INFOSEC 101: Breaking Down Scary Terms and What They Mean

I am not a hacker. But I understand the information security world. It’s a scary place, unfortunately, to people who have no exposure to it. Yesterday, WordPress 3.0.4 was released as a critical release… and it was. Matt explained the reason for the release in this way:

Version 3.0.4 of WordPress…is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Simple enough. He goes on to refer to the vulnerability as an XSS vulnerability which caused a bit of angst on Twitter about what that means and if non-technical users should be given more information due to the terminology.

So, as a public service, I give you some basic definitions and concepts of web security and what we mean. These concepts are rightly scary, but the names tend to be scarier to those who don’t understand them.

XSS

XSS means cross-site scripting. Cross-site scripting attacks generally happen because something is injected into a URL or an “event” on a site to make the site do something else. That “something else” can mean hijacking a site so that all visitors are sent somewhere else, or injecting special HTML into the site (often hidden links that diminish the site’s Google search results, etc.). This was the nature of the vulnerability fixed in WordPress yesterday.

XSS attacks are almost always carried out through JavaScript injection. WordPress does have a security API that escapes dangerous characters (that is, the special characters that make JavaScript do things), and all plugin and theme developers are encouraged to use these APIs. [Docs]
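To make the escaping point concrete, here is an added example (not code from the post or from WordPress core) that renders the same comment text two ways in plain PHP: once echoed straight into the page, once with the characters that let text break out of its HTML context encoded. The function names and the sample comment are constructed for the demo; in a real WordPress theme or plugin the encoding step is what esc_html() or wp_kses() does for you.

```php
<?php
// Added example, not from the post or WordPress core. Plain PHP stands in for
// WordPress's escaping API so the script runs on its own.

// Constructed sample input: a visitor's comment that carries script markup.
$userComment = '<script>alert("xss")</script> Great post!';

// Vulnerable: the comment is dropped into the page as-is. The browser parses
// the <script> tag as markup and runs it in every visitor's session.
function render_comment_vulnerable(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Safe: htmlspecialchars() turns < > & " ' into entities, so the browser shows
// the comment as literal text instead of interpreting it as markup or script.
function render_comment_safe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="comment">' . $encoded . '</p>';
}

// Demo-only check: is the user-supplied part still live markup in the output?
function still_has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo render_comment_vulnerable($userComment), PHP_EOL;
echo render_comment_safe($userComment), PHP_EOL;

var_dump(still_has_script_tag(render_comment_vulnerable($userComment)));
var_dump(still_has_script_tag(render_comment_safe($userComment)));
```

The first rendering still contains a live `<script>` element; the second contains only entity-encoded text, which is why the check reports true for the vulnerable output and false for the escaped one. The rule the example illustrates is that escaping belongs at the point where untrusted text meets HTML, not where it is stored.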

CSRF

CSRF means Cross-Site Request Forgery. With CSRF attacks, browsers (and sometimes other things) are hijacked to “do” things to a website without the user knowing. It’s the proverbial trojan horse: a site inherently trusts that the user/browser is doing something legitimate, so attacks riding the coattails of that trust are given the same trust the user would get.

A simple example (one that does not actually exist) would be an authenticated WordPress user with admin privileges being tricked into clicking a link (as the authenticated user), after which admin privileges are transferred to the attacker. We’ve seen this kind of attack on Facebook and Twitter before, where messages are spread across Facebook walls or via Twitter DMs.
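The defence against the trust problem described above is to require something a third-party page cannot supply along with the request. The following added example (not code from the post or from WordPress core) shows a hypothetical “promote user” handler first trusting the session alone and then requiring a per-session anti-forgery token. WordPress’s real mechanism is its nonce API (wp_nonce_field(), check_admin_referer(), wp_verify_nonce()); the generic token logic and the handler names here are constructed stand-ins for it.

```php
<?php
// Added example, not from the post or WordPress core. A plain array stands in
// for the logged-in administrator's session so the script runs on its own.
$session = ['user' => 'admin', 'role' => 'administrator'];

// Handler 1 (vulnerable): trusts the session cookie alone. Any page the admin
// visits can make the browser submit this form, and the browser attaches the
// cookie, so the forged request looks exactly like a legitimate one.
function promote_user_vulnerable(array $session, array $post): string
{
    if ($session['role'] !== 'administrator') {
        return 'denied: not an administrator';
    }
    return "promoted {$post['user']} to {$post['role']}";
}

// Issue a random token, keep it in the session, and embed it in the page that
// renders the real form. A hostile site cannot read the admin's page, so it
// cannot learn the token.
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Handler 2 (hardened): the token issued with the legitimate form must come
// back with the request. hash_equals() compares in constant time.
function promote_user_safe(array $session, array $post): string
{
    if ($session['role'] !== 'administrator') {
        return 'denied: not an administrator';
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return 'denied: missing or invalid anti-forgery token';
    }
    return "promoted {$post['user']} to {$post['role']}";
}

// Constructed forged request: the fields a hostile page would pre-fill. It
// carries no token because that page never saw the admin's form.
$forgedPost = ['user' => 'attacker', 'role' => 'administrator'];

echo promote_user_vulnerable($session, $forgedPost), PHP_EOL;
echo promote_user_safe($session, $forgedPost), PHP_EOL;

// The legitimate form round-trips the token and is accepted.
$token = issue_csrf_token($session);
$legitPost = ['user' => 'editor_jane', 'role' => 'editor', 'csrf_token' => $token];
echo promote_user_safe($session, $legitPost), PHP_EOL;
```

Run as a script, the forged request is accepted by the first handler and refused by the second, while the form that carries the freshly issued token is accepted. The token adds nothing to authentication; it proves the request originated from a page the site itself served to this user.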

SQL Injection

SQL injection is an attack that, without going into the technical details, allows an attacker to send special queries to the database that can alter, modify or even delete a database altogether. You don’t see many of these anymore because most apps are built on frameworks or platforms (like WordPress or Drupal) that have built-in routines and APIs that prevent this. In WordPress, there is a prepare() function in the database class which ensures that no SQL injection is possible.
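For readers who want to see what “prepare” buys you, here is an added example (not code from the post or from WordPress core) that runs the same lookup with string concatenation and with a prepared statement. WordPress’s $wpdb->prepare() plays the role that PDO’s prepare()/execute() play here; an in-memory SQLite database, the table, the rows and the request values are all constructed for the demo so it runs on its own.

```php
<?php
// Added example, not from the post or WordPress core. SQLite in memory stands
// in for the site's MySQL database; PDO stands in for $wpdb.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, status TEXT)');
$db->exec("INSERT INTO posts (slug, status) VALUES
           ('hello-world', 'publish'),
           ('draft-budget-2011', 'draft'),
           ('about', 'publish')");

// Vulnerable: the request value is spliced into the SQL text, so a quote in
// the value ends the string literal and whatever follows is parsed as SQL.
function find_published_vulnerable(PDO $db, string $slug): array
{
    $sql = "SELECT slug FROM posts WHERE status = 'publish' AND slug = '" . $slug . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare time and the value travels separately
// as a parameter, so it can only ever be compared as data, never parsed as syntax.
function find_published_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT slug FROM posts WHERE status = ? AND slug = ?');
    $stmt->execute(['publish', $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values: an ordinary slug and one carrying a quote that
// rewrites the WHERE clause when it is concatenated into the query.
$normal  = 'hello-world';
$crafted = "x' OR '1'='1";

print_r(find_published_vulnerable($db, $normal));
print_r(find_published_vulnerable($db, $crafted));
print_r(find_published_safe($db, $crafted));
```

With the ordinary slug both functions return the one matching row. With the crafted value, the concatenated query’s WHERE clause becomes `status = 'publish' AND slug = 'x' OR '1'='1'`, which is true for every row, so the vulnerable function leaks the unpublished draft as well; the prepared statement simply looks for a slug equal to that literal string and returns nothing. That difference in parsing, not any filtering of “bad characters”, is what prepare() provides.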

0Day Vulnerabilities

0Day (that is Zero, not “Oh”) is a vulnerability that is exploited before it has been disclosed. Many security researchers work closely with web application developers to alert them to newly discovered vulnerabilities before they are publicly disclosed. They then work with the developers to close the hole before disclosing the vulnerability. The term 0Day comes from the idea that the web app developer learns about the exploit on the 0th day after public disclosure (that is, it hasn’t been disclosed yet).

Denial of Service/(D)DoS

(D)DoS is a (Distributed) Denial of Service attack. These attacks are carried out by flooding a site with traffic/requests to the point where the site can no longer handle the traffic and collapses. If the attack comes from a single source, it’s a DoS but if it comes from more than one, it is a DDoS.

Obviously, there are many aspects of security. We could go way complicated on terminology and concepts, but these are some of the basics you should know when you see something about a vulnerability.

Photo Credit: heathbrandon

Best Internet Memes of 2010

Pants on the Ground

January came in with a roar with American Idol auditions. One contestant, General Larry Platt, sang a ridiculous song, “Pants on the Ground”. See the original audition below:

This spawned remixes, covers and even Brett Favre firing up the Minnesota Vikings after winning the NFC Divisional game.

I’m on a Horse

The Old Spice commercial that took the internet by storm because… well, because it was so damn ridiculously funny. The man behind the I’m on a horse commercial is none other than Twitter user @isaiahmustafa.

Funny stuff.

The meme continued when Old Spice did an Old Spice Questions series on YouTube where Isaiah Mustafa took questions from Twitter users and answered them on YouTube.

After Isaiah Mustafa stepped down as the Old Spice spokesman, Baltimore Ravens linebacker Ray Lewis stepped in with hilarity of his own.

BPGlobalPR

Leroy Stick (a fake name) began the Twitter account @BPGlobalPR after watching for over a month as BP Public Relations people spun bullshit to the general public and government following the catastrophic oil spill in the Gulf of Mexico. The account served several purposes. For one, it helped us laugh when he put out content like this:

The second purpose it served was to draw attention to the horrible way BP managed its reputation and brand. At the TEDxOilSpill event, Stick was quoted as saying, “Having a brand means you stand for something. If you lie, then lying is your brand.”

This account has easily become the most retweeted account of 2010, and it’s devastating in its satirical impact.

Double Rainbow

The Double Rainbow meme was hilarious in its own right. A guy in Yosemite National Park witnessed a double rainbow and proceeded to cry, weep, squeal and ask, “What’s it mean?” on video. The video was shared across the internet and even remixed into an autotuned song.

You’re Holding it Wrong

With the release of the iPhone 4, users complained about lack of reception and dropped calls. In an extraordinary press conference shortly after the release of the phone, Apple CEO Steve Jobs commented on how, if the phone was held a certain way, it would interfere with the built-in antenna. This was echoed by Apple and AT&T Support technicians and the phrase, “You’re holding it wrong” was adopted by the masses.

“You’re holding it wrong” also became a euphemism for other hilarity throughout 2010.

Journos Go All Capitalistic on Wikileaks

Since the release of the State Department cables by Wikileaks, I’ve sat back and watched as the journalism world has gone through convulsions about the morality of capitalizing on these secrets.

It’s been a fascinating, and illuminating, charade. As the fourth estate, the media would like to portray themselves as an unbiased, objective entity that maintains balance in society. Yet, inherently, the media is just as guilty of self-interest as anyone else in this whole mess.

Yes, the State Department specifically, and the United States (and maybe other) governments would like to keep the lid on the memos. They see their credibility in talking with other nations on the line.

Julian Assange sees this, as pointed out in the great piece by zunguzungu, where Assange is quoted as saying:

Authoritarian regimes give rise to forces which oppose them by pushing against the individual and collective will to freedom, truth and self-realization. Plans which assist authoritarian rule, once discovered, induce resistance. Hence these plans are concealed by successful authoritarian powers. This is enough to define their behavior as conspiratorial.

Assange sees a world where transparent and open government subverts the power and authority of that same government, and so there is a natural tendency (he calls it conspiracy) to hide what happens inside.

I agree that this dichotomy exists in some areas of government, but the diplomatic cables are common sense – for all involved. Keep them hidden as there is a potential that revelation can increase safety risks, decrease operational security and reduce negotiation power. Successful negotiations derive from a position of power and everyone knows this. This is not something that amounts to some great conspiracy.

Meanwhile, the media is on the sideline, its power usurped by this rogue operative with a rogue website. Instead of the New York Times or Washington Post benefiting from the receipt of leaked information, as has traditionally been the case (see Watergate), an upstart “news organization” is stealing their thunder. Sure, the Times and a variety of other media outlets were given the data eventually, but they were no longer the arbiters of information.

While the media wrings its hands over a contrived battle between the morality of publishing leaked national security documents and the preservation of national secrets, the bigger capitalistic battle is happening, and that overshadows any journalistic sense of responsibility.

The ability to be first is being tainted here. While Wikileaks promises to distribute new information, acting as a benevolent dictator, to news organizations, these news organizations are capitulating their responsibilities simply to make sure they have some crumbs off of Assange’s table.

No one, certainly, is suggesting that news outlets should become a lap-dog of the government, as I have heard tossed around, bowing to its every will and whim. Certainly not, lest we live in a Communist system. However, the media is expected to operate in a suitably responsible way.

In this case, the media knows that they are on the outs. In a last gasp of industry-pride, they have sacrificed themselves in a last-ditch effort to remain relevant. Put in another way, they have come to serve themselves instead of the people they exist to serve.

Of course, this hasn’t happened overnight. No, in fact, many years of budget cuts, acquisitions, mergers and staff reductions have caused the media industry to alter how it operates and approaches stories. It’s less likely that you’ll have a Bob Woodward and Carl Bernstein hitting the trenches to uncover a conspiracy so deep that it reaches the President of the United States. No, that would require far more time and resources – and frankly, better reporters – than exist in today’s media.

So, with not a thought for their forefathers, the media of the 21st century makes decisions of national security to protect their own industry rather than serve the constituents who consume their journalism every day. I wish it weren’t so.

Photo by Photoserra