Dec 29

Hash Algorithm Collision Denial-of-Service Vulnerability, Large Number of Websites Vulnerable

By Xeross, posted in News, Security/Hacking, Tech

A security advisory was released yesterday detailing a denial-of-service vulnerability that most of the web could be affected by.

The vulnerability lies in the hashing algorithms used by a variety of programming languages (including Python, Ruby, PHP and Java). When collisions happen, the hash tables built on these algorithms take up large amounts of CPU cycles to deal with them (from what I understand).

To give you an idea of the extent of this problem I’ll quote the PDF linked in the advisory. Take PHP, for example:

On an i7 core, the 60 seconds take a string of multi-collisions of about 500k. 30 seconds of CPU time can be generated using a string of about 300k. This means that an attacker needs about 70-100kbit/s to keep one i7 core constantly busy. An attacker with a Gigabit connection can keep about 10.000 i7 cores busy.

Or Ruby:

A typical POST size limit in Ruby frameworks is 2 MB, which takes about 6 hours of i7 CPU time to parse. Thus, an attacker with a single 850 bits/s line can keep one i7 core busy. The other way around, an attacker with a Gigabit connection can keep about 1.000.000 (one million!) i7 cores busy.

This allows someone to take down almost any web server with (very) limited resources. Possible workarounds are: limiting CPU time, limiting the POST size, or limiting the maximum number of POST variables.
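To show why colliding keys are so expensive and what two of the listed workarounds look like in practice, here is an added example (not code from the advisory, its PDF or this blog). The first half counts the key comparisons a CPython dict performs when every key hashes to the same value; a deliberately constant hash stands in for real multi-collisions, so the cost is visible without any collision generator. The second half parses a form body with a byte limit and a field-count limit, both checked before any table is built. The limits, the `parse_form_bounded` and `check_body` names and the sample bodies are constructed for this illustration; `max_num_fields` is a real keyword of `urllib.parse.parse_qsl`.

```python
"""Hash-collision DoS: the quadratic cost of colliding keys, and the
POST-size / POST-variable-count workarounds. Added example with constructed
limits and inputs; not the advisory's or the blog's own code."""
import urllib.parse


class CountingKey:
    """Dict key that records how many equality comparisons the table performs.

    With force_collide=True every key hashes to 0 (a stand-in for a real
    multi-collision), so the table must compare each new key against every
    key already in the bucket: inserting n keys costs n*(n-1)/2 comparisons
    instead of roughly none.
    """
    comparisons = 0

    def __init__(self, value, force_collide):
        self.value = value
        self.force_collide = force_collide

    def __hash__(self):
        return 0 if self.force_collide else hash(self.value)

    def __eq__(self, other):
        CountingKey.comparisons += 1
        return isinstance(other, CountingKey) and self.value == other.value


def comparisons_for_insert(n, force_collide):
    """Insert n distinct keys into a dict and return the comparison count."""
    CountingKey.comparisons = 0
    table = {}
    for i in range(n):
        table[CountingKey(i, force_collide)] = i
    assert len(table) == n  # all keys are distinct, so none were merged
    return CountingKey.comparisons


MAX_BODY_BYTES = 64 * 1024   # constructed limit: reject bodies above 64 KiB
MAX_FIELDS = 1000            # constructed limit: reject more than 1000 fields


def parse_form_bounded(body, max_body=MAX_BODY_BYTES, max_fields=MAX_FIELDS):
    """Parse an application/x-www-form-urlencoded body under hard limits.

    Both checks run before any hash table is built, so an oversized request
    is rejected for the price of a length check and a byte count rather than
    hours of CPU. Returns the parsed dict or raises ValueError naming the
    limit that was hit.
    """
    if len(body) > max_body:
        raise ValueError("POST body of %d bytes exceeds limit of %d"
                         % (len(body), max_body))
    # Each '&' separates one field from the next; count before decoding.
    if body and body.count(b"&") + 1 > max_fields:
        raise ValueError("POST body has more than %d fields" % max_fields)
    # parse_qsl's max_num_fields enforces the same bound inside the stdlib
    # parser as a second line of defence (raises ValueError when exceeded).
    pairs = urllib.parse.parse_qsl(body.decode("utf-8", "replace"),
                                   keep_blank_values=True,
                                   max_num_fields=max_fields)
    return dict(pairs)


def check_body(body, **limits):
    """Return None if the body is within limits, else the rejection reason."""
    try:
        parse_form_bounded(body, **limits)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    n = 2000
    print("comparisons, good hash:", comparisons_for_insert(n, False))
    print("comparisons, all colliding:", comparisons_for_insert(n, True))
    flood = b"&".join(b"k%d=v" % i for i in range(MAX_FIELDS + 1))
    print("flood body rejected with:", check_body(flood))
```

Raising `n` in the `__main__` block makes the quadratic growth obvious in wall-clock time; the field-count check rejects the constructed flood body without ever touching a dict.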

I’m currently waiting for the first PoCs and exploits to be published and will post an update when I get my hands on one (which will also confirm whether I understand the exploit correctly).

Update: I can see how this will ruin your day

Update 2: Go here for an easy to understand explanation.

Dec 24

Stratfor Rooted

By Xeross, posted in Anon/Etc., Security/Hacking, Tech

Merry #LulzXmas to everyone http://imagebin.org/190224 Stratfor rooted. All your base are belong to us. <3 #Anonymous

This tweet just went out from the @AnonymousIRC Twitter account (the first occurrence of the tweet I could find); a mirror of the defacement can be found on Zone-H. The Stratfor website is down as I write this.

Stratfor is a large private intelligence corporation with Fortune 500 companies and international intelligence agencies as its clients (source). A full list of clients can be found here.

Edit: there’s also this:

Over 90,000 Credit cards from LEA, journalists, intelligence community and whitehats leaked and used for over a million dollars in donations

- By @AnonymouSabu

So one million dollars from compromised credit cards. From what I can understand of later tweets they only used corporate execs’ credit cards, who won’t feel it that hard in their pockets, but I’m not sure I’m very fond of this action.

The Video Posted

Nov 15

AnonOps Hacked (Again)

By Xeross, posted in Anon/Etc., Security/Hacking, Tech

AnonOps has once again been hacked. Today a paste was put up on Pastebin by CARLOS1337, who got in because of an exploit in the Anope IRC Services daemon AnonOps was running.

The services database has been obtained by the hacker(s); this includes NickServ passwords, memos and channel passwords. The passwords were hashed, but if you used a short or weak password it has probably already been found.

AnonOps has already started dropping NickServ registrations as a precautionary measure, so you’ll have to re-register. Also, if you re-used the password you used on AnonOps anywhere else, I suggest you change those passwords ASAP.

~Xeross

Jul 30

My Views on Anonymous/Antisec

By Xeross, posted in Security/Hacking, Tech

Over the past years Anonymous has become more and more known: the Scientology protests, supporting Wikileaks, etc., and as of late the large number of hacks being performed and publicized.

Now the idea behind the movement is one I approve of, both Anonymous and AntiSec* (free speech, and exposing governments/corporations); however, I have my doubts about some of the actions being undertaken under these flags.

For example the slew of hacks being performed on seemingly random small websites: it just feels like some people aren’t hacking because of AntiSec, but merely use it as a justification for their hacks.

Now on the topic of the volunteer DDoS attacks, it seemed some people just did it for kicks, but most of them were legitimate protests against the actions of various organizations. I cannot disapprove of any of this, because people have the right to protest.

The thing bothering me is that some people use the movements as mere justification, rather than being motivated by said movement. Using it as an excuse, rather than anything else.

I’ll happily participate in discussion in the comments section, so feel free.

~Xeross

Edit: I do have to admit that all these hacks have me laughing a lot. Especially incompetent high-profile websites/companies.

* I support this to a degree, in that it’s good that the poor security of various organizations is being exposed. Another side note: this seems to be a completely different movement than the original AntiSec (check the Wikipedia page for more info on that).

Jun 21

Ryan Cleary Arrested

By Xeross, posted in Security/Hacking, Tech

Ryan Cleary, who is known for releasing the IP addresses of everyone that connected to the AnonOps IRC Network, has been arrested today.

Various news outlets are reporting he is thought to be the “Mastermind” behind LulzSec (They need catchy headers, stupid press), which is of course utter bullshit, considering the only thing Cleary has ever done is take down websites with a botnet.

Also, why would he be a mastermind if he got caught? That would pretty much disprove the claim.

We’ll see how this unfolds, hope he has a “fun” time in jail (Hmm Ms. Black could probably help him with that), and I sure as hell hope that the press will correct itself.

~Xeross

Update

LulzSec has officially confirmed that Cleary is not part of LulzSec.

Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that’s it.

- LulzSec on Twitter

Jun 21

Mt. Gox Hacked

By Xeross, posted in Security/Hacking, Tech

The Bitcoin exchange known as Mt. Gox was hacked on Sunday the 19th of June: the account database was compromised and an account containing a large volume of bitcoins was hacked.

Subsequently the hacker decided to sell off all the bitcoins, effectively crashing the market (well, at least on Mt. Gox) and dropping the exchange rate to a mere $0.01.

Now they’ve said they are performing a roll-back (trades 218869~222470 will be reverted, according to the above link), yet this sounds impossible, as there’s the possibility that people have cashed out coins during that period. If they were to roll back, wouldn’t that cause a discrepancy between the money in their bitcoin wallet and the money available on the site?

It seems I’m not the only one that has raised this concern; I guess we’ll have to wait and see how this turns out.

If anyone knows anything more with regards to the roll-back and problems involved please leave a comment.

~Xeross

Apr 11

Forum Failure Rant

By Xeross, posted in EVE Online, Security/Hacking, Tech
CCP - Can we fix it? No it's fucked.

So whereas the last post was a write-up of what CCP managed to fuck up, this’ll just be a rant on the idiocy that accompanied the development of these new forums.

Every single person that’s in the programming business (including web developers) has at least some basic knowledge of how this fucking stuff works. Take cookies, for example: every webdev knows that anything you store in the damn bastards can be edited by the end user, so at least use proper checks or proper cookies.

And now there are people saying it’s a simple oversight, but it’s not; even every person I know at my school that’s currently doing webdev knows this fucking thing. And I highly doubt it can be that fucking hard to implement a way to store data alongside your fucking forum sessions.

And then there’s the IP/account-banned guy that posted. How fucking hard can it be to block those? One simple fucking SQL query in your log-in or posting code is all it takes; it just doesn’t make any god damn sense.

Oh yes, and the fucking forum signatures. Really, you don’t sanitize the value of the cookie? Not that this should be stored in a cookie to begin with, but if you’re being stupid you might as well hide your stupidity with data sanitization.

And the last thing: they used existing open-source forum software. I encourage using open-source software, but don’t fucking claim it’s made in-house when you’re just modifying some open-source code, and being terribad at modifying it at the same time.

The only scenario that is remotely plausible is that the forums were developed by some interns, but even then one of them would’ve realized the cookies aren’t secure. Now I hope that Monday devblog sheds some fucking light, but I highly doubt it.

Once again, Xeross out.

P.S.: Yes my idea of a rant is adding the word fuck a lot in my sentences, deal wiz it

Apr 11

The Forum Fiasco

By Xeross, posted in EVE Online, News & Stuff, Security/Hacking, Tech

So CCP made a huge blunder with the “awesome” new forums: shortly after they were opened to the public a multitude of exploits was found, and their response, as always, was top notch.

In-house Developed Forums…

So one of the statements from CCP was that the new forums were going to be completely developed in-house, but as multiple people soon found out, certain URLs in the forum software contained yaf_. With some googling one finds http://yetanotherforum.net/

So it turns out the forums use an open-source .NET based forum as their base, which in turn spawns a few other problems (even though it would’ve probably been easy to prevent them).

Insecurely stored sensitive data

One of the issues found was that certain data was stored in cookies, and this data wasn’t being validated server-side again. This data included both the signature and the current character ID.

This meant that anyone could pose as any character by changing this value. This eventually resulted in people being able to post in the announcements forum and even read forums that are normally not available to them.

XSS Exploits

As I mentioned previously, the forum signature settings were also being stored as a cookie, and people soon found out that one could simply modify that cookie to include any kind of HTML they wanted in their signature, including <script> tags.

This opens up a whole myriad of possible attacks; just check the Wikipedia article on Cross-site Scripting to get an idea of what’s possible. Simply put, everything is possible: people can change the behaviour of the entire page that this malicious signature is being displayed on. In short, bad stuff.
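The two forum issues above (a character ID and a signature taken straight from cookies, and the signature rendered as raw HTML) share one root cause: the server treated client-supplied cookie values as trusted. The following added example (not YAF or CCP code; the function names, the secret key, the `SIGNATURES` store and the sample cookies are constructed) puts the vulnerable pattern next to a hardened one: the character ID travels in an HMAC-signed cookie whose tag is checked in constant time, the signature text lives server-side and is only changed through an explicit edit, and rendering HTML-escapes it.

```python
"""Forum session and signature handling: client-trusting pattern beside a
hardened one. Added example with constructed names and values; not the
forum software's or CCP's own code."""
import hashlib
import hmac
import html
import json

# Constructed secret; a real deployment loads it from server-side config.
SECRET_KEY = b"constructed-server-side-secret"


# --- vulnerable pattern: the client controls both values ---------------------

def current_character_vulnerable(cookies):
    """Trusts the character ID in the cookie as-is, so editing it impersonates
    any character."""
    return int(cookies["character_id"])


def render_signature_vulnerable(cookies):
    """Inserts cookie text into the page unescaped, so <script> in it runs."""
    return "<div class='sig'>%s</div>" % cookies.get("signature", "")


# --- hardened pattern --------------------------------------------------------

def sign_cookie(payload):
    """Serialise payload and append an HMAC so the server can detect edits."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_cookie(cookie):
    """Return the payload if the HMAC matches, else None (edited or forged)."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:          # wrong shape or non-hex body
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


# Server-side store of each character's signature (constructed stand-in for a
# database table). The client never sends signature text on ordinary requests.
SIGNATURES = {}


def set_signature(character_id, text, max_len=200):
    """Change a signature through an explicit edit; length is capped."""
    SIGNATURES[character_id] = text[:max_len]


def current_character_hardened(cookies):
    """Character ID only from a cookie whose signature verifies, else None."""
    payload = verify_cookie(cookies.get("session", ""))
    return None if payload is None else payload["character_id"]


def render_signature_hardened(character_id):
    """Escapes the stored text, so markup is shown literally, not executed."""
    text = SIGNATURES.get(character_id, "")
    return "<div class='sig'>%s</div>" % html.escape(text, quote=True)


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"
    print("vulnerable:", render_signature_vulnerable({"signature": hostile}))
    set_signature(42, hostile)
    print("hardened:  ", render_signature_hardened(42))
    good = sign_cookie({"character_id": 42})
    forged = json.dumps({"character_id": 1}).encode().hex() + "." + good.split(".")[1]
    print("good cookie ->", current_character_hardened({"session": good}))
    print("forged cookie ->", current_character_hardened({"session": forged}))
```

Signing the cookie fixes the tampering, but as the post says the value has no business being in a cookie at all; the same `verify_cookie` can carry nothing more than an opaque session ID that keys a server-side record holding the character ID.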

Posting from a banned IP

At one point a post was made with the poster claiming they were posting from a banned account and from an IP that has been banned. I can’t verify it, but if it’s legit it means they failed to implement the current banning system in the forums too.

CCP’s Response

So far CCP’s response has been that they’ve taken the new forums offline and reopened the old ones, and that on Monday the 11th of April more info will be released. There might’ve been other statements on Twitter and the like, but this is what the official front page says.

Not just the forums

By now this is not just about the forums anymore; see for example Mandrill’s Loss of Faith post, which seems to say that more and more things are going wrong at CCP and that they need a more enterprise-style mentality, because in essence they still work with the hobbyist enthusiasm they started with.

Now we’ll just have to wait and see what the Monday devblog will be and if CCP will step up their game soon, I definitely hope they read Mandrill’s blog post and I hope they can get something of value from it.

Finally, I have to credit Helicity’s post for most of the details I posted regarding the forum exploits, and I also recommend you read it, as it’s a good write-up. Credits also to whomever made the banner that I used for this post.

Xeross out.
