Monday, September 29, 2008

Clickjacking (Maybe? Sort of?) Speculation

Late last week, I wrote a couple blog posts speculating about RSnake and Jeremiah Grossman's canceled OWASP talk. After a couple thousand page views, I figure I ought to mention it here. The first post is about evading pop-up blockers through click trickery, the second is a postulation of what the "Clickjacking" problem really is.

To put it simply, human eyeballs don't adhere to the same-origin policy.

I've been spending the morning experimenting some more, and I'm pretty certain now that these techniques can be used to create some pretty convincing phishing sites.

At any rate, it would appear that sites can protect themselves with a frame busting snippet on every page with remotely useful forms. Requiring code like this duplicated all over the place sucks, of course. Practically, though, it's not a whole lot different from the ubiquitous browser detection snippets that litter the Internet.
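A frame busting snippet of the sort referred to above, written here as an added example (it is not the post author's code). The window and document objects are passed in as parameters, an assumption made so the decision logic can be exercised outside a browser:

```javascript
// Added example (not the post author's code): a defensive frame-busting snippet.
// It assumes the page is hidden by an inline <style>html{display:none}</style>
// placed before this script, so that if the break-out navigation below does not
// happen, the framed page stays blank instead of being usable under an overlay.

// True when `win` is not the top-most browsing context, i.e. the page is framed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Some browsers throw on cross-origin access; a throw still means framed.
    return true;
  }
}

// Break out of the frame, or reveal the page when it is the top-level document.
// Returns what it decided so the behaviour can be checked without a browser.
function bustFrame(win, doc) {
  if (isFramed(win)) {
    // Navigate the top-level window to our own URL, replacing the framing page.
    win.top.location.href = win.self.location.href;
    return 'busted';
  }
  // Not framed: undo the default display:none and show the page.
  doc.documentElement.style.display = 'block';
  return 'shown';
}

// In a real page the snippet runs against the real globals.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  bustFrame(window, document);
}
```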


Thursday, September 18, 2008

Palin E-Mail: It's the Paris Hilton Hack

I'm sure I'm not the first to mention this, but according to the Wired story, Sarah Palin's recent e-mail compromise was a result of the Paris Hilton Hack. How does it work?

a) Pick a famous person's data store. T-Mobile account, Yahoo mail account, whatever.
b) Perform a password reset. This will often trigger the data store's authentication mechanism to "fail stupid".
c) If the famous person played by the rules, you will be presented with a series of questions with nonsecret answers.

For Paris Hilton, it was her dog's name (Tinkerbell). For Governor Palin, it was where she met her spouse (Wasilla High).

Note to famous people: Your username is, in fact, your password as well. So keep that secret. Unless you lie on the password reset questions -- which effectively creates alternate passwords for you. You should fill out Yahoo's general security form to get your nonsecret answer changed. Note, this is a huge hassle at most places, unless it's another fail-stupid mechanism, in which case, other people may just do it for you. Shrug, use it and find out.

Personally, I usually use nonsense answers for the secret questions on my various web-based data repositories. I just live with the knowledge that if I forget my main password, I'm pretty much screwed for the follow up passwords.


Friday, September 12, 2008

PacketFu on Windows

Barely a week after I presented PacketFu, I got an idle question about PacketFu's usefulness on Windows.

Last night, while I was waiting for my brother and his family to drive up from Houston ahead of the Hurricane, I got to messing around with compiling PcapRub on Microsoft Vista and Windows XP. Much to my amazement, my goofy hacks worked. The rest of PacketFu is pure Ruby without C extensions or anything, so cross-platform love is already baked in there.

So, the latest revision of PacketFu seems to work fine on XP (I haven't tested the Vista machine yet). It works so well, in fact, that I duplicated the climax of my Lone Star RubyConf talk in the form of a Flash movie (link downloads the FLV, it's not embedded or anything).

How many other packet libraries have screencasts a week after they're built? ZERO, that's how many!


Saturday, September 06, 2008

PacketFu

Today, I presented PacketFu at Lone Star Ruby Conf. I'm pretty pleased with it, although the guts are quite horrible still. Now that it's in a demo-able state, time to refactor everything and make it maintainable.

I'm sure the rest of LSRC was great... but I'm not a web app developer or a Rails nerd, so I couldn't really tell. Most of the time I was talking to people who were getting kind of sick with the whole Rails paradigm.

Expect a more detailed blog post at my employer's blog about my adventures with PacketFu.