Disclaimer: Everything that I say in this blog post about ShapeSecurity and their ShapeShifter product is based on their YouTube video, their description of their product on their pages, and an article on PandoDaily. As such, the product may be much more sophisticated than I think it is (if so, they should have really given better examples), in which case what you read below may not be 100% correct.
The emperor’s new clothes
On one of my daily Twitter rounds, I noticed someone talking about this great product that will revolutionize web security. What does this product do, you ask? It uses “polymorphism” to constantly change a page’s HTML code so that bots won’t be able to appropriately interact with the page. This means, according to the company, that all the bad things that bots do (automatic signups, spam, credential testing, etc.) will cease. At the same time, the page remains identical for human users, who will have no problems interacting with it. Here’s the presentation of their product:
I discovered Ghostery in the summer of 2012, when I was researching web-tracking and specifically web-tracking done through web fingerprinting. Ghostery is a really cool browser extension which helped me identify the domains that popular web fingerprinters used to deliver their code and thus allowed me to isolate and study the fingerprinting code. You can read all about that in our paper titled: “Cookieless Monster: Exploring the Ecosystem of Web-based Device fingerprinting“.
- The remotely included code can be buggy, so by including it you are importing its vulnerabilities into your own site
- The remote host can be malicious and use its scripts to attack your users and exfiltrate data from your site
- The remote host can be targeted by an attacker as a way of reaching a harder-to-reach target (e.g. your page)
- Even though most sites of the Alexa top 10,000 include code from up to 15 remote hosts, there are sites that include code from up to 295 remote hosts. Given that compromising just one of these hosts is enough to fully compromise the script-including site, trusting almost 300 of them is, at the very least, worrisome
- As far as remote inclusions are concerned, Google is king, owning 5 out of the top 10 most included scripts found in our study
- Script inclusions from private-network IP addresses: Same as above, but now the site tries to include code from hosts such as “192.168.1.1”. This means that the attacker only needs to be on the same local network as the victim to serve the script (Cross-network Scripting).
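As an added example (my own illustration, not code from the paper or its crawler), here is a small audit of the points above: it parses a page's `<script src>` attributes, counts the distinct remote hosts the page trusts with script execution, and flags any host that is a literal private, loopback or link-local IP address, the “192.168.1.1” case. The HTML below is constructed for the example and the hostnames in it (`www.example.com`, `cdn.example-ads.net`) are placeholders.

```python
"""Audit the remote <script src> inclusions of an HTML document.

Added example for this post (not the paper's crawler). Given a page URL and
its HTML, it returns the set of third-party hosts whose scripts the page
includes and the subset that are private-network IP literals.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (inline scripts are skipped)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def is_private_host(host):
    """True if host is an IP literal in a private, loopback or link-local range.

    Hostnames return False: resolving them is out of scope for an offline check.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit_script_inclusions(page_url, html):
    """Return {"remote_hosts": [...], "private_hosts": [...]} for the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    remote_hosts, private_hosts = set(), set()
    for src in collector.srcs:
        # urljoin resolves relative ("/js/app.js") and protocol-relative
        # ("//cdn...") sources against the page URL.
        parts = urlsplit(urljoin(page_url, src))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, etc. are not remote inclusions
        host = parts.hostname
        if host == page_host:
            continue  # first-party script, not a remote inclusion
        remote_hosts.add(host)
        if is_private_host(host):
            private_hosts.add(host)
    return {"remote_hosts": sorted(remote_hosts), "private_hosts": sorted(private_hosts)}


# Constructed sample page for the example; hosts are placeholders.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//cdn.example-ads.net/tag.js"></script>
<script src="http://192.168.1.1/stats.js"></script>
<script type="text/javascript">var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    report = audit_script_inclusions(PAGE_URL, SAMPLE_HTML)
    print("remote hosts trusted with script execution:", report["remote_hosts"])
    print("private-network inclusions (cross-network scripting risk):", report["private_hosts"])
```

Run it over a real crawl and the first list is the “up to 295 remote hosts” figure for that page; any entry in the second list means a machine on the visitor's LAN can answer for that address and serve whatever script it likes.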
Check out our full paper for all the juicy details
Till next time
On my usual daily visit to Slashdot, I read that McAfee introduced a new application called “McAfee Social Protection” for Facebook. In a nutshell, you install their plugin, allow their application to control quite a bit of your Facebook and then you can start uploading pictures “safely”. Here’s a video of it in action.
They say a picture is worth a thousand words. How about, two pictures?
So, the important points of the above text are:
“It’s our goal to make these ads as relevant and useful as possible for you. Google doesn’t create categories, or show ads, based on sensitive topics such as race, religion, sexual orientation, or health. ”
Sounds reasonable. Let’s see the ad that actually got me here.
An AdSense ad about dating, based on religion, while watching a video-clip from a popular Christian band
One can claim that the ad is targeting single people, but it is actually targeting the intersection of Christian and Single, thus effectively targeting both.
Google, don’t be evil.
I’ve recently been reading Michal Zalewski’s “The Tangled Web”, a book which tries to map the whole security landscape around browsers and Web applications in about 300 pages… it does a pretty good job
Did you know that if you use a popular cheap web hosting product and you haven’t changed the default error pages of your sites, you are most likely hosting an open redirect? If not, read on
Suppose for a second that you are a loyal customer of babyhow.com, an e-shop selling stuff for your baby. One beautiful day you receive an email letting you know that babyhow.com has moved its business and providing you with a link to read more:
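The link in that email works because the redirect on babyhow.com forwards to whatever destination it is handed. The post does not show how the hosting product's error pages do this, so the following is an added example of the generic defence rather than anything from the post: a redirect parameter is accepted only if it stays on the site (or on an explicitly allow-listed host), and the usual bypasses are refused. `babyhow.com`, `shop.babyhow.com` and `evil.com` are hypothetical names used for the checks.

```python
"""Validate an untrusted redirect target before issuing a Location header.

Added example for this post (not the hosting product's code). The checks
mirror how browsers will interpret the value, which is what matters: a
target that Python parses as a harmless path but a browser resolves to
another host is still an open redirect.
"""
from urllib.parse import urljoin, urlsplit


def safe_redirect_target(site_origin, target, allowed_hosts=()):
    """Return an absolute URL on the site or an allow-listed host, else None.

    site_origin: the site's own origin, e.g. "https://babyhow.com" (hypothetical).
    target: the untrusted value, e.g. from a ?url= or ?next= parameter.
    """
    if not target:
        return None
    # Browsers strip tabs/newlines and surrounding whitespace before parsing
    # and treat backslashes as forward slashes; do the same so "/\\evil.com"
    # and "/\t/evil.com" are judged as the browser will see them.
    target = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    target = target.replace("\\", "/")

    # Protocol-relative targets ("//evil.com", "///evil.com") inherit the
    # current scheme and leave the site. urlsplit parses "///evil.com" as a
    # plain path, so refuse these before parsing rather than after.
    if target.startswith("//"):
        return None

    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return None  # javascript:, data:, mailto: ...
        if not parts.netloc:
            return None  # "https:evil.com" has no authority; browsers resolve it off-site
        trusted = {urlsplit(site_origin).hostname.lower(),
                   *(h.lower() for h in allowed_hosts)}
        # .hostname discards userinfo, so "https://babyhow.com@evil.com" yields evil.com
        host = (parts.hostname or "").lower()
        if host not in trusted:
            return None
        return target

    # No scheme and not protocol-relative: a path on the site itself.
    return urljoin(site_origin, target)


# Constructed probes a tester would send to a redirect endpoint.
PROBES = [
    "/account/orders",
    "https://babyhow.com/news",
    "//evil.com/",
    "///evil.com",
    "/\\evil.com",
    "https:evil.com",
    "https://babyhow.com@evil.com/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for probe in PROBES:
        verdict = safe_redirect_target("https://babyhow.com", probe)
        print(f"{probe!r:35} -> {verdict or 'REFUSED'}")
```

The same list of probes doubles as a quick test for an existing redirect endpoint: if any of the refused forms produces a `Location:` header pointing at the attacker's host, the endpoint is an open redirect usable exactly as in the email above.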
Two years ago I decided to get a personal site. I was after two things: flexibility and low cost. I didn’t want to get a VPS but I also didn’t want the hosting packages of one domain and 350MB of space. So I found IPage.com, a shared hosting provider that was giving me unlimited hosted sites, unlimited databases, unlimited bandwidth and unlimited disk space for about 35 euros for a year… that in my book was a great deal! So I went ahead and bought it. In that year I was generally happy with them. My pages were occasionally a bit slow but still fast enough for my sites’ needs. The problem was that the 35 euro price was an introductory price and the next year IPage asked me for triple that amount… Since I didn’t feel like that was a good thing (now that you are a customer we’ll suck you dry) I decided to look elsewhere. A colleague at work recommended Bluehost.com. Bluehost offered me the same things as IPage plus SSH access for about 50 euros per year. I went for that and I was quite happy… until this week…
Joke I just made up:
What do you call a woman who first says to you “I love you” but ten minutes later she adds “I actually don’t, but don’t feel bad because I say that to all men”?