Archive for the Politics Category

Discovered the ultimate cure for the NIMBY syndrome!

Reported by Beppe Grillo (popular Italian blog), but ignored by mainstream television news as usual: with an urgent decree effective since May 1st 2008, Italian Government allows toxic/nuclear waste storage sites, polluting power plants, incinerators and similar tourist attractions to be covered by State Secret.
Information about their existence, location and environmental impact can be declared "classified": anybody revealing them risks up to 5 years in prison.
Even the official Public Health agencies are banned from exercising their ordinary monitoring powers: in other words, no common people can actually measure, know or tell if a certain place in the sun-blessed Italian seaside or countryside is being actively poisoned by a government-blessed shit factory.

In the embedded Youtube movie clip, former Minister of Culture and Tourism Francesco Rutelli (of the cabinet which wrote the aforementioned decree) invites you to visit the Best Country in the World®.
Where are you going to spend your summer vacations?
Any relocation hint for me and my family?

One of my early Hackademix posts was about SQL injection vulnerabilities exploited to deface the United Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as before.

Now WebSense is reporting that both the United Nations and the UK Government have web pages affected by the infamous "Mass Malicious JavaScript Attack", which has been spreading since January across thousands of sites, bombing visitors with a chain of 8 client-side exploits triggered by an external script hosted on remote servers (e.g.

These exploits leverage a Microsoft Internet Explorer 7 vulnerability patched last year (bad guys seem not to trust Windows Update effectiveness), “as well as [bugs in] other applications”. Well, since modern browsers embed a lot of "other applications" which are usually quite vulnerable, maybe a good idea (actually the only sane idea, other than reverting to Lynx) is switching to a safe web browser and -- shameless plug(in) -- making it even safer by preemptively blocking execution of malicious scripts and embedded content. On a side note, Opera's web site preferences couldn't help in cases like these, when the compromised site is probably among the ones you trust, allowed to run scripts; NoScript, instead, still blocks the external malicious code even if the main page is in your whitelist.

As previously explained by SANS, the


tag importing the malicious JavaScript code is inserted into the victim web pages through trivial SQL injection vulnerabilities, so much trivial that an automated tool has been used to find vulnerable sites through Google and infect them with the payload.
The default search pattern of this tool is

inurl:".asp" inurl:"a="

: in English, "those web pages developed with Microsoft Active Server Pages technology and accepting query string parameters". Unsurprisingly, this profile matches the original, still unpatched U.N. SQL injection; as I already said reporting the first accident, I believe crackers primarily target ASP sites (even though they are relatively few nowadays) because of the poor coding standards often shown by ASP coders, who usually have a Visual Basic desktop programming background and are less aware of web application security.

At any rate, some simple googling reveals that some U.N. sites are still infected, while UK Government sites have been "cleaned up".
The sad truth, though, is that even those "clean" sites are still vulnerable, hence they could be reinfected at any time: some people just never learn...

Major Leonardo DomeniciAccording to the main Italian press agency ANSA, the major of the beautiful city Florence, Leonardo Domenici, has just filed a complaint to take in court Wikipedia, accused of defamation.
MichelangeloReason: the encyclopedic entry about him, currently obscured as a legal precaution*, reported a story about his wife being favored by the city administration in public contracts. In a note, major Domenici states that this is "a slander", as already ruled in a trial.

Question: since Wikipedia is open to public editing and discussion, did Domenici try to rectify the story, possibly abducting the aforementioned ruling as a reference, before trying to take this case in a court? And, most important, who's legally responsible for editorial content which is freely editable by anyone and whose authority is supposed to derive by external references and editing history/discussion?

*March the 1st, a couple hours later...

A previous version of the article dating to August 2007 has been restored, removing the whole "Criticisms" section as shown by this chronology diff.
For those who can read Italian, here's the Wikipedia editors discussion about this case: at the core, they're raising same question I asked myself this morning: couldn't he simply click the "Edit" button?

SQL Injection ToyNo, this title is not about to the United Nations web site.

Their hole is still gaped by the way, no matter what the U.N. staffers said so far.
As you may recall, I did offer a little free help to fix their bugs (13 AUG), but I've not been contacted back, notwithstanding some public flattery.
At any rate, since the 5 days "grace time" granted them under the RFPolicy is more than expired (10 days now), you may want to stay tuned for a report about their vulnerabilities -- and, more interesting, about the worrying ways they pretend (or, worse, believe?) to have fixed them -- as soon as I find a few minutes for this.

In the meanwhile, the real reason behind this post: I'm releasing a free web-based tool to help those experimenting and studying SQL injections, called SQL Injection Toy (or just SQL IT).

Even if simple, it exhibits some interesting properties:

U.N.PatchedI've been attaching some updates to my United Nations VS SQL Injections article, but this story deserves another clarification post, now.

A few hours ago I've been contacted by Ronda Hauben (Telepolis/OMNI), asking if I had any news about the vulnerability and how the agency was handling it.
I answered her just like I answered the inquiry I received from Anne Broache (CNET/ yesterday:

I can confirm the vulnerability is still there.
The U.N. staff just deployed a cosmetic patch to hide the bug from the most obvious tests, but this measure cannot prevent an attack.
I reported this problem to U.N. on Monday morning (8.06 AM UTC), offering cooperation to evaluate and fix it under the provisions of the RFPolicy.

They did not come back to communicate with me yet, but on the other hand the aforementioned policy grants them 5 days to do it.
As I said the site is still vulnerable, but I won't disclose any other technical detail until this "grace time" is expired.

Shortly after I sent Ronda my reply (around 22.00 UTC), I was about to hit my bed when I decided to check again...
To my surprise, all my U.N. bookmarks landed on 404 (not found) pages, and when I tried the home page itself I was welcomed by this message:

Bad Behavior has blocked 725 access attempts in the last 7 days.