Wednesday, December 29, 2010

Weak Excuses after Weak Security :: Mozilla's user a/c on Public Server

This year has been filled with loads of news about user data getting leaked from different websites... but none of it was very disturbing: web vulnerabilities in Facebook are well known and accepted as cons of the deal, and neither did the 1.3m account details leaked from Gawker come as a shock (it was more of a Tweet-Flood).
but
On Dec-17-2010, Mozilla was notified that part of its user-account data (the accounts used on addons.mozilla.org) was available on a public server.
They have projects like Firefox (super famous web browser), NSS (one of the most famous libraries for developing secure client-server applications), and more... if an organization like them makes a mistake like this, oh yeah... hackers' paradise.

This is how they defend themselves...
  • database included 44,000 inactive accounts using older
    but don't you think... even inactive users on a site deserve their privacy, and if they were inactive and not important then better purge the information pertaining to the account... why keep it instead?
  • md5-based password hashes
    they don't use it now... for active users they support a SHA-512 per-user-salt mechanism; now that's good
  • current addons.mozilla.org users and accounts are not at risk
    so if I don't use Mozilla anymore... they wouldn't respect my a/c details anymore and would still keep them... so that in future they could 'arrrrgh sorrry' me, brutally nice
  • incident did not impact any of Mozilla’s infrastructure
    it was available on a public server, not hacked-n-fetched... bravo
  • only outsider who accessed the data was the security researcher that reported the mistake to Mozilla
    how are they so sure... if no one else reported it, that doesn't mean no one else saw it, and it is not necessary that everyone accessing it will 'remain in' the logs.
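To make the second and third points concrete, here is an added example (not Mozilla's code) contrasting the unsalted MD5 scheme the leaked table used with a SHA-512 per-user-salt scheme like the one the post says now protects active accounts; the stored record format is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Mozilla's code): unsalted MD5 beside per-user-salted
# SHA-512. The 'sha512$<salt>$<digest>' record format is an assumption.


def md5_unsalted(password: str) -> str:
    """Legacy style: every user with the same password gets the same digest,
    so one precomputed table cracks a whole leaked list at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha512_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user salt: store 'sha512$<salt-hex>$<digest-hex>' for each account.
    (A deliberately slow KDF such as PBKDF2 or scrypt would be stronger still.)"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return "sha512$%s$%s" % (salt.hex(), digest)


def verify_sha512_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, expected = record.split("$")
    except ValueError:
        return False
    if scheme != "sha512":
        return False
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, expected)


def same_password_same_record(scheme, password: str = "hunter2") -> bool:
    """True if two users choosing the same password get identical stored values."""
    return scheme(password) == scheme(password)
```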

References:
http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
http://www.thetechherald.com/article.php/201052/6620/Mozilla-password-disclosure-a-non-event

Tuesday, December 21, 2010

bypass of user level restrictions, a case of bug in 'Scribd.com'

A few weeks back, Scribd.com offered me to buy/upload something in order to download a document uploaded on it. The second time, when I opened some document in another browser, it showed the 'download', 'print' and 'mobile' options disabled.

As I didn't get that document to download, I didn't feel like reading it online either... so I just thought, why not try to download it, and if I succeed then I'll read it online.
And I read it online :)

So, here is a bug (which has now been fixed) in Scribd.com... that allowed users to get a local copy of documents which had the download and print options disabled.

This is how a layered limitation can be broken, and why restrictions must be implemented root-level-up and not just as a user-level module.

@YouTube: http://www.youtube.com/watch?v=g-ETsFjRhqs
How-To download the not-allowed
example: Bypass Scribd.com disabling Downloading/Print/Mobile on some links

Example Website Bug : a bug of Scribd.com (reported & got fixed) from aBionic@Vimeo

so, now you can either print the document or create a PDF/image by printing this document using software like PDFCreator.
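The "root-level-up" point above, as an added example (not Scribd's code): the same permission rule is applied at the point where the original file is actually served, not only where the UI decides which buttons to show. The document store and users are constructed.

```python
from typing import Dict, Set, Tuple

# Added example (not Scribd's code): one permission rule, enforced where the
# bytes leave the server. DOCS and the user names are constructed sample data.


class Document:
    def __init__(self, doc_id: str, original: bytes, downloadable: bool, allowed: Set[str]):
        self.doc_id = doc_id
        self.original = original          # the uploaded file: what 'download' returns
        self.downloadable = downloadable  # uploader allowed download/print for everyone
        self.allowed = allowed            # users who uploaded/paid and may download anyway


DOCS: Dict[str, Document] = {
    "d1": Document("d1", b"%PDF-1.4 constructed sample", downloadable=False, allowed={"alice"}),
}


def may_download(doc: Document, user: str) -> bool:
    """The one rule; every layer must call it."""
    return doc.downloadable or user in doc.allowed


def viewer_flags(doc_id: str, user: str) -> Dict[str, bool]:
    """UI layer: which buttons to render. Hiding a button is not a boundary."""
    ok = may_download(DOCS[doc_id], user)
    return {"download": ok, "print": ok, "mobile": ok}


def serve_download_ui_only(doc_id: str, user: str) -> Tuple[int, bytes]:
    """Weak pattern: assumes no request arrives if the button was hidden."""
    return 200, DOCS[doc_id].original


def serve_download_enforced(doc_id: str, user: str) -> Tuple[int, bytes]:
    """Hardened pattern: re-check the rule at the point the bytes are served."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, b""
    if not may_download(doc, user):
        return 403, b""
    return 200, doc.original
```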

Friday, December 17, 2010

only '.org' and '.net' domains under DNSSEC protection till now, WHAT ABOUT YOU

Are you protected with DNSSEC:
[] in mid-2010, DNSSEC got deployed over 'root-DNS-server' and '.org' domain
[] on 10-Dec-2010, Verisign deployed DNSSEC in '.net' zone too
   {securing more than 13 million registrations online}
[] preparations are up to sign the '.com' zone in first quarter of 2011

Verisign has even launched a cloud based DNSSEC implementation service to ease its implementation in organisations.
Refer to http://www.securityweek.com/verisign-launches-new-dnssec-signing-service
For those who are not much familiar with DNSSEC, it's a security layer standardized to be implemented over traditional DNS services... it will help users counter the DNS vulnerabilities exposed by researchers like 'Dan Kaminsky', including DNS poisoning attacks.
Refer to http://www.dnssec.net

Its implementation would require more processing power, more bandwidth and more storage, as it uses an intensive encryption mechanism over all DNS traffic.

Though I was initially surprised to hear of its implementation over the root DNS server, as its alternative DNSCURVE (suggested by Dan Kaminsky) was conceptually better in security and easy on resources too. Don't know whether it was a fair selection or just another political/community-biased decision.

=begin :footer
# waited about a week to have time to do this post in detail...
# but more delay would deny its usability... so it's here
=end :footer  

Sunday, September 26, 2010

XSSed Orkut after Twitter after Facebook <xss/>

'Are you social?'
ohhh... let me rephrase it: 'Are you net-social?'
yeah... then how socially secure are you when plain-text attacks are hitting millions?

2 months back with Facebook
now almost treated as a synonym of Social Networking, with more than 400 million active users... Facebook was exposed to an XSS vulnerability despite its proper implementation of HTTPOnly cookie protection, as that doesn't count against XSS itself. The PoC video is linked below along with the article.
Article: http://www.acunetix.com/blog/news/cross-site-scripting-xss-facebook/
Video: http://www.youtube.com/watch?v=iTddmr_JRYM&hl&fmt=22

Last Week with Twitter
the microblogging favorite of the masses, offering a newer, promising UX... Twitter accidentally resurfaced an XSS hole during a site update. Known as the 'onMouseOver' flaw, it simply injected the XSS code as a tweet so that the function executed on the victim's mouse-hover event.
Article: http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html

Previous Day with Orkut
the previous day was a 'Good Saturday' (which is what 'Bom Sabado' means in Portuguese), 'scrapping' off the privacy of Orkut users. This attack is supposed to have originated from Brazil and compromised an enormous number of Orkut accounts in a span of a few hours. The code with details can be viewed at the link below.
Article: http://antrix.net/posts/2007/orkut-xss/

Monday, September 6, 2010

Problem with IEEE 802.1x implementation's fallback option

I was just looking over some gyan for 802.1x implementation on Cisco's portal.
They have a very nice guide on the Phased Deployment Model for Identity Based Network Services.
While learning a bit, I saw mention of a fallback option for IEEE 802.1x. Then I checked whether Juniper has it or not, and it supports it too.

MAB, i.e. MAC Authentication Bypass, provides support for legacy devices (say printers) which are not capable of IEEE 802.1x and hence require some other method of authentication.
And the method provided to them is adding the incapable device's MAC address to a static (or even dynamic, based on implementation) MAC list on the 802.1x provider.

There goes the cockroach surviving a nuclear attack. The super-strong 802.1x bypassed by a MAC... do they really have faith in this, or have they implemented it in super-man style? Though currently I can't think of any super-man for MAC authentication. All I see is Sipper-Man :( sipping my security away.

The attacker just has to DUPLICATE an allowed MAC, and enjoy the falling security.

Seriously, I'm afraid... if anyone knows of a manner of implementing it, hidden from me till now, which makes it secure, please let me know asap.


If you want their support to make your environment vulnerable:
Cisco Support: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab.html
Juniper Support: http://kb.juniper.net/KB11429
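Since MAB trusts nothing but the source MAC, the defender-side signal worth watching is a MAB-authorized MAC that shows up on a port other than the one its legacy device was provisioned on. Added example (not Cisco's or Juniper's code): a check over constructed switch syslog lines; the "%MAB-5-SUCCESS" message shape, the allow-list and the port names are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Added example (not vendor code): flag MAB-authorized MACs seen on a port
# other than the one they were provisioned on. Allow-list, log lines and the
# IOS-like message shape below are constructed for the example.

# MAC -> the access port the legacy device really lives on (constructed)
MAB_ALLOWLIST: Dict[str, str] = {
    "00:11:22:33:44:55": "Gi1/0/10",   # printer
    "00:11:22:33:44:66": "Gi1/0/11",   # badge reader
}

# Constructed sample syslog lines in an IOS-like "%MAB-5-SUCCESS" shape
SAMPLE_LOG = """\
Sep  6 10:01:02 sw1 %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/10
Sep  6 10:05:40 sw1 %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4466) on Interface Gi1/0/11
Sep  6 10:07:13 sw1 %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/23
"""

LINE_RE = re.compile(r"client \(([0-9a-fA-F.]+)\) on Interface (\S+)")


def normalize_mac(dotted: str) -> str:
    """Cisco dotted form 0011.2233.4455 -> 00:11:22:33:44:55."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_mac_moves(log_text: str, allowlist: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (mac, expected_port, seen_port) for every MAB success on an unexpected port."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac, port = normalize_mac(m.group(1)), m.group(2)
        expected = allowlist.get(mac)
        if expected is not None and port != expected:
            alerts.append((mac, expected, port))
    return alerts
```

Pair this with port security limiting each MAB port to one MAC, so the same MAC appearing on two ports at once is both alerted on and blocked.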

XSS Defeating PoC : if you have any time for experimentation


It's still in an experimental state; if you find some time, please try it and let me know of your experience.

Video Demo of the same PoC: http://www.youtube.com/watch?v=ENiiAccY1v0


I was working on an XSS-Patch PoC, which I now feel works properly enough to prove its point.
This neither requires web developers to do any filtering/validation, nor any JavaScript-blocking add-on in the user's browser.

I'm not good at explaining, still I've tried to do that in the above linked whitepaper.

And the ZIP file can be extracted; it has a 'StartDemo.bat' to be executed to start the server already patched with the XSS Subverting Module.
Then browse 'http://localhost/tweet.htm' in any browser... and it lets you submit any text to the server w/o validation, which is saved there as it is. But when retrieved on 'Read...' it remains inactive for any
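The store-raw / neutralize-on-read idea behind this PoC, and the onMouseOver tweet flaw from the earlier Twitter post, share one mechanism: text is saved unmodified and only encoded for the HTML context it is rendered into. Added example (not Twitter's code and not the PoC module itself), with an in-memory list standing in for the server's storage:

```python
import html
from html.parser import HTMLParser
from typing import List

# Added example (not the PoC module's code): submitted text is stored as-is,
# and only the rendering step encodes it. STORE is an in-memory stand-in.

STORE: List[str] = []


def submit(text: str) -> int:
    """Save exactly what was posted; no input filtering at all."""
    STORE.append(text)
    return len(STORE) - 1


def render_unsafe(idx: int) -> str:
    """Vulnerable: raw text spliced into an attribute and into the element body."""
    t = STORE[idx]
    return '<span title="%s">%s</span>' % (t, t)


def render_escaped(idx: int) -> str:
    """Hardened: encode &, <, >, \" and ' on the way out, for both contexts."""
    t = html.escape(STORE[idx], quote=True)
    return '<span title="%s">%s</span>' % (t, t)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name.lower() for name, _ in attrs)


def event_handler_attrs(rendered: str) -> List[str]:
    """Attribute names starting with 'on' that a browser would execute as script."""
    p = _AttrCollector()
    p.feed(rendered)
    return [n for n in p.names if n.startswith("on")]
```

Escaping covers text and quoted-attribute contexts only; user text placed into a URL attribute or inside a script block needs its own context-specific encoding.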

Thursday, August 26, 2010

hrberry.com :: php flaw self-inviting DoS, leaked framework and server info [by, ABK]

Posted@ https://sites.google.com/site/abklabs/home/secured/posts.xml

[]Patched:
Yes

[]Product Name:
http://www.hrberry.com
Payroll helpdesk, serving several prestigious companies

[]Victim Name:
Ascent Consulting Services Pvt. Ltd.
[http://ascent-online.com]

[]Vuln Summary:
There were validation flaws in the GET request parameters sent to the CAPTCHA image-generating PHP script on the portal.
This allowed an attacker to trick the app into generating any number of characters, consuming processing power.
It had a timeout after 30 seconds (too much) and generated an error message with the full path of the PHP file.
It also ran on an older, unpatched version of OpenSSL.

to read detailed Description... click here
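The two application-side defects in the summary, unbounded work from a GET parameter and an error path that echoes a server file path, as an added example (not hrberry's code): the parameter name 'len', the limits and the handler shape are assumptions of this example.

```python
import os
from typing import Dict, Tuple

# Added example (not hrberry's code): a CAPTCHA handler before and after the
# GET-parameter validation the advisory says was missing. The 'len' parameter
# name and the limits are assumptions.

MAX_CHARS = 8
DEFAULT_CHARS = 6


class BadRequest(Exception):
    pass


def captcha_length(params: Dict[str, str]) -> int:
    """Parse the 'len' parameter and reject anything outside 1..MAX_CHARS."""
    raw = params.get("len", str(DEFAULT_CHARS))
    if not raw.isdigit():
        raise BadRequest("invalid length")
    n = int(raw)
    if not 1 <= n <= MAX_CHARS:
        raise BadRequest("invalid length")
    return n


def _random_text(n: int) -> str:
    """Stand-in for image generation: n random upper-case letters."""
    return "".join(chr(65 + b % 26) for b in os.urandom(n))


def generate_captcha_vulnerable(params: Dict[str, str]) -> str:
    """Before: trusts the parameter, so a huge 'len' burns CPU until the timeout."""
    return _random_text(int(params.get("len", DEFAULT_CHARS)))


def generate_captcha(params: Dict[str, str]) -> Tuple[int, str]:
    """After: bounded work, and a failure yields a generic message, never a path or trace."""
    try:
        n = captcha_length(params)
    except BadRequest:
        return 400, "bad request"
    return 200, _random_text(n)
```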

Saturday, June 19, 2010

Rapid7's neXpose

http://www.rapid7.com/vulnerability-scanner.jsp

You can download the Community Edition of this famous and highly efficient network vulnerability scanner by Rapid7.

[] NeXpose Community Edition provides users with:
 > vulnerability scanning for up to 32 IPs at a time
   {limited, but for free it's nice}
 > Regular vulnerability updates
   {every time I start it, updates get checked}
 > Accurate scan results
   {it gives real detailed analysis of flaws found}
 > Prioritized risk assessment
   {though its priorities don't match mine most of the time}
 > Remediation guidance
   {yeah it's good, with required tweaks}
 > Out-of-the box Metasploit integration
   {from the Metasploit v3.31 it can be fully integrated with NeXpose}
    Link: http://www.metasploit.com/redmine/projects/framework/wiki/NeXpose_Plugin
 > Extensive community support at http://community.rapid7.com
   {it's so easy, you wouldn't require it}
 > Simple deployment
   {if you can browse through a new website, you can use it}
 > No cost start-up security solution
   {Community edition after all}

Thursday, February 18, 2010

on 18-Feb-2010 :: NetWitness reported 'Kneber Botnet' {CRITICAL}

On 18-Feb-2010, NetWitness reported a new malware, the 'Kneber botnet';

it's a variant of Zeus and mainly targets credential stealing, key-logging, etc.

... it has affected more than 2500 organizations;

... currently no IPS/IDS has adequate signatures to detect it.

... it can also act together with other malware; the favourite noticed is Waledac (a P2P Trojan)



[] A way to check if a machine is infected by Kneber (Zeus variant):

        The registry key can be found by following this path, he said:

        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

        normally it will have an entry like "C:\WINDOWS\system32\userinit.exe,"
        ZeuS will add itself to the list, typically as 'ntos.'
        But it could always change its name; so if any irrelevant entries are found here... maybe the machine is infected.

        If any more entries are found, or there is suspicion, scan the file listed there.


[] It's suggested to patch all the latest MS10-* and Adobe releases on all machines;
    and as always, not to open suspicious e-mails

[] NetWitness said that Kneber was primarily found on corporate and government computers; however, home users are likely to attract the infestation as well.

[] more details @

*** http://www.netwitness.com/resources/pressreleases/feb182010.aspx ***

http://www.networkworld.com/news/2010/021810-kneber-botnet-faq.html?hpg1=bn

http://www.nytimes.com/2010/02/19/technology/19cyber.html?em

http://www.technewsworld.com/rsstory/69372.html
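The UserInit check described above, as an added example (not NetWitness's code): it splits the Winlogon UserInit value and flags every entry that is not the stock userinit.exe. The sample value is constructed (the 'ntos' name is the one the post mentions), and the accepted stock forms assume a default C:\WINDOWS install.

```python
import sys
from typing import List

# Added example (not NetWitness's code): flag UserInit entries beyond the
# stock userinit.exe. EXPECTED assumes a default C:\WINDOWS install; the
# sample value in __main__ is constructed.

EXPECTED = {
    "userinit.exe",
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated value; the stock value ends with a trailing comma."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Entries other than the stock userinit.exe (case-insensitive)."""
    return [e for e in parse_userinit(value) if e.lower() not in EXPECTED]


def read_live_userinit() -> str:
    """On Windows read the real value; elsewhere return '' (nothing to inspect)."""
    if sys.platform != "win32":
        return ""
    import winreg  # Windows-only module
    path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"  # constructed
    value = read_live_userinit() or sample
    for entry in suspicious_userinit_entries(value):
        print("suspicious UserInit entry, scan this file:", entry)
```

An empty result is not proof of a clean machine; the post itself notes the dropped file can use any name and only this one persistence point is checked here.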

Saturday, January 16, 2010

ABK SiteHoster -=[developing a HTTP Network Server to be secure at implementation]=-

ABK SiteHoster 

Sourceforge Link : http://sourceforge.net/projects/sitehoster/ 

Youtube Demo Link: http://www.youtube.com/watch?v=CogPa646vi8

Currently in its BETA stage and able to serve URLs only as per HTTP v0.9, so a basic, not yet secure, web server.

Actually developing it as an HTTP network server that is secure at its implementation; normally all the web servers out there are vulnerable because they didn't implement security at their very core but as an extra shield outside.
Here in this project I'll be aiming at making it secure from the core itself, and making it self-secured by immunizing it against all kinds of web-app attacks.


ABK SiteHoster is aLEHNS (a Lightweight Extensible HTTP Network Server), developed in pure Java. It currently supports HTTP 0.9, easily delivering normal HTML-oriented websites, and aims to be a full-fledged website server with all web services.