My Security Planet

Feeds

8068 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Recent items

Schneier on Security

• 

  The Pros and Cons of Password Masking

  Posted: July 3rd, 2009, 1:42pm CDT

  Tags:    [edit]

  Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong. I was certainly too glib. Like any security countermeasure, password...
• 

  The Insecurity of Secrecy

  Posted: July 3rd, 2009, 7:18am CDT

  Tags:    [edit]

  Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy. Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by...

Mark Curphey - SecurityBuddha.com

• 

  Most Amazing Resume Ever

  Posted: July 3rd, 2009, 6:46am CDT by mcurphey

  Tags:    [edit]

  

SecurityFocus News

• 

  Brief: Researcher aims to tweet Month of Bugs

  Posted: July 3rd, 2009, 12:00am CDT

  Tags:    [edit]

  Researcher aims to tweet Month of Bugs

Mozilla Webdev

• 

  Improving Accessibility Through ARIA

  Posted: July 2nd, 2009, 10:43pm CDT by rdoherty

  Tags:  Uncategorized   [edit]

  Accessibility is a pretty hairy issue in web development. When attempting to determine if your site is accessible, there are so many standards and recommendations to follow. 508, WCAG, WCAG 2.0, WAI Priority 1, 2 & 3.

  Well, now there is a new standard from the W3C called WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications)

  The simplest definition of ARIA is adding UI semantics via HTML element attributes. Simply, you add things like ‘<div role="nav">‘ or ‘<form role="search">‘ to specific HTML elements to give screen readers a better understanding of your content.

  The ARIA spec is huge (160 pages), so I won’t go over every part of it in detail. The four areas I will focus on are landmarks, required, invalid and live regions.

  ARIA Landmarks

  Today, when a blind user encounters a website, navigation between elements of the page can be difficult because there is no established method of marking areas of the page as navigation, content, footer, etc. Luckily with ARIA, we can.

  Here’s some example markup of a typical webpage:

  <div id="header">
      <h1>My Awesome Website</h1>
      <form> </form>
  </div>
  <div id="content">
      <ul id="nav"></ul>
      My website rocks!
  </div>
  <div id="footer"></div>
  

  And here’s what it looks like with ARIA Landmarks:

  <div id="header" role="banner">
      <h1>My Awesome Website</h1>
      <form role="search"> </form>
  </div>
  <div id="content" role="main">
      <ul id="nav" role="navigation"></ul>
      My website rocks!
  </div>
  <div id="footer"></div>
  

  What I’ve done is add ARIA roles to certain parts of the page (header, nav, search form, primary content). Because the roles are a defined spec, screen readers can parse the page for roles and allow a user to jump to each part without having to navigate through all the content.

  ARIA Required & Invalid

  Another part of the ARIA spec is the attribute ‘aria-required’ and ‘aria-invalid’. These attributes are for communicating to screen readers that a particular form field is required and/or invalid without requiring the user to look for asterisks or other text near the field. The screen reader would alert the user to this information. Here’s an example:

  <form id="searchform" role="search">
        <p class="error">You did not enter a search term</p>
        <input name="query" value="" aria-required="true" aria-invalid="true" />
  </form>
   
  

  The above code has the ‘aria-required’ and ‘aria-invalid’ attributes set to true. When a screen reader encounters this code, it will read aloud ‘required’ and ‘invalid’. This is a lot simpler for a user than attempting to find error messages and/or asterisks in the page.

  ARIA Live

  A particularly difficult area of accessibility is dealing with AJAX. How can you communicate to a screen reader that content is loading or has changed? Thankfully, with ARAI Live Regions, it is quite simple. Here’s an example:

      <div id="sidecontent" aria-live="polite"> AJAX content goes here... <div>
  

  Adding the ‘aria-live’ attribute to an element alerts a screen reader that content will change in this region and to read it aloud when it does. The aria-live attribute has ‘politeness’ levels, which allow you to specify how polite the updates should be. The four levels are

  • off - updates are not communicated
  • polite - notify of changes only when the user is not doing anything
  • assertive - announce as soon as possible, but not interrupting the user
  • rude - which will be read aloud immediately

  The various levels of politeness allow for different situations where users would need to be notified immediately of important information or for content that is not as important.

  Summary

  This is just a quick overview of ARIA and its uses, but I’m really excited about the possibilities it creates. We can communicate the intent of our content much more explicitly. There’s also a lot of other aspects to ARIA including widgets (slider, checkbox), application structure (alerts, log, progressbar) and document structure (article, grid, definition) that are exciting.

  Further Reading

  • Longer ARIA overview
  • ARIA Spec
  • Setting up a screen reader
  • Accessible widgets with ARIA

SEO BlackHat: Black Hat SEO Blog

• 

  Micheal Jackson Death Most Clicked Story Ever

  Posted: July 2nd, 2009, 9:04pm CDT by QuadsZilla

  Tags:  SEO   [edit]

  According to Yahoo,

  The story “Michael Jackson rushed to hospital” was the highest clicking story in our history. It generated a whopping 800,000 clicks within 10 minutes and news of his death saw 560,000 clicks in 10 minutes. Also, the news area on our front page experienced five times the amount of traffic it normally receives.

  Yahoo! News set an all-time record in unique visitors with 16.4 million people, surpassing our previous record of 15.1 million visitors on election day. Four million people visited the site between 3-4pm Pacific time, setting an hourly record. We also recorded 175 million page views yesterday, our fourth highest after Inauguration Day, the day after the Inauguration, and Hurricane Ike.  

  Also Interesting are the related searches that have been spiking:

  * Who is the girl in the Thriller video?
  * Who is the most famous person in the world?
  * Who bought Neverland ranch?
  * When did Michael Jackson turn white?
  * How did Michael Jackson bleach his skin?
  * Who was in the Jackson Five?
  * Who owns the Beatles catalog?
  * How is Randy Jackson related to Michael Jackson? (not related)
  * How much was Michael Jackson worth?
  * How tall was Michael Jackson?
  * Is the real Michael Jackson dead?
  * Was Michael Jackson a muslim?
  * What is Michael Jackson’s favorite color?
  * What is Michael Jackson’s favorite number?
  * Where will Michael Jackson be buried?

  The Interest, while interesting, is not surprising. He’ll be remembered as one of the greatest Artists of All Time.

SecuriTeam Blogs

• 

  Want vulnerability information? Pony up the cash

  Posted: July 2nd, 2009, 6:05pm CDT by Aviram

  Tags:  Commentary   [edit]

  The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for it. CEO Rick Dalmazzi writes:

  Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.

  I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.

  But I do think Rick is taking the long and hard path by asking the vendors directly - there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).

  What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can easily exercise this (better than we can, as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe for this information. But that may take a while (a friend of mine that is responsible for product security for a very large vendor says that will be a cold day in hell).
  In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities.

  -

  Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

terminal23

• 

  mcgrew takes down a bad guy

  Posted: July 2nd, 2009, 2:59pm CDT by michael

  Tags:    [edit]

  McGrew is starting his posts about hunting down and getting a hacker arrested for what amounts to a SCADA attack. Via Liquidmatrix I was pointed to a very informative Register article as well.
  
  I sometimes state that I wear a grey hat now and then, but it really is far beyond the line to actually attack a system that has as much importance as an HVAC in a medical clinic; something that can jeopardize lives both directly and indirectly. It is also a gross negligence to subvert the trust placed in someone like a security guard who is meant to protect. Highest kudos to McGrew for doing something about it rather than just ignoring the incident.
  
  After McGrew dropped the name in IRC the other night, I did some of my own quick searching on the person. Hacker kids and little hacker groups and even minor defacements are one thing, but escalating to a degree like this is trouble. Role-playing and playing at this kind of thing is fine, if you ask me (yes, even if you find it cool to wear a gas mask), but you don't toe that moral right and wrong line. People who do that and have certain psychological dispositions are trouble, as they really have no where else to go but further escalation past that line.
  
  What I found most ironic was a post on a profile that said his dream job was to be with the FBI Cyber Corps. Well, at least he got an up close introduction!

Schneier on Security

• 

  Information Leakage from Keypads

  Posted: July 2nd, 2009, 12:09pm CDT

  Tags:    [edit]

  Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234....

terminal23

• 

  identity theft issues still hard to grasp for most

  Posted: July 2nd, 2009, 11:36am CDT by michael

  Tags:    [edit]

  ID theft has been around a very, very long time. Only with the relatively recent explosion of the Internet has it become more than just an acceptable "cost of business." So in recent years you'd think places, like, oh I don't know say, local banks, would have a lot more awareness of the issues and do simple things like, I don't know, shred or securely dispose of paper waste. I guess not. Even today...

  Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters.

  My only complaint on the news article is this part:

  CBS13 was able to find processed deposit slips and junk mail with full names and addresses in the garbage of a local bank.

  With absolutely no reference on why that sort of information might be useful or dangerous. Is my full name and address sensitive information? I would hope not since it's public...

Curiouser and Curiouser

• 

  Obey Giant

  Posted: July 2nd, 2009, 11:22am CDT

  Tags:  Miscellaneous   [edit]

  I wish more of these prints were available for sale, or at least in a large format image for printing. I love this style of art.

  [ Image Link ]

  [ Image Link ]

  [ Image Link ]

  [ Image Link ]

  [ Image Link ]

  The final image especially reminds me of Todd McFarlane's artwork in Pearl Jam's Do The Evolution Video (which contains one of my favorite guitar riffs of all time).

  [ Video Link ]

  When I was in London last year I snapper this photo of Andre/Obey graffiti coming in from Heathrow.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [3] - Reply - Recommend

Schneier on Security

• 

  More Security Countermeasures from the Natural World

  Posted: July 2nd, 2009, 6:11am CDT

  Tags:    [edit]

  The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it. She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten...

Ivan Ristic

• 

  The analysis of Googlebot's frugal cipher suite list

  Posted: July 2nd, 2009, 3:21am CDT by Ivan Ristić

  Tags:    [edit]

  Two weeks ago, I announced SSL Labs and my technique for passive SSL cipher suite analysis. It won’t surprise you to learn that I've been carefully observing the cipher suites used in the requests that came to the web site since. (In fact, I announced the site slightly earlier than I had planned because I wanted to get my hands on some real-life data.) One client’s SSL fingerprint immediately caught my attention, because it supported only 4 cipher suites. It was Googlebot.

  There were 115 visits from Googlebot in the two-week period, using 5 different User-Agent strings (although Googlebot will sometimes send a request without User-Agent set):

  • Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
  • SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
  • DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
  • Googlebot-Image/1.0
  • Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; feed-id=9430846974815548184)

  The first one is by far the most common, although the other ones appear on regular basis. I used reverse DNS to verify that the IP addresses belong to Google, with the exception of one Feedfetcher request, for which I had to use ARIN.

  As I’ve already mentioned, Googlebot's SSL fingerprint is quite short:

  h2,03.01,010080,04,05,0a

  The first token indicates the version of the SSL handshake used. In this case it’s h2, which is a code for the SSL v2 handshake. The second token indicates the highest SSL version a client is willing to support. Googlebot’s choice, 03.01, indicates that is willing to go as far as TLS v1.0. Modern browsers do not support SSL v2.0 so it's generally rare to see a browser use a SSL v2 handshake. Search engines don’t care about security but they do care about accessing as many servers as possible: they’ll compromise and support the weaker protocols.

  What follows is the most interesting part: the codes for only 4 cipher suites. They are:

  • SSL_CK_RC4_128_WITH_MD5 (0x010080)
  • SSL_RSA_WITH_RC4_128_MD5 (0x04)
  • SSL_RSA_WITH_RC4_128_SHA (0x05)
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)

  The first suite is only valid with SSL v2.0, while the three remaining ones work in SSL v3.0 or TLS v1.0. It's obvious that, unlike with most other SSL clients, the cipher suites on this list were hand-picked. If I would have to guess, I would say that the motivation was to save on bandwidth. It’s likely that all SSL v2.0 servers support the one SSL v2.0 cipher suite, while 3 suites are needed to support the rest of the Internet.

  Assuming the reason for such a short list of cipher suites is frugality, I am surprised it doesn’t contain suites with weaker ciphers. A search bot doesn’t really care about security so it could afford to negotiate a weaker cipher and perhaps save some CPU cycles. Similarly, 3DES is significantly slower (than, for example, RC4) so it would be my first candidate for removal if I am concerned with performance. Thus, I am guessing it’s there for interoperability.

  It would be interesting to get someone from Google to comment.

  Interestingly, my net caught one search engine imposter, who claimed he was Googlebot, but wasn't. While I could have also used a reverse DNS lookup to determine what the imposter wasn’t, in this case I was also able to identify what it was—someone browsing the Internet using a Firefox 2.x browser with and altered User-Agent field. Nice!

funkatron.com

• 

  Links for 2009-07-01 [del.icio.us]

  Posted: July 2nd, 2009, 2:00am CDT

  Tags:    [edit]

  • Running IE6, IE7 and IE8 on your Mac — The Mozmonkey Blog
    You'll need a virtualization tool like VMWare Fusion or VirtualBox
  • jQuery Metadata plugin
    This plugin is capable of extracting metadata from classes, random attributes, child elements and HTML5 data-* attributes.

  

Schneier on Security

• 

  MD6 Withdrawn from SHA-3 Competition

  Posted: July 1st, 2009, 2:27pm CDT

  Tags:    [edit]

  In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward. Basically, the issue is that in order for MD6 to be...

1 Raindrop

• 

  Re-branding security "policy"

  Posted: July 1st, 2009, 2:18pm CDT by Gunnar Peterson

  Tags:    [edit]

  In my experience the concept of "policy" is a hard one for many developers to get their heads around, they don't immediately grok what "policy" is or what its supposed to do and it conjures up eastern european cold war regimes. Unfortunately policy is a central concept throughout information security. 

  
  I have been thinking that we need another way to express the same concept to developers. What developers really interact with are Policy Enforcement Points, Policy Decision Points, and Policies. 
  The Policy Enforcement Point has two responsibilities, one structural and one behavioral. The structural responsibility is to mediate communication between the subjects and objects. The behavioral responsibility is to collect the message exchanges and send them to the Policy Decision Point. I propose the term "Container" for these responsibilities.
  The Policy Decision Point owns the workflow that renders the Y/N/DK policy decision, it uses the information that the Container sends it and may pull in dynamic data or other programs to make the decision. Some of the workflow is static and some dynamic. In some cases its a simple workflow, in other cases lots of nested logic. I think "Rules" or "Strategy" can illustrate this.
  So if we take these two concepts the developer implements a container that makes access control decisions based on security rules and/or strategy combinations/permutations.
  The other reason I think a re-branding is necessary is that "policy" sounds like a passive thing, in the responsibilities above you can see that the act of enforcing policy is quite active and dynamic.
  Not sure if this is any better, but it seems better than policy. What do you think?

Liminal states

• 

  Ethnographic observations and you!

  Posted: July 1st, 2009, 12:53pm CDT by jon

  Tags:    [edit]

  An as-yet-unnamed potential startup company is planning to develop some revolutionary software that relates to how people work together.  One of our first steps is to set set up a research community and making some ethnographic observations — in other words, getting an understanding of how people work today.  We’re especially trying to get a diverse set of participants: not just techies, not just straight white guys, not just Microsoft-related people.

  At the end of the first round of observations, we’ll provide all the participants with a summary of our findings.  And as a way of showing our appreciation, we’ll also give them each a free copy of our first product once it’s available.

  Interested in being a part of it?   We’ll need two to three hours of your time.

  At a time that works for you, two members of our team will come to your workplace, sit by your side as you do your work, take pictures of your environment from time to time.  It’d be ideal if this time includes at least one meeting or conference call.  Our focus will be on what communication tools you use to interact with others, how you use these tools, and what’s working or not working for you.

  During the observations, we may ask you some questions, but will try not be too intrusive so you can go about your normal business.  After the observations, we’ll conduct a 15-20 minute interview to discuss what we saw.  Everything we see while we’re there will be held as strictly confidential and will not be shared with anyone outside of our team. Our notes will focus on how you manage your workday, and will not include any details about your work or your company.   And of course it’s up to you whether we share your name and company name with anyone outside of our team.

  If you’d like to participate, please leave a comment here or contact me via Twitter, Facebook or MySpace.  We’re starting in the Seattle area; over time, we’ll branch out more broadly.

  Thanks much!

  jon

  PS: If this is too big of a time commitment for you, no worries; we’ll be gathering information in other ways as well.  Stay tuned for more!

SecuriTeam Blogs

• 

  The month of twitter bugs

  Posted: July 1st, 2009, 12:44pm CDT by Aviram

  Tags:  Web   [edit]

  Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
  There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?

  Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.

  -

  Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!

Sunnet Beskerming Security Advisories

• 

  Learning Information Handling Lessons From Celebrity Tragedy

  Posted: July 1st, 2009, 12:23pm CDT

  Tags:    [edit]

  In the space of a week and a half the world has lost some major celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael Jackson all passing away. Although each passing is tragic, it is the sudden death of Michael Jackson that has had the most effect on the online world, though there are reports that the deaths of the others have also led to online scam attempts.

  Jackson's unexpected death demonstrates the power that "non-reputable sources" can have in being able to break and follow important news that is normally ignored until a more "reputable" source picks it up. The Internet may make it possible for anyone to have a voice, but it also means that carrying authority and reputation with that voice still takes time and effort. Michael Jackson's passing was first identified and reported on by TMZ, however the "reputable" news agencies and sources were much slower to pick up the story and run with it. One of the primary reasons why is that they had a much stronger reputation and weight of authority to risk running with a potentially inaccurate story, especially one that could be damaging if it was inaccurate. When everyone on the Internet is able to go and visit the originating source site, then the decision to delay the coverage of his death can result in lower overall readership of their particular coverage of the story.

  Savvy online users and the skeptical will still try to get independent validation of the breaking story, something that came with time even though many of the early 'reputable' stories were derived almost exclusively from TMZ material. This sudden rush of Internet users seeking out independent validation in a very narrow timeframe led to some interesting side effects for Google and major news sites. Google's side effect was that the massive wave of traffic was initially identified as an attack and so accurate information was withheld for a short period while Google's defences were activated to deal with the significant but legitimate traffic flow.

  Twitter was another service which found itself struggling to cope with the increased traffic that came as a result of Jackson's death. Various elements and features of the service were temporarily disabled to allow it to carry the messages being created by its users. Reportedly this was in the vicinity of 66,000 messages per hour, but that figure seems extremely low. If the service is going to struggle on 1,100 messages per minute, then it needs to be re-engineered to be able to carry more capacity if it is going to have wider appeal and usefulness.

  Sites that were reliant upon third party advertising hosting found that serving the external ads was causing bottlenecks when serving up news reports, so much so that it made the overall sites seem unresponsive, despite the site itself still being responsive and fully functional.

  Not only were mainstream "reputable" media sites and sources scooped by a non-traditional source and means, but there are questions about the appropriateness of media organisations self-censoring material that would normally be published.

  When that material is suppressed because it pertains to a reporter that they employ it leads to accusations of double standards from external observers.

  Not only was news of the reporter's kidnapping suppressed from traditional media sources, but an active and successful campaign was led to keep the information suppressed from Wikipedia, where the reporter already had a page describing their life and employment. Critics of Wikipedia have seized on this as a clear example of how Wikipedia is not the neutral, freely-editable source of information it claims to be. Political and commercial interests can trump the efforts of contributors to improve and enhance the usefulness and accuracy of the site.

  Even though each of the situations described above took place recently, it isn't quite yet the case where people can claim that "The Emperor has no clothes", but it is beginning to look that way. How each situation came about and was resolved should provide lessons to the companies and organisations involved to help them provide better results the next time something similar takes place or else they will find themselves with no clothes.

  

Curiouser and Curiouser

• 

  Schneier on Security: Security, Group Size, and the Human Brain

  Posted: July 1st, 2009, 12:18pm CDT

  Tags:  Miscellaneous   [edit]

  The smallest, three to five, is a "clique": the number of people from whom you would seek help in times of severe emotional distress. The twelve to 20 group is the "sympathy group": people with which you have special ties. After that, 30 to 50 is the typical size of hunter-gatherer overnight camps, generally drawn from the same pool of 150 people. No matter what size company you work for, there are only about 150 people you consider to be "co-workers." (In small companies, Alice and Bob handle accounting. In larger companies, it's the accounting department -- and maybe you know someone there personally.) The 500-person group is the "megaband," and the 1,500-person group is the "tribe." Fifteen hundred is roughly the number of faces we can put names to, and the typical size of a hunter-gatherer society.

  Interesting look at group dynamics. Explains why I feel most of "the company" are soulless whores whose job is to tell me "no." ;-)

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend

Ivan Ristic

• 

  Improved handling of SSL warnings in Firefox 3.5

  Posted: July 1st, 2009, 11:56am CDT by Ivan Ristić

  Tags:    [edit]

  Slightly over a year ago I discussed the SSL certificate error handling in Firefox. Where Firefox 2.x allows users to simply click through a warning about an invalid SSL connection, Firefox 3.0.x improves the handling and makes it difficult to access the invalid web site.

  My blog post turned out to be quite popular, sparking a lively discussion, which spilled onto the Mozilla's Bugzilla when I filed two bug reports for Firefox:

  1. Exceptions for invalid SSL certificates are too easy to add
  2. Handling of invalid SSL certificates lacks in usability

  The first bug report was rejected after a short discussion (still, I was happy to have been heard), but the second lingered on and, one year later, resulted in the change in how Firefox handles invalid SSL certificates. In Firefox 3.5, when you encounter an invalid SSL web site, you get a screen similar to this one:

  

  Notice the improved language. The message now ways "[...] we can't confirm that your connection is secure", instead of "[a site] uses an invalid security certificate" (followed by technical mumbo-jumbo). Clicking the two headings at the bottom uncovers the hidden areas, which contain more information and the button to create an exception:

  

Schneier on Security

• 

  New Attack on AES

  Posted: July 1st, 2009, 11:49am CDT

  Tags:    [edit]

  There's a new cryptanalytic attack on AES that is better than brute force: Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher...

hackademix.net

• 

  ABE Warnings Everywhere OMG!

  Posted: July 1st, 2009, 10:15am CDT by Giorgio

  Tags:  ABE   [edit]

  Many people use their hosts file for resources blocking purposes, especially against ads or known malicious sites.

  Since your hosts file takes precedence over your DNS in domain name resolution, you can redirect undesired domain to invalid IP addresses, saving both bandwidth and CPU because resolved IPs are cached.

  Unluckily, most information sources about this useful technique, including the Wikipedia article above, instruct the reader to use 127.0.0.1 (the local loopback IP) as the dead-end destination, rather than a truly invalid address such as 255.255.255.0. This is not very smart, especially if you installed a web server on the loopback interface (like many web developers do), because you’re spamming it with dummy requests whenever you browse an ad-laden web site.

  Furthermore, I’m currently receiving several reports about ABE warnings popping up everywhere. If you read my post about ABE yesterday, you know that it ships with a built in “SYSTEM” ruleset containing just one rule which alone implements the whole LocalRodeo functionality:

  
  # Prevent Internet sites from requesting LAN resources.
  Site LOCAL
  Accept from LOCAL
  Deny
  
  

  Such a rule blocks any HTTP request for resources placed in your local network, including localhost (127.0.0.1) and any other LAN IP, unless it is originated from your local network as well. This protects your internal servers and devices (e.g. routers and firewalls exposing web interfaces) against CSRF and XSS attacks performed from the internet.

  As a side effect, though, if you’re redirecting arbitrary hosts to 127.0.0.1, you’ll get bombed by a storm of ABE warnings whenever those sites are linked from external web sites. The solution is simple: just open your host file and replace 127.0.0.1 with 255.255.255.0 everywhere it’s used to block something, but being careful to keep 127.0.0.1 on the localhost entry and other really local domains, if any.

1 Raindrop

• 

  Radical Transparency

  Posted: July 1st, 2009, 10:11am CDT by Gunnar Peterson

  Tags:    [edit]

  Inspired by the new federal IT dashboard, here is a sample infosec dashboard that details where information security groups elect to invest their shareholders' money

  
  
  

ha.ckers.org web application security lab

• 

  Mozilla’s Content Security Policy

  Posted: July 1st, 2009, 9:59am CDT by RSnake

  Tags:  General News   [edit]

  Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

  I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

  On a less thrilling note it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting, it’s an opt-in model and clickjacking is so prevalent as an avenue for attack. Opt in security models work on sites that know they’ve got a problem (like user submitted HTML and JS) not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solve. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?

  In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

BlogSecurity

• 

  WordPress Plugin DM Albums 1.9.2 vulnerabilities

  Posted: July 1st, 2009, 8:33am CDT by DK

  Tags:  Advisories   [edit]

  DM Albums™ is an inline photo album/gallery plugin that displays high quality images and thumbnails perfectly sized to your blog. Two vulnerabilities have been made public: 1. Stack released  a “remote file disclosure vulnerability” (Low-Medium Risk Level) 2. Septemb0x released a “remote file include vulnerability” (Critical Risk Level) An attacker could use these vulnerabilities to potentially gain full access [...]
• 

  WordPress Plugin Related Sites 2.1 Blind SQL Injection Vulnerability

  Posted: July 1st, 2009, 8:26am CDT by DK

  Tags:  Advisories   [edit]

  A critical vulnerability has been discovered in the WordPress Plugin Related Sites plugin. An exploit is available in the wild and available on Milw0rm, making this attack easier to exploit. Although, the vulnerability says that version 2.1 is vulnerable. You should assume previous versions are vulnerable as well. BlogSec have confirmed that the current version (at the [...]

Schneier on Security

• 

  Security, Group Size, and the Human Brain

  Posted: July 1st, 2009, 6:51am CDT

  Tags:    [edit]

  If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with. Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking"...

SecurityFocus News

• 

  Brief: Mozilla adds more privacy in Firefox 3.5

  Posted: July 1st, 2009, 12:00am CDT

  Tags:    [edit]

  Mozilla adds more privacy in Firefox 3.5
  
  >> Advertisement <<
  Can you answer the ERP quiz?
  These 10 questions determine if your Enterprise RP rollout gets an A+.
  [www.findtechinfo.com]
• 

  Brief: Juniper pulls talk on ATM vulnerabilities

  Posted: July 1st, 2009, 12:00am CDT

  Tags:    [edit]

  Juniper pulls talk on ATM vulnerabilities

CGISecurity.com: Your Web Site and Application Security Resource

• 

  Researcher barred for demoing ATM security vuln

  Posted: June 30th, 2009, 3:29pm CDT by Robert A.

  Tags:  Events   [edit]

  "A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack...

SecuriTeam Blogs

• 

  Iraq cybersquatting Israel gov’t domains

  Posted: June 30th, 2009, 3:13pm CDT by Aviram

  Tags:  Web   [edit]

  A few years ago, the personal blog of the Iran president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
  But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

  These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

  Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed in which news travel on the Internet these days, it shouldn’t be difficult to do some psychological warefare if you own “credible” domain names.

  -

  Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

ha.ckers.org web application security lab

• 

  CSRF And Ignoring Basic/Digest Auth

  Posted: June 30th, 2009, 2:51pm CDT by RSnake

  Tags:  Webappsec   [edit]

  One of the single most annoying things about CSRF and router hacking etc… is that you get the annoying popups on Basic and Digest authentication pages, asking you to log in. More and more devices are moving away from these popup style alerts and moving more towards form based authentication, which is better from a hacking perspective. But still, I would say the vast majority of firewall/switch/router devices out there use Basic or Digest based authentication. The problem with that from an attacker’s perspective is that it creates a noisy popup if it fails (if the user isn’t authenticated) that the user is bound to notice and question. Well, now we have an answer - at least in Internet Explorer:

  <DIV STYLE="background-image: url(http://router/path.to.hack)">blah</DIV>

  I know there are others tags that work, but probably not as well as this method from what I’ve seen so far. I haven’t found a reliable way in other browsers to allow this to happen, but I’ve only barely scratched the surface of the vast number of CSRFable tags out there. But anyway, yes, this doesn’t cause the Basic or Digest auth dialog to fire so it will be more stealthy upon performing a CSRF that fails. Of course for POST based CSRF you’re still out of luck…

Schneier on Security

• 

  Cryptography Spam

  Posted: June 30th, 2009, 1:36pm CDT

  Tags:    [edit]

  I think this is a first. Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can...

CGISecurity.com: Your Web Site and Application Security Resource

• 

  Masked passwords must go?

  Posted: June 30th, 2009, 12:00pm CDT by Robert A.

  Tags:  IndustryNews   [edit]

  "Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in....

1 Raindrop

• 

  Using Attack Surface in Threat Models

  Posted: June 30th, 2009, 10:32am CDT by Gunnar Peterson

  Tags:    [edit]

  Last week, I blogged about using threat models to identify and locate countermeasures. Now, I would like to add a little more detail and context. Recall, the purpose of the threat model is to map threats to countermeasures, but he catalyst comes through some part(s) of the attack surface. There are several attack surface models out there, I use a simple one where the attack surface is the sum of the data +  method + channel, that entail the ways the system can be attacked. 

  
  So in an example Web services application we would have an attack surface that includes

  • Data: XML
  • Method: SOAP or HTTP Verbs 
  • Channel: HTTP 

  Relating the attack surface construct to our threat model yields interesting possibilities for countermeasure combinations and permutations. Let's assume you are doing security design for a REST Web service and are looking at the constraints and capabilities that REST, HTTP, XML and other standards will help you deal with threats. The combination of the attack surface model and threat model gives you a way to be more precise with mapping countermeasures to threats.
  

   

  Threat	Countermeasure Located in Attack Surface
  Data	Method	Channel
  Spoofing	XML Signature (response only)	None	TLS/SSL
  Tampering	XML Signature (response only)	None	TLS/SSL
  Dispute	None	None	None
  Information Disclosure	XML Encryption (response only)	None	SSL
  Denial of Service	None	None	None
  Elevation of Privilege	Oauth	Oauth	None

  
  
  This is just an example, but the attack surface is a nice refinement for drilling down on the countermeasure side of the threat model ledger. The location context gives the security designer some flexibility in finding cost effective ways to address security in the software design. In a nutshell, the threat model identifies countermeasures and attak surface locates the countermeasures in the software architecture.
  

deep inside | security & tools

• 

  NIST Static Analysis Tool Exposition special publication released

  Posted: June 30th, 2009, 10:30am CDT by Romain

  Tags:    [edit]

  The NIST SAMATE project conducted the first Static Analysis Tool Exposition (SATE) in 2008 to advance research in static analysis tools that find security defects in source code. The main goals of SATE were to enable empirical research based on large test sets and to encourage improvement and speed adoption of tools. The exposition was planned to be an annual event.

  SATE 2008 was one of my last project at NIST. I really enjoyed working on this project from the beginning, it was challenging especially because we had to create so many artifacts to make the tool reporting the weaknesses the same way, integrate them all together and provide ways for assessors to make meaningful reviews.

  In a nutshell, we selected 6 different open-source programs (3 en C, 3 in Java) and made tool vendors running their tool on these test cases. Tool vendors were allowed to customize their tool if their tool provide such capability. Fortify was the only vendor who created a custom rule (to help the tool with a validation routine for MVNForum). Our goal was then to combine the results all together and analyze: provide information on the correctness of the tool.

  If you are interested, you can download the SATE data and the NIST SATE Special Publication.

  Thanks to all the SAMATE team for this effort, and especially Vadim Okun and Paul E. Black.

  For more information, you can reach the SATE page at NIST.

  

1 Raindrop

• 

  MetriCon 4.0 Preliminary Agenda

  Posted: June 30th, 2009, 10:08am CDT by Gunnar Peterson

  Tags:    [edit]

  MetriCon and the SecurityMetrics list have for several years been host to the most interesting discussions on Security Metrics. This year the MetriCon 4.0 Workshop will be held on Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. The formal Call for Participation is still available for your review. As with all MetriCon events, MetriCon 4.0 is by invitation; invitations for attendance-only remain available. If you wish to attend, communicate via email to the MetriCon 4.0 program committee at your earliest convenience.
  

  Preliminary Agenda

  1. Baseline Scoring Methods
  Reproducible Measurement as a Foundation for Security Assessment Metrics
  SCAP Metrics

  2. Measuring Impact
  Business Focused: Foundations for Security Business Intelligence
  Metrics for Detecting Compromised Systems

  3. Enterprise Security Management
  Security Metrics in Governance, Risk and Compliance
  Using Security Metrics to Motivate a Response to A Critical Vulnerability
  Foundational Control Practices

  4. Software Security
  The Building Security In Maturity Model
  Does Software Quality Matter?

  5. Trends and Stats
  Measuring the Future Basis of Competition among AV Products
  Crunching Metrics from Public Data
  Data Loss DB

  6. Security Manager Panel
  Asset Profiles
  Initiative Alignment
  Metrics for Predictive Analysis

  7. Discussion Groups on Topics of Mutual Interest
  Enterprise Network Security Metrics
  PCI DSS Statistics & Metrics
  SOX Material Weakness
  Vulnerability Response Decision Assistance

Zero in a bit

• 

  The Mobius Defense – An Impetus for Application Security

  Posted: June 30th, 2009, 9:38am CDT by Tyler Shields

  Tags:    [edit]

  The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read so get to it…

  Mr. Herzog suggests in this presentation that the “Defense in Depth” strategy, with regards to network defense, is ineffective and antiquated, and needs to be replaced with a new and updated defense model. His proposed model is called the “Mobius Defense”.

  The basic tenet of this defense is one in which each individual asset should be protected as if it were the only asset in the model as opposed to forming lines of defense to secure the entire asset base as a whole. Two important facets are stated in his presentation:

  • Network security is a zero sum game in which a single compromise is all that is required to “win”
  • The network perimeter is truly nonexistent

  If we take the above two statements to be true, then there really are no clearly defined lines of defense in which we can accurately create a defense in depth model and instead we should secure the individual asset by limiting its in and out dataflow, minimizing trust, and implementing a minimal interconnectedness policy across the board. Distilled, the Mobius model creates a network security design that disregards network boundaries and theoretical demarcation lines in favor of “guerilla defense” in which every actor fends for themselves.

  So what does this mean for the application security landscape? If what Mr. Herzog presents is reality, then the application layer truly is the last, and best, line of defense (pardon the pun). With the degradation of the network perimeter, thanks in part to the iPhone, Blackberry, Web Browser, and other assorted peripherals and client based designs; there is a new found urgency to secure each individual network touch point to the best extent possible. It’s with this urgency in mind that application security assessments should move upward in the prioritization of security spending. While I don’t suggest that defense in depth should go away and die, I do suggest that we should focus on securing the most common target of attack, the application layer. If the paradigm of the network has changed shouldn’t our defense models change as well?

Schneier on Security

• 

  Growth of the CSE

  Posted: June 30th, 2009, 6:32am CDT

  Tags:    [edit]

  The Communication Security Establishment (CSE, basically Canada's NSA) is growing so fast they're running out of room and building new office buildings....

It's a shampoo world anyway

• 

  NoScript now includes LocalRodeo-like functionality

  Posted: June 30th, 2009, 4:45am CDT by Maddin

  Tags:    [edit]

  Giorgio Maone just announced that NoScript now includes ABE (a framework for CSRF protection) by default. Among others, ABE contains rules which enforce LocalRodeo's intranet protection functionality. Also, Mozilla has apparently finally fixed Firefox's DNS rebinding issues with the release of 3.5 (at least Kanatoko's testcase fails now). Hence, if you are already a NoScript user, there should currently be no need for additionally installing LocalRodeo.

Curiouser and Curiouser

• 

  When can I use...

  Posted: June 29th, 2009, 10:44pm CDT

  Tags:  Miscellaneous   [edit]

  A depressing look at "future" browser features.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend

BindShell.Net

• 

  Module: Redirect Page

  Posted: June 29th, 2009, 10:25pm CDT

  Tags:  Events   [edit]

  Here is a simple module that will redirect the zombies' pages to an arbitrary location. The location is set in the module configuration page BeEF - simply enter the URL, select the target zombies and click send.

extern blog SensePost;

• 

  Watch out Amazon...

  Posted: June 29th, 2009, 10:15pm CDT

  Tags:    [edit]

  'cause theres some serious cloud computing competition on the horizon..

  A google search for Cloud Provider returns the following paid ads..

  

  Now i know conventional logic says its a bad idea to judge a book by its cover, but..

  

Curiouser and Curiouser

• 

  Content Security Policy Details

  Posted: June 29th, 2009, 10:01pm CDT

  Tags:  Miscellaneous   [edit]

  The main goal of Content Security Policy is to prevent malicious code from being injected into a website and executed within the context of that site.

  This could be huge. At the fullest implementation the only JavaScript that will be allowed to execute is external JavaScript files that are specifically white listed by the server. Good bye attribute injection, javascript URIs, and plain SCRIPT tags. No dynamic code execution either! no eval(), no setTimeout() or setInterval() with a string of code. Goodbye obfuscated JavaScript problem. Thanks to native JSON parsing functions, we don't need you anymore.

  Some excellent innovation coming out of these Browser wars...

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Who Needs Clip Art? OffiSync 2.0 Integrates Google Image Search Into Microsoft Office

  Posted: June 29th, 2009, 9:46pm CDT

  Tags:  Miscellaneous   [edit]

  The biggest addition to the plugin is integrated text and image search. While Office comes with a directory of clip art, it leaves something to leave desired — I almost always find myself just going straight to Google Image search. Now, using OffiSync, you can search Google Images directly from within Office. The plugin supports advanced searches, like sorting by color, size, and usage rights. Once you’ve found an image you like, simply hit ‘Insert’ and the picture will appear wherever your text cursor was. There’s also an integrated browser: just navigate to the page you’d like to quote, highlight the text, and hit Insert.

  This is damn helpful!

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend

CGISecurity.com: Your Web Site and Application Security Resource

• 

  Blind Hacker Sentenced to 11 Years in Prison

  Posted: June 29th, 2009, 7:59pm CDT by Robert A.

  Tags:  Incidents   [edit]

  "A legally blind Massachusetts phone hacker was sentenced Friday to over 11 years in federal prison, following his guilty plea on computer intrusion and witness intimidation charges earlier this year. Matthew Weigman, 19, was sentenced in Dallas by U.S. District Judge Barbara M.G. Lynn, according to the U.S. Attorney’s Office there....

hackademix.net

• 

  Meet ABE

  Posted: June 29th, 2009, 6:47pm CDT by Giorgio

  Tags:  ABE   [edit]

  I’m pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.

  It’s been quite a long development journey since my first announcement, made possible by NLNet’s foresight, and it required more than one month of beta testing: among the thousands of testers victims I inflicted twenty builds upon, I must especially thank therube, GµårÐïåñ, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to aid debugging and optimization. A special thanks goes also to Edoardo “Sirdarckcat” Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions to model the threats which ABE can counter react.

  Great but.. now that I’ve got ABE, what can it do for me?

  If you’ve got latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you’ll notice a new “ABE” tab in NoScript Options|Advanced. There you can find a list of the loaded “Rulesets”, i.e. groups of firewall-like rules (syntax specification PDF).
  Rulesets can be:

  1. Built-in like the “SYSTEM” ruleset, shipping with ABE and meant to provide automatic protection against “general” threats; you don’t want to edit them unless you know exactly what you’re doing.
  2. User-defined like the “USER” ruleset, which is empty for you to customize according to your needs.
  3. Subscription-provided, coming from a centralized location which delivers “trusted” rules (not supported yet).
  4. Site-specific, created and made automatically available by site developers or administrators to protect their own web applications.

  All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.

  Drop-in LocalRodeo replacement

  The “SYSTEM” built-in ruleset currently contains just one rule definition:
  

  Site LOCAL
  Accept from LOCAL
  Deny
  
  

  
  This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario does not sound new to you, maybe you’ve heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threats. In facts, the default ABE configuration shipping with NoScript 1.9.5 and above is as effective as LocalRodeo at least, but more performant, especially when DNS queries are involved, and much more flexible, since it’s not limited to this specific attack scenario: if you’re using both NoScript and LocalRodeo, it’s time to uninstall the latter.

  ABE for web authors

  While centralized subscriptions aimed to protect the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting how to protect your own web application by enforcing your own rules.
  Just deploy your rules.abe file at the root of your HTTPS site and be sure to check Allow sites to push their own rules in the ABE options panel. This preference is initially disabled in 1.9.5, but this default will be likely inverted in next stable iteration, as soon as it gets enough testing.
  More details here.

SEO BlackHat: Black Hat SEO Blog

• 

  Amazon: Live Free or Die!

  Posted: June 29th, 2009, 5:52pm CDT by QuadsZilla

  Tags:  SEO   [edit]

  The State Motto of Rhode Island is “Live Free or Die”.

  Their state assembly passed a law to try to impose sales tax on Amazon.com. The Law essentially states that because some of amazon’s associates have a physical presence in the state, that amazon must pay sales tax.

  Amazon’s response? “Alright, then we’ll shut down the affiliate program in your state.

  “In an email sent Sunday to its Rhode Island associates — which receive a cut from Amazon for sending customers on to Amazon’s Web site from their own — the company said it was closing its program due to what it called an “unconstitutional tax collection scheme” passed by the General Assembly.

  The bill has yet to be signed.

  Last week, Amazon shut its associates program in North Carolina and shot off a letter to California lawmakers, warning them that a similar bill introduced in that state’s Assembly would force Amazon to end its program in the wealthiest U.S. state.  

  They mean business!

CGISecurity.com: Your Web Site and Application Security Resource

• 

  Max Vision Pleads Guilty To Wire Fraud/Carding

  Posted: June 29th, 2009, 2:58pm CDT by Robert A.

  Tags:  Incidents   [edit]

  "A San Francisco man pleaded guilty today in Pittsburgh this afternoon to federal charges of hacking into computer systems of financial institutions and other hackers to steal nearly 2 million credit card numbers, which were used to rack up more than $86 million in fraudulent charges. Max Ray Vision, formerly Max...