Comerica bank discovers full disclosure

Comerica bank seems to think disclosing cross site scripting vulnerabilities in the bank’s web site is illegal:

“Comerica hereby demands that the above-referenced Subject Site be shut down immediately and that the identity of the account holder be provided to the undersigned.

Comerica’s demand is based upon the fact that the Subject Site is designed to enable that subscriber and anyone else viewing the site to take actions to attempt to impersonate Comerica to its customers”

(full document here)

No Comerica, it’s not the “how to use Comerica com to phish their customers” page that enables that, it’s comerica.com that enables that. But at least I finally know why I’ve been receiving a flood of Comerica phishing emails in the last few weeks (I hadn’t even heard of the bank before then).

Needless to say, they haven’t fixed the problem. Of course, for them the problem is not that phishers can attack Comerica bank customers but that somebody is saying it out loud.

[Image: Comerica XSS]

(more pictures here)

(via @lancejssc)

Firefox 3.5 heap spray vuln

It’s nice to have milw0rm around: http://www.milw0rm.com/exploits/9137.

Be careful out there, Firefox 3.5 users.

milw0rm will stay open, but needs your help

Seems like milw0rm will stay up for the near future. In an email from Str0ke, he wrote:

Way to[o] many people unhappy with me over the
idea of closing shop.  I just needed help which I have a lot of people to choose from now

So the good news is that we’ll still see milw0rm posting information. But for all of you who were disappointed by milw0rm almost closing: if you want to see it stay open, here’s your chance to help. Just write to str0ke and offer him help – managing a vulnerability database is one of the best ways to gain expertise and learn the field. Plus, you’ll be helping a valuable resource, and making friends along the way.

From personal experience, I can very much recommend it. We started our own vulnerability database much like milw0rm a while back, and it gave us the expertise to build a vulnerability scanner, a fuzzer, and a profitable business while having fun doing it. So much so, that the original SecuriTeam team is still actively working on editing and posting information.

So whether you are looking to sharpen your skills for fun or want to give a boost to your professional career, I highly recommend joining milw0rm (do it now, while str0ke is still accepting applications!)

Bye milw0rm?

I saw a message from Jericho giving his goodbyes to str0ke, and had to see it for myself. Indeed:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :( . For the past 3 months I have actually done a pretty crappy job of getting people’s work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

We all hope it’s just temporary and str0ke will bounce back. And if that doesn’t happen, hopefully someone else will pick it up and continue. It’s a thankless job of tedious work, but it gives “the good guys” a fighting chance by putting together, in an organized manner, things that are already known to the bad people out there.

Hopefully this is not a farewell, but if it is, milw0rm will be missed.

Readers: If you have suggestions for good exploit archives (other than this exploit archive, of course) that should go on the bookmark list where milw0rm was, please post in the comments below.

Update: Good news. As several of you noted, str0ke decided to keep on going. More information here.

Update 2: As of October 2009 they seem to be down again.

Want vulnerability information? Pony up the cash

The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for it. CEO Rick Dalmazzi writes:

Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.

I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.

But I do think Rick is taking the long and hard path by asking the vendors directly – there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).

What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can easily exercise this (better than we can, as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe for this information. But that may take a while (a friend of mine that is responsible for product security for a very large vendor says that will be a cold day in hell).
In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities.

The month of twitter bugs

Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?

Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.

Iraq cybersquatting Israel gov’t domains

A few years ago, the personal blog of the Iranian president Ahmadinejad included a special piece of malware code that would only be served to Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names, to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed at which news travels on the Internet these days, it shouldn’t be difficult to do some psychological warfare if you own “credible” domain names.

Mysql authentication bypass

I saw a demo of Green SQL today, and during the demo Yuli showed me a cute sql-injection method for mysql that I’ve never seen before.

This will evade some IDSs and is also a good reply to web developers who tell you that filtering the words “OR” and “AND” is enough as a generic SQL-injection protection.
It’s not “new”, but it was new to me. The idea is to place two equal signs inside the query so that the query becomes:

SELECT * FROM users WHERE column='b'='c'

More information and a very detailed explanation here. It seems to be specific to mysql.
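As an added illustration (not code from the original post or from GreenSQL), the following MySQL session shows why the double-equals query matches rows, the warning it leaves behind, and what a bound parameter does with the same input. The table and rows are constructed sample data.

```sql
-- Added example, not code from the post or from GreenSQL.
-- Constructed sample table; assumes MySQL or MariaDB comparison semantics.
CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(32)
);
INSERT INTO users VALUES (1, 'alice'), (2, 'b'), (3, 'carol');

-- '=' is left-associative, so the query from the post is really
--   (username = 'b') = 'c'
-- The inner comparison yields 0 or 1. MySQL then compares that integer
-- with the string 'c' as numbers, and 'c' converts to 0:
--   alice: (0) = 'c'  ->  0 = 0  ->  TRUE
--   b:     (1) = 'c'  ->  1 = 0  ->  FALSE
-- So every row except the one that actually equals 'b' is returned,
-- and the statement contains neither OR nor AND for a keyword filter to catch.
SELECT * FROM users WHERE username='b'='c';

-- The lossy string-to-number conversion is reported as a warning
-- (ER_TRUNCATED_WRONG_VALUE, 1292), which a DBA can monitor for.
SHOW WARNINGS;

-- Mitigation: bind the value instead of splicing it into the SQL text.
-- The whole input  b'='c  is then a single string operand compared against
-- username, so it matches no row instead of rewriting the WHERE clause.
PREPARE by_name FROM 'SELECT id FROM users WHERE username = ?';
SET @u = 'b''=''c';
EXECUTE by_name USING @u;
DEALLOCATE PREPARE by_name;
```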

T-Mobile confirms breach

The T-mobile data breach that jbrown wrote about has been confirmed by T-Mobile.
I guess not everything you read on Full Disclosure is fake after all…

I am carrier


The swine flu craze in Asia is almost becoming ridiculous. When we flew into Beijing, a doctor came on board to check everyone’s temperature before they would let us out of the plane. Before passing immigration we were checked again and filled in forms to prove we are all in top health.

Ironically, on the inbound flight to Beijing I caught the flu from the Chinese girl sitting next to me (I’m talking about the regular flu. No need to call an emergency medical team on me). I spent the week gobbling Chinese medicine herbs which did a great job in preventing me from crashing sick. But the problem is that I am about to fly back to San Francisco through Tokyo, and I’m trying to think how to convince the Narita officials that my germs are pure and genuine Asian bodies and were not carried with me from any American pigs (political innuendos not intended).

It seems I’m also a carrier of something else, and again it’s not my fault. All I did was connect my USB stick to a computer on the business center in my Beijing hotel. I just wanted to print a document but didn’t bother locking the stick to ‘read only’. Apparently that was enough to have a Trojan infect the USB stick from the malware infested public computer.

Not that it would matter, really, since my machine runs Ubuntu. In fact, I wouldn’t have noticed it unless someone who borrowed the USB stick from me had shown me the virus warning that popped up as they plugged the stick into their Windows machine. I could have infected dozens of machines by the time I found out about it – all those poor Windows machines, Trojaned just for borrowing my USB stick; I really don’t need that on my conscience.

Now that I know the Trojan is there, the cleanup is easy: I will ‘rm’ the files and the stick will be healthy again and stop being a carrier for defenseless Windows machines. Now if only it was that easy to recover from this damn flu.

Smells like teen spirit

It must be the 90s again. Nirvana is on the radio, and people are finding remotely exploitable WebDAV vulnerabilities. Using unicode encoding no less – the choice of a new generation. A note to Microsoft: in the 21st century we have this new thing called “a fuzzer”. You might want to google for ‘bestorm’ or ask the SDL team about the general concept.

Another 90s thing is to publish a critical exploit without going through a broker to get paid for it (or waiting for a hacking contest). Don’t get me wrong – we offer both options: the “publish your exploits for free” and the “publish your exploits for profit” routes are both open to you. Personally – if you go on the full disclosure path, more power to you, but I have to admit nowadays it’s as rare as hearing Nirvana on the radio.

Now I hear there’s a new browser out there nicknamed “mozilla”. I think I’ll check it out, they say it will kick Internet Explorer ass before Y2K…

Revenge on the “Your Warranty is about to expire” People

Read the whole thread to see how far this attack goes.

William Gibson must be proud to see his Panther Modern in action! (BTW, Mr. Gibson – if you’re reading this, thanks for your excellent recommendation for Silicone Sealing Tape! Oh, and thank you for writing Neuromancer too).

The new face of disaster

I remember a few years back, when I heard about the blackouts in California (oh yes, the good ol’ Enron days). It was quite shocking to hear that major dot-coms were down for hours. Even the “365 Main” facility in San Francisco with its earthquake proof infrastructure lost power, proving that no matter how equipped, no single location can withstand a big disaster.

Nowadays this is less and less a real issue – hurricanes and power failures are not an excuse to stop providing service: Amazon and Google showed that you can reach close to 100% reliability (barring software bugs) by eliminating all physical single points of failure. Today in the cloud age, every web service can get Amazon-like reliability without worrying about a power failure in its office in Mountain View or a natural disaster in its colocation farm – and all this for hundreds of dollars a month.

But as the local disaster problem is solved, there’s a new one that may shape the way we think of disaster recovery. Register.com got hit by a massive DDoS attack on its DNS servers. This attack will have many casualties – not just register.com’s users, who may have their web sites unavailable if they used register.com’s DNS services, but also all those hit by the collateral damage; we don’t yet have technical information on how the attack was done, but a DDoS attack is typically logical and not geographical – if your site is somehow ‘logically’ connected to a site that is being attacked, you will be DDoS’ed and that won’t be nice. When Blue Security was DDoS’ed a few years ago the attackers decided to take down Blue Security’s providers along with anything hosted there, in any of the providers’ geographical locations.

A DDoS attacks the server wherever it is – if you span your server across multiple physical locations the attack will hit all of them; there is always a limit to the number of transactions you can handle in a single second, and once the attacking botnet passes this limit your services will effectively be denied. You will then have nothing to do but lean back in your chair and wait for the attack to end, counting the lost visitors/revenue/reputation with every passing minute.

While the cloud can save you from Hurricane Katrina, if someone decides to DDoS facebook.com they only need to pay a fee; there is nothing facebook – with its massive server infrastructure – can do to stop them. In fact, we don’t know of any real way to stop DDoS (snakeoil solutions aside) and Rob is very correct in saying that probably the only solution is raising security awareness to reduce the size of botnets and make DDoS less practical (or more expensive). Until that happens, I wonder who will be the first to use DDoS to take out a competitor?

It’s fun being other people

As I wrote before, I have a very nice gmail address that doubles as an email honeypot.

This is a fun way to pass the time. First, I have a unique peek into other people’s lives. Second, I can see how people treat the possible situation of sending email to the wrong address.

One “Aviram” was on some kind of PTA mailing list. At some point they figured out they are CCing the wrong address and I no longer know what each person brings to those meetings, which is a shame.

Another “Aviram” is co-producing a TV show – seems like some kind of a reality show. If I ever need to know how to convince a “rich bitch” celebrity into joining a reality show that could be useful information. If it ever materializes into an actual show I promise to leak the identity of the winner in this blog.

A more interesting recent addition is the “Aviram” that signed up to a religious dating site. What is so interesting about a bunch of 21 yo girls who are looking to marry? Well, the dating site sent me a registration confirmation to my email, without actually checking if the email is correct. Now all I need to do is login (by selecting “forgot my password”) and change his password, and he is forever locked out.

But to top it off, the site started sending me alerts (it seems there is no shortage of young females looking to marry at this age) and every alert includes, you guessed it, the username and password inside the email. And somewhere on the Internet a lonely guy is waiting for his soulmate, not knowing the mailbox is overflowing with candidates.

Probably my favorite email received was a confirmation that the transfer for 900,000 NIS (about $215,000) is about to go through as planned. I had to resist the temptation to send an email back with the ‘updated’ account details.

All this got me thinking: What are the legal consequences of receiving those mistaken-identity emails? Let’s put aside the discussion of the silly mile-long footers (“if you are not the intended recipient please commit suicide after formatting your hard drive”). What if I receive a standard email, without any disclaimers, and choose to use it: leak the identity of the reality show participant, date the girls that wanted to meet an “Aviram”, or tell the PTA women to bring lasagna to the next meeting?

What about a responsibility to forward these emails to their correct recipient (or letting the sender know he has the wrong address) – am I required to? Would it be “the right thing” to do?

Your local security group meeting

If you ever went to a Black Hat you probably think that the security crowd is a bunch of stuck-up, unfriendly egomaniacs.

That’s why I like the local meetups – the gatherings that bring together people who live in the area and like security as much as you do. Suddenly those same egomaniacs become fun drinking buddies who like to have interesting discussions and share interests.

I just saw an announcement about ARBSEC – “an informal CitySec meetup of local security professionals” in Ann Arbor, Michigan. I spoke at a “rubi-con” conference in Michigan once (is rubi-con still around?) and really liked the local guys. I recommend anybody who likes security and is in the MI area to check it out. If I get to the Midwest on that date I’ll be sure to attend.

The problem with these local meetups is that everybody knows where blackhat is held, but not too many people know where their local security ‘meetup’ is, or if one even exists. I know that there used to be a group meeting in the DC/VA area, and a “Security n’ Suds” monthly gathering in Northern California – both were almost secret and if you didn’t know who to ask, you had no chance of knowing they exist. Other groups like Austin Hackers seem to be defunct or at least stopped updating their web site a few years ago.

So what meetups are currently active? Please share if you know of a local security meeting club. If you want to start a local meetup in your area, try your luck here in the comments section and maybe you’ll find others who would like to join…

Not all Twitter clients are nice

Richard Stiennon has a nice writeup on TweetTornado. It started with a previous post where Stiennon detailed how TweetTornado may be damaging for Twitter. Judging by this last post it seems the TweetTornado guy is quite the asshole, which may indicate that those features in TweetTornado were not really accidental.

I think one of the largest weaknesses of Twitter is the fact that the open API and easy interconnectivity between all users make it easier for spammers to write clients that ‘cheat’ the system, while its reliance on a single infrastructure will make it easy for someone to take it down or make it practically unusable for everyone. Look at Orkut, for example.