I like to think I’ve got operating system security down pretty well. I know I’m not as good with network security, but I try just as hard. When I got into web security this summer, I took a hard look at how I could improve the security of my web browser and it’s only taken me 4 months to realize that it’s probably a pointless endeavor.
This is what my desktop looked like up until yesterday:

That’s 4 different web browsers and 7 different Prism Single-Site-Browsers (SSBs). That’s right, I sucked it up and used SSBs for a whole 4 months after I wrote a post denouncing them because they seemed like the only good option I had. Oh, and every SSB had NoScript installed on it.
The purpose for all this was to keep my cookies isolated from each other and divide my browsing habits into different domains, so if I got caught in an attack on… say, this weblog, there would be no way an attacker could also walk away with my Google auth tokens. Google obviously means a lot to me, so I decided I need to keep all of their services completely isolated from everything else, hence the SSBs. I also cleared the data stored in each browser on a regular basis to minimize the information stored by them at any given time.
Continue reading ‘Protecting Your Cookies’
Our lab holds a Capture the Flag (CTF) hacking contest as part of CSAW each year and the tagline for it is:
“A digital cyber attack and defense competition in detecting application security vulnerabilities.”
…but shhhhh! Don’t tell marketing, there is absolutely no defense involved!
I believe that attack has merits on its own, but that is a discussion for another time.
CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.
Continue reading ‘CSAW08 CTF’
Every year, as part of CSAW, we hold a Security Awareness Poster contest where we ask students to convey a simple message regarding any current issue in information security. These posters always turn out amazing and are among the most impressive, if non-technical, entries we get. Unfortunately, we haven’t been so good at sharing these posters with others and usually only make a few printouts for ourselves in the lab.
Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006
View the full library of awareness poster images here.
Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!
This year’s Penetration Testing and Exploit Development course (Fall 2008) will contain completely rewritten course material, guest lectures from leading security professionals, and free access to commercial tools provided by Fortify Software and Matta (thank you!). Additionally, the class will be held on-campus rather than online as it has been.
The instructor for the course is Nasir Memon with TAs Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:
- December 4th — FINAL PROJECTS
- December 11th — hack the planet/show off projects
Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.
Any questions about the course can be e-mailed to me at dguido@gmail.com.
EDIT: The course will be held in room RH227
A recent article in ComputerWorld profiled NYU-Poly, and specifically the ISIS lab, as 1 of 10 “IT Schools to Watch.”
When Stan Nurilov attended Polytechnic Institute of New York University in an accelerated bachelor’s/master’s of computer science program from 2002 to 2006, he truly enjoyed the technical courses he took in areas like operating systems and databases.
But it wasn’t until he graduated and began working as a software developer/project leader for a branch of the U.S. military that Nurilov fully appreciated the project-level courses that taught him about leadership qualities.
“Those classes really help me when I need to work with customers and gain collaboration on projects,” he says.
Stan is a graduate of our SFS program that pays for two years of tuition, rent, and other expenses in exchange for a commitment to work at a government agency for two years.
Head over to ComputerWorld and read the rest of the article!
Published on August 16, 2008 in Meta and Web.
On August 13th .mario, a high-profile member of the sla.ckers.org forum, alerted me to an XSS issue on the CSAW registration form. I had previously looked through the code and concluded it was safe based on this block of filtering code included at the top of the page:
//don't use this script!
// Every cookie and POST field goes through the same pipeline: escape for
// SQL, strip tags, trim. Nothing here encodes for the HTML output context.
foreach ($_COOKIE as &$cookie) {
    $cookie = trim(strip_tags(@mysqli_real_escape_string($mySQL, $cookie)));
}
foreach ($_POST as &$post) {
    if (is_array($post)) {
        // one level of nesting for array-valued form fields (e.g. checkboxes)
        foreach ($post as &$_post) {
            $_post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $_post)));
        }
    }
    else {
        $post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $post)));
    }
}
Additionally, the registration script limits sources of user controllable input by only ever using the POST and COOKIE superglobals.
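The report .mario sent is not reproduced on this page, so the following is an added example, not the CSAW registration code or the actual bypass. It shows the general reason a filter built from strip_tags() and mysqli_real_escape_string() cannot substitute for output encoding: a payload with no angle brackets survives the tag stripper, and the backslash the SQL escape puts in front of a double quote means nothing to an HTML parser. PHP's two functions are approximated here with Python stand-ins (labelled as such) so the script runs offline, the attacker string and the `<input name="team">` template are constructed, and Python's html.parser plays the role of the browser to show which attributes each version of the markup actually yields.

```python
"""Added example: why strip_tags() plus SQL escaping does not stop XSS.

The PHP functions are approximated (php_strip_tags, mysql_escape) so the
demo runs without PHP or a database; the input string is constructed.
"""
import re
from html import escape
from html.parser import HTMLParser


def php_strip_tags(s: str) -> str:
    """Stand-in for PHP strip_tags(): drops <...> runs; an unclosed '<' eats the rest."""
    return re.sub(r"<[^>]*(?:>|$)", "", s)


_MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                  "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_escape(s: str) -> str:
    """Stand-in for mysqli_real_escape_string(): backslash-escapes SQL metacharacters."""
    return "".join(_MYSQL_ESCAPES.get(c, c) for c in s)


def legacy_filter(value: str) -> str:
    """The per-field pipeline from the registration script: escape, strip, trim."""
    return php_strip_tags(mysql_escape(value)).strip()


class _FirstInputAttrs(HTMLParser):
    """Collect the attributes a browser-like parser sees on the first <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    p = _FirstInputAttrs()
    p.feed(markup)
    return p.attrs or {}


# Constructed attacker input. No '<' or '>' anywhere, so the tag stripper has
# nothing to remove. The '"' closes the value attribute; the backslash that the
# SQL escape puts in front of it is not an escape character in HTML. The
# trailing '//' comments out the stray '"' that ends up inside the handler.
ATTACK = '" autofocus onfocus=alert(document.cookie)//'


def render_vulnerable(value: str) -> str:
    """Filtered value dropped straight into an attribute (the original pattern)."""
    return '<input name="team" value="' + legacy_filter(value) + '">'


def render_safe(value: str) -> str:
    """Same filter, plus encoding for the HTML attribute context at output time."""
    return '<input name="team" value="' + escape(legacy_filter(value), quote=True) + '">'


if __name__ == "__main__":
    for label, markup in (("vulnerable", render_vulnerable(ATTACK)),
                          ("encoded", render_safe(ATTACK))):
        print(f"{label}: {markup}")
        print("  parsed attributes:", parsed_input_attrs(markup))
```

The vulnerable rendering yields an `<input>` carrying `autofocus` and an `onfocus` handler; the encoded rendering yields only `name` and `value`, with the whole payload inert inside the attribute. The fix is the same regardless of which input filter is in front: encode for the context you are writing into (here an HTML attribute, via htmlspecialchars() with ENT_QUOTES in PHP), separately from whatever the SQL layer needed.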
Continue reading ‘PHP strip_tags not a complete protection against XSS’
I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:
The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.
Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:
I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..
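The two defects described above, as an added example that is not the challenge site's code: an account-details lookup that checks only that the caller is logged in, and a transfer that takes the source account from a client-controlled parameter, each beside the version with an object-level authorization check. The account data and the `session_user` argument (standing in for whatever the real application derives from its login cookie) are constructed.

```python
"""Added example: missing object-level authorization on account lookup
and on the source side of a funds transfer, with the fixed handlers.
All data is constructed; the challenge site's schema is unknown."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised by the fixed handlers for any id the caller may not touch."""


@dataclass
class Account:
    id: int
    owner: str
    balance: int


ACCOUNTS = {
    1001: Account(1001, "alice", 500),
    1002: Account(1002, "bob", 2500),
    1003: Account(1003, "carol", 80),
}


def view_account_vulnerable(session_user, account_id):
    """Authenticated but not authorized: any id the caller names is served."""
    acct = ACCOUNTS.get(account_id)
    return None if acct is None else (acct.owner, acct.balance)


def view_account(session_user, account_id):
    """Fixed: the record must belong to the authenticated principal.

    Missing and foreign ids get the same response, so the endpoint is not
    an oracle for which ids exist.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden
    return (acct.owner, acct.balance)


def transfer_vulnerable(session_user, src_id, dst_id, amount):
    """The source account is whatever the client put in the form."""
    src, dst = ACCOUNTS[src_id], ACCOUNTS[dst_id]
    src.balance -= amount
    dst.balance += amount


def transfer(session_user, src_id, dst_id, amount):
    """Fixed: the source must be the caller's own account and be funded."""
    src, dst = ACCOUNTS.get(src_id), ACCOUNTS.get(dst_id)
    if src is None or dst is None or src.owner != session_user:
        raise Forbidden
    if amount <= 0 or amount > src.balance:
        raise ValueError("bad amount")
    src.balance -= amount
    dst.balance += amount


def enumerate_accounts(view, session_user, id_range):
    """Harvest whatever `view` returns over an id range (the Intruder loop)."""
    found = {}
    for account_id in id_range:
        try:
            result = view(session_user, account_id)
        except Forbidden:
            continue
        if result is not None:
            found[account_id] = result
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(view_account_vulnerable, "alice", range(1000, 1010)))
    print("fixed:     ", enumerate_accounts(view_account, "alice", range(1000, 1010)))
```

Against the vulnerable lookup, a single valid session harvests every account in the id range; against the fixed one it sees only its own. The transfer fix is the same idea applied to a write: never take the identity of the debited account from the request when the session already tells you who is paying.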
I took screenshots of all the actual attacks below.
Continue reading ‘Fortify Hacking Challenge’
Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger!
The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.
Continue reading ‘F-Secure Khallenge Level 1′
Published on August 10, 2008 in Wireless.
Do you ever connect to the free wifi at your local tea lounge and get assigned an address like 192.168.1.148? Are those 47 other users sucking up all the bandwidth, preventing you from reading that webpage or checking your email for that important message? Has the wireless AP simply crashed under all the load of those hippie mac users continuously reading LOLcats for no good reason?
This happens to me every so often and I use a simple, harmless, and effective technique to deal with it called an 802.11 deauthentication attack. I use aircrack-ng (available on a BackTrack live CD) to temporarily knock everyone off the AP to unclog its pipes and allow you to reach the internets. This blog post will walk you through how to do this yourself if you’re ever stuck in the same situation.
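What the aircrack-ng suite (specifically aireplay-ng, its injection tool) actually puts on the air is a management frame with no authentication behind it, which is why the trick works and why anyone can do it to you in turn. The following is an added example, not part of the post or the aircrack-ng code: it builds a deauthentication frame byte for byte, parses it back, and counts deauth frames per BSSID so the same knowledge serves a wireless IDS. It deliberately does not transmit anything (that needs a monitor-mode interface, raw-socket privileges, and a network you are authorized to disrupt); the MAC addresses are constructed.

```python
"""Added example: the 802.11 deauthentication frame on the wire.

Builds the management frame a deauth tool transmits, parses it back, and
flags BSSIDs that source a flood of them. Nothing is sent; addresses are
constructed. Frame layout: frame control (2), duration (2), addr1/addr2/
addr3 (6 each), sequence control (2), then a 2-byte reason code. The FCS
is appended by the radio and is not part of the bytes built here.
"""
import struct
from collections import Counter

FC_DEAUTH = 0xC0               # type 0 (management), subtype 12 (deauthentication)
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_NONASSOC = 7     # "class 3 frame from non-associated STA"; the usual choice


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(bssid: str, client: str = BROADCAST,
                 reason: int = REASON_CLASS3_NONASSOC, seq: int = 0) -> bytes:
    """Return the 26-byte deauth frame: addressed to `client`, spoofed from the AP."""
    header = struct.pack("<BBH", FC_DEAUTH, 0x00, 0)   # frame control, flags, duration
    header += mac_bytes(client)                        # addr1: receiver (station or broadcast)
    header += mac_bytes(bssid)                         # addr2: transmitter, forged as the AP
    header += mac_bytes(bssid)                         # addr3: BSSID
    header += struct.pack("<H", (seq & 0xFFF) << 4)    # sequence number, fragment 0
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes):
    """Return the frame's fields, or None if it is not a deauthentication frame."""
    if len(frame) < 26 or frame[0] != FC_DEAUTH:
        return None
    return {
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


def deauth_flood_sources(frames, threshold: int = 10) -> dict:
    """BSSIDs that appear as the source of more than `threshold` deauth frames.

    A real AP sends a handful of these when it evicts a station; dozens in a
    short window, especially to the broadcast address, is an injection tool.
    """
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed is not None:
            counts[parsed["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n > threshold}


if __name__ == "__main__":
    ap = "00:11:22:33:44:55"   # constructed BSSID
    frame = build_deauth(ap, seq=1)
    print(frame.hex(" "))
    print(parse_deauth(frame))
    capture = [build_deauth(ap, seq=i) for i in range(64)]     # constructed flood
    print("flood sources:", deauth_flood_sources(capture))
```

Note that the transmitter address is simply written into the frame; before 802.11w (protected management frames) there is nothing a station can check, so the frame is honoured whoever sent it. The same 26 bytes, seen dozens of times per second from one BSSID in a capture, are the signature a wireless IDS keys on.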
Continue reading ‘802.11 Deauthentication attacks for fun and profit’
ISIS Lab is organizing NYU-Poly’s 5th annual Cyber Security Awareness Week (CSAW) where students can compete and win prizes in a variety of information security challenges. There will be door prizes, raffles for participating, and bonus prizes for undergrad and high school participants. Qualified finalists will receive a travel scholarship to attend the awards ceremony in New York City.

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw
Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!
Of all the things that happened this weekend, I didn’t expect this! I registered but I probably wouldn’t have played if Tom Brennan hadn’t frantically raced up to me at about 6:30 on Friday to tell me that I had to =). Thanks Tom!
I’ll talk about some of the challenges I went through, but if you’re really interested in these kinds of things you should compete in one of the capture the flag competitions that I developed for these upcoming events:
- NYU-Poly’s Cyber Security Awareness Week – A yearly event for students that our lab puts on. Compete in 7 different information security competitions for prizes! If you win, we’ll pay for you to come to NYC and collect your prize!
- OWASP AppSec NYC – A 2-day web application security conference taking place downtown this September. There will be a web capture the flag contest, also with prizes. Everyone is welcome to play and challenges will be accessible to beginners and experts alike!
Now about HOPE/Packetwars CTF… Continue reading ‘I won HOPE/Packetwars CTF!’
Published on July 15, 2008 in Events.
Tuesday (Tonight) – NYSEC at Pound and Pence
Wednesday night – InfoSec study time at ISIS Lab. I’m going to be working on a paper on Web Authentication.
Friday-Sunday – The Last HOPE at the Hotel Pennsylvania. Only $80 at the door! We’ll have a booth in the vendor area, come say hi!