04.16.08
Posted in IT, Operating Systems, Windows at 5:11 pm by Tyler Reguly
SANS ISC is reporting that various sources are saying we may see XP SP3 before the end of the month, with OEMs and MSDN subscribers seeing the patch on April 21st and an end-user release date of April 28th.
Posted in IT at 4:23 pm by Tyler Reguly
About 15 minutes ago I had connection problems with my Google Apps account. My web-based Google Chat had disappeared, so I closed my browser and reopened it, but it's gone... completely gone... the Chat tab is even gone inside my settings options.
Anybody got any ideas?

The X represents where the Chat Window normally is and the arrow points to where the chat settings would normally be.
Update:
Alex Word just pointed out that this is back up now. Thanks Alex!
04.15.08
Posted in IT, Security at 4:11 pm by Tyler Reguly
This isn't a new topic... McAfee mentioned it a couple of weeks ago, and it appeared in a ha.ckers.org comment almost 2 years ago.
It seems that Google Page Ad (http://www.google.com/pagead) can be abused as a redirect. This redirect won't work blindly; certain variables require certain values. However, those variables aren't validated... I can generate a valid redirect, then substitute in any URL I want, and it will still work. I've been noticing more and more spam lately making use of this, and it leads me to wonder why Google, with all their power (and I am a huge Google fan), can't get the validation right to ensure that this issue stops.
Here's an example URL... however in this case, I've removed the spammers address and inserted ComputerDefense.org: http://www.google.com/pagead/iclk?sa=l&ai=JqenDy&num=08582&adurl=http://www.computerdefense.org
Update:
In thinking this through more, I thought I should add to it. This redirect requires certain information... without the ai and num fields, the redirect won't work. All Google has to do is tie these fields to a specific URL; they don't even need the redirect URL included anymore... They could validate and redirect based on data they retrieve while validating the request.
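The fix proposed above, sketched as an added example (not code from the original post or from Google): a simplified model of the redirect as described, beside a version where ai and num select a stored destination. The click table, the advertiser address and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed click records: what the ad server stored when it issued the
# ad. The (ai, num) pair is taken from the post's sample URL; the
# destination is a made-up advertiser address.
CLICK_TABLE = {("JqenDy", "08582"): "http://advertiser.example/landing"}

def _params(url):
    """First value of each query parameter in url."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}

def redirect_unvalidated(url):
    """Simplified model of the behaviour the post describes: ai and num
    must be present, but the destination is whatever adurl says."""
    p = _params(url)
    if not p.get("ai") or not p.get("num"):
        return None
    return p.get("adurl")

def redirect_bound(url):
    """Fix the post proposes: ai and num select the stored destination and
    adurl is never consulted. Unknown pairs get no redirect."""
    p = _params(url)
    return CLICK_TABLE.get((p.get("ai"), p.get("num")))

def adurl_tampered(url):
    """True when a known (ai, num) pair arrives with a different adurl,
    which is worth logging as attempted redirect abuse."""
    p = _params(url)
    stored = CLICK_TABLE.get((p.get("ai"), p.get("num")))
    return stored is not None and p.get("adurl") not in (None, stored)

# The sample URL from the post.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=JqenDy&num=08582"
          "&adurl=http://www.computerdefense.org")

if __name__ == "__main__":
    print("unvalidated:", redirect_unvalidated(SAMPLE))
    print("bound:      ", redirect_bound(SAMPLE))
    print("tampered:   ", adurl_tampered(SAMPLE))
```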
04.14.08
Posted in IT, Tools at 8:06 pm by Tyler Reguly
This morning I talked about W3AF beta6 being available. Only now did I finally get time to install it... I wanted to test drive the UI, and it ended up being quite the task to get it installed. Part way through I realized that this would be a somewhat time-consuming process and started documenting everything I had to do. I figured that others will most likely want to play with the UI on Windows XP, so I'm going to share my documentation:
Installing w3af with UI on Windows XP with Python 2.5

1. Download pygoogle
   - Extract pygoogle
   - From your extracted directory run 'python setup.py install'
2. Download fpconst
   - Extract fpconst
   - From your extracted directory run 'python setup.py install'
3. Download SOAPpy
   - Extract SOAPpy
   - Edit <extractdir>\SOAPpy\Client.py; move the __future__ import line to line 1
   - Edit <extractdir>\SOAPpy\Types.py; move the __future__ import line to line 1
   - Edit <extractdir>\SOAPpy\Server.py; move the __future__ import line to line 1
   - From your extracted directory run 'python setup.py install'
4. Download gtk+ runtime
   - File: gtk2-runtime-2.12.1-2007-10-28-ash.exe
   - Install
5. Update gtk+ runtime
   - File: glib-2.16.2.zip
   - Extract files
   - Copy files from \bin over gtk2-runtime install (default: C:\Program Files\GTK2-Runtime\lib)
6. Install pyGTK files
   - PyGTK 2.12.1-2
   - PyGobject 2.14.1-1
   - PyCairo 1.4.12-2
7. Download pyOpenSSL
   - Current Version: 0.7
   - Install
8. Download OpenSSL
   - Current Version: 0.9.8g Light
   - Install
9. Download w3af
   - Extract to directory
10. Browse to the w3af folder, create a shortcut to file w3af.
   - Modify shortcut target -- path\to\python25 path\to\w3af -g
   - Double-click the shortcut
Posted in Daily Link List at 12:32 pm by Tyler Reguly
I've got a few interesting links that I thought I'd share.
Up first is a map with the location of Google Data Centers (via Google Blogoscoped). This is actually pretty cool to check out.
Next is OpenPacket.org, which I'll probably do a post about again sometime soon. For now a brief intro though. This is a great concept... a place where people can upload their packet captures, so that others can download and view them. This can be used by everyone... students, researchers and enthusiasts. I think first and foremost, it's a great learning tool, however if a certain level of quality is maintained, everyone will benefit from this project.
The last, and probably most interesting, is a Google XSS that Billy Rios blogged about. The XSS takes advantage of the fact that certain browsers (IE was used, but it was mentioned that others can be affected by this) don't always use the content-type suggested by the server. In many cases the browser will attempt to determine the content-type on its own. This means that enough HTML in a response with content-type: text/plain will be rendered by IE (and in some cases other browsers) as HTML.
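A check for the condition described above, as an added example that is not from the original post or from Billy Rios's write-up: it flags non-HTML responses whose body opens with HTML markup and which lack the X-Content-Type-Options: nosniff header that tells browsers to trust the declared type. The 256-byte window, the tag list and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: the browser sniffs only the start of the body; 256 bytes is
# used here as the inspection window.
SNIFF_WINDOW = 256
# Tags whose presence makes a body look like HTML (an illustrative list).
HTML_HINT = re.compile(
    rb"<\s*(html|head|body|script|iframe|img|table|title|a)\b", re.I)
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def sniff_risk(headers, body):
    """Return a reason string when a non-HTML response could be rendered
    as HTML by a content-sniffing browser, else None."""
    h = {name.lower(): value for name, value in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in HTML_TYPES:
        return None  # declared as HTML; output encoding is the control here
    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        return None  # browser is told to trust the declared type
    if HTML_HINT.search(body[:SNIFF_WINDOW]):
        return "%s body starts with HTML markup and nosniff is not set" % (
            ctype or "untyped")
    return None

# Constructed responses: the same echoed body with and without the
# protective header, plus a harmless plain-text body.
BODY = b"<html><body>user supplied text echoed back</body></html>"
RESPONSES = [
    ({"Content-Type": "text/plain; charset=utf-8"}, BODY),
    ({"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}, BODY),
    ({"Content-Type": "text/plain"}, b"plain log line, no markup"),
]

def audit(responses):
    """Run sniff_risk over (headers, body) pairs, one result per response."""
    return [sniff_risk(headers, body) for headers, body in responses]

if __name__ == "__main__":
    for result in audit(RESPONSES):
        print(result)
```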
That's all for now...
Posted in Daily Link List at 1:23 am by Tyler Reguly
Some new software shipped that I should have mentioned, and apparently it got past me...
The first is OpenSSH 5.0, released quite shortly after OpenSSH 4.9 (I believe it was 4 or 5 days). The following was attached to the release notes:
We apologise for any inconvenience resulting from this release
being made so shortly after 4.9. Unfortunately we only learned of
the below security issue from the public CVE report. The Debian
OpenSSH maintainers responsible for handling the initial report of
this bug failed to report it via either the private OpenSSH security
contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla
(http://bugzilla.mindrot.org/).
The security issue in question was CVE-2008-1483.
The second piece of software is W3AF Beta 6. The Web Application Attack & Audit Framework is designed to create an extensible framework for finding and exploiting web application vulnerabilities. Beta 6 introduces a GTK UI, new plugins and bug fixes.
04.13.08
Posted in Site Related at 11:58 pm by Tyler Reguly
A few days ago I updated the site, and I must say... WP2.5 is awful... I'm actually disappointed that I had to upgrade. Having used typepad, WP, Greymatter, blogger and Serendipity... I was actually a really big fan of WP and thought it was about as good as they come. Now I'm not too sure about that. The user back end on 2.5 is awful... It's slower than the old UI was, it's not laid out nearly as conveniently (yes they made it less intuitive) and it's ugly... I realize it's an attempt to go more Web 2.0ish, but they failed miserably... In all the time that Wordpress has powered this blog, this is the first time I've been completely disappointed and considered moving to new software.
03.26.08
Posted in IT, Operating Systems, Windows at 8:22 am by Tyler Reguly
Confused? I know I was... but this is actually quite interesting.
OS Version (via systeminfo)
Vista Ultimate Release: 6.0.6000 N/A Build 6000
Vista Ultimate Service Pack 1: 6.0.6001 Service Pack 1 Build 6001
Server 2008 Standard Release: 6.0.6001 Service Pack 1 Build 6001
You can read more about it here.
03.23.08
Posted in IT, Security at 3:00 pm by Tyler Reguly
A discussion elsewhere got me thinking about this, and some quick googling didn't turn anything up. If there are already write-ups on this, I would love if people could point me toward them.
Let's say that you are using Tor. When your traffic traverses Tor, it hits an end-point somewhere. That end-point knows that it is your end-point. Now, I'm a malicious individual... a spammer who needs CAPTCHAs solved. What do I do? I set up a Tor server and pass you my CAPTCHAs to solve. I don't believe it would be that difficult to inject CAPTCHAs into the mix. Your Tor connection comes into the server, but outbound HTTP passes through a proxy... this proxy is designed to display CAPTCHAs.
As I said, maybe this has already been discussed elsewhere, and maybe Tor even has protections against it. Either way, I'm really surprised that you don't hear about this more often. I've read about people paying to have CAPTCHAs solved... the only cost associated with this would be bandwidth. You could even expand on it to save bandwidth. A botnet deploys Tor across several thousand machines... these machines all forward the non-local HTTP traffic to "CAPTCHA proxies".
Since Tor users are accustomed to solving CAPTCHAs for search engines and other big sites, they may not even notice these CAPTCHAs.
So let me know what you think... Thoughts, ideas, evidence of this, papers on this... it's all good.
03.22.08
Posted in Personal at 9:08 pm by Tyler Reguly
A couple of weeks ago I posted about certain GMail features not being available in Google Apps for Domains. I was out of town last week and other than taking in RENT last night on stage, I've pretty much been asleep the entire time. I just logged into my Google Apps for Domains account for the first time since getting back and I was surprised to see that all that lost functionality was now available. I don't know if someone from Google saw this and made the changes or if it was entirely coincidental, but either way... Thanks Google!