Sunday 30 January 2011

Example.com has changed!

Nearly everyone involved in security testing or website design has undoubtedly used the domains example.com and example.net to demonstrate something or other. These are special domain names, reserved for private testing, so nobody is allowed to register them.

For as long as I can remember, the domains have been configured to point to a web server. For several years, they returned the following rather minimalist content:

You have reached this web page by typing "example.com", "example.net", "example.org" or "example.edu" into your web browser.

These domain names are reserved for use in documentation and are not available for registration. See RFC 2606, Section 3.

But now it's changed! The example domains now issue a 302 redirect to a page on a different domain: http://www.iana.org/domains/example/

Try it out: http://example.com

I don't like this. I'm all in favour of making things look a bit prettier, but for some reason it seems wrong to redirect users to a completely different domain name.

I wonder if any test code will be broken by this change?

Friday 28 January 2011

Quora login exposes names and photos

When Quora went live a few weeks ago, I was one of many who rushed in to sign up for an account and see what all the excitement was about. It describes itself as "a continually improving collection of questions and answers created, edited, and organized by everyone who uses it". Sounds like a nice idea, but I haven't really used it enough to gauge how useful it actually is.

I thought I'd change that, so I revisited quora.com today to give it another go, but the first thing that struck me was the default behaviour of the login form.

As soon as you enter your email address into the login form, it automatically displays your full name and profile image. This is not dependent on cookies or location – anybody in the world can do this with your email address in order to find out what you look like, and what your full name is. They don't even need to be registered with Quora to find this out.

The login form posts the email address in an XMLHttpRequest to http://www.quora.com/webnode2/server_call_POST. If that email address is registered on Quora, the server responds with the name and photo from the corresponding Quora profile. I consider this both a security and a privacy problem.

Armed with just your email address, an anonymous attacker can:

  • Determine whether you are registered on Quora.
  • Map your email address to your full name – very useful for phishing.
  • Discover what you look like.

I don't think many Quora users would expect their details to be exposed in this way, least of all to people who haven't even registered to use Quora. It is worth noting that Facebook also reveals names and photos after a few failed login attempts, but only after a CAPTCHA has been solved (thus preventing large-scale automated abuse).
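As an added illustration (not Quora's code), here is a minimal model of the lookup described above beside a hardened login in which the profile is released only after the password verifies, an unknown email and a wrong password produce the same response in the same time, and a source that keeps failing must solve a CAPTCHA before further attempts are processed, as the post notes Facebook does. The user store, names, photo URL and source address are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (made-up data, not real Quora accounts).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "photo": "https://example.com/photos/alice.jpg",
        "salt": _SALT,
        "hash": _pbkdf2("correct horse battery staple", _SALT),
    },
}

# Dummy credential so that an unknown email costs as much work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("dummy", _DUMMY_SALT)


def leaky_lookup(email: str) -> dict:
    """Pre-authentication lookup as the post describes it: the email alone
    reveals whether the account exists and returns the name and photo."""
    user = USERS.get(email.lower())
    if user is None:
        return {"registered": False}
    return {"registered": True, "name": user["name"], "photo": user["photo"]}


@dataclass
class LoginService:
    """Hardened variant: profile data only after a successful password check,
    identical failure responses, and a CAPTCHA demand after repeated failures
    from the same source (a constructed threshold, not a Quora setting)."""
    captcha_after: int = 3
    failures: dict = field(default_factory=dict)  # source -> failed attempts

    def login(self, source: str, email: str, password: str,
              captcha_ok: bool = False) -> dict:
        if self.failures.get(source, 0) >= self.captcha_after and not captcha_ok:
            return {"status": "captcha_required"}
        user = USERS.get(email.lower())
        # Always run the hash so unknown emails take as long as known ones.
        salt = user["salt"] if user else _DUMMY_SALT
        expected = user["hash"] if user else _DUMMY_HASH
        matched = hmac.compare_digest(_pbkdf2(password, salt), expected)
        if user is None or not matched:
            self.failures[source] = self.failures.get(source, 0) + 1
            # Same body for "no such email" and "wrong password".
            return {"status": "invalid_credentials"}
        self.failures.pop(source, None)
        return {"status": "ok", "name": user["name"], "photo": user["photo"]}
```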

But what are the real security implications? Phishing victims are more likely to fall for scams if a phishing email contains the victim's full name. Indeed, genuine emails from PayPal even offer this piece of advice in the footer:

How do I know this is not a Spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always address you by your first and last name.

Obviously that's not safe advice.

Thursday 27 January 2011

Tesco Mobile's hidden fair use policy

I previously blogged about T-Mobile's silly fair use policy, but at least they make it clear what the data limit is. Tesco Mobile, on the other hand, seem to be intent on hiding their fair use limit from pay as you go customers.

Nine months ago, I regrettably bought a mobile phone locked to the Tesco Mobile network. I had looked around their website (http://www.tesco.com/mobilenetwork/) and decided that their Pay as you go tariff was good value if all I ever wanted to do was access the internet with no risk of hidden fees (they offer a 7-day "Unlimited Browsing" pass for £2). I had a jolly good browse around the site, but there was absolutely no quantification of a fair use limit. As the pass was labelled "unlimited", I naturally assumed that if there was a fair use limit, it would be reasonably high, or at least in line with other mobile networks.

Just a couple of days later, a friend of mine with an incredibly old web browser pointed out something I had missed: Tesco's website says there is a rather paltry fair use limit of only 100Mb per week. How did I miss that?!

Well, I hadn't missed it – sort of. The fault lies in the Tesco Mobile website, which apparently only works properly in Internet Explorer 6. That's quite remarkable given that it's now the year 2011.

So what's actually wrong with their website? There is only one page which states what the fair use limit is (100mb), and this piece of text is not visible in any modern web browser software.

The following screenshot from Firefox 3.6.13 shows the text box in which the 100mb limit is stated; however, it is impossible to scroll down far enough to read it! The design of this web page is faulty, and overlays the bottom navigation bar on top of the final paragraph, making it practically invisible:

This is not just a Firefox rendering issue – the same problem occurs in any vaguely recent version of Internet Explorer, Opera, Chrome and Safari. In fact, the only browser I could view the relevant text in was Internet Explorer 6 (which was released 10 years ago!).

Alternatively, you can view the HTML source, but it's hardly reasonable to expect a customer to do that:

Searching their website for "100mb" confirms that this is the only page the limit is mentioned on (for Pay as you go customers); yet it is completely hidden from anyone who isn't running 10 year old software.

What I find really unfair is that Tesco have refused to fix this problem with their website, which has continued to hide the 100Mb fair use limit for at least 9 months. If I had known about this low limit, I would never have bought a phone from them. I made that clear to Tesco, yet they still refuse to fix it.

I have informed Tesco exactly what the problem is on numerous occasions. They have either insisted that nothing is wrong, or have point blank refused to respond to me.

One lady even accused me of lying when I said the 100Mb fair use limit was not visible on their website. "I can see it here in front of me in black and white," she said, refusing to believe anything I was saying. I did wonder whether they, too, were living in the past with Internet Explorer 6, but sadly she did not understand what a web browser was, let alone what version it was.

It was clear that nobody was going to fix the problem, so I thought I'd head straight to the top and ask the CEO to get it fixed. Surely the CEO will care about other customers being misled by the hidden fair use limits?

Apparently not: I asked the CEO of Tesco, Sir Terry Leahy, why the website has not been fixed. This particular question has never been answered. I even asked him to at least acknowledge that their website is broken, but this too has been avoided in any responses. Tesco have refused to answer either of those two questions, so I can only assume they are hiding the fair use limit on purpose.

I believe it is dishonest for Tesco to act this way. They are knowingly refusing to fix their website, seemingly happy for some other sucker to be misled the same way I was.

As they still refuse to fix the site, and seem happy to continue hiding the fair use limit from online customers, I told Sir Terry that I was going to write an article about it. I did, of course, ask him if he had any comments before I published, but the only response I got was, "I would like to confirm that we have nothing further to add."

I suppose when it comes to generating revenue by misleading prospective customers, "every little helps".

Wednesday 26 January 2011

DDoS Tutorial

Gosh, I had no idea it was this easy to launch a distributed denial of service attack. I particularly like the bit where the hacker demonstrates the effectiveness of this method by carrying out an attack against 127.0.0.1. I bet that server took a real hammering in this video:

Mind you, I can understand why they would want to launch an attack against 127.0.0.1 – the last time I went there, I found they had stolen all my files!

Monday 10 January 2011

T-Mobile's fair use policy is unenforceable

UK mobile network operator T-Mobile is changing its Mobile Internet fair use policy to have a significantly reduced fair use limit of only 500Mb per month. Despite this change, T-Mobile are not going to let customers escape from their contracts prematurely – including those who signed up when the limit was clearly set at 3Gb.

However, one important new feature is that this 500Mb limit does not apply to "browsing", which they define like so:

"Browsing means looking at websites and checking email, but not watching videos, downloading files or playing games."

Help, I'm confused! What happens if I visit YouTube and play a video in my web browser? More alarmingly, I've been using email since the last millennium, but never knew I was actually browsing whenever I checked it.

Aside from the obvious ambiguities, it's pretty obvious that they have no way of enforcing this fair use limit accurately. What happens if I download an email which has a video attached, or if I tunnel all of my phone's network traffic over a VPN?

And perhaps the best example: If I browse around an HTTPS website, how will T-Mobile know that I am browsing? How can they distinguish a very large webpage from a small video? Quite simply, they cannot.

I've asked T-Mobile how they are going to count HTTPS traffic. I'll update this post when they respond, but hopefully just thinking about that question will make them realise the flaws in their new fair use policy.

Update: T-Mobile appear to have ignored my question. Maybe they don't know the answer.

WikiLeaks Twitter Paranoia

In the midst of the WikiLeaks hosting saga, it was only natural that I should start following WikiLeaks on Twitter. I remember saying at the time, "I'm probably on some government list now."

I wasn't far wrong:

This stems from a DoJ court order compelling Twitter to reveal information about some of its users. The slight paranoia blog provides a good analysis of the order.

The peculiar thing is that the list of WikiLeaks followers is already public information. And just how useful is this list, anyway? WikiLeaks' Twitter stream is not protected, so anybody can ostensibly "follow" its contents without explicitly following it on Twitter, or even needing a Twitter account.

Essentially, anyone can see what is being tweeted by WikiLeaks, simply by browsing to http://twitter.com/wikileaks. Twitter won't be able to identify people who access this page through an anonymising proxy, so of course, the DoJ won't even know about those followers.

Saturday 8 January 2011

An Interview with Anonymous

Last month, Netcraft saw WikiLeaks.org being ousted from the United States. A loose-knit group named Anonymous then began launching distributed denial of service (DDoS) attacks against organisations that had been unhelpful towards WikiLeaks.

These attacks successfully took down prominent websites such as MasterCard.com, Visa.com and PayPal.com. Some people clearly didn't like this, and the Internet Relay Chat (IRC) network used by Anonymous was then subjected to retaliatory attacks, as were several website domains used by the "Anonymous Operations" organisers.

Despite being attacked at least twice this week, AnonNews.org is one of the survivors and has since evolved to become one of the most important resources for those involved in the ongoing Anonymous campaigns. The latest round of DDoS attacks have been directed towards Tunisian government websites.

On 7th January 2011, I interviewed the Dutch owner of AnonNews.org, Sven Slootweg. Sven is a freelance web developer with an active interest in freedom of speech (and would like to make it clear that his views do not represent the whole of Anonymous). It's a long, yet informative interview; enjoy:

How long have you been involved with Anonymous?

I've been following Anonymous since Project Chanology (the protests against the Church of Scientology), but became involved myself since Operation Payback changed its targets to sites involving Wikileaks... on the other hand, seeing as I've always felt the same way about things like freedom of speech as a large part of Anonymous, you could say I've been involved with it for a much longer time, just not under the banner of Anonymous.

What is your role in the ongoing DDoS attacks being carried out by Anonymous?

In the DDoS attacks themselves... I'm not involved at all. However, seeing as the callouts/manifestos/press releases for these attacks are also posted on AnonNews, I do contribute to making people aware of what is happening. I'm also a channel operator in the Operation Tunisia IRC channel, but basically only there to keep the room clean (kick out people screaming false targets and trying to spread confusion), I'm not involved with the coordination of attacks themselves.

Do you believe the DDoS attacks against MasterCard, Visa, PayPal and so on have achieved anything?

Absolutely... not only have they sent a sort of "warning message" to these companies and other companies who would try to shut Wikileaks, they have also caused a lot of attention from media outlets over the world. Everyone knows Anonymous exists, and that there are people fighting for freedom. It has contributed a lot to the awareness of the general public. I do think, however, that more DDoS attacks on "old" targets like Mastercard would not have any positive effect, and even harm the current image of Anonymous. The media attention and awareness is there, and there's not a lot to gain in that field for Anonymous in general.

Do you think any companies have been reluctant to terminate relationships with WikiLeaks after witnessing the effect of these attacks?

I think it will certainly have helped. Although companies may still terminate relationships with WikiLeaks if they are seriously pressured / blackmailed by the US government, I very much doubt any company would do it voluntarily now, because they know there is a risk of being targeted. Especially companies whose business relies greatly on the internet will most likely be more reluctant.

Which sites are currently being attacked by Anonymous, and why?

As far as I am aware, the nameservers that are used by many Tunisian government websites are being attacked right now, leading to these websites being unavailable, because of the increasing censorship and restriction of freedoms in Tunisia. More sites may be under attack, but if that's the case, I'm not aware of them... the best way to find out would be to join the IRC and ask around in the channels :) There is another operation running regarding Tunisia: the setting up of TOR bridging servers. Seeing as the known TOR servers are blocked by the Tunisian government, people are now working on providing "hidden" TOR bridging servers. Although this is not related to DDoS, it can be considered an attack on the censorship in the country.

How are the attacks being carried out?

The DDoS attacks basically consist of many people running LOIC, PyLOIC, HOIC, or any other effective DoS tool simultaneously. In some cases a "hive" is used; an IRC C&C server that people can connect to with their DoS tools (at least, those that are hivemind-enabled). The DoS tool will monitor the channel for commands, and attack when instructed to do so. This basically creates a very accurate voluntary botnet, that also operates in a similar way. If no hive is available people are instructed to manually enter targets into their tools.

Who decides which website to target?

Basically targets are decided by everybody. The unwritten rule, however, is to not attack media outlets as it would limit their freedom of speech, even if it is state-owned or state-controlled. When a list of potential targets has been made, these targets are put into a poll on the web, after which everyone can vote for the target he thinks is most important. The channel operators may decide to not include targets, for example, when they are not related to the cause, or if there would be too much collateral damage. Generally the target that gets the most votes is attacked first, and if it has been attacked successfully either a new poll is started, or the target in second place is attacked. This is the general method, other operations may use other methods if they feel it is more appropriate... seeing as there is no central governance in the whole of anonymous, any operation or project may have its own "authoritarian structure" (or the absence thereof) and its own way of deciding what to do.

There seemed to be more than 2,000 computers involved in the attacks against MasterCard and Visa. How many computers are involved in the current attacks against Tunisian sites?

I can't be sure as I don't think everyone who is attacking is present in the IRC channel... but the IRC channel holds about 200 people at this moment. It's pretty much impossible to make a real estimate of the "firepower".

Do you perceive the Tunisian websites as being "easier" targets, which could be successfully attacked with fewer computers?

Seeing as I'm not directly involved with the attacks, I can't really say anything for sure, but I can imagine that government websites generally have less capacity than for example Mastercard and PayPal, who rely on their online presence for a serious chunk of their business. This doesn't only go for Tunisian government sites, but for "western" government sites as well.

A few of the Tunisian websites are back online again now. Do you think Anonymous will continue to carry out attacks against other websites? If so, what other sites may come under attack?

I think websites may continue to be attacked for a while, but I also think the strongest point of the attack has been reached. People are focusing on other projects regarding Tunisia now, such as scripts to remove the phishing scripts inserted into various social networking sites by the Tunisian government, and setting up TOR bridges under the name "Project Tornesia". Some people have also started spreading awareness (and had success) by e-mailing news stories regarding Tunisia to media outlets. Quite a few media outlets actually started to publish news regarding Tunisia after being pushed by Anonymous. Regarding other sites: I have no idea what is going to happen in the future, but I do not expect many more DDoS attacks as the impact is limited. Most likely Anonymous will keep fighting against the Tunisian censorship in different ways, for example through the aforementioned projects and by calling out to Tunisians to also protest in real life.

A few arrests have been made against people taking part in the DDoS attacks. Do you think this has reduced the size of the botnet by deterring volunteers from taking part, or are they merely losing interest in the campaign?

I think it has certainly made a difference, but I don't think it's the main reason for the decrease of volunteers. The IRC has experienced a lot of problems a few weeks ago (being attacked itself), and this may have led to many people not joining the network anymore. Combining this with the fact it has been relatively quiet (less high-profile attacks) for a while, this is most likely the main reason for the decrease of volunteers. The fact that there isn't as much hype around the attacks on for example Tunisia, as opposed to the attacks on Mastercard etc., most likely contributed to the fact that fewer people came back.

Who runs the IRC network?

It's run by several people... I don't know most of them, there is one person who I knew (through the internet) from a few years back. As far as I know, the network staff (thus server owners) change now and then as well.

The website you run - AnonNews.org - appears to have become one of the main sources of information for members of Anonymous. Are you concerned that your website may also come under attack?

It has been DDoSed twice by now... in fact I'm quite surprised at the absence of attacks, especially personal ones. I haven't yet received any prank calls or similar things. The DDoS attacks are not a big problem anymore, as I have recently moved to a host that has good DDoS protection and also does manual blocking. Since the server is now also running several automated blocking scripts it should be able to cope with pretty much any DDoS attack. I haven't yet had any problems with exploits, except for someone figuring out a way to cast multiple votes (this has been corrected and fixed). I expected more attacks than this, so from the start I wrote the site to be as secure as possible, and I don't expect anything to go horribly wrong. Of course there have been several vulnerability scans on the site, but I'm not worried.

I noticed your involvement with Anonymous is far from anonymous – for instance, your name is recorded in the WHOIS details for the anonnews.org domain. Have you taken any precautions to avoid personal attacks?

Not really... I stand for my opinion, and if that leads to personal attacks, so be it. It's fairly impossible to trace me back to where I live, so I am not expecting any physical attacks, and I don't really mind things like prank calls; in fact, it's rather interesting to see what people come up with. Since I don't do anything illegal, it's not necessary for me to stay anonymous, and I'd rather do things on my own name if that means it's easier to achieve a goal.

Do you know who was responsible for the DDoS attacks against AnonNews.org, or how the attacks were carried out?

In both cases I don't know who was behind it; only in the second case had it been announced in a comment on both AnonNews and a Flickr page by a user that I could not find more information about. Both attacks consisted of SYN floods, and in the second case it appears there was also a minor HTTP flood added to it. The first attack was most likely running from several servers, while I suspect the second attack to have been carried out from a larger botnet of consumer machines.

The WikiLeaks.org website was ousted from the United States shortly after Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman encouraged companies to avoid assisting WikiLeaks in its efforts to disseminate the stolen cables. As an active supporter of WikiLeaks, are you concerned that AnonNews.org may suffer a similar fate by virtue of being hosted in the US?

I don't expect any trouble with that, seeing as not only is my host supportive, but AnonNews also doesn't do anything that could be considered illegal. It's simply an open "activist" platform, much like Indymedia and similar sites. Would there eventually be trouble with this, I will look into moving the site to a different country, but I don't really expect anything to happen in this field. Many controversial sites have always been hosted in the US, and I believe the entire affair with Wikileaks was an exception.

I notice that AnonNews.org accepts donations via PayPal. What are these donations used for?

Right now I'm using them wherever AnonNews costs money (which is not a lot) but a part of it also flows to YuNicc, another nonprofit project that runs entirely on donations... and a part of it goes to "myself" to live from, seeing as AnonNews costs quite a lot of time. Not a lot comes in, but it covers the costs, and it enables me to spend time on AnonNews without going completely broke.

What do you think of the media's perception of Anonymous? Is it accurate?

I think it's certainly going in the right direction, but many media outlets are still failing to grasp the concept of Anonymous. They are still looking for the "leaders" of Anonymous, and still treat it as a group with one collective opinion, goal, and agenda. They fail to see that Anonymous is not really a group, but rather an anarchistic movement, according to the original definition of anarchism. If someone has an idea, he will try to set it up. If enough people agree, the idea will gain popularity and "followers", and it will thus make impact. If an idea is not liked by many, it will be ignored and eventually fade away. It's pretty much self-regulatory, and no operation has the same group of people supporting it. Being part of Anonymous does not mean you have to have a certain opinion. Anyone wanting to sail under the flag of Anonymous, will be Anonymous. It's a "fluid organism", so to say, and it has no official representatives. And well, most media don't get that. The other problem with most of the media is that they only focus on the more violent attacks like DDoS attacks, and completely ignore initiatives like Operation Paperstorm and Operation Tornesia. This way they, consciously or unconsciously, portray Anonymous as a group of hackers (or rather, using the correct term, crackers), and not "activists", even though the latter is more correct. Many people within Anonymous do not have technical knowledge. Another problem is that media often portrays Anonymous as being "people from 4chan". While the roots are indeed on 4chan, this relationship is not really there anymore. Many people on the AnonOps IRC server, for example, barely visit 4chan. I have even spoken to some who don't even know what 4chan is.

Around the same time as the DDoS attacks against MasterCard in December, Anonymous launched a separate campaign named Operation Leakspin. This was supposed to raise awareness of the least-exposed leaks by posting comments to social networking sites and forums. Did this have much impact?

I don't think Operation Leakspin (which is now renamed to Crowdleak) has had very much impact on the general public so far, mainly because all the media attention was aimed towards the DDoS attacks. However, pretty much every Anon is aware of the existence of the project, so it certainly has potential to grow more. I think it will just need time to grow, and that it also requires more attention from media outlets.

So is the successfulness of a campaign based on how much media attention it gets?

Seeing as the main strong point of Anonymous is that many people, a crowd, are working together, I think that for now media attention plays a very important role in the successfulness of a project or operation. This may (and probably will) change over time though, as the Anonymous "movement" gets more "followers" who actively keep track of what's going on and what Anonymous is doing. Right now it's important to make people aware that Anonymous exists, and that it's active. As soon as people start checking on Anonymous themselves, it will not require as much media attention as is currently the case.

With regard to its support of WikiLeaks, what are the long term goals of Anonymous?

I can't say anything about that for sure, it really depends on what the individual people involved in Anonymous are going to do. I know there are also a lot of people involved with setting up new Wikileaks mirrors and keeping them alive, but I'm not involved with that specific project.

What are the most interesting or unexpected events you have witnessed since Operation Payback began?

For the operations... pretty much everything. It's really interesting and sort of surreal to see what Anonymous as a collective can achieve and has achieved. A massive collection of unidentified regular people reached media outlets all over the globe, and people are really being helped. Personally the two most unexpected events were first of all the responses of the people in Tunisia... when reading the comments on AnonNews you could see they were really happy that someone outside their country stood up for them, and it really boosted their morale and hope. The second thing I didn't expect was the massive publicity of AnonNews. It has apparently appeared on the national French television (TF1), and both BBC and Al Jazeera reported on my downtime, which is somewhat odd and surreal if you're the person behind the site. I have had days where I got 12,500 unique visitors in a day... that is a lot for a site that has existed for only 3 weeks.

Friday 7 January 2011

Welcome to High Severity

Online security is something I have always been interested in. I've been doing security consultancy and web application security testing for several years at Netcraft, helping major banks and financial institutions remain secure and immune to hackers. You may even have seen me talking about such topics on BBC News, or heard me talking about them on various BBC radio stations including the World Service.

I have spent much of the past month fervently monitoring the distributed denial of service attacks being carried out by a group called Anonymous. These attacks have successfully taken down the websites of MasterCard, Visa and PayPal, all because they were unsupportive of WikiLeaks. While I have written about these attacks in some detail on news.netcraft.com, it would be nice to have the opportunity to express my personal views without having to worry about being too formal.

So, welcome to my new blog at HighSeverity.com. I quite like the domain name. I'll be using this to discuss any interesting security topics that I come across in my spare time, and you may even get to see me spouting the occasional rant. Unless stated otherwise, all views and expressions will be mine and not those of my employer, but I shall no doubt be referring to Netcraft's rather useful services and public datasets from time to time.

My first post – excluding this one, of course – will be an in-depth interview with a prominent Anon (a member of Anonymous). If you have any suggestions for future posts, just drop me an email.