Sunday, September 25, 2011

Distributed Attacks Using URL Shorteners and News Aggregators

[Obligatory Warning: The information below is merely a speculative issue. I am not suggesting its use on any site. It is, however, something to watch for.]

I was talking with some people in a group the other day, and our conversation turned towards the prevalence of news aggregation sites like Reddit, Digg, and others. Stories that are submitted to those sites are seen by hundreds of people, if not thousands, often within minutes of submission. Now you're probably wondering what this has to do with security.

Think about some of the attacks that have occurred recently. They've often originated with a SQL or perhaps a persistent JavaScript injection. There are a lot of attacks that can occur entirely from the URL bar, just by injecting additional information into the URL. This is bad because anyone can 'click' a URL.

Now back to news aggregators. When you submit a link to those sites, you can choose a title, add the URL, and then it is instantly visible to many users of that site. The point of these sites is that news-worthy links and important information get "voted" to the top and that meaningless data is sent to the bottom. However, in order to be sent to the bottom, some people will have to click and rate the submitted site. This is where we bring in the malicious URL from before. If the URL with injection code is passed through a single or multiple URL shorteners, there is no way for the user of the aggregation site to know what is behind the link.

The entire point of this concept is to distribute a hacking attack. If an attacker is trying to attack a site through a form of injection, he or she can simply craft a ton of malicious links, submit them to these aggregation services from behind a proxy, and have some innocent user click them for him or her. It's effectively having others hack a site for them because when the site checks its logs, it'll see multiple IP addresses from users of the aggregation service.

Is this a big concern? Not really. But it's an interesting possibility that site admins and security professionals need to watch for on their own sites.
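For admins who want to watch for this, here is one way to check access logs for the pattern described above: the same suspicious request arriving from many unrelated IP addresses. This is an added example, not code from the original post; the log format (Combined Log Format), the `SUSPICIOUS` character set, the `min_ips` threshold, and the sample log lines are all assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

# Assumption: characters that should never appear in this site's decoded query strings.
SUSPICIOUS = re.compile(r"""['"<>;]|--""")

def find_distributed_requests(lines, min_ips=3):
    """Return {target: {"ips": set, "referers": set}} for suspicious request
    targets that arrived from at least min_ips distinct client addresses."""
    seen = defaultdict(lambda: {"ips": set(), "referers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, referer = m.groups()
        query = unquote_plus(urlsplit(target).query)
        if query and SUSPICIOUS.search(query):
            seen[target]["ips"].add(ip)
            host = urlsplit(referer).hostname  # None when the referer is "-"
            if host:
                seen[target]["referers"].add(host)
    # One odd request from one address is noise; the same one from many is the signal.
    return {t: v for t, v in seen.items() if len(v["ips"]) >= min_ips}

# Constructed sample lines (documentation IP ranges, example hostnames).
BAD = "/item.php?id=1%27%20OR%20%271%27%3D%271"
SAMPLE_LOG = [
    f'203.0.113.5 - - [25/Sep/2011:10:00:01 +0000] "GET {BAD} HTTP/1.1" 500 312 "http://aggregator.example/new" "Mozilla/5.0"',
    f'198.51.100.7 - - [25/Sep/2011:10:00:09 +0000] "GET {BAD} HTTP/1.1" 500 312 "http://short.example/aB3" "Mozilla/5.0"',
    f'192.0.2.44 - - [25/Sep/2011:10:00:15 +0000] "GET {BAD} HTTP/1.1" 500 312 "http://aggregator.example/new" "Opera/9.8"',
    '192.0.2.44 - - [25/Sep/2011:10:01:00 +0000] "GET /item.php?id=42 HTTP/1.1" 200 5120 "-" "Opera/9.8"',
    '203.0.113.9 - - [25/Sep/2011:10:02:00 +0000] "GET /search?q=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, info in find_distributed_requests(SAMPLE_LOG).items():
        print(target, len(info["ips"]), "IPs via", sorted(info["referers"]))
```

The referer hosts collected for each flagged request show which aggregator or shortener the traffic came through, which is where a takedown report for the submitted link would go.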

Tuesday, September 13, 2011

Windows 8 - First Looks

[Note: the following is a rambling of notes I jotted down quickly after viewing the new Windows 8 release.]

The Windows 8 Developer Preview was just released tonight (9/13/2011). I downloaded it, installed it in VirtualBox and played with it for a bit. My first thoughts: I don't like it one bit (for a desktop).

The one feature that I truly dislike is the use of panels. I originally thought they'd be an interesting and welcomed change for the desktop. I was wrong. They do nothing but hinder easy switching between apps and viewing of the start menu. They are big, clunky, and not suitable for a desktop at all.

The second thing that causes a major headache is the lack of familiar options. For example, to shut down, the user has to click Start, then the "Settings" panel, then "Shut Down." This is not intuitive at all.

Finally, the color scheme is horrible. I know it can be changed, but the default teal / green is a shocking step backwards in Windows' appearance.

Check out the quick screencast: