Monday, October 18, 2010

Cross-Site Request Forgery: Are your web applications vulnerable?

Cross Site Request Forgery (also known as XSRF or CSRF) works by exploiting the trust that a site has in the user. CSRF, according to OWASP, is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.

How does the attack work?

There are lots of ways in which an end-user can be tricked into submitting information to or loading from a web application. In order to execute an attack, we need to first understand how to generate a malicious request for our victim to execute.

Let us consider the following example: Sawyerr wishes to transfer #1,000 to Segun using The request generated by Sawyerr will look similar to the following:


However, Titi discovers that the web application in question will execute the same transfer using the URL parameters below:


Titi now decides to exploit this web application vulnerability using Sawyerr as her victim. Titi first constructs this URL which will transfer #100,000 from Sawyerr's account right to her account.

Now that she has generated her malicious request, Titi needs to trick Sawyerr into submitting it. The easiest way to do this is to send Sawyerr an HTML mail containing the following:

<a href="">View my Pictures!</a>

This assumes that Sawyerr is authenticated with the web application when he clicks the link; if he is, the transfer of #100,000 to Titi's account will occur.

But let's say Titi realizes that Sawyerr will notice that a transfer has occurred if he clicks the link. Titi can then decide to hide the attack in a zero-byte image, as below:

<img src="" width="1" height="1" border="0">

If the code above were included in the email, Sawyerr would only see a little box indicating that the browser could not render the image. However, the browser will still submit the request, without any visual indication that the transfer has taken place.

How to Prevent this type of attack

Use the cheat sheet provided by OWASP here to prevent this type of attack.
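The OWASP cheat sheet's core recommendation is the synchronizer token pattern: every state-changing request must carry a secret token that the server tied to the user's session, which an attacker's page cannot read. The following is an added example written for this post (it is not code from the original post or from OWASP) showing that pattern together with two defence-in-depth checks, refusing state changes on GET and checking the Origin/Referer header. The bank application, the in-memory session store, the function names and the origin `https://bank.example` are all assumptions made up for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory session store (constructed for this example):
# session id -> {"user": ..., "csrf_token": ...}. A real application would
# use its framework's server-side session instead.
SESSIONS = {}

# Assumed origin of the bank's own site; cross-site pages cannot forge this header.
ALLOWED_ORIGIN = "https://bank.example"


def new_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Embed the session's token as a hidden field (synchronizer token pattern)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def same_origin(header_value, allowed):
    """Compare scheme and host exactly; a prefix check would accept bank.example.evil."""
    got, want = urlsplit(header_value), urlsplit(allowed)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_transfer(cookies, method, params, headers):
    """Simulated /transfer endpoint. Returns (status, message)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    # 1. Never change state on GET: the <a> and <img> tricks in the post can
    #    only produce GET requests, so this alone defeats them.
    if method != "POST":
        return 405, "state change requires POST"
    # 2. Origin/Referer check: a form auto-submitted from another site carries
    #    that site's origin. Reject if the header is absent or foreign.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin, ALLOWED_ORIGIN):
        return 403, "cross-origin request rejected"
    # 3. Synchronizer token: must equal the session's token, compared in
    #    constant time so the comparison itself leaks nothing.
    submitted = params.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {params['amount']} from {session['user']} to {params['to']}"


def demo():
    """Replay the post's scenario against the protected endpoint."""
    sid = new_session("Sawyerr")
    cookies = {"session": sid}          # the browser attaches this automatically
    token = SESSIONS[sid]["csrf_token"]
    forged = {"to": "Titi", "amount": "100000"}
    return {
        # The <img src=...> from Titi's e-mail: a GET with the cookie but nothing else.
        "forged_get": handle_transfer(cookies, "GET", forged, {}),
        # An auto-submitting form on Titi's site: POST, cookie present, foreign origin, no token.
        "forged_post": handle_transfer(cookies, "POST", forged, {"Origin": "https://titi.example"}),
        # Sawyerr's genuine transfer from the bank's own form.
        "legit": handle_transfer(cookies, "POST",
                                 {"to": "Segun", "amount": "1000", "csrf_token": token},
                                 {"Origin": ALLOWED_ORIGIN}),
    }


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name}: {status} {msg}")
```

The three checks are layered on purpose: the POST-only rule stops the link and image vectors shown above, the origin check stops cross-site form posts even if a token were ever leaked, and the token is what the OWASP guidance relies on because it cannot be read or guessed by another origin.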

Friday, October 8, 2010

Anonymous Cyber-Protest group stages DDOS attack on Spain's copyright society

An online activist group – apparently using the 4Chan web portal as its forum – started a major distributed denial of service attack (DDOS) at around midnight CET yesterday evening against the web portal of the Spanish copyright protection society, the SGAE.

The stated aim of the 'Anonymous' group's attack – one of the first activist protests of its type to attack a copyright organisation in Spain, Infosecurity notes – was to crash the site.

Unconfirmed reports suggest, however, that the site did not crash, but that traffic to the portal was significantly slowed down, as is normal with DDOS attacks of this type.

As of 10am CET this morning, however, site traffic to the SGAE portal was back to normal, Infosecurity notes.

According to Luis Corrons, technical director of PandaLabs, the Spanish-headquartered IT security vendor, recent attacks of this type have targeted the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), resulting in 17 server crashes and up to two hours of inactivity.

The newswire says that the 'Anonymous' cyber-activist group – operating via the 4Chan portal – called its DDOS attack 'operation payback' and claims that the attack is one of several the group has staged in recent weeks.

What appears to have upset the activist group, says Panda, is the attempted closure of free file-sharing websites by groups like the RIAA and the MPAA.

Corrons said that his team has been in contact with the SGAE to advise them of last night's attack and has been monitoring the events in real time throughout the night.

"The way things are progressing, it will be no surprise to see cyberprotests organised country by country targeting different copyright protection associations", he said.

One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards

Well, I read the story from page 1 to 7 and it was like I was watching 'Die Hard 5'.

Max Butler had an audacious plan to rule the black market in stolen credit cards. But angry hackers and pesky Feds had other ideas.

Excerpts below

The heat in Max Butler's safe house was nearly unbearable. It was the equipment's fault. Butler had crammed several servers and laptops into the studio apartment high above San Francisco's Tenderloin neighborhood, and the mass of processors and displays produced a swelter that pulsed through the room. Butler brought in some fans, but they didn't provide much relief. The electric bill was so high that the apartment manager suspected Butler of operating a hydroponic dope farm.

But if Butler was going to control the online underworld, he was going to have to take the heat. For nearly two decades, he had honed his skills as a hacker. He had swiped free calls from local telephone companies and sneaked onto the machines of the US Air Force. Now, in August 2006, he was about to pull off his most audacious gambit yet, taking over the online black markets where cybercriminals bought and sold everything from stolen identities to counterfeiting equipment. Together, these sites accounted for millions of dollars in commerce every year, and Butler had a plan to take control of it all.

Read the whole story here.

Chinese iPod gadget aims to skin Apple

Have you ever wished that your iPod Touch was an iPhone? Now it can be, thanks to a new device called the "Apple Peel 520" and created by a Chinese company.

Invented by a 22-year-old programmer who lives in the southern Chinese city of Shenzhen, the gadget is comprised of a case that fits around the outside of Apple's iPod Touch, a popular media player and Wi-Fi-enabled pocket computer with e-mail, maps and other applications.

The Apple Peel 520 case contains a battery, dock connector and SIM card that allows voice calls. Users will also have to install special software to enable a text messaging function, and to allow the device to properly work with the iPod Touch (users will have to break into the software of the iPod in order to download the necessary applications).

Once installed, the Apple Peel gets around five hours of talk time and 120 hours on standby, according to a review posted on

"I developed it because I love the iPhone, but it's too expensive in China."
-- 'Maxpy', developer of Apple Peel 520

CNN interviewed the inventor of the device via QQ, a popular instant messaging service in China (he declined a phone interview and was only willing to offer his online name: "Maxpy").

When asked why he created the Apple Peel, Maxpy said it boiled down to economics: "Because I love the iPhone, but it's too expensive in China."

Maxpy said he began building the device last April, revealing the final product online about a month ago via a company he started called Yosion Technology.

The iPhone, which was officially launched on the mainland last October, more than two years after its debut in the US, costs between $588 - $740 while an iPod Touch is around $235. The Apple Peel sells for $57.

Analysts said a thriving gray market flooded with fake iPhones smuggled in from Hong Kong and the West has hurt legitimate sales of the Apple smart phone here.

The illegitimate phones are usually cheaper and contain functions, such as wireless Internet, that are not available on phones sold through legal channels.

"All of the potential users already had purchased an iPhone, they had found a way to buy one," Leo Wang, founder of Mobile 2.0 forum, a telecom and mobile organization, told CNN after the iPhone's China launch last year. "The official iPhone is too expensive."

Whether or not the Apple Peel 520 will appeal to Chinese consumers or have any impact on iPhone sales in the country remains to be seen. So far, according to Maxpy, only around 150 of the devices have been pre-sold on, a popular Chinese e-commerce site. Two were sent to technology websites for review.

While there are plans to mass manufacture the gadget in the future, Maxpy says those plans are on hold until the company can ensure there are no intellectual property right violations.

"We have no detailed plans," he said. "But of course we want to make a profit from it."

Maxpy also said they want to check on Apple's policy on "outside devices" as well as try to reach the company to see if they have any interest in the gadget, asking CNN whether we could put him in touch with Apple CEO Steve Jobs. We could not.

CNN did try to reach Apple representatives in Beijing and Hong Kong. No one was available for comment.

There are also a few technical glitches to be worked out. According to a Chinese review translated into English on M.I.C. Gadget, the Apple Peel does not support 3G, there's a small lag time when calls are made from the iPod Touch and deleting and forwarding text messages is not available, among other minor complaints.

Nevertheless, many say they are impressed with the functionality of the device.

"It is the first time there has been a hardware application that has changed the functionality in such a key way," said Tai-Pan (a pseudonym), editor of the Taiwan-based "It is very cheap for someone with an iPod Touch, so there is some kind of value proposition for people who want to save money."

What's more, the Apple Peel also illustrates the evolution of China's massive "shanzhai," or black market, phone industry. Based mostly in Shenzhen, it is an industry characterized by the mass production of copycat mobile phones and other devices, which are sold at lower prices and often with more localized functionality than global brands.

Every year, millions of shanzhai phones are sold throughout China and exported to developing countries, resulting in a major dent in the sales of mainstream manufacturers in those markets, according to the research firm Gartner.

"People are already or will soon be buying not just China-made but China-owned products," said Benjamin Joffe, founder of the Beijing-based mobile and Internet consulting firm Plus8Star.

"Most of Apple's factories are in China, so it is not like China cannot make high-quality products," he said.

"The issue remaining to go up the value chain has been design, marketing and distribution. Chinese companies are learning, acquiring talent and buying what is missing."

Tuesday, October 5, 2010

Russian authorities detain suspected bank carding kingpin

Russian authorities have detained a Ukrainian citizen accused of overseeing a criminal operation that used fraudulent credit cards and passports to siphon large amounts of cash out of banks around the world.

The detention of the unnamed suspect came as Department K of the Russian Interior Ministry stopped the actions of the international criminal group the Ukrainian allegedly led, according to a press release (Google translation here) issued on Monday. The group, which was made up of at least 50 members, siphoned more than $660,000 out of 17 Russian banks between January and June alone.

Russian authorities also confiscated more than 100 counterfeit credit cards and an encoder used to write data to cards' magnetic stripe.

The action comes as authorities in Ukraine, the US, and UK last week rounded up dozens of people suspected of participating in bank fraud related to Zeus, a prolific computer trojan that specializes in stealing banking credentials of its victims. Most of those arrested were accused of being money mules who used fraudulent passports to launder money stolen from compromised accounts. Five of those detained in Ukraine were accused of orchestrating the overarching scheme.

Russian authorities didn't say if those detained were related to the same crime ring, but the activities they're accused of sound remarkably similar. Some of the Russian suspects are accused of using fake passports to mislead bank employees. ®