Tuesday, September 26, 2006

VML exploit pushes SANS to "yellow alert"

Unlike some color-coded organizations, SANS Internet Storm Center doesn't tend to shift their color ratings of prevailing threats very often. But yesterday, the VML exploit pushed ISC up to yellow. Microsoft is hinting they'll be releasing a patch Real Soon Now. WebSense has a cute video available of a live VML attack which results in a Paypal (and everything else, really) keystroke logger getting silently installed. Metasploit now has a working VML exploit module, and for the first time, there's a well-publicized third-party patch available for IE within a day or two of public disclosure.

All in all, a pretty exciting vulnerability. It's not quite the big one -- yet -- but enough to keep us busy.

Tuesday, September 19, 2006

Second "new" IE attack in a week

ISC's story is the most complete reference at the moment on the VML exploit spotted in the wild.

I will be curious to see if the events of this week will cause a shift in the market percentages among browsers. I'm more curious to find a reliable and unbiased source of such statistics -- the closest I can get is Wikipedia. Nothing to sneeze at, surely, but there doesn't appear to be a clear leader in web usage stats, even today. Plus, I expect they're mostly going by User-Agent: fields, rather than testing specific JavaScript/DOM implementations.

Applying economic analysis to ID theft punishments

When I'm not trolling for security or tech news, lately I've been favoring academic economics blogs. In particular, I really enjoy The Becker Posner Blog.

Today, Prof. Becker and Judge Posner tackled a subject near and dear to my heart: Deterring Identity Theft. It's interesting and refreshing to read a judge's take on the problem of identity theft/fraud, not so much because of his position, but because he, and the majority of commenters, are non-security geeks.

Monday, September 18, 2006

Gmail Plus? Actually, it's fake

Over the weekend, an XSS report bubbled up on the Intarnets. Normally a "ho-hum" event, this one was pretty interesting because it detailed an attack involving google.com -- so it affects me, since I do pretty much all of my e-mail through google.com.

Though I'm not usually one to prognosticate, I am betting that the Next Big Attack will revolve around an XSS involving one or more webmail services. By XSS'ing Gmail, Hotmail, or YahooMail (or all three at the same time) in an automated way, you instantly get access to about a zillion qualified e-mail addresses, inboxes, and the means of replication.

However, while the initial outbreak will potentially be devastating, all of these individual nodes are under the control of one (or two or three) authorities. It shouldn't take too long for the web-mail providers to clamp down and fix the problem completely, so we won't be left with the vestiges of this worm for years after release.

Monday, September 11, 2006

TOR.de shut down

Caught this on digg today: Reports abound of German authorities seizing TOR exit nodes, since they've been associated with child pornography.

This is unsurprising; while I'm all for Internet privacy, I find the TOR model pretty flawed, since it all depends on the exit nodes acting in a trustworthy way. These flaws were discussed recently at AHA 0x0, where HD Moore described a system for de-anonymizing TOR.

In other words, TOR does, in fact, enable criminals to do bad things, but that's okay because it's quite feasible to trace individual TOR users at the exit point anyway.

Here's my cypherpunk tip: If you want to do Bad Things(tm) on the Internet, don't use your network to do it. Use the globally-accessible auto-anonymizing network at SSID:Linksys and a sub-500 dollar laptop which you will promptly throw in a dumpster after your Evil Deed(r).

Thursday, September 07, 2006

MyspaceIM Info Disclosure: Silently Fixed

TippingPoint (my employer) provides quite a few instant messenger filters as part of our IPS device, since some of our customers have fairly strict usage policies for their networks. These guys know that most IM networks are cleartext, get bounced off of third-party servers, can act as P2P file transfer clients, and basically open up all kinds of potential security problems.

So, the other day, I started taking a look at MyspaceIM, which is the newest major entrant in the IM space. And by "taking a look," I mean, "Googling," since my first step in nearly any task is to see if anyone else has already done my job for me.

Turns out, nobody's really looked at it, since most Google-able analyses start and end along the lines of, "It's port 1863, so it's like MSN Messenger." Of course, if you actually take a look at the traffic, you will notice immediately that it's pretty much completely unlike MSN Messenger, except for the port 1863 business. So I had to work after all. Rats!

The divergence from MSN starts with the initial handshake -- it's completely cleartext. No huge deal there, cryptophiliacs. After all, it's just MySpace, and who cares if there's no encryption. Most webmail these days is still cleartext (except Gmail, if you ask nicely). Not to mention the regular old MySpace web application, in which passwords are sent in the clear. So in itself, this is not all that exciting.

But there was one interesting effect of watching the traffic -- while I was messing around with the protocol, it turned out that the MyspaceIM servers returned different responses for "bad username" and "bad password," in a big, obvious way. This was something that the website doesn't do, and so it's interesting.

Combined with the fact that there was no throttling on how many login attempts are thrown at the MySpace servers (aside from normal Internet flakiness), I had myself a pretty effective (if silly) information disclosure attack.
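The two halves of the problem above (distinguishable "bad username" / "bad password" responses, plus no throttling on login attempts) side by side, as an added Python example that is not from the original post or from MySpace's code: a leaky login handler beside one that returns a single uniform error, does the same hashing work whether or not the user exists, and throttles repeated failures per source. The user database, password, window and attempt limit are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

# Constructed sample account store (not real MySpace data): user -> (salt, digest)
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so an unknown user costs the same hashing work as a known one
_DUMMY = (_SALT, _hash("dummy", _SALT))

def login_leaky(user, pw):
    """The behaviour described above: the error text tells the caller whether the account exists."""
    if user not in USERS:
        return "bad username"
    salt, digest = USERS[user]
    if not hmac.compare_digest(digest, _hash(pw, salt)):
        return "bad password"
    return "ok"

MAX_ATTEMPTS = 5     # constructed threshold: failures allowed per (source, user) in WINDOW
WINDOW = 300         # seconds
_attempts = {}       # (source, user) -> timestamps of recent failed attempts

def login_hardened(user, pw, source="127.0.0.1", now=None):
    """Uniform error text, constant work for unknown users, and per-source throttling."""
    now = time.time() if now is None else now
    key = (source, user)
    recent = [t for t in _attempts.get(key, []) if now - t < WINDOW]
    if len(recent) >= MAX_ATTEMPTS:
        _attempts[key] = recent
        return "too many attempts; try later"
    # Always run the hash so timing does not reveal whether the user exists
    salt, digest = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(digest, _hash(pw, salt))
    if user not in USERS or not match:
        recent.append(now)
        _attempts[key] = recent
        return "invalid username or password"
    _attempts.pop(key, None)
    return "ok"
```

The hardened handler still logs which branch failed server-side (a real deployment would); only the response to the client is made indistinguishable.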

At very nearly the same time, the AHA 0day Carnival was scheduled. So tickled was I with this discovery that I presented it there almost immediately after discovery. My slides, Myspace Account Enumeration, are available here. Of course, this meant that I had to report it to Myspace pretty much immediately, too.

By now, careful readers and grammar nazis will have noticed that I've been mixing my tenses in this narrative, sometimes using the past, and sometimes the present. There's a reason for that.

Turns out, if you report a vulnerability to MySpace, two things seem to happen: a) if it's easy, it gets fixed in under a week (as in this case), and b) they don't acknowledge receipt of the vuln, or tell you thanks, or anything. In other words, they fixed it, and now my slides are all wrong.

That's fine, of course, and ultimately the point of my reporting it. But part (b) hurt my feelings deeply, especially since I work pretty closely with people who make it their business to keep vulnerability researchers well-fed and well-loved. I guess I was naive, and thought everyone was as considerate, careful, and caring as the fine people at ZDI.

Part (b), of course, is a pretty dangerous practice, at least according to the RFPolicy.

One footnote to this story: Yes, you can do pretty much the same thing by merely trying to "Add" all your e-mail addresses as your MySpace friend. But this is annoying because you have to be logged in, deal with cookies and all that other HTTP cruft, and do it slow enough to avoid getting noticed by the anti-spam controls (assuming there are any). Someone else can tackle that.

Saturday, September 02, 2006

Browzar Unmasked

Yesterday, my wife sent me a link to Browzar, asking what I thought. After glancing over the purported feature list, I responded that Firefox has the same functionality (disable history, clear cookies, etc), and unless they're doing some fancy secure-delete, this isn't going to really offer anything that she doesn't already get.

But, more interestingly, she had heard of it. My wife isn't a bleeding edge Web 2.0 type -- I'd put her merely in the top one-third technically savvy users (she owns and manages her own domain, but doesn't read SlashDot). So, these Browzar people must have made something of a media splash to get her attention.

Turns out, though, none of these media outlets bothered to actually look at the product. This morning, TechCrunch reports that Browzar is little more than a well-promoted adware Browser Helper Object -- in other words, a shim that runs in Internet Explorer that just redirects your queries to known adware/link tracking sites.

Way to go, mainstream tech media. Thanks for the link!

Friday, September 01, 2006

AHA!

So there's another blog I'm involved in: AHA!. It's an Austin Hackers thing, and yesterday was the first meeting/microcon/event/thing that wasn't purely just screwing around and playing terrible poker.

It was probably the best security event I've been to in two years, since SummerCon.

Anyway, keep an eye on it, and if you're in Austin, feel free to drop by next time if you have something interesting you've been working on lately and you'd like to share and get feedback.