From XSS to root: Lessons Learned From a Security Breach

Wednesday, April 14, 2010 at 8:34am by Toralv Dirro

In an excellent blog post, the people at Apache did a very good job of analyzing and documenting how a security breach happened, going through all the stages of the attack and drawing conclusions. Should you ever become the unfortunate victim of an attack, this post offers an example of how to document it!

I quote: “If you are a user of the Apache-hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised.” So if you are a user, please act accordingly after reading this post ;)

But let’s take a look at the early stages of the attack; I feel there are some important conclusions missing:

Apache reports two simultaneous attacks: a brute-force attack against the JIRA login and an attempt to exploit a (previously unknown) cross-site scripting vulnerability. They later say that just one of the attacks was successful, but not which one. From their blog:

The attackers, via a compromised Slicehost server, opened a new issue, INFRA-2591. This issue contained the following text:

ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]

Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross-site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.

So administrators, knowledgeable and security-minded users with elevated privileges, opened an unverified link supplied by an external (anonymous?) source. Worse: the link was clearly obfuscated. This is where all technical security measures fail. Users worldwide are told again and again to be very careful with links in email and on social networks, especially when they come from an untrusted source. Well, the fact that Koobface is alive and spreading makes it obvious that users are still too happy to click on any link they get. That experienced administrators fall for this makes the future look gloomy indeed. :(

And another word about URL obfuscators: a link shortened with tinyurl is one of the very few that I would open, simply because it has a preview feature you can enable that shows you the actual link before it takes you there. If at least one of the targeted users in this incident had enabled that feature, the XSS attack would have been obvious and would have been discovered immediately.

So folks, please enable such functionality before you fall victim to an attack through obfuscated links, and steer clear of unknown URL shorteners or those without a preview feature.
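As an added example (not code from the original post or from Apache's write-up), the following Python script does programmatically what the preview feature does: it follows a shortened link one redirect hop at a time without ever loading the destination page, then flags a final URL that points back at one of your own web applications and carries script-like content, which is the pattern of this incident. The internal host names, the shortener domain and the redirect table are constructed assumptions so the script runs offline.

```python
"""Expand-before-click check for shortened links (added example, not
from the original post or from Apache's write-up)."""
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Hypothetical internal web apps to protect (assumed names, not real hosts).
INTERNAL_HOSTS = {"issues.example.org", "wiki.example.org"}

# Markers that have no business in a link you are asked to click on.
_SCRIPT_MARKERS = re.compile(
    r"(<\s*script|javascript:|document\.cookie|\bon(error|load|click)\s*=)",
    re.IGNORECASE,
)


def _http_location(url):
    """Fetch ONE redirect hop with a HEAD request and return its Location
    header (None when the URL is a final page). Redirects are deliberately
    not followed, so the destination page is never downloaded or rendered."""

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop urllib from following the redirect itself

    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10):
            return None  # 2xx answer: this is the final destination
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def expand(short_url, fetch_location=_http_location, max_hops=5):
    """Resolve the redirect chain and return every URL visited, first to last.
    Relative Location headers are resolved against the hop that sent them."""
    chain = [short_url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt:
            break
        chain.append(urllib.parse.urljoin(chain[-1], nxt))
    return chain


def assess(short_url, fetch_location=_http_location, internal_hosts=INTERNAL_HOSTS):
    """Classify a short link by where it really goes: OK, REVIEW (lands on an
    internal app, or carries script-like text) or BLOCK (both at once, the
    reflected-XSS-against-our-own-app pattern)."""
    chain = expand(short_url, fetch_location)
    final = chain[-1]
    findings = []
    host = urllib.parse.urlsplit(final).hostname
    if host in internal_hosts:
        findings.append("redirects back to internal host " + host)
    # Decode percent-encoding first: payloads in a query string arrive encoded.
    if _SCRIPT_MARKERS.search(urllib.parse.unquote(final)):
        findings.append("script-like content in URL")
    verdict = {0: "OK", 1: "REVIEW", 2: "BLOCK"}[len(findings)]
    return {"chain": chain, "final": final, "verdict": verdict, "findings": findings}


# Constructed redirect table standing in for a URL shortener, so the example
# runs offline; dict.get has the same (url -> Location or None) shape as
# _http_location.
FAKE_HOPS = {
    "http://short.example/attack": "http://issues.example.org/secure/Search.jspa"
                                   "?q=%3Cscript%3Edocument.cookie%3C%2Fscript%3E",
    "http://short.example/internal": "http://issues.example.org/browse/",
    "http://short.example/benign": "https://blog.example.net/post",
}


def demo():
    """Run the three constructed links through the check."""
    return {name: assess("http://short.example/" + name, FAKE_HOPS.get)
            for name in ("attack", "internal", "benign")}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], "->", result["final"], result["findings"])
```

Replace `FAKE_HOPS.get` with the default `_http_location` to resolve a real short link over the network; the destination page itself is still never fetched.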

Comments (2)

  • albino April 16, 2010 1:12PM

    Surely an attacker could offer a link to any page that they have control over, and have that page redirect to the XSS’d page. Given the number of vulnerable web applications around, the only ‘safe’ course of action would be to not visit any websites that you haven’t already visited – which is clearly impractical.

  • Alan Browsky April 16, 2010 12:43AM

    It is very interesting to see how everyone is *now* concerned with these short links, especially after Apache.org got hacked because of a short link, https://blogs.apache.org/infra/entry/apache_org_04_09_2010

    When TinyURL, and all the other >500 followers, started to offer shortening services, all the people began to use short URLs like crazy. I think that Twitter played its role, though. Wouldn’t it be better to prevent all this from happening by analyzing short links before the bad guys started to exploit them?

    However, I have noticed that one effort is being made along this direction: besides its own shortening service, the guys at http://long-shore.com seem to offer a simple analyzer that goes a little deeper than “previewing”.