« | Home | Categories | »

You can relax about the SSL break, mostly.

Posted on November 10th, 2009 at 21:24 by John Sinteur in category: Security

[Quote:]

I have some good news for all of you. You can relax. Mostly…

As Moxie Marlinspike has pointed out in a couple of news media interviews, the impact of the attack scenarios that have been described so far is equivalent to a well understood vulnerability – Cross Site Request Forgery. Most major web applications already have protections against CSRF. So this SSL vulnerability is not a big deal, right?

For the most part, yes, but there are some corner cases that could still be a concern.

Let me describe the two attacks so that you can see how they are similar. I’ll start with CSRF. Imagine an online bank that will perform a funds transfer when a logged in user performs a GET request to a particular URL. An attacker could craft a link to that URL with variables setup so that the attacker’s account is credited whenever the link is accessed. The link could be embedded in an image tag on a web page, for example, so that whenever someone accessed that web page, the GET request would be performed automatically.

All the attacker would have to do is entice a currently logged in bank customer to view that web page. The user’s browser would automatically perform the GET request to the bank when attempting to load the image. Their browser would include their bank login cookie along with that GET request, authenticating it, and the bank would happily transfer money into the attacker’s account. That’s Cross Site Request Forgery. It is a means of getting the victim to access a URL of the attackers choosing with the victim’s cookies or other credentials.

Thats exactly what this new SSL man in the middle vulnerability allows. For example, the attacker intercepts his victim’s https connection to the bank, sets up his own connection over which he requests the funds transfer URL, and then forces a ciphersuite renegotiation, which he passes through to the victim. The victim completes the ciphersuite renegotiation and submits his HTTP request, including his cookie. The web server accesses the URL specificed by the attacker using the cookie specified by the victim. Different attack but similar result.

Most, if not all, major web applications have implementation level protections against CSRF, such as random nonces in web forms that must be submitted along with any request. Those protection measures are effective against this new SSL man in the middle attack. Therefore, this vulnerability has minimal security impact for most websites and Internet users.

Its important to note that although the security implications of these attacks are similar, they are not the same attacks. Network level protections against CSRF such as IPS signatures or WAF rules will not prevent this new SSL MITM attack from working. Only implementation level anti-CSRF features will work.


Write a comment

Does what is says on the tin

Posted on November 10th, 2009 at 21:10 by John Sinteur in category: ¿ʞɔnɟ ǝɥʇ ʇɐɥʍ

http://www.twoyoutubevideosandamotherfuckingcrossfader.com


Write a comment

Catholic priests, scientists head to Rome to ponder alien life

Posted on November 10th, 2009 at 16:40 by John Sinteur in category: Pastafarian News

[Quote:]

Last year, Vatican Observatory boss José Gabriel Funes told Papal inhouse paper L’Osservatore Romano: “To say it with St Francis, if we can consider some earthly creatures as ‘brothers’ or ‘sisters’, why could we not speak of a ‘brother alien’? He would also belong to the creation.”

Funes even suggested aliens might not suffer from that human burden original sin. Which would arguably make it easier for the Vatican to accommodate alien life, as it wouldn’t feel duty bound to covert any aliens it encountered.

But Kaufmann quotes one of the conference’s speakers, Paul Davies, a theoretical physicist and cosmologist from Arizona State University, who believes the issue is being downplayed by religious leaders.

“The real threat would come from the discovery of extraterrestrial intelligence, because if there are beings elsewhere in the universe, then Christians, they’re in this horrible bind. They believe that God became incarnate in the form of Jesus Christ in order to save humankind, not dolphins or chimpanzees or little green men on other planets.”


Write a comment

Comments:

  1. What if some aliens are gay? Or are led by women, not men … the horror! Pope Palpatine would need to wage a crusade! And I’m not sure he’s really up for such a challenge…

  2. If an alien species propagates via asexual reproduction, does that make them “gay”? What does that do to the anti-cloning laws? Why do we care?

  3. What if they’re all Muslim?

Al Jazeera English – Taliban displays ‘US weapons’

Posted on November 10th, 2009 at 16:39 by John Sinteur in category: News

[Quote:]

Al Jazeera has obtained exclusive footage showing the Taliban in Afghanistan displaying what appears to be US weapons.

The fighters say they seized the arms cache from two US outposts in eastern Nuristan province.

Days after the alleged assault, the US military pulled out its troops from the area.

Looks like Al Jazeera is the only one reporting this…


Write a comment

Mount Alvernia College bans girl for shaving head

Posted on November 10th, 2009 at 14:34 by John Sinteur in category: News

[Quote:]

A 15-YEAR-old Brisbane school girl has been suspended for shaving her head to raise money for vital cancer research.

Emily Pridham and her family told Channel Nine News her father is battling leukemia.

He underwent a bone marrow transplant a few weeks ago but has been given only a few months to live.

Ms Pridham decided to shave her head as part of a fundraiser for cancer research.

“Basically my way of coping is to try and help other people going through the same thing,” she said.

Ms Pridham said she has been banned from Mount Alvernia College until her hair grows back.

Since Mount Alvernia Collage is a Catholic school, let me quote the Bible on them…

“‘Do not cut the hair at the sides of your head or clip off the edges of your beard.”

Leviticus 19:27

Oh, wait, not that one… this one:

But when Jesus saw it, He was much displeased, and said unto them, “Suffer the little children to come unto Me, and forbid them not: for of such is the kingdom of God. But not that one with the shaved head. I fucking hate her. Tell her she can come back when her hair has grown longer than a nun’s crop.”

Mark 10:13-14

Naah, I made that one up – but this one is real:

From there Elisha went up to Bethel. As he was walking along the road, some youths came out of the town and jeered at him. “Go on up, you baldhead!” they said. “Go on up, you baldhead!” He turned around, looked at them and called down a curse on them in the name of the LORD. Then two bears came out of the woods and mauled forty-two of the youths.

2 Kings 2:23-24

And note that the school only claims that “the full facts of the situation are not able to be revealed”, which isn’t helping much.


Write a comment

People Who Oppose Abortion Are Officially More Important Than You

Posted on November 10th, 2009 at 14:29 by John Sinteur in category: ¿ʞɔnɟ ǝɥʇ ʇɐɥʍ

[Quote:]

A long, long time ago, I was working for a fundraising firm. One of our biggest clients was NARAL — then the National Abortion Rights Action League, now NARAL Pro-Choice America. One of my jobs was to identify and counter common objections to fundraising appeals and someone came to me with one that I thought was pretty much a gimme. People were objecting that, while they were supportive of a woman’s right to choose, they were also sympathetic to complaints by anti-abortion types that they shouldn’t have to their tax dollars paying for abortion. This just wouldn’t be fair.

The first words out of my mouth were, “What makes them so special?” After all, the number of Americans who can’t point to some use of taxpayer money that they’re against is probably so tiny as to be almost non-existent. By this argument, should Quakers be forced to pay for the military, should environmentalists be forced to subsidize roadbuilding in wilderness areas, should privacy advocates have to fund the NSA and human right supporters have to foot the bill for Gitmo?

[..]

But, in Washington, never bet against the absurd. When the legislative sausage is made, a key ingredient is often a heaping scoop of stupid. Or, as was the case this weekend, Stupak.

See, the House passage of a healthcare reform bill this weekend came with a price. Ambulance services wouldn’t be covered, because of the deep religious beliefs of the Amish. No, wait. I misread that. Anti-abortion people won’t have to pay for abortions. In fact, no one will. Abortion, a legal medical procedure, has been made all but illegal for insurers to cover. For this, we can thank Rep. Bart Stupak and 240 members of Congress.


Write a comment

Comments:

  1. This actually makes sense. These anti-abortion people *are* more important, since there are many of them and legislators are elected by majority vote. I don’t think my tax dollars should go towards killing people, either, but I still pay my federal taxes even though the military is supported by those. So what do I do? I don’t vote for politicians who support war. I would not reelect such a politician. If there is a majority of me in a district, the politician that represents it will probably share my point of view, or he wouldn’t be elected.

Ministers “cancel” ‘Big Brother’ database

Posted on November 10th, 2009 at 14:27 by John Sinteur in category: Privacy

[Quote:]

Plans to store information about every phone call, email and internet visit in the United Kingdom have in effect been abandoned by the Government.

The Home Office confirmed the “Big Brother” scheme had been delayed until after the election amid protests that it would be intrusive and open to abuse. Although ministers publicly insisted yesterday that they remained committed to the scheme, they have decided not to include the contentious measure in next week’s Queen’s Speech, the Government’s final legislative programme before the election.

The Independent is wrong – this is no cancellation, the plan will go full ahead after the election – they’re just afraid you’d base your voting decisions on it…


Write a comment

Comments:

  1. And they’re afraid you will hold them accountable.

Microsoft Tries To Censor Bing Vulnerability

Posted on November 10th, 2009 at 13:29 by John Sinteur in category: Microsoft, Security

[Quote:]

“Microsoft’s bing search engine has a vulnerability with its cash-back promotion, which impacts both merchants and customers. In traditional Microsoft fashion, the company has responded to the author of the breaking bing cashback expoit with a cease & desist letter, rather than by fixing the underlying security problem. It is possible for a malicous user to create fake bing cash-back requests, resulting in not only fake cash-back costs for the merchant, but also blocking legitimate customers from receiving their cash-back from bing.

Here’s the current post:

[Quote:]

The purpose of my post was to show an implementation problem, not to encourage defrauding Microsoft. I am surprised they would go through this much trouble to make me take down information that is obvious to anyone reading their documentation. I don’t like dealing with lawyers, so I’ve decided to comply with their request. The post is gone. I will still write a “non-technical” post on all the problems I see with Bing Cashback in the next few days.

Well, Microsoft, welcome to the Streisand Effect:

[Quote:]

I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20.  Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=<orderid>&jfmid=<merchantid>

&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order ID’s (e.g. sequential), a malicious user can “use up” all the future order ID’s, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.


Write a comment

Comments:

  1. Meh.. they always commit the same crimes. Every big company tries to put a lid on the problems. And they open a can of worms. When will they learn?

The ‘anti-Catholic!’ cry is a cheap, easy accusation

Posted on November 10th, 2009 at 9:45 by John Sinteur in category: Pastafarian News

[Quote:]

It is unfortunate that Archbishop Timothy Dolan of New York, new to the national stage and responsible for one of the most visible and potentially most influential sees in the nation, chose to play the tired anti-Catholic card so early in his tenure. His recent blog posting accused The New York Times and the wider culture of indulging in rampant anti-Catholic activity.

In doing so, he wastes the authority of his office by aligning it with such imprudent screamers as William Donohue and his Catholic League, which exists to raise money so it can continue to scream Fire! in the crowded theater of overcharged religionists.

[..]

The anti-Catholic narrative is a canard, however, another attempt to deflect attention away from what most of us in the pews and beyond know is long overdue: a deep, introspective and honest look at the culture of hierarchy and whether it begins to reflect today the mandates of the Gospel of the Suffering Servant.

[..]

Several members of the hierarchy, most notably Archbishop Charles Chaput of Denver and now Archbishop Dolan, have attempted to distract our attention away from the severity of the sex abuse crisis in the church by pointing the finger at others — at teachers, Boy Scouts, the culture at large, the press — but it is an ineffective strategy. There are several principal reasons the church continues to come under scrutiny for its handling of crises and scandals related to sex, and none of them has to do with the press or an anti-Catholic culture.


Write a comment

Comments:

  1. There are so many other antiquated freaks out there-the Orthodox in eastern Europe, the Haredim Jews, about 90% of the Muslims, Hindus and Buddhists (I’m not talking about the “Free Tibet” upper class White “Buddhists” in the West). Why limit yourself to a bunch of old mics and dagos in drag? There’s a world of nutjobs; go and explore!

EU officially objects to Sunacle deal

Posted on November 10th, 2009 at 6:50 by John Sinteur in category: News

[Quote:]

The European Union has officially raised objection to Oracle’s proposed $7.4bn acquisition of Sun Microsystems.

According to a Sun Securities and Exchange Commission filing, the EU issued a “statement of objections” involving the merger today, and these objections were limited to concerns over Oracle acquiring MySQL.

“The Statement of Objections sets out the Commission’s preliminary assessment regarding, and is limited to, the combination of Sun’s open source MySQL database product with Oracle’s enterprise database products and its potential negative effects on competition in the market for database products,” the filing says.

Oracle responded with a statement that the EU’s assessment “reveals a profound misunderstanding of both database competition and open source dynamics. It is well understood by those knowledgeable about open source software that because MySQL is open source, it cannot be controlled by anyone. That is the whole point of open source.”


Write a comment

Comments:

  1. And what do you think about this?

  2. I’m not sure. On one hand Oracle has a point that it can be forked, on the other hand, there’s a fork started the moment Oracle bought MySQL and it’s not getting anywhere. Forking is *not* easy, so perhaps the EU understands Open Source better than Oracle wants us to believe.

Cartoons

Posted on November 10th, 2009 at 6:45 by John Sinteur in category: Cartoon


Write a comment

Paranoia Strikes Deep

Posted on November 10th, 2009 at 6:40 by John Sinteur in category: News

[Quote:]

What all this shows is that the G.O.P. has been taken over by the people it used to exploit.

[..]

And if Tea Party Republicans do win big next year, what has already happened in California could happen at the national level. In California, the G.O.P. has essentially shrunk down to a rump party with no interest in actually governing — but that rump remains big enough to prevent anyone else from dealing with the state’s fiscal crisis. If this happens to America as a whole, as it all too easily could, the country could become effectively ungovernable in the midst of an ongoing economic disaster.

The point is that the takeover of the Republican Party by the irrational right is no laughing matter. Something unprecedented is happening here — and it’s very bad for America.


Write a comment

Comments:

  1. I wonder if the paranoia is deeper on the right or the left.
    Sometimes I wonder.

  2. Assume imperfect information on both sides, and both sides are paranoid.
    Side X reacts by limiting human rights.
    Side Y reacts by accusing Side X of over-reacting.

    It seems to me that Side Y is less dangerous than Side X.

    How about money?
    Side X says that Side Y is wasting money by spending it on frivolities like health care and education.
    Side Y says that Side X is wasting money by spending it on frivolities like war & unregulated financial orgies.

    Round 2 also, IMHO, goes to Side Y.

    Although this is a fun game, I don’t want to turn John’s comment space into a flame war, so I’ll stop here.
    (Showing respect for someone else during a reasoned debate? Round 3 goes to Side Y! 😉

  3. Sorry for your round 1. Side Y did the same 😉 You might remember Patriot act – under a different name – was introduced by Side Y when Side Y had a President. Only Side X voted it down because that would be unconstitutional 😉