Comments for 0x0Lab Blog http://blog.0x0lab.org Just another damn blog Thu, 18 Aug 2011 00:08:15 +0000 hourly 1 Comment on MacOSX Sandboxes by How to run process in terminal with reading only permission for given directory … - Programmers Goodies http://blog.0x0lab.org/2010/03/macosx-sandbox/comment-page-1/#comment-5361 How to run process in terminal with reading only permission for given directory … - Programmers Goodies Thu, 18 Aug 2011 00:08:15 +0000 https://blogs.0x0lab.org/?p=51#comment-5361 [...] http://blog.0x0lab.org/2010/03/macosx-sandbox/ [...] [WORDPRESS HASHCASH] The comment's server IP (64.90.55.54) doesn't match the comment's URL host IP (64.90.53.152) and so is spam. [...] http://blog.0x0lab.org/2010/03/macosx-sandbox/ [...]

[WORDPRESS HASHCASH] The comment’s server IP (64.90.55.54) doesn’t match the comment’s URL host IP (64.90.53.152) and so is spam.

]]> Comment on iPhone applications that transmit credentials using “unsafe” protocols by The Web has still not switched to SSL-only | DataProtectionCenter.com: Tech and Security - Data Recovery and Protection, Internet, Technology, Security, Reviews, Softwares http://blog.0x0lab.org/2010/04/unsafe-iphone-applications/comment-page-1/#comment-5312 The Web has still not switched to SSL-only | DataProtectionCenter.com: Tech and Security - Data Recovery and Protection, Internet, Technology, Security, Reviews, Softwares Fri, 12 Aug 2011 14:13:04 +0000 https://blog.0x0lab.org/?p=127#comment-5312 [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...] [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...]

]]> Comment on iPhone applications that transmit credentials using “unsafe” protocols by The Web has still not switched to SSL-only | Triple-N http://blog.0x0lab.org/2010/04/unsafe-iphone-applications/comment-page-1/#comment-5303 The Web has still not switched to SSL-only | Triple-N Thu, 11 Aug 2011 23:00:16 +0000 https://blog.0x0lab.org/?p=127#comment-5303 [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...] [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...]

]]> Comment on iPhone applications that transmit credentials using “unsafe” protocols by The Web has still not switched to SSL-only | 2thepress.nl http://blog.0x0lab.org/2010/04/unsafe-iphone-applications/comment-page-1/#comment-5302 The Web has still not switched to SSL-only | 2thepress.nl Thu, 11 Aug 2011 22:15:14 +0000 https://blog.0x0lab.org/?p=127#comment-5302 [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...] [...] The situation is even worse in the mobile space. Most of the applications used on smartphones and tablets need to contact a web server to function: to retrieve advertising (Admob/Adsense Mobile), to get data from a web service, etc. But there is no way for the user to know whether sensitive information is sent over HTTP or HTTPS. There is no UI element equivalent to the lock shown in browsers and no visibility into the URLs. Researchers have illustrated that mobile developers cannot be trusted to secure communications, as all too often, they send user credentials in plain text. [...]

]]> Comment on SSH honeypot by The Beta Show: Επεισόδιο 9ο http://blog.0x0lab.org/2010/12/ssh-honeypot/comment-page-1/#comment-3975 The Beta Show: Επεισόδιο 9ο Mon, 25 Apr 2011 22:51:48 +0000 https://blog.0x0lab.org/?p=421#comment-3975 [...] 0x0lab - Καταγραφή επιθέσεων για ένα μήνα [...] [...] 0x0lab – Καταγραφή επιθέσεων για ένα μήνα [...]

]]> Comment on How hard can it be to disclose an XSS by Kevin http://blog.0x0lab.org/2010/09/how-hard-can-it-be-to-disclose-an-xss/comment-page-1/#comment-2058 Kevin Wed, 12 Jan 2011 03:45:56 +0000 https://blogs.0x0lab.org/?p=98#comment-2058 I personally recommending going to straight to management with security issues. As you can see, first line support does not have the technical knowledge to handle this; and they did not prioritize it properly, either. I would suggest contacting support again, stressing that the issue is a security vulnerability and you need contact information for a manager. They may not give you such info, but instead may ask for more info so they can help you... but don't go that route. Instead, state again that you need to talk to someone with the authority and knowledge to handle the problem; also stress that it is a security vulnerability and that it is of some importance and/or urgency that you talk to someone about it. Basically, don't deal with first line tech anymore; get a real manager to talk to ... and keep going higher up till you get the person who can handle it. Note: when you get to a manger, you'll have to sum the details in easy to understand terms for them (since they won't understand the technical side), but also include the technical details on how the exploit works, how to fix it, etc... that give to and discuss with the people who do the website. Well, it might be worth a try, right? :) I personally recommending going to straight to management with security issues.

As you can see, first line support does not have the technical knowledge to handle this; and they did not prioritize it properly, either.

I would suggest contacting support again, stressing that the issue is a security vulnerability and you need contact information for a manager. They may not give you such info, but instead may ask for more info so they can help you… but don’t go that route. Instead, state again that you need to talk to someone with the authority and knowledge to handle the problem; also stress that it is a security vulnerability and that it is of some importance and/or urgency that you talk to someone about it. Basically, don’t deal with first line tech anymore; get a real manager to talk to … and keep going higher up till you get the person who can handle it.

Note: when you get to a manger, you’ll have to sum the details in easy to understand terms for them (since they won’t understand the technical side), but also include the technical details on how the exploit works, how to fix it, etc… that give to and discuss with the people who do the website.

Well, it might be worth a try, right? :)

]]> Comment on Afgan War Diary in Numbers by Offener Brief an Partei- und Fraktionsspitze zu Afghanistan - Grüne Linke http://blog.0x0lab.org/2010/08/afgan-war-diary-in-numbers/comment-page-1/#comment-1873 Offener Brief an Partei- und Fraktionsspitze zu Afghanistan - Grüne Linke Thu, 30 Dec 2010 12:51:56 +0000 https://blog.0x0lab.org/?p=302#comment-1873 [...] [3] http://blog.0x0lab.org/2010/08/afgan-war-diary-in-numbers/ [...] [...] [3] http://blog.0x0lab.org/2010/08/afgan-war-diary-in-numbers/ [...]

]]> Comment on How hard can it be to disclose an XSS by Hordakk http://blog.0x0lab.org/2010/09/how-hard-can-it-be-to-disclose-an-xss/comment-page-1/#comment-1854 Hordakk Wed, 29 Dec 2010 15:10:29 +0000 https://blogs.0x0lab.org/?p=98#comment-1854 I have also discovered by accident a (session/business logic) security flaw on linkedin. One day, as soon as I arrived at my office, I logged in to Linkedin. Everything seemed quite weird and unfamiliar. I didn't know any of the people in the Linkedin status updates. Then I saw at the top, that I had logged in as a different user from the Management department in the same company and building as me. I log out and log in again. The same. While logged in, I could see and edit my profile normally but all my inbox, news etc were not mine but the same user's.... I thought of reporting it and informing my manager but then I thought "I am the only guy here working on security.... guess whom they will turn their suspicions at..." so I just forgot it. Linkedin should definitely take security seriously. I have also discovered by accident a (session/business logic) security flaw on linkedin. One day, as soon as I arrived at my office, I logged in to Linkedin. Everything seemed quite weird and unfamiliar. I didn’t know any of the people in the Linkedin status updates. Then I saw at the top, that I had logged in as a different user from the Management department in the same company and building as me. I log out and log in again. The same. While logged in, I could see and edit my profile normally but all my inbox, news etc were not mine but the same user’s….

I thought of reporting it and informing my manager but then I thought “I am the only guy here working on security…. guess whom they will turn their suspicions at…” so I just forgot it.

Linkedin should definitely take security seriously.

]]> Comment on Afgan War Diary in Numbers by malisimo http://blog.0x0lab.org/2010/08/afgan-war-diary-in-numbers/comment-page-1/#comment-652 malisimo Fri, 08 Oct 2010 06:04:27 +0000 https://blog.0x0lab.org/?p=302#comment-652 1 out of every 4 Afghans killed is a civilian. good aiming USA! 1 out of every 4 Afghans killed is a civilian. good aiming USA!

]]> Comment on HackAri – HackBar for Safari by Week 39 in Review – 2010 | Infosec Events http://blog.0x0lab.org/2010/09/hackari-hackbar-for-safari/comment-page-1/#comment-607 Week 39 in Review – 2010 | Infosec Events Mon, 04 Oct 2010 04:17:39 +0000 https://blog.0x0lab.org/?p=339#comment-607 [...] HackAri – HackBar for Safari – 0×0lab.org It is not exactly the same as HackBar, and it has a lot of limitations compared to it (e.g. you cannot resize the request, post data panels). [...] [...] HackAri – HackBar for Safari – 0×0lab.org It is not exactly the same as HackBar, and it has a lot of limitations compared to it (e.g. you cannot resize the request, post data panels). [...]

]]>