Lieber Stefan,

ich schreibe dir, weil ich eine Sache klarstellen möchte: Ich blocke Werbung nicht, weil mich Werbung nervt (ich sehe die nicht mehr) oder euch um eure Einnahmen zu bringen will, sondern weil die Werbung über JavaScript von für mich alles andere als vertrauenswürdige Drittanbieter ausgeliefert wird. Ich weiss durchaus guten Journalismus zu schätzen, weiss, dass dieser nicht umsonst zu haben ist und habe vermutlich mehr Verständnis für die Probleme der Verlage als viele andere denke ich.

Trotzdem kann ich nicht zulassen, dass irgendwelche Buden, die sich regelmässig pwnen lassen, meinen Rechner fernsteuern - denn das und nur das ist JavaScript: Remote Control eines Browsers durch den Server. Dieses Blocking ist also in erster Linie reiner Selbstschutz und ist auch jedem Nutzer sehr zu empfehlen.

Die Historie schädlicher Werbebanner auf Medienseiten ist lang und hat so ziemlich viele schon einmal irgendwann getroffen, sei es Zeit, Spon, Heise oder Handelsblatt um nur mal ein paar zu nennen, über die Schadcode verteilt wurde. Ein Problem ist dabei auch nicht zuletzt, dass es in so einem Falle ausser einer Entschuldigung keinerlei Entschädigung für die Opfer dieser Angriffe gab und gibt (sofern die Leute überhaupt merken, dass die gehackt wurden).

Ich bin nicht die Person, die tolle Ideen für Geschäftsmodelle hat, die funktionieren. Ich würde mir etwas wünschen, das für eure Branche nicht in Frage zu kommen scheint: Sowas wie eine Pauschale für alle Publikationen - in etwa nach dem Modell der GEZ für die Öffentlich-Rechtlichen. Ich nutze die Angebote eher sporadisch (meist auf Grund von Links), “blättere” aber praktisch auf den Seiten nie rum, womit ein Abo für mich keinen Sinn ergibt. Diese Art der Zahlung würde mir in meinem Nutzungsverhalten entgegen kommen.

Micropayment ist leider in den letzten Jahren nicht wirklich weiter gekommen und ausser Flattr sehe ich momentan wenig. Ich verstehe aber auch, dass sich damit kein Journalismus auf hohem Niveau lange finanzieren lässt.

Wie auch immer: Die Verantwortung für meine Sicherheit kann nur ich übernehmen - kein Staat, kein Verlag, kein Journalist und keine guten Worte. Die Konsequenz ist also, dass die Werbung, so auf die nicht verzichtet werden kann, entweder so eingebunden wird, dass sie ohne JavaScript auskommt oder sie wird schlicht geblockt. Denn mir ist Information zwar äusserst wichtig, aber nicht wichtiger als meine Sicherheit.

Mit freundlichen Grüßen, fukami

Wie einige vielleicht schon mitbekommen haben gibt es eine neue Version von Piwik. Piwik ist ein Stück Code zur Analyse von Besuchern auf Webseiten, ähnlich beispielsweise Google Analytics. Mein Kollege Stefan Esser hat ein schweres Sicherheitsproblem gefunden und ein Advisory dazu veröffentlicht, das im Bereich von PHP-Sicherheit wieder einmal eine Reihe wichtiger neuer Einsichten gebracht hat. Der entsprechende Exploit dazu ermöglicht das Ausführen von PHP Code aus der Entfernung oder das Anlegen beliebiger Dateien, also die vollständige Kontrolle eines Angreifers über einen Server, auf dem dieser Code gehostet wird.

Da ich nicht in fremden Seiten ohne Auftrag herumfingere weiss ich nicht, ob und wie die betroffenen Server bzw. PHP-Installationen gehärtet sind und ob sich die entsprechenden Seiten auch wirklich angreifen lassen (ich gehe aber davon aus). Was ich allerdings ahne ist, dass Piwik auf tausenden Seiten gehostet wird. Ich vermute aber sehr stark, dass dieser Exploit in Zukunft für den einen oder anderen Hack eingesetzt wird, weswegen ein Update auf die neue Version ein absolutes Muss ist. Ausserdem ist es angezeigt, Server, auf denen Piwik gehostet wird, nach Spuren von Einbrüchen zu untersuchen.

Eigentlich könnte man sagen, es ist soweit ganz normal — Bugs kommen immer wieder vor, auch Bugs, die das Ausführen von Code ermöglichen. Das ist auch richtig. Aber wenn man mal einen Augenblick inne hält und guckt, wo denn dieser Code überall zu finden ist, dann kommt man doch etwas ins Grübeln.

Webseiten werden oft als sogenannte virtuelle Server gehostet. Das bedeutet, dass sich auf einem physikalischen Server mehrere gehostete Domains befinden. So ist das auch auf den Seiten der Parteien wie gruene.de, spd.de oder liberale.de. Dort finden sich neben den eigentlichen Hauptseiten auch verschiedene Projekte und persönliche Seiten von Politikern der entsprechenden Parteien.

Man kann sich eine Reihe von Sachen vorstellen, wie Angreifer diesen Exploit nutzen können, angefangen von eher lustige Sachen wie subtile oder weniger subtile Verlautbarungen bis hin zu weniger lustigen Sachen wie Mitlesen von Mails, Servieren von Malware oder Angriffe auf weitere Server.

Die CDU nutzt auf ihren Hauptseiten übrigens dieses Tracking nicht, aber es gibt eine Reihe von CDU-Politikern und lokale Gruppen der Partei, bei denen es doch eingesetzt wird oder wo dieser Code auf einer anderen Domain auf demselben Server gehostet wird. Bei den Piraten gibt es diesen Code nur auf der Seite musik.klarmachen-zum-aendern.de, die keine weitere Verbindung zu anderen Servern der Piraten hat.

In der Liste der Seiten, die gegen so einen Exploit verwundbar sind (oder waren), finden sich aber noch eine Reihe anderer interessanter Bekannte: attac.de, proasyl.de aber auch jungefreiheit.de, die Seiten des Landes Rheinland Pfalz, des Umweltbundesamtes, des Asta der Uni Bonn oder die der Dampfplauderer von fixmbr.

Am interessantesten ist aber aus meiner Sicht eine völlig andere Seite, nämlich safer-shopping.de. Hinter Safer Shopping verbirgt sich ein Prüfsiegel des TÜV Süd, also genau etwas in der Art, das als eine der Maßnahmen im Rahmen der “Stiftung Datenschutz” grade im Gespräch ist. Dieses Beispiel zeigt einmal mehr, wie wenig diese Idee wert ist, denn auch andere Dienstleister, die solche Siegel anbieten, werden kaum in der Lage sein, diese Art von Angriffen zu verhindern, die das Vertrauen in Webseiten erheblich beeinträchtigen und dieses Siegel lächerlich erscheinen lassen.

Selbstverständlich ist auch bei einigen zertifizierten Seiten Piwik im Einsatz, denn was für Safer Shopping recht ist, ist für Anbieter von E-Shops natürlich nur billig.

Update: Kann übrigens sein, dass ich mich beim Einsatz von Piwik auf Safer Shopping-zertizierte Seiten geirrt habe. Waren jedenfalls irgendwelche Seiten mit Siegeln, die Sicherheit suggerieren sollen. Von daher ist es eigentlich auch egal, was das nun genau für welche waren.

Update 2: Zum Testen, ob man verwundbar ist, kann man die beiden Scripte nutzen, die Stefan in seinem Blog veröffentlicht hat. In beiden Fällen kommt dabei ein Cookie raus, der in den Browser kopiert werden muss: Datei schreiben und Code Execution.

Next week I will stay in Vienna to join Deepsec. Last year the conference was just amazing and I’m also looking forward to visit Metalab, one of my favorite hacker spaces. BeF and me will have a talk about ActionScript 3 obfuscation/de-obfuscation and other fun stuff with byte code. BeF released a new version of erlswf which is capable of disassembling AS3 and returning this disassembly as JSON. If you are interesting in those things you should check it out. BeF will hopefully blog about erlswf in detail (hinthint :)

During the last weeks I was one of the persons who looked through all the submissions (nearly 300!) for the 25C3. I was also involved into the decisions what talks will take place. I won’t tell much, but I think it will be interesting and much more focussed on technical topics rather than meta-blabla like the last years. BeF and me are going to speak about Flash stuff at 25C3 as well and we will also release a paper for the conference proceedings.

In November I will be at OWASP Germany 2008 in Frankfurt and talk about RIA security. I’m still not 100% sure what I will exactly talk about, but I think I will focus on difficulties one has to face when auditing complex RIA applications. Most people already know that I’m not a big fan of OWASP since it’s much to much vendor centric in my point of view (but, well, I don’t like to start a big rant here right now). Anyways, I’m looking forward to meet Alexios from n.runs and Martin at the conference.

Last month Stefan and me founded CGNSec. The idea is to meet security people and researchers from the Cologne/Bonn area to talk about unfinished ideas and projects as well as having some beers. Yesterday there was the second meeting and it was real fun. There were even some EZB guys from Frankfurt and we had some interesting conversations. I hope we will have some presentations from time to time, since there are quite some people with interesting stuff. I also hope that the MWCollect guys from Bonn are joining us next time.

Some personal notes: I got engaged with my girlfriend. Since she’ll go to Hamburg beginning of next year to join Henri Nannen Journalist School I will probably leave the Rhineland in between the next two years (well, not before she will finish). I really feel sad somehow, since I feel home here. But after her studies she will probably not coming back, so I will follow her sooner or later.

I joined a carnival society some months ago called “Beueler Stadtsoldaten”. The Rhenish Carneval is starting in a couple of days and I will have quite a couple of events where I will do some dancing (nothing to complicate really) - and I’m thinking about starting a blog or Soup where I like write about some experiences, post some photos and tell about all the dirty little things happen there. I will probably announce it using my Twitter account.

Last but not least a little advertising: End of November the book of Mario Heiderich, Christian Matthies, Johannes Dahse and me will be published by Galileo Press. It’s in German and it calls “Sichere Webanwendungen” (secure web applications). I was only responsible for everything related to Flash, so most of the work was done by the others. The nice thing is that it will be published only using my nick, not my real name :)

The next couple of weeks I’m going to speak at some interesting and completely different events. Next week I will be at re:publica in Berlin doing a tunneling workshop. Last year there was a screen at the entrance of re:publica showing the output of dnsniff. Some people got very pissed because of their passwords turning up in full HD quality. So Markus had the idea of this workshop and asked to do that in order to give the attendees a possibility to protect themself. The re:publica is going to be very big this year (800 attendees all together as far as I know) and a lot of old friends will show up I haven’t seen in a while.

The next event I’m going to visit is Bluehat v7 in Seattle. I’ve never been to the States before, so I’m really excited going there - especially because Microsoft is the reason which I still find very weird. I’ll give a presentation together with Manuel Caballero about Silverlight and how it compares to Adobe Flash security-wise. Only a few of the speakers of Bluehat are already known to me. Beside Lieutenant Dan and kuza55 I’m looking forward to got to know Sowhat. We tried to invite him to one of the past Chaos Communication Congresses but it was far more complicate than we thought because of problems with the visa. I’m also looking forward to got to know Billy Rios. I guess he and Nitesh will talk about Phishing.

In May I’ll be at PH-Neutral and give a presentation together with BeF entitled “SWF and the Malware Tragedy”. The talk is about static analysis of SWF bytecode and we hopefully have some more time to look into less known SWF bytecode obfuscation techniques. BeF and me also wrote a paper with the same title which is mainly about using Erlang programming language based erlswf for SWF bytecode analysis.

LSO, also known as Flash Cookies or Flash Shared Objects, are somewhat nasty: There are persistent across browsers, don’t get deleted on browser exit nor is there an obvious way for viewing and managing them. One possibility is to use NoScript, disable Flash entirely or disable read/write access to the directories where they get stored is another. But I personally find it interesting to see what sites are actually using those cookies for tracking. So a good solution for this specific issue would something to take back control and have an overview over those sites without giving them access to LSOs.

There is one simple solution and it is even supplied by Adobe itself: The Flash Player Settings Manager. It’s actually a Flash movie which is able to access the file system and store the settings.

I know, it is weird that it resides on Adobes website and it is far from being perfect at all since it would be much nice to have a real interface to it.

This week my workmate Stefan and me are going to join Deepsec, an “in-depth security conference” in Vienna. Deepsec looks very promising to me since there are a lot of talks I like to attend to, like the talks from Halvar Flake, Dave Aitel, Martin Johns, Alexander Kornbrust, David Litchfield or from Melanie Rieback. I will also give a talk, once again on Adobe Flash Security.

Beside the conference there will be another nice great event in Vienna called Roböxotica, a festival for cocktail robotics. I am also looking forward to visit Metalab and meet some friends.

Last but not least we will visit Figlmüller to eat Wiener Schnitzel :)

I just want to remind you guys to submit your lecture puroposal for the upcoming 24C3 in between the next 3 days :)

TecChannel filed a charge against German BSI. BSI stands for “Bundesamt für Sicherheit in der Informationstechnik” (Federal Office for Information Security) and they are the central IT security service provider for the German government. The reason for the charge is BSIs distribution of BOSS (BSI OSS Security Suite), which is basically a Live CD containing Open Source security tools such as Nessus and John the Ripper.

It will be interesting to see what happens.

A couple of days ago we had a nice discussion at Netzladen about all the politicians deciding about IT-related topics without using computers themself. Thomas from the FAU came up with this little analogy:

Those politicians are just like racists: They fear what they don’t know.

Very good point!

A while ago Michael Kubert offered to host so-called “hacker tools” and prepares a self-accusation of delicts forbidden by 202c StGB to see what happens. He posted his offer in the comments of Stefan article about taking down MOPB exploits. Now he prepared a simple password cracking bruteforce tool himself and offered it for download. His self-accusation happend beginning that week at the local prosecution authority Mannheim. He is very confident that nothing will happen.

Although I think it’s one way to get some information regarding that shitty paragraph, I don’t think it will really help very much. In my point of view the worst thing is not 202c itself but its connection to 303b regarding “computer sabotage” which points to 129a “forming of a terrorist organization”. As I mentioned several times, I’m quite sure that no one will ever go to jail for 202c. It’s more likely that it 202c will be used to have a more easy way to do house searches, hoping to find something interesting.

129a for example is also such weird paragraph: No one was ever convicted by that one, but it was (and still is) heavily used for starting investigations against groups and individuals. The “benefit” is mainly, that a different police is doing this investigation, so it’s much more intensive than the usual investigation regarding “normal” criminals.

Anyways, we’ll see what will happen.

A “funny” side note: The German Minister of Interal Affairs, Wolfgang Schäuble, gave an interview to the newspaper [Tagespiegel][tagespiegel], where is talking about the internet as “the universal plattform of the holy war against the western world” and that the internet “is not only for communication but also advertising, university, training camp and think tank for terrorists”. The most interesting part of it is that the German government is preparing a law for accusing people being trained in terrorist training camps. So it seems that everybody using the internet obviously participated at such camp in one way or another.

This could be really funny, but, well, in fact it’s not.

After Phenoelit, Stefan Esser and Kismac also THC surrenders. I doubt that this was the last group moving their resources away from Germany.

By the way: Jan Münther of n.runs clarified the things in a post on FD regarding the discussion about the Sophos Antivirus UPX parsing vulnerability. He also stated very clearly what most security people in Germany think:

As of the recent German “anti-hacking-tool laws” - these really bug everyone around here. The biggest problem is the fuzziness of the actual punishable acts: The law implies that the “criminal energy” is basically contained within the tools themselves, which of course is an absurd thought that only someone with zero contact with the actual subject matter can come up with. However, due to these new rules nobody around here knows what the real deal is - is having nmap on your box dangerous now? Is having ping and telnet dangerous? What about metasploit, CANVAS or CORE Impact, or god beware, own exploits, possibly 0days?

202c just sucks balls.

Steven M. Christey from MITRE gave a good example on Bugtraq mailing list where the new “anti hacker laws” in Germany regarding publishing of exploits are back firing badly. Here’s his full posting:

Subject: n.runs, Sophos, German laws, and customer safety

The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor’s statement that it’s only a “theoretical” DoS:

   http://www.sophos.com/support/knowledgebase/article/28407.html

   ”A corrupt UPX file causes the virus engine to crash and Sophos
   Anti-Virus to return ‘unrecoverable error. leading to scanning being
   terminated. It should not be a security threat although repeated
   files could cause a denial of service.”

It is unfortunate that Germany’s legal landscape prevents n.runs from providing conclusive evidence of their claim. This directly affects Sophos customers who want to know whether it’s “just a DoS” or not. Many in the research community know about n.runs and might believe their claim, but the typical customer does not know who they are (which is one reason why I think the Pwnies were a good idea). So, many customers would be more likely to believe the vendor. If the n.runs claim is true, then many customers might be less protected than they would if German laws did not have the chilling effect they are demonstrating.

It should be noted that in 2000, a veritable Who’s Who of computer security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias Levy, Alan Paller, and other well-known security professionals - published a statement of concern about the Council of Europe draft treaty on Crime in Cyberspace, which I believe was the predecessor to the legal changes that have been happening in Germany:

http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

   ”Signatory states passing legislation to implement the treaty may
   endanger the security of their computer systems, because computer
   users in those countries will not be able to adequately protect
   their computer systems… legislation that criminalizes security
   software development, distribution, and use is counter to that goal,
   as it would adversely impact security practitioners, researchers,
   and educators.”

If I recall correctly, we were assured by representatives that such an outcome would not occur.

- Steve

Thanks to Steve for pointing it out.

The new location of “The Turkey Curse” is http://blog.fukami.io. All requests to the old location are redirected.

The Chaos Commnunication Camp is over, so it’s time to announce the Call for Participation of the 24th Chaos Communication Congress 2007 (24C3). The Chaos Communication Congress is the annual four-day conference organized by the Chaos Computer Club (CCC) and taking place in Berlin, Germany. The 24C3s slogan is Volldampf voraus! _– the German equivalent of “full steam ahead” – a particular request for talks and projects featuring forward looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of “hacking”.

This years congress introduces a new category for talks called “Making”. This category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerilla-style knitting.

As always, the date of this event is December 27th to 30th.

Lenin wore a hula skirt and a flower garland — do I have to say more? The Chaos Communication Camp 2007 of the Chaos Computer Club at Finowfurt Airport was a totally outstanding event. The whole crew, especially Julia and fh, did a great job organizing it. In the first place the setting was awesome. Camping on the historic Russian airport somewhere in Brandenburg, sitting next to old planes and listening to interesting talks in bunkers were unique experiences. It was fun for me to spend the first hours and days just walking around and discovering the area.

When at night the whole place changed into an illuminated party zone, I wondered once again, how an event like that was possible at all. The two thousand attendees had a quite fast and mostly working internet in the middle of nowhere. Everybody around was helpful and even the short rainstorms couldn’t spoil the fun.

There were a lot of interesting talks — shame on me that I only listened to few of them: Lisa`s talk on finding and exploiting concurrency issues in software, Seth Hardy’s excellent talk “A Crash Course In The Math of Public Key Cryptography”, Dan’s Black Ops 2007, Fefe’s “Know your compiler” and Gil’s talk about ZERT and binary patches. Unfortunately, I missed the talk about the A5 Cracking Project — well, all the talks have been recorded, so I will see it online in a few weeks. Update: kuza55 notified me that the recording is already online :)

It was so much fun hanging around with all the Italians (especially ascii, Alessio and Fabio), the guys from Leiwandville, the Illuminats from Entropia, the crowd from Berlin, Dresden and Cologne, the Americans at Camp Anaconda and all the other dudes from all over Europe. I had some great conversations, for example with Dan Kaminsky regarding attacks using DNS rebinding with a very cool private presentation of his “Suckets” and I talked with FX regarding so-called Security 2.0 and other funny things.

I was somewhat unsatisfied by my own talk entitled “Testing and Exploiting Flash Applications”. Since I’m not a native speaker, I was extremely nervous in the beginning. Funny thing is that especially the German listeners were upset about my poor language skills and some even claimed that I should have held the presentation in German. But in the aftermath I had quite a few interesting conversations, i.e. with Rob (the maintainer of Gnash, a free and open Flash Player alternative) about Flash security models. I would not have had this chance if I had held my lecture in German.

Well, I guess badly spoken English is one of the most spoken languages in the world =)

Since one hour is a short period of time, I only explained the basics and demonstrated some funny but harmless example exploits with XML.load functions like CNNs v0te teh l33t, Nokias OpenMoko support and RTLs feature of the camp talks (Update: fixed by RTL. Update 2: They didn’t get it right: It’s only fixed if variable ‘’xmldata'’ starts with “http://”). I also explained a flaw in AS3 socket handling, mainly discovered by David Neu after a discussion we had a while ago. Adobe has already acknowledged the problem and told us they will patch it by end of October. We decided to release the info to the public before then, since it is less dangerous than buffer overflows in their player or media server.

During my talk I introduced a Flash Security Project called FlashSec. This project aims at developing testing methods and tools for Flash/AIR security auditing and documentation.

I found it very funny to get applause after showing how one can use simple LocalConnections to let Flash movie talk to each other cross domain. For attackers it is especially useful to build Flash based attack back channels. By the way: In this context I`d also like to mention Thai Duong, who notified me about his lecture at VNSECON07 where he demonstrated how to zombify a browser with Flash just a couple of days before.

Nonetheless, both the positive and the negative feedback I got was very useful for preparing and extending my talk for FrOSCON next week.