Thursday, February 28, 2008

Use SSL When Available - Browser Setting

It would be safer if you could force your browser to use SSL whenever available and alert you if the SSL encryption level being used is a version that has some security limitations and can potentially be hacked.

As far as I know this doesn't exist other than forcing ALL sites into SSL which is not very convenient.

Most banks now are forcing users into SSL for ALL web browsing - this is something I think more people should do and someone needs to implement a better way to discover and block invalid certs - and also track down the people doing it and prosecute them.

SSL is the only way I know of to verify you're at the site you think you're at that is standard in all browsers. If you use http, could be your DNS cache is poisoned or you're using a cached copy or...?

This area of web browsing definitely needs to be improved.

Wednesday, February 27, 2008

Paypal Spoof

Return-Path:
X-Original-To: x@x.com
Delivered-To: x@x.com
Received: from p1119-ipbf09daianji.nara.ocn.ne.jp (p1119-ipbf09daianji.nara.ocn.ne.jp [221.187.221.119])
by mail14.intermedia.net (Postfix) with ESMTP id 6977443A9E;
Wed, 27 Feb 2008 08:34:16 -0800 (PST)
Received: from [221.187.221.119] by abralise.com; Thu, 28 Feb 2008 01:47:43 +0900
Date: Thu, 28 Feb 2008 01:47:43 +0900
From: update@paypal.com
X-Mailer: The Bat! (v2.12.00) Personal
Reply-To: akstcabralisemnsdgs@abralise.com
X-Priority: 3 (Normal)
Message-ID: <709683931.16551075140727@abralise.com>
To: x@x.com
Subject: PayPal® Account Review Department
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1252
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

<style type="text/css">
<!--
style3 {font-size: 14px}
style4 {font-size: 12px; }
-->
</style>
<table width="522" border="0">
<tr>
<td><a href="https://www.paypal.com"><img src="https://www.paypal.com/images/paypal_logo.gif" width="117" height="35" border="0" /></a></td>
</tr>
<tr>
<td width="516"><P class="style3">Dear <strong>PayPal ®</strong> customer,</P>
<P class="style3">We recently reviewed your account, and we suspect an unauthorized transaction on your account.<BR>
Protecting
your account is our primary concern. As a preventive measure we
have temporary<strong> limited</strong> your access to sensitive information.<BR>
Paypal features.To ensure that your account is not compromised, simply hit
"<strong>Resolution
Center</strong>" to confirm your identity as member of
Paypal.</P>
<ul class="style3">
<li> Login to your Paypal with
your Paypal username and password.</U></li>
<li> Confirm your identity as a card memeber of
Paypal.</U></li>
</ul>
<P class="style3"> </P>
<TABLE cellSpacing=0 cellPadding=5 width="100%" align=center
bgColor=#ffeeee>
<TBODY>
<TR>
<TD class="style3"><SPAN class=emphasis>Please confirm account information by clicking here <A
href="http://paypal-user-confirm.com/acc/login.php "target="_self">Resolution
Center</A> and complete the "Steps to Remove Limitations." </SPAN></TD>
</TR>
</TBODY>
</TABLE>
<P class="style4"> </P>
<P class="style4"><strong>*</strong>Please do not reply to this message. Mail sent to this
address cannot be answered.</P>
<P><span class="style
<P><span class="style3">Copyright © 1999-2007 PayPal. All rights reserved.<BR>

</BODY></HTML>
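
The mismatches in the message above can be checked mechanically. The following Python is an added example, not part of the original post: it compares the domain claimed in From with the Reply-To and Message-ID domains and with every link host in the body. The function names and the abbreviated SAMPLE are assumptions of the example; From itself is forgeable, so an empty result says nothing about the real sender.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: headers and links abbreviated from the message above.
SAMPLE = """\
From: update@paypal.com
Reply-To: akstcabralisemnsdgs@abralise.com
Message-ID: <709683931.16551075140727@abralise.com>
Content-Type: text/html; charset=Windows-1252

<html><body>
<a href="https://www.paypal.com"><img src="https://www.paypal.com/images/paypal_logo.gif"></a>
<a href="http://paypal-user-confirm.com/acc/login.php ">Resolution Center</a>
</body></html>
"""

class LinkCollector(HTMLParser):  # gathers the host of every <a href=...>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlsplit(href.strip()).hostname or "").lower())

def domain_of(value):
    """Domain part of an address-like header (From, Reply-To, Message-ID)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """List mismatches between the claimed From domain and the rest of the message."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    findings = []
    for header in ("Reply-To", "Message-ID"):
        other = domain_of(msg[header])
        if other and other != claimed:
            findings.append(f"{header} domain {other} != From domain {claimed}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for host in links.hosts:
        # Plain suffix match against the claimed domain, not public-suffix aware.
        if host and not (host == claimed or host.endswith("." + claimed)):
            findings.append(f"link host {host} is outside {claimed}")
    return findings

if __name__ == "__main__": print("\n".join(phishing_indicators(SAMPLE)))
```

The logo link to www.paypal.com passes the check; only the "Resolution Center" link, the one the reader is asked to click, is reported.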

VMWare Hack

There's a vulnerability in VMWare - a program a lot of testers use to test software applications among other things.

VMWare Hack

February 24, 2008 (Computerworld) A critical vulnerability in VMware Inc.'s virtualization software for Windows lets attackers escape the "guest" operating system and modify or add files to the underlying "host" operating system, the company has acknowledged.

As of Sunday, there was no patch available for the flaw, which affects VMware's Windows client virtualization programs, including Workstation, Player and ACE. The company's virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk.

Sunday, February 24, 2008

Open Dns Resolvers - Problem

Open DNS Resolvers are a problem according to this article:

Open DNS Resolver Survey

This list shows the open resolvers - many of which are on networks that have been causing us problems:

Open DNS Resolvers

Pondering favicon.ico

When someone requests the favicon on a site, a full request with complete information is not sent (apparently). Is this expected behavior? I guess I need to see the W3C spec for proper submission of requests and how it relates to multiple files requested by the same request. Does the first request include the full request information and subsequent related requests such as images, etc. come through with less than complete information? And is this useful for hackers in hiding particular details of their activities? More research is needed. Just pondering the implications of this particular request behavior.

Also I just realized while digging into this issue that my application was not thread safe and there is a trade off between making it thread safe to ensure no data is lost and keeping performance at optimal levels. Ugh. All this because of a favicon.ico request.

Saturday, February 23, 2008

Frequent JavaScript Errors on Major Web Sites

I have been seeing more and more JavaScript errors on all kinds of web sites.

I wonder if the owners of these web sites don't notice the errors because they have turned off JavaScript error reporting in their browsers (if you care about your security and your web site I would recommend not doing this and report any errors you find to the owner of the web site).

The other option is, the owner of the web site never sees the JavaScript error. Because JavaScript is a client side technology its execution will occur on the machine that is requesting the web site. If something is different on that machine then the web site owner may not see that error, unless they are testing every browser combination - and even if they are in the case of XSS and other client side attacks.

For instance I have some JavaScript that loads up some frames. I have one user that gets a bogus site when logging in and those frames are loaded up. That doesn't happen to any other user. Chances are that error is something specific to that computer or that network that I would never see had that person not reported the error.

That is why it is important for everyone to report any errors they see to the web sites they use regularly.

Sometimes the owners of the web site cannot see what you are seeing.

And on that note web site owners that support hundreds or millions of customers need to make their support staff aware that these things CAN and DO happen and not treat customers like morons who report them because the staff is looking at the page and not seeing the same thing.

One other comment on this topic is that one site having this problem is using Urchin which has some JavaScript and an iframe containing who knows what. A lot of major web sites use Urchin and all sorts of software to track advertising and marketing. Many times the marketing staff demands to do these partnerships which put their customers at risk, and actually can hurt rather than help their business. I would suggest never including an iframe on any page other than static html and definitely not on a login page or e-commerce web site - and even then, an iframe can be used to change the content the user is getting in the main page on a static site - so I would personally never use one with content hosted by a third party and/or code that is not highly scrutinized by security experts - not the average web developer. Also when using Urchin, etc. it is crucial to constantly test and monitor - client side, not just server side code execution. Also hackers are smart enough not to send their malicious code to your monitoring system in many cases.

Prefix Hijacking and Intercepting (MITM Attack)

Here's a paper by some students on prefix hijacking and how that can lead to a man in the middle attack.

Make sure you are using the latest version of Adobe Acrobat Reader before opening any PDF files.

Prefix Hijacking - Man In The Middle Attack

Contracting On Insecure Computers

Every time I get on a new assignment at a new company the first thing I have to do - every time - for any company large or small, is secure my computer. Each time I go in it seems like firewalls are off and patches are severely out of date, insecure end of life or out of date software is running (including Flash, Quicktime, etc). The one thing I cannot always do is turn off all unneeded services because I am not sure what is and is not required by the company but typically there are some that I know can be turned off which are hack-prone.

If this happens at even some of the biggest companies that tells you IT has a big problem. Machines are set up with insecure configurations and even if they are not - if someone leaves their desk with the machine logged in - someone else could jump on there and install some computer software as soon as you walk away. For instance at one company they had me log in and then go get coffee on a machine that was right next to another contractor I didn't know. Perhaps the guy is the greatest guy ever, but he's a contractor right? What if as soon as we walked away he jumped on my machine and installed something that gave him a back door into my machine??

Don't assume I am just paranoid. Read the security articles across web sites as I do every day and then tell me it is not possible. The number one source of security breaches is from internal employees - whether malicious, on purpose, or someone just trying to sabotage or skim.

Personally I think all employees should be told to lock their computer when away from their desk.

One company I was at had Ubuntu and that actually made me nervous because I wasn't quite sure how to secure Ubuntu as well as Windows. And since Ubuntu is made by some guy in South Africa and open source, how is this thing being audited for security? I have no idea.

But then if a company uses Microsoft products and doesn't install service packs until after they've been out for almost a year, might as well use Ubuntu. It's free.

IT Admins Should Be Checking Vulnerabilities Daily

Anyone working in IT supporting any systems that could possibly be hacked (which means anything) should be reading this list:

Secunia - Security Updates


Wednesday, February 20, 2008

HackerSafe - False sense of Security

This article suggests HackerSafe may lull web site owners into a false sense of security:

Hacker Safe - false sense of security

HackerSafe only tests a particular layer of hacking and, as one consulting firm suggests, cannot provide the in-depth, page-by-page testing of a company doing the work hands-on. Additionally, the article states that some hackers claim they have hacked HackerSafe sites.

Ethical Hacking - Articles

Here's a whole list of articles from the Ethical Hacking web site which cover a wide range of hacker related topics from rootkits to data embedded in jpgs - wireless hot spots to audio and video and hacking the stack among other things:

Ethical Hacker Articles

More on Man-In-The-Middle Attacks

More on man in the middle attacks, on VPNs, banking sites, hot spots and more.

Man in the middle attack

Don't accept invalid certificates at a hot spot

This article shows hot spot exploits... and ways to validate SSIDs; however, how many people actually do that...

http://www.ethicalhacker.net/content/view/66/24/

This is kind of scary for anyone using a hot spot.

The question is... what can Starbucks and T-Mobile (among other popular hot spots) do to protect users of hotspots from this type of attack?

Tuesday, February 19, 2008

PHP hackers

Two related php hackers apparently referred by: http://www.delire.ru//modules/4nAlbum/public/doc/safe.txt?

61.250.95.201
inetnum: 61.248.0.0 - 61.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR



64.13.224.85
OrgName: Media Temple, Inc.
OrgID: MEDIAT-10
Address: 8520 National Blvd.
Address: Building A
City: Culver City
StateProv: CA
PostalCode: 90232
Country: US

NetRange: 64.13.192.0 - 64.13.255.255

Sunday, February 17, 2008

Tool for Phishers - Is your Browser Vulnerable?

It is a bit bothersome to me that this is not yet fixed:

http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/

Test your browser to see if you're a potential victim.

This could be used by phishers to pop up windows that look like links are pointing to valid sites when they are not, and trick someone into thinking they are at a bank for instance, instead of some hacker web site.

Not sure why this bug is not considered a top priority.

Tuesday, February 05, 2008

Facebook Image Uploader Exploit

Flaw in Facebook image uploader allows exploit of user machines:

http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060025.html

Saturday, February 02, 2008

Antivirus Comparison

Here is a comparison of antivirus programs for 2008

Not sure if the source is good (haven't researched this or heard of them) and make sure you read the legend or some things may be misleading.

http://www.sunbelt-software.com/ihs/alex/avtestresults_2D2008q1.pdf

Friday, February 01, 2008

Man-In-The-Middle Attack - Mail Systems

What are the chances your webmail is affected by a man-in-the-middle attack?

Today I found some instructions for my webmail company's product that did not match the product I see when I login.

I also found it odd when I signed up that certain features that were supposed to be in there were not and "their programmers" had to fix it.

Additionally the SSL certificate isn't working (should it be? Are we getting to an imposter?) and we cannot send mail without errors to one of their domains but they are telling us the messages are still encrypted - are they?

In the instructions I found online I went to the site that was supposed to be the admin site. I got a page not found. Then I typed in the IP - and the admin site showed up - but my admin password does not work on that site. It does work on their main web site however.

For another mail company I tried out I called them up on the phone because the whole login thing did not make sense. When I was asking the guy on the phone where and how to login, an option that he was seeing on his screen was simply not on my screen - and I talked to two different people that said the same thing and the instructions did not match what I was seeing.

What are the chances that all these webmail systems out there that people are using every day to communicate are hacked? Gmail was hacked - people could log in and read Gmail messages of other people - so it could be happening to a lot of other mail companies with fewer resources.