News

02-03-2010 12:50
Top ten malware-hosting countries revealed
US and UK among the top 10 countries hosting the most infected webpages.


News :: Sophos


Related entries:


03-11-2010 16:53
One a day keeps the hackers away. Read our discussion of the top 25 coding errors in the appsec streetfighter blog http://appsecstreetfighter.com, (Thu, Mar 11th)
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter 
ISC

03-10-2010 5:41
Are URL shorteners really dangerous?
There has been plenty of buzz about URL shorteners and security. URL shorteners have been described as a new attack vector since being popularized by social networks such as Twitter. I don't feel that URL shorteners are any more of a threat than their full length counterparts and here's why...

How URL shorteners work

The purpose of a URL shortener is to replace a long URL (e.g. http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html) with a shorter one (e.g. http://bit.ly/cikl0z). When a user clicks on http://bit.ly/cikl0z, he is redirected to http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html via an HTTP 301 redirection:

GET /cikl0z HTTP/1.1
Host: bit.ly

HTTP/1.1 301 Moved
Location: http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html
----------------------------------------------------------
GET /downloadwhitepaper_stateofweb-q4-2009.html HTTP/1.1
Host: www.zscaler.com

HTTP/1.1 200 OK

The browser made two requests: one to http://bit.ly/cikl0z and one to http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html.


Existing defense mechanisms

All the existing in-browser (Google Safe Browsing in Firefox, Opera's Fraud Protection, etc.) or external (IDS, proxy, etc.) URL scanners are applied to both the initial short URL request and the redirected long URL request. If the long URL is a known malicious site, it will be stopped whether the user clicks directly on the long URL or on a shortened URL.

[Figure: Firefox Google Safe Browsing warning on a URL after a redirection]
Also, content inspection (Antivirus, Deep Packet inspection, etc.) is applied on both requests.

The use of URL shorteners and redirections does not require any new security inspection. All of the web browser security tools in place prior to the use of URL shorteners are still relevant.
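The exchange above, and the point that a URL filter gets to judge the short URL and the long URL alike, as an added Python example that is not part of Julien's post: fake_fetch stands in for the network so the code runs offline, and the malware.example host, the bad123/loop short links and the blocklist are constructed.

```python
"""Resolve a short URL hop by hop, checking every requested URL against a blocklist."""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed stand-in for the network: URL -> (status, Location header or None).
# The first pair mirrors the bit.ly -> zscaler.com exchange from the post; the
# rest are invented to exercise the blocklist, a redirect loop and a dead link.
FAKE_RESPONSES = {
    "http://bit.ly/cikl0z": (301, "http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html"),
    "http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html": (200, None),
    "http://bit.ly/bad123": (301, "http://malware.example/payload.exe"),
    "http://malware.example/payload.exe": (200, None),
    "http://bit.ly/loop1": (301, "/loop2"),
    "http://bit.ly/loop2": (302, "http://bit.ly/loop1"),
}
BLOCKLIST = {"malware.example"}  # constructed hostname, stands in for a URL blacklist


def fake_fetch(url):
    """Issue one request and return (status, location) WITHOUT following redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


def resolve_chain(url, fetch=fake_fetch, blocklist=BLOCKLIST, max_hops=MAX_HOPS):
    """Walk the redirect chain one request at a time.

    Returns (hops, verdict): hops is every URL that would be requested, in order,
    so a URL filter sees the short URL and the long URL alike.
    """
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:                      # a -> b -> a: stop rather than spin
            return hops, "loop"
        seen.add(url)
        hops.append(url)
        if (urlsplit(url).hostname or "") in blocklist:
            return hops, "blocked"           # blocked before the request is made
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)     # Location may be relative
            continue
        return hops, "ok" if status == 200 else f"error:{status}"
    return hops, "too-many-hops"
```

Swapping fake_fetch for a real HTTP client that does not auto-follow redirects gives the same hop list a proxy or IDS would see.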

Hiding the real URL

The main argument against URL shortening services is that users don't know which domain they are being redirected to. In our previous example, users see the bit.ly host name in the link address, and do not know that they will be redirected to www.zscaler.com until after they click on the link. After the redirection, the ultimate destination URL can be seen in the web browser address bar.
[Figure: The long URL is displayed in the browser address bar after redirection]
How many people know the difference between a good URL and a bad URL? Even then, how can anyone be sure that a site won't serve malicious content? Many perfectly legitimate websites (Red Cross, Indian governmental websites, etc.) have been hacked and can contain an infamous hidden iframe to spread malware. Well-known websites are no longer necessarily safer than unknown or new sites. Simply using the reputation of the hostname to decide whether a URL is safe or not is not a good idea.
In a post Michael wrote a year ago, he checked 100,000 TinyURL (URL shortener service) URLs. He did not find any link to a malicious executable, no phishing sites, and very few redirections to malicious content.

I believe the danger of URL shorteners has been overblown, mainly based on the idea that individuals are in a position to determine if a website is dangerous or not simply by looking at the final URL. Users are far better off relying on antivirus, URL blacklists and regular browser updates for security. And these tools work just fine on shortened URLs as well.
- Julien 
Feedproxy Security


03-10-2010 18:47
Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication, (Wed, Mar 10th)
Yesterday Microsoft re-released KB973811 == http://www.microsoft.com/technet/security/advisory/973811.mspx
This relates back to the original KB973917 == http://support.microsoft.com/kb/973917
and advisory MS09-071 == http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
This affects the Extended Protection for Authentication functions within XP, Vista and Server 2003 == http://support.microsoft.com/kb/968389
It didn't show up in yesterday's Patch Tuesday review because Microsoft is classifying it as a non-security upgrade. This is confusing to me, because the update actually includes mitigation against a credential forwarding attack, which you might see on an unencrypted, unsigned connection (yes, there's still a lot of that going around!)
This update affects XP, Vista and Server 2003. Windows 7 and Server 2008 are not affected.
Thanks to our readers for letting us know about this one. I'm still puzzled as to why this wasn't on Microsoft's list of security updates ...
=============== Rob VandenBrink Metafore =============== 
ISC
