Black Hat 2007 sees Web 2.0 repeating Web 1.0 mistakes

LAS VEGAS--This year's Black Hat was pretty much summed up in a prescient keynote by Richard Clarke, the nation's former cybersecurity czar who is now a novelist and chairman of Good Harbor Consulting. Clarke said "we're building more and more of our economy on cyberspace 1.0, yet we have secured very little of cyberspace 1.0." The apparent speed gained with Ajax (Asynchronous JavaScript and XML), a technology that divides processing tasks between the Web server (Web site) and the Web client (browser), has opened Web 2.0 to some old-school attacks.

Nothing more clearly demonstrated this than a live hijack of a Gmail account. In a talk originally to have been presented alongside his colleague David Maynor, Errata Security CEO Robert Graham demonstrated for a standing-room-only crowd how he was able to use a pair of tools called Hamster and Ferret to sniff the wireless airwaves for the URLs of Web 2.0 sites. While talking about another matter entirely, Graham ran the tools in the background, sniffing the wireless packets in the conference room and looking for Web 2.0 session cookies used by those in the audience for his talk (if, as a speaker, you ever wanted to thwart those who would be checking e-mail during your presentation, this is the tool to use). Grabbing cookies is not new. What is new is that Graham was able to grab these Web 2.0 clear-text session cookies out of thin air and then plunk the captured URL into a new browser. No password is needed; the cookie itself is enough. Toward the end, Graham opened his Hamster tool and found several likely candidates. He chose one Gmail account that had been opened during his talk. The presentation screen lit up with some poor guy's active Gmail account briefly displayed. Everyone applauded before Graham quickly wiped the information from the screen.

Should you avoid Gmail? No. If you simply change the URL in your Gmail bookmark (or any other Google-related bookmark) from http:// to https://, the Errata Security hack no longer works. That's not true, however, for Facebook, Hotmail, and several other Web 2.0 accounts. Graham says that while traditional Web 1.0 sites long ago learned to terminate session cookies, the cookies used on Web 2.0 sites don't expire for several years, so you could sniff accounts out of the air at your local Starbucks and months later still have access to that person's account. That's what's really scary about this new kind of man-in-the-middle attack: the victim has no idea that this is happening, and even changing the account password will have no effect. An attacker holding the cookie can send messages, read existing messages, and even alter the look and feel of the Web mail service itself, but cannot lock the owner out of the account.
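As an added example (not the article's text or Errata Security's code), the audit below parses a Set-Cookie header and flags the two weaknesses Graham describes: a session cookie without the Secure flag, which the browser also sends over plain http:// where it can be sniffed, and a cookie with a multi-year lifetime. The header strings, the reference date and the eight-hour lifetime policy are constructed assumptions.

```javascript
// Audit a Set-Cookie header for the two weaknesses described in the article.
// Added example; the policy values and sample headers are constructed.

// Parse "name=value; Attr=val; Flag" into { name, value, attrs }.
// Attribute names are lower-cased; bare flags such as "Secure" map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Assumed policy: a session cookie should not outlive a working day.
const MAX_SESSION_SECONDS = 8 * 60 * 60;

// Return a list of findings (empty when the cookie passes both checks).
// `now` defaults to a constructed date so Expires-based lifetimes are stable.
function auditSessionCookie(header, now = new Date('2007-08-02T00:00:00Z')) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.secure !== true) {
    findings.push(`${name}: no Secure flag, so it is also sent over http:// and can be sniffed`);
  }
  let lifetimeSeconds = null;                       // Max-Age takes precedence over Expires
  if ('max-age' in attrs) lifetimeSeconds = Number(attrs['max-age']);
  else if ('expires' in attrs) lifetimeSeconds = (Date.parse(attrs.expires) - now.getTime()) / 1000;
  if (lifetimeSeconds !== null && lifetimeSeconds > MAX_SESSION_SECONDS) {
    const days = Math.round(lifetimeSeconds / 86400);
    findings.push(`${name}: lifetime of ${days} days; a captured cookie stays valid that long`);
  }
  return findings;
}

// Constructed samples: a long-lived clear-text cookie and a hardened one.
const WEAK_HEADER = 'SID=abc123; Expires=Sat, 01 Aug 2009 00:00:00 GMT; Path=/';
const HARDENED_HEADER = 'SID=abc123; Max-Age=1800; Path=/; Secure; HttpOnly';

console.log(auditSessionCookie(WEAK_HEADER));       // two findings
console.log(auditSessionCookie(HARDENED_HEADER));   // []
```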

In a separate talk, Billy Hoffman and Brian Sullivan, both of SPI Dynamics, talked about the rush to Web 2.0 and how even some established sites are "Ajaxify-ing" themselves at the expense of good security practices. To prove their point, the pair built an Ajax-enabled travel Web site, HackerTravel.com, following the current best practices for Ajax. In their talk, however, Sullivan and Hoffman showed how they could take advantage of known weaknesses within Ajax. For example, they could rearrange the JavaScript on the client to either book every seat on the plane (staging a denial-of-service attack) or purchase a round-trip ticket for $1.

Last year, Hoffman talked about the many problems within Web 2.0 Ajax technology, and this year he more or less put the subject to bed by addressing developers and insisting that they not put business logic on the client side of the transaction but keep all of it on the Web server. You can hear more about this topic from Hoffman and Sullivan on a recent Security Bites podcast.
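To make Hoffman's point concrete, here is an added example (not HackerTravel.com's code) of one booking request handled two ways: a server that trusts the total and seat count computed by the client's JavaScript, and one that recomputes the price and enforces limits itself. The fare table, per-order seat limit and inventory are constructed stand-ins for the site's database.

```javascript
// Before/after handling of an Ajax booking request { fareCode, seats, total }.
// Added example; fares, limits and inventory are constructed.
const FARES = { 'LAS-SFO': 189.0, 'LAS-JFK': 349.0 };   // round-trip price per seat
const MAX_SEATS_PER_ORDER = 9;                          // assumed business rule

// Before: business logic lives in the client. The server accepts the total
// the browser computed and whatever seat count it was given, so a rewritten
// request books a $1 round trip or every seat on the plane.
function bookTrustingClient(req) {
  if (!(req.fareCode in FARES)) return { ok: false, reason: 'unknown fare' };
  return { ok: true, seats: req.seats, charged: req.total };
}

// After: the server is authoritative. It prices from its own fare table,
// validates the seat count against a per-order limit and live inventory,
// and ignores any client-supplied total. `inventory` is decremented on success.
function bookServerAuthoritative(req, inventory) {
  const fare = FARES[req.fareCode];
  if (fare === undefined) return { ok: false, reason: 'unknown fare' };
  const seats = req.seats;
  if (!Number.isInteger(seats) || seats < 1 || seats > MAX_SEATS_PER_ORDER) {
    return { ok: false, reason: 'seat count out of range' };
  }
  if ((inventory[req.fareCode] || 0) < seats) return { ok: false, reason: 'not enough seats' };
  inventory[req.fareCode] -= seats;
  const charged = Math.round(fare * seats * 100) / 100;   // server-side price, in dollars
  return { ok: true, seats, charged };
}

// Constructed requests modelled on the two manipulations described in the talk.
const DOLLAR_TICKET = { fareCode: 'LAS-SFO', seats: 1, total: 1 };
const WHOLE_PLANE = { fareCode: 'LAS-JFK', seats: 150, total: 0 };

const inventory = { 'LAS-SFO': 120, 'LAS-JFK': 150 };
console.log(bookTrustingClient(DOLLAR_TICKET));               // charged: 1
console.log(bookServerAuthoritative(DOLLAR_TICKET, inventory)); // charged: 189
console.log(bookServerAuthoritative(WHOLE_PLANE, inventory));   // rejected
```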

Later in the conference Billy Hoffman returned with John Terrill, executive vice president and co-founder of Enterprise Management Technology, to talk about a prototype Web 2.0 worm they've built, written in JavaScript and Perl. Hoffman explained that if there's a cross-site scripting vulnerability on a Web site, the worm can inject itself into that Web site in JavaScript form. The JavaScript carries a Perl form of the worm, so when a user visits that Web site the JavaScript version gets downloaded to their Web browser while the Perl form can inject itself into the Web server; the worm can thus move from client to server with ease.

While we've seen computer worms before, they claim their new creation can pull vulnerability data off security sites such as Secunia and then exploit those new vulnerabilities, rendering current desktop security protection ineffective. Currently such a worm does not exist in the wild, but Terrill and Hoffman insist it's possible for others to do what they've done. You can hear Hoffman talk more about his creation in this recent Security Bites podcast.

There is hope. In addition to better coding practices on the Web server, another way to prevent runaway Web 2.0 vulnerabilities is to lock down the JavaScript in the client's browser. At Black Hat, Mozilla released new tools allowing anyone to test their Firefox (or any browser) against JavaScript errors. What's significant is that you can also use these tools against Apple Safari, Microsoft Internet Explorer, and Opera.

In an interview before her presentation, Window Snyder told me there are about 10,000 Firefox users worldwide who regularly download what are called nightly builds. Whenever the Mozilla security team puts out new fixes within the nightly builds, it's these 10,000 users who test the fixes on a wide variety of machines and under a wide variety of circumstances. Thus, Mozilla is able to roll out its security patches faster and with fewer headaches than its competitors. By tapping into their millions of users worldwide, Mozilla hopes more of these avid users will identify future Firefox flaws before they can be exploited.