Simon Willison’s Weblog

Blogmarks tagged security in 2007

Filters: Type: blogmark × Year: 2007 × security ×


The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER[’HTTP_BASE_PATH’], which can be set with a Base-Path: HTTP header. # 28th December 2007, 11:40 pm

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves. # 26th December 2007, 12:16 pm

IPy. Handy Python module for manipulating IP addresses—use IP(ip_addr).iptype() == ’PUBLIC’ to check that an address isn’t in a private address range. # 24th December 2007, 1:19 pm

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other. # 18th November 2007, 11:21 am

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. # 14th November 2007, 5:05 pm

A Roundup Of Leopard Security Features (via) Thomas Ptacek’s overview of the new security features in Leopard. Guest Accounts are worthless from a security P.O.V., but I still plan to use one for our PowerBook that’s now just a media player. # 31st October 2007, 5:30 pm

Django security fix released. Django’s internationalisation system has a denial of service hole in it; you’re vulnerable if you are using the i18n middleware. Fixes have been made available for trunk, 0.96, 0.95 and 0.91. # 26th October 2007, 9:47 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. # 25th October 2007, 7:56 am

MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. # 18th October 2007, 9:10 pm

Gozi Trojan. The full security paper on the Gozi trojan: how it was discovered, how it was traced and details of the “customer interface for on-line purchases of stolen data” at the other end (which, incidentally, was ridden with security holes). # 17th October 2007, 10:03 pm

Global Hackers Create a New Online Crime Economy (via) Fascinating, detailed look at the evolution of the hacker service economy. Of particular interest: a web application that sells access to hacked machines to identity thieves on a timeshare basis. # 17th October 2007, 9:46 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm

The Storm Worm. Bruce Schneier describes the Storm Worm, a fantastically advanced piece of malware that’s been spreading for nearly a year and is proving almost impossible to combat. Its effects are virtually invisible but infected machines are added to a multi-million machine botnet apparently controlled by anonymous Russian hackers. # 6th October 2007, 12:25 am

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone. # 5th October 2007, 11:42 pm

Amazon makes you lie to log off (via) Amazingly, the only way to sign out of Amazon these days is to use the “If you’re not XXX, click here” link—the traditional “sign out” link has quietly vanished. # 2nd October 2007, 1:19 pm

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks. # 27th September 2007, 1:55 pm

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge. # 27th September 2007, 10:29 am

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw. # 6th September 2007, 6:27 am

E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.” # 20th August 2007, 3:19 pm

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place. # 17th August 2007, 5:37 pm

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics. # 7th August 2007, 3:23 pm

DNS Pinning Explained. With diagrams. # 7th August 2007, 11:01 am

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino. # 2nd August 2007, 12:53 pm

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection. # 2nd August 2007, 12:53 pm

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?” # 2nd August 2007, 12:30 pm

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett. # 18th July 2007, 7:45 am

Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted in to some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process. # 7th July 2007, 10:43 pm

Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta. # 14th June 2007, 9:56 am