web application security lab

Archive for the 'General News' Category

Producer Seeking Secondary Ticket Market Hacker

Thursday, December 6th, 2007

Normally I don’t pass this kind of stuff along on ha.ckers (rather this generally winds up on sla.ckers) but I wanted to get this out to a wider audience as I’m not sure there are a lot of people who are involved in this who read sla.ckers. Anyway, I can vouch for this person, and if you want to talk to him about secondary ticket markets (in particular using timing to buy lots of tickets all at once, based on our conversation) let me know and I’ll forward his contact info to you.

I’m a producer for a cable network and am looking to do a story on the explosive growth of the secondary ticket market (Stubhub, Ebay, etc.). I’m not interested in doing an extended debate on the pros and cons of the free market system because I think that would be horribly boring. Rather I’m interested in exploring how programmers and software developers have figured out ways to take advantage of the arbitrage opportunities that the primary market system offers. The two most recent examples are a Hannah Montana concert that the “average” fan couldn’t get tickets for and the Colorado Rockies website crashing as they tried to sell their World Series tickets to the public. I’m looking to talk with as many people as possible about exactly how this works and anyone/everyone who might be involved in buying from the primary markets and re-selling on the secondary markets. Our conversations can be off the record and if we both decide it makes sense to move forward we can talk about shooting an on-camera interview for the story.

Btw, I love the title - I feel like a matchmaker. Is it Valentine’s Day already?

OWASP/WASC Appsec 2007 Wrap-up

Saturday, November 17th, 2007

Whelp, I’m finally back from the OWASP conference. I feel completely beat up (like I felt after DefCon this year). In a good way, of course, just too much stuff going on. Let’s focus on some highlights, shall we? There were tons of big names in the webappsec space there in full force. Not the least of these, whom I had wanted to meet up with, were Samy (a la Samy worm), pdp, Jeremiah Grossman, Dinis Cruz, Stefano Di Paola, Ryan Barnett, Shreeraj Shah, Tom Brennan and many more…

One noteworthy speech was from the work by Tom Stripling, where he was able to turn the gmodules.com XSS exploit into a Google.com exploit. I guess perhaps Google should read their own definition of cross site scripting that they quoted to me about this very same issue. Not to gloat too much but I really hope Google enjoys that slice of humble pie. I don’t consider myself to be Google’s enemy, but when companies don’t listen, they have no one to blame but themselves. That said, I did talk to Google while I was there, and they expressed an interest in working more closely together going forward. As always, I’m a sucker for level headed thinking, so hopefully something good will come of that (more on that in a minute). Hopefully Tom will send me some technical detail that I can publish to go into more detail about how it worked.

Ryan Barnett had a really interesting speech on how OWASP has set up a fairly large network of honeypot proxies to watch and log bad guys attacking others. It wasn’t that that part was interesting (we’ve known for a long time that you shouldn’t consider proxies to be a good way to anonymize yourself) but the data that he logged was really interesting - specifically the use of these networks for click fraud.

My speech went well - I thought it was supposed to be a 40 minute speech (all the others were scheduled for 40 minutes, but mine was scheduled for over an hour). So I had looots of time for Q&A. Whoops! My speech was about how browsers had been insecure in the past and how that evolved into what we know. I also gave some long term suggestions (which probably deserve a separate post, to be honest). There were some good questions asked, and I managed to convince everyone that I knew what I was talking about. What struck me was that not that many people in the webappsec space really knew much about browsers. It’s the other half of what we work on, so I think it’s critical that we keep a close eye on what browsers are doing and how they are evolving to help us be secure.

While I was there several people asked me to head up a browser security group, probably with six or seven members (to keep it lean, mean and potent). But the likely people involved will be a representative from two or three browser manufacturers (IE, FF and maybe Safari if we can find someone who’s interested over there) as well as a few large companies with web presence (like eBay and Google - both of whom have expressed interest). Perhaps we can push forward some of the changes I have been talking about for three or more years.

Samy’s speech was by far the best one I attended - not for the technical meat, because I think we are all pretty educated on the technical details by now, but because the story was just hilarious. Jeremiah and I got a picture with him wearing “Samy is my hero” shirts. I haven’t laughed that hard in a long time! But to quote a sanitized version of what one guy said, “Samy knew nothing about webappsec and one day he walked in, dropped his pants and took a huge dump on our industry and then left again. And we just looked around at one another and said, ‘What just happened?’” Yup, he completely changed our industry in ways that will probably never be completely understood. He may have caused a lot of trouble, but he really did come out with a lot of friends (myself included). One funny quote was that at some time some police officer pulled him over and mentioned that he had been convicted of theft and something else, and Samy said, “The theft charge is BS - I didn’t steal a million friends!” Cracked me up. Samy was not allowed to touch the computer during the speech, which required some coordination so that other people could write the PowerPoint deck and operate it during his speech. What a life!

The panel I was on (about vulnerability disclosure) was mostly uneventful although one comment made by Oracle set me off a little. They said they don’t work with people who do irresponsible vulnerability disclosure. I think that’s so backwards and something Microsoft has really gotten right. Companies need to understand that the only way they are going to get hackers on their side is to reach out to them and figure out what they know, what makes them tick and get the hackers to start working with them instead of against them. Not to pick on Oracle on that one, but I’ve seen that attitude a lot and I think it’s a dangerous route (one that I’ve seen fail countless times now).

Anyway, it was a great time, punctuated by lots of laughs, and I’m really looking forward to the next one in New York/New Jersey led by Tom Brennan. Having been to just a normal meeting there, I have high expectations for the next one. For everyone I met while I was there, thanks for taking the time to talk to me! It’s always nice to put faces to the names and have some interesting conversations with smart people.

In other quick news, there is an interview with me in (in)secure magazine and if you haven’t already seen it on Jeremiah’s blog, the WhiteHat roundtable was posted online. Also, there is a rumor that Fortify is releasing a 22 minute movie about hackers that I am in. Okay, maybe it’s not a rumor, but I’m not sure what the timelines are on that one or how they’re going to release it. I have gotten a sneak preview and it had a pretty interesting cast of characters in it. Lastly, id and I are doing a system migration this weekend, so if you notice(d) some downtime that’s what’s going on. Anyway, that is all for now!

Owning Ha.ckers.org - Or Not

Sunday, November 4th, 2007

Some people think I’m paranoid - as if the world is out to get me. Honestly, I’ve always just thought I had a healthy dose of reality. As a result I’ve taken some pretty insane precautions with this site to protect it from itself and its owners (myself and id). Thankfully, that time was well spent. Although yesterday I realized it probably just wasn’t enough. Sirdarckcat and Kuza55 decided they wanted to own ha.ckers.org by defacing it. Alas, not only were they unsuccessful, but they were unsuccessful in several different ways. Here’s how it _should_ have worked.

Firstly they posted a relevant looking link to one of the posts with a link to a site that I wouldn’t recognize, to social engineer me into looking at it (http://ultimatehxr.googlepages.com/httpresponsespliting.html). Btw, thanks for hosting malicious content, Google - way to keep your site clean! Next, they pop open two iframes - one to the paper in question which is actually written by someone else, and the other to a site (http://www.x.se/xjcj) that performs a redirection to Sirdarckcat’s site (http://www.sirdarckcat.net/blah2.html).

Next, the wannabes attempt to use the CSS history attack to detect if I have posted to this site. In doing so (without JavaScript - thinking that I use NoScript for all my JavaScript protection) they pop open an iframe to my site: (http://ha.ckers.org/xss.swf?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;) which is a vuln in NoScript. The “name” variable corresponds to a huge embedded payload. That payload contains an XMLHttpRequest that automatically posts their content to this site, with an additional bonus of a tracking pixel so they can see that it worked. Yup, that’s how it should have worked. Nope, it didn’t.

While we have some pretty insanely good mechanisms for protecting this site, ultimately we did have one hole, which was rectified by simply removing access to xss.swf - so if you used it for testing, I apologize, you can blame Sirdarckcat and Kuza55 for making your testing harder than it needs to be. I tried to provide access to tools, despite the additional personal burden of upkeep, but when they are abused I have to remove them.

So now the real question is what should I do about it? I went from being pissed off, to dumbfounded and back again. I decided not to post this yesterday for a few reasons, but mostly to collect my thoughts, but I still haven’t come up with anything I’m particularly in love with. Clearly banning won’t work aside from IP bans, and nuking their existing accounts on sla.ckers, both of which they could easily evade, so I’m a little short on options.

Do I publicly humiliate them? Do I remove all references to their pages everywhere on the site, since both of their sites should be considered malicious at this point? Do I post their docs? Do I test out the extradition treaties of Mexico and Australia (their respective countries)? Since they were doing it for credit do I show all the ways in which they were insanely sloppy (like building a site with my name on it for testing http://rsnakex.wordpress.com/)? Do I close up shop because my own readers are turning on me for no apparent reason (one of whom I had made a potential offer of a future position within my company - and no, that is no longer on the table)? I’m stumped. But one thing I do know - I’m not wearing a tinfoil hat for nothing.

Appsec Conference Coming Up On Nov 12-15

Wednesday, September 5th, 2007

If you happen to be anywhere near San Jose, California in mid November and have interest in web applications I suggest you check out the upcoming Appsec 2007 conference. The agenda isn’t nailed down, although I’ve seen a sneak preview of some of what has been proposed and it sounds pretty interesting. It’s going to be held at the eBay north campus, which is a really pretty campus, and home to much of eBay’s and PayPal’s security groups.

The nice part about this is we are starting to see some coordination between WASC and OWASP. I’ve felt like they were twin brothers who decided to do completely different things with their lives. Maybe we are paving a way towards either a consolidated or more well defined charter. Frankly, I’m just happy to see all the people who know what they’re doing showing up at the same time to the same place. I’m looking forward to it!

And We’re Off! Challenge 2 Underway

Monday, August 20th, 2007

For those of you who are interested, the second ha.ckers.org challenge is underway. Click here to begin the challenge. Everything you need is under that directory, and even after the contest is finished you are still able to participate, for those of you who don’t like the pressure of doing something in a certain timeframe. The forum is open for people who want to chat about this while they work. For everyone else, good luck!

Update: And the results are in! Pretty amazing times for the first several winners, and I’ll have to post on our “special winner” Stefan who managed to actually hack the test. Congrats to everyone who won! A spoiler is now live for anyone who is completely stumped.

2:04:53: NoS (Sergey Novotarskiy)
2:06:51: Stefan Esser
2:17:50: AviD
2:20:31: Mario Heiderich
2:21:00: christ1an
3:13:14: kuza55
3:17:22: Jibbler
4:32:43: barbarianbob
5:58:31: David Lindsay
6:22:45: fidels

And since he asked so nicely to be mentioned, Jesper came in 11th with a time of 6:28:05. DoctorDan followed at 6:52:11.

Cenzic Sues SPI Dynamics Over Scanning Patent

Monday, August 20th, 2007

It looks like Cenzic is suing SPI Dynamics (now owned by HP) over a patent infringement. Cenzic has patented fault injection. Cenzic obviously feels confident that SPI is infringing on the technology they have patented. It’s a strange move, given how many people have vested interests in making this patent go away. Now that Cenzic has become litigious it seems like it would be in the best interest of the industry and indeed all companies everywhere that use other scanning technology to get the patent thrown out. I didn’t care about this when I first read about it, but now that Cenzic has taken to suing companies, I feel compelled to take action.

Personally I hope that SPI wins this and the patent is thrown out for a number of reasons. I think the patent is obvious, has been done prior to their claims and has been invented by dozens of people and companies over the years who have released their findings under various copyrights and licenses (myself included - I built a number of tools that injected specific faults into systems as early as 1995 and let’s not forget SATAN written in 1993 and stuff like the PHF scanning worms in 1996). But most importantly it’s hostile to the industry as a whole. It would only make things far more difficult, inhibit innovation and reduce our ability to secure the Internet as a whole. I have nothing against Cenzic, but this patent must die. In the meantime, until this patent is thrown out, you are taking a risk if you have built any fault injection scanning technology that does not license Cenzic’s patent. Everyone else, please submit your prior art to the comments of this post or to SPI’s lawyers as you see fit.

Challenge Round 2

Thursday, August 16th, 2007

Okay, it’s time for the second round of the ha.ckers.org challenge. If you remember last time I didn’t do a particularly good job of giving people a heads-up that the challenge was happening. This time I’m giving you lots of warning. I also made it harder in a few small ways. id thinks it’s way harder, but we’ll see; I have a feeling it’ll be solved pretty quickly (it can theoretically be solved in under 5 minutes if you already knew how to solve it). Here is the exact time it will start. Please make sure you do the correct conversions into whatever timezone you are in:

Monday August 20th at 1PM Pacific Time (4PM Eastern Time).

This time I’ll be focusing less on HTTP and a lot more on “states”. That’s your one and only hint. When the clock strikes, I’ll remove the htaccess file and you’ll find the challenge sitting here. Feel free to use the forum to chat amongst yourselves before/during/after the challenge. id and I still haven’t come to agreement on the prizes, but if anyone wants to sponsor the challenge and give away some shwag, let me know. Otherwise it might be more tee-shirts since we still have a box full of them that we’ll need to give away at some point or another.

Again, the rules of the challenge and the directions are part of what you need to find. There are lots of things going on, and I tried to build on the same framework as last time, so having some familiarity with the last test might help you (or it might not). Either way, it’s tough, and requires work, so good luck to anyone who attempts it. For those of you who couldn’t figure out the last one, don’t bother with this one; it uses many of the same principles. I hope you guys like it - we are already coming up with some pretty out of the box ideas for the next one.

WebCast On Hacking Intranets

Thursday, August 16th, 2007

If you missed our Blackhat talk the other day and wanted to hear it, Whitehat is sponsoring a webcast this Tuesday. It’s on Tuesday, August 21, 2007 at 11:00 AM PDT (2:00 PM EDT). This is going to be almost a direct repeat of our Blackhat talk, so for those of you who already made it, don’t worry if you miss it.

We’ll be talking about a lot of the same concepts that we’ve already talked about on our individual sites, so if you are up to date and current with this and Jeremiah’s site, you probably won’t learn anything, but for those of you who tend to be hit and miss on the site and the technology, it’s probably worth it for you to join in to see a lot of what we talk about come together.

RSnake Puts Up

Friday, August 10th, 2007

I just can’t seem to avoid controversy lately. This time Billy Hoffman decided to take a stab at something I am still befuddled by. He claimed Jeremiah Grossman and I re-presented a paper from 7 years ago. Wow, I think someone must have missed our talk and/or failed to read the paper completely. We only mentioned timing attacks in passing and in totally different contexts. Further, I’ve never once claimed to come up with the concept of timing attacks. In fact, quite the opposite. If he had read my blog carefully he would have seen that I fully admitted I had first read about the concept of it in Hacking Web Applications Exposed 2. Then in Billy’s best showdown lingo I am given the ultimatum to put up or shut up. Eesh.

I’m really not even sure what Billy thinks we stole, because the one thing we talked about in regards to timing attacks was about measuring JavaScript error time to port scan intranets, which is a concept that is not once mentioned in the paper he cites. The paper is a really good one on other practical uses for timing attacks, however, it neither mentions intranets, nor does it mention port scanning. Not really the same application but similar techniques - you will get no disagreements from me there. I guess I could see why Billy could be confused. As a side note, as maluc pointed out this paper is where the concept of timing attacks originated and is far older than the paper Billy cites. Neither of which have much to do with our talk, but there you have it.

The only other thing I can think of that would confuse Billy is that we talk about our attacks as working with and without JavaScript. The paper Billy cites does mention a JavaScript-less version of an attack, but he was talking about using it to detect if you have been somewhere or not. Jeremiah and I have totally different (and far more accurate) ways to do that, which is actually what we discussed - we didn’t even touch on using timing attacks for that purpose because it’s so much less effective than the ways we have come up with over the last year and a half. Anyway, we didn’t claim to invent JavaScript-less attacks either. I know, I know, it’s crazy to think we came up with and built everything we said we did.

So just to cover my bases in the off chance someone can figure out a way I have trampled all over the intellectual rights of any of the aforementioned papers, I hereby cite Paul Kocher and Edward Felten for the concept of timing attacks, and Al Gore and ARPAnet for the concept of the Internet and every other concept my attacks have been based on over the years. Rest assured, unlike some people in this industry I never steal research, and if I do so inadvertently, I own up to it and publicly retract. I’ve done so dozens of times on my blog whenever I find out I am in error, whether I find my error on my own or when it is communicated to me, and that’s not about to change. And if I know that I am getting awfully close to copying someone else’s work, I always find a way to make it clear that that is what I’m doing. For the record I have no problem with SPI Dynamics - as I’ve been meeting more and more of them I’m getting to know and like them; Caleb, Michael and Jeff are all great guys. Even though we’ve had our bumps in regards to who originally came up with JS port scanning, which I am well beyond done arguing about, I actually like some of the stuff coming out of that camp. Anyway, this post probably isn’t interesting to anyone - unless you just happen to be trying to publicly disparage our work… or something.

Blackhat Pics and Roundup

Wednesday, August 8th, 2007

I’ve been absolutely buried since I got back. Let me try to race through the highlights. Firstly, if you haven’t seen Llana Grossman’s take on the con I suggest you do. It’s pretty funny actually. If you just want to jump to the pics, and avoid all the jibber jabber click here. So where to start?

id and I flew in on Tuesday, managed to find our way to our ghetto hotel (I do not recommend anyone stay at the Imperial Palace - although they do have a good Chinese place on the third floor). I ditched id who had to do work, and found my way over to Jeremiah’s room which vastly outclassed the Imperial Palace.

We all went down and got our badges, and managed to meet up with some Mozilla guys, some more WhiteHat guys and Robert E Lee from Outpost24 for dinner. Mozilla bought sushi for the table, as we talked about breaking the Internet. The speaker party was pretty fun, although I think a lot of people just wanted to bail to get a good night’s sleep. I know I did - we were second in the morning.

The talk went great - it was standing room only, and a few dozen people rushed the stage after it was over to ask questions. It was a really good audience actually. We showed how we could use a lot of the same old tricks we came up with a year ago without using JavaScript. I wanted to get an 0day up and running to explain why I could enumerate files on a Windows box without JS but I couldn’t get the demo working in time. Anyway, what I was able to show is how split VPN tunnels are dangerous. There’s a write-up on a potential (but fairly flawed) mitigation technique here. It’s flawed because it assumes you can block the things that bad guys are going to want to hack (like http://intranet/). To do so would break tons of functionality. But I encourage people to keep thinking about it.

There was another good thought that came out of it here, talking about safe cookies although cookies are only part of the problem. Kerberos, NTLM, basic and digest auth are all huge problems as well. Plus in many cases I don’t need any form of authentication whatsoever - that’s how my demo worked as a matter of fact. So good thought, but it’s a long way from getting us to where we need to be.

After it was over, id and I were having some interesting conversations about some of the other information leakage problems. I’d like to propose that we consider getting plugin manufacturers (NoScript seems like a likely candidate) to implement a concept of an intranet zone that prohibits referrers from being sent to Internet zones. Just a thought. It could also work in the browser, but I have a feeling it would break stuff.

I saw some good speeches - DNS pinning galore. I was actually pretty impressed by Billy Hoffman’s take on detecting DHTML malware. In talking with some hardcore AV guys, I think it’s kind of a lost cause, but it was a good take on a tough problem that not a lot of people have put much thought into.

As I’m sure you saw if you read my last post, we spent quite a bit of time talking with the Mozilla guys. They were much more interested in talking about Content Restrictions (if you’re unfamiliar with it, it’s basically a way to programmatically tell the browser not to trust your site - a concept I came up with 4 years ago and asked Mozilla to implement). They did, however, ask for me to come up with a few good things to implement. I’ll start another post on this in the next day or two when I collect my thoughts on the most valuable portions of that.

I hung out quite a bit with Dinis Cruz and a number of the other high level OWASP guys. I’ll probably end up doing a few OWASP talks and maybe a whitepaper or two with Dinis, but that’s gotta wait for some of the other stuff to settle down. The Microsoft party was a lot of fun - they got the entire top floor of Pure. I met a lot of interesting people and probably will be working on some interesting projects there. Btw, they also mentioned us on their security researcher thank you page for some of the vulns we’ve disclosed to them.

I also met Lance James (author of the anti-phishing book) for the first time. We’ve exchanged lots of emails and both belonged to APWG, but it was good to put a face to a name. Likewise with Portswigger (who built Burp Proxy), with whom I had a good long talk. Hopefully there is a lot more being built into the tool in the not too distant future. Rain Forest Puppy and I chatted a bit about disclosure stuff. I think there may be more coming there in the not too distant future. Lots to be done!

Anyway, I came back with a fist-full of business cards, about 200 urgent emails, three new tricks, four new things to research and a ruined liver. All in all, it was a great time. More follow-ups to come.