Simon Willison’s Weblog


490 items tagged “security”

2007

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON.

# 9th October 2007, 12:23 pm / rails, django, python, ruby, xss, security

The Storm Worm. Bruce Schneier describes the Storm Worm, a fantastically advanced piece of malware that’s been spreading for nearly a year and is proving almost impossible to combat. Its effects are virtually invisible but infected machines are added to a multi-million machine botnet apparently controlled by anonymous Russian hackers.

# 6th October 2007, 12:25 am / malware, bruce-schneier, botnets, hackers, security, storm, worm

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone.

# 5th October 2007, 11:42 pm / rails, sessions, sessionfixation, security

Amazon makes you lie to log off (via) Amazingly, the only way to sign out of Amazon these days is to use the “If you’re not XXX, click here” link—the traditional “sign out” link has quietly vanished.

# 2nd October 2007, 1:19 pm / amazon, security, signout, usability, infoworld

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man-in-the-middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back into the online application.

# 2nd October 2007, 1:14 am / phishing, cronto, security, maninthemiddle, signing, challengresponse, openid
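The exchange the Cronto entry above describes, as an added example that is not Cronto's own code or protocol: the bank signs the transaction details plus a fresh nonce (the part the real product encodes as an image), the user's device refuses to decode a challenge with a bad signature, and the response code is bound to exactly the details the device showed the user. The shared per-user device key, the HMAC construction and the 8-digit response format are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets


def canonical(obj):
    """Stable byte encoding so bank and device MAC the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def response_code(key, tx, nonce):
    """8-digit code bound to the transaction details and the nonce.
    (Truncated HMAC; the real scheme's construction is not public on the page.)"""
    mac = hmac.new(key, b"response:" + canonical({"tx": tx, "nonce": nonce}),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class Bank:
    def __init__(self, device_keys):
        self.keys = device_keys      # user -> key provisioned at enrolment (assumed)
        self.pending = {}            # nonce -> transaction awaiting confirmation

    def issue_challenge(self, user, tx):
        """What the image encodes: the transaction, a nonce, and a MAC over both."""
        nonce = secrets.token_hex(8)
        payload = {"tx": tx, "nonce": nonce}
        mac = hmac.new(self.keys[user], canonical(payload), hashlib.sha256).hexdigest()
        self.pending[nonce] = tx
        return {"payload": payload, "mac": mac}

    def verify_response(self, user, nonce, code):
        """Accept only a code computed for the transaction the bank will execute."""
        tx = self.pending.get(nonce)
        key = self.keys.get(user)
        if tx is None or key is None:
            return False
        ok = hmac.compare_digest(response_code(key, tx, nonce), code)
        if ok:
            del self.pending[nonce]  # single use: a replayed code is rejected
        return ok


class Device:
    """The app on the user's phone/laptop that decodes the image."""

    def __init__(self, key):
        self.key = key

    def decode(self, challenge):
        expected = hmac.new(self.key, canonical(challenge["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, challenge["mac"]):
            raise ValueError("challenge not signed by the bank: refusing to display it")
        return challenge["payload"]["tx"], challenge["payload"]["nonce"]

    def respond(self, challenge):
        """Returns (details to show the user, code to type into the web form)."""
        tx, nonce = self.decode(challenge)
        return tx, response_code(self.key, tx, nonce)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    bank, device = Bank({"alice": key}), Device(key)
    tx = {"amount": "250.00", "payee": "plumber"}          # constructed sample
    challenge = bank.issue_challenge("alice", tx)
    shown, code = device.respond(challenge)
    print("device shows:", shown, "code:", code)
    print("bank accepts:", bank.verify_response("alice", challenge["payload"]["nonce"], code))
```

The man-in-the-middle case falls out of the binding: if the attacker swaps the payee before the request reaches the bank, the challenge the bank signs shows the attacker's payee on the device; if the attacker instead tries to show the user the original details, the device rejects the unsigned challenge; and a code computed for the original transaction does not verify against the tampered one.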

Designing for a security breach

User account breaches are inevitable. We should take that into account when designing our applications.

[... 545 words]

Currently WebRunner applications share cookies with other WebRunner applications, but not with Firefox. WebRunner uses its own profile, not Firefox's profile. There is a plan to allow WebRunner applications to create their own, private profiles as well.

Mark Finkle

# 30th September 2007, 4:08 pm / cookies, firefox, csrf, mark-finkle, webrunner, sitespecificbrowsers, security

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail, etc.). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks.

# 27th September 2007, 1:55 pm / webrunner, security, csrf, browsers, twitter, gmail, xulrunner, sitespecificbrowsers

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge.

# 27th September 2007, 10:29 am / gmail, security, google, csrf, vulnerability
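The class of bug in the Gmail entry above, as an added example that is not Google's code: a filter-creation handler that trusts the session cookie alone (which the victim's browser attaches to a form post from any site) next to the same handler requiring a per-session token that only a page served by the real site can read. The in-memory session table, the `Account` class and the HMAC-over-session-id token are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class Account:
    def __init__(self):
        self.filters = []


# Constructed state standing in for the mail service: session cookie -> account.
SESSIONS = {"sess-alice": Account()}
SECRET = secrets.token_bytes(32)   # server-side key for minting CSRF tokens


def add_filter_vulnerable(cookie_session, form):
    """Authorises on the session cookie alone. A <form> on evil.example that
    auto-submits to this endpoint is sent with the victim's cookie, so the
    attacker can add 'forward everything to me' without the user noticing."""
    account = SESSIONS.get(cookie_session)
    if account is None:
        return 403
    account.filters.append({"match": form["match"], "forward_to": form["forward_to"]})
    return 200


def csrf_token_for(session_id):
    """Token bound to the session. It is rendered into the real site's form only,
    and the same-origin policy stops evil.example reading that page."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def add_filter_protected(cookie_session, form):
    """Same handler, but the POST must carry the token for this session."""
    account = SESSIONS.get(cookie_session)
    if account is None:
        return 403
    expected = csrf_token_for(cookie_session)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403   # cross-site post: cookie present, token missing or wrong
    account.filters.append({"match": form["match"], "forward_to": form["forward_to"]})
    return 200


if __name__ == "__main__":
    forged = {"match": "*", "forward_to": "attacker@evil.example"}   # constructed
    print("vulnerable:", add_filter_vulnerable("sess-alice", forged))  # 200
    print("protected, no token:", add_filter_protected("sess-alice", forged))  # 403
    legit = dict(forged, csrf_token=csrf_token_for("sess-alice"))
    print("protected, with token:", add_filter_protected("sess-alice", legit))  # 200
```

Note that the token check is in addition to, not instead of, the session check: a request with a valid token but no session is still refused, and a token minted for one session is useless with another session's cookie.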

A typical phishing email will have a generic greeting, such as 'Dear User'. Note: All PayPal emails will greet you by your first and last name.

PayPal's Phishing Guide

# 22nd September 2007, 2:33 pm / phishing, email, paypal, doh, security

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone into the Mozilla 1.8 branch. This is a defence-in-depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw.

# 6th September 2007, 6:27 am / httponly, brad-fitzpatrick, firefox, security, ie, mozilla, javascript

E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.”

# 20th August 2007, 3:19 pm / evoting, security, pr, edfelten

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place.

# 17th August 2007, 5:37 pm / openid, verisign, seatbelt, firefox, security, plugins

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics.

# 7th August 2007, 3:23 pm / bruce-schneier, interview, kip-hawley, security, tsa

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino.

# 2nd August 2007, 12:53 pm / dnsrebinding, camino, safari, security, samedomain

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection.

# 2nd August 2007, 12:53 pm / arturbergman, dnsrebinding, samedomain, security
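The protection the two DNS rebinding entries above point at, as an added example that is not from either linked post: after rebinding, attacker.example resolves to the intranet server's IP, but the browser still sends `Host: attacker.example`, so a server that only answers for its own published names refuses the request instead of serving the default virtual host. The allow-list and the handler are constructed for the example; a real deployment puts the same check in the web server's virtual-host configuration or the framework's allowed-hosts setting.

```python
import ipaddress

# Constructed allow-list: the names this intranet server is actually published under.
ALLOWED_HOSTS = {"intranet.example", "wiki.intranet.example"}


def normalise_host(raw):
    """Lower-case, drop the port and a trailing dot. Returns None for an empty value."""
    host = raw.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:                        # name:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    return host or None


def host_is_allowed(headers, allowed=ALLOWED_HOSTS):
    raw = headers.get("Host")
    if raw is None:
        return False                         # no Host header at all: refuse
    host = normalise_host(raw)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False                         # an IP literal never matches a named vhost
    except ValueError:
        pass
    return host in allowed


def handle_request(headers):
    """Minimal request handler: (status, body)."""
    if not host_is_allowed(headers):
        return 400, "Bad Request: unknown Host"
    return 200, "<h1>Internal wiki</h1>"


if __name__ == "__main__":
    # Constructed requests: what the rebound page's XMLHttpRequest sends, and a real one.
    print(handle_request({"Host": "attacker.example"}))       # (400, ...)
    print(handle_request({"Host": "intranet.example:8080"}))  # (200, ...)
```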

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?”

# 2nd August 2007, 12:30 pm / ben-laurie, security, sidechannel, openssl, securitytheatre

E-Trade financial tried using an RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.

Usable Security

# 20th July 2007, 10:31 am / usablesecurity, etrade, rsa, rsafob, security, usability, securitytheatre

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett.

# 18th July 2007, 7:45 am / chris-shiflett, csrf, security

Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted into some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process.

# 7th July 2007, 10:43 pm / greasemonkey, jyte, security, userscripts

Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta.

# 14th June 2007, 9:56 am / security, safari, apple, patch

Safari for Windows, 0day exploit in 2 hours (via) Once again, down to handling of alternative URL protocol schemes.

# 12th June 2007, 1:30 pm / 0day, security, windows, safari, apple

Security Breach. A statement from Dreamhost.

# 8th June 2007, 8:16 am / security, dreamhost, hosting

Firefox promiscuous IFRAME access bug. Lets malicious sites “display disruptive or misleading contents in the context of an attacked site” and intercept keystrokes! The demo worked in Camino 1.5 as well. Avoid using Gecko-based browsers until this is patched?

# 6th June 2007, 10 am / michal-zalewski, camino, firefox, security, iframes

Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one.

# 6th June 2007, 9:57 am / firefox, ie, michal-zalewski, security

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched.

# 6th June 2007, 9:53 am / ie, security, samedomain, cookies

Massive Dreamhost hack, WordPress not to blame

On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites.

[... 279 words]

Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post.

# 5th June 2007, 9:16 pm / dave-shea, dreamhost, hosting, php, security, spam, wordpress
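A check for the symptom described in the two Dreamhost entries above, as an added example that is not from mezzoblue or Dreamhost: walk a site's tree, read every index.php and index.html, and report links that sit inside an element styled `display: none` (the `<u style="display: none;">` wrapper Dave Shea reported, or any other hidden container). The file names scanned and the sample site are constructed for the example; the parser only looks at inline styles, so links hidden through a stylesheet class need a separate check.

```python
import os
import re
import tempfile
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}   # never pushed: no end tag


class HiddenLinkFinder(HTMLParser):
    """Collects href values of <a> tags nested inside an inline-hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden?) for each open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        inside_hidden = hidden or any(h for _, h in self.stack)
        if tag == "a" and inside_hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links


def scan_tree(root, names=("index.php", "index.html")):
    """Map of file path -> hidden hrefs, for every index file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    links = find_hidden_links(fh.read())
                if links:
                    findings[path] = links
    return findings


def build_sample_site():
    """Constructed two-page site: one clean, one carrying the injected spam block."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><body><p>Welcome. <a href="/about">About</a></p></body></html>')
    with open(os.path.join(root, "blog", "index.php"), "w", encoding="utf-8") as fh:
        fh.write('<html><body><p><a href="/archive">Archive</a></p>'
                 '<u style="display: none;"><a href="http://spam.example/pills">pills</a>'
                 ' <a href="http://spam.example/loans">loans</a></u></body></html>')
    return root


if __name__ == "__main__":
    for path, links in scan_tree(build_sample_site()).items():
        print(path, "->", links)
```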

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, Facebook all feature.

# 29th May 2007, 10:07 pm / yahoo, msn, google, youtube, facebook, xss, pagerank, security