What’s the fuss about XSS

XSS stands for cross-site scripting. Another interesting acronym is cross-site request forgery (CSRF). All in all, what most of you should think about is that on web sites that are written without security in mind, or that simply have a bug, you can possibly inject code of your own as an outsider. A good example of this was the MySpace worm, which enabled its creator to have anybody who visited his MySpace profile automatically add him as a friend. Additionally, that person's profile automatically received his little piece of code, so everyone who visited that person's profile became the author's friend in turn.

So let’s see how long it took him to get a few friends. He included a little bit of code on his profile when he had 73 friends; an hour later somebody looked at his profile (1 more friend, a bit more code on that person’s page); 7 hours later he had 221 friend requests, one hour later 480, then another hour later (he had since accepted the 480 ;)) 561, … 3 hours later 2503 friends and 6373 requests; 5 hours later 2503 friends, 917084 requests, and a few minutes later over a million friend requests.

Now that’s really fun. I mean, nobody was hurt. But what follows next can be just a small addition to that little worm, or to an ad you see, a forum posting, an article, … .

As seen in the article that has just been published, entitled U R Insecure - how URI exploits are changing the webappsec landscape, you can at this time, on Firefox, IE or really any other browser as long as it runs on Windows, get at the file system. What does that mean again? It means that provided I have somehow been able to inject code into a web site you are visiting, I can open a command prompt on your machine without you noticing, download a small application, install it, and then do virtually anything to you. What could that be?

  • I delete all contents of your hard drive (actually I don’t need the app for that)
  • I turn off your computer
  • I scan all network drives for a file with “financial”, “next”, “quarter”, “confidential” or something mixing those (of course then sending me those files)

Just to connect this again to the MySpace worm: within a few hours I’d have turned off a million PCs, or scanned them for confidential material. You will by now come up with your own ideas. The thing is that the door is wide open because browsers have a mechanism that lets a web page open another application through a URI prefix. There might be a joost:// prefix registered on your machine and Joost might be insecure (not saying it is!), and I embed a link that opens joost://something, which again gives me access to the file system.

This is not posted to make anyone afraid, but it should alert us all that this Web 2.0 idea, and all the JavaScript usage, doesn’t make things easier. We can’t just bang out an alpha release of something without some idea of security. This is possibly getting dangerous and we need to be aware. With online apps suddenly being able to go offline, the problem will only get bigger. We can write great apps that run in a browser and I am looking forward to more cool things coming there, but keep in mind that it’s not all as simple as it sounds. Imagine this working on the iPhone (I am not aware that it does). I’ll just call a few numbers and you are broke and I am rich.

PHP based Intrusion Detection System

This is one of the first things that Mario started to implement when he arrived here at Ormigo. It’s now called phpids and available for everyone to use, and it is already gaining some traction with the security crowd. The thing is that we are dealing with lots of personal data here at Ormigo, so we want to make as sure as possible that it’s safe.

What phpids does is inspect the requests coming into a PHP-based application for suspicious content and assign each one a certain escalation state. Based on that state it can choose, or rather be told to, do certain things: fully deny access from a certain IP, remove the page for that user and only show a warning, do nothing but log, send out email alerts, whatever. It’s there to make sure that you are not running blind. Holes in the application are sure to happen, but the biggest problem is not knowing about them.
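To make the escalation idea concrete, here is a small added illustration (not phpids’s own code): request parameters are matched against a handful of weighted rules, the impacts are summed, and the total is mapped to a state that an application could wire to the actions above. The rules, weights, thresholds and sample requests are all made up for the example.

```php
<?php
// Added illustration of the escalation idea described above. This is NOT the
// phpids code base; the rules, impact weights and thresholds are made up.

// Each rule pairs a regex with an impact weight (assumed values).
$rules = [
    ['desc' => 'script tag',         're' => '/<\s*script\b/i',            'impact' => 5],
    ['desc' => 'event handler attr', 're' => '/\bon\w+\s*=/i',             'impact' => 4],
    ['desc' => 'javascript: scheme', 're' => '/javascript\s*:/i',          'impact' => 4],
    ['desc' => 'SQL tautology',      're' => '/\bor\b\s+\d+\s*=\s*\d+/i',  'impact' => 3],
    ['desc' => 'path traversal',     're' => '/\.\.[\/\\\\]/',             'impact' => 2],
];

// Scores every value of a request array (e.g. $_GET merged with $_POST) and
// returns the summed impact plus a list of which rule fired on which parameter.
function score_request(array $params, array $rules): array {
    $total = 0;
    $hits  = [];
    foreach ($params as $name => $value) {
        $value = rawurldecode((string) $value); // look past one layer of URL encoding
        foreach ($rules as $rule) {
            if (preg_match($rule['re'], $value) === 1) {
                $total  += $rule['impact'];
                $hits[]  = "$name: {$rule['desc']}";
            }
        }
    }
    return ['impact' => $total, 'hits' => $hits];
}

// Maps the summed impact to an escalation state; a real deployment would
// attach the actions from the text (log, warning page, block IP, mail) here.
function escalate(int $impact): string {
    if ($impact === 0) { return 'pass'; }
    if ($impact < 5)   { return 'log'; }   // record only
    if ($impact < 9)   { return 'warn'; }  // replace the page with a warning
    return 'block';                        // deny further requests from this client
}

// Constructed sample requests, not captured traffic.
$samples = [
    ['q' => 'cheap routers'],
    ['q' => "admin' OR 1=1"],
    ['name' => '<script>alert(1)</script>', 'u' => 'javascript:alert(1)'],
];
foreach ($samples as $req) {
    $r = score_request($req, $rules);
    printf("%-5s impact=%d %s\n", escalate($r['impact']), $r['impact'], implode('; ', $r['hits']));
}
```

The three samples land in the pass, log and block states respectively; note how the impact of the third request accumulates across two separate parameters, which is what lets a scoring approach catch payloads spread over several fields.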

You can check out the code right here on Google Code, or join the Google Group or simply do a Smoketest. Have fun and be sure to report back.

Since its release there has been some international coverage already, and this is just the start. Obviously this creates some overhead but hey, let’s see where it takes us; from a management perspective you do need to weigh the potential costs of a breach of your application against the possible costs of a few more servers.

I am looking forward to seeing more people take it up and contribute back into the project.

My FON Router Experience

So I received my FON router last Friday and I just wanted to quickly let the world know what my experience was. The thing is that it is a real first adopters’ device, so beware if you want to order one.

In the box is a short piece of documentation of what you have to do, and that is the first thing. It is really short and you really only have one option: set up the router behind your normal router, because the thing has to be online very fast. You boot it up, it gets its IP from your existing router, and you connect your system to the FON router. Then you quickly launch a browser and it loads a FON registration page. There you will have to enter your user information and you will get an email allowing you to authenticate yourself as the owner of that router, or rather of its MAC address. All this has to happen within 5 minutes or your router will have to be turned off and on again. It worked after the third try. Finally online with my FON router.

But I could not access the router interface anymore. This is where you have to find out that they added some security patches to the system and now you can only open the interface of the FON router via a network port and not via the WiFi interface. Oh well, once I had found that out, I could get in. The interface is nicely done but a little low on features. It does allow you to set up PPPoE though, and so I did. Here you should remember that saving those settings doesn’t suffice; you will also need to Apply them. Then again, that didn’t do much good because I did not get the router to dial in via PPPoE. It might be trying, but I wouldn’t know because there isn’t a log anywhere to be found and I couldn’t connect to it via SSH anymore to look through the file system.

So I am back using two routers, which does work, but seems a bit stupid. I am hoping to eventually get some feedback from FON through the Forums. Mailing them at info@fon.com has not had any result for another question and the people in the forum say they weren’t really successful either. The Forum seems to be filled with users and not much else. All in all, FON seems to have fallen victim to their own success and are probably trying to hire like crazy. They seem to be getting sales people on board quickly but I’d really like them to hire a very good support guy that manages their call center or at least monitors the Forum.

The price for the router still comes out great, and if you are wondering whether you can use it without being with FON, it seems that you can hack your FON router (source) to make it ping FON periodically to say you are still using their system. We’ll see how long that works, and it’s probably not something you really want or need to be doing. The system seems to work great as it is and I am looking forward to the software in version 1.0, as it’s still 0.6, signifying at least a certain degree of beta status.

We’ll see how that story continues.
