web application security lab

Archive for the 'General News' Category

WebAppSec Survey Time Plus A Fast Approaching DefCon and Blackhat

Sunday, July 20th, 2008

Yup, it’s about that time again. Jeremiah has put up yet another webappsec professional survey. If you haven’t taken a look at his previous surveys you should - some of them are actually pretty interesting. Either way, it’s worth looking at the results, even if you don’t take part in the survey itself.

Also, I should note that the time is quickly approaching in which we’ll all be descending upon Blackhat and DefCon. I’ll be speaking at Blackhat on Xploiting Google Gadgets and giving an abbreviated version of the speech at DefCon as well. I’m also doing another speech at DefCon with Rich Mogull, David Mortman, Chris Hoff, Robert Graham, and David Maynor called All Your Sploits (and Servers) Are Belong To Us. So if you are planning on being there, drop on by and introduce yourself! I hope to see you all there.

Searchable SWFs

Tuesday, July 1st, 2008

I got forwarded this link today from businesswire about how Google and Yahoo are now going to be armed with the information necessary to look at and extract information out of SWF files. Ho-boy, here we go. The link was sent to me with the “bad juju” caveat, and I’m pretty sure I agree.

The problem is, like anything, if the search engines start pulling down rich applications that actually interact with the web application, there are untold issues that could arise. For instance, Flash applications have quite a few rich features in them, and some of those could be dangerous if they interact with back-end applications. Also, if the word “test” appears in a Flash movie, does that mean it should get indexed? Or is it in a frame that’s not visible, or off the side of the page, or whatever? What if it takes ten minutes or dozens of sub-menus to find that particular line of text? Are people really going to sit for that?

Do people really want to load a Flash movie when they query for things? I know I sure don’t! I’m already annoyed when I get linked to PDF files or .docx files. I think this just takes searching to a new level where people don’t actually want to go. Instead of crawling deeper and refining their search, the search engines are going to new mediums to stave off the people (like myself) who have argued that Flash isn’t a good medium for accessibility, usability and SEO. SEO is going to be off the table soon enough, leaving accessibility and usability.

But seriously, what’s next? Are the search engines going to decompile Java applets looking for text? As a side note, this should, at least in the short term, lead to a new round of Flash hacking, once it goes live. I’ll give a tee-shirt to the first person who writes a Google dork for internal Flash text that leads to exploitation.

Blackhat Breach/OWASP/WASC Party

Thursday, June 26th, 2008

Notice how I’m always fashionably late to the party? Well anyway, this time is no different, but I highly recommend if you are heading out to Blackhat this year you try to hit up the Breach/OWASP/WASC party on Wednesday night. The details are on Jeremiah’s blog.

Think about it like this - Dinis Cruz is drinking and yelling at the top of his lungs something about creating a Warhol worm to “show them all”, Jeff Williams is yelling something about how whitebox scanning is the only answer, Ivan Ristić is talking so quietly I can hardly hear him, Jer’s wife does some MMA on the Whitehat Security newbies, Portswigger is yelling something in some crazy cockney accent that I can hardly understand - but I’m sure I’m agreeing with him on whatever it is. It’s just a great time. I hope to see you all there!

TJX Whistle Blower

Thursday, May 22nd, 2008

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistle blowing on their security issues. CrYpTiC_MauleR, whose posts on TJX can be found here, was fired today by TJX for talking about the company’s security flaws. This is the same company that recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistle blowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long time poster on sla.ckers.org and has made a lot of contributions. I, for one, feel terrible about what happened, and I implore the community to reach out to him on sla.ckers.org, especially if you are looking for someone to help out in any open positions you might have. I think the best possible outcome of this would be that he gets a better job for caring about consumer security at large. Only time will tell.

But as a side note, I must caution everyone who prefers full disclosure as a rule, to be particularly cautious when posting that information, especially when it’s under your own name or a name you use elsewhere that may be tied back to you. Many of the largest companies on earth post to or read this site regularly, and no doubt someone will take personal offense at your actions, so I encourage everyone by way of example to please protect yourself - especially from those who would claim to care about security. Only actions matter in this world.

State of Affairs

Monday, May 19th, 2008

This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially when I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and hence you had this website in all its glory. However, since I started my own company, I’ve had the fortune or misfortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.

That means I am now under contract with lots of the same companies I have talked about in the past. These same companies I have talked about in both positive and negative ways. Clearly I’m not out to screw anyone; the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about 1/3 of what I know. Another 1/3rd was stuff that could only hurt people with no positive gain and the last 1/3rd was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first 1/3rd (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.

Rest assured, my knowledge has increased a lot since starting this website due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid. ;)

That’s the down-side. The up side is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction that I make public, just as I did when I told everyone that I was starting my own company so I could no longer be considered an unbiased source of information.

I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is ha.ckers.org about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of Webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into its own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I, as of this moment, have been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same, with a somewhat diminished vocal profile compared to before.

I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there is no shortage of extremely vulnerable applications out there, as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.

Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.

I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone with over 7,000 total subscribers through various feed readers alone! For those of you who have followed this blog for the two years or so since I started it or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats. ;)

Scanless PCI

Tuesday, April 1st, 2008

Well, today is the day. We can finally stop having discussions about the value of PCI, because there is a new product on the market that solves all the business needs without the pesky problems of wishy-washy compliance regulations. It’s called Scanless PCI. The premise is pretty simple: go to the website, grab the code, throw it on your website and poof. You’re PCI certified. No fuss, no muss.

The beauty of this system is that everyone gets what they want. Awareness, certification, and of course, protection from PCI fines. We don’t have to sit around spinning yarns about what is and isn’t a secure web site, or what the definition of PCI 6.6 means or what have you. No more! I’m glad we can finally put this entire thing to bed. Not that I take credit cards, but I might just get it myself. It’s so easy!

Click A Link, Go To Jail

Thursday, March 20th, 2008

Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.

So now the real question is, would a user with no referring URL be worthy of investigation? Is this the newest wave in reasons to turn off referring URLs? I mean, seriously, what if the browser pre-fetches, or if an attacker puts a hovering iframe beneath the mouse, or they are using an older browser/plugin that allows spoofed referring URLs? Eesh. Again, I’m all for the noble pursuit, but seriously - this seems a little dangerous to me. Is clicking a link evidence enough of guilt? If so, can I now take search engines to court for trying SQL injection against me or for spidering and caching illicit content? And now have we given people plausible deniability: “I knew it was fake before I clicked on it” or “I was just seeing if it was an FBI site or not” etc.

<sarcasm> Be the first kid on the block to surprise your friend with an illegal version of a Rick-roll. </sarcasm> The act of clicking a link as evidence of guilt is almost certainly asking for trouble and abuse.

Sample code on how easy it is to not send a referring URL: <META HTTP-EQUIV="refresh" CONTENT="0;url=http://child-porn-site">
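The same grey area bites web applications that lean on the Referer header to tell "their own" requests from forged ones. The following is an added example, not code from the post: it runs three constructed requests through a naive Referer-based check and through a synchronizer-token check, and shows that a META-refresh-driven request (no Referer at all) sails through the first but not the second. The origin, session id, paths, secret and endpoint list are this example's own assumptions.

```python
"""Added example: why 'no Referer' is not a usable CSRF signal.

A navigation produced by <META HTTP-EQUIV="refresh"> arrives with no Referer,
exactly like a URL typed by hand or a request passed through a stripping proxy.
A policy that accepts Referer-less requests therefore accepts forged ones too.
Everything below (origin, secret, session id, endpoints) is constructed."""

import hashlib
import hmac
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example.test"           # assumed site origin
SECRET = b"constructed-example-secret"             # production: random, e.g. secrets.token_bytes(32)
STATE_CHANGING = {"/transfer", "/account/delete"}  # assumed endpoints that must carry a token


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)     # merged query-string and form fields


def referer_policy_allows(req: Request) -> bool:
    """Naive policy seen in the wild: same-origin Referer, OR no Referer at all.
    The 'no Referer' exemption exists because browsers and proxies legitimately
    strip it; a META refresh produces that same absence."""
    referer = req.headers.get("Referer")
    if referer is None:
        return True
    return referer.startswith(SITE_ORIGIN + "/")


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Synchronizer token bound to the session; the server keeps only `secret`."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_policy_allows(req: Request, session_id: str, secret: bytes) -> bool:
    """Token policy: state-changing endpoints need a token that matches the
    victim's session, regardless of method and regardless of Referer."""
    if req.path not in STATE_CHANGING:
        return True
    supplied = req.params.get("csrf_token", "")
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(supplied, expected)


def evaluate_scenarios() -> dict:
    """Run three constructed requests through both policies.
    Returns {scenario: (referer_policy_result, token_policy_result)}."""
    session = "sess-1234"  # constructed session id
    good_token = make_csrf_token(session, SECRET)
    legit = Request("GET", "/transfer",
                    headers={"Referer": SITE_ORIGIN + "/transfer-form"},
                    params={"to": "alice", "csrf_token": good_token})
    # Forged via META refresh: the browser sends no Referer header at all.
    via_meta_refresh = Request("GET", "/transfer", headers={}, params={"to": "mallory"})
    # Forged by a plain link on a third-party page: Referer points off-site.
    via_attacker_page = Request("GET", "/transfer",
                                headers={"Referer": "https://evil.example.test/"},
                                params={"to": "mallory"})
    return {
        name: (referer_policy_allows(r), token_policy_allows(r, session, SECRET))
        for name, r in [("legit", legit),
                        ("meta_refresh", via_meta_refresh),
                        ("attacker_page", via_attacker_page)]
    }


if __name__ == "__main__":
    for name, (by_referer, by_token) in evaluate_scenarios().items():
        print(f"{name:14s} referer-policy={by_referer!s:5s} token-policy={by_token}")
```

The `meta_refresh` row is the one the post is about: the Referer policy cannot distinguish that request from a bookmark, while the token policy rejects it because the attacker's page never had the victim's token.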

WASC Meetup at RSACon2008

Tuesday, March 18th, 2008

If you haven’t been to RSACon and are into the whole schmoozing aspect of the security industry, you need to book your flight right now. RSACon is basically a bazaar of vendors from all over the world, promoting their tools. There’s no substitute for it. I wouldn’t expect to go to it and learn anything from the talks, but it is cool walking around talking to the vendors, seeing the new terminology that they’ll be stuck with for the next 12 months, and getting the pitches. I personally love that con for the sellout aspect if nothing else. But wait, that’s not all…

For the last few years Jeremiah has been putting on the RSACon WASC meetup. It’s just a few hours for everyone to get together who’s interested in webappsec. The first year it was just a few of us. The next year it was around 100 people. It’s no doubt going to be even bigger. It just shows how big this industry is getting! So if you are interested, check out the details on Jer’s blog. If you happen to be in town, even if you’re not coming to the conference please drop by. I’m always up to meet webappsec people!

DoSing the DDoSer

Tuesday, March 4th, 2008

Well, it was a long Sunday. I was planning on going and hitting some balls on the golf course, but no, instead I spent the better part of the day dealing with a DDoS attack. Before it was completely killed 73 IPs were used to perform a flood of GET requests against sla.ckers.org. Thankfully we were able to thwart the attack by writing some tricky software to detect the attack and firewall it. But it was still the better part of a day dealing with it.

The end result was we found the attacker (the owner of www.au-p2p.info who apparently was made fun of at some point a year ago on the board). When pride goes too far, eesh! More on this user here. Cyberhacker665 is in at least some way affiliated with or owns evilzone.org. The attacker did a vanity search for himself before initiating the attack. The original IP was tracked back to the attacker’s ISP, who was sent an abuse email and now the user is offline for the time being. We effectively DoSed the DDoSer. It’s too bad, I had long forgotten about that post - apparently he hasn’t.

This wasn’t the first high volume traffic incident we’ve received (we’ve been slashdotted several times, and reached the front page of Digg and Reddit as well) and we get tons of attacks per day. But this was probably one of the worst. Just another day on ckers.org… Golfing would have been better use of a Sunday, even if I suck at it.
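The post does not say what the "tricky software" did, so here is an added example of the shape such a detector usually takes, written for this page rather than taken from sla.ckers.org. It parses combined-format access-log lines, keeps a sliding window of request timestamps per source IP, flags any IP whose GET rate exceeds a threshold, and emits the firewall rules an operator would apply (as strings, not executed). The log lines, window, threshold, IPs and paths are all constructed for the example.

```python
"""Added example: rate-based detection of a GET flood from many source IPs.

Not the software the post describes. It demonstrates the usual pattern:
parse the access log, count requests per IP in a sliding window, flag the
IPs that blow past a threshold, and hand the result to the firewall.
The sample log below is constructed; the threshold and window are guesses
that would be tuned against real baseline traffic."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format, as far as this example needs it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict with ip/ts/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_flood(lines, window_seconds: int = 10, threshold: int = 20):
    """Flag IPs that issue >= `threshold` GETs inside any `window_seconds` span.
    Lines must be in chronological order (as an access log is)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop timestamps that fell out of the window
        if len(q) >= threshold:
            flagged.add(rec["ip"])
    return sorted(flagged)


def firewall_rules(ips):
    """Rules an operator would apply for the flagged IPs (returned, not run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def build_sample_log():
    """Constructed log: three bots hammer the forum index (3 req/s each for
    10 s), while one ordinary client requests a topic every 10 s."""
    base = datetime(2008, 3, 2, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for sec in range(10):
        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            events += [(base + timedelta(seconds=sec), ip, "/forum/index.php")] * 3
    for sec in range(0, 60, 10):
        events.append((base + timedelta(seconds=sec), "192.0.2.7", "/forum/viewtopic.php?t=1"))
    events.sort(key=lambda e: e[0])  # access logs are written in time order
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120'
            for ts, ip, path in events]


if __name__ == "__main__":
    bad = detect_flood(build_sample_log())
    print("flagged:", bad)
    for rule in firewall_rules(bad):
        print(rule)
```

Two things the post's day illustrates and the code leaves to the operator: the threshold has to sit above whatever a Digg or Slashdot front-page burst looks like from a single NAT'd address, and blocks should expire, since the IPs in a flood like this are usually compromised hosts rather than the attacker's own.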

Res Timing File Enumeration Without JavaScript in IE7.0

Wednesday, February 27th, 2008

I’ve been meaning to post this since Blackhat last year, but I just finally got around to posting a working example. Using David Byrne’s res:// timing trick and a hybrid of Jeremiah’s META refresh blocking I was able to do the same thing David was but without JavaScript. Oh how funky it is though!

Here’s the demo (only works in IE7.0). The timing is large enough so that you can actually see a difference (varies between a 5 and 15 second difference for me per link - for reasons I am still unsure of). But it’s a big enough difference that it should be possible to measure the file’s presence. The hard part is keeping it going without a user noticing that their browser locked up on them for the many seconds required to run. Pretty funky demo, and normally I’d probably set a cookie to keep the data but I got bored of writing the demo since I don’t think it’s especially practical. But you get the idea.

In other news, I should also mention that I got back from the Minnesota OWASP meeting. I was really surprised to see how many people came out to see me (probably 75 or so). All really nice people and I was impressed by Kuai and the entire setup. Very nicely done. I think my slides will be posted today or tomorrow. I guess Bruce Schneier spoke there the month before I did, so these guys definitely have got their eye on the heavy hitters for those of you on the speaking circuit. I also spoke on Minnesota Public Radio as well, which was kinda fun. I hope it continues to grow!

I missed Schmoocon and DC Blackhat but here is the unofficial list of my upcoming cons: Source Boston (leading a panel), RSACon 2008 (just visiting), TRISC (speaking), Secure360 (speaking - unconfirmed), Super Secret SANS Conference to be talked about at a later date (speaking), OWASP Denver (speaking - unconfirmed), World OWASP NYC 2008 (speaking). So yah, busy busy busy…