Thursday, December 25, 2008
Wednesday, December 17, 2008
Tuesday, December 16, 2008
Need more distractions
If anybody can give me any advice or pointers on how to manage my time better when I have too much time, let me know; I'm open to all suggestions. It's such an ironic paradox for me. Do you guys have the same problem? The less time I have, the more I get done, and the more time I have, the lazier I get :( Perhaps we all perform better under pressure? Well, I hope everybody has a happy holiday and a wonderful New Year.
My philosophy: make your New Year's resolutions now, so that by the time Jan 1st rolls around you've brainwashed yourself into them.
As for Asian people, we have the Lunar New Year (you know what I'm talking about), so if our friends get on us about not keeping our promise, we can say that it's not our New Year; it's a Roman calendar and we follow the Asian calendar :)
University of London External System - EMFSS Study Weekend at LSE
Four XSS flaws hit Facebook
Project XSSed, the clearing house for cross site scripting flaws has just released details on four flaws affecting Facebook’s developers page, iPhone login page and the new users registration page, potentially assisting malicious attackers into adding more legitimacy to their campaigns. With yet another critical XSS flaw hitting Facebook in May earlier this year, what’s the potential exploitability of such flaws if any in the wake of the ongoing Koobface worm’s rounds across the social networking site?
It’s worth pointing out that in both of these cases there were no known cases of active exploitation, perhaps due to Facebook’s quick reaction upon being notified of them. The very same lack of active exploitation was also present in several other cases throughout the year, namely, the recent XSS affecting Google’s login page, and the multiple HSBC sites (still) vulnerable to XSS flaws. And if we are to exclude the XSS worm at Justin.tv which infected 2,525 profiles in July, active exploitation of such flaws is no longer favored compared to the less noisy social engineering tricks exploiting the weakest link - the Internet user social networking with a false feeling of security.
Take Koobface for instance. It scaled so efficiently without exploiting any social-networking-site-specific flaw, only through social engineering tactics that hand the entire spreading process over to the already infected user, which in a trusted environment of friends proved to be a successful form of spreading. Despite the possibility of actively exploiting such flaws in phishing and malware campaigns, cybercriminals appear to be no longer interested in such noisy approaches, at least not while attempting to spread malware across social networking sites. Among the main reasons for this is the fact that their entire campaign would be based on a single propagation vector, which, once taken care of through technical means, would render the campaign useless. Instead, just like the Koobface gang continues to do, they mix social engineering vectors by abusing legitimate brands as redirectors to the malware-infected hosts serving the fake YouTube videos.
The Web in general is an entirely different topic, since I can easily argue that the long tail of SQL injected sites can outpace the traffic that could come from a single high-page ranked site that’s participating in a malware campaign. Case in point - the recent Internet Explorer zero day flaw is currently being served through SQL injections affecting vulnerable sites across the Web, a pretty logical move on which I speculated given the fact that it was originally used on Chinese forums and sites only.
For the record, the Facebook security team has been notified of the recently published flaws.
Gmail, Yahoo and Hotmail systematically abused by spammers
With the industry’s eyes constantly monitoring the usual suspects’ use of phony hosting providers, another market segment within the underground marketplace has been developing beneath the radar, aiming to build a malicious infrastructure (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack) through efficient CAPTCHA recognition.
The latest MessageLabs Intelligence annual report for 2008 indicates that on average, 12 percent of the spam volume they were monitoring in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, with a peak of 25% in September. Earlier this year, more vendors emphasized this ongoing development, citing machine-learning CAPTCHA-breaking techniques as the cause of it. In reality though, the very same humans that CAPTCHA was meant to identify continue undermining it as an anti-bot registration measure.
Researching the market segment throughout the year (Microsoft’s CAPTCHA successfully broken; Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers; Spam coming from free email providers increasing; Spammers attacking Microsoft’s CAPTCHA — again; Inside India’s CAPTCHA solving economy) it’s time to assess the current situation and speculate on the upcoming efficiency model.
“In 2008, spammers developed an affinity for spamming from large, reputable web-based email and application services by defeating CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) techniques to generate massive numbers of personal accounts from these services. In January, 6.5 percent of spam originated from these hosted webmail accounts, peaking in September when 25 percent of spam originated from these sources, averaging about 12 percent for the remainder of the year.”
Three of the most popular free email providers continue being systematically abused by cybercriminals so efficiently that they often top the charts (Gmail; Yahoo; Microsoft) of major anti-spam organizations such as Spamhaus. Although the affected companies are aware of this ongoing abuse, some of their mail servers have such a bad reputation due to the outgoing spam that it would be hard not to assume that sent email may not be reaching its destination. Moreover, BorderWare’s ReputationAuthority.org also comes in handy when assessing the reputation of Gmail, Yahoo Mail and Hotmail. Who’s got the worst reputation varies, but for the time being, Microsoft’s web properties appear to be ahead of Gmail and Yahoo’s.
Is the supply of pre-registered accounts at these services driving the market, or is it the customer’s demand that’s actually driving it? Whatever the case, supply is pretty efficient for the time being. For instance, I’m currently monitoring several web-based bogus account registration services, with an average price for a thousand accounts at any of these email providers of $10. That’s right, for $10 a spammer could get his hands on a thousand pre-registered email accounts, if we are to exclude the discounts offered for a bulk purchase. And whereas I still haven’t been able to establish a relationship between these services and Indian CAPTCHA breakers, theoretically the supply of bogus accounts offered by a Russian service could in fact be outsourced as a registration process to human CAPTCHA breakers, with the service itself acting as an intermediary. Whether it’s through the use of malware-infected hosts or through human CAPTCHA solvers, the hundreds of thousands of accounts offered for sale remain there.
Let’s talk about efficiency. A research paper entitled “Exploiting the Trust Hierarchy among Email Systems”, released earlier this year and surprisingly receiving zero media attention, shows a proof of concept allowing the researchers not only to bypass Gmail’s message limit for bulk messages, but also to abuse Gmail’s email forwarding function in order to successfully deliver emails classified as spam by relaying them through whitelisted Gmail servers, now DomainKeys-empowered:
“The presented vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by having Google’s SMTP servers tricked into behaving like open SMTP relays. We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages). Although we have limited the number of messages in our example to 4,000+, no counter measures took place that would have prevented us from sending more messages, and for that matter sending an unlimited number of messages.”
What this means is that the potential spamming speed achieved through a single automatically registered Gmail account could be greatly increased. From another perspective, a bogus account wasn’t worth as much as it is worth today, since it allows automatic access to all of the company’s web properties allowing spammers and cybercriminals (Cybercriminals syndicating Google Trends keywords to serve malware) to abuse them even further. CAPTCHA is dead, humans that were supposed to recognize it killed it by starting to recognize it efficiently and monetizing the process.
The bottom line: ask yourself the following. How many incoming anti-spam solutions can you think of right now, and how many outgoing anti-spam solutions are you aware of? Before spam comes in, it has to go out first.
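The outgoing side the post asks about is where an abused webmail account is first visible: a legitimately registered account that suddenly sends hundreds of messages, or a handful of messages to thousands of recipients, stands out against its own history. The snippet below is an added example, not code from the original post or from any email provider. It keeps a sliding window of outbound sends per account, counts recipients rather than messages (the relay abuse quoted above reached 4,000 targets from one account), and flags the account once it passes a quota. The 500-per-account figure is the Gmail bulk limit quoted in the post; the one-day window and the sample send log are constructed for the demonstration.

```javascript
// Added example: a per-account outbound send monitor of the kind an "outgoing
// anti-spam" control needs. Not from the original post or any provider's code.

const WINDOW_MS = 24 * 60 * 60 * 1000; // sliding window length, one day (assumed)
const QUOTA = 500; // recipients allowed per account per window (figure quoted in the post)

class OutboundRateMonitor {
  constructor(quota = QUOTA, windowMs = WINDOW_MS) {
    this.quota = quota;
    this.windowMs = windowMs;
    this.sends = new Map(); // account -> [{ ts, n }] in ascending ts order
  }

  // Record one outbound message from `account` at time `ts` (ms since epoch)
  // addressed to `recipients` addresses. Returns true while the account is
  // within quota, false when this send pushes it over (block or flag it).
  record(account, ts, recipients = 1) {
    const list = this.sends.get(account) || [];
    const cutoff = ts - this.windowMs;
    // Drop entries that have fallen out of the sliding window.
    while (list.length && list[0].ts <= cutoff) list.shift();
    list.push({ ts, n: recipients });
    this.sends.set(account, list);
    return this.countInWindow(account) <= this.quota;
  }

  // Number of recipients this account has addressed inside the current window.
  countInWindow(account) {
    const list = this.sends.get(account) || [];
    return list.reduce((sum, e) => sum + e.n, 0);
  }
}

// Replay a time-ordered send log and return the accounts that exceeded quota.
function findBulkSenders(log, quota = QUOTA, windowMs = WINDOW_MS) {
  const monitor = new OutboundRateMonitor(quota, windowMs);
  const flagged = new Set();
  for (const { account, ts, recipients } of log) {
    if (!monitor.record(account, ts, recipients)) flagged.add(account);
  }
  return [...flagged].sort();
}

// Constructed sample log: "bulkacct" sends 30 messages to 20 recipients each
// (600 recipients in half an hour); "normaluser" sends 5 single-recipient messages.
function sampleLog() {
  const base = Date.UTC(2008, 11, 16); // 16 Dec 2008, arbitrary start time
  const log = [];
  for (let i = 0; i < 30; i++) log.push({ account: 'bulkacct', ts: base + i * 60000, recipients: 20 });
  for (let i = 0; i < 5; i++) log.push({ account: 'normaluser', ts: base + i * 300000, recipients: 1 });
  return log.sort((a, b) => a.ts - b.ts);
}

console.log('accounts over quota:', findBulkSenders(sampleLog()));
```

Counting recipients instead of messages is the deliberate choice here: a per-message cap is exactly what the relaying trick in the quoted paper sidesteps, while a recipient count catches both many small messages and a few very large ones. In a real deployment the window state would live in shared storage rather than a process-local Map, and the quota would be set per account age or reputation rather than as one constant.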
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis.
Major Web browsers fail password protection tests
That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.
That’s the biggest takeaway from the results of this test which shows that all the major Web browsers — including IE, Firefox, Opera, Safari and Chrome — are vulnerable to a total of 20 vulnerabilities that could expose password-related information. Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge. They are:
- The destination where passwords are sent is not checked.
- The location where passwords are requested is not checked.
- Invisible form elements can trigger password management.
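Each of the three problems is a missing check, so the mitigation is a policy that refuses to fill unless all three pass. The snippet below is an added example, not code from the test report or from any browser vendor. It models a password manager's autofill decision: the page asking for the password must have the same origin as the site the credential was saved for, the form must submit to that same origin, and the password field must actually be visible to the user. The saved credential, the hostnames and the form descriptions are constructed for the demonstration; a real manager would read them from its credential store and the page's DOM.

```javascript
// Added example: an autofill policy that closes the three gaps listed above.
// Not from the test report or any browser's code; hostnames are placeholders.

// Origin (scheme + host + port) of an absolute URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Origin the form will submit to. Form actions are often relative, so resolve
// against the page URL; an empty action means "submit back to this page".
function actionOrigin(pageUrl, action) {
  try {
    return new URL(action || '', pageUrl).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a saved credential may be filled into a form.
// credential: { origin, username }; form: { pageUrl, action, passwordFieldVisible }
// Returns { fill: boolean, reason: string }.
function autofillDecision(credential, form) {
  // Check 1: where the password is being requested.
  const pageOrigin = originOf(form.pageUrl);
  if (pageOrigin === null || pageOrigin !== credential.origin) {
    return { fill: false, reason: 'page origin does not match saved credential' };
  }
  // Check 2: where the password would be sent.
  if (actionOrigin(form.pageUrl, form.action) !== credential.origin) {
    return { fill: false, reason: 'form submits to a different origin' };
  }
  // Check 3: an invisible field must never trigger filling.
  if (!form.passwordFieldVisible) {
    return { fill: false, reason: 'password field is hidden' };
  }
  return { fill: true, reason: 'ok' };
}

// Constructed scenarios. "thirdparty.invalid" stands in for any host that is
// not the one the credential was saved for.
const SAVED = { origin: 'https://example.com', username: 'alice' };
const SCENARIOS = {
  legitimate: { pageUrl: 'https://example.com/login', action: '/session', passwordFieldVisible: true },
  foreignAction: { pageUrl: 'https://example.com/login', action: 'https://thirdparty.invalid/collect', passwordFieldVisible: true },
  wrongPage: { pageUrl: 'https://blog.example.com/post', action: 'https://example.com/session', passwordFieldVisible: true },
  hiddenField: { pageUrl: 'https://example.com/comments', action: '/session', passwordFieldVisible: false },
};

// Run every scenario and return { name: fill? }.
function runScenarios() {
  const out = {};
  for (const [name, form] of Object.entries(SCENARIOS)) {
    out[name] = autofillDecision(SAVED, form).fill;
  }
  return out;
}

console.log(runScenarios()); // only "legitimate" is filled
```

The origin comparison is deliberately exact: a subdomain is treated as a different site, which is the conservative default when the credential store has no rule saying otherwise. The "hiddenField" case is the one that ties this back to the XSS post above: an injected, invisible login form on an otherwise same-origin page is precisely what the third check is meant to ignore.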
Google’s shiny new Chrome browser was among the worst offenders. According to the study, Chrome’s password manager contains multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”
Apple’s Safari for Windows browser also failed a majority of the tests (click image for full version):
For the test results, click HERE
Monday, December 8, 2008
For 3rd year students
http://www.careers.lon.ac.uk
Thursday, December 4, 2008
The WALL
Wednesday, December 3, 2008
What I Do On Those Days
Been falling behind on studies and kinda losing motivation. Anyway, to get through this I've been going through at least 3 to 5 pages of each book just to keep the flow going. I know these things come in waves: keep reading a little bit until the motivational push comes back, then read a lot and then taper down, etc.