Saturday, October 28, 2006

German XSS Madness

Thanks to the EOF Projekt for their drive-by list of European banks vulnerable to cross-site scripting -- specifically IFRAME insertion attacks.

I still maintain that live XSS phishing attacks are rare in the real world -- they're not very repeatable, and depend on a weakness in the target bank's infrastructure -- but well-documented failures in web site design certainly aren't helping.

Friday, October 27, 2006

Oracle's daring "Kick Me!" marketing campaign

This morning, a visit to Oracle's front page delivered a word now synonymous with security geek sardonic cynicism: "Unbreakable." Yep, it's back -- this time with Oracle's branded enterprise Linux support.

The first time Oracle unveiled its "Unbreakable" campaign, it didn't take too long for the esteemed Litchfields (among others) to uncover serious security flaws in Oracle 9i.

So, the race to Oracle Linux 0day is on, I guess. My money's on remote 0wnage by Halloween.

Myspace phishing in practice

So, yes, this is about the twentieth post here about Myspace: Netcraft is reporting a sighting of a Myspace phishing page.

Now, this is a more old-school definition of phishing -- after all, this is merely a user/pass collection scheme, rather than a financial attack. And does it really matter if your Myspace account is hijacked?

Well, probably -- it's not too much of a stretch to believe that if a victim is on Myspace, he shares a user/pass between that and his e-mail, and if he does any sort of business online, you can bet that he shares a password with that service, too. Or, at the very least, the attacker can hit a button that says "I forgot my password" and get a reset notification sent to his victim's compromised e-mail account.

Oh, and as of this writing, the fake login page is still up. I'm sure Myspace has a reason why takedown is lagging so far behind the report. Check it out. If you have a Myspace account, um, don't log in.

Friday, October 13, 2006

Click "Approve" To Ruin Your Computer

I maintain a Myspace account, mostly because I'm a pathetic wannabe-teenager loser, partly because I think Myspace is an important cultural artifact that Internet security people should pay attention to.

Like anyone else, I get my share of Myspace spam invites, which I tend to investigate since they often have cool Flash tricks to seize control of (my VM-sandboxed) browser and make it do dumb things.

But today, I was just struck by this sentiment, posted in the "Comments" section of said spammer's profile page (her, okay, his).



Why go through all the technical trickery if a sizable fraction of Myspacers will click on basically any button you ask?

Bottom line is, Myspacers (and the associated demographic of kids who've grown up on the Internet) have basically no fear at all, of anything.

Monday, October 09, 2006

Monkeyspaw Press

Today, Tippingpoint issued a press release describing Monkeyspaw, my Greasemonkey web forensics tool. My favorite article title so far is easily DarkReading's Monkeyspaw Grabs Phishers. This close to Halloween, it's a suitably creepy mental image.

For my tiny personal userscript library, go here.

Wednesday, October 04, 2006

Two locks must be extra secure

Here is a screen shot of a popular online financial institution. It's a little bit wide, because I wanted to ensure that you could see the entire location bar.

Take a look. Notice that this site boasts not just one "secure lock" icon, but two! This login form must be extra secure!

Not much else to say on this, but it drives me nuts that the login forms presented by financial institutions are not served over SSL -- and this site isn't the only one. In this day and age, it's not prohibitively expensive to just shunt everyone over to SSL when they're supposedly performing secure transactions.
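The failure described above can be checked mechanically. As an added example that is not from the original post, here is a small stdlib-only Python scanner that parses a page for forms containing a password field and reports any that were delivered over plain HTTP or post to a plain-HTTP action; the page URL and HTML below are constructed samples, and lock images on the page are deliberately ignored.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginFormScanner(HTMLParser):
    """Collect every <form> that holds a password field, with its resolved action URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []  # [(action_url, has_password_field)]
        self._action, self._has_password = None, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or relative action posts back to the page's own origin.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None

def find_insecure_login_forms(page_url, html):
    """Return (reason, action_url) per password form whose page was not fetched over HTTPS
    (the form could be rewritten in transit) or whose action is not HTTPS (password in the clear)."""
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        if not page_https:
            findings.append(("login form delivered over plain HTTP", action))
        elif urlparse(action).scheme != "https":
            findings.append(("login form posts credentials over plain HTTP", action))
    return findings

# Constructed sample: a plain-HTTP page with two lock images whose login form posts
# to HTTPS. The password is encrypted, but the form itself arrived unauthenticated.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<img src="lock.gif"><img src="lock.gif">
<form action="https://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass"></form><form action="/search"><input name="q"></form>"""
```

The sample is flagged even though it posts to HTTPS, because a login form fetched over plain HTTP can be replaced before the user ever sees it; the search form has no password field and is skipped.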

Monday, October 02, 2006

Online gambling nearly illegal in the U.S.

Over the weekend, while everyone was tittering over salacious e-mails, the US House of Representatives voted to pass HR 4411: "Internet Gambling Prohibition and Enforcement Act."

It may be hyperbole, but this, I believe, will make it basically impossible to effectively track the real bad guys when thousands and thousands of Americans start to dabble in amateur money laundering to escape this stupid law.

This is the letter I just sent to my representative:

Mr. McCaul --

I'm writing to you today to express my disappointment in your vote for HR 4411, "Internet Gambling Prohibition and Enforcement Act." You, along with your fellow Representatives who voted in the affirmative, have basically handed criminal organizations a golden ticket to a massive money laundering enterprise. By forcing otherwise "innocent" online gambling funds into the same black market channels as those funds directed towards international child exploitation, terrorism, and drug trafficking, you have made it that much more difficult to track, catch, and convict those people who are truly doing harm to Americans here and abroad.

This has been a massive mistake, and I think you know that -- otherwise you would not have passed this legislation on a weekend.

Shameful.

Your regretful and Republican constituent --

Tod Beardsley
Election Judge for Travis County, TX