This feature AutoFill’s HTML form text fields that have specific attribute names such as name, company, city, state, country, email, etc.

<* form>
<* input type="text" name="name">
<* input type="text" name="company">
<* input type="text" name="city">
<* input type="text" name="state">
<* input type="text" name="country">
<* input type="text" name="email">
<* /form>

These fields are AutoFill’ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

---

WhiteHat Security is a leading provider of website security services.

---

A survey by the Consumers’ Association shows that 10% of cardholders write down or share their PIN. This high proportion surely raises serious doubt about whether it’s fair for banks to claim that such people are “grossly negligent” even if the PIN is well disguised (for example, as part of a phone number in an address book with hundreds of other numbers). And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative, or be held to account under disability discrimination laws.

Interestingly, Mark Bowerman (PR for the banks) says in this article that customers should not use the same PIN for multiple cards. We heard him on radio saying exactly the opposite a few years ago. Now he tells people to change PINs to something easy to remember (and easier for criminals to guess).

By giving customers contradictory and impractical advice, the banks are placing an unmeetable burden on them.

The banks also frequently give advice that is simply wrong. Look, for example, at this video by Barclays showing how to enter your PIN at a merchant terminal!

I got an email from Erlend Oftedal about a new tool he’s created called MalaRIA. The tool uses weak crossdomain.xml and clientaccesspolicy.xml (so both Flash and Silverlight) to allow a piece of code that resides on his server to use the client’s machine as a proxy to read information off of other websites that are protected in other ways. So think of it like an RIA version of BeEF.

You can read his blog post here or if you’re the visual type you can check out his movie here. We often talk about why poorly written crossdomain.xml files are dangerous, but I think this puts the last nail in that coffin. Yes, it’s dangerous. For real. Incidentally there is no reason you couldn’t deliver a MalaRIA payload over BeEF as well, if you wanted the best of both worlds. Nice job by Erlend!

Update: code available here.

This isn’t exactly an exploit, but I’m sure after reading it, some people will feel like it is, or at minimum it might make people feel uncomfortable. It appears when users connect through AT&T UTMS wireless cards, the system man-in-the-middle’s the connection, and not only does it downgrade the image quality for performance reasons but it also injects a piece of JavaScript located at http://2.2.3.4/bmi-int-js/bmi.js (not live on the Internet). If you’re anything like me and you see a piece of JS installed in your website that you know doesn’t have any JS on it at all, you’re thinking you’re owned at this point. Alas, you probably are owned, but it’s in an effort to save your bandwidth. You can download a zipped copy of this JavaScript file here.

The real questions are when and how this page gets cached, and who owns 2.2.3.4 when it’s not being MITM’d (when you switch from UTMS to another network), and on and on. Incidentally, I tried to do directory transversal and go to http://2.2.3.4/ to see what else might be on that page and it banned me from going there and to the JavaScript file for the rest of the session. Why? Probably to stop guys like me from hacking whatever server that is and MITMing everyone on AT&T’s UTMS network. Clearly reducing the size of the page, is good for them, and is good for some percentage of users who don’t care about the potential issues here. And for the rest of us, we’ll continue to tunnel our traffic so we can avoid AT&T’s MITM craziness.

Update: a few people have sent me a link that this also is happening on other networks as well.

In honor of the USPO’s decision to allow Facebook’s patent for social feeds I decided to patent XSS. Please pay up. You know who you are. Thank you.

Want some of that colorful, homescreen-juggling, Android 2.1 Sense UI that HTC has prepped for the HTC Desire? Well, the previously promised hacked ROM is ready for your Nexus One’s consumption. It’s in alpha right now, so install at your own risk, and does indeed support Flash 10.1, so also beware of the risk of browsing the real internet. What more danger, excitement, and grassroots handset support could you possibly want out of life? Hit up the source link for the full instructions, video of the ROM in action is after the break.

Continue reading HTC Desire ROM shoehorns HTC Sense and Flash 10.1 onto the Nexus One

HTC Desire ROM shoehorns HTC Sense and Flash 10.1 onto the Nexus One originally appeared on Engadget on Sun, 21 Feb 2010 08:58:00 EST. Please see our terms for use of feeds.

Permalink | Email this | Comments

Want some of that colorful, homescreen-juggling, Android 2.1 Sense UI that HTC has prepped for the HTC Desire? Well, the previously promised hacked ROM is ready for your Nexus One’s consumption. It’s in alpha right now, so install at your own risk, and does indeed support Flash 10.1, so also beware of the risk of browsing the real internet. What more danger, excitement, and grassroots handset support could you possibly want out of life? Hit up the source link for the full instructions, video of the ROM in action is after the break.

Continue reading HTC Desire ROM shoehorns HTC Sense and Flash 10.1 onto the Nexus One

HTC Desire ROM shoehorns HTC Sense and Flash 10.1 onto the Nexus One originally appeared on Engadget on Sun, 21 Feb 2010 08:58:00 EST. Please see our terms for use of feeds.

Permalink | Email this | Comments

Last OWASP/ISSA Belgian chapter meeting was the location of an interesting discussion. For a full report of the meeting, read Xavier’s excellent blogpost.

Many SQL-injection techniques rely on tautologies: adding an expression that is always true to the where-clause of a select statement. Like OR 1=1. 1=1 is a tautology, it’s an expression that always yields true.

So if SELECT * FROM USERS WHERE USERNAME = ‘ADMIN’ and PASSWORD = ‘UNKNOWN’ doesn’t select any rows because the password is not correct, injecting ‘ OR 1=1 – gives SQL statement SELECT * FROM USERS WHERE USERNAME = ‘ADMIN’ and PASSWORD = ” OR 1=1 –’ which will return all rows, because the where-clause is always true (OR 1=1).

There are several security applications (WAFs, SQL firewalls, …) designed to monitor the stream of SQL statements and reject statements with tautologies, i.e. the result of a SQL-injection. Some are very simple and just try to match pattern 1=1. Bypassing them is easy: 1>0 is also a tautology. Others are more sophisticated and try to find constant expressions in the where-clause. Constant expressions are expressions with operators, functions and constants, but without variables. If a constant expression is detected that always evaluates to true, the firewall assumes it’s the result of a SQL-injection and blocks the query.

This is all classic SQL-injection, but now comes the interesting part.

What if I use an expression that is not a tautology in it’s mathematical sense, but is almost one… Say I use expression RAND() > 0.01 ? The RAND function is a random number generator and returns a floating point value in the range [0.0, 1.0[. Expression RAND() > 0.01 is not a tautology, it’s not always true, but it is true about 99% percent of the time. I call this a quasi-tautology.

A firewall looking for tautologies will not detect this, because it is not a tautology. But when you use it in a SQL-injection, you stand a 99% chance of being succesful (provided the application is vulnerable to SQL-injection)!

There are other functions than RAND to create quasi-tautologies. An expression comparing the seconds of the current system time with 59 is also a quasi-tautology.

The GreenSQL firewall will detect SQL statements with quasi-tautologies, not because it looks for them, but because it builds a whitelist in training mode.

There should be a 9-minute film on Newsnight tonight (10:30pm, BBC Two) showing some research by Steven Murdoch, Saar Drimer, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check.

This attack is both academically and practically significant. We get reports weekly from different victims of phantom withdrawals, and these include large numbers of stolen cards used to make purchases in the window between theft and the cancellation of the card. Currently these victims are denied refunds by their banks, but this attack could explain some of the frauds we are seeing. The fact the receipt says “PIN Verified” when actually it wasn’t raises a whole load of legal and evidential questions which call into question the banking industry’s claim that their systems work (and log) properly. Merchants will be none too pleased either; the system no longer protects their interests but only those of the issuing bank.

There’s been some confusion, possibly even misinformation, about our attack and its effects. Cartes Bancaires in France were so concerned that they briefed the press way in advance of our plans for publication. We can set the record straight on a few things:

• the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline;

So what went wrong? In essence, there is a gaping hole in the specifications which together create the “Chip and PIN” system. These specs consist of the EMV protocol framework, the card scheme individual rules (Visa, MasterCard standards), the national payment association rules (UK Payments Association aka APACS, in the UK), and documents produced by each individual issuer describing their own customisations of the scheme. Each spec defines security criteria, tweaks options and sets rules – but none take responsibility for listing what back-end checks are needed. As a result, hundreds of issuers independently get it wrong, and gain false assurance that all bases are covered from the common specifications. The EMV specification stack is broken, and needs fixing.

We’re really worried that if something isn’t done to fix this problem, and the many others we’ve found in EMV, other regions adopting it (like the USA) are going to make the same mistakes again and again – and that means customers stay vulnerable.

That’s why again we’re arguing that Chip and PIN is broken. We don’t want people keeping their money in shoe boxes – we want the problems fixed. That means getting decent governance for the system that involves all the stakeholders – banks, regulators, merchants and customers.

Update (2010-02-11): ZDNet UK have some in-depth press coverage, and the story has also been picked up by the Telegraph and Daily Mail.

Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.

As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.

As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs.
More details are in their bulletin and we’ll let you know if we hear anything more. We have not received any reports of in-the-wild exploitation of this potential vulnerability.
Thanks, Kurt and Cheryl, for bringing this to our attention!
Marcus H. Sachs

Director, SANSInternet Storm Center

San Francisco – Today a federal appeals court rejected a government claim of “lobbyist privacy” to hide the identities of individuals who pressured Congress to grant immunity to telecommunications companies that participated in the government’s warrantless electronic surveillance of millions of ordinary Americans. As the court observed, “There is a clear public interest in public knowledge of the methods through which well-connected corporate lobbyists wield their influence.”

The Electronic Frontier Foundation (EFF) has been seeking records detailing the telecoms’ campaign for retroactive legal immunity under the Freedom of Information Act (FOIA). Telecom immunity was enacted as part of the FISA Amendments Act of 2008.

“Today’s ruling is an important one for government and corporate accountability,” said EFF Staff Attorney Marcia Hofmann. “The court recognized that paid lobbyists trying to influence the government to advance their clients’ interests can’t hide behind privacy claims to keep their efforts secret.”

This decision is the latest setback for the government in its long-running attempt to delay disclosure of the documents EFF seeks. So far, EFF has obtained thousands of pages of records through this litigation.

"AT&T, Verizon and Sprint expended millions of dollars to lobby the government and get an unconstitutional grant of retroactive immunity for their illegal spying on American citizens," said EFF Senior Staff Attorney Kurt Opsahl. "The public deserves to know how our rights were sold out by and for telecom lobbyists."

The appeals court sent part of the case back down to the district court for further consideration, including whether disclosure of the lobbyists’ identities would reveal intelligence sources and methods and whether communications between the agencies and the White House can be withheld under the presidential communications privilege or other grounds.

For the full opinion:
http://www.eff.org/files/filenode/foia_C0705278/opinion2909.pdf

For more on this case:
http://www.eff.org/issues/foia/cases/C-07-05278

Contacts:

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

Kurt Opsahl
Senior Staff Attorney
Electronic Frontier Foundation
kurt@eff.org

Nate Cardozo
Open Government Legal Fellow
Electronic Frontier Foundation
nate@eff.org

Paul Wilson, my esteemed coauthor on that paper on the psychology of scam victims that is currently attracting quite a bit of attention, has just started an entertaining and instructive new blog, The Real Hustler. If you liked our paper, you’ll probably enjoy Paul’s blog.

Well worth a bookmark and repeat visits for fans of the BBC TV series and for researchers who recognize the importance of the exciting new field of security psychology.

Shared by Roy

I’ll drink for that!

A new study suggests that beer is a significant source of dietary silicon, a key ingredient for increasing bone mineral density. Beers containing high levels of malted barley and hops are richest in silicon.

Shared by Elton Carvalho

Gostei das partes que falam sobrecusto de extração versus valor de substituição e juros X reservas da natureza.

With a little help from Adobe

Security researchers have defeated vulnerability protections baked into the latest versions of Internet Explorer, demonstrating that it’s possible to poke holes in a safety net that’s widely relied on to keep end users safe from drive-by exploits.…

Case Study: WhatsUp keeps Legoland turnstyles ringing

In recent weeks, various cybercrime attacks have disrupted the computer systems that allow nations to manage their national greenhouse-gas emissions quotas and their possession of carbon assets according to international agreements (the Kyoto Protocol and the European system). One quota is the right to emit the equivalent of one ton of carbon dioxide during a specified period.

The initial attack targeted the Danish CO₂ quota register that was shut down on January 12. The Danish authorities took this decision after registry users received a fake email purporting to originate from the Danish Energy Agency and redirecting the recipients to a mirror site to steal their credentials.

It seems the attackers renewed their attempt last week by sending similar emails to carbon financial services in 13 European countries. Here, too, the goal was the theft of usernames and passwords to gain access to the national CO₂ quotas management systems. This caused another quota-market closure.

Using these credentials, hackers–instead of manufacturers, governments, and brokers–would in theory be able to sell and buy quotas. During the past 18 months, fraud on the CO₂ market has caused a tax loss of €5 billion. Such access would also be useful for the biggest emitters of carbon dioxide; those countries could manipulate the international quotas to reduce their penalties. The following graphic, from Europol (the European Law Enforcement Agency), explains how such fraud can occur.

One thing is sure, the people behind these attacks cannot be simple hackers. They are likely in the pay of rogue states that reject rules-based international trade.

Web security can be divided into two parts, Website security and Web Browser security. Both are equally important. A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website. If either side of these assumptions fails, then there is a problem (the Web is not secure). Attacks targeting browsers, which will be the focus of this post, can be broadly categorized into three distinct vectors:

1) Attacks designed to escape the confines of the browser walls and execute within the desktop operating system below. This is primarily achieved by exploiting memory and file-handling implementation flaws.

2) Behavioral attacks that trick users into doing something, such as downloading and installing malware, thereby harming their machine or encouraging them to reveal sensitive information.

3) Attacks taking advantage of design flaws in the way the Web works. These attacks normally remain within the browser walls and use the victim’s browser as a launch platform for surreptitiously pilfering information from their session or the surrounding network.

After years of massive volumes of CVEs (repository for published vulnerabilities), the browser vendor incumbents (Microsoft, Mozilla, Opera, Google, Apple) have made great strides in addressing vector #1. Some have more work to do than others. This is a good thing, as exploiting unpatched browsers is the primary method for malware propagation such as the so-called drive-by-downloads, legitimate websites hosting malware that infects their visitors. Fortunately “fixing” #1 doesn’t require “breaking the Web,” only updating shoddy code and distributing updates.

Solving #2 is more psychological than technical in nature. The challenge is that people trust computer screens, believe what they see on the Web, and will install anything in order to watch the latest celebrity sex tape or open a personalized e-greeting sent by their “friend.” Attackers prey on this inherent trust, general good nature, and basic human instinct. In response, browsers have provided EV-SSL, Anti-Phishing Toolbars, SSL warning dialogs, password managers, etc. These efforts make important security decisions more visible, harder to get wrong, or remove the decision altogether. Again “fixing” these issues doesn’t require “breaking the Web,” but creating a more intuitive user-interface design.

Many, including myself, have asked the major browser vendors to do something about the CSS History Hacking, a privacy violation where a malicious website can tell if you’ve been to a certain URL, by disabling access to key DOM APIs. They said doing so would break certain websites and upset Web developers. (Update: See Wladimir’s comment below for excellent insight into the true difficulty of solving this problem)

To solve Intranet Hacking, the suggestion was made to deny websites with a non-RFC 1918 IP address the ability to passively instruct a browser to connect to RFC 1918 IP addresses. The response was that it would break certain essential features like corporate Web proxy set-ups and add-ons like Google Desktop.

Fixing Clickjacking would require changing IFRAMES implementation so that they would not be transparent or allowed at all. Doing so would undoubtedly cause major Web breakage, such as no banner advertising or Facebook-style application platforms. So instead we get opt-in X-FRAME-OPTIONS, which basically no one uses at the moment.

Maybe browser tab/session separation is in order. When logged-in to a website in one tab, other tabs wouldn’t have session access thereby limiting the damage XSS, CSRF, and Clickjacking could inflict. But, this solution would probably annoy users and Web developers who really want persistent authentication. Oh, and we really need Web tracking cookies too. Gah!

So here we are, waiting for the other shoe to drop, and bad enough things to happen. Then we’ll get the juice required to fix these problems, by default. The bigger problem is when that time eventually comes we might actually be forced to break the Web to secure it. In the meantime, the community has been lobbying hard for opt-in tools that the proactive crowd can use to protect themselves ahead of time. Fortunately, we are starting to see new technologies like XSSFilter, Content Security Policy, Strict Transport Security, and Origin headers come into view. Maybe this is the future and a look into the security proving ground for the changes we’ll need to make later.

---

WhiteHat Security is a leading provider of website security services.

---

The Free Technology Academy (FTA) has released excellent book called “The GNU/Linux operating system”, the main contents are related with system administration. You will learn how to install and configure several computer services, and how to optimise and synchronise the resources using GNU/Linux.

Read more: Download of the day: GNU/Linux Advanced Administration PDF Book

Copyright © nixCraft. All Rights Reserved.

First of all, get Robert @RSnake Hansen’s RFI list here:

http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/

it’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:

cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt

This pulls his list down to 906 entries which you can load in to Burp and hammer away with Intruder. If it pops any of them, not only have you better identified what is running on the site, but you might have just found RFI.

But I wanted to take this a step further:

The OSVDB archive allows you to download their entire database of vulnerabilities (after signing up for an account). I downloaded the CSV version so that I could parse it similar to how I did RSnakes. However, it definitely wasn’t that easy.

I downloaded osvd-csv.latest.tar.gz, extracted it and ran the following:

cat * | grep -i "remote file inclusion" | grep -v "\,0$" | awk -F "," '{print $13}' | sed ‘s/^\”//’ | set ‘s/\”$//’ | sort –u > osvdb_rfi.txt

Which got me close. About 3 hours of manual editing after that and I had another list of ~1750 possible remote file inclusions. Is this a full proof way of getting every possibility from the database? Definitely not, but it’s close, and I’d love to see some one modify and tweak my bash line to get it even closer. (Or find a completely different way)

Read more of this story at Slashdot.

This speaks for itself. Thanks to Phil Santoro for creating it and sending it us (a play on the iphone v. rock joke).

For forensic analysts, the .lnk shortcut file and the thumbprint cache are invaluable sources with Windows devices to provide details about missing data.

Individuals wanting to hide their activities may flush their browser cache, Temp files, use, and even wipe the drive free space. However, they may forget these two minor “tidbits”. These can show detail, indicate actions and associated history. Be Warned, I have found Windows machines having thousands of .lnk files on a “scrubbed PC.”

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (See Link) is an invaluable source describing the details of the shortcut .lnk.  The shortcut file name format is usually name.ext.lnk There may be multiple .lnk files created for one file depending upon the type.

XP stores the .lnk files for the Word 2007 Document Brains.docx in:

%Drive%:\Documents and Settings\User ID\Recent
The above .lnk (..\Recent)is slightly larger
%Drive%:\Documents and Settings\User ID\Application Data\Microsoft\Office\Recent

Windows 7 stores these .lnk files in
%Drive%:\Users\sdd\AppData\Roaming\Microsoft\Windows\Recent
The above .lnk (..\Recent) is twice the size of the second.
%Drive%:\Users\sdd\AppData\Roaming\Microsoft\Office\Recent

.lnk File properties show only a tip of available information. Compare the same Word 2007 Brains.docx.lnk file for XP and Windows 7. I use XVI32 as my hex-editor for details about the type of storage, location, Volume Serial number and much more.

Review the XP Hex dump example below. Then, compare the two different hex dumps of Windows 7 .lnk files. (You may need to zoom to inspect the images.) I did not include all of the first .lnk file hex.

Windows XP Brains.docx.lnk view (click to enlarge)

Windows 7 lnk (upper view) (click to enlarge)

Windows 7 (lower view) (click to enlarge)

Thumbs or Thumbnails are also invaluable source of data. I will discuss them in my next posting. I will then tie the Thumbnails and Shortcuts together.

Source and Links

Windows Shortcut File format: http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf

XVI32 Hex Editor: http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety audiences including SANS, Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology with the past 13 years in Security. He has earned among the various vendor certificates, his CISSP (#3700), CISA (#153869) as well as GIAC G7799 (#151) Silver and GCFA (#18) gold certifications.

Read more of this story at Slashdot.

If you don’t know who David Thorne is, I’ll remind you – he is the genius that gave you the “spider drawing” email mayhem. Then there was the “Party in Apartment 3” escapade and the “design me a logo” piece of genius.

But he didn’t stop there – our boy decided to give the people at BlockBuster Video a nervous breakdown as well.

Sit back and enjoy this..

It all started when they (BlockBuster) sent him a “your video is overdue” letter:

Enter, David Thorne:

From: David Thorne
Date: Sunday 8 November 2009 2.16pm
To: Megan Roberts
Subject: DVDs

Dear Megan,

Thank you for your letter regarding overdue fees. As all four movies were outstanding examples of modern cinematic masterpieces, your assumption that I would wish to retain them in my possession is understandable, but incorrect. Please check your records as these movies were returned, on time, over three weeks ago. I remember specifically driving there and having my offspring run them in due to the fact that I was wearing shorts and did not want the girl behind the counter to see my white hairy legs.

Regards, David.

From: Megan Roberts
Date: Monday 9 November 2009 11.09am
To: David Thorne
Subject: Re: DVDs

Hi David

Our computer system indicates otherwise. Please recheck and get back to me.

Kind regards,
Megan

From: David Thorne
Date: Monday 9 November 2009 11.36am
To: Megan Roberts
Subject: Re: Re: DVDs

Dear Megan,

Yes, they are definitely white and hairy. Viewed from the knees down, the similarity to two large albino caterpillars in parallel formation is frightening. People who knew what the word meant might describe them as ‘piliferous’, although there is something quite sexy about that word so perhaps they wouldn’t.

Regards, David.

From: Megan Roberts
Date: Monday 9 November 2009 1.44pm
To: David Thorne
Subject: Re: Re: Re: DVDs

Hi David

No I mean our records indicate that the DVDs have not been returned. Please check and return as soon as possible.

Kind regards,
Megan

From: David Thorne
Date: Monday 9 November 2009 4.19pm
To: Megan Roberts
Subject: Re: Re: Re: Re: DVDs

Dear Megan,

With the possible exception of Harold and Kumar Escape from Guantanamo Bay, the movies were not worth watching let alone stealing. In Logan’s Run, for example, the computer crashed at the end when presented with conflicting facts and blew up destroying the entire city. When my computer crashes I carry on a little bit and have a cigarette while it is rebooting. I don’t have to search through rubble for my loved ones. The same programmers probably designed the Blockbuster ‘returned or not’ database. Also, while one would assume the title Journey to the Centre of the Earth to be a metaphor, the movie was actually set in the centre of the earth which, being a solid core of iron with temperatures exceeding 4300˚ Celcius and pressures of 3900 tons per square centimetre, does not seem very likely. Waterworld was actually pretty good though. My favourite bit was when they were on the water but the scene when Kevin Costner negotiated for peace, ending the war between fish and mankind moments before the whale army attacked was also very good.

Regards, David.

From: Megan Roberts
Date: Tuesday 10 November 2009 3.57pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: DVDs

David

The DVDs are listed as not returned. If you cant locate the DVDs, you will be charged for the replacement cost.

Megan

From: David Thorne
Date: Tuesday 10 November 2009 5.12pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

I have checked pricing at the DVD Warehouse and the cost of replacing your lost movies with new ones is as follows:

Harold and Kumar Escape from Guantanamo Bay $7.95
Waterworld $4.95
Journey to the Centre of the Earth $9.95
Logan’s Run $12.95

I have no idea why Logan’s Run is the most expensive of the four movies as it was definitely the worst. Have you seen it? I wouldn’t pay $12.95 for that. I would use the money to buy a good movie instead. Probably something with Steven Seagal in it. The entire premise comprised of living a utopian and carefree lifestyle with only three drawbacks – wearing seventies jumpsuits, living in what looks like a giant shopping centre and not being allowed to live past thirty. This would seem logical though as I would not want a bunch of old people hanging around complaining about their arthritis while I am trying to relax at the shopping centre in my jumpsuit trying not to think about the computer crashing.

I was recently forced to do volunteer work at an aged care hospital. Footage of these people during Tuesday night line dancing could be used as an advertisement for the Logan’s Run solution. The only good aspect of working there was that I halved their medication, pocketing and selling the remainder, explaining the computer listed that as their dose and they were welcome to check knowing their abject fear of anything produced after the eighteenth century would prevent them from doing so. I also swapped my Sanyo fourteen inch portable television for their Panasonic wide screen plasma while they were sleeping, explaining that it had always been that way and their senility was simply playing up due to the reduced dosage of drugs.

Regards, David.

From: Megan Roberts
Date: Wednesday 11 November 2009 1.21pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: DVDs

Hi David

I have not seen those movies so I dont know what you are talking about. I prefer romantic comedies. If you have the movies we can’t rent them so we lose money and the fees are based on what we we would have made from renting them and we also have to purchase movies through our suppliers not from DVD Warehouse.

Megan

From: David Thorne
Date: Wednesday 11 November 2009 3.28pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

I myself am also a huge fan of romantic comedies. Perhaps we could watch one together. I have a new Panasonic wide screen plasma. My favourite romantic comedy is Fatal Instinct although it did not contain enough robots or explosions in my opinion and I was therefore unable to truly identify with the main characters on a personal and emotional level. Recently, I was tricked into watching The Notebook which was about geese. Lots of geese. It also had something to do with an old lady who conveniently lost her memory so she could not remember being a whore throughout the entire film. I don’t recall a lot of it as I was too busy being cross about watching it. In a utopian future society she would have been hunted down and killed at thirty.

In regards to the late fees, I understand the amount is based on what you lose by not being able to rent the movies out. You probably had people lined up around the block waiting to rent Logan’s Run. For eighty two dollars though, I could have purchased six copies of it from DVD Warehouse or, as I have heard he is a bit strapped for cash, had Kevin Costner visit my house in person and re-enact key scenes from Waterworld in my bathroom.

Regards, David.

From: Megan Roberts
Date: Thursday 12 November 2009 3.16pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Hi David.
Restocking fees are:

002190382 Journey to the Centre of the Earth $9.30
003103119 Logans Run $7.90
008629103 Harold and Kumar Escape from Guantanamo Bay $6.30
000721082 Waterworld $5.70

Total: $29.20 – I have deleted your late fees and noted on the computer that the amount owed is for the replacement movies not fees.

Kind regards,
Megan

From: David Thorne
Date: Thursday 12 November 2009 7.42pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

Those prices seem reasonable. I do not want Logan’s Run but will pick up the other three when I come in next.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 12.51pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

What? The $29.20 is the cost of the replacement DVDs for the store.

Megan

From: David Thorne
Date: Friday 13 November 2009 1.15pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

That makes more sense, I was wondering what I was going to do with two copies of each movie.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 2.33pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

What do you mean by two copies? Are you saying you found the four movies?

Megan

From: David Thorne
Date: Friday 13 November 2009 2.57pm
To: Megan Roberts
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Dear Megan,

Yes, they were on top of my fridge the whole time. Unfortunately I have a blind spot that prevents me from seeing this area of the kitchen as it is also where I keep my pile of unpaid bills. Last night I slept on the kitchen floor with the fridge door open due to my air conditioner being broken and the temperature outside exceeding that of the centre of the earth. As my fridge emits a high pitched ‘beep’ every thirty seconds when left open, the vibrations from this caused the DVDs to wriggle forward over the space of many hours before toppling from the edge and I awoke to find them beside me on the pillow. As you have already waived the late fees, I will drop them off tonight and we will call it even.

Regards, David.

From: Megan Roberts
Date: Friday 13 November 2009 3.43pm
To: David Thorne
Subject: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: DVDs

Ok.

[thanks misha]

Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic]

No, that is wrong. The larger problem is not that it “only took one exploit to compromise these organizations.” I see this mindset in many shops who aren’t defending enterprises on a daily basis. This point of view incorrectly focuses on exploitation as a point-in-time, “skirmish” event, disconnected from the larger battle or the ultimate campaign.

The real “larger problem” is that the exploit is only part of a campaign, where the intruder never gives up. In other words, comprehensive threat removal is the problem. There is no “cleaning,” or “disinfecting,” or “recovery” at the battle or campaign level. You might restore individual assets to a semi-trustworthy state, but the advanced persistent threat only cares that they can maintain long-term access to the environment.

If the problem were simply defending against a compromised asset, we would not still be talking about this issue. Rather, the problem is that it is exceptionally difficult, if not impossible, to remove this threat. Individual exploits add to the problem but they are only skirmishes.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

If we ask whether a fact about a person identifies that person, it turns out that the answer isn’t simply yes or no. If all I know about a person is their ZIP code, I don’t know who they are. If all I know is their date of birth, I don’t know who they are. If all I know is their gender, I don’t know who they are. But it turns out that if I know these three things about a person, I could probably deduce their identity! Each of the facts is partially identifying.

There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody’s identity uniquely. That quantity is called entropy, and it’s often measured in bits. Intuitively you can think of entropy being generalization of the number of different possibilities there are for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, etc. Adding one more bit of entropy doubles the number of possibilities.1

Because there are around 7 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is 8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula to say how much:

ΔS = – log₂ Pr(X=x)

Where ΔS is the reduction in entropy, measured in bits,2 and Pr(X=x) is simply the probability that the fact would be true of a random person. Let’s apply the formula to a few facts, just for fun:

Starsign: ΔS = – log₂ Pr(STARSIGN=capricorn) = – log₂ (1/12) = 3.58 bits of information
Birthday: ΔS = – log₂ Pr(DOB=2nd of January) = -log₂ (1/365) = 8.51 bits of information

Note that if you combine several facts together, you might not learn anything new; for instance, telling me someone’s starsign doesn’t tell me anything new if I already knew their birthday.3

In the examples above, each starsign and birthday was assumed to be equally likely.4 The calculation can also be applied to facts which have non-uniform likelihoods. For instance, the likelihood that an unknown person’s ZIP code is 90210 (Beverley Hills, California) is different to the likelihood that their ZIP code would be 40203 (part of Louisville, Kentucky). As of 2007, there were 21,733 people living in the 90210 area, only 452 in 40203, and around 6.625 billion on the planet.

Knowing my ZIP code is 90210: ΔS = – log₂ (21,733/6,625,000,000) = 18.21 bits
Knowing my ZIP code is 40203: ΔS = – log₂ (452/6,625,000,000) = 23.81 bits
Knowing that I live in Moscow: ΔS = -log₂ (10524400/6,625,000,000) = 9.30 bits

How much entropy is needed to identify someone?

As of 2007, identifying someone from the entire population of the planet required:

S = log₂ (1/6625000000) = 32.6 bits of information.

Conservatively, we can round that up to 33 bits.

So for instance, if we know someone’s birthday, and we know their ZIP code is 40203, we have 8.51 + 23.81 = 32.32 bits; that’s almost, but perhaps not quite, enough to know who they are: there might be a couple of people who share those characteristics. Add in their gender, that’s 33.32 bits, and we can probably say exactly who the person is.5

An Application To Web Browsers

Now, how would this paradigm apply to web browsers? It turns out that, in addition to the commonly discussed “identifying” characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart.

One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent every web server you visit. A typical User Agent string looks something like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

As you can see, there’s quite a lot of “stuff” in there. It turns out that that “stuff” is quite useful for telling different people apart on the net. In another post, we report that on average, User Agent strings contain about 10.5 bits of identifying information, meaning that if you pick a random person’s browser, only one in 1,500 other Internet users will share their User Agent string.

EFF’s Panopticlick project is a privacy research effort to measure how much identifying information is being conveyed by other browser characteristics. Visit Panopticlick to see how identifying your browser is, and to help us in our research.

1. 1. Entropy is actually a generalization of counting the number of possibilities, to account for the fact that some of the possibilities are more likely than others. You can find a pretty version of the formula here.
2. 2. This quantity is called the “self-information” or “surprisal” of the observation, because it is a measure of how “surprising” or unexpected the new piece of information is. It is really measured with respect to the random variable that is being observed (perhaps, a person’s age or where they live), and a new, reduced, entropy for their identity can be calculated in the light of this observation.
3. 3. What happens when facts are combined depends on whether the facts are independent. For instance, if you know someone’s birthday and gender, you have 8.51 + 1 = 9.51 bits of information about their identity because the probability distributions of birthday and gender are independent. But the same isn’t true for birthdays and starsigns. If I know someone’s birthday, then I already know their starsign, and being told their starsign doesn’t increase my information at all. We want to calculate the change in conditional entropy of the person's identity on all the observed variables, and we can do that by making the probabilities for new facts conditional on all the facts we already know. Hence we see ΔS = -log₂ Probability(Gender=Female|DOB=2nd of January) = -log₂(1/2) = 1, and ΔS = -log₂ Probability(Starsign=Capricorn|DOB=2nd of January)=-log₂(1) = 0. In between cases are also possible: if I knew that someone was born in December, and then I learn that they are a Capricorn, I still gain some new bits of information, but not as much as I would have if I hadn't known their month of birth: ΔS = -log₂ Probability(Starsign=Capricorn|month of birth=December)=-log₂ (10/31) = 1.63 bits.
4. 4. Actually, in the birthday example, we should have accounted for the possibility that someone was born on the 29th of February during a leap year, in which case ΔS =-log₂ Pr(1/365.25)
5. 5. If you’re paying close attention, you might have said, “Hey, that doesn’t sound right; sometimes there will be only one person in ZIP code 40203 who has a given birthday, in which case you don’t need gender to identify them, and it’s possible (but unlikely) that ten people in 40203 were all born on the 2nd of January. The correct way to formalize these issues would be to use the real fequency distribution of birthdays in the 40203 ZIP code.

As I close out my look at some of the most influential posts published here in 2009 I conclude with a post that garnered widespread industry recognition and sparked many discussions, Tod Beardsley’s “TCP Portals: The Handshake’s A Lie“. The post, only published a month ago, drew thousands of readers and dozens of comments. More importantly it shed some light on a potentially damaging vulnerability:

Whenever I interview someone for an Application Engineer or Security
Research position, my favorite introductory question is, “Can you describe for
me the TCP three-way handshake?”. It is a fine baseline question to
understand a candidate’s knowledge of modern
networking. Answers range from “SYN, SYN/ACK, ACK,”, to a full description of ARP, to initial sequence number generation. It’s a good
springboard question, because then you can start talking about
spoofing addresses, port scanning, the significance of IPIDs, and more.

We are hiring a lot here at BreakingPoint, which means
I’m asking this question a lot. After the fourth or fifth interview, I
decided one morning to look over RFC 793 to make sure
that I really did know everything there is to know about the
handshake. That is when I found out that we’ve all been living a lie.

Read the full post, "TCP Portals: The Handshake’s A Lie“.

And once again thank you to all of our fantastic contributors to this blog and to the readers that continue to provide us with commentary and insight. Happy New Year.

The diversity, volume, and innovation of the research was impressive. Competition was as fierce as ever and the judges had their work cut out. Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Romain Gaucher, Steven Christey, Jeff Forristal, and Michal Zalewski were tasked with ranking the field based upon novelty, impact, and overall pervasiveness. For any researcher simply the act of creating something unique enough to appear on the list is itself an achievement. Today the polls are close, votes are in, and the top ten list has been finalized. Researchers making the cut can expect to receive praise amongst their peers and take their place amongst those from previous years (2006, 2007, 2008).

Top honors go to Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger for their work on “Creating a rogue CA certificate.” The judges were convinced by no small margin that this entry stood head and shoulders above the rest. The team will be awarded a free pass to attend the BlackHat USA Briefings 2010! (generously sponsored by Black Hat)

Top Ten Web Hacking Techniques of 2009!

1. Creating a rogue CA certificate
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

2. HTTP Parameter Pollution (HPP)
Luca Carettoni, Stefano diPaola

3. Flickr’s API Signature Forgery Vulnerability (MD5 extension attack)
Thai Duong and Juliano Rizzo

4. Cross-domain search timing
Chris Evans

5. Slowloris HTTP DoS
Robert Hansen, (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic – “Programming Model Attacks” section of Apache Security for describing the attack, but did not produce a tool)

6. Microsoft IIS 0-Day Vulnerability Parsing Files (semi‐colon bug)
Soroush Dalili

7. Exploiting unexploitable XSS
Stephen Sclafani

8. Our Favorite XSS Filters and how to Attack them
Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)

9. RFC1918 Caching Security Issues
Robert Hansen

10. DNS Rebinding (3-part series Persistent Cookies, Scraping & Spamming, and Session Fixation)
Robert Hansen

Congratulations to all!

Coming up at IT-Defense (Feb. 3 – 5) and RSA USA 2010 (Mar. 1 – 5) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future.

The Complete List

1. Persistent Cookies and DNS Rebinding Redux
2. iPhone SSL Warning and Safari Phishing
3. RFC 1918 Blues
4. Slowloris HTTP DoS
5. CSRF And Ignoring Basic/Digest Auth
6. Hash Information Disclosure Via Collisions – The Hard Way
7. Socket Capable Browser Plugins Result In Transparent Proxy Abuse
8. XMLHTTPReqest “Ping” Sweeping in Firefox 3.5+
9. Session Fixation Via DNS Rebinding
10. Quicky Firefox DoS
11. DNS Rebinding for Credential Brute Force
12. SMBEnum
13. DNS Rebinding for Scraping and Spamming
14. SMB Decloaking
15. De-cloaking in IE7.0 Via Windows Variables
16. itms Decloaking
17. Flash Origin Policy Issues
18. Cross-subdomain Cookie Attacks
19. HTTP Parameter Pollution (HPP)
20. How to use Google Analytics to DoS a client from some website.
21. Our Favorite XSS Filters and how to Attack them
22. Location based XSS attacks
23. PHPIDS bypass
24. I know what your friends did last summer
25. Detecting IE in 12 bytes
26. Detecting browsers javascript hacks
27. Inline UTF-7 E4X javascript hijacking
28. HTML5 XSS
29. Opera XSS vectors
30. New PHPIDS vector
31. Bypassing CSP for fun, no profit
32. Twitter misidentifying context
33. Ping pong obfuscation
34. HTML5 new XSS vectors
35. About CSS Attacks
36. Web pages Detecting Virtualized Browsers and other tricks
37. Results, Unicode Left/Right Pointing Double Angel Quotation Mark
38. Detecting Private Browsing Mode
39. Cross-domain search timing
40. Bonus Safari XXE (only affecting Safari 4 Beta)
41. Apple’s Safari 4 also fixes cross-domain XML theft
42. Apple’s Safari 4 fixes local file theft attack
43. A more plausible E4X attack
44. A brief description of how to become a CA
45. Creating a rogue CA certificate
46. Browser scheme/slash quirks
47. Cross-protocol XSS with non-standard service ports
48. Forget sidejacking, clickjacking, and carjacking: enter “Formjacking”
49. MD5 extension attack
50. Attack – PDF Silent HTTP Form Repurposing Attacks
51. XSS Relocation Attacks through Word Hyperlinking
52. Hacking CSRF Tokens using CSS History Hack
53. Hijacking Opera’s Native Page using malicious RSS payloads
54. Millions of PDF invisibly embedded with your internal disk paths
55. Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
56. Pwning Opera Unite with Inferno’s Eleven
57. Using Blended Browser Threats involving Chrome to steal files on your computer
58. Bypassing OWASP ESAPI XSS Protection inside Javascript
59. Hijacking Safari 4 Top Sites with Phish Bombs
60. Yahoo Babelfish – Possible Frame Injection Attack – Design Stringency
61. Gmail – Google Docs Cookie Hijacking through PDF Repurposing & PDF
62. IE8 Link Spoofing – Broken Status Bar Integrity
63. Blind SQL Injection: Inference thourgh Underflow exception
64. Exploiting Unexploitable XSS
65. Clickjacking & OAuth
66. Google Translate – Google User Content – File Uploading Cross – XSS and Design Stringency – A Talk
67. Active Man in the Middle Attacks
68. Cross-Site Identification (XSid)
    
69. Microsoft IIS with Metasploit evil.asp;.jpg
70. MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency
71. Generic cross-browser cross-domain theft
72. Popup & Focus URL Hijacking
73. Advanced SQL injection to operating system full control (whitepaper)
74. Expanding the control over the operating system from the database
75. HTML+TIME XSS attacks
76. Enumerating logins via Abuse of Functionality vulnerabilities
77. Hellfire for redirectors
78. DoS attacks via Abuse of Functionality vulnerabilities
79. URL Spoofing vulnerability in bots of search engines (#2)
80. URL Hiding – new method of URL Spoofing attacks
81. Exploiting Facebook Application XSS Holes to Make API Requests
82. Unauthorized TinyURL URL Enumeration Vulnerability

---

WhiteHat Security is a leading provider of website security services.

---

RockYou, a service that offers applications like slideshows, games, layouts and more for social networking sites like Facebook, MySpace or Orkut that of the network’s users seem to love so much was recently hacked and the service’s entire database of 30+ million data sets exposed. This alone would have been problematic but the situation grew worse when it became clear that the passwords were stored in plain text in the databases.

This mean that more than 30 million complete sets of emails, usernames and passwords were exposed to third parties. At least one hacker managed to get hold of all the data of which the passwords and a small sample was posted on the Internet.

RockYou users who have an account at the service should immediately change the passwords for all their services that use the password and email address to avoid that these accounts are hacked.

RockYou did not only store login information about its own service but also for third party websites like Facebook or MySpace to make it as easy as possible for the users to use the data in their social networking accounts. This means that MySpace, Bebo or Facbeook login information have also been stored on the Rockyou servers if the user has entered them before on their website (see Techcrunch for additional information)

Security company Imperva got hold of the 30+ million passwords that have been selected by RockYou users to secure their accounts. Their findings are alarming:

• About 30% of users chose passwords whose length is equal or below six characters.
• Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive
  digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com
  account owners is “123456”.

The password popularity chart is therefor dominated by easy to guess passwords just as 123456, Password, rockyou or abc123. The full report of the findings can be downloaded from the Imperva server as a pdf document.

If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou. com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the frst wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.

Recommendations for users

• Choose a strong password for sites you care for the privacy of the information you store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.”
• Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can’t remember your passwords, write them down and put
  the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
• Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)

The easiest way to ensure all this is to use a password manager that can generate strong passwords and save them for the user. We recommend Last Pass which is available for several popular web browsers.

One of my favorite projects has a new significant release. Bothunter is an auto9mated bot finding tool. It uses the Emerging Threats signature base, but has a LOT more under the hood. I highly recommend it, we write a lot of signatures based on new threats it identifies first.

Find more info here:

http://www.bothunter.net 

A colleague of mine showed me some code from a back-end
program on a web server.
Fortunately, the company that wrote this is out of business.
Or at least I hope they’re out of business!

size = 16384;
while (size && IsBadReadPtr(buffer, size)) {
    size--;
}