[SecurityRatty] tag: tabs

Summarizing Zero Day's Posts for September

Tue, 07 Oct 2008 06:54:00 +0000

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again

Learning From Sarah Palins Yahoo Mail Compromise

Thu, 18 Sep 2008 09:31:56 +0000

The password reset functionality of any online service is a major source of risk. They are especially problematic when they use only a “secret question” concerning personal information only and don’t tie back to another email account or a text message. Another account or cell phone number is something “out of band” from a direct transaction with the online service. It becomes 2-factor authentication.

When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.

Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pet’s name online but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He details this on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.

Managers Admit Theyd Exploit Private Data

Mon, 23 Jun 2008 06:21:46 +0000

Anything to make a buck for some folks. A study commissioned by the folks at StrongMail Systems found that some marketing managers would be willing to dish out private customer data in order to bump up sales.

From the Financial Times:

The research – which was commissioned by StrongMail Systems, an e-mail security company – comes after the privacy watchdog warned of receiving an alarming number of reports of data security breaches in the private sector.

The survey, which covered 900 data security and marketing professionals, found that 7 per cent of marketing managers would disclose customers’ sexual orientation, 14 per cent their involvement in political activism, and 19 per cent their credit card details.

Some managers said they would also disclose data about ethnicity and religious beliefs.

The research found that marketing managers never reported data losses or thefts to customers in 90 per cent of cases, as they thought they were not required to do so.

So, are you keeping tabs on your marketing folks?

Article Link

Last HOPE Radio

Thu, 05 Jun 2008 07:32:45 +0000

Keeping tabs on the upcoming Last Hope conference this July.

From the Last Hope:

For Immediate Release

THE LAST HOPE TO FEATURE HACKER RADIO

At The Last HOPE conference, hackers will broadcast their minds and their iPods.

In the center of the summer’s top hacker event will be a small isolation booth. “Radio Statler!” as the station is called, will send out a three day broadcast of all-original material. From the center of Manhattan, around the clock, discussions of the past, present, and future of technology, creativity, and humanity itself will be transmitted.

The first night of the conference, July 18th, the station will carry a program called Digital Music Night, hosted by Peter Kirn, editor of createdigitalmusic.com. The three hour live concert will feature a convergence of artists and musicians using custom, original tools for performing live in new and bizarre ways, including:

* Houseplants hooked up to live computer visuals and music
* A mutant trumpet, halfway between the digital and acoustic worlds
* Packets of data visualized as three-dimensional eye candy
* An animated digital art sketchpad controlled by Wii remote
* A set of digital gloves for gestural DJing
* A robotic drummer
* Computer-generated vocals that sing your spam folder to you
* Live digital art made from vintage game consoles and computers

The station will give additional talk and interview time to the conference’s speakers, broadcast the keynotes and other popular seminars, and offer attendees who don’t speak at the podium a chance to share their ideas. Many hackers who already do their own podcasts are being asked to contribute and do special programs for the conference.

Program and content submissions are still being taken, volunteers are being sought, and the organizers are looking for promotional sponsors to help cover the cost of broadcasting. More information can be found at http://radio.hope.net/ or by emailing projects@hope.net.

Damn, I’ll have to break out Garageband or maybe I’ll have to submit one of these tracks? HA!

Air Force Aims for 'Full Control' of 'Any and All' Computers

Wed, 14 May 2008 16:10:50 +0000

The Air Force wants a suite of hacker tools, to give it "access" to--and "full control" of--any kind of computer there is. And once the info warriors are in, the Air Force wants them to keep tabs on their "adversaries' information infrastructure completely undetected." The government is growing increasingly interested in waging war online.

Air Force Aims for 'Full Control' of 'Any and All' Computers

Tue, 13 May 2008 16:00:00 +0000

The Air Force wants a suite of hacker tools, to give it "access" to -- and "full control" of -- any kind of computer there is. And once the info warriors are in, the Air Force wants them to keep tabs on their "adversaries' information infrastructure completely undetected."

Utah Department of Administrative Services reports web site breach

Mon, 17 Mar 2008 08:34:28 +0000

Technorati Tag: Security Breach

Date Reported:
3/15/08

Organization:
State of Utah

Contractor/Consultant/Branch:
Department of Administrative Services
Division of Finance

Victims:
Citizens

Number Affected:
~500

Types of Data:
"personal information"

Breach Description:
"Computer files containing the personal information of approximately 500 individuals may have been accessed by unauthorized persons during a security breach at the Utah Division of Finance."

Reference URL:
Deseret Morning News
The Salt Lake Tribune

Report Credit:
The Salt Lake Tribune

Response:
From the online sources cited above:

The personal information of nearly 500 people may have been hacked into at the Department of Administrative Services.

Computer files containing the personal information of approximately 500 individuals may have been accessed by unauthorized persons during a security breach at the Utah Division of Finance.

Officials there say it is highly unlikely that the perpetrator accessed the personal information, but the department is attempting to contact everyone whose information may have been breached.
[Evan] Due to the fact that the individuals that were affected are the actual owners of the information in question, additional details are required so that they can judge the risk for themselves.

"We are now taking steps to determine the amount of information, if any, that was accessed by unauthorized persons. Utah attorney general special agents assigned to the Identity Theft Task Force are investigating this matter,"

The state withstands more than 100,000 potential attacks a day and the Department of Technology Services has stringent security policies in place.
[Evan] I'm not sure why it this is important. 100,000 daily attacks is not really that much for any web site with a moderate presence on the internet. This number probably takes into account port scans and probes. I would guess that port scans, probes, scripts, and errant traffic account for 95+% of these attacks. It is good to read that Utah DTS is keeping tabs and blocking at the perimeter.

Commentary:
There are few details available pertaining to this breach. I was unable to find the press release mentioned in the article(s).

Past Breaches:
State of Utah:
September, 2007 - Stolen Utah Department of Workforce Services laptop exposes 2,000

Automating web application security testing

Mon, 16 Jul 2007 07:40:00 +0000

Posted by Srinath Anantharaju, Security Team

Cross-site scripting (aka XSS) is the term used to describe a class of security vulnerabilities in web applications. An attacker can inject malicious scripts to perform unauthorized actions in the context of the victim's web session. Any web application that serves documents that include data from untrusted sources could be vulnerable to XSS if the untrusted data is not appropriately sanitized. A web application that is vulnerable to XSS can be exploited in two major ways:

Stored XSS - Commonly exploited in a web application where one user enters information that's viewed by another user. An attacker can inject malicious scripts that are executed in the context of the victim's session. The exploit is triggered when a victim visits the website at some point in the future, such as through improperly sanitized blog comments and guestbook entries, which facilitates stored XSS.

Reflected XSS - An application that echoes improperly sanitized user input received as query parameters is vulnerable to reflected XSS. With a vulnerable application, an attacker can craft a malicious URL and send it to the victim via email or any other mode of communication. When the victim visits the tampered link, the page is loaded along with the injected script that is executed in the context of the victim's session.

The general principle behind preventing XSS is the proper sanitization (via, for instance, escaping or filtering) of all untrusted data that is output by a web application. If untrusted data is output within an HTML document, the appropriate sanitization depends on the specific context in which the data is inserted into the HTML document. The context could be in the regular HTML body, tag attributes, URL attributes, URL query string attributes, style attributes, inside JavaScript, HTTP response headers, etc.

The following are some (by no means complete) examples of XSS vulnerabilities. Let's assume there is a web application that accepts user input as the 'q' parameter. Untrusted data coming from the attacker is marked in red.

Injection in regular HTML body - angled brackets not filtered or escaped

Your query '' returned xxx results

Injection inside tag attributes - double quote not filtered or escaped

blah">">

Injection inside URL attributes - non-http(s) URL

javascript:evil_script()">...

In JavaScript context - single quote not filtered or escaped

In the cases where XSS arises from meta characters being inserted from untrusted sources into an HTML document, the issue can be avoided either by filtering/disallowing the meta characters, or by escaping them appropriately for the given HTML context. For example, the HTML meta characters <, >, &, " and ' must be replaced with their corresponding HTML entity references <, >, &, " and ' respectively. In a JavaScript-literal context, inserting a backslash in front of , ', " and converting the carriage returns, line-feeds and tabs into , and respectively should avoid untrusted meta characters being interpreted as code.

How about an automated tool for finding XSS problems in web applications? Our security team has been developing a black box fuzzing tool called Lemon (deriving from the commonly-recognized name for a defective product). Fuzz testing (also referred to as fault-injection testing) is an automated testing approach based on supplying inputs that are designed to trigger and expose flaws in the application. Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters. It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities. Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems. Besides XSS, it finds other security problems such as response splitting attacks, cookie poisoning problems, stacktrace leaks, encoding issues and charset bugs. Since the tool is homegrown it is easy to integrate into our automated test environment and to extend based on specific needs. We are constantly in the process of adding new attack vectors to improve the tool against known security problems.

Update:
I wanted to respond to a few questions that seem to be common among readers. I've listed them below. Thanks for the feedback. Please keep the questions and comments coming.

Q. Does Google plan to market it at some point?
A. Lemon is highly customized for Google apps and we have no plans of releasing it in near future.

Q. Did Google's security team check out any commercially available fuzzers? Is the ability to keep improving the fuzzer the main draw of a homegrown tool?
A. We did evaluate commercially available fuzzers but felt that our specialized needs could be served best by developing our own tools.