Wednesday, February 27, 2008

Oh yeah, Hack in the Box Dubai!

There are a couple of conferences this year I’m exceptionally thrilled to be flying out for, one in particular, Hack in the Box Dubai *what? you thought RSA? :)*. I’ve never visited the region though I’ve heard a lot of amazing things. I’ve never attended a HiTB, but many others tell me they rock. For me personally, the best part is I’ve been invited to deliver one of the two conference keynotes. The other is by none other than Bruce Schneier! What an honor. Of course I’m also eager to see some of the top webappsec guys present like Shreeraj Shah and pdp (architect), but also having the opportunity to see talks by experts who don’t make it to the US. I plan to have an amazing time and learn a lot.

I’d like to thank Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack in The Box for the privilege. And if any of the readers here are attending HiTB, please let me know by emailing and commenting below.

Friday, February 22, 2008

Hooray! Firefox 3 fixes some JavaScript Malware

Today I decided to give the recently released Firefox 3 beta 3 a try because it looks like it has some slick new features. Also there seemed to be a rather large emphasis on security and many of us have been waiting patiently to see how and when Mozilla would address JavaScript malware. According to the release notes much of the newly added security features are directed towards Anti-Phishing, Anti-Malware, and more user friendly SSL. Noble pursuits that I’m sure add value, just not what I’m personally into.

I did notice Firefox added protection against cross-site JSON data leaks, which is the vulnerability my Ajax hacking technique used in GMail 2 years ago. So that’s really good. Next I tested my logged-in detection code and to my amazement it appears Mozilla added the same-origin policy to JavaScript console error messages. Where was this documented!? No matter because this is exactly what I was asking them to add last year. Woot!!! Check out the screenshot below. Thanks Mozilla and move over Stefan, perhaps I am influential after all! :)

The downside is that there are many more forms of JavaScript malware yet to overcome. Attackers can still steal a user's browser history (CSS hack), perform Intranet Hacking (port scanning, cross-site printing), and who knows about all the DNS Rebinding attacks (I didn’t test). Still, progress is thankfully being made. It would really have been nice to see integration of SafeHistory, NoScript, and maybe some semblance of Content-Restrictions. Though I have it on good authority that a project is in the works. We’ll hope for Firefox 4.

Tuesday, February 19, 2008

It pays to be a hacker

Update 02.19.2008: Maybe the title should have read, "It pays to be a Ukrainian hacker." Dan Goodin from The Register follows up by laying it out saying, "Prosecutors with the Justice Department are probably free to file criminal charges against Dorozhko for computer hacking. But given his status as a Ukrainian, it's doubtful they'd succeed. And even if they did, it's even less likely they'd recover the proceeds."

According to the nytimes (via /.), some guy (Mr. Dorozhko) hacked his way into IMS Health and obtained some prerelease earnings information. Mr. Dorozhko soon after invests ~$42K in put options betting the stock will dive, which it does when the information is publicly released, and he makes a cool ~$300K. After the SEC investigation is where the story gets REALLY interesting.

Mr. Dorozhko gets to keep this cash because according to the judge, “"stealing and trading" or "hacking and trading" does not amount to a violation of securities laws”. Put another way, Mr. Dorozhko was not an “insider” so therefore can’t be charged with “insider trading.” Apparently the way the SEC laws work is that it's legal to trade on information illegally obtained, but illegal to trade on information legally obtained. Wrap your mind around that.

Careful all you would-be hackers, this is not to say that Mr. Dorozhko won’t be prosecuted on computer crime charges.

From the story it clearly sounds like what Mr. Dorozhko did was illegal, but what if the attack was more subtle in nature? Take Predictable Resource Location (Forced Browsing), a highly effective approach which exploits the behavior of negligent website owners who post files, but don’t necessarily link them in until a particular date/time has passed. A couple of years ago something similar happened in another SEC investigation involving Estonian stock traders. With PRS there is no need to circumvent password prompts, agree to any terms of service, or bypass any security systems. You simply ask for a file on the web server, which may contain some juicy market-moving data not yet publicly released.

So is obtaining insider information in this way legal? If so, and IANAL, then it would seem to be both legal to obtain insider information this way (via PRS) and legal to trade upon it.

Wednesday, February 13, 2008

3 quick highlights

Posts have been a little slow lately. Mostly that’s because I’ve been traveling around the country and focusing on getting some very cool new stuff out the door here at WhiteHat. However, I still have enough time to keep up on the news and latest chatter so figured why not discuss some of the more entertaining snippets:

1) Mark Potts (CTO of Software, HP) Information Week article offered a real gem when claiming they now have nine out of the world's top 11 security hackers by way of the SPI Dynamics acquisition. Classic statement! I can only imagine how the SPI engineering teams cringed at that one. :) Of course a few bloggers decided to poke a little fun, I mean who can blame them. Then a fellow co-worker here said tongue in cheek that by the same logic it's possible that WhiteHat has 2 of the top 3. ;)

2) WASC’s Web Hacking Incidents Database project captured some press recently by releasing the annual report for 2007. For those unfamiliar with WHID, it’s an effort to keep track of web application related security incidents, mostly those reported in the media. Simply put -- what the hackers hack, why and how. Ofer Shezaf (Breach Security) put a ton of effort into this and the results are well worth it. There are some really interesting statistics in there, especially when contrasted with other reports.

3) Most of us are already aware that the bad guys are hacking “trusted” websites and silently placing malware on them in an effort to compromise their visitors' Web browsers. This is a highly effective approach and many large brand-name websites have been used as launching pads. However, until I read Dan Goodin's Register article I wasn’t aware just how bad the problem had gotten:

“The findings come as Websense, a separate security firm that's based in San Diego, recently estimated that 51 per cent of websites hosting malicious code over the past six months were legitimate destinations that had been hacked, as opposed to sites specifically set up by criminals. Compromised websites can pose a greater risk because they often come with a degree of trust.”

Whoa. Most websites hosting malware are legit.