By Jake Edge
June 23, 2010
There are probably very few system administrators who haven't at least contemplated some kind of retribution against attackers. Some may have envisioned something physical—perhaps involving red-hot pokers—but it's likely that the majority considered extracting a payback via the same route they were attacked: the internet. A French company has taken that idea to its logical extreme by presenting thirteen "zero-day" exploits against tools used by attackers at the SyScan security conference, which was recently held in Singapore.
Many attackers use various applications—exploit packs and toolkits—that they install on the web sites they have compromised. These applications launch attacks against the web browsers of site visitors by probing for vulnerabilities, often in plugins like PDF or Java, and using those they find to compromise the visitor's machine. TEHTRI-Security investigated several of these applications and found exploitable vulnerabilities in half a dozen of them. Unlike what it might have done for more benign applications, TEHTRI released the information at the conference with no warning to the projects and, not surprisingly, those who usually clamor for "responsible disclosure" were rather mute.
These exploit toolkits typically have two components: the payload delivery mechanism and an administrative interface. Payload delivery runs on the compromised web site, looks at the browser to try to find vulnerabilities, and then delivers the appropriate exploit. The web-based administrative interface often aggregates information from multiple compromised web sites and allows the attacker to see what browsers were successfully attacked, which vulnerabilities were used, where the user came from, and so on—essentially a web analytics tool for malware purveyors. TEHTRI found vulnerabilities in both of these components, which could lead to administrative interface defacement, attack management database destruction, authentication cookie disclosure, disclosure of attackers' IP addresses, and more.
The kinds of vulnerabilities that were found read like a laundry list of the most common web application flaws: cross-site scripting, SQL injection, cross-site request forgery, remote file disclosure, authentication bypass, and so on. Even those who exploit web application flaws for a "living"—exploit packs typically cost $500-1000 or more—seem to be unable or unwilling to write code that avoids those same flaws. It is rather ironic that the victims of these web attacks can turn around and use the same techniques to attack the attacker.
As TEHTRI and others point out, though, it may well be illegal to turn the tables on the attackers, no matter how satisfying—and reasonable—the idea seems. Self-defense is likely not a defense against computer crime statutes, at least in many jurisdictions. The administrative interfaces typically run on systems under the control of the attacker, but not necessarily a host that is "owned" (in the legal sense) by them. It is probable that an unsuspecting victim's server has been compromised to the extent that the web interface could be installed, which makes an attack against it even riskier.
While some specifics were given at the SyScan talk, TEHTRI is keeping the details of these vulnerabilities (and others that it hints about) to itself for now. There is another SyScan conference in early July (in Hangzhou, China) where TEHTRI's Laurent Oudot is once again presenting on this topic so, in order to keep up the interest in the talk, "it has been decided that we would not disclose the whole content of our findings before this upcoming event", he said. As with much security research, TEHTRI clearly sees these vulnerabilities as a marketing tool, and is, unfortunately in some ways, treating them as such. On the other hand, it's hard to feel much in the way of sympathy for the developers or users of the tools, so disclosure of the flaws, and how to exploit them, is not a particularly high priority.
Given that there aren't enough details, yet, to actually strike back against attackers using these exploit toolkits, there is some time to consider the ramifications of "defensive attacks". Computer crime statutes are typically written rather loosely, such that any access other than what the site owner wants can be considered a violation. As various folks have found out, intent means very little when it comes to computer "crime". In addition, judges and lawyers are not terribly savvy about these technical issues, which makes it that much harder for "white hats" to defend themselves. All of that makes it extremely risky for anyone to use these exploits (or other offensive methods) against attackers.
One way to use the vulnerabilities that TEHTRI has found would be by, or in conjunction with, law enforcement. Exploiting some of those holes could lead to other systems under the control of the attacker, potentially including a host that can be associated with a specific individual or group. That could lead to prosecution, and possibly unravel a larger network of attackers. Unfortunately, except for high-profile attacks, there seem to be few resources available to track down and prosecute these crimes.
In the end, the lasting legacy of these vulnerabilities is likely to be their amusement value. It's probably too risky for "white hats" to use them, and those who could use them without fear of prosecution (e.g. police) don't have enough time, money, or interest to do so. That's sad in many ways, and disappointing to system administrators who would like to extract a small measure of retribution, but it's also hard to see it changing anytime soon.
Brief items
With this information, it is possible to reconstruct what would appear to be [NY Times CEO] Janet Robinson's E-mail address, with one missing letter. It only remains to try all 26 combinations to see which one is accepted by the NY Times mail server.
-- Rajstennaj Barrabas on "How not to redact images"
I mean, even IPSEC RFC's are easier for me to understand, and that's saying a lot...
-- Linux kernel hacker Ted Ts'o complains about SELinux complexity
Forbes reports from Jon Oberheide's SummerCon talk on Android security. "Oberheide, who works for security startup Scio Security, developed an application called 'RootStrap' to demonstrate that trust problem for Android apps. After it's installed, Rootstrap periodically 'phones home' to check for any new code that Oberheide wants to add to the program, including any hidden control program or 'rootkit' that he wished to install--hence the program's name. 'This is probably the most effective way to build a mobile botnet,' Oberheide told SummerCon's audience of hackers and security researchers." The article links to the slides from the presentation, which contain some more hard information.
The Electronic Frontier Foundation has released a beta version of https-everywhere, a Firefox extension which causes the browser to use SSL whenever possible. "Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."
The 2010 Linux security summit, which will be held just prior to LinuxCon in Boston on August 9, has announced the main talks that will be presented. Speakers include Dan Walsh, Stephen Hemminger, Elena Reshetova, Brad Spengler, Mimi Zohar, Kees Cook, and others. "The event is open to all registered LinuxCon attendees. You do not have to be a "security person" to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users. There will be panel and lightning talks sessions in addition to brief, selected presentations, with a strong focus on discussion."
New vulnerabilities
beanstalkd: unauthorized execution of beanstalk client commands
| Package(s): | beanstalkd |
| CVE #(s): | |
| Created: | June 22, 2010 |
| Updated: | June 23, 2010 |

Description: From the Red Hat bugzilla:

Graham Barr reported that beanstalkd v1.4.5 and earlier improperly sanitized job data sent together with the put command from the client. A remote attacker, providing specially crafted job data in a request, could use this flaw to bypass the intended beanstalk client command dispatch mechanism, leading to unauthorized execution of beanstalk client commands.
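As an added defensive illustration of the beanstalkd entry above (example code, not beanstalkd's own): the beanstalk text protocol frames a job as `put <pri> <delay> <ttr> <bytes>\r\n<data>\r\n`, so a server must consume exactly `<bytes>` bytes plus the trailing CRLF before it parses another command, and must treat a mismatch as an error rather than a point to resynchronize from. The job-size cap and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_JOB_BYTES 65535UL  /* constructed cap; beanstalkd enforces its own limit */

/* Parse one put command from in[0..inlen). Returns the number of bytes the
 * whole command occupies, 0 if more input is needed, or -1 if the frame is
 * malformed. Only the length-delimited body is treated as job data, and a
 * body not followed by CRLF is an error rather than a resync point, so job
 * data can never be re-read as further commands. */
long parse_put(const char *in, size_t inlen, const char **data, size_t *bytes_out)
{
    const char *eol = memchr(in, '\n', inlen);
    char line[64];
    unsigned pri, delay, ttr; unsigned long bytes;
    size_t hdr, need;
    int end = 0;
    if (eol == NULL)
        return inlen >= sizeof line ? -1 : 0;   /* header too long, or incomplete */
    hdr = (size_t)(eol - in) + 1;
    if (hdr < 2 || eol[-1] != '\r' || hdr >= sizeof line)
        return -1;                              /* header must be a short CRLF line */
    memcpy(line, in, hdr);                      /* sscanf needs a NUL-terminated copy */
    line[hdr] = '\0';
    if (sscanf(line, "put %u %u %u %lu%n", &pri, &delay, &ttr, &bytes, &end) != 4
        || strcmp(line + end, "\r\n") != 0)
        return -1;                              /* trailing junk in the header */
    if (bytes > MAX_JOB_BYTES)
        return -1;                              /* oversized (or negative) length */
    need = hdr + bytes + 2;
    if (need > inlen)
        return 0;                               /* body not fully received yet */
    if (memcmp(in + hdr + bytes, "\r\n", 2) != 0)
        return -1;                              /* body length does not match declaration */
    *data = in + hdr;
    *bytes_out = bytes;
    return (long)need;
}

int main(void)
{
    /* constructed input: declared length 5, but 8 bytes of body followed by
     * a "delete" line that a lax parser could dispatch as a command */
    static const char buf[] = "put 1 0 60 5\r\nhelloXXX\r\ndelete 1\r\n";
    const char *data; size_t n;
    printf("%s\n", parse_put(buf, sizeof buf - 1, &data, &n) < 0
                   ? "malformed put rejected; trailing line never dispatched" : "accepted");
    return 0;
}
```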
cups: multiple vulnerabilities
| Package(s): | cups |
| CVE #(s): | CVE-2010-0540, CVE-2010-0542, CVE-2010-1748 |
| Created: | June 18, 2010 |
| Updated: | March 2, 2011 |

Description: From the Red Hat advisory:

A missing memory allocation failure check flaw, leading to a NULL pointer dereference, was found in the CUPS "texttops" filter. An attacker could create a malicious text file that would cause "texttops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2010-0542)

A Cross-Site Request Forgery (CSRF) issue was found in the CUPS web interface. If a remote attacker could trick a user, who is logged into the CUPS web interface as an administrator, into visiting a specially-crafted website, the attacker could reconfigure and disable CUPS, and gain access to print jobs and system files. (CVE-2010-0540)

Note: As a result of the fix for CVE-2010-0540, cookies must now be enabled in your web browser to use the CUPS web interface.

An uninitialized memory read issue was found in the CUPS web interface. If an attacker had access to the CUPS web interface, they could use a specially-crafted URL to leverage this flaw to read a limited amount of memory from the cupsd process, possibly obtaining sensitive information. (CVE-2010-1748)
drupal-cck: access bypass
| Package(s): | drupal-cck |
| CVE #(s): | |
| Created: | June 22, 2010 |
| Updated: | October 14, 2010 |

Description: From the Drupal advisory:

The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser.

The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these, which could expose view access on controlled nodes to unprivileged users.

In addition, Node Reference provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. This was not checking that the user had field level access to the source field, allowing direct queries to the backend URL to return node titles and IDs which the user would otherwise be unable to access. Note that as Drupal 5 CCK does not have any field access control functionality, this issue only applies to the Drupal 6 version.
drupal-views: multiple vulnerabilities
| Package(s): | drupal-views |
| CVE #(s): | |
| Created: | June 22, 2010 |
| Updated: | June 23, 2010 |

Description: Drupal has reported multiple vulnerabilities in the views module, including cross-site request forgery and cross-site scripting.
fastjar: overwrite arbitrary files
| Package(s): | fastjar |
| CVE #(s): | CVE-2010-0831 |
| Created: | June 22, 2010 |
| Updated: | June 23, 2010 |

Description: From the Ubuntu advisory:

Dan Rosenberg discovered that fastjar incorrectly handled file paths containing ".." when unpacking archives. If a user or an automated system were tricked into unpacking a specially crafted jar file, arbitrary files could be overwritten with user privileges.
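As an added defensive illustration of the fastjar entry above (example code, not fastjar's own): an archive extractor should validate every entry name before joining it to the destination directory, refusing absolute names and any ".." component, so that no entry can be written outside the unpack directory. The entry names in main() are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Reject archive entry names that could escape the extraction directory:
 * absolute names, and any path component that is exactly "..". This is
 * deliberately conservative ("a/../b" is refused too): a jar produced by a
 * normal build never needs such names. Returns 1 if safe, 0 otherwise. */
int entry_name_is_safe(const char *name)
{
    const char *p = name;
    if (name == NULL || *name == '\0' || *name == '/' || *name == '\\')
        return 0;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;                              /* p now at separator or end */
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                         /* ".." component */
        if (*p)
            p++;                              /* skip the separator */
    }
    return 1;
}

/* Build "<dest>/<name>" into out only when name passed the check above.
 * Returns 1 on success, 0 if the name was rejected or the path would not fit. */
int build_extract_path(const char *dest, const char *name, char *out, size_t outlen)
{
    if (!entry_name_is_safe(name))
        return 0;
    if (snprintf(out, outlen, "%s/%s", dest, name) >= (int)outlen)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed entry names: two normal ones, two that try to leave dest */
    const char *names[] = { "META-INF/MANIFEST.MF", "com/example/App.class",
                            "../../outside.txt", "/tmp/absolute.txt" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s -> %s\n", names[i],
               build_extract_path("/tmp/unpack", names[i], path, sizeof path)
                   ? path : "rejected");
    return 0;
}
```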
firefox et al: multiple vulnerabilities
moodle: cross-site scripting
opie: denial of service
| Package(s): | opie |
| CVE #(s): | CVE-2010-1938 |
| Created: | June 22, 2010 |
| Updated: | July 21, 2011 |

Description: From the Ubuntu advisory:

Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly handled long usernames. A remote attacker could exploit this with a crafted username and make applications linked against libopie crash, leading to a denial of service.
pmount: insecure temporary file
| Package(s): | pmount |
| CVE #(s): | CVE-2010-2192 |
| Created: | June 18, 2010 |
| Updated: | June 23, 2010 |

Description: From the Debian advisory:

Dan Rosenberg discovered that pmount, a wrapper around the standard mount program which permits normal users to mount removable devices without a matching /etc/fstab entry, creates files in /var/lock insecurely. A local attacker could overwrite arbitrary files utilising a symlink attack.
squirrelmail: unauthorized port scanning
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2010-1637 |
| Created: | June 21, 2010 |
| Updated: | June 23, 2010 |

Description: From the Mandriva advisory:

A vulnerability was reported in the SquirrelMail Mail Fetch plugin, wherein (when the plugin is activated by the administrator) a user is allowed to specify (without restriction) any port number for their external POP account settings. While the intention is to allow users to access POP3 servers using non-standard ports, this also allows malicious users to effectively port-scan any server through their SquirrelMail service (especially note that when a SquirrelMail server resides on a network behind a firewall, it may allow the user to explore the network topography (DNS scan) and services available (port scan) on the inside of (behind) that firewall). As this vulnerability is only exploitable post-authentication, and better, more specific port scanning tools are freely available, we consider this vulnerability to be of very low severity.
tiff: multiple vulnerabilities
| Package(s): | tiff |
| CVE #(s): | CVE-2010-1411, CVE-2010-2065, CVE-2010-2067 |
| Created: | June 22, 2010 |
| Updated: | March 8, 2011 |

Description: From the Ubuntu advisory:

Kevin Finisterre discovered that the TIFF library did not correctly handle certain image structures. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could execute arbitrary code with user privileges, or crash the application, leading to a denial of service. (CVE-2010-1411)

Dan Rosenberg and Sauli Pahlman discovered multiple flaws in the TIFF library. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could execute arbitrary code with user privileges, or crash the application, leading to a denial of service. (CVE-2010-2065, CVE-2010-2067)
znc: segfault under certain conditions
| Package(s): | znc |
| CVE #(s): | |
| Created: | June 21, 2010 |
| Updated: | June 23, 2010 |

Description: From the Red Hat bugzilla:

A Debian bug report noted that ZNC would segfault under certain conditions, such as clicking "traffic" in the webadmin pages or issuing the traffic command on the /znc shell.
Page editor: Jake Edge