Archive for the 'Other' Category

Give banks the right to use .bank!

Friday, May 11th, 2007

And only banks: that is what Mikko Hypponen, Chief Research Officer at F-Secure, announced a few days ago. If financial institutions are the only ones that can use a .bank TLD, the end of phishing could be near.

As we all know, a lot of phishing sites are exact copies of the original sites; only the domain name differs. So what does Mikko think? That using the .bank TLD will make people understand the difference? A lot of people trust their bank and are not savvy enough to check the TLD.
And if we look a little further, what is going to stop a phisher from getting hold of a subdomain? Of course Mikko has a point, but his solution is just not enough!
If we don't teach our kids, parents, grandpas and grandmas how to see the difference, the problem will not go away with a simple TLD!

On top of that, even if you are on the right site, you're not perfectly secure. Hackers showed us that a few weeks ago, when they cracked the text-message security of the Commonwealth Bank in Australia.

And we’re back

Wednesday, July 12th, 2006

It seems there was a little mix-up with our domain registrar, and we were down for two days. It has been fixed now (as you can see :) )

DieselScripts, or how a small company is making the errors a big one can’t

Tuesday, June 6th, 2006

Two weeks ago someone on a mailing list posted a security warning about Diesel PHP Job Site, a script used to build a job site. The warning concerned an information disclosure, which caught our interest as soon as we read it. What is the point? DieselScripts uses a "phone home system" in their software. Nothing wrong with that (err, ok, there are some issues with it, but it is legal) when it is used the right way. DieselScripts, however, uses a strange method: they email "some stuff" to their support email address.

Let's look at the stuff they email: your username, your email address, the host you are running it on, your database credentials and your passwords. Yes, you are reading this correctly: they send your database credentials and passwords to themselves. Of course we were interested in this and contacted DieselScripts.

At first, DieselScripts' reaction was that every PHP script company uses phone-home scripts like this. We asked a bit further, and then we really got scared:

Fraudulent orders have been quite many for the past months and that's why we added this method (used by most php scripts developers). This way we can remove any illegal copies used on the web.

Yes, you are reading this correctly: they say remove, and by that they mean getting into your server and removing the software because you didn't buy it. How about that! Because we weren't very delighted with this, we mailed them back and explained that they might be breaking some laws by using the credentials to get into people's servers, and look what we got:

Hello Ronald,

I have given it a lot of thought and decided to remove the code that sends data. From this day forward we won't use this procedure anymore. We will implement a serial number verification process as you suggested. We only were forced to remove our product a few times from a server but we don't remove only illegal copies that weren't purchased from us or our affiliates regardless of the server they were installed on.

So if I see it correctly, they are stopping the "remove software from servers" practice from now on and are going to work with serials. I suggested this to them, together with a blacklist and/or a phone-home system that just reports the serial in use. Which leaves us with one question: are these guys really changing their software? Or are they just saying so?

And one more for the guys at DieselScripts: are the other applications you develop also equipped with these nasty phone-home procedures? And are you going to get rid of them too?

And last but not least: what are you going to do with all the credentials you already have? Are you deleting them?

We would really like to get a version of all the software with the phone-home procedure removed, so DieselScripts, how about it?

DieselScripts is the creator of Diesel Job Site, Diesel Joke Site and Diesel Pay.

Firefox update

Friday, June 2nd, 2006

Mozilla has released Firefox 1.5.0.4, fixing several bugs. See the following advisories for the bug fixes:

http://www.mozilla.org/security/announce/2006/mfsa2006-31.html

http://www.mozilla.org/security/announce/2006/mfsa2006-32.html

http://www.mozilla.org/security/announce/2006/mfsa2006-33.html

http://www.mozilla.org/security/announce/2006/mfsa2006-34.html

http://www.mozilla.org/security/announce/2006/mfsa2006-35.html

http://www.mozilla.org/security/announce/2006/mfsa2006-36.html

http://www.mozilla.org/security/announce/2006/mfsa2006-37.html

http://www.mozilla.org/security/announce/2006/mfsa2006-38.html

http://www.mozilla.org/security/announce/2006/mfsa2006-39.html

http://www.mozilla.org/security/announce/2006/mfsa2006-40.html

http://www.mozilla.org/security/announce/2006/mfsa2006-41.html

http://www.mozilla.org/security/announce/2006/mfsa2006-42.html

http://www.mozilla.org/security/announce/2006/mfsa2006-43.html

Firefox Marquee bug

Thursday, June 1st, 2006

A few days ago we saw a notice on a mailing list about a PoC which makes a DoS possible on (again) Firefox. We contacted the guy who posted it (n00b) and asked him what it does.

It seems it uses an old bug in Firefox: it exploits the way Firefox handles multiple HTML tags.

We've tested this on Windows XP without Service Packs, with SP1 and with SP2, and it crashes Firefox. On Linux, however, it spikes the load but doesn't crash Firefox, and on my Apple (Mac OS X version 10.4.6) it does the same as on Linux.

But this doesn't mean it isn't a bad bug, and the Firefox developers really need to get this fixed.

The PoC is available here, but remember that it can crash your Firefox!

Safari’s kiss of death

Tuesday, May 23rd, 2006

Securiteam.com reports a bug in Safari which makes the famous SRCOD (Spinning Rainbow Cursor Of Death) appear. They report that Safari 2.0.3 (417.9.3) under Mac OS X 10.4.6 is vulnerable, but earlier versions may be vulnerable too. The PoC code looks like this:

for (;;);

Just put this between script tags in an HTML file and open it. The only solution they see right now is to disable JavaScript.

How does the UPnP flaw work

Thursday, May 18th, 2006

In this article we told our readers about a Dutch student who had found a bug in the UPnP protocol.

Today, at the SANE Conference, he's telling the world what the flaw is. While he is in the Netherlands telling those people how it works, we are proud to present it to you, our readers. In addition to my detailed discussion below, NIST.org has additional information and discussion on the subject.

Introduction

In February of this year, a student from the University of Utrecht in the Netherlands reported a flaw in the UPnP protocol to Linksys. In January he had told Microsoft about the bug, and Broadcom was informed in March 2006. Microsoft's response to him was that the bug only exists if a router is configured incorrectly. Broadcom didn't respond to him until he wrote his Proof of Concept paper in April. Recently he was informed that Linksys had made new firmware available for some of their devices, but not all of them, that corrects this problem.

Do the flaws Armijn found really only exist in routers with incorrect configurations? Or is Microsoft wrong, and are the flaws as bad as Armijn Hemel says they are?

The UPnP Protocol

Most readers are at least aware of the UPnP protocol. It is used in a lot of SOHO routers and by some popular client applications such as MSN Messenger and Microsoft's Xbox Live. The UPnP protocol is not only used to configure routers: it is also used, for example, in VoIP applications to dynamically open ports on the router.

The UPnP protocol uses well-known Internet standards, like XML, HTTP and SOAP. Because of the scope of the flaws Armijn found, we are going to focus on the way UPnP opens ports and forwards them to devices.

How UPnP Works

For UPnP devices to find each other, discover messages are used. These messages are sent to 239.255.255.255 port 1900 UDP in XML format. In response to a discover message, a response is sent with a location from which an XML description file can be downloaded. Once a connection is made, a UPnP device can ask another device (e.g. a router) to configure some things.

Configuring of Port Maps

The following can be used to configure a port map from a router to a device with IP address 10.0.0.151. Quoting the paper:

Adding a port mapping for the machine located at the IP address 10.0.0.151 can be done with the following code:

    # The SOAPAction header selects the AddPortMapping action of the
    # WANPPPConnection service on the gateway.
    soapaction2 = "urn:schemas-upnp-org:service:WANPPPConnection:1#AddPortMapping"

    # 'server' is a SOAP proxy bound to the gateway's control URL; it is set up
    # earlier in the paper and is not shown here.
    server._sa(soapaction2).AddPortMapping(NewRemoteHost="",
                                           NewExternalPort=8080,
                                           NewProtocol="TCP",
                                           NewInternalPort=80,
                                           NewInternalClient="10.0.0.151",
                                           NewEnabled=1,
                                           NewPortMappingDescription="internal webserver",
                                           NewLeaseDuration=0)

When we look at this we see that port 8080 on the router is being forwarded to port 80 on client 10.0.0.151. Not a big deal, is it? And UPnP nicely lets you do it.

But wait, I didn’t mention any authentication, did I?

The flaw

Ok, I mentioned it above: there is no authentication. Of course, the UPnP Forum has defined a security model, but is it used? Let's take some examples that Armijn has written about in his paper:

Exposing Internal Machines to the Internet

Port forwarding / port mapping is a nice feature of the UPnP protocol, and it can be configured with a simple command, as shown above. Let's look at this example:

[Figure: a host opens a port for another host. (c) Armijn Hemel]

The above example shows one of the flaws Armijn told me about. What if a piece of spyware tells the router to open a port to an SMTP daemon? Will it be able to send out emails through our host on the inside network? Armijn says it can, and I believe him.

But if you think this is bad, let’s look at another example:

I’ll quote Armijn for this one:

Using UPnP to Create Proxies and Hijack Ports

At least one implementation of an Internet Gateway Device (router) profile allows anyone on the internal network to set the Internal Client parameter as used by the AddPortMapping SOAP function to any machine on the Internet. This implementation was developed by Broadcom for their router platform. It can be found in certain revisions of the Linksys WRT54G(S) and a lot of other Linux-based routers and access points (the hardware list on the OpenWrt Wiki gives a good indication which devices are based on the platforms Broadcom makes).

The problem with the Broadcom implementation is that the Gateway Device doesn’t check if the InternalClient parameter is a machine on the inside LAN. Because of this error, the Gateway will perform NAT on the incoming packages to the InternalClient even if it is on an external interface.

This means that all traffic on ports on the Gateway can be forwarded to other machines that are also on the external interface. An attacker can exploit this bug to have his own traffic routed to the internet and create his own onion routing system.
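As an added example (not from this page or from Armijn's paper), the check the quoted passage says the Broadcom implementation skipped, written as gateway-side validation of an incoming AddPortMapping SOAP request: parse the envelope, then refuse any NewInternalClient that is not on the inside LAN. The LAN 10.0.0.0/24, the gateway address 10.0.0.1 and the hijack target 203.0.113.5 are assumed; the sample request reuses the arguments of the call shown above.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:schemas-upnp-org:service:WANPPPConnection:1"

# Constructed sample: the arguments of the AddPortMapping call quoted above.
PAGE_REQUEST = {"NewRemoteHost": "", "NewExternalPort": "8080", "NewProtocol": "TCP",
                "NewInternalPort": "80", "NewInternalClient": "10.0.0.151", "NewEnabled": "1",
                "NewPortMappingDescription": "internal webserver", "NewLeaseDuration": "0"}
# Constructed sample of the hijack case: an InternalClient that is not on the LAN.
HIJACK_REQUEST = dict(PAGE_REQUEST, NewInternalClient="203.0.113.5")

def build_envelope(args):
    """Wrap the arguments in the SOAP envelope a control point sends to the gateway."""
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{SERVICE_NS}">{fields}</u:AddPortMapping>'
            "</s:Body></s:Envelope>")

def parse_add_port_mapping(envelope):
    """Return the AddPortMapping arguments as a dict; ValueError for any other request."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    action = None if body is None else body.find(f"{{{SERVICE_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}

def validate_mapping(args, lan, gateway_ip):
    """The check the Broadcom implementation skipped, plus argument sanity; returns (accepted, reason)."""
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "NewInternalClient is not an IP address"
    if client not in lan:                       # external hosts must never be a target
        return False, f"NewInternalClient {client} is not on the LAN {lan}"
    if client == gateway_ip:                    # nor the gateway's own address
        return False, "NewInternalClient must not be the gateway itself"
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        return False, "NewProtocol must be TCP or UDP"
    for name in ("NewExternalPort", "NewInternalPort"):
        if not args.get(name, "").isdigit() or not 1 <= int(args[name]) <= 65535:
            return False, f"{name} must be a port number between 1 and 65535"
    return True, "ok"

def check_request(envelope, lan="10.0.0.0/24", gateway_ip="10.0.0.1"):
    """Gateway-side gate: parse the envelope and apply the checks (LAN and gateway are assumed)."""
    args = parse_add_port_mapping(envelope)
    return validate_mapping(args, ipaddress.ip_network(lan), ipaddress.ip_address(gateway_ip))
```

With this gate in place the page's request (10.0.0.151) is accepted while the hijack request (203.0.113.5) is refused, which is exactly the difference between a port forward and a proxy.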

And it can still be worse!

Let’s Create Chaos!

Aside from adding a port mapping, other actions can be performed on an Internet Gateway Device, including deleting port mappings. Deleting existing port mappings can disrupt the correct working of programs.

The focus in Armijn's paper is on the Internet Gateway Device profile in general and the WANIPConnection and WANPPPConnection profiles in particular. But there are probably a lot of other opportunities which he didn't test. Hacks he could think of to create chaos are:

- shutting down routers by using the LANHostConfigManagement subprofile

- injecting false DNS records by using the LANHostConfigManagement subprofile

- abusing HVAC controls via UPnP

- remotely controlling IP cameras, some of which seem to use the UPnP AV profile

Conclusion

I hope that we have cleared things up a bit, and want to thank Armijn Hemel for providing his paper on such short notice. If you want to learn more about this vulnerability, we hope to put up Armijn's email address and his SANE paper on the forum as soon as he gives us his permission.

Websense survey: Women install more spyware than men

Wednesday, May 17th, 2006

Websense, a company focused on web security and web filtering productivity software, has made available the results of their survey about surfing in the workplace and spyware installs. They interviewed about 700 people about their web use at work.

The survey reveals that men are more likely than women to engage in personal web surfing at work: 65% of men with internet access at work use it for personal, i.e. non-work-related, surfing, versus 58% of women.

Similarly, men are more likely than women to spend more time on the internet at work, for both work-related and non-work-related tasks. For example, men admit to spending 11.6 hours on average per week on work-related websites and 2.3 hours per week on non-work-related websites. In comparison, women admit to surfing 9.0 hours on average on work-related and personal sites, and to spending only 1.5 hours per week on non-work-related sites.

Websense also found a difference in the type of non-work-related websites visited: men are more likely to visit weather, sports, investment and blog websites.

The employee survey also reveals that men and women hold different views regarding web-based threats such as spyware and when to involve the help desk to remedy the situation.

Women who visit websites containing spyware are more likely than men to say that their work computer has been negatively impacted by spyware (45 percent of women versus 35 percent of men surveyed). On that same note, women who have visited websites containing spyware are more than twice as likely as men to call their help desk or IT department if their computer was infected with spyware: 64 percent of women have called their IT department for help, whereas only 30 percent of men have done so.

Source: http://www.websense.com/global/en/PressRoom/PressReleases/PressReleaseDetail/?Release=0605161213

Dutch student finds bug in UPnP

Monday, May 15th, 2006

The Dutch informatics student Armijn Hemel has found a bug in the UPnP protocol, which is used in a lot of consumer and small-business routers. Microsoft, which created UPnP, is looking at the problem. Hemel told Microsoft about the problem in January, but MS responded that only routers that are configured incorrectly are vulnerable. Hemel says this isn't correct and will show at SANE how it is possible to use this bug, with a few lines of Python and some libraries, to redirect websites and install viruses.

Linksys' owner Cisco, whose routers use UPnP, has started releasing updates for the WRT54G Linux-based access point to fix the problem, and Zyxel is also creating a patch as we speak.

I would like to point the following out to our readers:

Monday, May 15th, 2006

We need your help!

We are looking for people who are willing to write for Securityview.org. Do you think you can write in English and have a feel for security? Send us an email at write@securityview.org.

If you are not able to write but see security news we missed, send an email to news@securityview.org.
