18 posts from January 2012
January 30, 2012
 Facebook Bug Hunting

BusinessWeek is running a great article on bug hunting by companies such as Facebook, Google and more.  One of the featured bug hunters is Imperva's Tal Be'ery.  Here's Tal's account of finding that particular problem with Facebook and how it was reported.

On the 29th of July, Imperva's ADC team was exploring the login mechanisms of several prominent web applications including Facebook.

We were hoping to learn about the adoption of advanced security mechanisms, but you can imagine how surprised we were when we found out that Facebook's registration process was performed over HTTP with no encryption at all – leaving all the registration details including the password exposed for an eavesdropper.


For the sake of brevity, some irrelevant HTTP headers were removed, but here is the relevant part of the POST parameters:


This was a violation of Facebook's current privacy policy:

We keep your account information on a secured server behind a firewall. When you enter sensitive information (such as credit card numbers and passwords), we encrypt that information using secure socket layer technology (SSL).

Moreover, it was a risk to the privacy of Facebook's user base, about 500M at that time.

After we made sure that the violation was indeed valid and not an artifact of our testing environment, we reported the issue to Facebook.  They acknowledged the security vulnerability and fixed it by August 15th.
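The check Tal describes, a registration form that submits a password over plain HTTP, is easy to automate against any page you can fetch. The following script is an added example (it is not Imperva's tooling and not code from the article): it parses every form on a page, resolves the form's action against the page URL, and reports any form that would send a password-type or other secret-named field to a non-HTTPS URL. The sensitive field names, the sample page URL and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names assumed to carry secrets (assumption for this example).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "pass", "card_number", "cc_number"}


class _FormCollector(HTMLParser):
    """Collects every <form> on a page with its resolved action URL and inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # An empty action posts back to the page itself; a relative action
            # inherits the page's scheme, so an http:// page stays plaintext.
            self._open = {
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": a.get("method", "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(
                (a.get("name", "").lower(), a.get("type", "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None


def plaintext_credential_forms(page_url, page_html):
    """Return the forms that would submit a secret field to a non-HTTPS URL."""
    parser = _FormCollector(page_url)
    parser.feed(page_html)
    parser.close()
    findings = []
    for form in parser.forms:
        secret_fields = [n for n, t in form["inputs"] if t == "password" or n in SENSITIVE_NAMES]
        if secret_fields and urlsplit(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "method": form["method"], "fields": secret_fields})
    return findings


# Constructed sample: an HTTPS page whose registration form posts to plain HTTP,
# next to a login form that correctly posts to HTTPS and a harmless search form.
SAMPLE_PAGE_URL = "https://www.example.test/"
SAMPLE_HTML = """
<form action="http://www.example.test/r.php" method="post">
  <input name="firstname" type="text">
  <input name="reg_email" type="text">
  <input name="reg_passwd" type="password">
</form>
<form action="https://login.example.test/login.php" method="post">
  <input name="email" type="text">
  <input name="pass" type="password">
</form>
<form action="/search" method="get">
  <input name="q" type="text">
</form>
"""

if __name__ == "__main__":
    for finding in plaintext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['method'].upper()} {finding['action']} sends {finding['fields']} in the clear")
```

Two caveats a practitioner should keep in mind: the check is static, so a script that rewrites the form's action at submit time is not seen, and a page that is itself served over HTTP can be altered in transit, so the HTTPS and HTTP versions of the page should both be audited.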


January 28, 2012
 Massive Virus Hits Android

According to this article:

a bug by the name of Android.Counterclank has infected between 1 million and 5 million Android users as of this afternoon. 

This incident points out the problem of having a decentralized distribution system.  In other words, anyone can disseminate Android applications anywhere--including virus writers.  Without a middleman to ensure consumers can trust the applications being downloaded, expect these types of incidents to grow and continue.  In March 2011, IDC predicted that “Android is poised to take over as the leading Smartphone operating system in 2011 after racing into the number 2 position in 2010.”  Not surprisingly, hackers follow consumers.

By contrast, Apple's centralized iTunes model is proving more secure.  Certainly, there have been incidents, like this iTunes hack, but they aren't commonplace.  Both BlackBerry and Microsoft adhere to a centralized model as well.

Google may need to rethink their distribution model for apps for two reasons:

  1. If Android users are forced to install AV while their Apple, Microsoft and BlackBerry friends are just paying for games, it will make for quite a market contrast.
  2. If enterprise users experience problems, IT departments may decide to walk away from Android.



January 27, 2012
 How Time Warner Profits from Anonymous

This is entertaining.  The gist:

[Anonymous'] disguise is earning big bucks for a major media conglomerate. Warner Brothers, the Time Warner subsidiary who produced the movie, owns the rights to the Guy Fawkes mask – and they earn royalties on every sale. (Obligatory disclaimer: Time Warner is also TIME’s parent company, so in an extremely roundabout way, we’re also profiting from this.) While Time Warner hasn’t released any data related to their earnings from the masks, it’s safe to say that the hundreds of thousands of Guy Fawkes masks sold each year helps to bring sure profit to the company.


January 26, 2012
 Anatomy of Business Logic Attacks

Today we published our second Web Application Attack Report (WAAR).  The full version is available here (no reg required).

In the last report we described the most common attacks against applications, which included SQL injection, Local File Inclusion, Cross Site Scripting and Directory Traversal.  This time we added Business Logic Attacks.  Here's an excerpt from our WAAR detailing the nature of the attack.

Business Logic Attacks
A Business Logic Attack (BLA) is an attack which targets the logic of a business application. “Traditional” technical application attacks contain malformed requests. On the other hand, business logic attacks include legitimate input values. This lack of unusual content attributes makes a business logic attack difficult to detect. BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation, where botnets are used to challenge the business application.

BLAs follow a legitimate flow of interaction of a user with the application. This interaction is guided by an understanding of how specific sequences of operations affect the application’s functionality. Therefore, the abuser can lead the application to reveal private information for harvesting, allocate her a disproportionate amount of shared resources, skew information shared with other users, etc. The motivation for BLAs is that the attacker can convert these effects to monetary gains.  We followed two types of BLAs:  email extraction and comment spamming.

Email Extraction
Email extraction (also called email scraping) is the practice of scanning web applications and extracting the email addresses and other personal contact information that appear in them. These emails are then used for promotional campaigns and similar marketing purposes. Email extraction is one of several activities that harvest data from web applications against the intent of the data owners and the applications’ administrators.

On average there were 20,000 such attacks each month, but there was clearly a peak of activity during September-October and much lower activity during other months:

Email extraction is a “grey area” practice: attackers earn easy money by selling information extracted illegitimately from web applications. The attack does not exploit vulnerabilities in the application. Rather, the data is extracted by automatically scanning the targeted application while imitating a user’s browsing activity. To speed up the attack and avoid blacklisting, several scans are run concurrently using web proxies.

Email extraction is offered on the web both as an online service (i.e., “pay on delivery”) and as a software tool for download. The notorious “Beijing Express Email Address Extractor”, a software tool freely available on the web, was responsible for over 95% of the email extraction activity we identified. Usage of the commercial software Advance Email Extractor was also seen in the traffic.  This is the Beijing Express Email Address Extractor:


Hosts that sent email extraction traffic to the observed application had very unusual geographic locations: of the 9826 hosts, 3299 (34%) were from Senegal and 2382 (24%) were from Ivory Coast. Other unusual countries (Thailand, Malaysia, Ghana and Nigeria) were also prominent in the list of the attacks’ geographic sources. Attackers are evidently hiding their tracks by employing remote, and perhaps less monitored, hosts for this attack type.

Comment Spamming
Comment spamming is a way to manipulate the ranking of the spammer’s web site within search results returned by popular search engines. A high ranking increases the number of potential visitors and paying customers of this site. The attack targets web applications that let visitors submit content that contains hyperlinks: the attacker automatically posts random comments or promotions of commercial services to publicly accessible online forums, which contain links to the promoted site. 

Comment spamming is based on automatic tools that masquerade as a human that surfs the web, but with a “hidden agenda” of leaving traces of good feedback (in various forms) to promoted sites. The observations from the last 6 months show a long term trend of growth in traffic related to comment spam. It should be emphasized that not all of this traffic contains the actual spam – the automatic tools must interact with the application like a user (for example, find a forum for posting data, register as a user, login and find a popular thread for posting the spam) before actually injecting the spam link into the site.  The volume of traffic associated with comment spamming is:


We have observed several variants of comment spamming within the monitored traffic. For example:

  • The spammer posted comments to an application’s web forum. In some of these posts the Referer HTTP header was the URL of a Facebook page promoting specific prescription drugs. This URL would show up in the spammed site’s logs, increasing the ranking of the promoted site in search engine results. (See picture below).
  • The spammer promoted the reputation-based ranking of specific answers in a discussion forum. In this application, experts answer questions posted by users. Answers and experts are ranked and displayed based on users’ feedback (e.g. based on correctness and usefulness). By artificially increasing the good reputation of specific answers, this promoted content becomes more visible.


An unusual attribute of the observed comment spamming attacks is the geographic location of the involved hosts: hosts from the Russian Federation, Ukraine, Latvia and Poland were very active in this sort of attack. We note that this phenomenon was also detected by other researchers through other means.

Comment spamming can be tricky to identify, since a large part of the spammer’s traffic looks no different from the traffic generated by an innocent user. Good indications of potential malicious activity of this kind are blacklists of User-Agent values and hosts’ IPs, based on activity observed in many applications. Generic indications of automated attacks, like a high rate of requests and missing HTTP headers that are normally sent by browsers, are relevant as well.

One of the mechanisms used by applications to defend against comment spammers is CAPTCHA challenges, which require the user to visually identify a specific text within a non-trivial image. We have observed attempts by automatic tools to answer these challenges, probably using a predefined pool of responses to challenges. Even if these attempts are mostly unsuccessful, with enough retries the automatic spamming tool has a chance to eventually get the answer right and complete its spamming task.
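The report lists the signals that separate both BLA variants from a real visitor: request rate, headers a browser always sends but a tool often omits, User-Agent blacklists, a long run of distinct profile pages for email harvesting, and comment posts arriving with an off-site Referer for comment spam. The script below is an added example (not Imperva's detection logic and not code from the report) that scores each client IP in a batch of access-log lines on exactly those signals. The log format, the User-Agent blacklist, the comment endpoints, the site origin and the sample traffic are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any server's default format):
# <ISO timestamp> <client ip> <method> <path> <status> "<user-agent>" "<referer>" "<accept-language>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)" "([^"]*)"$')

# Assumed User-Agent blacklist (lower-case substrings); a real one is built from
# tool signatures observed across many applications.
UA_BLACKLIST = ("emailextractor", "email extractor", "python-urllib", "curl/")
COMMENT_ENDPOINTS = ("/forum/post", "/comment")      # assumed comment-posting paths
SITE_ORIGIN = "https://forum.example.test/"          # assumed own origin for Referer checks


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, method, path, status, ua, referer, lang = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua, "referer": referer, "lang": lang}


def peak_requests(reqs, window):
    """Largest number of requests (sorted by time) that fall inside any sliding window."""
    peak, j = 0, 0
    for i in range(len(reqs)):
        while reqs[i]["ts"] - reqs[j]["ts"] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def profile_clients(lines, window=timedelta(seconds=10), rate_threshold=20):
    """Map client IP -> list of reasons its traffic looks like an automated BLA client."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            r = parse_line(line)
            by_ip[r["ip"]].append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        peak = peak_requests(reqs, window)
        if peak >= rate_threshold:
            reasons.append(f"{peak} requests within {window.seconds}s")
        if all(not r["lang"] for r in reqs):
            reasons.append("never sends Accept-Language")
        if any(b in r["ua"].lower() for r in reqs for b in UA_BLACKLIST):
            reasons.append("blacklisted User-Agent")
        # Harvesting signature: a long run of requests, nearly all to distinct profile pages.
        profiles = [r["path"] for r in reqs if r["path"].startswith("/profile/")]
        if len(profiles) >= 10 and len(set(profiles)) / len(profiles) > 0.9:
            reasons.append("sequential profile harvesting")
        # Comment-spam signature: posts to comment endpoints arriving with an off-site Referer.
        spam_posts = [r for r in reqs if r["method"] == "POST"
                      and r["path"].startswith(COMMENT_ENDPOINTS)
                      and r["referer"] and not r["referer"].startswith(SITE_ORIGIN)]
        if spam_posts:
            reasons.append(f"{len(spam_posts)} comment POSTs with off-site Referer")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ts, ip, method, path, ua, referer="", lang="en-US"):
    return f'{ts.isoformat()} {ip} {method} {path} 200 "{ua}" "{referer}" "{lang}"'


def sample_log():
    """Constructed traffic: one email harvester, one comment spammer, one ordinary visitor."""
    base = datetime(2012, 1, 26, 12, 0, 0)
    browser = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/9.0"
    lines = []
    for i in range(30):   # 30 distinct profiles in 6 s, no Accept-Language, tool UA (constructed)
        lines.append(_line(base + timedelta(milliseconds=200 * i), "203.0.113.10", "GET",
                           f"/profile/{1000 + i}", "EmailExtractor/1.0", lang=""))
    for i in range(5):    # human-paced POSTs whose Referer is a promoted off-site page
        lines.append(_line(base + timedelta(seconds=60 * i), "198.51.100.7", "POST",
                           "/forum/post", browser, referer="http://pills.example.net/promo"))
    for i, path in enumerate(["/", "/forum/thread/42", "/profile/1003", "/forum/thread/42"]):
        lines.append(_line(base + timedelta(seconds=15 * i), "192.0.2.55", "GET",
                           path, browser, referer=SITE_ORIGIN))
    return lines


if __name__ == "__main__":
    for ip, reasons in profile_clients(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Note that the spammer in the sample is caught by the Referer signal alone: its rate and headers look human, which is the point the report makes about why blacklists and content-independent signals have to be combined. A harvester that spreads its scan across many proxies will also stay under any per-IP rate threshold, so the per-IP view should be complemented by the same scoring keyed on User-Agent or session, which the report's proxy observation implies.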


January 25, 2012
 Perspective on the EU Data Privacy Proposal

The EU has come out with a data protection proposal.

First, the good stuff:

  • The new EU privacy law takes a good step forward for privacy.  The ability to control and even delete individual data profiles is a needed move. 
  • Unifying laws across the member EU states makes sense.

However, the proposal doesn’t do enough to protect data.  Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders.  Such approaches have not met with success in the past.  Why?  Fines enable companies to game the system. They can risk a breach without having put in place the basic elements of cyber defense. 

Rather, the EU should put in place fines coupled with a more prescriptive approach, working with industries to identify specific actions firms should take to protect data.  The payment card industry, PCI, adopted this approach through self regulation and has managed to lock down data better than any regulation in existence today.  This prescriptive method makes gaming the system much tougher.  More importantly, by involving the industries and not just spanking them, private enterprise has real skin in the game.



January 24, 2012
 Anonymous Takes Down Brazilian Websites

Yesterday we mentioned that the Polish government experienced numerous DDoS attacks.  Today, it is Brazil's turn.


This pastebin site shows that several Brazilian government sites were brought down: 

Here's an image of a downed Brazilian government site:

All in all, many websites were taken down. The fact that most of them are up again indicates that this was not the most sophisticated attack. However, the speed and power of the DDoS attacks is something to worry about.  

LOIC downloads in Brazil were high, but not compared to the US, Poland or France. It seems these attacks were propagated mostly through websites which enabled DDoS attacks.



 Wikileaks and SharePoint

Bradley Manning is on trial.  For some reason, we didn't find this Wired article linking Manning's document download spree with SharePoint until now.  Here are the key passages:

Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” in which he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.

Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.


January 23, 2012
 LOIC Downloads Slowing

Our blog last week caught an early snapshot of LOIC downloads being used to DDoS various websites.

Today, the download picture has changed.  Year to date, there were 90,000+ downloads with a peak of 33,007 on the 20th of January.  Today, downloads are trending back to pre-campaign levels:


And downloads by country haven't changed in any dramatic fashion.  The US is still the lead nation, followed by France and Brazil.  The only big change is that Poland moved up quite a bit:


The increase in Polish downloads is likely due to an attack on Polish government websites which has been reported in Polish and German press.



January 20, 2012
 Anonymous Campaign: Meet the New DDoS, Same as the Old DDoS

Once again, Anonymous is using the Low Orbit Ion Cannon (LOIC) to DDoS websites.  This tool was developed by white hat hackers to stress test websites.

Not surprisingly, the tool they are using is exactly the same one used for Operation Payback which took place about a year ago.

Looking at the LOIC downloads so far this year, it's clear there has been a sudden, sharp increase in the past few days which coincides with the latest Anonymous campaign:


And the top country downloading the attack tool?  The US, though not with a huge lead.  France and Brazil are not far behind:


(NOTE:  These above numbers are current as of 8:30ish AM PST.  The stats will change.)

In addition to the version of LOIC that is downloaded and used locally, several websites have been developed that automatically DDoS simply by loading them.  Here is one example:


Typically, these sites use a JavaScript loop that keeps issuing requests to the target for as long as the page stays open, so every visitor becomes a participant without installing anything.


 IE Bug Redux

PC World covered Tal Be'ery's discovery of an IE flaw.  Interestingly, the article features an argument that the issue isn't a bug after all.  Tal's response:

Apps should definitely not trust client’s input and sending it back unsanitized in the response is a security vulnerability. The relevant real world question is whether or not this vulnerability is exploitable.

In the case of the reflected XSS, the attacker cannot control the encoding of the URL. Therefore, for the example specified in the blog entry, had IE implemented the URL encoding according to the RFC (as Chrome and Firefox do) the vulnerability would not be exploitable.

Even if XSS is caused by poorly written apps, the browser made it their business to protect against it. In fact, Microsoft takes pride in their XSS filter. Implementing a fancy filter on one hand, and then helping XSS attackers by being noncompliant with proper security standards on the other, is like having a fancy shield and then shooting yourself in the foot.
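Tal's argument has two halves: the application is at fault for reflecting input unsanitized, and the browser's URL encoding decides whether that fault is reachable. The following is an added example (not Tal's code and not from the PC World article) that models both. It compares a browser that percent-encodes the query string per RFC 3986 with one that, as assumed here for the non-compliant case, sends it verbatim, and runs each resulting request target through a deliberately vulnerable reflecting handler and its fixed counterpart. The `/search` path, the `q` parameter and the handlers are constructed for the example.

```python
import html
from urllib.parse import quote

# RFC 3986 query production: pchar / "/" / "?", where pchar is unreserved, pct-encoded,
# sub-delims, ":" or "@". Everything else ('<', '>', '"', space, ...) must be percent-encoded.
QUERY_SAFE = "/?:@!$&'()*+,;="


def encode_query_rfc3986(query):
    """Browser behaviour that follows the RFC: encode characters outside the query production."""
    return quote(query, safe=QUERY_SAFE)


def encode_query_verbatim(query):
    """Assumed behaviour of the non-compliant browser: send the query string as typed."""
    return query


def request_target(path, query, encoder):
    return f"{path}?{encoder(query)}"


def reflect_unsanitized(target):
    """Deliberately vulnerable handler: echoes the raw request target into HTML."""
    return f"<p>No results for {target}</p>"


def reflect_escaped(target):
    """Server-side fix: HTML-escape anything taken from the request before reflecting it."""
    return f"<p>No results for {html.escape(target, quote=True)}</p>"


PAYLOAD = "q=<script>alert(1)</script>"


def script_injected(page):
    """True when the reflected payload survived as live markup."""
    return "<script>" in page


def exploitability_matrix(payload=PAYLOAD):
    """For each browser encoding: the request target sent, and whether the payload becomes
    live markup in the vulnerable application and in the fixed one."""
    matrix = {}
    for name, enc in (("rfc3986", encode_query_rfc3986), ("verbatim", encode_query_verbatim)):
        target = request_target("/search", payload, enc)
        matrix[name] = {
            "target": target,
            "vulnerable_app": script_injected(reflect_unsanitized(target)),
            "fixed_app": script_injected(reflect_escaped(target)),
        }
    return matrix


if __name__ == "__main__":
    for name, row in exploitability_matrix().items():
        print(f"{name:9} {row['target']}")
        print(f"          vulnerable app exploitable: {row['vulnerable_app']}, fixed app: {row['fixed_app']}")
```

The compliant encoding neutralizes this particular payload because `<` and `>` are outside the query production, but the RFC keeps `'`, `(` and `)` in the clear, so a payload that breaks out of a single-quoted attribute survives even a compliant browser. That is why the escaping in `reflect_escaped` is the fix and the browser's encoding is only a narrowing of exploitability, which is Tal's first point.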


