New Clickjacking exploit affects all browsers

•September 27, 2008 • 3 Comments

Jeremiah Grossman and Robert “Rsnake” Hansen initially planned to reveal details on a new browser-agnostic clickjacking exploit at the Open Web Application Security Project (OWASP) in New York City this week, but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product. The term “clickjacking” refers to a process by which a user is forced to click on a link without his or her knowledge—the link itself may be nearly invisible or visible for only a fraction of a second.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.” What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konqueror, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx.

In this case, “whatever it is” is actually the only appropriate label for this new attack method; Grossman and Hansen have released virtually no information on how one would actually exploit the vulnerability. Grossman and his teammate appear to have held off publishing after Adobe requested they do so, rather than as a favor to the browser market. In his blog, Grossman writes: “At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional ‘exploits,’ and that guarding against clickjacking was largely the browser vendors’ responsibility.”

Grossman and Hansen have, however, released a bit of information on what won’t protect a user from the exploit. Turning JavaScript off is apparently useless—the attack doesn’t use it. Instead, it takes advantage of what the two call a “fundamental flaw” inherent to all modern browsers, an issue that cannot be fixed with a quick patch. Using a frame-buster script will protect a person from assaults that rely on cross-domain framing, but it will not prevent the attack from operating normally if the attack lives on a page the user is visiting directly.
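For readers who have not seen one, the following is an added example of the kind of frame-buster script the article refers to; it is not code from the original post or from Grossman and Hansen. It classifies whether a page is rendered at the top level, inside a same-origin frame, or inside a frame owned by another origin, and only in the last case navigates the top window to itself. The `makeWindow` and `makeCrossOriginTop` helpers are constructed stand-ins for browser window objects so the logic can be run outside a browser; in a real page you would call `frameBust(window)`. As the article states, this only defends against cross-domain framing, and does nothing against a technique that is served from the page the user chose to visit.

```javascript
// Added example: minimal frame-busting logic (defensive, educational).
// The window objects used in the tests below are constructed stand-ins,
// not real browser objects.

// Returns "not-framed", "same-origin-frame" or "cross-origin-frame".
function classifyFraming(win) {
  if (win.top === win.self) return "not-framed";
  let topOrigin;
  try {
    // In a browser, reading top.location.origin from a frame on another
    // origin throws a SecurityError; the stand-in below mimics that.
    topOrigin = win.top.location.origin;
  } catch (e) {
    return "cross-origin-frame";
  }
  return topOrigin === win.location.origin ? "same-origin-frame" : "cross-origin-frame";
}

// Classic frame buster: if framed by another origin, replace the top-level
// document with this page so it is no longer rendered inside the foreign frame.
// Returns true when it redirected the top window, false otherwise.
function frameBust(win) {
  if (classifyFraming(win) !== "cross-origin-frame") return false;
  try {
    // Assigning top.location is permitted across origins even though reads are not.
    win.top.location = win.self.location.href;
  } catch (e) {
    return false; // nothing more a script can do from inside the frame
  }
  return true;
}

// Constructed stand-in for a window whose location is readable (same origin).
function makeWindow(href, topWin) {
  const w = { location: { href, origin: new URL(href).origin } };
  w.self = w;
  w.top = topWin || w;
  return w;
}

// Constructed stand-in for a top window on a different origin: reading its
// location throws, but assigning to it is allowed, as in a real browser.
function makeCrossOriginTop() {
  const loc = {};
  Object.defineProperty(loc, "origin", {
    get() { throw new Error("SecurityError: cross-origin location read"); },
  });
  return { location: loc };
}

// Stand-alone demonstration with constructed windows.
const framedByAttacker = makeWindow("https://victim.example/account", makeCrossOriginTop());
console.log(classifyFraming(framedByAttacker), frameBust(framedByAttacker));
```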

As exploits go, this particular one seems a tempest in a teapot. The vulnerability in question may affect all web browsers, but the total dearth of publicly available data means anyone wanting to utilize it has their work cut out for them. Grossman states that this particular attack is capable of some “pretty spooky” things, but that’s all the detail we get. I’m not a fan of security through obscurity, but that’s not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw’s existence. Hopefully they also received a bit more information than the public did.


250k of Harvested Hotmail Emails Go For?

•September 26, 2008 • Leave a Comment

$50 in this particular case. Keep in mind, however, that the email harvester is anything but ethical: this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale may in fact already be available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling the email-harvesting niche with an easily embeddable module that distinguishes between different types of obfuscated email addresses was an anticipated move. What’s to come? Spam and malware campaigns across social networks will propagate faster “as usual,” thanks to the ongoing harvesting of usernames within social networks that are later imported into Web 2.0 “marketing” tools targeting high-traffic sites and automatically spamming them.

From a spammer’s perspective, geolocating these 250k emails could increase their selling price, since buyers would be able to launch localized attacks with messages in the native languages of the recipients. Is the demand for quality email databases fueling the development of this market segment, or are the spammers serving themselves and cashing in by reselling what they’ve already abused a long time ago? The latter seems to be the case, since there’s no way a buyer could verify the freshness of the harvested email database or whether it has already been abused.

For the time being, we’ve got several developed and many other developing market segments within spamming and phishing, as different markets with different players. On one hand are the legitimate-looking spamming providers offering “direct marketing services,” working with lone spammers who find a reliable business partner in the spamming vendor, whose customers drive both sides’ business models. On the other hand, you’ve got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure — already available as a module to integrate into managed spamming services — using legitimate services as the provider of that infrastructure.

Even though the arms race is being fought on several different fronts, spammers vs. the industry and spammers vs. spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources to research and development in order to ensure that it is always a step ahead of the industry.

Second TJX Case Defendant Pleads Guilty

•September 26, 2008 • Leave a Comment

A second defendant in the so-called TJX Breach case—which also had at least seven other major retail chains as fellow victims—pleaded guilty Monday (Sept. 22), this time to charges of conspiracy, unauthorized access to computer systems, access device fraud and identity theft.

The accused, Christopher Scott, a 25-year-old Miami resident, pleaded guilty after prosecutors said they could prove that he was paid $400,000 for assisting a retail wardriving scheme. Scott’s plea follows the Sept. 11 guilty plea of fellow Miami resident Damon Patrick Toey.

Georgia cyber attacks

•September 14, 2008 • Leave a Comment

So who’s behind the Georgia cyber attacks, which range from plain simple ping floods and web site defacements to sustained DDoS attacks, and which remain ongoing even though Georgia has switched its hosting location to the U.S.? It’s Russia’s self-mobilizing cyber militia, the product of a collectivist society that has the capacity to wage cyber wars and literally dictates the rhythm in this space. What is a militia anyway?

Information Warfare.1
“civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency”

Next to the “blame the Russian Business Network for the lack of large scale implementation of DNSSEC” mentality, certain news articles also try to wrongly imply that there’s no Russian connection in these attacks, and that the attacks are not “state-sponsored,” making it look as if there should have been a considerable amount of investment made into these attacks, and as if the Russian government had the final word on whether or not its DDoS-capable citizens should launch any attacks. In reality, the only thing the Russian government was asking itself during these attacks was “why didn’t they start the attacks earlier?!”

Thankfully, there are some visionary folks out there who understand the situation. Last year, I asked the following question: “What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view?” Some of the possible answers still fully apply in this situation:

– It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

– Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

– Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on nationalist sentiments so that they basically forwarded some of their bandwidth to key web servers

– In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who’s really behind the attacks

– Don’t know who did it, but I can assure you my kid was playing !synflood at that time

– Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but, naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

– A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the affected Russia could be behind the attacks

– I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn’t necessarily mean I actually care who did it, and pssst – it’s not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

– I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departmental cyber warfare would never reach the flexibility of people’s information warfare, where everyone is a cyber warrior given that he’s empowered with access to the right tools at a particular moment in time.

British MI5 accuses China of hacking businesses

•December 3, 2007 • Leave a Comment

According to reports in the weekend newspapers, the government has accused China of hacking into the computer systems of leading companies.

According to The Times, the MI5 director-general Jonathan Evans sent a confidential letter to 300 chief executives and security chiefs at financial institutions and legal firms last week warning them that they were under attack from Chinese state organizations.

The summary of the letter, which was posted (securely) on the website of the Centre for the Protection of the National Infrastructure, warned its recipients of the “electronic espionage attack”.

“The contents of the letter highlight the following: the Director-General’s concerns about the possible damage to UK business resulting from electronic attack sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best-practice IT security systems.

“The letter acknowledges the strong economic and commercial reasons to do business with China, but the need to ensure management of the risks involved.”

According to one security expert quoted in the Times article, one of the techniques used by the Chinese groups was “custom Trojans,” software designed to hack into the network of a particular firm and feed back confidential data.

The MI5 website already acknowledges the UK is a high priority espionage target.

“We estimate that at least 20 foreign intelligence services are operating to some degree against UK interests. Of greatest concern are the Russians and Chinese,” it said.


ANI Exploit + SQL injection

•November 29, 2007 • 1 Comment

There is an interesting article over at SecurityFocus discussing how 25,000 machines were compromised specifically to launch the Microsoft ANI cursor exploit. There are a few interesting parts to this. The first is that it appears the Dolphins stadium hack a while back was not unique – it was just part of this larger attack. The second is that SQL injection was the most likely culprit for the large-scale compromise.

I know we’ve all thought about it, but for some reason this one is hitting a little harder than others. Partially because I think we all like to think we are unique and every hack needs to be forensically important. Think about it: if you were running the Miami Dolphins and saw this happen to your site, you’d want answers, and you’d want them now. And then, after spending countless hours and tons of resources, you’d find that the answer is you were just one hack of 25,000. The Dolphins had an interesting website, but it was actually insignificant in the grand scheme of the attack.

It’s a sobering thought that one attack compromised 25,000 websites, which in turn could have compromised potentially hundreds of thousands or even millions of remote machines via the ANI payload delivered through XSS. And ultimately, the attackers are still at large. Pretty scary concept when you think about the low level of diversity in open source web applications, which makes them much more susceptible to attack. Maybe that tiny webapp hole isn’t so tiny after all.