How not to handle a responsible XSS disclosure!

Okay, so a few days ago I found a ton of XSS vulnerabilities on various high profile web sites, and on the whole, after eventually managing to contact the relevant teams for the sites, everyone was very grateful.

When will web site owners learn that it’s a good idea to have a security contact e-mail address on their sites!

However there was one, whose name I’m not going to mention here, that came back to me with the worst possible answer ever.

This is an online retailer, and my e-mail went to their help desk, but still!

Here’s the full e-mail trail (I’ve removed certain bits of info so that the site or the attack vector cannot be identified). Please also note that due to the nature of what this company does, they are required to be PCI DSS compliant.

===============================

-----Original Message-----
From: xyberpix [mailto:xyberpix@blahblah.com]
Sent: 05 January 2010 07:53
To: help@xxx.com
Subject: Website enquiry: General - www.xxx.com

Sent Date: 2010-01-05 07:52:58 (GMT/UTC)

Hi There,

I have discovered a security vulnerability on your web site, and would like to please disclose this to yourselves responsibly. Could you please either contact me with the name of someone who I should report this to, or could you please get someone to contact me at this e-mail address please. If this could please be treated as urgent.

Thank you
xyberpix

===================================
On 5 Jan 2010, at 16:40, XXX Support User2 wrote:

Hi Xyberpix,

Thank you for your email message.

Can I please ask you to supply the screenshot of the page so that we can look into this for you?

I look forward to your reply, upon which I will do my very best to assist you.

Kind Regards,
Alex | Customer Services Representative
Note: Please do not delete the previous correspondence if you are replying to this e-mail. This will help us to assist you better. www.xxx.com

===================================

-----Original Message-----
From: xyberpix [mailto:xyberpix@blahblah.com]
Sent: 05 January 2010 16:59
To: XXX Support User2
Subject: Re: XXX

Hi Alex,

No problem at all please find attached a screenshot.

Also the string that was used in the main search bar to prove this was the following:

';alert yadayadayada

Kind Regards,
xyberpix

==================================

Hi,

Thank you for contacting us and sorry for the inconvenience caused here.

May I kindly request you to clear the cache and cookies from your internet browser and then try placing your order opening a new browser.

If you have any further queries please do let us know.

Kind Regards,
Edwin | Customer Services Representative
XXX!

Note: Please do not delete the previous correspondence if you are replying to this e-mail. This will help us to assist you better.


Signs of the (end) times …

Rev. 6:6, OCD [1]

“Then it was as if I heard a voice saying: And they shalt go into the storehouses, and look there for the snack foods made from corn [2] which the hands of men have made into hollow cones or cornets [3].  And they shall go unto the Save-On, and unto the Shoppers Drug Mart, and unto the Safeway, and even unto the Zellers, which is the store of last resort when old stock is being cleared out.  And they shall find them not.  And, having no proper snack foods for the parties of the new year, the new year shall come not, and thus shall be the end of times.”

[1] Old Canadian Deviant translation, as opposed to the New American Standard

[2] Some ancient manuscripts add: “And this is not that barleycorn which was known even in Ur of the Chaldees, but that which came from the land newly found by him who gave his name unto a seventies TV detective show, but of whom we may not, at this time, speak”

[3] Scholars debate the meaning of this word.  Most believe that it is simply a reference to “little objects made from corn.”  However, some feel that it is similar to the word for “trumpets,” or, possibly “bugles.”


A Myth Laid to Reset: I’m Sorry, to Rest

As it’s been a while, here’s a little light-ish relief from my semi-recreational blog….

http://dharley.wordpress.com/2009/09/19/a-myth-laid-to-rest/


Robert Who?

As part of some research into the security risks of social networking, I did an ego search on myself.  (Hey, it’s legitimate research, all right?)

On Altavista, the first hit was the Wikipedia page someone created about me.  The second result was http://www.robertslade.com/ which I hadn’t known existed.  As well as correctly listing his published books, this page informed me that I was mentioned on the Wikipedia entry for the RISKS-Forum Digest (which is a definite ego boost).  It also provides a photograph of someone else.  As well as two pictures I didn’t take, and three videos I have nothing to do with.  Two different boxes provide links to buy books, some of which are mine, and most of which aren’t.

I expected to find entries that weren’t me: I know there are a lot of Robert Slades on the net.  But it’s a bit weird to find out that there is a domain about me that I didn’t know about.
I also found the church I’m buried in, so currently I’m not feeling too great …


Wordpress: we are protecting your blog

As the Wordpress team scramble around trying to resolve the latest set of security issues, and doing all the wrong things like giving their users a 14-step process for upgrading, the following jewel came up:

4. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release an update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.

This is funny on so many levels.
(HT: Jericho, AKA security curmudgeon)


How to spot the next big thing that spots next big things

A new company is telling everyone which new companies are worth investing in.  Is this something we should get into?

http://news.bbc.co.uk/go/em/-/2/hi/technology/7900463.stm

“The software measures the “buzz” surrounding a company via blogs and media reports along with a variety of factors including website traffic.”

We should all blog and Twitter about this.

Then we should all blog about how blogging is so last year.


Is Your Son a Computer Hacker?

This would be hilarious, except for the fact that I think the guy who wrote it (some years back, but still) was serious.

I don’t know if that makes it more funny, or less …

Even the domain name is funny, as in “delusions of adequacy” …


Everything new is old again - virtualization

Virtually everyone has probably heard the “new” term “virtualization.”  That’s because virtually every vendor has jumped on the virtualization bandwagon.  Virtually anything can be virtualized, it seems.

Also, virtually nobody can agree on what virtualization really means.  Virtualization seems to be a conflation of two old ideas: virtual machines (what do you think VM and VMS stood for?), and distributed computing.  (Which is now being sold as “cloud computing,” an amazingly cloudy concept that’ll be the subject of another post.)

We used virtual machines a lot in the old days, and they were great for security.  We used them as goat or bait machines for viruses.  Very secure way to protect yourself when dealing with dangerous software.

Of course nowadays they use virtualization in some virtually explosive ways.  Like putting your Kerberos KDC on the same physical box as your Web server …


Bill Gates on linkedin

I wonder why it took so long.

thanks for the invitation, bill!

He even has 2 nice recommendations. Quite an effort was put on his profile:

86 people couldn't resist accepting. Me makes 87...

And it’s only the contact information that tells the sad story. Note how many variations of ‘bill gates’ must already have been taken in gmail, since the pranksters had to use this one:

Bill using gmail? Figures.


Security seal? sure have one, don’t bother testing or anything

GoDaddy has decided to start giving away security seals to web sites. What is this security seal about? Well, it doesn’t say much besides telling you that GoDaddy verified something - what did they verify? It doesn’t say.

How does it work?

You are supposed to put a script tag inside your site, with the source reference of https://seal.godaddy.com/getSeal?sealID=[removed]

This generates HTML code that contains references to:

https://seal.godaddy.com:443/flash/sitesealgd_t_medium.swf?domainName=www.putyournamehere.com&color=000000

Changing the www.putyournamehere.com to www.re-electbush.com, www.mcainwon.com or even obamaisournewleader.com will show that you have been verified by GoDaddy - yeah!

Try it out yourself and see how you can get a godaddy seal with no effort - joy to the world :)
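As an added illustration (this is not GoDaddy's code), here is how a seal endpoint can bind the rendered seal to the domain registered for the seal ID instead of echoing whatever domainName the caller puts in the query string; the registry, seal ID and hostnames are constructed sample values.

```python
# Added example, not GoDaddy's implementation: a seal endpoint that looks the
# domain up by seal ID rather than trusting a caller-supplied domainName.
from urllib.parse import quote

# Constructed sample registry: seal ID -> the domain GoDaddy actually verified.
SEAL_REGISTRY = {
    "seal-0001": "www.putyournamehere.com",
}

SWF_PATH = "/flash/sitesealgd_t_medium.swf"


def render_seal_weak(seal_id, domain_name):
    """Weak pattern described in the post: any domainName passed in the
    query string is rendered as 'verified' as long as the seal ID exists."""
    if seal_id not in SEAL_REGISTRY:
        return None
    return f'<object data="{SWF_PATH}?domainName={quote(domain_name, safe="")}"></object>'


def registered_domain_for(seal_id):
    """The click-through verification page should display this value, never
    a parameter taken from the embedding page."""
    return SEAL_REGISTRY.get(seal_id)


def render_seal(seal_id, referer_host=None):
    """Hardened: the domain shown comes from the registry only. The optional
    Referer host check is defence in depth (Referer can be absent or altered,
    so it is advisory); the binding that matters is seal ID -> registered domain."""
    registered = registered_domain_for(seal_id)
    if registered is None:
        return None
    if referer_host is not None and referer_host.lower() != registered.lower():
        # Someone else's page is trying to embed this seal: refuse to render it.
        return None
    return f'<object data="{SWF_PATH}?domainName={quote(registered, safe="")}"></object>'
```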


Plan B

The Daily WTF has a good story that may sound a little too familiar to some:

How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker’s fix:
#!/usr/bin/python
# Paying someone $10 to pull a power cord for $3500
print("(C) [Name Removed] 2008.")

The moral of the story: when all else fails, use social engineering.


List of April Fool’s Day 2008 links can be found here

SANS ISC has collected a very comprehensive list of April Fool’s Day stories.

It can be found here:

isc.sans.org/diary.html?storyid=4225

My own favorite is Gmail’s new Custom Time feature ;)


Why coding after a long drinking night is not a good idea

I’d love to hear the background story behind this one:

[CiscoWorks IPM] version 2.6 for Solaris and Windows contains a process that causes a command shell to automatically be bound to a randomly selected TCP port.

Why on earth? And why a random port?

And if you’re still wondering, yes - it’s a remote root shell with no authentication

Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems.

Cisco is being cruel and only disclosing the technical info. Come on, Cisco, share the juicy parts! We want Full Disclosure!


A Jew in a German Camp

I just wrote an OT post to my personal blog about the CCC Camp, but I figured it was a security camp after all, so I will link to myself here:

http://gevron.livejournal.com/8859.html


Foxnews to become wikinews?

Foxnews.com has taken an unexpected turn and become an open wiki site. For more info see http://linuxinit.net/site/?id=664. Summary:

While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it’s a shell script, and I use Linux, I took a peek. Inside, is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox’s part. And seriously, what kind of password is T1me Out. This is just pathetic.

http://www.foxnews.com/admin/xml_parser/zdnet/grab_zd_files.sh

And here’s something just too funny, something I hope will turn up on xkcd.com

Raptor porn

(originally located at http://www.foxnews.com/images/root_images/071907_velociraptor1.jpg, this is a mirrored copy)


Genius Twist on Nigerian Scams

1. Phish a hotmail account.
2. Send email from the stolen account to all the friends listed for the person, saying you are stuck in Nigeria and are in an emergency, asking your friends for money to be wired.

http://www.rediff.com///news/2007/jul/16tps.htm

Hilarious!
(thanks Suresh)

Gadi Evron,
ge@linuxbox.org.


Vulnerability Scanner