Funny from my perspective, because the author seemed to be real serious about the subject. In a few words the author suggest webmasters to use the html encrypter (it is actually an encoder) as an “effective deterrent”.

Like people would really sacrifice the possibly index-able content and accessibility for a false sense of security… come on, it must be a joke.

Even if this may have been worse for users who store their images there (myself included), there is more to it than meets the eye.

Like the attack on Astalavista, this one was also performed by the anti-sec group (groups, there could be more) and only makes me think there will be more attacks.

The message which was present on ImageShack’s website after the attack.

As you may have read their manifesto, hacking ImageShack does not conform to their goal…

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits…

Furthermore, they don’t see the irony of their actions. The more they are going to hack security unrelated websites (like ImageShack) the more are they going to spread FUD. And it’s needles to say that more FUD equals more work for the whitehats that they so much despise.


And they are good at spreading FUD! After the Astalavista hack OpenSSH exploit FUD spread online like plague.

The only way I would go about vulnerability disclosure would be trough responsible one… Mentioning that I would be responsible only if the given vulnerability could affect me; otherwise I wouldn’t really care… that’s just me.

Even with all that said, there is one common ground where I can relay with them, concerning PoC code that script kiddies copy-pasta for mass sploitation… PoC should be only left for innovative/new techniques and not for every *dangerous* exploit out there.

Like any online movement it has it’s pros and cons; some didn’t/don’t understand the: VX, Zeitgeist, Anonymous (it is a movement, sort of) or any other movement; so why understand the Anti-sec one, right?

And so you don’t think I am speaking in a hypocritical manner, I admit I strip as well a part from your privacy, with the simple Google tracker I have inside my web pages… but for those that do care about their anonymity this is not an issue.

Tor

As any other person would say, as a first step in regaining your anonymity would be installing the Tor bundle… And don’t get me that “just hackers use proxies”, because it’s not true… who would use a proxy for a %25 bonus prison time if caught? (they would use their own tunnels and proxies, not Tor networks)

There are many reasons why you would use a proxy, apart from the list which you can read on Tor projects website “Who uses Tor?“, what better way to hide your ass when trolling people?

Use Tor, if possible even help out by setting up a node, and be happy of it’s extra anonymity (which I cannot have).

Scroogle

Well, in case you are a Google user I hope you know that every search you ever do is logged… If you have a Google account you may check your whole search history here. Now you may see where Scroogle would come in pretty handy. It also comes with SSL support, so it also adds a part of privacy to it: ssl.scroogle.org.

In simple terms Scroogle does the search on Google for you, drops the cookie that Google tries to attach to your browser and prints you the output of the search.

BugMeNot

Often enough websites ask you for a user account in your attempt to access their content, even if it’s going to be your first (and last) visit on their page. Well through BugMeNot you can bypass that compulsory registration process. Why not just register?

Mailinator

In case BugMeNot didn’t have the answer for the problem (as in bypassing compulsory registration), you can quickly set up your account without having to fear spam later on. Mailinator offers you a easy one step temporary email address for any occasion, at any time you may need it.

GPG

GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication (…)

Using PGP encryption has many benefits, given the amount of tools built upon it.
For the browser (Firefox) you got FireGPG which let’s you sign, verify, encrypt and decrypt anything that you can select in your browser, this even includes email, posts and so fort. It also comes with implementation for Gmail.

Firefox addons

There are two addons which I know help in providing anonymity.

One would be NoScript, which I use to block trackers (like Google Analytics), but this is just a bonus for the main reason I use it, and I mean security.

The second one is RequestPolicy, which if even would look very similar to NoScript there is a finely grained difference them. I personally use both of them, and do recommend the same if you got the patience to whitelist websites you visit.

IM Encryption

The modern use of the internet is highly oriented on instant messaging, so this area of privacy should be taken care of with more interest than any other before told privacy measure.

For example the IM client Pidgin has a few privacy and security plugins from which you may choose.

As for IM clients like MSN and Yahoo! you may download (and use) BitDefender Chat Encryption for free.

More suggestions?

If there is something that you think I missed out (as in privacy and anonymity for internet users) feel free to contribute, even with alternatives for the before mentioned ones.

Before I would go further with that I should state that I appreciate very much both Firefox addons. Couldn’t imagine browsing without the two of them. And this is the reason why I’ve put up that question, because once accustomed to both of these addons you just can’t go back to old fashion browsing.

It’s one thing that some didn’t knew how to use NoScript or didn’t fully understand it’s potential, and gone to use YesScript instead, which just made me crack.

And while both sides were right, I think it all started due to a misinformation or lack of it thereof. In NoScript’s FAQ it was stated that version 1.9.2.4 white listed Giorgio Maones domains in AdBlockPlus.

Some people probably started to fork NoScript, but that for another time, when we will have something that could reach the same level of protection which NoScript brought.

Update: NoScript’s author reply on the matter.

Hackers have no color.
Hackers have no creed.
Hackers have no ethics.
Hackers have free will.
Hackers make things work.

Hackers can handle any situation, with almost any tool (MacGuyver type of person), in almost every field…

Hackers do it for FUN and profit. Not vice-versa…

The anwser isn’t that simple. Based on the amount of data that could have been leached from the websites (mentioned above) F-Secure looks the trust worthiest. Why F-Secure? Because given their defense-in-depth methodology no sensitive data could have been retrieved, just ordinary data that you may see on other several public pages.

As from any other attack scenario, there is something to be learned. In this case F-Secure and their methodology gave us the lesson. You should never, and I repet never, grant access to important data to a user which interacts with a visitor (in this case, a mysql database user). You will lower the threat by creating different users for different tasks.

Also, I won’t go in complaining about the SQL injections, even if I should, because it’s nothing uncommon. When you have a team of developers which constantly add/remove components and which haven’t got a secure coding methodology (some might sanitize the data on request, others before the usage) SQL injection vulnerabilities (XSS vulnerabilities) will iminently pop up. I said I won’t complain about the vulnerability, but given the fact that they are in the security industry (and not some unknown players) you would expect more…

Another “debate” I’ve seen was based on Acunetix article which mentioned that Unu found the vulnerability in Kaspersky’s website via their scanner. Even if true, we all know that Acunetix Scanner isn’t always enough to catch all the vulnerabilities (as Unu declared also), and no such scanner can. People generally use Acunetix Scanner for a quick and dirty PRELIMINARY scan.

Enough said.

Filters

In the filters extensions we have 3 types of filters: validate, sanitize and other filters. Let’s take em each separately and see what the extension has to offer us.

Validate Filters
• Data Type Validation
  • FILTER_VALIDATE_BOOLEAN

    Validates if the specified variable/value is a boolean value.

  • FILTER_VALIDATE_FLOAT

    Validate if the specified variable/value is of type float.

  • FILTER_VALIDATE_INT

    Besides the fact that it validates integers it allows you to specify a range in which the specified variable or value should be. It also allows you to validate octal and hexadecimal numbers.

• String Validation
  • FILTER_VALIDATE_EMAIL

    Validates if the variable/value is a well formed email address.

  • FILTER_VALIDATE_IP

    Can be used for validating IPv4/IPv6 addresses, having flags to disallow reserved/private IP ranges.

  • FILTER_VALIDATE_REGEXP

    Validates variable/value with regular expressions.

  • FILTER_VALIDATE_URL

    Validate URL’s. I wouldn’t recommend it though, since it validates 'http://...'. Better of with regular expressions here.

Sanitize Filters
• FILTER_SANITIZE_EMAIL

  I highly recommend to not use this filter, because it won’t sanitize the email address. The characters !#$%&'*+-/=?^_`{|}~@.[] will remain intact.

• FILTER_SANITIZE_ENCODED

  URL-encode string, optionally strip or encode special characters.

• FILTER_SANITIZE_MAGIC_QUOTES

  Applies addshashes() to the specified variable/value. Seriously, shouldn’t this be extinct already. I though we should have left them behind once we moved away from PHP 4.x. Try to not use this one, because in some SQL systems backslashes are not escape characters.

• FILTER_SANITIZE_NUMBER_FLOAT

  Remove all characters except digits, +- and optionally .,eE.

• FILTER_SANITIZE_NUMBER_INT

  Remove all characters except digits, plus and minus sign.

• FILTER_SANITIZE_SPECIAL_CHARS

  HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

• FILTER_SANITIZE_STRING

  Strip tags, optionally strip or encode special characters.

• FILTER_SANITIZE_STRIPPED

  Alias for the above filter.

• FILTER_SANITIZE_URL

  Remove all characters except letters, digits and $-_.+!*'(),{}|^~[]`<>#%";/?:@&=.

• FILTER_UNSAFE_RAW

  Do nothing, optionally strip or encode special characters.

Other Filters
• FILTER_CALLBACK

  Call user-defined function to filter data.

As you must have noticed the sanitizing filters are pretty bad, some even repetitive. Although haven’t marked red all of them, I surely won’t use them. For sanitizing (against XSS) I’ll use good old strip_tags() combined with htmlspecialchars() because this way I can define quote style encoding, and charset in which to encode. As for safe SQL queries, I use db specific functions.

Functions

Ok, so we had some complains about the filters. But let’s look beyond that for a moment and see what the filtering functions have to offer us.

• filter_has_var

Through this function we can check if a POST, GET, ENV, SERVER, COOKIE value has been set.

if(filter_has_var(INPUT_POST, 'submit')) {
  echo 'yes the submit value has been set';
}

Although this might seem similar to a isset() usage, be not fooled by it. It (probably) takes a snapshot of all the superglobals (POST, GET, ENV, SERVER, COOKIE) so…

/*
 submit isn't set
*/
$_POST['submit']=1;
if(filter_has_var(INPUT_POST, 'submit')) {
  echo 'this will not be echoed';
}

Is this a good thing? Well, it depends. Haven’t seen till now somebody who controlled the flow of the application (in a script) through setting/unsetting a value in the superglobals, but I have seen hand coded register_globals implementation (for backwards compatibility) in PHPList which permitted that the SERVER['file'] (named something like that) to be overwritten and making it vulnerable to remote file inclusion. So in that particular scenario it would have helped.

• filter_id and filter_list

One returns the numeric value of a filter, while the other returns a list of filters… moving on.

• filter_input and filter_input_array

The (ONE) function for the “Data Filtering Extension”. I’ll post an example from the documentation.

$search_html = filter_input(
    INPUT_GET,
    'search',
    FILTER_SANITIZE_SPECIAL_CHARS
);
$search_url = filter_input(
    INPUT_GET,
    'search',
    FILTER_SANITIZE_ENCODED
);

echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";

• filter_var and filter_var_array

It works in the same way as filter_input, just that now you can use the filters on variables/string… these examples are also from the documentation.

// will validate
var_dump(filter_var(
    'bob@example.com',
    FILTER_VALIDATE_EMAIL
));

// will fail (return false), because it
// misses the scheme (http://)
var_dump(filter_var(
    'example.com',
    FILTER_VALIDATE_URL,
    FILTER_FLAG_SCHEME_REQUIRED
));

Should I use it?

Well, can’t say for sure. The validation filters seem pretty good unless you count the URL one… actually that could be a good filter also if you shouldn’t add 3 flags to behave like you normally would expect…

The other reason why I can’t pronounce a final answer (maybe someone who reads this will) because I haven’t checked the source code of the extension…

You have more information about it (not quite that big of a difference) from the online documentation page found here. Waiting your opinion on this one…

Update: Chuck Norrises was here and updated the text, removing my opinion of vulnerable code. eof!

The second major thing that spread this concept was, after my opinion, the FireCAT (Firefox Catalog of Auditing Toolbox), which by now has reached it’s 1.5 version. It has many addons listed, but I think that for pen-testing the starred ones are enough. Although for experimenting you may use the others too.

If you would like to try them out, I would recommend you to create a different Firefox profile… At the high number of plugins, the browser could freeze up. You could have, for example, different profiles for different sets of addons, tasks: blogging, hacking, sharing (p2p/torrents), etc.

For creating Firefox profiles you only have to add two parameters to the command line. The command is:

firefox.exe -no-remote -ProfileManager

Or modify it in the shortcut properties, after the quotes that surround the path to the firefox.exe file. If all is fine, than at every start the Profile Manager should pop up, thus letting you choose/create/delete/rename profiles.

I think that now that you have seen some insights on this matter you would agree that Firefox may as well be the best “platform” for web application pen-testing.

Contrary to some industry observers, antivirus software is not dead. It is, however, undergoing a game-changing transformation.

Here should be noted that by game-changing the author (Carey Nachenberg) is really saying that the antivirus software will be “antivirus” software only by name.

What do I mean by that? To tell you honestly I think that the VX (Virus eXchange) scene is dying slowly and only a couple, or should I say handful, of viruses/worms emerge annually. Without the virus creators, there should be no future for AV, right? Wrong!

AV software for many years detects Malware (Spyware, Trojan, RAT, Rootkits?) and if it were not for the strong impact of the word Virus I would be really sure they would be called Anti-Malware.

By some measurements, the volume of malicious software is now outpacing the production of legitimate programs. Symantec recently measured the adoption rate of new software
applications and found that out of almost 55,000 unique applications deployed during a weeklong measurement period on Microsoft Windows PCs, 65 percent were malicious.

This proves the fact that nowadays Malware do the harm, not viruses. I know some of you knew that, but it had to be said for those who didn’t.

(…) attackers can easily circumvent most generic signatures by tweaking existing malware files, scanning them with an antivirus scanner, and repeating the process until the scanner no longer detects the infection. Such modifications can be
done by hand or, unfortunately, all too easily via automation.

That doesn’t sound so new, it reminds me of the first tutorial I read about making viruses undetectable. And it’s not a new either, it’s a tutorial that dates as back as 1991, called How To Modify A Virus So SCAN Won’t Catch It.

Clearly, in such an environment, traditional signature-based detection – or blacklisting – alone is not enough.

You don’t say… What about heuristics, it’s been around for more than a decade, and great things can be done with it. I have in mind an AV program that implemented it quite well, but I don’t want to make from this article a promotive one.

As the volume of malicious code continues to skyrocket, security techniques must increasingly focus less on analyzing malware and more on analyzing “goodware.”

Whitelisting was, and is, always a better choice, in my opinion, than blacklisting.

Similarly, it!s difficult for security companies to locate less
popular, yet entirely legitimate, software applications and add them to a whitelist. Imagine a small software vendor that caters to just a handful of customers. What are the odds that this vendor!s software will be discovered and added to a whitelist in a timely fashion?

About the same as winning the lottery.

Perhaps the greatest benefit of a hybrid approach is that it would finally return the burden of antivirus protection from the shoulders of weary customers back to security vendors

Perhaps…