web application security lab

Archive for May, 2007

Malware Stats or Ghost in the Browser

Tuesday, May 15th, 2007

I found an interesting link after visiting Zeno’s post on a Malware paper produced by Google to document malware on the internet. Firstly, let me start by saying, this is a really good paper, as it discusses the ways in which malware propagates. Not that it’ll be news to anyone who reads this site religiously, but it’s still interesting to see all our theories validated.

Secondly, be wary of the statistic that 1 out of 10 websites have malware. Google hand-selected 17 million and only did a deep dive into 4.5 million sites out of their own repository. It’s well known that Google does not spider the entire Internet (it’s a very small portion in reality), and also, they picked those URLs because they were likely conduits. They weren’t arbitrary. So let’s just take that statistic off the table. Yes, the Internet is a scary place, but not 1-out-of-10-sites-actively-trying-to-screw-you scary.

But back to the interesting stuff for a minute. They attribute a large number of the exploits found to website vulnerabilities, including those in ASP and PHP, and additionally a big chunk was delivered through holes in the site that allowed XSS. That XSS may have been intentional, in the case of widgets or advertising, or not, but in the end, it’s bad.

I should also point out that this doesn’t say anything about sites that attempt to do things like CSRF, or servers that have been compromised in other ways that allow the attacker to quietly steal user data. For instance, SQL injection or server vulnerabilities that just allow a back door into the system to pull confidential info out of the database.

One point that I’d like to make on top of this is that the two things that were able to cause most of these problems were remote JavaScript and iframes. I just don’t see many applications for those technologies that, as a user, I care about (ads and widgets are pretty low on the list of what I care about seeing in my browser as a consumer). I am an edge case as a user, I’ll admit. But as nice as Web2.0 is, not getting malware is even nicer.
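Since remote JavaScript and iframes are the two inclusion vectors singled out above, here is an added example (not code from the post or from Google’s paper) that lists every script or iframe a page pulls from a host other than its own, so a site owner can review what third-party content their pages load. The sample HTML and hostnames are constructed.

```python
"""Added example: find remote script and iframe includes in an HTML page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _IncludeCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.includes.append((tag, src))


def remote_includes(page_url, html):
    """Return [(tag, absolute_src)] for every script/iframe whose source lives
    on a different host than the page. Relative and same-host sources are
    dropped because they are the site's own content; about:blank and similar
    non-network sources have no host and are dropped too."""
    page_host = urlsplit(page_url).hostname.lower()
    collector = _IncludeCollector()
    collector.feed(html)
    found = []
    for tag, src in collector.includes:
        absolute = urljoin(page_url, src.strip())
        host = urlsplit(absolute).hostname
        if host and host.lower() != page_host:
            found.append((tag, absolute))
    return found


# Constructed sample page: one local script, one ad-network script and a
# 1x1 iframe, the shape of include the post says causes most of the trouble.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example-network.test/serve.js"></script>
</head><body>
<iframe src="//widgets.example-widgets.test/w.html" width="1" height="1"></iframe>
<iframe src="about:blank"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in remote_includes("http://www.example.test/index.html", SAMPLE_HTML):
        print(f"{tag:6} {src}")
```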

BioPassword Biometric Password Timing

Tuesday, May 15th, 2007

I’ve heard this technique dozens of times, and each time I hear it I think it’s the unfortunate reality that someone probably got money selling the idea to someone who didn’t know better, before realizing themselves that it’s really not a great idea, and now they have the unfortunate task of selling it to people who do. BioPassword (not to single them out, because others have come up with this same concept too) attempts to test the timing and the pattern that people use to type in their passwords, in an effort to stop password theft and replay. Where to start?

Firstly, we have to ignore the obvious problems, like getting a paper cut and making you type weird, or being drunk, or eating a sandwich and typing your password in with one hand. And I thought fingerprint biometrics were annoying! Of course you can bypass this by having it ask you more questions. There’s a good idea - let’s train people to give up their secret questions after typing a valid password.

But really, the adoption of this technology is almost non-existent, and if it ever were widely adopted, all a bad guy would have to do is watch the timing of keystrokes in JavaScript space and replay them in the same way. This isn’t exactly rocket science to defeat. It’s an interesting take, and I’m glad people are thinking about it, but this isn’t going to solve the problem it was intended to.
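To make the two objections above concrete, here is an added toy verifier (not BioPassword’s code or the post’s) of the kind described: enrolment builds a per-interval profile of the delay between successive keystrokes, and verification rejects attempts that drift too far from it. It shows that ordinary variation (typing one-handed) fails while a verbatim replay of one observed login passes, because the profile only measures timing, not who produced it. All timings are constructed, not measured.

```python
"""Added example: keystroke-timing profile verifier and why replay defeats it."""
import statistics

# Constructed enrolment samples: milliseconds between successive keystrokes
# of an 8-character password, typed seven times by the legitimate user.
ENROL_SAMPLES = [
    [120, 95, 140, 110, 130, 100, 115],
    [125, 90, 150, 105, 128, 104, 118],
    [118, 99, 138, 112, 135, 98, 112],
    [122, 93, 145, 108, 126, 101, 120],
    [119, 97, 141, 111, 131, 103, 114],
    [124, 92, 136, 109, 129, 99, 117],
    [121, 96, 143, 107, 132, 102, 116],
]


def enrol(samples):
    """Profile = (mean, stdev) for each inter-key interval position."""
    return [(statistics.mean(c), statistics.stdev(c)) for c in zip(*samples)]


def verify(profile, attempt, z_limit=3.0):
    """Accept only if every interval lies within z_limit standard deviations
    of the enrolled mean. Returns (accepted, worst_z_score)."""
    if len(attempt) != len(profile):
        return False, float("inf")
    worst = 0.0
    for (mean, sd), delay in zip(profile, attempt):
        if sd > 0:
            z = abs(delay - mean) / sd
        else:
            z = 0.0 if delay == mean else float("inf")
        worst = max(worst, z)
    return worst <= z_limit, worst


def demo():
    """Three cases from the post: a normal login, the same user typing with
    one hand (every delay stretched), and an exact replay of an observed login."""
    profile = enrol(ENROL_SAMPLES)
    genuine = [121, 94, 142, 110, 130, 101, 116]
    one_handed = [d * 2 for d in genuine]   # paper cut / sandwich case
    replayed = list(genuine)                # observed once, replayed verbatim
    return {
        "genuine": verify(profile, genuine)[0],
        "one_handed": verify(profile, one_handed)[0],
        "replayed": verify(profile, replayed)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:11} accepted={accepted}")
```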

Master Recon-Tool (Mr. T)

Saturday, May 12th, 2007

So the Seattle (beta) Toorcon was fun today. On top of learning a bunch about technologies that I just never get any time to play with (and probably a lot more to discuss there in the future after I do some more research with some of the people I met this week) I had a pretty successful talk. My talk was based on recovering information that the client freely gives up for more targeted exploitation. If you remember Ronald’s Black Dragon project, you’ll see striking similarities in this. I felt terrible building this, like I was ripping him off, but I assure you, there was no code-reuse and it’s for a different purpose than his code. Ronald’s code was meant more as a demonstration of what we know, my code is meant more as an actual tool, even though for the most part it does the same stuff.

So I took the same general concept of things like the JS environmental variables page and Ronald’s page, plus a few other goodies like the MHTML vuln and attempting to locate local HTTP ports, etc… and I threw it all together into one piece of code that can be called from JS space. If you want a demo of what it looks like go visit the Master Recon-Tool (Mr. T). You will see very different results in IE and Firefox. If you want the full effect in IE, visit Gmail in IE7.0 before viewing the recon tool. That bug will get fixed soon enough, but for the time being it works.

Mr. T combines all that into one place so that you can gather a great deal of client based info through a single XSS hole. Then by taking the DOM and dumping it into a form that you submit to a logging server, you can know pretty much everything you want to know about breaking into the machine in question.

So essentially, this tool is a) portable, b) extensible and c) buggy as it gets. It’s sorta meant to be buggy though, partially because it’s not thoroughly thought out since I’ve been moving around so much this month, and partially because it doesn’t need to be 100% accurate. It does work pretty well though. It’s meant to be modified as much as it makes sense to, which is why I wrote it in Perl and made it as clear as possible what I was doing under the hood. Sure, specific vulns will get fixed, and sure, new things will need to get added, but ultimately, this is one of the best ways to do browser based recon out there. You can download the source to the project here if you want to play with it.

BlueHat Pics

Friday, May 11th, 2007

I’m finally finished with all the Microsoft talks for this week. It was a lot of fun this week - I had more and more fun as the week went on, which coincided with my health improving (I had a bad cold this week). Thankfully, I was up for today, because I had a really good meeting, but let’s start from the beginning.

The first two talks went well. They were to the executives. Unfortunately they were also pretty short so I didn’t go into nearly as much technical meat as I would have liked to, but it was a nice high level overview on how small holes are really a big deal in the webappsec space. I ended up spending most of my time talking with a few key people in MSRC and IE while I was there. There was a big reception party that night, which I barely remember because I was so sick, but I got to meet Dan Kaminsky from Ioactive amongst the sea of blue. There were actually a lot of hackers and security researchers there, it turned out. Caleb Sima from SPI, for instance, was there. There was some good tech talk - but an elephant could have been in the room and I probably wouldn’t have noticed - I was that out of it.

The next morning I felt 1000x better. I was the last presenter. Rob Thomas kicked off the day with a talk on hacker economics. It was a nice high level whirlwind of what bad guys are up to. The Flexilis guys demonstrated a bunch of bluetooth 0day and also demonstrated their bluetooth sniper rifle that can steal info off of a cell phone from over a mile away (how they got that thing on the plane still amazes me). David Maynor and Robert Graham had a really nice demo on reverse engineering exploits. It was fast and furious but very nicely done. I wasn’t the only one who was sick that day though; Bunnie was also recovering from some serious jetlag, but those guys managed to pull off a really good speech on why DRM isn’t interesting. I would have to agree.

I was able to deliver my full presentation in the main convention hall (which incidentally looks a lot like the senate in Star Wars). Cool convention center. My speech went off without a hitch. I demonstrated some of the obvious holes, like the MHTML stuff, which they are very much committed to fixing now, among other known issues. Ultimately, it went really well. After it was over we all split up for the most part. Only a handful of us stayed. The Errata guys and I headed over to get some food with Caleb, Dragos and some of the Ioactive crowd. Funny stories, too much to go into but by the end of the night, it was just the Errata guys, Caleb and me. Not a crowd you want to bring home to mama.

I managed to crawl into bed around 3:30 after punching out some emails. Today I went over to MS again, solo this time. I met with the IE team so they could do a Q&A with me. And when I say the IE team, I mean the whole IE team. It was such a good turn-out that we had to take multiple pictures to get everyone in it. See here and here (and that’s after a bunch of people bailed too). It was a really great showing and I think we got more work done in that hour than I did the entire time I was here this week.

After it was over I got a chance to sit down and watch a preso by Bob Fish on Microsoft’s XSS library. The interesting part is how seriously they are taking this (thankfully). Bob’s speech basically laid down the law on the fact that MS was to use this framework for all its new websites and eventually retroactively start using it on every site. I’ve mentioned it before, but if you run ASP.NET go check out the anti-XSS library. Cool stuff.

After it’s all said and done, I really get a great deal of confidence in what MS is doing (not that it couldn’t deal with improvements here and there, but at least they aren’t going on the wrong path). Yes, like any massive company they have flaws, and some of those flaws are holy-crap type flaws but thankfully, it’s clear they’re committed to doing the right thing where possible. And since they control the vast population of unwashed internet users, they also have the most potential for fixing the problems. Anyway, feel free to check out the rest of the pics. I’ll be talking at Toorcon tomorrow.

BlueHat Errata

Friday, May 11th, 2007

Well BlueHat is officially over, although I’m still in meetings - I’ll post some details and some of the photos later. Meanwhile I’ve been meeting a lot with the security teams (as you probably would have guessed). I did end up getting quite a lot of technical meat out of them, most of which is for a later date, but two things in particular struck my interest because they were things I personally had gotten wrong over the last few months, and I wanted to correct myself before someone else did.

The first is that somewhere, at some point, someone mentioned that the bug was closed in IE7.0 that allowed webpages that did not set charsets to be framed and inherit the charset of the parent frame. Alas, it has not been fixed. Someone told me, or maybe it was on a blog somewhere, perhaps. At any rate I didn’t attempt to verify it for myself. So I’m pretty sure at some point I mentioned it on the forums or on the blog, but anyway, it’s not fixed. Initially, as I found this out, I thought, “Whoah, that’s bad.” But as I talked with the MS guys, I realized it’s really not that bad if you take it in the context of the situation in which it has to manifest itself.

For that bug to work it has to be a site that you cannot find XSS in (otherwise why bother with this convoluted method?). So that leaves the remaining 20%, or whatever percentage of sites you cannot XSS directly, 10%… whatever the real number is. Then that same site needs to omit its charset. That leaves a pretty damned small number right there. Then you also have to find some way to inject some text into the page that would otherwise be blocked if it were traditional XSS. So yeah, while this does have some potential for exploitation, it’s pretty damned statistically insignificant from what I can tell in how many additional sites it would allow you to XSS. Still, it needs to be fixed, and the MS guys are indeed fixing it, but I’m not going to run screaming through the streets over that one.

The second mistake I’m sure I’ve made at some point was surrounding HTTPOnly. I’ve heard from a lot of different people that HTTPOnly cookies can be read by XMLHTTPRequest. Stupidly, I told MS that without blinking an eye, having never verified it for myself. Thankfully they went and verified, and whoops, I was misinformed. After they nicely told me I was on crack I went and figured out what was going on. That is true in Firefox, but Firefox doesn’t support HTTPOnly yet anyway, so who cares? IE quietly and nicely ignores those headers as it should. So while I’m sure other people blindly believe HTTPOnly is broken in IE7.0, I’m pretty certain that unless you can somehow trigger the TRACE method again inside XMLHTTPRequest, it’s not broken by what we know today - I won’t speak for tomorrow, though. :)
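Both corrections above come down to response hygiene a site owner can check for: whether a page declares its charset (the precondition for the framing bug) and whether session cookies carry HttpOnly. The following added audit function (my example, not anything from MS or the post) checks both on one response; the headers, cookies and body are constructed samples.

```python
"""Added example: audit an HTTP response for a missing charset and cookies
that lack the HttpOnly attribute."""
import re

# Matches <meta charset="..."> and <meta http-equiv="Content-Type"
# content="text/html; charset=..."> in the response body.
_META_CHARSET = re.compile(
    rb'<meta[^>]+(?:charset\s*=\s*["\']?([\w-]+)'
    rb'|content\s*=\s*["\'][^"\']*charset=([\w-]+))',
    re.IGNORECASE,
)


def _header_charset(content_type):
    """charset parameter of a Content-Type header value, lower-cased, or None."""
    for part in content_type.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "charset" and value:
            return value.strip().strip('"').lower()
    return None


def declared_charset(headers, body):
    """Charset the response declares (header first, then <meta>), or None."""
    from_header = _header_charset(headers.get("Content-Type", ""))
    if from_header:
        return from_header
    m = _META_CHARSET.search(body)
    if m:
        return (m.group(1) or m.group(2)).decode("ascii").lower()
    return None


def cookies_without_httponly(set_cookie_values):
    """Names of cookies, from a list of Set-Cookie values, lacking HttpOnly."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def audit(headers, set_cookie_values, body):
    """Findings a reviewer would raise for this response."""
    findings = []
    if declared_charset(headers, body) is None:
        findings.append("no charset declared (header or <meta>)")
    for name in cookies_without_httponly(set_cookie_values):
        findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


# Constructed sample: charset omitted, session cookie without HttpOnly, and
# a second cookie set correctly for contrast.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_COOKIES = ["SESSID=abc123; path=/", "pref=blue; path=/; HttpOnly"]
SAMPLE_BODY = b"<html><head><title>login</title></head><body></body></html>"

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_BODY):
        print("-", finding)
```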

I feel better now that I’ve set the story straight on that. Anyway, this isn’t the only thing I got out of the conference - don’t worry, but it was probably the most urgent thing for me to take care of talking about.

Phishing Social Networking Sites

Tuesday, May 8th, 2007

Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher’s perspective. The phisher goes by the name “lithium” and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words - unmodified:

How would you describe yourself? Age? Did you go to school? Interests?

Determined is the best word to describe myself. I’m 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and last but not least... the Internet!

How did you get your start in phishing? How did you get interested in it?

The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.

How long have you been phishing?

I’ve been phishing since I turned 14. So that’s nearly 5 years.

Do you have any idea how many people’s identities you’ve stolen so far?

Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.

Did you need to forge any particular relationships with other people/groups to get started?

No, when I started I went solo. A lot of groups came to me asking if I wanted in; I declined.

What types of sites make the best phishing sites?

Social networking sites, any site that involves teenagers ranging from 14 years old upwards.

What are the steps you take to set up a phishing site?

I try to find a domain name that would best suit the current target. Try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host. (Offshore are the most reliable.) Although, I do tend to use compromised hosting accounts.

Secondly, I view the page source. Then I alter the source code to post the form’s information to my phishing site.

Thirdly, I create a PHP file which will POST the current form’s information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it’s merely a few lines of PHP code.

How many people do you typically phish per site you post?

That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.

How do you monetize the identities and how much does that net you?

Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following: paypal/egold/rapidshare/ebay accounts, or even the email account itself, I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest; the more time I invest the greater the outcome.

Are there any costs associated with phishing?

Yes there are costs. A dedicated server, VPN, Network encryption software and time.

What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?

For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it’s great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn’t anything fancy, a standard 1mb ADSL line.

How do you keep yourself safe from being caught?

I use VPNs, dedicated servers, proxies and my network traffic is encrypted. All payments are made through egold.

Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?

Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.

Do you foresee any changes to the phishing industry that are worthy of note?

No.

Anything else you’d like to share/last words?

Lazy web developers are the reason I’m still around phishing.

Pretty telling on the current state of affairs, I’d say. The first interesting point I took from this was that IE7 and FF2 are actually a somewhat okay deterrent. From the looks of it, it hasn’t made much of a dent - only changed the tactics that phishers use. I suppose we could have guessed that, since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making a dent at all. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.

The second is that the password is used in more than one place 50% of the time - we already knew that but it’s interesting to hear it from a phisher’s perspective on how that’s actually useful to help monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?

Halt IE7.0 Tab

Monday, May 7th, 2007

While doing some tests I ended up writing a piece of JavaScript that has some weird effects. It is based on the CSS history hack, but for some reason it causes MSIE7.0 to hang in a really funky way. Click here in IE7.0 only if you want to halt your tab. This only affects the tab you are currently on and it still allows you to open other tabs. But the tab you are on becomes unusable.

I’m not sure what this could be used for other than a simple DoS, but the weird part is this doesn’t affect the CPU or take up memory or anything that a normal DoS does, it just makes it unresponsive to doing anything within the tab. Weird, huh? Anyway, it was something I found a few weeks ago, but never got anything useful out of it.

CAPTCHA Proxy Service

Sunday, May 6th, 2007

One concept I have been playing with a lot lately is interesting ways to take the robot out of CAPTCHA solving, but still solving it subversively. Sure, we came up with the mechanical turk methods, the porn proxy, using kids’ games, and a variety of other low tech solutions. However, the other day, I came up with a concept for an actual service that does this. Let me explain:

CAPTCHAs or any automated Turing tests in general attempt to see if the consumer is a robot or not by throwing up an image to test if the human can read them. The reason why webmasters use them is so they can detect if the user is real or not. So webmasters have a need, and spammers also have a need. Webmasters want to detect if a user is really a person or not, and a spammer wants to solve those CAPTCHAs in whatever way is effective. So here’s the concept.

By setting up a central proxy with APIs for webmasters you can solve both problems at once. The webmaster gets to have unique CAPTCHAs by using the API to query the proxy. The proxy pulls a CAPTCHA from somewhere on the Internet that a spammer wants to break. The spammer uses their own API to decide if the consumer typed in the correct solution or not and sends a decision back to the webmaster through the proxy. The webmaster then can allow the user to succeed or fail as they choose. The only motivation for the black-hat webmaster to do this is if they represent a lower value target than the websites that the spammer tends to attack and/or if they don’t care about other websites’ problems with security.

Of course this is entirely black-hat, and provides no good service whatsoever, but it does solve two different people’s problems at the same time. Of course this symbiosis does introduce latency by slowing the consumer down while they wait for the proxy and the spammer to validate the entry. Maybe a credit system would need to be put in place based on the latency time to ensure quality. This service exploits one of the two fatal flaws in CAPTCHAs: even if one works perfectly and can detect whether it is a person or not, it cannot detect their intentions (the second being that if it is created by a computer it can be read by a computer). Yah, evil, I know.

Turn Any Page Into A Greasemonkey Popup

Sunday, May 6th, 2007

I was searching for an old Greasemonkey plugin and ran across some weird behavior. Greasemonkey apparently looks at the URL of the page you are going to, and if it ends in .user.js it instantly believes it is a Greasemonkey plugin. There is no way to get around it (it even works if Greasemonkey is disabled, it turns out). I’m not exactly sure how an attacker would use this against a user other than perhaps a DoS attack with a lot of these. But here is an example of what I’m talking about (only works if you have it installed).

You could do this with any domain simply by adding an extra parameter to the end of the page. This could be used in some form of detection, or could lead to some other form of exploitation as it does download the file to something like file:///C:/DOCUME~1/USERNA~1/LOCALS~1/Temp/test.user.js (although you would have to enumerate the 5 chars of the username to do anything useful with it). It also can be any MIME type, such as images, for instance. It doesn’t help to switch rendering engines to IE though, because the .js extension won’t allow IE to render it, even if it isn’t JavaScript. Anyway, it was more odd than anything and maybe someone else can find some way to exploit it - I for some reason thought Greasemonkey at least looked at the first several lines of the file before deciding something was or wasn’t a Greasemonkey script. Guess not!
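The check the post expected, deciding from the file’s first lines rather than from the URL suffix, is easy to state: a Greasemonkey user script carries a ==UserScript== metadata block (@name, @namespace, @include and so on) at the top. The following added example (mine, not Greasemonkey’s code) parses that block and treats a .user.js URL whose content lacks it as not a user script; the sample files and hostnames are constructed.

```python
"""Added example: recognise a user script by its metadata block, not its URL."""
import re

_BLOCK = re.compile(r"//\s*==UserScript==\s*\n(.*?)//\s*==/UserScript==", re.DOTALL)
_KEY = re.compile(r"^\s*//\s*@(\w+)\s*(.*?)\s*$", re.MULTILINE)


def userscript_metadata(content):
    """Return {key: [values]} parsed from the ==UserScript== block, or None
    when the content has no such block (binary data, plain HTML, or a .js
    file that is not a user script)."""
    if isinstance(content, bytes):
        try:
            content = content.decode("utf-8")
        except UnicodeDecodeError:
            return None  # not text at all, e.g. an image served as x.user.js
    m = _BLOCK.search(content)
    if not m:
        return None
    meta = {}
    for key, value in _KEY.findall(m.group(1)):
        meta.setdefault(key, []).append(value)
    return meta


def looks_like_userscript(url, content):
    """The URL suffix alone is not evidence; require the metadata block too."""
    return url.lower().endswith(".user.js") and userscript_metadata(content) is not None


# Constructed samples: a real user script, an HTML page served under a
# .user.js name (the post's case) and PNG bytes under the same name.
REAL_SCRIPT = """// ==UserScript==
// @name        Example Tweaks
// @namespace   http://example.test/
// @include     http://example.test/*
// @include     https://example.test/*
// ==/UserScript==
document.title = 'tweaked';
"""
NOT_A_SCRIPT = "<html><body>Hello</body></html>"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    url = "http://example.test/page?x=test.user.js"
    for label, sample in (("script", REAL_SCRIPT), ("html", NOT_A_SCRIPT), ("png", PNG_BYTES)):
        print(f"{label:7} user script: {looks_like_userscript(url, sample)}")
```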

Do We Need a Security Industry

Saturday, May 5th, 2007

I ran across Sylvan’s post today about an article by Bruce Schneier about the state of the security industry. Now let me be clear, I have tremendous respect for both of them, but I also have a lot of practical real-world experience to draw on, so here are my comments. Bruce and Sylvan both believe that it is better to be more secure first rather than building add-on services. I could not agree with this more. However…

What came first - the chicken or the egg? How can you know something consists of bad security before it gets broken? Clearly, we look at our past and make assumptions about the future state of the security model. We know what can’t work because we know what hasn’t worked. From that we extrapolate concepts and build frameworks that we believe solve the issues. But keep in mind that programmers are still flawed creatures.

Programmers make mistakes - they are lazy, make shortcuts, make concessions for functionality and ultimately make technical errors. It’s a fact. To my knowledge there has never been a secure programming language for web technologies or a 100% secure framework (if someone can point me to anything practical and flexible I’d be interested in it). Ultimately, I am actually somewhat surprised by Bruce’s position. If you look at his first book - Applied Cryptography - he basically stated that all security could be solved by good math. In his second book - Secrets And Lies - he basically said, “Hey, you remember that last book I wrote… wow, I couldn’t have been more wrong - humans are error prone creatures.” He really matured as a security expert between those two books in my mind. He started off as an academic and he ended up being a practical security expert. The math behind what we were all trying to build was fine (well, sometimes anyway), but it was the fact that people write their passwords on sticky notes and pick passwords that are their dog’s name that makes security flawed. But even putting all that aside, there is a lot of legacy code out there to overcome.

Now let’s get to the meat of this. Sylvan was critical of my conversion to not despising the use of WAFs in production environments. When I suggested to my client that I believed a WAF was a good solution (for them, in their particular situation) you have to understand that this was not a situation where they had the ability to pick a secure platform. It was far far too late for that. For them to choose a path other than a reactionary one would have proven to cause tremendous delays in their ability to protect themselves, and they were under grave and persistent threats. So asking them to embrace a secure platform is irrelevant to their current real world security needs. Here is where I think Bruce may be slipping back into academia. I don’t believe these issues can be solved by secure programming/frameworks, etc. This issue is far too complex. Simply put, complexity is the bastion of flaws.

In my experience the real-world issues that companies face are a hybrid of business issues, legacy code, acquisitions, third party complexities, client side security, poorly thought out input/output validation, un-patched systems/code, failure to follow the model of least privilege, and a thousand other smaller issues. To say that you can point to one thing and solve all of them or even most of them is understating the problem we currently face.

Again, I have the utmost respect for Bruce, and to his credit he did come around at the end of his article, stating that the products were going to be around for the rest of our lifetimes; I just think that these issues are not as trivially solved as this. I do agree with him that the IT industry is attempting to turn security into a commodity. However, as technology advances hackers will find their way around whatever tools are put in place. I disagree that security will fall out of the public’s eye - it may wane, but only as long as it takes for the next wave of attacks to surface.

So, sure it would be fantastic to build secure coding practices, and I agree that things like that would help out, but it’s far too late for the companies out there that already have these problems. Yes, companies should adopt this, and yes, they should take proactive measures. In the meantime, bolt-on-solutions are a practical pseudo-solution for the flaws we will continue to face until widespread adoption of better coding practices is commonplace. I’m not holding my breath.