Am I alone in fearing that lust for shrinking down the browser will get us in more troubles like this (or just make plain old-school phishing more effective)?
Feeds
13620 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
26 items tagged "Google"
hackademix.net
-
A Fistful of Pixels
Posted: May 22nd, 2011, 12:14pm CDT by Giorgio
Tags: Google [edit]
-
1337 Blogger Super-Admin
Posted: March 13th, 2011, 10:33am CDT by Giorgio
Tags: Google [edit]
Nir Goldhsanger asked me to share with my audience a nice privilege escalation through parameter pollution he found, allowing the attacker to become administrator of any Blogger blog, which he dutifully reported to Google and deserved him the famous $1337 bug bounty.
I’m quite impressed by the first step of the attack, where the application gets fouled by a double “blogID” parameter: the first gets validated (it actually refers to a blog owned by the attacker) but then the second is actually used to perform the “add authors” action. Looking at the URL, it would seem they use Struts or some other Java-based framework. Since I’m quite rusty with them (these days I mainly use PHP and Ruby on the server side), would anyone attempt a reverse engineering and explain which kind of code could get messed by this? Did they maybe parse their parameters twice, with two different parsers?!
SEO BlackHat: Black Hat SEO Blog
-
Bing is Just Better
Posted: February 1st, 2011, 11:08am CST by QuadsZilla
Tags: Google [edit]
Over the past few weeks, we’ve seen the hypocrisy coming out of Google reaching new all time highs. The mud slinging out of the Google camp is a signal:
Google is running scared.
Bing has gotten better. A lot better: and Google has gone from ignoring Bing to character assassination.
The latest hoopla goes like this “Waaaah, Bing is copying our search results!” When we dig deeper, we find that, no, Bing is not copying Google results, they are tracking user searching behavior. But hold on, doesn’t Google’s Privacy policy say (and I quote):
“Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service””
So Google Does EXACTLY THE SAME THING and throws mud at Bing for doing it? . . . AGAIN? The part that’s even worse is that people who are suppose to be “Search Engine Journalists” can’t even get the story right, because they’re too busy sucking Google cock and just blindly reprint everything fed to them.
The Fact is that Bing has gotten better. It’s a viable competitor and it’s taking market share from Google in the US. This year will be a repeat: Bing will shave off at least another 3 points of US Marketshare: at the expense of Google.
Google is scared. They call Bing’s Results “a Cheap imitation”, but the fact is that Bing is now consistently delivering better results. For all queries? No, not yet. But for your average, non power user, Bing delivers.
If you haven’t used it in a while, head back over to Bing. Use it for a week as your first Go To search engine. It’s much better than you thought.
-
Anti PR SEO – Made Profitable by Google
Posted: November 27th, 2010, 6:38pm CST by QuadsZilla
Tags: Google [edit]
I know I haven’t posted in forever, but this is just too great to pass up:
Not only has this heap of grievances failed to deter DecorMyEyes, but as Ms. Rodriguez’s all-too-cursory Google search demonstrated, the company can show up in the most coveted place on the Internet’s most powerful site.
Which means the owner of DecorMyEyes might be more than just a combustible bully with a mean streak and a potty mouth. He might also be a pioneer of a new brand of anti-salesmanship – utterly noxious retail – that is facilitated by the quirks and shortcomings of Internet commerce and that tramples long-cherished traditions of customer service, like deference and charm.
Nice? No.
Profitable?
“Very,” says Vitaly Borker, the founder and owner of DecorMyEyes, during the first of several surprisingly unguarded conversations.
“I’ve exploited this opportunity because it works. No matter where they post their negative comments, it helps my return on investment. So I decided, why not use that negativity to my advantage?”
19 pages, but an interesting story. You can get the jist of it by reading the first 5.How’s that old saying go? No publicity is bad publicity.
hackademix.net
-
Thumbs Up, Google
Posted: July 1st, 2010, 5:28am CDT by Giorgio
Tags: Google [edit]
I’m quite surprised (albeit happy) to see " target="_blank" rel="nofollow external">a capitalist corporation actually contributing to social progress, and with a politically bold move, rather than with the usual hairy tax-deductible alms.
But after all Mozilla itself is a foundation, but a corporation too, isn’t it?
Interesting times we’re living in…
-
Google Analytics Opt-Out Snake Oil
Posted: May 26th, 2010, 4:09pm CDT by Giorgio
Tags: Google [edit]
On his blog, Wladimir Palant complains about Google providing browser users with a not effective enough way to opt-out from Google Analytics.
Specifically, he doesn’t like how the Google Analytics Opt-out Browser Add-on actually allows Google Analytics scripts to load and run, just setting a global variable ( _gaUserPrefs
) in the hosting page which tells the code not to send back data.
This approach is inherently flawed, because the hosting page can easily force Google Analytics to run by simply overwriting the aforementioned _gaUserPrefs
variable.
Worse, the _gaUserPrefs
variable is automatically added to every single page you load. Hence, the fact itself you’re using this “opt-out” add-on can be easily detected if you keep JavaScript enabled, adding some extra points to your unanonymity score. Something like
if (!!_gaUserPrefs) alert(”You hate Google Analytics, don’t you?”)can make a nice test to update the Panopticlick suite with, singling out privacy concerned persons.
However, the original sin is that the Google Analytics’ script still being downloaded and executed, and if you find this questionable from a security/privacy perspective, then the Google’s Analytics Opt-Out Browser Add-on serves no purpose.
Wladimir’s post initially advertised his own extension as a better solution, but later he had to retract:
Still, until Google can come up with something better I recommend people to use Adblock Plus with EasyPrivacy filter subscription,
that’s the easy and reliable solution(check the update below).Update: Sorry, that last part wasn’t entirely correct — EasyPrivacy doesn’t block Google Analytics script either, due to many websites being broken without it as mentioned above.
True, if you block Google Analytics’ script by using a proxy, a firewall, a host file or Adblock Plus with an ad-hoc filter, many sites are going to break because they depend on JavaScript objects provided by Google Analytics. They integrate GA calls within essential functionality, such as link and button event handlers or even initialization routines, and they fail more or less dramatically when the script is missing. Sad, silly but true.
This is no news (and no problem) at all for NoScript users, though: in fact, almost one year and half ago, this very issue prompted the development of NoScript’s Script Surrogates feature, which prevents the breakage by “emulating” the blocked script with dummy replacements. This means that NoScript users have Google Analytics blocked by default, with no site-breaking side effects.
So, until Google can come up with something better I recommend people to use the reliable and easy solution ;)
SEO BlackHat: Black Hat SEO Blog
-
Gmail Feature Follow-Up: This Ain’t Mashable Here!
Posted: March 17th, 2010, 8:53pm CDT by QuadsZilla
Tags: Google [edit]
Alright so already the “This Gmail Feature Would be Amazing” has more tweets than any other post I’ve ever done. Sure, 120 (as i’m writing this) isn’t earth-shattering, but this blog ain’t exactly mashable, (where every retarded post gets that many.)
But I’ve been convinced by the comments that it could be turned into an auto spammer with the auto-resend feature. No problem, we don’t need it. We just need to be reminded in 1-7 days when the thread we started or replied to has not been responded to.
Most of the time the email will be a reply with the original quoted saying “Where are we on this?” But not always.
If you understand GTG, you know why this would be so incredibly helpful. Even if you don’t, you probably understand at least half the benefit.
So Google: Where’s my new feature?!?
Hotmail? . . .Anyone?
Bueller?
Bueller?
-
This Gmail Feature Would Be Amazing
Posted: March 15th, 2010, 5:00am CDT by QuadsZilla
Tags: Google [edit]
I know you Google Employees read this blog.
So listen up: take that free time or whatever it is that lets you start up side projects and implement this feature in gmail:
It will be so incredibly useful that I’m shocked no one has done it before. Shit, if Hotmail implemented this feature and fixed it so the browser back button worked, I’d fucking start using hotmail: it would be that helpful.
-
This Gmail Feature Would Be Amazing
Posted: March 15th, 2010, 5:00am CDT by QuadsZilla
Tags: Google [edit]
I know you Google Employees read this blog.
So listen up: take that free time or whatever it is that lets you start up side projects and implement this feature in gmail:
It will be so incredibly useful that I’m shocked no one has done it before. Shit, if Hotmail implemented this feature and fixed it so the browser back button worked, I’d fucking start using hotmail: it would be that helpful.
-
Google Suggest: The Potential for Power, Coruption, and Liability
Posted: January 2nd, 2010, 11:18am CST by QuadsZilla
Tags: Google [edit]
How long before Google’s suggestions actually cause measurable harm to a person or company?
.
We’ve already seen the tendency for Google to suggest the rather inappropriate.
So what would happen if someone who owned a enough boxes sent out enough Google queries on seemingly legitimate accounts? Could this type of activity damage a competitor’s brand?
Could it go far enough toward ruining someone’s life that Google would be held responsible in court?
Google suggest is a useful feature and perhaps we’re still just in the beta format (isn’t everything there considered beta for years?).
Regardless of what they do with this tool, they’re gonna take some heat. If they suggest sponsors – well if they do that, I’d love to sign up! But I’m sure people will bitch and moan about it.
If they clearly augment the suggestions by human review, then it’s going to be increasingly difficult for them to retain the image of being agnostic about the results. Google won’t be able to hide behind “oh, well that’s just what the big machine behind the curtain spits out”.
This type of suggestion is very powerful. The potential for abuse (whatever that means) is enormous. This is Orwell’s Ministry of Truth incarnate: only stronger. That 1984 vision only had the power to change the answer.
Google takes that one step further: they have the power to change the very question.
I, for one, am certainly happy that this power rests in the hands of a company that “don’t be evil.”
Aren’t you?.
hackademix.net
-
Why Chrome has No NoScript
Posted: December 10th, 2009, 9:00am CST by Giorgio
Tags: Google [edit]
On April the 1st (!) 2009 I had a phone call with Mickey Kim of Google. The Chromium development team was starting to design a browser extension API, and they wanted to know what kind of hooks were needed for FlashGot and NoScript to be ported on Chrome. I gave them detailed answers with references to related Mozilla technologies, and they promised to keep me updated with progresses.
Eight months later, Chrome extensions are here but NoScript is not among them yet, and people are asking why. The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.
Maybe Google plans to implement the missing stuff later, maybe they’re still trying to figure out whether it can be done without enabling effective ad blocking, but in the meanwhile the pale AdBlock and FlashBlock imitations which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.
Just install the most popular FlashBlock clone for Chrome and visit this page I put together in 3 minutes to see what I mean…
UpdateSam Hasler came to the rescue:
The top rated FlashBlock clone for Chrome does block your example page.
Of course, it took another 3 minutes to fix “the top rated” as well ;-)
SecuriTeam Blogs
-
The Internet May Harm your computer!
Posted: January 31st, 2009, 9:22am CST by yairb
Tags: Google [edit]
I have just Googled up some Securiteam pages. Can you imagine my shock when I saw the Google Alert Saying Securiteam can harm my computer?
Isn’t that great?
Just before I push the Panic Button, I Googled up one more term.
This is what I got:
When I saw this one, I relaxed.
On regular days when you see the message saying “This site may harm your computer” it means that google believes that this site may install malicious software on your computer.
Today Google’s Safe Browsing feature probably freaked out for some reason.In any case, according to Google, the whole Internet can harm your computer right now, so be careful!
Update: Marissa Mayer wrote in the google blog that the problem happened because the URL of ‘/’ was mistakenly added to the ‘bad sites’ file and ‘/’ expands to all URLs. She also wrote that this problem started at 6:27 a.m. and ended at 7:25 a.m. PST.
-
Expose the security holes in your products during development. Black Box Testing makes it safer!
hackademix.net
-
Surrogate Scripts vs Google Analytics
Posted: January 25th, 2009, 12:13pm CST by Giorgio
Tags: Google [edit]
Sooner or later you, dear NoScript user, may face this puzzle: you already allowed every single script source looking “legitimate” on a certain page, but the damn thing stubbornly refuses to work as it should. Then, in a moment of enlightenment, you dig inside your Untrusted menu, and there you find google-analytics.com. You put it there long ago because you don’t like to be tracked, but now you cross your fingers and temporarily allow it… et voilà, the page starts behaving!
Now, you may ask why the hell a web site requires Google Analytics scripts to be enabled for providing its basic features, and you might be right: no reason for that. On the other hand, a growing number of web sites leverage Google Analytics for more than just tracking page views and navigation: they also try to collect finer grained usage data about some specific features of theirs. Therefore they call functions or reference objects from http://www.google-analytics.com/ga.js from their own “1st party” specific scripts, e.g. when you click a certain button: if google-analytics.com is blocked by NoScript (or by AdBlock Plus, or by your hosts file, for the matter), the 1st party code referencing it will obviously fail and the button will stay dead. You can be hinted about Google Analytics being the culprit by opening Tools|Error Console and watching for errors like “urchinTracker is not defined” or “_gat is not defined”.
So far, all you could do about that was allowing google-analytics.com. But latest NoScript (1.8.9.7 or above) implements a new feature, called Surrogate Scripts, which works around this problem out of the box and is customizable enough to cope with similar 3rd party script issues in the future. How does it work? Very simple: whenever an external script is blocked, NoScript checks if its URL matches a certain pattern, and if it does an alternate user-provided surrogate script gets executed instead, in the context of the loading page. There you can define surrogates for any required object or function.
There’s no UI for this feature (yet?), but its intended audience is likely geeky enough not no need one.
You can specify as many URL/surrogate mappings as you want, by creating a couple of about:config preference entries under the noscript.surrogate root.
The built-in Google Analytics mapping can be regarded as a reference:- noscript.surrogate.ga.sources: *.google-analytics.com
- noscript.surrogate.ga.replacement: var _0=function(){};with(window)urchinTracker=_0,_gat={_getTracker:function(){return {__noSuchMethod__:_0}}}
var _0=function(){};with(window)urchinTracker=_0,pageTracker={_setDomainName:_0,_trackPageview:_0,_initData:_0},_gat={_getTracker:function(){return window.pageTracker}}*
If you want to exempt some pages from this replacement (e.g. because they already provide a graceful fallback for missing external scripts), you can add an URL pattern to the noscript.surrogate.ga.exceptions preference, e.g. *.mozilla.org *.mozilla.com. Script Surrogates can be disabled globally by setting noscript.surrogates.enabled to false.
Happy hacking :)
*UpdateJesse Andrew told me about some Google Analytics API not covered by the original surrogate, so rather than trying to find out every possible tracker method, present and future, I decided to catch them all by exploiting a nifty Mozilla JavaScript feature, i.e. __noSuchMethod__. Please get 1.8.9.8 (latest development build) if you want to this more reliable approach right now.
Update 2Since I’ve been asked by concerned non-geeks (especially those who can’t read JavaScript code) what exactly the Google Analytics surrogate does, here’s a plain English description: the Google Analytics surrogate script does NOTHING. It’s a dummy “catch all” replacement for the most common Google Analytics functions: it makes the calling pages happy, helping not to break sites, but doesn’t send nor receive anything to/from Google.
SEO BlackHat: Black Hat SEO Blog
-
Adwords by Browser Type or OS?
Posted: December 10th, 2008, 8:45am CST by QuadsZilla
Tags: Google [edit]
Can I target my adwords buy to include only one type of OS or Browser type? I see where I can target mobile devices, but beyond that . . . am I just missing the option and it’s right there in front of me?
Let’s say I’m selling an application and only want to target Safari users or those on the OSX platform - can I do that with Adwords? Can I do it with Yahoo’s Advertising platform?
Has anyone done this with adwords?
Can one of my loyal Google-Employee readers help me with this?
SecuriTeam Blogs
-
Hi Goog, where is your user agent?
Posted: December 8th, 2008, 2:27am CST by yairb
Tags: Google [edit]
Net Applications reported this week that one third of the traffic coming from Google’s facilities has no user agent. This report refers specifically to the traffic coming from Google’s employees and not the Search Engine’s traffic.
Vince Vizzaccaro, a senior executive from Net Applications said that they had never seen an OS stripped off the user agent string before. “you have to arrange to have that happen, it’s not something we’ve seen before with a proxy server.”
So what’s Google hiding? Of course, Google, like Google wouldn’t comment on rumors and speculations.What do you think? Why would they hide their UA?
-
Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!
SEO BlackHat: Black Hat SEO Blog
-
Not a “Bounce” . . . but a SCASI
Posted: November 27th, 2008, 2:46pm CST by QuadsZilla
Tags: Google [edit]
After my last 2 posts on bounce rate, Many more questions have been popping up about the bounce effect.
First, let’s clarify what we’re talking about here. Google doesn’t need to use analytics data bounce rates. It’s much more likely that Google would use a metric such as:
SCASII don’t think there’s a word for this yet, so I’ll invent the term SCASI (SERP Click After Site Inspection).
If a surfer Clicks SERP A from a list of SERPs and then (10 secs to 4 mins later) clicks any other SERP on that same list of search results it is a negative quality indicator. If the user found what they are looking for, they wouldn’t need to keep clicking on SERPs. If they continue to click, they’re initial find was not satisfying.
The links in search results are not direct links to the sites, but rather a google redirect such as:
http://www.google.com/url?sa=t&source=web&ct=res&cd=14&url=http%3A%2F%2Fwww.holidays.net%2Fthanksgiving%2F&ei=UQIvSfPRHaGievXK5OMK&usg=AFQjCNFNzOBQgfUn_14d33MdAMUPBgYz2Q&sig2=SJhrGbVZlvPXlOT9zYBHgQ
This would allow Google to easily track SCASI . . . and to a great extent “bounce”.
This isn’t technically the “bounce rate” but would be a good corollary in most instances. However, in the event that the landing page actually answers the users questions, the corollary would start to break down.
For example, many people who go to the wikipedia through a Google search will not continue to click in wikipedia. Many of them will “bounce” after reading the article. But if the wiki article answered the user’s question, the bounce might be high but the SCASI would be very low.
As webmasters, we don’t have access to SCASI data . . . unless of course we own all the top 10 SERPs
What we DO have is bounce rate. In a majority of cases, a higher bounce rate will mean a higher SCASI rate.
It’s clear to me that Google already uses this type of data for ranking sites. If not, they should start sending me a consultancy paycheck for designing their damn search engine . . . after all, I did answer their interview questions. Better yet, let me take over the search department at Microsoft; we desperately need more competition in the search space.
I’ve got more to cover on this - but is it getting any clearer to you?
PS: Happy Thanksgiving!
-
Dancing on the Grave of the Yahoo - Google Deal!
Posted: November 6th, 2008, 10:14am CST by QuadsZilla
Tags: Google [edit]
The Yahoo - Google advertising deal would have been horrendous for consumers, advertisers, Yahoo, partners . . . pretty much for everyone but Google.
Yesterday, that deal was pronounced dead.
<sings> “Ding, Dong the witch is dead.”</sing>
w00t! and all that jazz.
As much of a free market guy as I am, the one place where the free market needs government intervention is in the area of Anti-Trust and Monopoly oversight. The DoJ did right on this one.
Google is becoming increasingly arrogant with their partners and advertisers. On their syndication deals, from what I hear they want to “renegotiate” every deal down to a 50% or lower payout (when in many cases these partners have 85%+). While Yahoo isn’t the best answer for “competition” in the marketplace, at least they’re something.
Google knows they are in effect the only game in town and are behaving more and more like it. Aaron Wall discussed this further in “How Long Until People View Google Like Microsoft?”
I know at least one person who already does.
Speaking of Microsoft, Yahoo shares are up significantly after the death of the Google deal on speculation that this puts Yahoo back in play for a Microsoft bid. Jerry Yang all but begged Microsoft to buy them following the collapse of the Google deal.
The mid $40 numbers that Jerry et al were dreaming of earlier this year are more of a pipe dream than ever. Even the odds of Microsoft bidding $31 per share again are slim to none.
But a $23 price tag would probably work for everyone. Whether or not that’s gonna happen is why the stock is still trading a shade under $15 today. Microsoft said they’ve “moved on” and they may well have meant it.
The question is: If MSFT has moved on, what the hell have they moved on to?
SecuriTeam Blogs
-
Wired network compromised during the Google developer conference in Israel
Posted: November 4th, 2008, 10:36am CST by Aviram
Tags: Google [edit]
Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.
According to the article, google sent a follow up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while in the google conference.
The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.
-
Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!
hackademix.net
-
NoScript vs Insecure Cookies
Posted: September 9th, 2008, 6:44pm CDT by Giorgio
Tags: Google [edit]
Mike Perry’s Automated HTTPS Cookie Hijacking just made Slashdot’s front page, so I decided to spend some time nesting a countermeasure inside NoScript’s request intercepting guts.The original idea comes from an email conversation I had with pdp just after his GMail account had been compromised: he suggested to mark every cookie with the “Secure” attribute, causing the browser to send it exclusively over HTTPS connections.
Later he detailed this concept as a feature of his yet to be developed BrowserSecurify plugin:Secure cookies: The feature will prevent the browser from sending cookies over unecrypted channels, once activated. This feature will mark insecure cookies as always secure. This effectively means that you login into GMail and continue browsing Google over unencrypted channel not being afraid of leaking sensitive data which can be used to compromise your GMail account.
NoScript’s new feature, called Forced Secure Cookies is slightly different, less obtrusive and non-interactive.
In facts, NoScript 1.8.0.5 just intercepts the “Set-Cookie” headers which are being sent over encrypted connections and are not flagged as “Secure” yet, adding the missing attribute on the fly before the cookie is stored.
This way, only those cookies actually created in the context of an encrypted transaction are forcibly switched to “Secure”, and therefore sites having lower security requirements and needing insecure cookies to work as a non-sensitive persistence mechanism are less likely to break.
Obviously those sites creating session-identifier cookies over insecure channels and recycling them after secure authentication won’t be helped by this implementation, but it’s apparently not the case of GMail, for instance.
However, should that prove itself to be such a common pattern to be worth protecting, a check on HTTP/HTTPS switching could be added to erase any previously set domain cookie.Forced Secure Cookies, like Anti-XSS Filters, are designed to work independently from your trusted whitelist; in other words, it does not care about JavaScript and plugins permissions and will be effective even if you “allow script globally” (not recommended, as usual).
Are you’re in the mood for beta testing? Please grab latest NoScript development build and drop me a line if it appears to summon any black hole swallowing your planet.
SecuriTeam Blogs
-
gmail https - not for everyone
Posted: September 8th, 2008, 4:32pm CDT by yairb
Tags: Google [edit]
A few weeks ago, Google added an option to force your Gmail connection to https instead of http. This feature was great news for people like me who use public networks a lot.
I was looking for that feature in my settings page but couldn’t find anything that looks like it. I stopped looking for it and today when looking for something else, I found the reason why I didn’t get this feature.
I’m using Google Apps for my domain, and apparently my Google Apps account simply doesn’t have this feature. Only my Gmail account has it!This is how the setting page of my Gmail account looks like:
This is how my Google Apps setting page looks like:
I can’t think of a good reason for Google to make a Google Apps account less secure than a Gmail account. I can only hope that it’s a matter of time and it is not one of those features that will never be included in Google Apps.
In any case, if you are using Google Apps you can still use a secured connection.
Instead of going to [mail.google.com] , take your browser to [https:].
That will make your connection https instead of http.Google had supported https for Gmail from day 1. The thing is, it was kind of a secret and if you didn’t look for it, or didn’t have somebody to tell you about it, you would still be using http. As a matter of fact, I doubt it if more than a tiny fraction of Gmail users have ever heard of https and know if it’s good or bad.
Security should be built over security awareness. Without awareness real security will never happen. Employees who write classified documents should be aware of the document classification they work on. It is not enough to tell them that their document is classified. They need to know about classification and think about classification and understand what classification means when dealing with it.
The same way that people know not to keep their ATM card PIN code in their wallet, (the bank helped them to raise their security awareness) Google must help their users raise their security awareness and know not only that https is available for Gmail but also that https is so much safer than http and should be used by default.I doubt it if the majority of people will ever use the secured connection for Gmail. Such a feature requires education and Google will never do that. Since https is significantly slower than http, and since most people don’t know about security and don’t really care about security, this feature is probably just another feature for the readers of this blog, and their family and friends.
Update: I checked gmail corporate user comment, and he is right. My gemstones shop uses the free version of Google Apps. The paid version has a feature called “SSL enforcement for secure HTTPS access” that is included in the paid version only (no.4 in “Collaboration application features”).To be honest, I don’t think I have the right to complain about something I got for free. I also have customers that are paying for premium features that cost me nothing, features that are there just to make the customers upgrade to the Advanced Plan. I guess this is not a mistake and someone wants me to upgrade. Fair enough.
-
Let the experts make sure your website is safe. Vulnerability Assessment is the answer.
hackademix.net
-
Google Chrome Mail Template
Posted: September 4th, 2008, 2:23am CDT by Giorgio
Tags: Google [edit]
Since I spent a relevant portion of my past two days answering email messages similar to the following, I decided to post a catch-all answer here.
Hi Giorgio,
I just read Google’s introduction to its Chrome browser.
I was so impressed with its security features that I may even switch from Firefox to Chrome. (I didn’t think that was even possible when I first heard of Chrome.)
Would you consider adapting your NoScript add-on to it?
I tried out Chrome and loved it, but the absence of NoScript was immediately apparent!Seth
Hi Seth,
I’ve been playing with Chrome since it’s been available, and I cannot say I’m impressed with its security.
I do like its speed, but Fx 3.1 builds with TraceMonkey enabled are already faster.
I really love its taskmanager: opening a random MySpace page and watching CPU and RAM consumption skyrocketing blamed precisely on the Flash plugin (70MB Flash, 28MB the page itself versus 11MB for an empty tab) is kind of cool, even if it comes with the cost of redundant resource allocation (if it was Firefox, crowds would be screaming “memory hog”).
On the other hand, there’s nothing apparently novel in its security approach, and it doesn’t address any in-browser security problem, such as XSS or CSRF, at all.The worst part, though, is that Chrome is not nearly as extensible as Firefox: cynical people may suspect this is to prevent something like AdBlock Plus or NoScript itself to be ported, biting advertisement bottom lines.
This is such a bummer that Google had to issue a late announcement about an extension API, but if it’s gonna be like Opera’s widgets (as I strongly suspect) it won’t help.BTW, one of Chrome’s most hyped features, stability due to the claim you might crash one tab but not the whole browser, fully justifies the “beta” tag:
Cheers
–
Giorgio -
Yahoo.com Zombied and Hacked, Google.com Acquired By Calitec (WTF?)
Posted: April 5th, 2008, 5:08am CDT by Giorgio
Tags: Google [edit]
This morning I was toying with an idea for easing NoScript allowance of sub-objects and sub-scripts which, even being 1st party content, are offloaded to different domains for performance reasons.
One prominent example is YouTube, which recently started serving scripts from ytimg.com, requiring NoScript users who want to watch videos on youtube.com to whitelist both domains.
Now the idea, probably too much naive not to be a dead end, was to correlate domains by “ownership”, using real time and cached WHOIS queries: sub-content whose Registrant information matches top-level page site’s would be allowed to load if the latter is trusted.
Databases (in)accuracy aside, this approach is too much coarse-grained to fit: how many NoScript users would be happy to put www.google.com and googleanalitycs.com in the same basket?
Anyway, playing some minutes with com.whois-servers.net (the “meta-server” where WHOIS client programs lookup the server responsible for a certain .com domain) yielded some amusing results:
[ma1@groucho]$ cat >wtf && chmod 700 wtf
#!/bin/bash
while [ ! -z "$1" ]; do
echo
SUFFIX=${1//[a-zA-Z-_]*./}
exec 3/dev/tcp/$SUFFIX.whois-servers.net/43
echo -e >&3 "$1"
egrep -i "$1.w+." <&3
shift
done
[ma1@groucho]$ ./wtf YOUTUBE.COM YAHOO.COM GOOGLE.COM MICROSOFT.COM
YOUTUBE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YOUTUBE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YOUTUBE.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM
YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
YAHOO.COM.VIRGINCHASSIS.COM
YAHOO.COM.TWIXTEARS.COM
YAHOO.COM.OPTIONSCORNER.COM
YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.JOSEJO.COM
YAHOO.COM.JENNINGSASSOCIATES.NET
YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
YAHOO.COM.ELPOV.COM
YAHOO.COM.EATINGFORJOY.NET
YAHOO.COM.DALLARIVA.COM
YAHOO.COM.CHRISIMAMURAPHOTOWORKS.COM
YAHOO.COM.BGPETERSON.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.YAHOO.COM.MYSPACE.COM.YOUTUBE.COM.FACEBOOK.COM.THEYSUCK.DNSABOUT.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.SPROSIUYANDEKSA.RU
GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET
GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.BEYONDWHOIS.COM
GOOGLE.COM.ACQUIRED.BY.CALITEC.NET
MICROSOFT.COM.ZZZZZZ.MORE.DETAILS.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
MICROSOFT.COM.ZZZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.SUB7.NET
MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.WAREZ.AT.TOPLIST.GULLI.COM
MICROSOFT.COM.USERS.SHOULD.HOST.WITH.UNIX.AT.ITSHOSTED.COM
MICROSOFT.COM.TOTALLY.SUCKS.S3U.NET
MICROSOFT.COM.SOFTWARE.IS.NOT.USED.AT.REG.RU
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.RAWKZ.MUH.WERLD.MENTALFLOSS.CA
MICROSOFT.COM.OHMYGODITBURNS.COM
MICROSOFT.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
MICROSOFT.COM.LOVES.ME.KOSMAL.NET
MICROSOFT.COM.LIVES.AT.SHAUNEWING.COM
MICROSOFT.COM.IS.NOT.YEPPA.ORG
MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
MICROSOFT.COM.IS.IN.BED.WITH.CURTYV.COM
MICROSOFT.COM.IS.HOSTED.ON.PROFITHOSTING.NET
MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
MICROSOFT.COM.IS.A.MESS.TIMPORTER.CO.UK
MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM
MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.HUGHESMISSILES.COM
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.CAN.GO.FUCK.ITSELF.AT.SECZY.COM
MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.EXEGETE.NET
The amazing thing is that this data is not even meant for human consumption!
SEO BlackHat: Black Hat SEO Blog
-
The Real Story: Why ComScore’s Google Clicks are Flat
Posted: February 27th, 2008, 5:33am CST by QuadsZilla
Tags: Google [edit]
GOOG has fallen from a high of $747 a share to less than $450 intra day yesterday. The latest 10% or so drop comes as comScore reports that clicks on Google ads in the United States were flat in January when compared with a year earlier.
But why? WHY are Clicks flat from a year ago? Is it the oncoming recession? A sign that this “Internet thing” is just another bubble? Is comScore one of the Four Horsemen of the apocalypse?
To find out what really happened, let’s take a short stroll down memory lane: all the way back to the middle of October 2007.
To set the scene, picture ten men clad in dark blue business suits in a smoke filled executive boardroom deciding how to squeeze the last nickel out of customers for shareholder value. Then slap yourself in forehead: this is Google after all.
To reset the scene, imagine something like the 10-year reunion of your University’s Computer Science Fraternity set in an office best described as Geek Paradise. Towards the middle of the room, two people are engaging in a “policy meeting”. It looks something like this:
Googleoid says to GoogleDork, “You know, [snort-laugh], most Adsense clicks are an accident because of the clickable area of the Adsense Ads.”
GoogleDork Replies (in his best Yoda Voice) “Foolish you are in the way of the Click. Knows where he clicks, does user. Accidents, they are not.”
Googleoid whips out his Gangsta Rap impression “Shit Holmes, Don’t make me put the smackdown on your ass, [Snort-Laugh], dem clicks is played out. And you’d know dat if youz let me do some regulate’in”
“Clickable area size matters not. Look at me. Judge me by my size, do you? Hmm? Hmm?” taunts GoogleDork.
“Yo Homey, don’t be fronten. [pushes up glasses on nose] The shit ain’t broken, so maybe we shouldn’t be fuckin wit it – know what I’m sayin?” asks Googleoid.
“Fear is the path to the dark side. Fear leads to . . .”
Googleoid Interrupts “Pleeeeeeze Neeegro! I’ll bet you that 6 digit ICQ number you got that reducing the clickable area drops the CTR by more than 30% of the quotient of area reduced over net total area.”
GoogleDork Breaks from his Yoda Voice and says “Put up that complete 1984 1st edition Legoland Kings Castle set and you got yourself a bet.”
They drop their foam swords, shake hands on the bet and walk over to GooglePlebe’s desk (seen here):
They tell Googleplebe to reduce the clickable area on Adsense text ads and he makes it so. Before, a user could click anywhere on the ad and be brought to the destination. After the changes, users have to click on something that looks like a hyperlink.
The Aftermath“The CTR on text ads declined about 60% in the last 2 months with Googles changes, Image ads on the other hand stayed the same.” –January 4th, 2008 Marcus of Plentyoffish.com
4 months later, that little back and forth in the Google Rec Room shaved about $85 Billion (with a B) in market capitalization.
But it wasn’t as stupid an idea as it might seem. You see, Adsense works in a Quasi-market place environment. The market will bid up the cost per click once the adjustment for accidental clicks is readjusted. Right now, marketers should be getting a better value per click as a higher percentage of the clicks are “real” or intentional. That will lead to higher bids per click and ultimately should be close to a break even for GOOGs bottom line.
Is the Sky Really Falling?The problem is that in the interim, GOOG gives almost not Guidance to the stock market. Mutual Fund types are really too thick to grasp exactly what’s going on, so they think that this “slowing” in the growth has to do with the potential recession effecting GOOG.
Meanwhile, the real story is that Online Advertising Spending will continue to grow at about 30% per year for at least the next 3 years and GOOG is poised to take a disproportionate amount of that growth even if nothing else they do is even marginally successful.
Jeremy Zawodny's blog
-
Republicans Kiss Google's Ass...
Posted: February 16th, 2008, 9:17am CST
Tags: Google [edit]
I threw up a little bit in my mouth this morning while reading the press release titled 2008 Republican National Convention Names Official Innovation Provider.
Embracing technology that will propel the 2008 Republican National Convention to the forefront of the digital age, the GOP today announced that Google Inc. will serve as the Republican National Convention's Official Innovation Provider. Convention President and Chief Executive Officer Maria Cino made the announcement in a unique video posted to the convention's new YouTube channel (www.youtube.com/gopconvention2008). The video is also showcased on the convention's website (www.GOPConvention2008.com), and highlights Google's cutting-edge, computer-generated SketchUp graphics of the Xcel Energy Center, where the convention will be held.
I didn't know that the Republican campaign was so hard up for innovation that they needed to get it from Corporate America, but okay...
As Official Innovation Provider, Google Inc. will enhance the GOP's online presence with new applications, search tools, and interactive video. In addition, Google will help generate buzz and excitement in advance of the convention through its proven online marketing techniques.
On-line marketing (AdWords and AdSense, presumably) generating excitement. Yeah. Sure. I get excited by ads all the time, don't you? Especially Republican ads!
The convention's official website, www.GOPConvention2008.com, will eventually feature a full-range of Google products, including Google Apps, Google Maps, SketchUp, and customized search tools, which will make navigating the site easier. The convention's YouTube channel will enable visitors to upload, view, and share online videos. These innovative technologies will also help the GOP streamline convention organization and expand its online reach across websites, mobile devices, blogs, and email.
So they've figured out how to embed stuff in their web site to make it easier and, presumably, make up for their inability to get together a web team that could design a site that's easy to navigate? Yeah, I'd brag about that too.
I was tempted to re-write the release without all the buzzwords and over-the-top language, but I have to hit the road soon for a long drive. I guess it pretty much speaks for itself.
I'm not sure who's paying who here, but the republicans sure are kissing some Google Ass. It kinda makes you wonder what the revenue share on this deal is, doesn't it?
Either way, a dumb thing like this is an excellent way to lose credibility in my mind. I'm surprised they didn't also announce HTML as their official markup language and HTTP as the site's preferred protocol.
[Apparently I'm not the only one. See also, GOP Names Google Its Official Innovation Provider from the Wall Street Journal.]
(comments)
Rational Survivability
-
Google Security: Frightening Statistics On Drive-By Malware Downloads...
Posted: February 12th, 2008, 9:05pm CST by beaker
Tags: Google [edit]
Read a scary report from Google's security team today titled "All your iFrame Are Point to Us" regarding the evolving trends in search-delivered drive-by malware downloads. Check out the full post here, but the synopsis follows:
It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads,
i.e. web pages that attempt to exploit their visitors by installing and
running malware automatically. During that time we have investigated
billions of URLs and found more than three million unique URLs on over
180,000 web sites automatically installing malware. During the course
of our research, we have investigated not only the prevalence of
drive-by downloads but also how users are being exposed to malware and
how it is being distributed. Our research paper is currently under peer
review, but we are making a technical report [PDF] available now. Although our technical report contains a lot more detail, we present some high-level findings here:The above graph shows the percentage of daily queries that contain at least one search result labeled as harmful. In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing.
Ugh. The technical report offers some really good background data on infrastructure and methodology, geographic distribution, properties and delivery mechanisms. Fascinating reading.
/Hoff
Jeremy Zawodny's blog
-
Using Gmail to read those damned winmail.dat files!
Posted: January 15th, 2008, 7:21pm CST
Tags: Google [edit]
A few times a week I get email from some sorry Outlook/Exchange user which contains a dreaded winmail.dat file. Being a Thunderbird user, this presents a bit of a problem--one that has been well documented in Dealing with the winmail.dat file and unreadable attachments and How to Prevent the Winmail.dat File from Being Sent to Internet Users.
The are various "free" winmail.dat readers around, but this is 2008 not 1998. I shouldn't have to install the email equivalent of a "helper application" to read a fucking word doc that crappy email software couldn't encode in a sane format.
So anyway, I got one today and actually needed to read it. And I hadn't installed one of those stupid winmail.dat decoders since I had my laptop replaced. Faced with the prospect of actually installing software I wondered what'd happen if I forwarded a copy of the message to my Gmail account.
Well, wouldn't ya know it? The damned thing came through just fine. I was able to extract the attachment and open it faster than you can google "free winmail.dat decoder."
Kick Ass.
Just for kicks, I sent it to my dormant Yahoo! Mail account too... and it was also able to extract the Word document from the winmail.dat file.
Now why on earth hasn't this functionality been built into Thunderbird? Or Windows for that matter?
It's days like this that I might confuse my laptop for a stone tablet... just for a moment or two.
(comments)