Eldar Marcussen: March 2010 Archives

My favourite con is back! Ruxcon 2010 will be held in Melbourne (FOR TEH WIN!) at RMIT campus on December 4 & 5. The call for paper is out, deadline for submissions is 30th of July.

Please see http://www.ruxcon.org.au for more details.

With smpCTF looming I thought I would link to these excellent "post mortems" from
CCDC 2010 and Reiners exploiting past sql filters, something we have seen in the last two codegate and owaspeu10 challenges...
CCDC 2010 - Part1
CCDC 2010 - Part 2
Reiners - Exploitiing hard filtered sql injection article

Ron Bowes did an analysis of the rockyou.com passwords to see what the number of accounts you would nab with the top X number of passwords. This shows how a bigger password list has diminishing returns.


He has made the top X password dictionary files and other password lists available in his wiki at http://www.skullsecurity.org/wiki/index.php/Passwords. I you want more details you can read the whole article at http://www.skullsecurity.org/blog/?p=516

smp Capture The Flag (CTF), 2010 Hacker Olympics, is a contest designed by "hackers" and "security enthusiasts" for the like to battle it out against each other over a highly sugar induced weekend. In the smpCTF Hacker Olympics teams and individuals are put up against other teams from around the globe in the same environment with the same objectives and a mission to accomplish.

Do you have what it takes to compete...?

More details at http://www.smpctf.com/ dates and times have not yet been decided.

Robert Hansen is at it again. This time he has produced a very simple exploit that will steal passwords that are stored (remembered) in the browser.The code is very simple and works a treat for Firefox.

I would recommend this over the usual XSS alert boxes the next time you are demoing cross site scripting. Try it out at http://ha.ckers.org/weird/xss-password-manager.html. I haven't tried it in any browsers besides firefox, but even if you can't read it straight out of the DOM, you could always rewrite the form action url or even hook the onsubmit call to send the username and password to a destination of your choosing.

I had some spare time, so I created a little game. I've called it security roulette. The object is to find as many web application security flaws as you can in a given number of websites in a limited timeframe.The number of websites is determined by google and the time limit is self imposed or agreed to if you are challenging someone.

I wrote a quick mashup to help you play. The scorecard could probably use some tweaking. My suggested house rule is "no browser plugins or third party applications allowed".

@dblackshell wrote about a "nifty" feature on his blog a while back. A website he uses has implemented a feature which will alert the end user if their flash version is not up to date. It delivers the message in a very authoritative looking way, as you can see in this image (click for full version).

I tend to disagree with his opinion. It is not "nifty", it is harmful. Although I won't go in depth here, I believe as many other do that user education does not work. Casual computer users does not have the required knowledge to determine the validity of this message at the tip of their fingers. The end result is that we train more users to click accept. What do you think this user will do the next time they are presented with this image?

The latter image is malware disguised as a flash update. Could your parents, grand parents aunts, cousins or friends tell the difference?