We incentivise phishing reports from our community of reporters. The current list of prizes is as follows:
Netcraft USB Flash Drive: after 100 validated phishing reports
Netcraft Mug: after 250
Netcraft Polo Shirt: after 500
Targus Laptop Backpack: after 1,000
On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.
The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.
Yesterday, we wrote about the Firesheep extension for Firefox, which brought session hijacking to the masses. Ostensibly a tool to highlight the unencrypted session handling employed by many popular websites, its user-friendliness allows novices to sniff out and hijack sessions that are not protected by SSL.
Unsurprisingly, the newfound simplicity of launching these session hijacking attacks kicked up quite a fuss on Twitter, and Firesheep received over 100,000 downloads overnight.
In response to the rapid uptake of Firesheep, Jonty Wareing has just released a somewhat different tool called Idiocy. This acts as "a warning shot to people browsing the internet insecurely" by sniffing network traffic to see if anyone is visiting the Twitter website over an unencrypted HTTP connection; and if they are, it will hijack the session and automatically post a tweet to warn them that they are vulnerable. The tweets helpfully include a link to a page which explains what happened, and how to prevent it happening in the future.
So rather than allowing anybody to exploit session hijacking for malign purposes, this tool tells the 'victim' how to browse more safely. The code and documentation for Idiocy are available from Jonty's GitHub repository.
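The weakness both Firesheep and Idiocy rely on is a session cookie that the browser will send over plaintext HTTP. The check below is an added example written from the defender's side; it is not code from the Netcraft post or from either tool. It parses Set-Cookie response headers and flags cookies that look like session identifiers but lack the Secure attribute (and, secondarily, HttpOnly). The header lines and the list of name hints are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies that can travel over plaintext HTTP.

Added example, not part of the Netcraft post or of Firesheep/Idiocy.
The sample headers and the SESSION_NAME_HINTS list below are constructed.
"""

from dataclasses import dataclass, field

# Constructed sample of response headers as a server might send them.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: sid=deadbeef; Domain=.example.test; Path=/; Secure",
]

# Assumption: cookie names containing these fragments usually carry
# authentication state. A heuristic, not an exhaustive list.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_line):
    """Split one Set-Cookie line into the cookie name and its attribute names."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Domain=...) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookie(header_line):
    """Return a CookieAudit with a finding for each missing protection."""
    name, attrs = parse_set_cookie(header_line)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    audit = CookieAudit(name, secure, httponly, looks_like_session)
    if looks_like_session and not secure:
        audit.findings.append(
            "session cookie without Secure: the browser sends it over plain HTTP,"
            " where a passive sniffer on the same network can read it")
    if looks_like_session and not httponly:
        audit.findings.append(
            "session cookie without HttpOnly: readable by scripts in the page")
    return audit


def audit_headers(lines):
    """Audit every Set-Cookie line in a list of response header lines."""
    return [audit_cookie(l) for l in lines if l.lower().startswith("set-cookie:")]


def insecure_session_cookies(lines):
    """Names of cookies that look like session identifiers and lack Secure."""
    return [a.name for a in audit_headers(lines)
            if a.looks_like_session and not a.secure]


if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"{audit.name}: {status}")
```

Run against captured response headers from a site you operate, the cookie named `session` is the one a Firesheep-style sniffer would harvest; adding `Secure` (and serving the whole session over HTTPS, so the cookie is never requested over HTTP in the first place) closes that path.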
Posted by Paul Mutton in Other
WikiLeaks has started using the Amazon Elastic Compute Cloud (EC2) to serve some of the whistle-blowing site's controversial content from the United States.
Shortly after WikiLeaks went live with their Iraq War Logs on Friday, UK-based Alex Norcliffe noticed Netcraft showing the new site to be hosted by Amazon EC2 in Ireland. Alex checked the IP addresses being used by the site and discovered it was being served from five locations in total, including two other Amazon EC2 instances that are located on US soil.
Amazon's EC2 web service is perhaps ideally suited for sites like WikiLeaks, which may receive huge bursts of traffic when important leaks are announced. Any EC2 site using the Amazon Cloudwatch monitoring service can enable the Auto Scaling feature to automatically scale up a site's capacity to cope with traffic spikes, or scale it down at less busy times to reduce costs.
The main WikiLeaks site, wikileaks.org, is also using round robin DNS to serve some of its requests from Amazon in the US. Prior to this, the site was hosted by PeRiQuita AB in Sweden, using the Sun Java System Web Server 7.0. Both wikileaks.org and warlogs.wikileaks.org are now using Apache 2.2.16 on Debian Linux.
Posted by Paul Mutton in Other
Criminals often register their own domain name to perform phishing attacks. Unlike the other common phishing site scenarios (including hacked servers, open redirects, and abuse of free webhosting), phishing sites that have their own domain name can be harder to remove, because the fraudster is both the website owner and the domain owner. Only the hosting provider, the DNS provider and the domain registrar are both able to take the site down and likely to cooperate.
The operation of top-level domains is generally split between a registry, which operates the infrastructure that answers DNS queries, and registrars, which sell domain names and provide the process for owners to maintain their records. Registries generally are not directly involved in removing phishing domains, and refer those to the registrar through which the domain was registered.
However, it is relatively easy to become a registrar, so large numbers of hosting companies, web design firms and domain name resellers are able to handle registrations. Registrars may not all respond quickly to abuse complaints. And in unusual cases registrars themselves may be involved in illegal activity.
There is a particular problem with so-called fast flux phishing attacks. Here the attacker uses a large pool of compromised hosts — often personal computers on DSL connections — and from these randomly chooses a number to act as web servers to host the phish (and also some to act as DNS servers for the phishing domain). The set of hosts used to support the phishing site is changed regularly, so efforts to contact the owner of one hacked system would at best cause the phishing site to be temporarily unavailable. ICANN (which hands out the contracts to operate generic top level domains including .com) published a report earlier this year looking at whether it should intervene to encourage adoption of more effective policies by registrars to prevent the abuse of fast-flux setups; but it seems reluctant to compel registrars to stop a practice that may also have some legitimate uses.
The one common point for any phishing attack is the URL sent to victims. In the case of fast-flux attacks, the owner of the domain will not cooperate and there are too many hacked systems hosting the phish for contacting the hosting provider to be effective. The only place where the attack can be quickly stopped is for the registrar or registry to suspend its domain name.
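The fast-flux pattern described above (a large pool of compromised hosts, a few chosen at a time, the set rotated regularly) leaves a signature in DNS that a defender can score before deciding to push a takedown request to the registrar. The following is an added example of such a heuristic, not part of the Netcraft post and not Netcraft's own detection logic: it takes successive A-record answers for one name and looks at short TTLs, the number of distinct addresses, how many /16 networks they span, and how much each answer differs from the previous one. The snapshots are constructed and the thresholds are assumptions to be tuned against real data.

```python
"""Score successive DNS answers for fast-flux behaviour.

Added example from a detection standpoint; not part of the Netcraft post.
The snapshots below are constructed and the thresholds are an assumption.
"""

from collections import namedtuple
from ipaddress import ip_address, ip_network

# One DNS answer: the TTL returned and the A records it contained.
Snapshot = namedtuple("Snapshot", "ttl ips")

# Constructed: answers for a suspicious name, each with a short TTL and a
# largely different set of addresses spread across several networks.
FLUX_SNAPSHOTS = [
    Snapshot(ttl=180, ips=["203.0.113.10", "198.51.100.7", "192.0.2.33", "203.0.113.200"]),
    Snapshot(ttl=180, ips=["198.51.100.9", "192.0.2.120", "203.0.113.77", "192.0.2.5"]),
    Snapshot(ttl=120, ips=["203.0.113.45", "198.51.100.51", "192.0.2.200", "198.51.100.130"]),
]

# Constructed: a legitimate site using round robin DNS over a small fixed pool,
# which should not trip the heuristic.
STABLE_SNAPSHOTS = [
    Snapshot(ttl=3600, ips=["192.0.2.1", "192.0.2.2"]),
    Snapshot(ttl=3600, ips=["192.0.2.2", "192.0.2.1"]),
    Snapshot(ttl=3600, ips=["192.0.2.1", "192.0.2.2"]),
]


def flux_features(snapshots):
    """Extract the four features the heuristic scores from a list of Snapshots."""
    distinct = set()
    prefixes = set()
    for snap in snapshots:
        for ip in snap.ips:
            addr = ip_address(ip)
            distinct.add(addr)
            # Group by /16 so a pool of DSL hosts across many ISPs stands out
            # from a hosting provider's single address block.
            prefixes.add(ip_network(f"{addr}/16", strict=False))
    min_ttl = min(s.ttl for s in snapshots)
    # Churn: average fraction of each answer not present in the previous answer.
    churn = 0.0
    if len(snapshots) > 1:
        changes = []
        for prev, cur in zip(snapshots, snapshots[1:]):
            new = set(cur.ips) - set(prev.ips)
            changes.append(len(new) / len(cur.ips))
        churn = sum(changes) / len(changes)
    return {
        "distinct_ips": len(distinct),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min_ttl,
        "churn": churn,
    }


def looks_fast_flux(snapshots, max_ttl=300, min_ips=6, min_prefixes=3, min_churn=0.5):
    """True when every feature crosses its threshold (thresholds are assumptions)."""
    f = flux_features(snapshots)
    return (
        f["min_ttl"] <= max_ttl
        and f["distinct_ips"] >= min_ips
        and f["distinct_prefixes"] >= min_prefixes
        and f["churn"] >= min_churn
    )


if __name__ == "__main__":
    for label, snaps in (("suspect", FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        print(label, flux_features(snaps), "fast-flux" if looks_fast_flux(snaps) else "normal")
```

Requiring all four features to fire is deliberate: a CDN or a round-robin pool like the one described above can have many addresses, and a short TTL on its own is common, but a legitimate site rarely combines short TTLs with near-total answer churn across unrelated consumer networks.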
Posted by Colin Phipps in Other
Human error was responsible for a data center electrical overload that knocked the Cisco Systems web site offline for about three hours Wednesday afternoon, the company said last night. The outage came as Cisco released four security advisories about vulnerabilities in its networking products, and left system administrators unable to access Cisco's support resources. The company was able to alert users through blogs.cisco.com, which is hosted on another network.
"The issue occurred during preventative maintenance of one of our data centers when a human error caused an electrical overload on the systems," Cisco said in an update. "This caused Cisco.com and other applications to go down. Because of the severity of the overload, the redundancy measures in some of the applications and power systems were impacted as well, though the system did shut down as designed to protect the people and the equipment." The outage can be clearly seen on this performance chart for www.cisco.com:
A dynamically updating chart of the Cisco.com web site performance is available. Netcraft offers a web site performance monitoring service that provides similar charts, along with e-mail alerts when an outage occurs.
Posted by Rich Miller in Other
A serious security hole has been discovered in TWiki, the popular open source collaboration software. The vulnerability allows remote attackers to execute shell commands on affected systems, and is already being actively exploited, with some analysts warning that a worm could soon follow. A hotfix is available from the TWiki web site.
TWiki is an enterprise collaboration platform typically used on development projects. It is used for internal communications at companies including IBM, Yahoo, Circuit City, Reuters, Boeing, General Electric, Wachovia and ZoneLabs. Some large companies use it to run web-facing Wikis, such as British Telecom's UK Telco B2B Forum.