Archive for February, 2007

Interesting new WWW attack vector

Friday, February 23rd, 2007

While I suppose that using javascript for evil purposes isn’t exactly a new idea, Bruce Schneier has written a piece (also covered on Slashdot and, I’m sure, other places) about three guys who have developed an attack that royally screws most users’ ability to use their Internet connection again.

AJAX, the magic pixie dust used heavily on sites like Google Mail, is really just javascript with the ability to make HTTP requests and parse the results of those requests. Javascript has been available in browsers for years and has recently enjoyed renewed interest from web developers because of that last (somewhat) new capability. The use of this technology for evil is nearly indistinguishable from legitimate use, so it’s hard for any software to detect it and prevent it.

Basically, the attacker sets up a web site with some javascript code (see below) and tricks you into visiting that site. It’s not all that hard to get people to look at a rogue site: you can either spam the entire world and expect that a certain percentage of email readers are suckers who will click on the links in those messages, or you can hack a major site (such as Dolphin Stadium) and insert the exploit into it.

Now, the fun begins. This piece of javascript code (which, as I mentioned earlier, is pretty much impossible to identify as evil) attempts to make a connection to your router. If you are like most home users, your router is still sitting there with its default, factory-set password (probably something stupid like “admin”). That means that this piece of javascript code can log in to your router and start playing around. This particular attack is designed to change your DNS settings such that all requests for named Internet addresses go to malicious servers. Those requests will be answered with fraudulent IP addresses which can be used to either emulate your favorite website or simply serve nothing but pop-up ads and porn. This little hack could even change your router’s password, locking you out of your own hardware.
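What makes this attack work is a combination the router vendor can break: a factory password that is still in place, and a configuration form that accepts a request from any web page the browser happens to be showing. The model below is an added example, not code from the post or from any router vendor; it shows the three checks an admin interface needs before it touches the DNS settings: refuse configuration changes while the factory password is still set, refuse requests whose Origin/Referer is not the router itself, and require a per-session CSRF token. The account store, the list of factory defaults, the header names and the 192.168.1.1 management address are constructed assumptions.

```python
"""Server-side checks a router admin interface needs in order to defeat the
attack described above: factory-default credentials plus a state-changing
request that any web page the user visits can trigger from JavaScript.

Added example, not code from the post or from any router vendor.  The
account store, the factory-default list, the header names and the
192.168.1.1 management address are constructed assumptions.
"""

import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the address the admin pages are served from.
ROUTER_HOST = "192.168.1.1"

# Constructed: (username, password) pairs the device must treat as "never changed".
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def fresh_accounts() -> dict:
    """Constructed account store for a device straight out of the box."""
    return {"admin": "admin"}


def login(accounts: dict, username: str, password: str):
    """Return a session, or None if the credentials are wrong.

    The session remembers whether the account still carries a factory
    password, so configuration changes can be refused until it is changed,
    and it carries a per-session CSRF token that a cross-site page cannot read.
    """
    stored = accounts.get(username)
    # Plaintext comparison only because this is a model; a real device stores a hash.
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return {
        "user": username,
        "password_is_default": (username, password) in FACTORY_DEFAULTS,
        "csrf_token": secrets.token_hex(16),
    }


def change_password(accounts: dict, session: dict, new_password: str) -> None:
    """Set a new admin password; refuse to 'change' it to another factory default."""
    if (session["user"], new_password) in FACTORY_DEFAULTS:
        raise ValueError("new password is a factory default")
    accounts[session["user"]] = new_password
    session["password_is_default"] = False


def is_same_origin(headers: dict) -> bool:
    """Accept a state-changing request only if the browser reports that it came
    from the router's own pages.  Origin is preferred, Referer is the fallback,
    and a request carrying neither is refused (fail closed)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and parts.hostname == ROUTER_HOST


def csrf_token_valid(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def authorize_dns_change(request: dict, session: dict) -> tuple:
    """Decide whether a 'change the upstream DNS servers' request may proceed.

    request = {"headers": {...}, "form": {...}} as the admin page receives it.
    Returns (allowed, reason); the most decisive refusals come first.
    """
    if session.get("password_is_default"):
        return False, "factory password still set; change it before altering configuration"
    if not is_same_origin(request.get("headers", {})):
        return False, "request did not originate from the router's own pages"
    if not csrf_token_valid(session, request.get("form", {}).get("csrf_token")):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    accounts = fresh_accounts()
    s = login(accounts, "admin", "admin")
    # Constructed: what a rogue page's script would send after logging in with the default.
    rogue = {"headers": {"Origin": "http://rogue.example"}, "form": {"dns1": "198.51.100.53"}}
    print(authorize_dns_change(rogue, s))
    change_password(accounts, s, "something-long-and-unique")
    print(authorize_dns_change(rogue, s))
    legit = {"headers": {"Origin": "http://192.168.1.1"},
             "form": {"dns1": "198.51.100.53", "csrf_token": s["csrf_token"]}}
    print(authorize_dns_change(legit, s))
```

The origin check fails closed, so a browser or privacy proxy that strips both Origin and Referer will be unable to change settings; that is the intended trade-off for a device whose configuration page is reachable from every tab the user has open. Note that none of these checks inspects the request body for "evil", which is the point the post makes: the request is indistinguishable from a legitimate one, so the defence has to rest on who sent it and with what credentials.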

Imagine if you were to fall victim to this exploit… the next time you tried to access, say, www.bankofamerica.com, the rogue DNS server sends you to what really is www.evilbankofamerica.com. The site looks like Bank of America’s real site, and you fall for the bait. You enter your username and password for online banking, and bang! – the bad guys have your online banking credentials.

SSL certificates might save you, since VeriSign (and others) are unlikely to issue an SSL cert for “www.bankofamerica.com” to an entity that is not Bank of America. But what do you think most people do when they get a security warning these days? My guess is that most people do whatever they have to do in order to make the security warning go away and let them look at the website they wanted. That is a recipe for disaster.
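The warning the paragraph above talks about comes from one specific check: the name the user typed has to appear in the certificate the server presents. The server the rogue DNS answer points at has no certificate naming www.bankofamerica.com, so the check fails. The following is an added example, not code from the post, writing that check out so it is clear what “clicking through” throws away. The certificates are constructed dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()` (not real certificates), the evilbankofamerica name is the post's own hypothetical, and the matching rules follow RFC 6125: exact match, or a wildcard only as the whole left-most label.

```python
"""Hostname verification against a certificate's subjectAltName, written out.

Added example, not code from the post.  The certificate dictionaries are
constructed in the shape of ssl.SSLSocket.getpeercert(); the matching rules
follow RFC 6125 (exact match, or '*' as the entire left-most label only).
"""


def _dns_names(cert: dict) -> list:
    """Extract dNSName entries from subjectAltName.  The commonName is ignored
    on purpose: it is not a reliable statement of which hosts a cert is for."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _pattern_matches(pattern: str, host: str) -> bool:
    if pattern == host:
        return True
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard must be the whole left-most label, must not sit at TLD level
    # ("*.com"), and covers exactly one label (*.example.com does not match
    # a.b.example.com).  Partial wildcards such as "f*.example.com" are refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if the certificate names this host (case-insensitive, trailing dot ignored)."""
    host = hostname.lower().rstrip(".")
    if not host or any(label == "" for label in host.split(".")):
        return False
    return any(_pattern_matches(p.lower().rstrip("."), host) for p in _dns_names(cert))


class CertificateMismatch(Exception):
    """Raised instead of asking the user whether to continue."""


def verify_or_refuse(hostname: str, cert: dict) -> str:
    """What 'do not click through' looks like in code: a mismatch is an error, not a prompt."""
    if not hostname_matches(hostname, cert):
        raise CertificateMismatch(f"certificate does not name {hostname}")
    return hostname


# Constructed certificates (getpeercert() shape; these are examples, not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
ROGUE_CERT = {  # what the server behind the rogue DNS answer could actually obtain
    "subject": ((("commonName", "www.evilbankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.evilbankofamerica.com"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    print(hostname_matches("www.bankofamerica.com", BANK_CERT))   # the real site
    print(hostname_matches("www.bankofamerica.com", ROGUE_CERT))  # the pharmed one
    try:
        verify_or_refuse("www.bankofamerica.com", ROGUE_CERT)
    except CertificateMismatch as exc:
        print("refused:", exc)
```

The name check is only one of the things a browser verifies (chain to a trusted root and validity dates are the others), but it is the one a DNS hijack trips over: the attacker controls where the name resolves, not what a CA will sign for that name. Anything that automates HTTPS (scripts, embedded devices, update clients) should behave like `verify_or_refuse` and have no "continue anyway" path at all.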

Since we’re talking about folks who have never changed their router’s password, they probably wouldn’t know how to recover from this problem, either. If the attack also changed the router’s password, the only way back up and running is a reset to factory defaults.

I’m guessing most home users will ask friends what to do if every site they visit is just porn and popups. The advice they are going to get is to reinstall their operating system (statistically it will be Microsoft Windows, which has a bad reputation for becoming easily infested). Many users aren’t willing to do that, and will pay someone else to do it. Reinstalling the OS won’t work, since the problem lives in the router, so those users are likely to do the next best thing: go out and buy a new computer. That won’t work either.

What a pain in the ass.

What a great exploit.

Blog moved to virtual host

Tuesday, February 13th, 2007

The whine of my rack server has finally gotten to me.

So, in spite of the home heating advantages, after more than 2 years of hosting my own website, blog, and mail server in my home, it’s time to get it out of here.

I found a relatively low-cost virtual hosting plan where I have free rein of my own virtual machine. Sadly, I couldn’t use Gentoo – my preferred Linux distribution – so I had to settle for Debian, whose package manager is absolutely maddening to me.

At any rate, we’ll see how things go. So far, the MySQL upgrade (Debian’s latest stable version is 4.0? WTF?) and WordPress installation (no stable version available through Debian?!) have been relatively painless. Let’s just hope that everything else goes well.