Archive for the Category Security


Avoiding unnecessary risks with your Google account

Almost everybody nowadays has a Gmail/Google account. We use it for our email, to read our feeds, store our bookmarks, edit our documents, and what not. This demands that we constantly log in to these services with our Google account username and password. The most “paranoid” users never check the “keep me logged in” checkbox, while the majority just checks it and doesn’t bother anymore.

If you “worship” your Google account, and the idea of losing it sounds catastrophic to you because all your life is in it, you might want to keep reading this post.

What’s the problem?

The web is mostly an unsafe place, and having your Google account logged in while browsing “random” web sites might be a Russian roulette experience, because with some recent techniques like clickjacking, an attacker can set up a web page with malicious code that uses your logged-in Google account session to perform actions on your behalf. And if you don’t believe this, you can try it for yourself in the following example.

You can try this using a dummy Gmail account if you feel insecure about it.

Log in to your dummy Gmail account, open a new tab and go to this website. Now click the “send” button on the page, and go check your dummy Gmail sent messages folder. You will see that you have just sent an email, without even noticing (well you did notice actually if you checked the status bar, but it was too late anyway).

The way to achieve a hack like this is not very complex. Quoting the author:

You get a copy of the generated HTML code of the target webpage, then you simply hide everything, except for the button you want to overlay.. you could draw other things using absolute positioning, but this is enough for most scenarios.

You can checkout the “ghost page” here: http://www.sirdarckcat.net/dad.html

This attack has its pros and its cons.. the most important pro is that it’s the best way of doing cross-browser exploits.. since you don’t depend on the sizes, margins, overflow rules etc.. that different browsers use.

Possible solutions?

The best way to protect against these attacks, while it may not be the ideal solution, is simply to reduce the time you spend logged in on the browser. Actually, you can even use these services with no logged-in session in the browser at all.

The answer is simple: don’t use these services’ web interfaces on your personal computer. For Gmail, use a POP or IMAP client of your choice; for everything else, use Prism. Prism lets you run web applications in a desktop/standalone mode. This way you have all your sessions encapsulated, in a kind of sandbox, leaving you free to use the browser in a more relaxed manner.

Why do I say “on your personal computer”? Because it’s on your daily-use machine that you are more tempted to save login forms and such, leaving you vulnerable to the type of attacks I described. On other machines you are less tempted to do that, because it’s not your machine or it’s a public computer, and you spend much less time on it.

While I’ve been talking about Google accounts and Gmail throughout this post, every other service may be vulnerable to this type of attack; Google services are generally more secure than the rest.

What can web developers do?

Not much really. For web developers, the way to prevent your site from being opened in an iframe is the piece of code known as “the Framekiller”. This is a JavaScript snippet to include in your HTML pages:

<script type="text/javascript">
// If this page is not the top-level window (i.e. it has been framed),
// replace the top-level location with our own URL to break out of the frame.
if (top !== self) top.location.replace(self.location.href);
</script>

This works with the obvious JavaScript/client-side limitations (it does nothing when scripting is disabled), so it shouldn’t be regarded as a reliable approach, but it definitely helps.
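Because the framekiller depends on JavaScript running in the victim’s browser, the complementary defence is a server-side header the browser enforces on its own. The following is an added example, not code from the original post: a small WSGI middleware that stamps every response with X-Frame-Options: DENY and the CSP frame-ancestors directive (both real headers); the application and middleware names are hypothetical.

```python
# Added example: server-side anti-framing headers for a WSGI application.
# X-Frame-Options and Content-Security-Policy frame-ancestors are real
# headers; the app and middleware below are hypothetical illustrations.
from wsgiref.util import setup_testing_defaults


def app(environ, start_response):
    """Hypothetical application that serves a page with a form."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><button>send</button></form>"]


def deny_framing(inner_app):
    """Wrap inner_app so every response forbids being embedded in a frame."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app set so there is exactly one,
            # then add the strict value plus the CSP equivalent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", "DENY"))
            headers.append(("Content-Security-Policy",
                            "frame-ancestors 'none'"))
            return start_response(status, headers, exc_info)
        return inner_app(environ, patched_start)
    return wrapped


def response_headers(application):
    """Run one request through application; return status, headers, body."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(response_headers(app)[1])                # no framing protection
    print(response_headers(deny_framing(app))[1])  # DENY + frame-ancestors
```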

More on the subject

If you wish to know more about other similar techniques, you can check these links below:

CSS Attacks

Clickjacking

OSWASP Summit Videos

As I promised when I wrote about this summit, here are the videos of the presentations about the most common, and some newer, web vulnerabilities.

Videos list:

Source: blog.carlosserrao.net

OWASP EU Summit 2008 Portugal


OWASP European Summit – Portugal / Algarve – 4th – 7th November 2008
Setting the Web Application Security Agenda for 2009: OWASP Invites You to join Our Summit in Portugal
http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009’, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

I’m pissed off. Besides the fact that I only learned about this today, I also won’t be attending it, due to the usual lack of time and the tons of projects that I have to deliver at the end of the week. Soon I’ll post some presentations from the event.

Clickjacking – The new threat?

I’ve been away from the blog for some time, thanks to some freelance projects and university projects, so this is almost old news.

Clickjacking is the new buzzword on the web. What is it? It’s supposed to be a new vulnerability that mainly affects websites. It hasn’t been completely disclosed, since vendors (Microsoft, Mozilla, Adobe, etc.) have asked for some time before disclosure. Patching every website on the web is definitely an impossible mission, so browsers will be patched in order to address this possible threat.

You can check here and here for details about clickjacking from RSnake’s blog; he is one of the two researchers who found this.

Update: Here’s the proof of concept video of clickjacking and webcam hijacking in Adobe Flash.

Update 2: A nice post from gnucitizen about this.

Why the “remember me” option is not always a good idea…

Everyone knows that almost every login form on a website has a “remember me” option, which stores a cookie in your browser that allows you to access the site without entering the username and password. Although this might be very convenient, it helps a common threat on the web become easily successful. I’m talking about CSRF (Cross-Site Request Forgery).

I write this post inspired by Jeff Atwood’s article about CSRF. I highly recommend reading it as an introduction to my post, and also every other article by Jeff.

So, many people use the “remember me” option on sites like Gmail, etc. Let’s imagine a simple case. You are using a forum, and you *don’t* check the “remember me” option. You leave the forum open in a tab while browsing other sites in other tabs. In this case, you are temporarily vulnerable to CSRF, as long as the session in the forum remains active and if the forum doesn’t have any anti-CSRF measures. Now, if you check the “remember me” option, you will be vulnerable even with the forum tab closed, because your authentication cookie remains in the browser, valid and… forever (at least until you clear the cookies or log out). That means if you visit a website that has a form or a link that executes some sort of POST or some other action on the forum, it will be executed as your user.

In my example, maybe a forum isn’t really something worth being paranoid about regarding CSRF or other types of attacks, or maybe it is; it’s up to you to judge that. But a web-based email or online shopping website definitely is.

So it’s really important for web developers to take this issue into consideration when developing web applications, even knowing that it will only fix one hole in a net (the HTTP protocol wasn’t designed for this). You can find some measures to protect your website against CSRF in Jeff’s article. Users should also be aware of these threats when using web sites or applications that hold sensitive and personal content, because relying on every web developer’s security expertise is putting themselves at risk.
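As an added example of one of the anti-CSRF measures developers can apply (this is not code from Jeff’s article or from this post), here is a synchronizer token: the server keeps a random token in the session and only accepts a state-changing POST that echoes it back in a form field. A forged request from another site carries the “remember me” cookie automatically but cannot learn the token. The session store and request shape are hypothetical.

```python
# Added example: a synchronizer-token defence against CSRF. The in-memory
# session store and the form/handler shape are hypothetical stand-ins for a
# real web framework.
import hmac
import secrets

sessions = {}  # hypothetical server-side session store: session_id -> dict


def new_session():
    """Create a session (the cookie value) holding a fresh CSRF token."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Embed the session's token in the form the legitimate site serves."""
    return {"action": "post_message", "csrf": sessions[sid]["csrf"]}


def handle_post(cookie_sid, form):
    """Accept the POST only if the form token matches the session token."""
    session = sessions.get(cookie_sid)
    if session is None:
        return 401  # no valid session cookie: not logged in
    sent = form.get("csrf", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(sent, session["csrf"]):
        return 403  # token missing or wrong: treat as forged
    return 200


if __name__ == "__main__":
    sid = new_session()               # "remember me" keeps this cookie around
    legit = render_form(sid)          # form served by the forum itself
    print(handle_post(sid, legit))    # 200: token matches the session
    # A request triggered from another site carries the cookie but not the
    # token, because that site cannot read the forum's page to obtain it.
    forged = {"action": "post_message"}
    print(handle_post(sid, forged))   # 403: rejected
```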

How to deal with SSH brute-force attacks

Anyone who has an SSH server running on the default port (22) knows that every day, hundreds or sometimes thousands of break-in attempts are written to the logs. Some are from fully automated bots, others from possible human attackers, scanning one target at a time.

How is this done? It’s pretty simple. It’s just a program that tries the user root, or a dictionary of possible usernames, against a dictionary of possible passwords. If your password is in that dictionary, it’s game over for you.

There are many ways to protect against this, like blacklisting an IP address after a defined number of failed attempts. But you can always try to have some fun with it. This article is kind of old, but it’s worth taking a look.

By changing the source code of the OpenSSH server, adding a sleep(10) instruction in the authentication code, you can make anyone desperate trying to break into your box.

Check it here.
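The blacklisting approach mentioned above, as an added example that is not from this post or the linked article: a small detector that parses OpenSSH “Failed password” lines from auth.log, counts failures per source address, and reports addresses that cross a threshold. The log lines are constructed samples in sshd’s usual format, and the threshold and addresses are assumptions.

```python
# Added example: count failed SSH logins per source IP from auth.log lines
# and flag sources that exceed a threshold. SAMPLE_LOG is constructed data.
import re
from collections import Counter

SAMPLE_LOG = """\
Oct  5 03:12:01 box sshd[4021]: Failed password for root from 203.0.113.9 port 51112 ssh2
Oct  5 03:12:03 box sshd[4021]: Failed password for root from 203.0.113.9 port 51114 ssh2
Oct  5 03:12:05 box sshd[4023]: Failed password for invalid user admin from 203.0.113.9 port 51120 ssh2
Oct  5 03:12:07 box sshd[4025]: Failed password for invalid user oracle from 203.0.113.9 port 51131 ssh2
Oct  5 03:15:40 box sshd[4030]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct  5 03:15:49 box sshd[4030]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

# sshd logs "Failed password for [invalid user] <name> from <ip> port <n>".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_attempts(log_text):
    """Return (failures per IP, set of usernames tried per IP)."""
    per_ip = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            per_ip[ip] += 1
            users.setdefault(ip, set()).add(user)
    return per_ip, users


def blacklist(log_text, threshold=3):
    """IPs with at least `threshold` failures, most active first."""
    per_ip, _ = failed_attempts(log_text)
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    per_ip, users = failed_attempts(SAMPLE_LOG)
    for ip in blacklist(SAMPLE_LOG):
        # In practice this is where a firewall rule for `ip` would be added.
        print(f"block {ip}: {per_ip[ip]} failures, users {sorted(users[ip])}")
```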

Linux systems under attack

There’s this article on ZDNet. It reports that recently there have been a lot of active attacks against Linux systems using stolen SSH keys.

As the article explains, once inside the machine, the attacker uses local kernel exploits to gain root access so that a rootkit known as phalanx2 gets installed.

This type of attack is probably related to the recent Debian random number generator bug. So read on to get more info on the subject.

Gufw – The firewall that Ubuntu needs


One thing that is missing in Ubuntu is an easy way for a novice user to turn on and configure the firewall. It’s bad enough not to have the firewall turned on by default. Even if you argue that Ubuntu is secure by default because it has no services listening on the network on first boot, that’s not an excuse to leave the firewall turned off.

Ok, there is ufw (uncomplicated firewall), which I think is nice because it saves me all the hassle of messing with iptables when I don’t have the time or the mood to deal with it. But it’s command-line based! Novice users don’t really like, or know how, to use the terminal!

To end this problem, there’s Gufw:

Gufw is an easy, intuitive way to manage your Linux firewall. It supports common tasks such as allowing or blocking pre-configured, common p2p, or individual port(s), and many others! Gufw is powered by ufw, runs on Ubuntu, and anywhere else Python, GTK, and ufw are available.

This project sounds like something nice to have in Ubuntu by default. In fact I liked it so much that I decided to contribute to it. So expect me to talk more about it in some future posts.

Link: gufw.tuxfamily.org

Fedora Project servers compromised

According to Fedora, some servers from the project were illegally accessed.

Quoting Paul W. Frields from Fedora:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

Here’s the Fedora announcement and the security advisory by Red Hat.

One more detail: the Fedora servers are hosted by Red Hat Inc. I hope that this isn’t much bigger than it seems.

Gmail now with https option

This is something I missed in the last few weeks. I’ve noticed that Gmail now has an option on the settings page that allows the user to force https (an SSL connection). I’ve tested it, and it works just fine.

This saves the effort of having to type https manually into the URL, because otherwise Gmail only uses it while the username and password are being transmitted and drops back to plain http afterwards.

After you select the option you’ll have to log out and log back in for the changes to take effect.