Archive for August, 2008

Proof of concept:

  1. Disable IE7's Protected Mode
  2. ...

OK, I was just joking.

I'm confident this blog post is a joke as well.
After all, its author is an MVP...

As you probably have heard, security expert Petko D. Petkov (pdp), founder of GNUCITIZEN, had his GMail account violated and raided.
He told me he did not believe it had been a classic man-in-the-middle attack, as many of us speculated during the past days, and when interviewed by Dan Goodin he blamed XSS:

In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.

Perhaps, but that doesn't make sense to us. XSS exploits typically allow you to enter restricted parts of a website without the benefit of a password. Whoever broke into Petkov's account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message.

It makes sense to me, though (even if I still bet on a MITM, since GMail has been secured against session cookie leakage bypassing HTTPS only very recently): if you combine any XSS vulnerability with the very handy automatic password completion offered by modern browsers, stealing credentials becomes absolutely trivial.

However, if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now ;)

Window Snyder, Mozilla's Chief Security Something-or-Other
An email I received yesterday night:

Hi,

I've been using NoScript with Firefox for a while (recommended by SANS), and today it paid off big time.
I got to work, started Firefox, and went to our homepage.
NoScript complained and I checked out the complaint at the bottom of the page. Our webpage had a link on it to sdo.1000mg.cn.
I started looking and found that we had the SQL injection attack currently featured at SANS:

http://isc.sans.org/diary.html?storyid=4844

NoScript found it first! You are a hero! Thanks.

Jeff E.
[Anonymized US Educational Site]

Then a quote from Ryan Naraine's Talking Firefox security with Mozilla’s Window Snyder:

There are discussions happening internally at Mozilla around adding NoScript functionality into the core browser.
“It’s a conversation we’re having. I’d love to see it in there.”

Oh Window, why didn't you tell me these sweet words when we were face to face in the romantic and adventurous land of Whistler?
I guess it's destiny, even Steve Ballmer had been too shy to declare his love ;)

As you've probably heard, the Firefox Summit 2008, albeit great for meeting face-to-face people I only knew through IRC or Bugzilla, has been quite challenging:

  1. Besieged by bears
  2. Cut away from the rest of the world by a crash bug in the Whistler-Vancouver communication module
  3. Lost in the dark because of a truck-based DOS attack

We must all thank Dan Portillo for the (much) good of the Summit he masterfully organized and for the great job he did in working around the issues listed above; on the other hand, they might perhaps have been prevented by choosing a less hazardous place, since "Whistler" was the code-name for Microsoft Windows XP...

However, when yesterday night, after a 36-hour trip, I was finally back in Palermo believing it was all over, I went to get back my baggage -- including most of my t-shirts, 3 pairs of pants, 9 bottles of maple syrup for my relatives and friends -- but... it obviously wasn't there. OK, I should have expected some problems since I had also packed one leg of Wladimir Palant's, which I had to smoke (on pure maple wood) the day of the power outage, before it started smelling inside my useless fridge.
After waiting about one hour because nobody in the airport could say whether the unloading operations were done yet (what about implementing a callback architecture or a notification bus?), I had to formally claim it lost and was given a link to a website for tracking the baggage recovery process.

So this morning I tried submitting this form, but I got redirected to a page showing the following error message:

Il sistema non può indviduare* una lima valida per la vostra entrata.

For those who don't speak Italian (like the author of this disturbing text, I hope), this sounds like

The system cannot find a rasp suitable for your entrance.

As you can imagine, I was quite glad the system couldn't ;)
Nonetheless, I still needed to know about the destiny of my baggage, so I retried on a clean profile: same result!
In the end I reluctantly switched the rendering engine through the IE Tab extension, and the system finally decided to be more cooperative: it reported there was no available tracking info yet, but at least it stopped threatening "my entrance" with steel tools.

At that point I checked all the browsers I've got at hand, with the following results:

  • Gecko-based: RASP
  • IE: OK
  • Lynx: RASP
  • Opera: OK
  • Safari: RASP

Before you ask, yes, I tried faking my headers via the User Agent Switcher extension.
Any clue?

* this misspelling seems even to rule out a machine translation with no human intervention
