Freakonomics Q&A
I just did a Q&A on the Freakonomics blog. Nothing regular readers of this blog haven’t heard before, but it was fun all the same. There’s also a Slashdot thread on the Q&A.
Entries Tagged "web"
Page 10 of 14
SANS Top 20
Every year SANS publishes a list of the 20 most important vulnerabilities. It’s always a great list, and this year is no different:
The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past. Here are some observations:
- Operating systems have fewer vulnerabilities that can lead to massive Internet worms. For instance, during 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet. There have not been any new large-scale worms targeting Windows services since 2005. On the other hand, vulnerabilities found anti-virus, backup or other application software, can result in worms. Most notable was the worm exploiting the Symantec anti-virus buffer overflow flaw last year.
- We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
- Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.
- Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.
- The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!
- Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization’s boundary.
Much, much more information at the link.
Security by Letterhead
This otherwise amusing story has some serious lessons:
John: Yes, I’m calling to find out why request number 48931258 to transfer somedomain.com was rejected.
ISP: Oh, it was rejected because the request wasn’t submitted on company letterhead.
John: Oh… sure… but… uh, just so we’re on the same page, can you define exactly what you mean by ‘company letterhead?’
ISP: Well, you know, it has the company’s logo, maybe a phone number and web site address… that sort of thing. I mean, your fax looks like it could’ve been typed by anyone!
John: So you know what my company letterhead looks like?
ISP: Ye… no. Not specifically. But, like, we’d know it if we saw it.
John: And what if we don’t have letterhead? What if we’re a startup? What if we’re redesigning our logo?
ISP: Well, you’d have to speak to customer—John (clicking and typing): I could probably just pick out a semi-professional-looking MS Word template and paste my request in that and resubmit it, right?
ISP: Look, our policy—John: Oh, it’s ok, I just sent the request back in on letterhead.
Ha ha. The idiot ISP guy doesn’t realize how easy it for anyone with a word processor and a laser printer to fake a letterhead. But what this story really shows is how hard it is for people to change their security intuition. Security-by-letterhead was fairly robust when printing was hard, and faking a letterhead was real work. Today it’s easy, but people—especially people who grew up under the older paradigm—don’t act as if it is. They would if they thought about it, but most of the time our security runs on intuition and not on explicit thought.
This kind of thing bites us all the time. Mother’s maiden name is no longer a good password. An impressive-looking storefront on the Internet is not the same as an impressive-looking storefront in the real world. The headers on an e-mail are not a good authenticator of its origin. It’s an effect of technology moving faster than our ability to develop a good intuition about that technology.
And, as technology changes ever increasingly faster, this will only get worse.
World Series Ticket Website Hacked?
The Colorado Rockies will try again to sell World Series tickets through their Web site starting on Tuesday at noon.
Spokesman Jay Alves said tonight that the failure of Monday’s ticket sales happened because the system was brought down today by an “external malicious attack.”
There was a presale that “went well”:
The Colorado Rockies had a chance Sunday to test their online-sales operation in advance.
Season-ticket holders who had previously registered were able to log in with a special password to buy extra tickets.
Alves said the presale went well, with no problems.
But some people found glitches, such as being told to “enable cookies” and to set their computer security to the “lowest level.” And some fans couldn’t log in at all.
Alves explained that those who saw a “page cannot be displayed” message had “IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked.”
Certainly scalpers have an incentive to attack this system.
EDITED TO ADD (10/28): The FBI is investigating.
Cheating in Online Poker
Fascinating story of insider cheating:
Some opponents became suspicious of how a certain player was playing. He seemed to know what the opponents’ hole cards were. The suspicious players provided examples of these hands, which were so outrageous that virtually all serious poker players were convinced that cheating had occurred. One of the players who’d been cheated requested that Absolute Poker provide hand histories from the tournament (which is standard practice for online sites). In this case, Absolute Poker “accidentally” did not send the usual hand histories, but instead sent a file that contained all sorts of private information that the poker site would never release. The file contained every player’s hole cards, observations of the tables, and even the IP addresses of every person playing. (I put “accidentally” in quotes because the mistake seems like too great a coincidence when you learn what followed.) I suspect that someone at Absolute knew about the cheating and how it happened, and was acting as a whistleblower by sending these data. If that is the case, I hope whomever “accidentally” sent the file gets their proper hero’s welcome in the end.
Then the poker players went to work analyzing the data—not the hand histories themselves, but other, more subtle information contained in the file. What these players-turned-detectives noticed was that, starting with the third hand of the tournament, there was an observer who watched every subsequent hand played by the cheater. (For those of you who don’t know much about online poker, anyone who wants can observe a particular table, although, of course, the observers can’t see any of the players’ hole cards.) Interestingly, the cheater folded the first two hands before this observer showed up, then did not fold a single hand before the flop for the next 20 minutes, and then folded his hand pre-flop when another player had a pair of kings as hole cards! This sort of cheating went on throughout the tournament.
So the poker detectives turned their attention to this observer. They traced the observer’s IP address and account name to the same set of servers that host Absolute Poker, and also, apparently, to a particular individual named Scott Tom, who seems to be a part-owner of Absolute Poker! If all of this is correct, it shows exactly how the cheating would have transpired: an insider at the Web site had real-time access to all of the hole cards (it is not hard to believe that this capability would exist) and was relaying this information to an outside accomplice.
More details here.
EDITED TO ADD (10/20): More information.
EDITED TO ADD (11/13): This graph of players’ river aggression is a great piece of evidence. Note the single outlying point.
Hacker Firefox Extensions
If I could only install one “offensive” extension, it would absolutely be Tamper Data. In the past, I used Paros Proxy and Burp Suite for intercepting requests and responses between my Web browser and the Web server. These tasks can now be done within Firefox via Tamper Data—without configuring the proxy settings.
If the Website you’re trying to break into requires a unique cookie, referrer, or user-agent, intercept the request with Tamper Data before it gets sent to the Web server. Then, add or modify the attributes you need and send it on. It’s even possible to modify the response from the Web server before the Web browser interprets it. It’s a very nice tool for anyone interested in Web application security.
Paros and Burp both have features not yet available in Tamper Data, such as site spidering and vulnerability scanning. Switching over to one of them as a proxy is much easier with SwitchProxy, which helps you quickly configure Firefox to use Paros and Proxy. It’s not a purely “offensive” extension, but SwitchProxy it makes the configuration of proxies for Firefox much quicker.
Security Risks of Online Political Contributing
Security researcher Christopher Soghoian gave a presentation this month warning of the potential phishing risk caused by online political donation sites. The Threat Level blog reported:
The presidential campaigns’ tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.
“Basically, the problem here is that banks are doing their best to promote safe online behavior, but the political campaigns are taking advantage of the exact opposite,” he says. “They send out one million e-mails to people designed to encourage impulsive behavior.”
He characterizes the current state of security of the presidential campaigns’ online payment systems as a “mess.”
“It’s a disaster waiting to happen,” he says.
Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns’ sites and similarly send out such e-mails that would encourage people to “donate” money without checking for the authenticity of the site.
He has a point, but it’s not new to online contributions. Fake charities and political organizations have long been problems. When you get a solicitation in the mail for “Concerned Citizens for a More Perfect Country”—insert whatever personal definition you have for “more perfect” and “country”—you don’t know if the money is going to your cause or into someone’s pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.
In the end, contributing money requires trust. While the Internet certainly makes frauds like this easier—anyone can set up a webpage that accepts PayPal and send out a zillion e-mails—it’s nothing new.
Chinese National Firewall Isn't All that Effective
Interesting research:
The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.
Unlike many other nations Chinese authorities do not simply block webpages that discuss banned subjects such as the Tiananmen Square massacre.
Instead the technology deployed by the Chinese government scans data flowing across its section of the net for banned words or web addresses.
When the filtering system spots a banned term it sends instructions to the source server and destination PC to stop the flow of data.
Mr Barr and colleagues manipulated this to see how far inside China’s net, messages containing banned terms could reach before the shut down instructions were sent.
The team used words taken from the Chinese version of Wikipedia to load the data streams then despatched into China’s network. If a data stream was stopped a technique known as “latent semantic analysis” was used to find related words to see if they too were blocked.
The researchers found that the blocking did not happen at the edge of China’s network but often was done when the packets of loaded data had penetrated deep inside.
Blocked were terms related to the Falun Gong movement, Tiananmen Square protest groups, Nazi Germany and democracy.
On about 28% of the paths into China’s net tested by the researchers, blocking failed altogether suggesting that web users would browse unencumbered at least some of the time.
Filtering and blocking was “particularly erratic” when lots of China’s web users were online, said the researchers.
Age Verification for Movie Trailers
Completely ridiculous:
It seems like “We want to protect children” really means, We want to give the appearance that we’ve made an effort to protect children. If they really wanted to protect children, they wouldn’t use the honor system as the sole safeguard standing between previews filled with sex and violence and Internet-savvy kids who can, in a matter of seconds, beat the impotent little system.
Evasive Malicious Code
New developments in malware:
Finjan reports an increasing trend for “evasive” web attacks, which keep track of visitors’ IP addresses. Attack toolkits restrict access to a single-page view from each unique IP address. The second time an IP address tries to access the malicious page, a benign page is displayed in its place.
Evasive attacks can also identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, and reply to these engines with legitimate content such as news. The malicious code on the host website accesses a database of IP addresses to determine whether to serve up malware or legitimate content.
Just another step in the neverending arms race of network security.
Sidebar photo of Bruce Schneier by Joe MacInnis.