Yesterday, we wrote about the Firesheep extension for Firefox, which brought session hijacking to the masses. Ostensibly a tool to highlight the unencrypted session handling employed by many popular websites, its user-friendliness allows novices to sniff out and hijack sessions that are not protected by SSL.
Unsurprisingly, the newfound simplicity of launching these session hijacking attacks kicked up quite a fuss on Twitter, and Firesheep received over 100,000 downloads overnight.
In response to the rapid uptake of Firesheep, Jonty Wareing has just released a somewhat different tool called Idiocy. This acts as "a warning shot to people browsing the internet insecurely" by sniffing network traffic to see if anyone is visiting the Twitter website over an unencrypted HTTP connection; and if they are, it will hijack the session and automatically post a tweet to warn them that they are vulnerable. The tweets helpfully include a link to a page which explains what happened, and how to prevent it happening in the future.
So rather than allowing anybody to exploit session hijacking for malign purposes, this tool tells the 'victim' how to browse more safely. The code and documentation for Idiocy is available from Jonty's GitHub repository.
WikiLeaks has started using the Amazon Elastic Compute Cloud (EC2) to serve some of the whistle blowing site's controversial content from the United States.
Shortly after WikiLeaks went live with their Iraq War Logs on Friday, UK-based Alex Norcliffe noticed Netcraft showing the new site to be hosted by Amazon EC2 in Ireland. Alex checked the IP addresses being used by the site and discovered it was being served from five locations in total, including two other Amazon EC2 instances that are located on US soil.
Amazon's EC2 web service is perhaps ideally suited for sites like WikiLeaks, which may receive huge bursts of traffic when important leaks are announced. Any EC2 site using the Amazon Cloudwatch monitoring service can enable the Auto Scaling feature to automatically scale up a site's capacity to cope with traffic spikes, or scale it down at less busy times to reduce costs.
The main WikiLeaks site, wikileaks.org, is also using round robin DNS to serve some of its requests from Amazon in the US. Prior to this, the site was hosted by PeRiQuita AB in Sweden, using the Sun Java System Web Server 7.0. Both wikileaks.org and warlogs.wikileaks.org are now using Apache 2.2.16 on Debian Linux.
A years-old vulnerability has been brought into the limelight by an open source FireFox extension which makes it extremely easy to hijack sessions belonging to other Web users on shared networks.
Eric Butler's Firesheep tool makes it remarkably simple for novices to hijack sessions on several social networking sites. Firesheep monitors network traffic and detects when someone visits a website which transmits unencrypted session cookies. The victim's name and photo is displayed by the tool, and double-clicking on that person instantly logs you in as them.
Even though these session hijacking vulnerabilities have been possible for many years, the sheer user friendliness of this new tool is causing a storm of comments on Twitter. No specialist hacking knowledge is required to use the tool – all you need is to be on the same network as your victim. Sending unencrypted data over open WiFi networks has always posed a security risk, and the release of this new tool greatly increases the likelihood of exploitation.
Online banking services typically employ HTTPS throughout an entire session, keeping the session cookies encrypted and thus hidden from eavesdroppers. Due to the computational overheads of providing HTTPS connections, many other websites reserve this secure protocol only for transmitting login credentials, after which the user would continue to use the website over an unencrypted HTTP connection. This is the weakness which allows Firesheep to work, as it makes the session cookies vulnerable to eavesdropping. This type of vulnerability is commonly discovered during Netcraft's security tests, and Butler's new extension greatly simplifies the process of exploiting it on a range of popular sites.
In recent years, the computational overheads of HTTPS have become less significant due to the continual improvements in computer hardware, so more and more sites are beginning to adopt HTTPS for the entire lifetime of a user session. For instance, Google introduced an "always use HTTPS" option on their widely used Gmail service in 2008, before eventually making this the default setting at the start of 2010.
Butler announced Firesheep at the 12th ToorCon conference. The extension already allows session hijacking vulnerabilities to be exploited against 26 different sites, including Facebook, Flickr, Twitter and WordPress. Additional sites can be monitored simply by adding a new script to its existing list of handlers.
In the October 2010 survey we received responses from 232,839,963 sites.
Again this month Apache increased its market share by approximately 1 percentage point, gaining 5.5M hostnames, while Microsoft and Google lost 1.3M and 400k hostnames respectively. Microsoft's losses in Active Sites were much smaller, at just over 100k, while Google lost 150k.
While the other servers' gains were down this month, nginx saw a 1.4M increase in hostnames, bringing its market share up by nearly 0.5 percentage points. Notable growth includes a 400k increase in Moldova and a 700k increase in the US, which includes a 150k jump at BurstNet, a 200k jump at Hurricane Electric and an increase of nearly 400k at ServePath, LLC. If current trends continue nginx will overtake Google for number of hostnames by next month, however it trails Google in Active Sites by over 4M. nginx has not had a higher number of hostnames than Google since the heavy losses it sustained in February when a large number of stale blogs at wordpress.com and 163.com were expired from the survey.
lighttpd lost nearly 500k hostnames, a drop of almost 25%. This was largely due to losses at iWeb Technologies (300k) and in the Bahamas (200k).Total Sites Across All Domains
August 1995 - October 2010
Market Share for Top Servers Across All Domains
August 1995 - October 2010
Developer September 2010 Percent October 2010 Percent Change Apache 129,782,948 57.12% 135,209,162 58.07% 0.95 Microsoft 54,787,167 24.11% 53,525,841 22.99% -1.12 15,312,751 6.74% 14,971,028 6.43% -0.31 nginx 12,779,550 5.62% 14,130,907 6.07% 0.44 lighttpd 1,818,032 0.80% 1,380,160 0.59% -0.21
Rank Company site OS Outage
DNS Connect First
Total 1 Datapipe FreeBSD 0:00:00 0.019 0.052 0.015 0.031 0.041 2 www.netcetera.co.uk Windows Server 2008 0:00:00 0.019 0.046 0.051 0.104 0.209 3 Virtual Internet Linux 0:00:00 0.019 0.202 0.054 0.113 0.369 4 INetU FreeBSD 0:00:00 0.027 0.120 0.067 0.167 0.397 5 New York Internet FreeBSD 0:00:00 0.027 0.139 0.069 0.145 0.359 6 www.qubenet.net Linux 0:00:00 0.031 0.082 0.040 0.083 0.331 7 www.codero.com Linux 0:00:00 0.035 0.539 0.104 0.419 0.853 8 www.uk2.net Linux 0:00:00 0.054 0.133 0.049 0.103 0.263 9 www.cwcs.co.uk Linux 0:00:00 0.066 0.168 0.256 0.556 0.796 10 www.dinahosting.com Linux 0:00:00 0.070 0.088 0.099 0.199 0.199
All of the top three hosting company web sites this month had the same number of failed requests - five each. The top three hosting companies are therefore ranked based on performance and the average connection times to their sites.
Datapipe was the best performing hosting company in September 2010. Datapipe has datacentres in the U.S., the U.K. and China. The company has a strong sustainability policy and powers two of its American datacentres using renewable energy. Datapipe has consistently performed well, having been in the top ten every month since last November.
This month's second best performing hoster was UK-based Netcetera. Netcetera was founded in 1996 and provides co-location, dedicated servers and managed hosting.
The third best performing this month was Virtual Internet, also a UK-based hoster founded in 1996. The company primarily provides managed hosting services, focusing on high availability and resilience.
Six of the top ten hosting company web sites this month are running Linux.
Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.
Information on the measurement process and current measurements is available.
Earlier this morning, an Australian teenager discovered a new cross-site scripting vulnerability on twitter.com. Just a couple of hours later, hackers used the same flaw to launch a massive XSS worm attack against Twitter users.
zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow.
Using a similar technique, zzap was able to inject an
zzap later demonstrated that it was possible to steal cookies from Twitter users, by displaying the contents in another pop-up message. This could be mitigated to some extent if Twitter used the HttpOnly attribute for their cookies — this would prevent injected scripts from being able to directly access the
Although the XSS exploits demonstrated by zzap were mostly harmless, some users were nonetheless baffled by the unexpected behaviour and concluded that Twitter had been hacked:
zzap told another Twitter user that the flaw could be used to steal account information, while one of his other examples made the obvious point:
Searching Twitter for "onmouseover" shows many of the different attack vectors currently being exploited and propagated:
The vulnerability is still present right now, but John Adams at Twitter Security responded to Netcraft within just a few minutes to say they are looking into it.