web application security lab

Archive for the 'Random Security' Category

Facebook Privacy Issues

Sunday, January 6th, 2008

This actually comes a few months late, but I’ve read enough about it that I think it’s worth talking about. There’s an article on the Silicon Insider talking about the newest integration between Facebook and Blockbuster, Fandango and others. Had I not already heard all the details and fallout I probably would have said, “Sounds like a complicated threat model. I hope someone did their homework.” Alas, they did not.

What’s fallen out from this is a privacy issue that’s complex and fascinating. Firstly, the title of the Silicon Insider article is pretty telling: “Do You Want Your Grandmother to Know You Bought Porn? Well Learn to Opt Out.” Facebook has taken an interesting stance towards your privacy. You can opt out of them giving it to people you are friends with. The opt-out process is in question, as is the concept in general. One of the best examples I’ve heard of why this was a problem is that it ruined people’s x-mas presents, because the purchase was displayed on their friend’s Facebook profile.

It’s clear that this is just another way to monetize their users, and not a feature that consumers typically feel comfortable with. Of course, if you aren’t buying anything bad, you have nothing to worry about. But even still, do you really feel comfortable with your friends knowing everything you’re buying? Do we have any privacy anymore? This is getting to be a pretty voyeuristic society - because it’s easy to monetize people’s privacy by taking it away from them.

I’m not particularly upset with Facebook, in particular - they are hardly the first company to forsake people’s private information for monetary gain. But I think this sort of behavior is only making people distrust social networking. It should be noted that some of the people who built some of the largest social networking sites in the world are also data mining experts - it’s not a leap to figure out why those two are a dangerous combination for privacy. So while I’m not upset with Facebook - you won’t find me building a profile there anytime soon.

New Ban Proposed In UK Against Hacker Tools

Thursday, January 3rd, 2008

There is some interesting commentary on The Register and even better detail on Light Blue Touch Paper about a proposed ban in the UK against dissemination and the eventual use of hacking tools. So if you run a site out of the UK with worm code on your site, that can be used to commit a crime, you should pay attention to whether this law is passed or not.

I suppose it’s not dissimilar from putting a handgun in a schoolyard, although it’s really hard to tell intent in either case. Oftentimes the research done on this site and others of its kind is academic and is helping to solve the problems. Granted, that same information can empower less scrupulous types, so that’s at least partially the intent of the law. However, I would bet money that this does little, if anything, to stop the proliferation of exploitation materials. This will no doubt simply force hackers to move their equipment offshore or go further underground - which could be bad for investigators and researchers alike.

NASDAQ Symbology Change

Thursday, December 13th, 2007

In talking with one of my clients the topic of special characters came up, and one of the things they mentioned being worried about was symbology changes at NASDAQ. For those of you who don’t follow this kind of stuff, the old ticker symbols constituted a fairly small subset of possible combinations. The symbology change was designed to allow greater flexibility in the future of the naming conventions (think of it as being like the difference between IPv4 and IPv6 in the stock market).

That would probably be all fine and dandy except that some of the characters actually mean things in programming languages. For instance, % * # $ ~ + ! @ are included in the list of possible legal characters. Any code that splices a symbol into a regular expression, a printf-style format string, a shell command or a query without escaping it has been relying on the old, letters-only alphabet. How many lines of code do you think need to be reviewed and fixed before this actually will work seamlessly? My guess is many millions. How many new exploits do you think this will open? Hard to say, but it should be interesting to watch.
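As an added illustration (not code from the original post), here is a small Python script that takes the characters the post lists as legal and shows two of the ways code written for letters-only tickers breaks: regex metacharacters in the symbol, and a symbol spliced into a printf-style template. The quote feed, the letters/digits, and the 1-8 character length limit are constructed assumptions for the demo, not NASDAQ’s actual specification.

```python
import re

# Characters the post lists as newly legal in NASDAQ symbols. The letters,
# digits and the 1-8 length are assumptions for this demo, not NASDAQ's spec.
SPECIAL = "%*#$~+!@"
SYMBOL_RE = re.compile(r"^[A-Z0-9" + re.escape(SPECIAL) + r"]{1,8}$")

# Constructed quote feed, one "SYMBOL,PRICE" record per line.
FEED = "AB,9.50\nXY$,3.25\nC,1.00\n"


def is_valid_symbol(sym):
    """Allowlist check: only the characters we expect, nothing else."""
    return SYMBOL_RE.match(sym) is not None


def find_quote_naive(sym, feed):
    """Old-style code: builds a regex by concatenation, so a '+', '*' or '$'
    in the symbol is interpreted as a regex operator, not as data."""
    try:
        return re.search("^" + sym + ",", feed, re.M) is not None
    except re.error:
        return None  # the pattern did not even compile


def find_quote_safe(sym, feed):
    """Same lookup with the symbol escaped so it is matched literally."""
    return re.search("^" + re.escape(sym) + ",", feed, re.M) is not None


def log_line_naive(sym, price):
    """Old-style code: splices the symbol into a printf-style template,
    so a '%' inside the symbol becomes a conversion specifier."""
    template = "quote " + sym + " = %s"
    return template % price


def log_line_naive_fails(sym, price):
    """True when the naive logger blows up on this symbol."""
    try:
        log_line_naive(sym, price)
    except (ValueError, TypeError):
        return True
    return False


def log_line_safe(sym, price):
    """The symbol is passed as an argument, never as part of the format string."""
    return "quote %s = %s" % (sym, price)
```

Note the two failure shapes: "AB+" is not in the feed, yet the naive regex `^AB+,` happily matches the "AB" record (a false positive), while "XY$" is in the feed and the naive regex misses it because `$` became an anchor (a false negative). The fix in every case is the same: validate against an allowlist and treat the symbol as data, never as syntax.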

Why PCI Is Good For Business

Monday, December 3rd, 2007

Time to take a step back and look at PCI. We all know and love it, or love to hate it for various reasons, but I’d like to go back to the roots of it all and ask one question, “What is PCI for?” The simple answer that I can get on board the most with is that it’s to promote spending by increasing consumer confidence. So the obvious goal is to reduce account take-overs, and information disclosure wherever possible - not necessarily to eliminate it, but to increase buyer confidence by lowering the statistical probability that they will be compromised by purchasing online.

I’ve always been an advocate of increasing the potency of PCI by making it more stringent, for which I have been told I am anti-business. Not exactly. Let’s use an example. Let’s say I’m mega huge company-A and I follow every security restriction on the planet that I can to ensure that data isn’t leaving our site, but meanwhile mega huge company-B is doing nothing, or the bare minimum. Since we will most likely share a great deal of users if we have any amount of web presence, company-A is now at the mercy of company-B. Users tend to reuse the same passwords, give the same answers to secret questions and so on, so once a user on company-B is compromised, they are also compromised on company-A. Same exploit, another day.

I remember a long time ago there was one of those giant worms going around where the solution was easy enough - egress filtering. You couldn’t stop it ingress, but if you and everyone else blocked egress the worm would stop spreading. But how as an IT administrator can I tell my management that we need to do egress filtering, which will do little to nothing for the worm as it stands at the moment, but will stop us from infecting other people? It’s a tough sell. Yet, it’s a similar problem. My security directly impacts a lot of people who read this site, whether they want it to or not, and therefore it also impacts their businesses and their personal lives which bleed onto many other sites. If I were to have a major 0-day exploit on this site, it would be a problem, not just for me, but for everyone who visits the site who would be vulnerable, and any sites they then use.

So PCI, while not an easy sell and even tougher for people who lack a sense of altruism, has the potential of solving a lot of problems with an amendment of more stringent requirements. Yes, it’s tough on companies now, and yes, they will often go to the low cost solutions as a result, but raising that bar actually has the potential to improve consumer confidence. That’s the theory anyway. Perhaps in practice we’ll find that the end result is that we’ll stop seeing small hacks and start seeing a lot more huge ones to make up the difference in any improvement in security since we all know we can’t be 100% perfect in security. It’s an interesting case study anyway.

ID Loss, No Prob, Dog Fur, Boycott

Monday, November 12th, 2007

The other day, I wrote up a pretty thorough article on Darkreading about the consequences for TJX after their huge privacy breach. As many of you know, if you’ve followed this blog long enough, I’m a huge consumer advocate, and I spend a lot of time talking with “normal” people (people who know little to nothing about technology), as it helps me gain perspective on what their lives are like. Say what you will about consumers, but not understanding them is not understanding how to build secure interfaces. Anyway, the important part of that article was this quote:

Interestingly, we collected anecdotal evidence from some users who said that they won’t stop shopping at TJX stores, but they will stop using their credit cards there. That’s a double win for TJX. Not only are they retaining their customers, but they are cutting their credit card chargebacks and processing fees for a percentage of their clients.

So it’s a win for TJX to lose nearly 100MM credit card numbers. But then I started talking to people about the recent news about Burlington Coat Factory, JCPenney, and Macy’s selling raccoon dog fur (a type of dog). Now _that_ got a different reaction. Sure, ID theft is bad, but not bad enough to stop getting great deals. But if you kill a dog, every person I asked about it (most of whom had never heard this, by the way) said they either had serious reservations about ever shopping there again, or flat out decided to boycott them entirely. I doubt that makes enough of a difference to make them opt for different types of fur or against fur entirely, but it’s at least something to make you stop and think about where the social values of the American public lie.

ThreatSTOP Anti-Botnet DNS

Monday, September 17th, 2007

I was asked to take a look at ThreatSTOP the other day. Although it’s not very clear from the website after signing up I found out the basics. It’s essentially a lot like OpenDNS. In fact, it’s so much like OpenDNS that I actually confused id when I said what it was because he thought that’s what I was talking about. It’s not exactly like OpenDNS - there are a few differences.

First the similarities. They both rely on DNS to protect consumers (not websites) from contacting “bad” sites. They both require that you use their servers to perform the lookups on your behalf. They also share some of the same negatives: bad guys who use raw IP addresses instead of hostnames never trigger a DNS lookup, so they are unaffected by this mitigation. It’s always reactive - meaning it won’t block you from going somewhere until it already knows it’s bad. And if you’re paranoid, don’t forget that they both get to see every site you intend to contact.

Now for the differences. It appears that OpenDNS has quite a bit of added customization that you can put in front of it, allowing customized blocklists. OpenDNS also uses a block page, which theoretically could see the actual URLs you are going to (since it answers the DNS query with its own server’s address rather than simply refusing the request, your browser then sends the full request to that server). Lastly, and the most important difference between the two: OpenDNS focuses on phishing and ThreatSTOP focuses on malware-infested websites.
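To make the two behaviours and the shared blind spot concrete, here is an added Python model (not code from either company, and not from the original post) of a filtering resolver. It can either refuse a listed name (NXDOMAIN, closer to the ThreatSTOP description) or answer with a sinkhole address that hosts a block page (the OpenDNS description), and it reports what each party gets to see. The blocklist, the zone data, the RFC 5737 addresses and the `.example` hostnames are all constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist and zone data for the demo; neither ThreatSTOP's nor
# OpenDNS's real lists. Addresses are RFC 5737 documentation ranges.
BLOCKLIST = {"malware.example", "phish.example"}
ZONE = {
    "www.malware.example": "203.0.113.10",
    "phish.example": "203.0.113.20",
    "news.example": "198.51.100.5",
}
SINKHOLE = "192.0.2.1"  # where a block-page style resolver points blocked names


def is_blocked_name(host):
    """Blocked if the host or any parent domain (short of the TLD) is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels) - 1))


def resolve(host, mode):
    """mode='nxdomain': refuse to answer for listed names.
    mode='sinkhole': answer with the block-page address instead."""
    if is_blocked_name(host):
        return None if mode == "nxdomain" else SINKHOLE
    return ZONE.get(host)


def client_fetch(url, mode):
    """Model one client request through a filtering resolver and report what
    the resolver learned, what the block page learned, and whether it stopped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    seen = {"resolver_sees": None, "blockpage_sees": None,
            "blocked": False, "connect_to": None}
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # IP literal: no DNS query is ever made, so a DNS filter never gets a say
        seen["connect_to"] = host
        return seen
    seen["resolver_sees"] = host  # every hostname you visit is disclosed here
    ip = resolve(host, mode)
    if ip is None:
        seen["blocked"] = True
    elif ip == SINKHOLE:
        seen["blocked"] = True
        seen["connect_to"] = ip
        # Plain HTTP sends the whole request to the sinkhole, so the block page
        # sees path and query string; over HTTPS the TLS handshake fails on the
        # certificate and at most the hostname (SNI) reaches the block page.
        seen["blockpage_sees"] = host if parts.scheme == "https" else url
    else:
        seen["connect_to"] = ip
    return seen
```

The sinkhole mode is friendlier for users (they get told why the page did not load) but it is also the mode in which the filtering provider learns full URLs, not just hostnames; and in both modes a request to a bare IP sails straight through.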

Maybe one of the two companies should just buy the other? Not that I use this kind of stuff, but for those who do, it seems like you’d want to be protected from both threats as a consumer, not just one or the other.

Why I Never Posted RSPolicy

Tuesday, September 11th, 2007

Once upon a time the name of the game was buffer overflows. We spent countless hours banging on IDA Pro, trying to get some debugger to give us the magical EIP as we smashed on our keyboards for hours. Life was a lot simpler back then - we banged on our own computers, trying to make them crash. We weren’t hurting anyone, and it made sense that we had a disclosure policy that matched that. Rain Forest Puppy released an epic document called RFPolicy that was designed to solve the problem of responsible disclosure. It allowed the industry time to solve the challenges of patching, while still giving the researcher credit for their work. The companies were forced to explain what happened when they released their patches, at which point it made sense to credit the researcher. Times have changed.

While RFPolicy is absolutely still practical and useful, even RFP admitted to me that it doesn’t cover the one area a lot of us now work in the most - web server vulns. Unlike hacking your own computer, when you hack a website it’s got all sorts of implications. But here are the most likely worst cases: the owner may do nothing, they may fix it and not tell anyone, or they may decide it’s illegal for you to be finding the vulns and try to prosecute you. None of which are any good for the poor researcher looking to help the website and/or possibly trying to increase their own name brand in doing so.

Along comes RSPolicy (obviously incomplete). In the same vein as RFPolicy, I wanted to create something that solved the unique problems that web researchers face, which is that they want either a) to be recognized, b) to get the hole fixed, or c) both. In any case, they still fear the worst cases mentioned above. RSPolicy was both a tool and a policy designed to set timeframes within which exploits should reasonably, in a worst case, be fixed. Additionally, I was going to build a tool (essentially an anonymous one-directional webmail) to prevent the companies from knowing who was reporting the vuln, so as to prevent prosecution in the worst case.

The goal was to get companies to agree to the RSPolicy, and throw up a page, explaining at a high level who found the hole, what it was, and potentially dates that it was found and closed. It all seemed like a lofty goal. Now I needed to get a few big companies to agree to timeframes. Here’s where it got ugly.

In order to protect the companies I picked I’m not going to use their names here, but trust me, you’ve heard of the companies. I picked them because they were huge, and they have these problems all the time. That means that they aren’t quick on their feet, which is perfect since I was really looking for a worst case anyway. Alas, one of the companies was unwilling to put limits on anything - fearing reprisal or even lawsuits from their customers. Another company felt the impact of this would be pretty massive to their ability to be able to fix flaws (in a good way) but never bought off on verbiage and also never put a line in the sand. Then I started talking to people in the industry.

I spoke with RFP, of course, and I didn’t get the feeling he felt it was providing enough of a mechanism. I spoke with a few others who felt that people wouldn’t adopt the tool portion (which I don’t care about, but it’s a good point). And when it came down to it, the major beef I heard was that it actually wasn’t a policy so much as a moving line in the sand that was ill defined. I agree. And so I have given up on the project. While a noble goal, I think I’m just exhausted by the concept. The companies have all completely dropped the ball at this point, despite the fact that all three have had vulnerabilities found in their sites within the last month that I am personally aware of. So despite the ball dropping, the problem hasn’t gone away.

I’m not looking for the community to pick up where I left off - that’s not my goal. My goal at this point is just to let everyone know that perhaps there is an alternative out there, and there is no reason you cannot make up your own policy at any time that makes sense for whatever application you need it for. I chose RSPolicy because I thought it fit a need. Perhaps it will for some, but I’m not going to build the tool, host it, or work on RSPolicy anymore, which is why it is in the state it is in (incomplete). The companies mentioned who read this (and they all do) all continue to have the opportunity to work with the community however they see fit - I’m just not going to facilitate.

Ha.ckers.org Breaches Browser Security - Says McAfee

Thursday, August 30th, 2007

Update: Apparently this is super old, but no one noticed. I guess not that many people use that service because it’s been around since Feb. Which also means some of these may have been pointing to us at that time - so maybe Dean isn’t as inept as I initially thought he was - except for the whole thinking we are spreading destruction without warning people ahead of time. Uhm, ya.

Here we go again. People who have been reading this blog for a while will remember that we have been told we were hacking websites by hosting JavaScript and we have been marked as a phishing site as well. Well, as Michael pointed out, McAfee has marked ha.ckers.org as a site that attempts to exploit you. Way to go guys, very nice indeed.

So let’s dissect what I think happened here. At some point someone looked at one of the examples and said, “Wow this site is bad.” because they are clueless and didn’t bother to even look at the rest of the site. A gentleman by the name of “mr.anderson” then put up a stunning review of the site:

Exploit server

Wow… amazingly thorough review! I wish they would at least put which page they thought was owning them, that would have been amusing to make fun of him at least. But alas, no such luck. Then the big gun arrived. His name is dean and he has been marked as a “experienced reviewer”. Thank god, I’m saved, right? Someone who knows what they’re doing at least?

What mr.anderson said… According to Exploit Prevention Labs’ LinkScanner, this site contains malicious code. The IP address of this domain is 69.12.144.65 and it is shared by seven other domains. These sites are listed below:

advicegalaxy.com
barbarycoastfilms.com
fthe.net
mydickisbiggerthanyours.com
s-alchemy.com
secureseo.com
seodymanics.com

And then just to make sure he’s gotten his point across dean writes:

I forgot to add in my previous review that the other sites listed also contain exploits.

Wow. Just. Wow. Let’s actually take a look at this great find here that dean, our experienced reviewer came up with. Let’s look at advicegalaxy.com:

Name: advicegalaxy.com
Address: 8.15.231.1

Uhm… doesn’t appear to be on 69.12.144.65 to me and it looks like some domain squatter. But maybe that’s just an anomaly. Let’s look at another one:

Name: barbarycoastfilms.com
Address: 69.12.144.101

At least this one is on the right subnet, but still, wrong IP. And it appears to be a movie review site. Alas, not the malware spewing site I had hoped to find.

Name: fthe.net
Address: 69.12.144.99

Again! Close! But alas, wrong IP and even still, it’s a site that is supposed to be funny (we do try, but alas, sometimes we just fail miserably). Hardly the browser exploit factory.

Name: mydickisbiggerthanyours.com
Address: 69.12.144.101

Yes, id sure does have a good sense of humor, doesn’t he? Same deal as fthe.net.

Name: s-alchemy.com
Address: 69.12.144.65

There we go! Finally a match with the IP address that dean listed. Let’s go check it out. Wait, nothing there? How is it going to spread malware when it’s not even alive? Strange….

Name: secureseo.com
Address: 69.12.144.99

Okay, now we’re getting somewhere. It’s at least talking about browsers. But wait, it’s only got a few posts and alas one of them is about helping browser companies detect blackhat SEO tactics. Weird. There has GOT to be malware here! Dean said so! And that man is experienced!

Name: seodymanics.com
Address: 69.25.212.153

Whoah, not even close to the right IP range, and also looks like domain squatting. Alas, nothing to do with us. So now let’s look at ha.ckers.org since that appears to be the offending site.

Name: ckers.org
Address: 69.12.144.99

But wait! Dean clearly said ha.ckers.org was living on .65, not on .99! Maybe they have the wrong site? Now I’m just confused! Just because you use a handy dandy outdated IP-to-hostname lookup and correlation tool doesn’t make you experienced. In fact, it makes you lazy and wrong, it turns out. However, let’s get back to the matter at hand. Apparently Exploit Prevention Labs’ LinkScanner thinks I’m a bad bad man. So I go ahead and run it against every URL on ha.ckers.org I think could possibly be scaring it. Alas, nothing. Everything I can think to test comes up as thumbs up, as nice as rainbows and lollipops.

Okay, enough sarcasm. Herein lie some serious problems. Judging one site by the reputation of other sites that merely share (or once shared) an IP address obviously leads to all sorts of false positives and false negatives - shared hosting puts unrelated sites behind one address, and stale lookup data puts sites there that have long since moved. Even if you think this site is bad, without contacting me, or explaining what exactly is wrong with the site, how can I even fix the problem to get it up to snuff?

Now we are relying on the reputation of someone named, “dean” and “mr.anderson” to make judgment calls, when it’s clear the more experienced of the two doesn’t have a clue about the site he is reviewing or the other sites (all of the sites listed have now been reviewed as bad by dean including s-alchemy which is not even online and hasn’t been since our server crash months ago). Great job guys. I hope someone at McAfee is reading this and fixes it. Also, if anyone has a copy of Exploit Prevention Labs’ LinkScanner Pro, I’d appreciate a heads up as to what it found on ha.ckers.org that it thinks is bad.

Until we get to the bottom of this, maybe you should take McAfee’s word for it and steer clear of this site and the .65 IP address - they wouldn’t mark this site bad if it weren’t. If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!

Netscape - The Future Of Security Flaws

Tuesday, July 31st, 2007

This is a post I’ve been meaning to make for several years now, and I just now got around to doing it. Netscape is one of the few browsers out there that’s old enough to pre-date most of the security people who hack on browsers. It’s got a long, trying history, with lots of problems and lots of successes, and in a lot of ways it was one of the most influential browsers out there. I owe a lot of my understanding of the web to Netscape in the early days. There’s a lot to be said for the history. But we aren’t living in the past. Let’s talk about now.

Netscape’s new model is not that of a browser company, but more of a wrapper around IE and Firefox. Using versions of Firefox and IE, Netscape wraps them in certain ways depending on the user, to give the maximum browsing experience. Netscape has come a long way in terms of installers too, and their bookmarklets are very cool. However, there is a fundamental flaw in their design - they aren’t current.

Because they do not update as quickly as the browser manufacturers that they wrap, they are always behind the times in terms of vulnerabilities. That means any user who uses Netscape is vulnerable to old Firefox vulnerabilities for months longer than they would be if they used Mozilla’s own build. I haven’t seen a shift in that mentality in the nearly four years I’ve been meaning to write this and I don’t see it changing any time soon. If you are using Netscape you are wildly behind the security patching process. I’d love to see Netscape fix this and start updating in near-real-time alongside the rivals they wrap. I don’t see them as a serious competitor to Mozilla or IE, but still. I’d rather they not disappear completely from the planet - if only for nostalgia.

Ha.ckers.org Blackhat Challenge

Thursday, July 26th, 2007

A la Caezar’s Challenge, I wanted to create my own such challenge for the people who are able to attend Blackhat/DefCon and those who are unable alike. However, unlike Caezar’s challenge, this isn’t so much a better humanity type challenge - this is just a game for people looking to solve hard problems. The goal? Find the clues, solve the puzzle and win a ha.ckers/sla.ckers branded tee-shirt. If you aren’t coming to the con, no worries, we’ll ship you one. Here’s the ha.ckers.org challenge.

I must warn you - if you don’t know HTTP inside and out, there’s a good chance you won’t get past the first clue. It’s tough, very tough. I don’t expect anyone to solve it, although it can be solved in under ten minutes if you know what you’re doing. The rules are on the challenge. Good luck and see you in Vegas if you are coming!

Update: I’m going to cap it at 10 people. I’ll announce a list of winners that want their names to be mentioned along with how to solve the challenge once the answers come rolling in.

Update 2: We have our winners! In order of response :

WhiteAcid

Billy Rios

Shawn Lauriat

Tyler Reguly

Chris Soghoian

Ryan Platt

Wesley McGraw

Sid Stamm

Georgie

The spoiler is located here if you just want to know how it happened. Congrats to the winners. We had all of them in within just a few hours! Amazing! That definitely says something about the readership! This wasn’t an easy test. Maybe the next one will be harder. ;)