Jabber Broadcaster
On the way back from the Informatiktage 2007 I wrote something Daniel Schreckling asked for. He wanted something to coordinate when to go to lunch with his coworkers.
So I wrote this little jabber bot. It allows users to create new channels, within which all members may broadcast messages to the other subscribers. The channels are secured by a password, set by the creator.
I’ll set one up at [email protected] in the next few days. If you find any security issues, I appeal to your honesty to report them to me rather than using them for destructive purposes. The source can be found here, so feel free to use or extend it. I’m sorry there are no comments, but hopefully the code is pretty straightforward. To use this bot you need the xmpp and MySQLdb modules for Python installed, well, and Python itself.
Update (4. April 2007):
I corrected a little mistake in the code.
You may test it at jid:[email protected].
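An added example, not the bot’s own source, modelling the channel logic the post describes (create a password-protected channel, join it, broadcast to the other subscribers) as plain Python with the XMPP transport injected as a callable; the command names create/join/say, the salted PBKDF2 storage of the channel password and the constant-time comparison are assumptions of this example, not taken from the original code.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class Broadcaster:
    """In-memory model of the bot's channel logic: create, join, say."""

    def __init__(self, send):
        self.send = send                  # send(jid, text): the XMPP transport, injected
        self.channels = {}                # channel name -> (salt, password hash)
        self.members = defaultdict(set)   # channel name -> set of member JIDs

    @staticmethod
    def _hash(password, salt):
        # Store a salted PBKDF2 hash, never the channel password itself (assumption).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, name, password):
        salt, digest = self.channels[name]
        return hmac.compare_digest(self._hash(password, salt), digest)  # constant-time

    def handle(self, sender, text):
        """Dispatch one incoming message of the form '<command> <channel> [argument]'
        and return the reply that goes back to the sender."""
        cmd, name, arg = (text.split(" ", 2) + [None, None])[:3]
        if cmd == "create":
            if not name or not arg:
                return "usage: create <channel> <password>"
            if name in self.channels:
                return "channel exists"
            salt = os.urandom(16)
            self.channels[name] = (salt, self._hash(arg, salt))
            self.members[name].add(sender)      # the creator is the first subscriber
            return "created " + name
        if cmd == "join":
            if name not in self.channels:
                return "no such channel"
            if arg is None or not self._check(name, arg):
                return "wrong password"
            self.members[name].add(sender)
            return "joined " + name
        if cmd == "say":
            if sender not in self.members.get(name, ()):
                return "not a member"           # non-members can neither broadcast nor probe
            if not arg:
                return "usage: say <channel> <message>"
            for jid in self.members[name] - {sender}:   # everyone but the sender
                self.send(jid, "[%s] %s: %s" % (name, sender, arg))
            return "sent"
        return "commands: create, join, say"
```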
Filesharing 2.0
During the Informatiktage 2007 I got in touch with the presenter of the trusted computing lecture, which was based on his diploma thesis. He told me about some ideas on how trusted computing might be used to protect privacy, for example in filesharing. Normally you would use trusted computing to certify that an application does exactly this or that, but why not use it the other way round and certify that it does not do something, for example associating an IP with a file or any other kind of logging. Since I am not yet that deep into trusted computing and did not get all the details of how to guarantee such behaviour, I will not try to explain it in greater detail now. Put plainly: use trusted computing to certify that the counterpart’s software is not logging anything and maybe supports some techniques to obscure things.
Some additional security measures we have been thinking about, which would be needed to disguise the source, are:
- Naturally, encrypting the traffic, so that no conclusions can be drawn about the content transferred.
- Generating fake traffic to other clients, so it is not possible to know which clients really sent parts of the file. This only works if the fake traffic is, on average, as much as the traffic generated for downloading the file, on a per-client basis. If only one or just a few people are sharing a file, especially a big one, this kind of disguise is pretty traffic hungry and not very applicable.
Nevertheless, I think this is a pretty innovative approach. When I have found the time to get a bit more into trusted computing and peer-to-peer networking we will hopefully start this project.
If you have some ideas which may lead to an improvement of this project, please contact me. Or if you know this won’t work, contact me too, but please also explain why ;).
Informatiktage 2007
This weekend the Informatiktage 2007 took place. It was pretty cool and interesting. As I wrote before, I attended the workshop “Security in online banking”, which was held by Hans-Peter Dünnwald, Matthias Stoffel and Eberhard Stickel. They were from the “Sparkasseninformatikzentrum” and the “Hochschule der Sparkassen-Finanzgruppe”. We were only 5 attendees, so it was rather relaxed. The workshop was divided into three parts: one on the first day and two on the second.
The first one started a little boring and confused, because at first only one of the three people who were supposed to present this workshop was there, and the one who was present was pretty ill. The two others arrived shortly before the end; they had some meetings. He began the workshop with the basics of cryptography, like what symmetric and asymmetric encryption are and such. Most of us had already heard and/or read almost everything we were told.
The evening program was called networking. But no, we didn’t play computer games. It was more about getting in contact with other students and the representatives of the companies that were presenting the workshops or sponsoring the whole congress. And there was free beer, which almost got fatal for me.
On the second day three of us, including me, were able to give a short lecture about our submissions. Too bad Georg and I were a little late, because I had to find a copy shop able to print a black and white poster for under 20 Euro, so we missed the first half of “Rainbow table Cracking”. My lecture was about XSS and Session Riding. I mostly did a live presentation of how it works and then enumerated known countermeasures. Unluckily I seem to have enjoyed talking about XSS too much, so there were only 5 minutes left for Session Riding, and so this part got a little chaotic.
The Sparkasse’s part was much more interesting than the day before. They told us about their experiences and their way of handling security and its breaches. I was just a little disappointed about their comment on requiring JavaScript to even be able to reach the Haspa online banking section. They only said “Yes, I do agree with you. But you always have to choose between security and functionality/design”. Yes, I do agree with them, but please choose security when it comes to my money. Well, they told me the new Haspa website had already launched; I just had a look at it and, fortunately, they did change it. The topic of this second part was basically the ways the guys with the dark hats do their stuff. It was primarily about phishing techniques, since that is the way most of the damage is done.
Between the second and third part of the workshop the poster session took place. I had the feeling that it got more attention on the first day, so we mainly talked to the owners of our neighbouring posters. But maybe it was just because my poster was that ugly and/or uninteresting. I wouldn’t wonder about that too much. I created it in the middle of the night and the print was done by zooming an A4 print to A1 format, which is not necessarily the best thing to do. But it saved me 10 Euro.
The last part began with the third lecture, which was about trusted computing in mobile environments. The third part was then mainly about the precautions taken and the upcoming hardware used by the Sparkasse. In the near future there will be a small chip card reader available that generates a special TAN from the current EC card and some values of the transaction. But I don’t like the idea too much, because if I lose my EC card, someone else might be able to generate TANs from it.
All in all it was really fun. This was one of the rare chances to get to know students from other universities and cities. It gave us the chance to build connections between individuals with similar interests and, which may be even more interesting, with not-that-similar interests and thus a different point of view. I also learned some things about the ways computer science is handled in other cities, which was pretty interesting as well.
Ynnuf Ffuts
I was just playing around with some special characters when I stumbled across this. If you insert into some text, the order of all following characters is reversed from that point on. As far as I can see this has no security implication, since tags are still interpreted in the “right” direction, but it can be very annoying anyway and, depending on how the page is written, might even kind of deface it. The effect applies to all characters after this “special character” that are in the same DOM text element. Well, this is not really accurate, because the source code view gets converted entirely from that point on, at least in Firefox.
So here is a small example of what this looks like…
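An added example, not from the original post, of the check a site owner would want for user-supplied text: find and strip Unicode bidirectional control characters before they reach the DOM. The post does not name the character it found; this example assumes it is U+202E RIGHT-TO-LEFT OVERRIDE (the set of controls, the sample comment and the function names are all constructed here), and also shows that ordinary HTML escaping leaves the character in place.

```python
import html
import unicodedata

# Unicode bidirectional control characters. The post does not name the character it
# found; it is assumed here to be U+202E RIGHT-TO-LEFT OVERRIDE, which reverses the
# display order of everything that follows it in the same text run.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO (embeddings/overrides)
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI (isolates)
    "\u200e\u200f"                     # LRM, RLM (marks)
)


def find_bidi_controls(text):
    """Return (index, Unicode name) for every bidi control character in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text):
    """Drop bidi controls from untrusted text before it goes into a page."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def survives_html_escaping(text):
    """True if HTML-escaping (the usual XSS defence) leaves a bidi control in place:
    the override is not an HTML metacharacter, so escaping alone does not remove it."""
    return bool(find_bidi_controls(html.escape(text)))


# Constructed sample comment: the visible text after the override is drawn reversed.
SAMPLE = "looks fine\u202e but then reversed"
```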
Advanced Voodoo
Are you interested in theoretical computer science? Are you more into mathematics than simple multiplication? Then this is going to be interesting for you.
George, the brain, is now blogging and sharing his knowledge with us. I am really looking forward to seeing when he is going to solve P = NP and the theory of everything. ;)
GI Workshop
A few days ago we submitted a paper to the GI, which was originally part of an abstract M4z and I did for a seminar. They accepted it, which means it will be printed in their magazine. That alone is nothing too cool, since it is more or less a summary of web-based vulnerabilities, but the really cool thing is that we will be going to Bonn from the 29th to the 31st of March for a workshop at the Informatiktage 2007. And even better, the journey as well as the hotel will be paid for.
We could choose between several different topics. I clearly decided to attend “Security in Online-Banking”, since it was the only security-related one.
It seems to be held by someone who is at least related to the “Sparkasse”, and I am really interested in their point of view. The Haspa, which is Hamburg’s branch of the Sparkasse, needs JavaScript activated to even be able to reach their online banking service. I do not get why they are doing this?! It does not look too security-conscious to me. Well, they have TANs, so it is not all that easy to ride the session and transfer money to my own account. But there may be other things that could be modified. And moreover this urges even security-aware people to activate JavaScript and therefore be vulnerable to potential XSS vulnerabilities.
I guess I will be looking at what may be done with Session Riding on their site before then. Perhaps I will also find some XSS possibility, but this does not appear too likely after a first look.
If you have something similar or have already found a vulnerability, please let me know. Maybe it will get a bit more of their attention when someone discusses it with them in person.
Nonetheless, I am really looking forward to this.
Massmail - XSS For The World
I just mailed most of the websites I found XSS vulnerabilities on. I will give them about a week to respond and then publish the list.
By the way, while collecting the mail addresses to inform them, I tried to find an email address of anyone responsible for anything at aol.com, but their page is so well organized that I could not find any. Most of the time they wanted me to log in. But why should I register on an obviously vulnerable website? Thus they got left out.
UTF-7 Stuff
A few days ago I got a link from Martin Johns (this) and started playing around with it.
A scenario for this: you have a page where everything between < and > is filtered out. It seems to forbid the inclusion of <script> blocks. But here is the clue: if the page does not define a charset, neither in the header nor via a meta tag, we may load the page within an iframe on a page whose charset is set to UTF-7, and this way, having not < or > but +ADw- and +AD4-, circumvent the filter.
I got some code working which exploits this here. You may want to see the page here, the one that will be loaded into the iframe, before you look at the link, since Firefox saves the overridden charset for that page and will view the content with the charset set to UTF-7, this way executing the JavaScript. To reset it, just clear your browser cache.
Since I do not have a second domain at the moment and could not find a page which does not set the charset, I could not test what happens if a foreign domain is loaded inside the iframe.
While looking for a page that does not define a charset, I found something else which seems like a fixed issue. On pages where the charset is not defined in the header but in a meta tag, there should be no charset defined on pages that are generated by the web server itself. But too bad, someone else must have found that before, because 404 error pages, which at least when generated by Apache show the string of the requested page, now magically have a charset defined in the header. If you have another idea how a web server may be tricked into generating a page without a charset, I would love to know.
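An added example, not the code linked from the post, that walks through the scenario above in Python: where +ADw- and +AD4- come from, why a filter that only looks for < and > never sees them, how a browser that inherits UTF-7 from the embedding page rebuilds the tag, and why declaring a charset stops it. The filter regex, the browser model and the harmless <b> payload are constructed here; only the charset fallback behaviour follows the post.

```python
import base64
import re


def utf7_shift(ch):
    """UTF-7 shift sequence for one character: '+', base64 of its UTF-16BE form
    without '=' padding, '-'. This is where +ADw- ('<') and +AD4- ('>') come from."""
    b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


def naive_filter(text):
    """The filter from the post: everything between '<' and '>' is removed."""
    return re.sub(r"<[^>]*>", "", text)


def contains_tag(text):
    return re.search(r"<[^>]*>", text) is not None


def browser_decode(body, declared_charset, inherited_charset):
    """Model of the browser: honour the charset the page declares (header or meta tag);
    if it declares none, fall back to the one inherited from the embedding page, which
    the iframe trick sets to UTF-7."""
    return body.decode(declared_charset or inherited_charset)


# Constructed input: a harmless <b> tag written as UTF-7 shift sequences, so it contains
# neither '<' nor '>' and therefore passes the filter untouched.
PAYLOAD = utf7_shift("<") + "b" + utf7_shift(">") + "bold" + utf7_shift("<") + "/b" + utf7_shift(">")


def scenario(declared_charset):
    """Filter the payload, emit it as bytes, and decode it as a browser would.
    Returns (what the server stored, what the browser renders)."""
    stored = naive_filter(PAYLOAD)
    rendered = browser_decode(stored.encode("ascii"), declared_charset, "utf-7")
    return stored, rendered


def response_headers():
    """The fix: always declare the charset, so the browser never falls back to the
    embedding page's choice. A meta tag with the same charset is a second line of defence."""
    return {"Content-Type": "text/html; charset=utf-8"}
```

With no declared charset the browser renders `<b>bold</b>`; with `charset=utf-8` declared the same bytes render as the literal `+ADw-b+AD4-...` text.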
Hello World
This is the first entry in my obviously new blog. If I am not too lazy, I will post here stuff I am playing around with, which will be mostly security related. Other content may be things I experience or discover and consider worth mentioning.