Hacking and Phreaking in the UK. Old school ethics, New school tech.

Archive for the 'Privacy' Category

10 6th, 2006

Yesterday, Google Labs opened up the beta version of their CodeSearch search engine, giving way to an influx of pro-hack comments.

The long-awaited CodeSearch facility enables users to look up chunks of public source code, something that's sure to set fear mode : ON for the likes of Krugle, Codease and co.

Of course, pulling server-side source from web pages has been a dream of most hackers at one time or another, and Google's CodeSearch certainly lends its hand in doing so.

Consider the following search queries, which yield numerous results for unchecked GET variables, something that could prove useful when employing Cross Site Scripting (XSS) attack vectors.

file:process.php "include($"

result: http://tinyurl.com/rrmh2

"include($_GET"

result: http://tinyurl.com/rdpl9

Not to mention the insertion of the following regex, which outputs a mediocre 22,500 email addresses - making Google CodeSearch every spammer's wet dream.

(Chris McClelland of AJAXPress states over 11 million emails from the string "@" - funny, we only found 9.5 million, and half of those were not email related.)


^[a-zA-Z]([.]?([[:alnum:]_-]+)*)?@([[:alnum:]\-_]+\.)+[a-zA-Z]{2,4}$

result: http://tinyurl.com/ftz3u

Further, Google CodeSearch could prove to be somewhat of an engine for distributing "bad" code to unsuspecting programming/scripting newbies. "Google Code Search could also prove to be a tool for malware writers to distribute their code", adds Steve Bryant of Google Blogs, with a bit of realism to the whole security issue.


10 5th, 2006

Recently I've had a sudden influx of porn-related spam. Given that I don't usually get much spam, this was quite a surprise. Of particular interest, the influx started after applying online for a Barclaycard.

Each email is a couple of lines packed with sexual words, and includes a link which, when clicked, submits a GET variable to a script at the target URL, thus validating the email address.

Example:

sexy blonde sucking and fucking
Hardcored and cummed
http://redheadteen.info/prime/siper.html?fMjXUYf.gVXjbW,hVX
Busty blonde oiled up
Amateur sex hardcore couple

The URL and .html file are variable. Obviously a little regex could filter out these emails due to the number of obscene words, but for anyone a little less tech savvy, a simpler solution is available.

The encoded variable at the end doesn't stand out as being of any particular type (base64, rot13 etc). However, cracking the code is extremely simple: the spammer uses a basic character substitution algorithm. Below are two tables; the first is what we know to be true, the second is the most likely completion of the conversion. In each table the first row is the clear text and the second row is the cipher text (a "?" marks a position not yet verified).

Verified Conversion Table

a b c d e f g h i j k l m n o p q r s t u v w x y z . @
j ? h ? f e d ? b a Z ? X W V ? ? ? R Q P ? ? ? L ? , .

Most Obvious Completion

a b c d e f g h i j k l m n o p q r s t u v w x y z . @
j i h g f e d c b a Z Y X W V U T S R Q P O N M L K , .

What becomes apparent is that the encoded GET variable is the recipient's email address. As we know the variable content will be fixed (as opposed to random and matched in a database when processing), we can use this to create a filter.

Option one would be to create a filter on the whole string. This is fine if you only have one email address. If you have multiple email addresses using only one domain, you could specify the filter to run on everything after the @, or in the case of the cipher text, the ".".

If you have numerous email addresses across a number of domains, the obvious option would be to set to filter the encoded top level domains: ,WfQ(.net) ,hVX(.com) ,VSd(.org) etc
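The substitution table and the three filter options above, as an added example that is not part of the original post: a decoder/encoder built from the "most obvious completion" table, applied to the token from the sample link (the link host here is a constructed placeholder; the token is the one in the post), plus a filter rule that flags a link either by an exact hit on your own encoded address or by one of the encoded top-level domains.

```python
from urllib.parse import urlsplit

# Substitution table from the "most obvious completion" above:
# a..j map to j..a and k..z map to Z..K (a reversed alphabet in two halves),
# "." becomes "," and "@" becomes ".".
PLAIN = "abcdefghijklmnopqrstuvwxyz.@"
CIPHER = "jihgfedcbaZYXWVUTSRQPONMLK,."
ENC = dict(zip(PLAIN, CIPHER))
DEC = dict(zip(CIPHER, PLAIN))

# Encoded top-level domains listed as filter terms (.net, .com, .org).
ENCODED_TLDS = (",WfQ", ",hVX", ",VSd")


def encode(address: str) -> str:
    """Turn a lower-case email address into the spammer's token."""
    return "".join(ENC[c] for c in address.lower())


def decode(token: str) -> str:
    """Recover the address from a token; unknown symbols are kept verbatim."""
    return "".join(DEC.get(c, c) for c in token)


def token_from_link(link: str) -> str:
    """The token is the bare query string after '?' in the spam link."""
    return urlsplit(link).query


def is_tracker_link(link: str, my_addresses=()) -> bool:
    """Filter rule: flag a link whose query string is an encoded address.

    A match is either an exact hit on one of my own addresses (option one
    above) or a query ending in one of the known encoded TLDs (option three).
    """
    token = token_from_link(link)
    if not token:
        return False
    if any(token == encode(a) for a in my_addresses):
        return True
    return token.endswith(ENCODED_TLDS)


# Constructed samples: the token from the post on a placeholder host,
# and an innocent link for contrast.
SPAM_LINK = "http://example.net/prime/siper.html?fMjXUYf.gVXjbW,hVX"
CLEAN_LINK = "http://example.org/news.html?id=42"

if __name__ == "__main__":
    print(decode(token_from_link(SPAM_LINK)))  # example@domain.com
    print(is_tracker_link(SPAM_LINK), is_tracker_link(CLEAN_LINK))
```

Decoding the sample token gives example@domain.com, which is why the token reads as "fixed" content rather than a random database key.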

You can find details on how to set email filters on a number of mail clients at HideMyEmail - Spam FAQ as well as methods to help prevent spam


10 4th, 2006

The US government has taken a step back from control of the internet with a new contract between it and overseeing organisation ICANN that came into effect yesterday.

The three-year contract, with an apparently significant halfway review point, has been heralded by both ICANN and the Department of Commerce as a sign that the US government has listened to worldwide criticism of its continued oversight role and has responded by providing ICANN with a new degree of autonomy.

However, experts disagree, with one calling it “old wine in a new bottle”, and another barely concealing his frustration with an administration that promised eight years ago it would end its role but now has decided “we will have to wait another three years, at a minimum”.

Read More : The Register - US Government Steps Back From Internet Control


09 25th, 2006

On August 29, 2006 a patent request was made by Roger Detzler for an invention that instantaneously destroys the data contained on magnetic data storage media upon the occurrence of certain events.

Unauthorized access to data stored on magnetic media is prevented by destruction of the media with a reactant chemical. This approach may be initiated as a response to tampering or intentionally by using any one of several triggering interfaces rendering the data unrecoverable even to aggressive recovery procedures.

For the full document click here.


09 21st, 2006

The good people over at Hacktivismo have conjured up a new browser that allows users to surf the internet completely anonymously.

The open source program, named Torpark, utilises The Onion Router (TOR) network to constantly change where the user appears to be coming from. Along with an encryption method, Torpark provides end users with the means to scour the internet free of nosy ISPs.

“We live in a time where acquisition technologies are cherry picking and collating every aspect of our online lives - so it seems that it’s a browser attempting to redress that supposed imbalance.”
- said Oxblood Ruffin, founder of Hacktivismo

Torpark is available as a free download from torpark.nfshost.com, and can be run from removable media, such as USB sticks, potentially turning any computer into an anonymous terminal.


An event to honor the inventions, inventors, historical milestones and the future of Public-Key Cryptography.

WHERE
Computer History Museum
Hahn Auditorium
1401 North Shoreline Boulevard
Mountain View, CA 94043

PROGRAM
6:00 to 7:00 PM Networking reception
7:00 to 7:30 PM Welcome and PKC Overview
7:30 to 8:30 PM Panel presentation discussing the past, present, and future of PKC, moderated by Steven Levy.
8:30 to 9:00 PM Audience question and answer session

Panel Includes:

  • Moderator: Steven Levy, Author of Crypto and Senior Editor, Newsweek Magazine
  • Introduction: John Markoff, Author and Senior Writer, New York Times
  • Mr. Ray Ozzie, Chief Software Architect, Microsoft Corporation
  • Dr. Whitfield Diffie, Chief Security Officer, Sun Microsystems
  • Dr. Martin Hellman, Professor Emeritus of Electrical Engineering, Stanford University
  • Mr. Jim Bidzos, Former CEO, RSA and Founder, Verisign
  • Mr. Brian Snow, Former Technical Director for the Information Assurance Directorate, NSA, Retired
  • Dr. Dan Boneh, Professor of Computer Science, Stanford University

For more information check out: ComputerHistory.org.


09 20th, 2006

Terrorism and organised crime should not be used as excuses for passing laws which undermine people's privacy and data protection rights, according to the European Data Protection Supervisor (EDPS). Existing laws do not need to be changed, he said.

From The Register article, Peter Hustinx of EDPS: “It is a misconception that protection of privacy and personal data holds back the fight against terrorism and organised crime,” said Hustinx. “Current legislation does allow, for instance, law enforcement to check suspicious phone numbers found in a computer.”

Read More : The Register - Terrorism no excuse for privacy breaches, says EU regulator


09 15th, 2006

On the 13th of September the United States Government Accountability Office submitted a document to the House Committee stating that the Department of Homeland Security had not been fulfilling its 13 key responsibilities, including the National Infrastructure Protection Plan and its responsibility to develop an integrated public/private plan for Internet recovery.

The GAO has outlined around 25 key recommendations to the DHS over the last few years; these recommendations tend to incorporate the following 5 points…

  • Conduct threat and vulnerability assessments
  • Develop a strategic analysis and warning capability for identifying potential cyber attacks
  • Protect infrastructure control systems
  • Enhance public/private information sharing
  • Facilitate recovery planning, including recovery of the Internet in case of a major disruption.

Not only has the DHS not been fulfilling these 5 points, but a whole load of cyber security officials have also abandoned their jobs with the DHS.

Either the DHS is run by a bunch of incompetent fools or the government intentionally keeps the DHS in a state of limbo so as to ease the passage of further laws which breach our privacy and liberties. Take your pick.

You can find the full report here.


09 12th, 2006

A school in the South of Wales has recently begun the implementation of a new scheme in which it aims to fingerprint the 1,400 attending pupils in a bid to automate class registrations.

Parents of the children that attend the school, in Porth County, were notified little more than a week before the scheme was put into practice. The headmaster of the school defends the decision, claiming that

“it wasn’t necessary for us to seek parental consent in this. It’s a system that has been approved by the DfES and it’s supported by Capita SIMS…..There are 1,400 students in the school and we had two phone calls…the parents were perfectly happy.”

The system, known as VeriCool, is developed by a sector of General Dynamics, and aims to provide biometric scanning for each classroom. General Dynamics is best known for specialising in producing systems for the military and intelligence services.

The move has met with much controversy, with parents and privacy advocates airing their concerns. David Clouter of leavethemkidsalone argued that taking the register was an important way for teachers to establish contact with each individual pupil at the start of a class and that its role would not substitute manual registers, for instance, in the case of a fire.

Your Response : The Register - Letters

Note: Interestingly, I was recently speaking to a driving instructor. I have been wondering, for some time now, why plastic ID card driving licences have been introduced when drivers are still required to carry the paper counterpart. The instructor informed me that the common theory is that it is part of the initial phase of the government's biometric national ID card scheme. The idea being that we will put up less of a fight if we are already used to carrying an ID card of sorts - a way of slowly introducing us to the idea of a full national ID scheme / database. Coupled with the reported incident of schools implementing fingerprint scanning systems, we clearly ARE slipping further towards that Orwellian society that we resent so much.


09 8th, 2006

PC Pro is currently running an article on new Xerox technologies involving temporary prints via time limited print ink. From the article:

“Xerox has lifted the veil from some of its research and development work in the field of printing. The cutting-edge research highlighted at a press event involved current projects that are expected to see the commercial light of day within 18-months, including a twist on the theme of invisible ink….This offers the prospect of reusable paper in the sense that the content is automatically erased after a period of time, ready for fresh printing. Inspired by the fact that many print outs have a life-span of a few hours (think of the emails you may print out just to read, or the content you proof read on the train journey back home), the specially prepared paper will preserve its content for up to 16 hours.”

Read More : PC Pro - Xerox reveals transient documents