[SecurityRatty] tag: redirect

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter

Sat, 22 Nov 2008 09:15:04 +0000

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter
In this video, Bigmac shows how to redirect web traffic and trick users into downloading Meterpreter and running it on their box.

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter

Sat, 22 Nov 2008 09:15:04 +0000

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter
In this video, Bigmac shows how to redirect web traffic and trick users into downloading Meterpreter and running it on their box.

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter

Sat, 22 Nov 2008 09:15:04 +0000

Deploying Metasploit's Meterpreter with MITM and an Ettercap filter
In this video, Bigmac shows how to redirect web traffic and trick users into downloading Meterpreter and running it on their box.

Open Redirects and Common Weakness Enumeration

Thu, 16 Oct 2008 10:58:00 +0000

Hopefully, you're more than familiar with CVE (Common Vulnerabilities and Exposures), but perhaps you're less familiar with CWE (Common Weaknesses Enumeration). Both are significant efforts, international in scope, and the excellent products of The MITRE Corporation, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
Approximately six months ago I was discussing open redirect vulnerabilities with Steven Christey of MITRE, who mentioned that that CWE entry for open redirects was sparse and dated, with little reference material. In particular, he pointed out the lack of defining papers. I accepted this information as a challenge and produced an article that was published in (IN)SECURE Issue 17. Soon after Issue 17 went live, I also took note of an excellent academic paper specific to the topic of open redirect vulnerabilities; Shue, Kalafut and Gupta's Exploitable Redirects on the Web: Identification, Prevalence, and Defense. Complete with these two papers as references, as well as two current CVE identifiers for popular web applications suffering from open redirect vulnerabilities (discovered by yours truly), CVE-2008-2052 & 2951, CWE-601: URL Redirection to Untrusted Site (aka 'Open Redirect') is now current and complete.
As open redirects are undoubtedly one of my biggest pet peeves, I am pleased to no end. Hopefully CWE-601 will help drive more application vendors and site operators to put an end to this easily mitigated vulnerability.

CWE:
"International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design."

del.icio.us | digg | Submit to Slashdot

AOL Hosted Sites Distribute Malware

Mon, 13 Oct 2008 23:21:17 +0000

Malware on AOL hosted pages has been recently reported by Alex Eckelberry from Sunbelt. It seems that it is not new and AOL is actually neglecting this issue, allowing visitors to get infected with rogue software. AOL’s German Hometown page has a number of pages that redirect to rogue antivirus programs like Antivirus XP (Do NOT [...]

One Spam to rule them all!

Sat, 11 Oct 2008 19:37:02 +0000

If we only had a dollar for each spam we recieved, we could end the worlds money crisis!

clipped from www.crime-research.org

40 Trillion Spam E-mails This Year

ComputerWorld did a nice story called Spam Filters: Making Them Work relying on the Ferris numbers. However, the lesson we should learn is buried deeper in the details: spam is no longer a nuisance that clogs inboxes, it’s a security issue. The majority of spam messages now try to breach security on the computer reading the message, or redirect the user to a Web site full of malware etc.

XSF & XSS: Double your pleasure, double your fun

Sun, 21 Sep 2008 17:00:00 +0000

If you've read this blog, or those of my peers, you're likely quite familiar with cross-site scripting, and the problems associated with open redirect vulnerabilities. A vulnerability you may be less familiar with is cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
What then, if there's a cross-site framing vulnerability coupled with cross-site scripting in the content offered by the frame? All sorts of problems come to mind: phishing, malware, credential theft; all arguably twice removed from the attacker's source, tucked away in the context of two victim sites.
First, I'll discuss the original XSS issue that led to this finding.
Recently, I was investigating a flawed parameter in Openhire, a career posting vendor used by major companies like Crate&Barrel, Eileen Fisher, Enterprise, Benjamin Moore, Scottrade, and Getty Images.
Most of these sites simply link to the Openhire offering that hosts job postings on their behalf which, in turn, has been crafted to look like the referring site.
As an example, here's Scottrade's employment page hosted by Openhire.

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?version=1&company_id=15624

Standard stuff, looks nicely like the Scottrade site, so everything's cool, right?
Wrong? What if someone hosting a service on your behalf suffers a security gap?
You're only as strong as your weakest link!
Here's the posting for an Application Security Engineer (funny, eh?) at Scottrade as hosted on their behalf by Openhire:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=976367&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters%3B%3B%3BInformation%20Technology%3B%3B%3BSecurity&startflag=3&CFID=66851845&CFTOKEN=29a95-d12594d4-47d9-49e8-9067-1091bdf68e80

Now here the same job posting spewing massive cookie data:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

Screen shot offered below, as the code above will likely be repaired very soon by Openhire. I notified them this past Thursday.

It's bad enough when there's an application security hole in code someone else is hosting on your behalf, but what if your method of displaying said code is also at risk? Enter the Getty Images Jobs page.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=careeropps&startflag=0&company_id=15531&version=2&CFID=12265212&CFTOKEN=60213778

Watch what happens when you pull the Openhire code. Can you say self-replicating frame loop from hell (in Firefox)? Trust me your browser will crash if you leave this running too long. This will likely be fixed soon, so if the URL doesn't work, the screen shot exemplifies the issue.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html

What if, instead of Openhire's Getty Images page, or nothing at all (which obviously creates its own issue), we drop in an arbitrary URL?
Yep, you guessed it.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://www.xssed.com/news/26/Cross-site_framed/

Now, bringing it all home for double the pleasure, double the fun, what if we coupled the original Openhire cross-site scripting vuln with Getty Images cross-site frame vuln?

It hurts twice as much, in my book.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

The lessons learned:
1) Ensure your partners are writing secure code on you behalf.
2) Ensure that the code you utilize to incorporate said partner's code is also well written. ;-)

Double the headache, double the dumb.

del.icio.us | digg

Business In Thailand - Part 1: The Challenge

Fri, 05 Sep 2008 10:16:36 +0000

Recently someone asked about business in Thailand. Here is my first post on this challenging topic:

First of all, as background information, I learned the Thai alphabet (script with 44 consonants and 32 vowels) nearly 20 years ago, so I have have a pretty decent foundation for the Thai language compared to most foreigners visting or working in Thailand. I can read (slowly) and speak better than 99.99+ percent of all foreigners in Thailand. For this reason, I thought it was ”the right thing to do” to redirect my career to a “new challenge” in the business climate of Thailand as I continue to improve my foreign language skills. I wanted to help Thailand progress in IT and IT security, so where else would I go but where I have second language skills?

This was no small decision as you can imagine. Your career and life changes quite dramatically when you give up a long established consulting practice in the US and dive into business in a foreign land, seeking a new challenge. I can frankly tell you thatit is more difficult to do business in Thailand (as a foreigner) than I expected, for a number of reasons. Here is my first off-topic post on this topic.

First of all, it is not legal for foreigners to directly own land in Thailand. Foreigners can ”own” land using a variety of legal loopholes, proxy owners and shell companies; but all of this is risky and not advised. Many foreigners lose a lot of money coming to Thailand and attempting to buy land via various “structures”. Some get lucky, but the entire process of foreigners buying and selling land is quite risky and not recommended.

Foreigners can legally own condominiums, under certain conditions, but this “foreign market” results in inflated prices for condos in Thailand that are traded in an “artificial market place” designed for foreigners. Condos in Bangkok and major resort areas that are up-to-par with condos in the US can easily cost more than condos in major cities in the US. Hence, the cost of living in Thailand is not as economical as some might believe when you visit Thailand as a tourist.

Second, business in Thailand can best be described as protectionism with discrimination where the government has placed many barriers to entry to foreigners working and competing in Thailand. Every foreigner must have a work permit and these work permits are expensive and time consuming to maintain. If you own a business you must pay high professional service fees for “auditors” to perform annual and semiannual audits regardless of how much income you have (including zero). Firms in Thailand charge thousands of dollars for these ”audits”.

Third, if you operate a business in Thailand, you must have a place of business (you cannot legally work from your condo you bought at high prices!), so you are forced, by law, to lease office space. Foreigners from the US, for example, must be paid a minimum of 50,000 Thai Baht per month, so the government will take 10 percent of that each month as their share of tax withholdings. Startups with no income simply pay income taxes against their personal savings to comply with the law. Therefore, to start a company and maintain the business in Thailand, you are required to pay significant startup, monthly, semi-annual and annual fees, permits, tax, leases, visas, etc.

Forth, generating incoming revenue in Thailand can be quite difficult in a climate of both protectionism and discrimination. In Thailand, it is easy when you are spending money. This is the ”Land of Smiles” that tourists see and experience. However, when you are legally permitted to work in Thailand and trying to generate in-country income, you cannot help but notice the protectionism and discrimination against foreigners working and living here. Many foreigners working in Thailand just “give up” because the barriers to business success are quite high.

Fifth, on top of the challenges of protectionism/discrimination regarding foreigners and foreign investments, which I have only just scratched the surface here, is the overall global business slowdown combined with a climate of political instability which I am sure you have seen in the news. Thailand has seen 18 coups since 1932. Currently, Thailand is under a State-of-Emergency which negatively impacts business even more. Sound challenging?

Most people who live and work in Thailand have the opinion that it is far better to enjoy being a tourist here. Working in Thailand is very difficult for many reasons. Being a tourist in Thailand is completely different than working here. When you are a tourist, foreign currently flows from you into Thailand, so life in Thailand as a tourist is fun and friendly, hence the “Land of Smiles” you have heard about or experienced. However, when you are working in Thailand and trying to generate income from Thailand versus bringing in foreign currency, you don’t see the “Land of Smiles” quite the same anymore.

Without getting into too many details in this post, I can simply say that a foreigner doing business in Thailand experiences both protectionism and discrimination. I came to Thailand hoping to contribute my experience to help the Kingdom. However, sometimes it feels like foreigners are only welcome if you are working for free, giving seminars for free, and bringing in lots of foreign currency here.

In a future post on business in Thailand I will dive into some details on a number of topics that might be of interest to readers who will never have a chance to come and work here.

Scammers Avoid Spam Detection By Using Redirection In Adobe Flash Files And ImageShack.com Free Hosting

Thu, 04 Sep 2008 15:59:04 +0000

Anti-spam service MessageLabs reports a new way found by scammers to bypass anti-spam filters. This time scammers are utilizing Adobe Flash files and free websites hosting services. Spam messages with harmless-looking content contain links to Flash-based files on free image hosting services like ImageShack.com. The commands embedded in flash files redirect the recipient to sites that [...]

Business In Thailand - Part 1: The Challenge

Thu, 04 Sep 2008 10:16:36 +0000

Recently someone asked about business in Thailand. Here is my first post on this topic:

First of all, I learned the Thai alphabet nearly 20 years ago, so I have have a pretty good foundation for the Thai language. I can read (slowly) and speak better than 99.99+ percent of all foreigners in Thailand; so, I thought it was time to redirect my career to a “new challenge” in the business climate of Thailand.

This was no small decision. Your career changes dramatically when you give up a successful consulting practice in the US and dive into business in a foreign land for a new challenge. I can frankly tell you that often the challenge is sometimes overwhelming. It is quite difficult as a foreigner to do business in Thailand.

First of all, it is not legal for foreigners to own land in Thailand. Foreigners can ”own” land using a variety of legal loopholes, proxy owners and shell companies; but all of this is risky and not advised. Foreigners lose a lot of money coming to Thailand and attempting to buy land. Some get lucky, but the entire process of foreigners buying and selling land is quite risky.

Foreigners can own condos, under certain conditions, but this results in inflated prices for condos in Thailand that are traded in an artificial market place. Condos that are up-to-par with condos in the US can easily cost more than condos in major cities in the US. Hence, the cost of living is not as cheap as some might believe.

Business can best be described as “protectism” where the government has placed many barriers to entry to foreigners working in Thailand. Every foreigner must have a work permit and these work permits are expensive and time consuming to maintain. If you own a business you must pay high professional service fees for auditors to perform annual and semiannual audits even if your business has no income yet. Firms in Thailand charge thousands of dollars for these ”audits”.

In addition, if you operate a business, you must have a place of business, so you are forced to lease office space. Foreigners from the US must be paid a minimum of 50,000 Thai Baht per month, so the government will take 10 percent of that each month as their share of tax withholdings. Therefore, to start a company, you will pay a lot of money in startup fees, permits, tax, leases, visas, etc. The entire system is designed to secure money from you, even if you do not have a penny of incoming revenue.

Of course, generating incoming revenue can be quite difficult in a climate of protectionism. In Thailand, it is easy when you are spending money. When you are trying to generate income from Thailand, as a foreigner the challenge can seem overwhelming at times. Many foreigners here give up because the barriers to business here are very high.

On top of all these challenges, which I have not described in detail, is the overall global business slowdown combined with a climate of political instability, which I am sure you have seen in the news.

Most people I know say it is better to be a tourist here. Being a tourist is completely different. Money flows from you, so life in Thailand is fun and friendly, complimentary to the “Land of Smiles” you have heard about. However, when you are working to have money flow the other direction, flow to you versus away from you, you don’t see the “Land of Smiles” as tourists experience.

Without getting into too many details, I can simply say that a foreigner doing business in Thailand experiences protectionism and, to a certain degree, discrimination, and sometimes I wonder if coming here for a “business challenge” was a good idea. I was seeking a “new challenge” and I got more than I bargained for!

In a future post on business in Thailand I will discuss issues regarding how little value is placed in intellectual property in Thailand and how this adversely impacts professional services. I will also touch on how this lack of regard for intellectual property impacts a consulting practice. Also, I will touch on some cultural differences in how Thais appear to view teamwork, which is very different than in the US.