
SQL Injection



Reflected XSS vulnerabilities in action

Aspect Security

When my neighbor called early Wednesday morning, she sounded close to tears. Her Yahoo Mail account had been hijacked and used to send spam to addresses in her contact list. Restrictions had then been placed on her account that prevented her from e-mailing her friends to let them know what happened.

In a blog post published hours before my neighbor's call, researchers from security firm Bitdefender said that the hacking campaign that targeted my neighbor's account had been active for about a month. Even more remarkable, the researchers said the underlying hack worked because Yahoo's developer blog runs on a version of the WordPress content management system that contained a vulnerability developers addressed more than eight months ago. My neighbor's only mistake, it seems, was clicking on a link while logged in to her Yahoo account.

As someone who received one of the spam e-mails from her compromised account, I know how easy it is to click such links. The subject line of my neighbor's e-mail mentioned me by name, even though my name isn't in my address. Over the past few months, she and I regularly sent messages to each other that contained nothing more than a Web address, so I thought nothing of opening the link contained in Wednesday's e-mail. The page that opened looked harmless enough. It appeared to be an advertorial post on MSNBC.com about working from home, which is something I do all the time. But behind the scenes, according to Bitdefender, something much more nefarious was at work.


Look at this incredible thing Ian Baker created. Look at it!

The PHP hammer

What you're seeing is not Photoshopped. This is an actual photo of a real world, honest to God double-clawed hammer. Such a thing exists. Isn't that amazing? And also, perhaps, a little disturbing?

That wondrous hammer is a delightful real-world acknowledgement of the epic blog entry PHP: A Fractal of Bad Design.

I can’t even say what’s wrong with PHP, because – okay. Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.

You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.

You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.

You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.

Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

That’s what’s wrong with PHP.

Remember the immediate visceral reaction you had to the double-clawed hammer? That's exactly the reaction most sane programmers have to their first encounter with the web programming language PHP.

This has been going on for years. I published my contribution to the genre in 2008 with PHP Sucks, But It Doesn't Matter.

I'm no language elitist, but language design is hard. There's a reason that some of the most famous computer scientists in the world are also language designers. And it's a crying shame none of them ever had the opportunity to work on PHP. From what I've seen of it, PHP isn't so much a language as a random collection of arbitrary stuff, a virtual explosion at the keyword and function factory. Bear in mind this is coming from a guy who was weaned on BASIC, a language that gets about as much respect as Rodney Dangerfield. So I am not unfamiliar with the genre.

Except now it's 2012, and fellow programmers are still writing long screeds bemoaning the awfulness of PHP!

What's depressing is not that PHP is horribly designed. Does anyone even dispute that PHP is the worst designed mainstream "language" to blight our craft in decades? What's truly depressing is that so little has changed. Just one year ago, legendary hacker Jamie Zawinski had this to say about PHP:

I used to think that PHP was the biggest, stinkiest dump that the computer industry had taken on my life in a decade. Then I started needing to do things that could only be accomplished in AppleScript.

Is PHP so broken as to be unworkable? No. Clearly not. The great crime of PHP is its utter banality. Its continued popularity is living proof that quality is irrelevant; cheap and popular and everywhere always wins. PHP is the Nickelback of programming languages. And, yes, out of frustration with the status quo I may have recently referred to Rasmus Lerdorf, the father of PHP, as history's greatest monster. I've told myself a million times to stop exaggerating.

The hammer metaphor is apt, because at its core, this is about proper tooling. As presciently noted by Alex Papadimoulis:

A client has asked me to build and install a custom shelving system. I'm at the point where I need to nail it, but I'm not sure what to use to pound the nails in. Should I use an old shoe or a glass bottle?

How would you answer the question?

  1. It depends. If you are looking to pound a small (20lb) nail in something like drywall, you'll find it much easier to use the bottle, especially if the shoe is dirty. However, if you are trying to drive a heavy nail into some wood, go with the shoe: the bottle will shatter in your hand.
  2. There is something fundamentally wrong with the way you are building; you need to use real tools. Yes, it may involve a trip to the toolbox (or even to the hardware store), but doing it the right way is going to save a lot of time, money, and aggravation through the lifecycle of your product. You need to stop building things for money until you understand the basics of construction.

What we ought to be talking about is not how terrible PHP is – although its continued terribleness is a particularly damning indictment – but how we programmers can culturally displace a deeply flawed tool with a better one. How do we encourage new programmers to avoid picking up the double clawed hammer in favor of, well, a regular hammer?

This is not an abstract, academic concern to me. I'm starting a new open source web project with the goal of making the code as freely and easily runnable to the world as possible. Despite the serious problems with PHP, I was forced to consider it. If you want to produce free-as-in-whatever code that runs on virtually every server in the world with zero friction or configuration hassles, PHP is damn near your only option. If that doesn't scare you, then check your pulse, because you might be dead.

Everything goes with PHP sauce! Including crushing depression.

Therefore, I'd like to submit a humble suggestion to my fellow programmers. The next time you feel the urge to write Yet Another Epic Critique of PHP, consider that:

  1. We get it already. PHP is horrible, but it's used everywhere. Guess what? It was just as horrible in 2008. And 2005. And 2002. There's a pattern here, but it's subtle. You have to look very closely to see it. On second thought, never mind. You're probably not smart enough to figure it out.
  2. The best way to combat something as pervasively and institutionally awful as PHP is not to point out all its (many, many, many) faults, but to build compelling alternatives and make sure these alternatives are equally pervasive, as easy to set up and use as possible.

We've got a long way to go. One of the explicit goals of my next project is to do whatever we can to buff up a … particular … open source language ecosystem such that it can truly compete with PHP in ease of installation and deployment.

From my perspective, the point of all these "PHP is broken" rants is not just to complain, but to help educate and potentially warn off new coders starting new codebases. Some fine, even historic work has been done in PHP despite the madness, unquestionably. But now we need to work together to fix what is broken. The best way to fix the PHP problem at this point is to make the alternatives so outstanding that the choice of the better hammer becomes obvious.

That's the PHP Singularity I'm hoping for. I'm trying like hell to do my part to make it happen. How about you?


waderoush writes "If you visit Menlo Park, CA-based Willow Garage, you'll meet a $400,000 humanoid robot called PR2 that has stereo vision, a pair of dextrous arms, and enough smarts to roam the building independently and even plug itself into the wall when it needs to recharge. But in a sense, PR2 is just a demo. The real action at Willow Garage is around ROS, the Robot Operating System, a free meta-operating system that's already being used by hundreds of roboticists around the world and may soon be handed over to an independent foundation analogous to the Apache Software Foundation. Brian Gerkey, Willow Garage's head of open source development, says 'What we need is a LAMP stack for robotics,' and hopes that ROS will jumpstart innovation in robotics in the same way Linux and other free software components provided the foundation for the Internet boom. Today's roboticists 'have to come at the problem with a very deep expertise in all aspects of robotics, from state estimation to planning to perception, which automatically limits the number of people capable of building new things,' Gerkey says. 'But by providing a basic toolset analogous to the LAMP stack, we can get to a point where all you need to know is how to write code and what you want your robot to do.'"



Read more of this story at Slashdot.


About

LulzSec (a.k.a. Lulz Security) is a computer hacking group that began making headlines in May of 2011 after taking responsibility for compromising the security of a number of high profile targets. They have been known to use Distributed Denial of Service (DDoS) attacks and SQL injection to take down websites. (See also: #OpSony)

Highlights

The group periodically releases stolen information from websites. They post the stolen data on their website in .txt files[9] or as torrents on their page on The Pirate Bay[10]. Releases are often posted on Fridays, and so the group coined the hashtag “#fuckfbifriday” that they use when tweeting them.

May 5th, 2011: FOX

The earliest known hack attributed to the group began on May 5th, 2011 against Fox Broadcasting Company, which resulted in the breach of the TV talent show X Factor contestants database and 73,000 applicants’ personal information. On May 10th, the Fox.com sales database and users’ personal information were released.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/66648067281141760:

“We’re releasing the X-Factor contestants database publicly tonight. Stay tuned. Wink, wink, double wink!”

May 27th – June 6th: SONY

Between late May and early June 2011, international media company Sony’s database was attacked by hackers who took thousands of users’ personal data including “names, passwords, e-mail addresses, home addresses dates of birth.” Lulzsec claimed that it used a SQL injection attack and was motivated by Sony’s legal action against the original iPhone jailbreak hacker George Hotz, who revealed similar information about Sony’s PlayStation 3 console in December 2010.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/72823208465805312:

“Hey guys, we took a cruise! Who wants to play spot the SonyMusic SQLi? #fun #fun #FUN”

The breached databases include Sony Music Japan, Sony Pictures, SonyBMG Netherlands and SonyBMG Belgium. The group claimed to have compromised over 1,000,000 accounts, though Sony claims the real figure was around 37,500. Some of the compromised information has been reportedly used in scams.

May 29th: PBS

On May 29th, 2011, LulzSec managed to compromise several PBS web properties including their official website and Twitter account. The PBS homepage was defaced with an image of Nyan Cat and the words “all your base are belong to lulzsec”, referencing All Your Base Are Belong To Us. They claimed it was in response to a biased documentary about Wikileaks that had aired on an episode of PBS Frontline. They were also responsible for an article which claimed that 2Pac, a rapper who died back in 1996[7], was still alive and had been found living in New Zealand with another famous dead rapper, Biggie Smalls[8].

June 15th: CIA

LulzSec took responsibility for taking down the United States Central Intelligence Agency website in a tweet[1] on June 15th, 2010. According to Gawker reporter Adrian Chen[2], the attack was meant to impress Twitter user Quadrapodacone:

This afternoon, Quadrapodacone and Lulzsec got into a Twitter flame war, after Quadrapodacone mocked Lulzsec for taking on only “soft targets” like video game companies and PBS. (Lulzsec has since deleted its side of the conversation.)

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/81115804636155906:

“Tango down – http://t.co/2QGXy6f – for the lulz.”

June 15th: War With 4chan

On June 15th, 2011, an article was posted to the website VentureBeat claiming that LulzSec was starting to attack users of the website 4chan.org and the nebulous group referred to as “Anonymous”.

The sparring began when LulzSec initiated a “DDoS Party,” which was a set of large-scale distributed denial of service attacks on several gaming servers and websites that brought a lot of games offline. EVE Online, League of Legends and Minecraft all faced outages or significant latency problems. That was enough to get the attention of “/v/,” an internal image sharing board on 4chan.org that focuses on video games.[3]

June 17th: SEGA Attack Denial

On June 17th, 2011, multinational videogame developer SEGA issued an e-mail to the subscribers of its online network SEGA Pass revealing that the network had been breached by a group of hackers and that an unknown number of subscribers’ personal information, such as e-mail addresses and dates of birth, had been stolen:

“Over the last 24 hours we have identified that unauthorised entry was gained to our Sega Pass database,” the company said. “We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.”

The next day, Lulzsec responded to the news on Twitter by denying any involvement in the attack on Sega Pass. In a tweet expressing their fondness for the aging Dreamcast console, @Lulzsec announced that they would help the company take down whoever had launched the attack:

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/81765889329991680:

“@Sega – contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

June 17th: War With Anonymous Denial

On June 17th, 2011, the @LulzSec Twitter account announced that they were not at war with Anonymous, and repeated the sentiment by retweeting @YourAnonNews:

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/81748529609048064:

“Saying we’re attacking Anonymous because we taunted /b/ is like saying we’re going to war with America because we stomped on a cheeseburger.”

Tweet by Anonymous (@YourAnonNews), http://twitter.com/#!/YourAnonNews/status/81754107299373056:

“We are NOT at war with @LulzSec #MediaFags”

June 19th – Operation Anti-Security (#AntiSec)

On June 19th, 2011, LulzSec posted a statement on pastebin[5] announcing that they would be teaming up with Anonymous to attack government agencies.

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word “AntiSec” on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.

June 20th – SOCA

On June 20th, 2011, LulzSec managed to take down the United Kingdom’s Serious Organized Crime Agency (SOCA) website with a DDoS attack as part of Operation Anti-Security.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/82836801731043328:

“Tango down – http://t.co/JhcjgO9 – in the name of #AntiSec”

June 21st: Arrest

On June 21st, 2011, 19-year-old Ryan Cleary was arrested by UK police for allegedly attempting to take down a police website. According to PCWorld[6], his arrest was related to an investigation into LulzSec’s attacks:

The Metropolitan Police Central e-Crime Unit (PCeU) said the teenager was detained following an investigation into network intrusions and distributed denial-of-service (DDOS) attacks against “a number of international business and intelligence agencies by what is believed to be the same hacking group.”

LulzSec denied that Ryan was a part of the hacker group, saying he had only minor involvement, hosting one of their IRC chatrooms on his server.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/83244937847652352:

“Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that’s it. http://t.co/98VflEi”

June 21st: Brazilian Government Websites

On June 21st, a South American branch of the Lulzsec group (@LulzSecBrazil) launched DDoS attacks against the portal of Brazilian government websites and the homepage of the President under the banner of Operation Anti-sec. The denial-of-service attacks followed the June 19th announcement of a joint operation seeking to “steal and leak any classified government information, including email spools and documentation.”

Since the beginning of Operation Anti-sec, LulzSec’s support base has expanded from small unknown groups to an international network of Anonymous activists and regional Lulzsec chapters in Brazil and Colombia, as well as the Iranian Cyber Army.

June 23rd: Arizona Department of Public Safety

On June 23rd, Lulzsec released a new set dubbed “Chinga La Migra,” a Spanish phrase meaning “fuck the border patrol,” which reveals hundreds of private intelligence bulletins, personal information of police officers and confidential documents including training manuals and personal email correspondence. In the press release, the group cited the legislation of SB1070 (Support Our Law Enforcement and Safe Neighborhoods Act), a controversial anti-immigration law passed in the state of Arizona in April 2011, as their primary motive for targeting the Department of Public Safety.

The documents classified as “law enforcement sensitive”, “not for public distribution”, and “for official use only” are primarily related to border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/84032144283938816:

“Presenting Chinga La Migra: http://t.co/tQZ1uro | http://t.co/apl4g7J #AntiSec”

June 25th: LulzSec Retires

On June 25th, 2011, LulzSec released a statement on pastebin[11] saying that after 50 days of hacking, they would be going into retirement.

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/84758628325801984:

“50 Days of Lulz statement: http://t.co/GbAD070 | Torrent: http://t.co/lGsJ4PU Thank you, gentlemen. #LulzSec”

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

They later tweeted that Operation Anti-Security would be passed on completely to Anonymous:

Tweet by The Lulz Boat (@LulzSec), http://twitter.com/#!/LulzSec/status/84771325025075200:

“Finally, we encourage all future #AntiSec enthusiasts to join the AnonOps IRC here: http://t.co/1XLL1Jj and follow @AnonymousIRC for glory!”

The farewell statements were also accompanied by about 458 MB of data from AOL, AT&T, Navy.mil, pilimited.com, and many other websites, which they uploaded via their Pirate Bay account[10].

External Links

[1] Twitter – @LulzSec

[2] Gawker – Hackers Take Down CIA Website / 6/15/2011

[3] VentureBeat – Hit the deck: LulzSec and Anonymous start trading blows

[4] Linear Fix – Why LulzSec Hacks: A Timeline of Major Hacks

[5] Pastebin – Operation Anti-Security

[6] PCWorld – UK police arrest teen from Lulz Security for DDOS attack

[7] Wikipedia – Tupac Shakur

[8] cnet News – PBS, hacked, says Tupac is still alive

[9] Lulz Security – Releases

[10] The Pirate Bay – LulzSec

[11] Pastebin – 50 Days of Lulz


I don't usually do news and current events here, but I'm making an exception for the CWE/SANS Top 25 Most Dangerous Programming Errors list. This one is important, and deserves a wide audience, so I'm repeating it here -- along with a brief hand-edited summary of each error.

If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're not familiar with, or that piques your interest.

  1. Improper Input Validation

    Ensure that your input is valid. If you're expecting a number, it shouldn't contain letters. Nor should the price of a new car be allowed to be a dollar. Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today's most common vulnerabilities can be eliminated, or at least reduced, with strict input validation.

  2. Improper Encoding or Escaping of Output

    Insufficient output encoding is at the root of most injection-based attacks. An attacker can modify the commands that you intend to send to other components, possibly leading to a complete compromise of your application - not to mention exposing the other components to exploits that the attacker would not be able to launch directly. When your program generates outputs to other components in the form of structured messages such as queries or requests, be sure to separate control information and metadata from the actual data.

  3. Failure to Preserve SQL Query Structure (aka 'SQL Injection')

    If attackers can influence the SQL that you send to your database, they can modify the queries to steal, corrupt, or otherwise change your underlying data. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security.
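To make items 2 and 3 concrete, here is an added example (not part of the original post) showing the same login check written two ways against a constructed in-memory SQLite table: one that splices user input into the query text, and one that keeps the query structure fixed and passes the values out of band as parameters.

```python
import sqlite3


def make_db():
    """Constructed sample user store standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: the input becomes part of the SQL syntax, so the
    caller no longer controls the query's structure (CWE item 3)."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders: control information (the query) and data (the values)
    travel separately, which is the separation item 2 asks for."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # Constructed hostile username: the trailing "--" turns the rest of the
    # concatenated query, including the password test, into a SQL comment.
    crafted = "alice' --"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse battery"),
        "legit_param": login_parameterized(conn, "alice", "correct horse battery"),
        "crafted_vuln": login_vulnerable(conn, crafted, "wrong"),        # True: bypassed
        "crafted_param": login_parameterized(conn, crafted, "wrong"),   # False: rejected
    }
```

The parameterized version matches on the literal string `alice' --` as a username, finds nothing, and denies the login; the query's logic never changes no matter what the input contains.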

  4. Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')

    Cross-site scripting (XSS) is a result of combining the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject JavaScript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you -- because, after all, it did come from you! Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man.

  5. Failure to Preserve OS Command Structure (aka 'OS Command Injection')

    Your software acts as a bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, and you allow untrusted inputs to be fed into the command string, you are inviting attackers into your operating system.

  6. Cleartext Transmission of Sensitive Information

    Information sent across a network crosses many different nodes in transit to its final destination. If your software sends sensitive, private data or authentication credentials, beware: attackers could sniff them right off the wire. All they need to do is control one node along the path to the final destination, any node within the same networks of those transit nodes, or plug into an available interface. Obfuscating traffic using schemes like Base64 and URL encoding offers no protection.

  7. Cross-Site Request Forgery (CSRF)

    Cross-site request forgery is like accepting a package from a stranger -- except the attacker tricks a user into activating an HTTP request "package" that goes to your site. The user might not even be aware that the request is being sent, but once the request gets to your server, it looks as if it came from the user -- not the attacker. The attacker has masqueraded as a legitimate user and gained all the potential access that the user has. This is especially handy when the user has administrator privileges, resulting in a complete compromise of your application's functionality.

  8. Race Condition

    A race condition involves multiple processes in which the attacker has full control over one process; the attacker exploits the process to create chaos, collisions, or errors. Data corruption and denial of service are the norm. The impact can be local or global, depending on what the race condition affects - such as state variables or security logic - and whether it occurs within multiple threads, processes, or systems.

  9. Error Message Information Leak

    Chatty error messages can disclose secrets to any attacker who misuses your software. The secrets could cover a wide range of valuable data, including personally identifiable information (PII), authentication credentials, and server configuration. They might seem like harmless secrets useful to your users and admins, such as the full installation path of your software -- but even these little secrets can greatly simplify a more concerted attack.

  10. Failure to Constrain Operations within the Bounds of a Memory Buffer

    The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. Attack and detection techniques continue to improve, and today's buffer overflow variants aren't always obvious at first or even second glance. You may think that you're completely immune to buffer overflows because you write your code in higher-level languages instead of C. But what is your favorite "safe" language's interpreter written in? What about the native code you call? What languages are the operating system APIs written in? How about the software that runs Internet infrastructure?

  11. External Control of Critical State Data

    If you store user state data in a place where an attacker can modify it, this reduces the overhead for a successful compromise. Data could be stored in configuration files, profiles, cookies, hidden form fields, environment variables, registry keys, or other locations, all of which can be modified by an attacker. In stateless protocols such as HTTP, some form of user state information must be captured in each request, so it is exposed to an attacker out of necessity. If you perform any security-critical operations based on this data (such as stating that the user is an administrator), then you can bet that somebody will modify the data in order to trick your application.

  12. External Control of File Name or Path

    When you use an outsider's input while constructing a filename, the resulting path could point outside of the intended directory. An attacker could combine multiple ".." or similar sequences to cause the operating system to navigate out of the restricted directory. Other file-related attacks are simplified by external control of a filename, such as symbolic link following, which causes your application to read or modify files that the attacker can't access directly. The same applies if your program is running with raised privileges and it accepts filenames as input. Similar rules apply to URLs and allowing an outsider to specify arbitrary URLs.
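An added example for item 12 (not from the original post): a small helper that confines an externally supplied filename to a base directory. It canonicalises the joined path first, so `..` sequences, absolute paths and symbolic links are all resolved before the check, and it compares path components rather than string prefixes so a sibling directory with a matching prefix is not mistaken for a child. The sandbox directory and symlink it tests against are constructed inline.

```python
import os
import tempfile


def resolve_under(base_dir, user_supplied):
    """Return the canonical path of user_supplied inside base_dir, or None
    if the resolved path escapes base_dir."""
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise: realpath collapses "..", ".", and
    # follows symlinks, so the check sees where the path really lands.
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # Component-wise comparison: a plain startswith() would wrongly accept
    # "<base>_backup/x" as living under "<base>".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    # Constructed sandbox: a download directory holding one legitimate file
    # and one symlink that points outside the directory.
    root = tempfile.mkdtemp()
    files = os.path.join(root, "files")
    os.mkdir(files)
    with open(os.path.join(files, "report.txt"), "w") as fh:
        fh.write("ok")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(files, "link"))
    return {
        "plain": resolve_under(files, "report.txt") is not None,   # allowed
        "dotdot": resolve_under(files, "../secret.txt") is None,   # rejected
        "absolute": resolve_under(files, "/etc/hostname") is None, # rejected
        "symlink": resolve_under(files, "link") is None,           # rejected
        "lookalike": resolve_under(files, "../files_backup/x") is None,
    }
```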

  13. Untrusted Search Path

    Your software depends on you, or its environment, to provide a search path (or working path) to find critical resources like code libraries or configuration files. If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing.

  14. Failure to Control Generation of Code (aka 'Code Injection')

    While it's tough to deny the sexiness of dynamically-generated code, attackers find it equally appealing. It becomes a serious vulnerability when your code is directly callable by unauthorized parties, if external inputs can affect which code gets executed, or if those inputs are fed directly into the code itself.

  15. Download of Code Without Integrity Check

    If you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can modify that code before it reaches you. They can hack the download site, impersonate it with DNS spoofing or cache poisoning, convince the system to redirect to a different site, or even modify the code in transit as it crosses the network. This scenario even applies to cases in which your own product downloads and installs updates.

  16. Improper Resource Shutdown or Release

    When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposed items, looking for sensitive data. They could also potentially reuse those resources.

  17. Improper Initialization

    If you don't properly initialize your data and variables, an attacker might be able to do the initialization for you, or extract sensitive information that remains from previous sessions. If those variables are used in security-critical operations, such as making an authentication decision, they could be modified to bypass your security. This is most prevalent in obscure errors or conditions that cause your code to inadvertently skip initialization.

  18. Incorrect Calculation

    When attackers have control over inputs to numeric calculations, math errors can have security consequences. It might cause you to allocate far more resources than you intended - or far fewer. It could violate business logic (a calculation that produces a negative price), or cause denial of service (a divide-by-zero that triggers a program crash).

  19. Improper Access Control (Authorization)

    If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise that unauthorized functionality.

  20. Use of a Broken or Risky Cryptographic Algorithm

    Grow-your-own cryptography is a welcome sight to attackers. Cryptography is hard. If brilliant mathematicians and computer scientists worldwide can't get it right -- and they're regularly obsoleting their own techniques -- then neither can you.

  21. Hard-Coded Password

    Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

  22. Insecure Permission Assignment for Critical Resource

    Beware critical programs, data stores, or configuration files with default world-readable permissions. While this issue might not be considered during implementation or design, it should be. Don't require your customers to secure your software for you! Try to be secure by default, out of the box.

  23. Use of Insufficiently Random Values

    You may depend on randomness without even knowing it, such as when generating session IDs or temporary filenames. Pseudo-Random Number Generators (PRNGs) are commonly used, but a variety of things can go wrong. Once an attacker can determine which algorithm is being used, he can guess the next random number often enough to launch a successful attack after a relatively small number of tries.

  24. Execution with Unnecessary Privileges

    Your software may need special privileges to perform certain operations; wielding those privileges longer than necessary is risky. When running with extra privileges, your application has access to resources that the application's user can't directly reach. Whenever you launch a separate program with elevated privileges, attackers can potentially exploit those privileges.

  25. Client-Side Enforcement of Server-Side Security

    Don't trust the client to perform security checks on behalf of your server. Attackers can reverse engineer your client and write their own custom clients. The consequences will vary depending on what your security checks are protecting, but some of the more common targets are authentication, authorization, and input validation.

Of course there's nothing truly new here; I essentially went over the same basic list in Sins of Software Security almost two years ago. The only difference is the relative priorities, as web applications start to dominate mainstream computing.

This list of software security mistakes serves the same purpose as McConnell's list of classic development mistakes: to raise awareness. A surprisingly large part of success is recognizing the most common mistakes and failure modes. So you can -- at least in theory -- realize when your project is slipping into one of them. Ignorance is the biggest software project killer of them all.

Heck, even if you are aware of these security mistakes, you might end up committing them anyway. I know I have.

Have you?

