources)
Also popular is my post "Log Management - Day 1," which talks about the very first thing you do when embarking on a journey to log management.
Finally, again this month, my logging polls took the #1 spot! Poll #8 that covered context data for log analysis is analyzed here. Other popular polls include a controversial Windows Log Collection Poll (which is a poll #7) and poll #6 about logs that people actually look and poll #5 about logging challenges.
Strangely, a lot of people wanted to "Which Blogs Do I Read?" - so my brief post on that made it to the top.

See you in August, unless you are all on vacations, that is :-)

Possibly related posts / past monthly popular blog round-ups:

Technorati Tags: blog,security,loggings,monthly

Certificates - secure a. identity b. encryption c. both d. neither

Wed, 09 Jul 2008 04:44:01 +0000

With the release of Firefox 3.0 there has been a bit of controversy over how it handles self-signed certificates. It seems that Firefox makes it difficult to use self-signed certificates and some people are complaining about it. Here at StillSecure we use self-signed certs in our products and we had to change how we do things to make it work. However, there are than people like Lauren Weinstein who says that this is a step backward for Firefox because it makes it harder to send encrypted traffic. While I understand that it does make it harder, I think Lauren misses the forest for the trees here. The whole point of certificates are to prove identity. In fact they are called identity certificates.

The underlying reason for certificates is to ensure that the identity of the person or entity sending it is in fact genuine. It enables the the encryption function. In Weinstein's rant, somehow he has this bass akwards. Identity is secondary to encryption. He says, "Firefox is now putting so much emphasis on identity confirmation". For good reason I say! If we allow the whole idea of identity certs to be subverted for ease of encryption we are opening ourselves up to a whole range of bad things like phishing attacks, man in the middle, etc..

I say in our fervor to encrypt everything, lets not forget the importance of trust of identity that certificates enable. Without that the whole system crumbles. Now that being said, I agree that Firefox's GUI around handling these certificates could be better. It appears to be confusing to say the least. But again we can fix that without sacrificing the validity of certificates.

I should mention that I ran some of my ideas on this issue by Joel Snyder and StillSecure's own Andrew Grealy.

Certificates - secure a. identity b. encryption c. both d. neither

Wed, 09 Jul 2008 03:55:45 +0000

I should mention that I ran some of my ideas on this issue by Joel Snyder and StillSecure's own Andrew Grealy.

Monthly Blog Round-Up - June 2008

Tue, 01 Jul 2008 07:10:00 +0000

I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. This is what is driving an idiotic campaign of such "news" as "hackers increase hacking", "compliance is hard/easy/matters/doesn't" or "awareness of virtualization/SaaS/hacking/compliance grows."

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

Again this month, my logging polls took the #1 spot! Poll #8 that covered context data for log analysis is analyzed here. Other popular polls include a controversial Windows Log Collection Poll (which is a poll #7) and poll #6 about logs that people actually look and poll #5 about logging challenges. Next poll is coming soon.
Not entirely surprising, my post/rant called "You Are "A Security Idiot" If ..." takes the #2 spot after being live for only a few days. Yes, we all like to point out other people's problems, especially when they are epically huge :-)
Also not surprisingly, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"" is on the Top list. It is both humorous and sadly true (and backed up by other sources)
A curious subject of DLP or "data leak prevention" (specifically, the post called "So, CAN We Have DLP?") also tops the charts. My previous post on data leak 'prevention' ("In Passing on DLP") is popular as well.
Again and again, people googling for "open source SIEM" have pushed this post (this tiny old pathetic blurb) to top5. This ancient post from years ago explains why an open source SIEM will NOT emerge soon, if ever.

See you in July!

Possibly related posts / past monthly popular blog round-ups:

Technorati tags: blog, security, loggings, monthly

Wee-Fi: Go, Go, Wires! Go, Go, Cablevision!

Fri, 16 May 2008 07:12:08 +0000

OSnews explains why wiring a house still makes sense in the 21st century c.e.: A very well-reasoned article from OSnews explains why the site still backs residential wiring. They're involved in the build-out of a Utah home partly as a technology demonstration, and they've put coax and Cat 5E Ethernet cable throughout, as well as conduits for future wire pulls. Fundamentally, wire has more capacity; I'd argue it does across several dimensions, too. You can run 1 Gbps raw across a Cat 5E or 6 Ethernet cable in both directions at the same time versus best performance of unidirectional nearly 100 Mbps in my testing of Draft N. But you also get switching with Ethernet--multiple simultaneous symmetrical 1 Gbps--and if you need more capacity you simply pull more wires and put in more switches. Wire is cheap and switches are now, too. It's a good read if you're thinking of rewiring (or unwiring) your home.

Cablevision's already started its rollout: An observant tri-stater at the Cable Rant site spotted Cablevision installers putting up BelAir gear on their cable line. He took some photos.