Archive

Posts Tagged ‘internet’

ASP.NET Session Cookie Crypto Attack Exploiting

September 20th, 2010 No comments

If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption algorithm which protects the integrity of the Session Cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – Which bank? The idea behind the use of AES is to ensure that the crypt’d data hasn’t been tampered with – and hence decryptable, but unfortunately the flawed implementation of the use of AES and how it handles errors gives out some much needed clues for an attacker to pursue.

From TheThreatPost article:

In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application’s decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it’s actually possible.

There is a Microsoft Security Advisory (2416728) which gives some workarounds until a proper fix is made available. What’s really concerning is this little tidbitt from Thai Duong about Using their tool the Padding Oracle Exploit Tool or POET:

“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

What’s really interesting is seeing the video of the exploit in action on dotnetnuke (don’t close your eyes). ScottGu has blogged about this exploit which goes into far more detail than I can, but if you’re keen there’s a nice document on using the Padding Oracle exploit and includes discussions regarding the JSF View state, cracking CAPTCHA schemes as well as some juicy details on CBC-R.

{lang: 'en-GB'}
Share

Chrome 4.0 is out with extensions support

January 26th, 2010 1 comment

Well finally Google has released Chrome 4.0 and with it extensions support amongst the many other features which finally brings some much needed juice to the browser. I’ve been running Firefox and Chrome simultaneously (Chrome for gmail & google apps, firefox for daily browsing) but I have a feeling I may change to using Chrome full time now.

Some cool extensions to try (most are from Firefox)

  • Xmarks Bookmarks Sync – I’ve been using FoxXmarks to sync my bookmarks for a while now, so its only natural I install this for Chrome. You can also stick with the standard Bookmark sync via Google which you’ll need a Google account for.
  • Google Mail Checker / Google Alerter – there’s also the One Number extension that brings more than just checking gmail.
  • AdBlock – probably the number one reason most people wanted extensions in Chrome!
  • Forecastfox Weather – My weather extension I use in Firefox.
  • FlashBlock – Can’t stand videos playing automatically when you load a gazillion tabs and wonder WHO THE EFF is talking?
  • Goo.gl URL Shortner – none others required.
  • Firebug Lite – Not as feature packed as Firebug, but then why would they call it Lite?
  • IETab – Sometimes you gotta.

Chromed. There’s lots more if you’re into Facebook, Twitter and all the other fancy things these days, even one for uTorrent! Download the latest build and give things a go!

PS. You don’t need to restart Chrome to install extensions either!

{lang: 'en-GB'}
Share

Opera 10 finally released!

September 1st, 2009 No comments

Today marks the release of Opera 10.

Amongst the highlights:

– Revamped user interface
– Boosted speed from the new Opera Presto 2.2 engine, giving it a 40% increase from the previous version when running web applications (such as Gmail)
– Opera Mail has seen various improvements
– Opera Turbo, designed to increase browsing speed for those on slower Internet connections
– An inline spell checker, to help catch mistakes when typing in entry forms
– Thumbnail tabs which are resizable
– Speed Dial has been given personalization features

Download a copy or read up on the new features in this release, the site’s being hammered right now by the looks of it? I still remember starting out with Opera 5 back in 2001, a close friend designated Opera as his ‘porn browser’, purely because of the tabbing and speed (not to mention lightweightness ) of the browser.

{lang: 'en-GB'}
Share

New Google Image search options bring some coolness!

August 3rd, 2009 No comments
Google Image Search Options

Google Image Search Options

I haven’t searched for images in quite sometime but just realised that Google has updated its image search options!

Lets say your looking for some photos on Windows 7, but you don’t want all the screenshots of the operating system, instead you want just people. Select Faces option and voilla, people images.

What about some photos of Australia? Maybe photos that show just how harsh our climate is in the dessert? Historical or artsy Black & White ones? You get the idea 🙂

Awesome and useful! If you’ve ever wondered what I look like, all you have to do is search (heheh).

{lang: 'en-GB'}
Share

Foxy ladies: Mozilla releases Firefox 3.5!

July 1st, 2009 No comments

The moment we’ve all been waiting for, Mozilla has released the final version of Firefox 3.5 (which was originally slated to be 3.1). Amongst the highlights include the new Gecko 1.9.1 rendering engine and (from their release notes):

  • Available in more than 70 languages. (Get your local version!)
  • Support for the HTML5 <video> and <audio> elements including native support for Ogg Theora encoded video and Vorbis encoded audio. (Try it here!)
  • Improved tools for controlling your private data, including a Private Browsing Mode.
  • Better web application performance using the new TraceMonkey JavaScript engine.
  • The ability to share your location with websites using Location Aware Browsing. (Try it here!)
  • Support for native JSON, and web worker threads.
  • Improvements to the Gecko layout engine, including speculative parsing for faster content rendering.
  • Support for new web technologies such as: downloadable fonts, CSS media queries, new transformations and properties, JavaScript query selectors, HTML5 local storage and offline application storage, <canvas> text, ICC profiles, and SVG transforms.

For the developers, the Mozilla developer centre details the changes in this release. But the most exciting is the support for <video> and <audio> elements from the HTML 5 draft and the inclusion of the TraceMonkey JavaScript engine.

Download it now!

{lang: 'en-GB'}
Share

Yesterdays Undies: Microsoft releases Internet Explorer 8!!!

March 20th, 2009 No comments

A quick note that the once mighty beast that is Internet Explorer (affectionatley also dubbed, Internet {Exploder, Exploiter etc}) has released the much awaited version 8.

Internet Explorer 8 About BoxThere’s also a review on eWeek for IE 8 and an Exclusive interview on TechRadar with Microsoft’s John Curran.

Direct download links for your platform:

Grab it while its hot and add it to your list of browsers to test, or just use SuperPreview. UPDATE: we tried it, and our initial thoughts were it was lamey, stick to BrowserShots.

Whilst its downloading, checkout the History of the Internets, everything from the days of Marquees and annoying overdone GIFs, to the days where every fscking site had a flash video, to the brighter days of today, when we all seem to walk to stalk everyone else and see what they’re up to.

I’m running Windows 7 on this lappy so unfortunately you wont be able to install the RTM if your in the same boat.

In terms of security, unfortunately IE8 was defeated at Pwn2Own but not before everyones *favourite* fruit company’s Safari went down… in seconds for the second year in a row! Not even IE8 on Win7 was left out of the carnage.

Mmm I can taste those crApples rotting on teh Safari – they should add that to the list of security features.

Late for work, enjoy.

{lang: 'en-GB'}
Share

Microsoft releases IE8 Beta 1 and ASP.NET MVC RC1

January 28th, 2009 No comments

Wow, what a stinking hot day today was, utter chaos on our public transport system (which they are explaining and not making excuses about just incase you got con’nexed into thinking that) so it was nice to spend some time on the beach like the rest of the crowd.

More importantly, news in the virtual werld is that Microsoft have released Internet Explorer 8 RC1 for everyone to test against. Essentially its now feature complete and will behave like RC1 at final RTM. So give that a go, if you were a tester you’ll be glad to know that your pre-RC1 copies will upgrade. You wont be able to install it on Windows 7 though!

If you want to peak Inside Internet Explorer 8 theres a good interview on Channel 9 with Dean Haachamovitch and Jason Upton.

Then, theres the release of ASP.NET MVC Framework RC1. See the release notes and take a look.

{lang: 'en-GB'}
Share

Google Chrome 2.0

January 9th, 2009 1 comment

While Microsoft flaunts Windows 7, everyone’s second favourite company, Google is hard at work on Chrome 2.0. They’ve just release a pre-beta release tagged Chrome 2.0.156.1 which brings some funky new changes:

  • New version of WebKit. WebKit is the open source code Google Chrome uses to render web pages (HTML and CSS). 1.0.154.36 used basically the same version of WebKit as Safari 3.1, but the WebKit team has made a lot of improvements since that was released. 156.1 uses WebKit version 528.8 or, more precisely, revision 39410 from the WebKit source tree. In addition to fixing bugs and enabling features like full-page zoom and autoscroll, the new version also enables some nifty CSS features:
  • Form Autocomplete. Google Chrome remembers what you’ve typed into fields on web pages. If you type in the same form again, it will show any previous values that match what you’ve typed so far. You can disable Form autocomplete on the Minor Tweaks tab of the Options dialog.  (Note: this is like the basic form autocomplete available in Firefox or Internet Explorer. It is not the same as the form fill feature in Google Toolbar.)
  • Full-page zoom. Previously, page zoom (Ctrl++ or Ctrl+-) increased or decreased only the text on a page. Zoom now scales everything on the page together, so pages look correct at different zoom levels.
  • Spell-checking improvements. You can now enable or disable spell checking in a text field by right-clicking in the field. You can also change the spell-checking language by right clicking. To enable spell-checking in a language, add it to the list of ‘languages you use to read web sites’ in the Fonts and Languages dialog ([Wrench] > Options > Minor Tweaks > Fonts and Languages). Note that Google Chrome doesn’t have spell-checking dictionaries for every language you can add to this list.
  • Autoscroll. Many users have asked for this and (thanks to our WebKit update), we now offer autoscrolling. Middle-click (click the mousewheel on most mice) on a page to turn on autoscroll, then move the mouse to scroll the page in any direction.
  • Docking dragged tabs. When you drag a tab to certain positions on the monitor, a docking icon will appear.  Release the mouse over the docking icon to have the tab snap to the docking position instead of being dropped at the same size as the original window. Docking positions are:
    • Monitor top: make the dropped tab maximized.
    • Monitor left/right: make the dropped tab full-height and half-width, aligned with the monitor edge.
    • Monitor bottom: make the dropped tab full-width and half-height, aligned with the bottom of the monitor.
    • Browser-window left/right: fit the browser window and the dropped tab side-by-side across the screen.
    • Browser-window bottom: fit the browser window and the dropped tab top-to-bottom across the screen.
  • Import bookmarks from Google Bookmarks. The [Wrench menu] > Import bookmarks & settings… option now has a Google Toolbar option to import Google Bookmarks. The bookmarks get imported into your Other bookmarks folder. The bookmarks are not kept in sync; the import process simply reads in the current set of online bookmarks.
  • New SafeBrowsing implementation. SafeBrowsing is now faster, more reliable, and uses the disk less often.
  • Use different browser profiles. You can start a new browser window that uses a different profile (different bookmarks, history, cookies, etc.). Use [Wrench menu] > New window in profile. When you create a new profile, you can name it and add a shortcut to your Desktop.
  • Update the V8 Javascript engine to version 0.4.6.0 (from 0.3.9.3).
  • New network code. Google Chrome now has its own implementation of the HTTP network protocol (we were using the WinHTTP library on Windows, but need common code for Mac and Linux). We fixed a few bugs in HTTP authentication and made Google Chrome more compatible with servers that reply with invalid HTTP responses. We need feedback on anything that’s currently broken, particularly with proxy servers, secure (https) sites, and sites that require log in.
  • New window frames on Windows XP and Vista, supporting windows cascading and tiling, and other window-management add-in programs.
  • Experimental user script support (similar to Greasemonkey). You can add a –enable-user-scripts flag to your Google Chrome shortcut to enable user scripts. See the developer documentation for details.
  • A new HTTPS-only browsing mode. Add –force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load.

Go on, try it out.

{lang: 'en-GB'}
Share

Google releases Chrome 1.0

December 12th, 2008 No comments

Epic news, Google has released a 1.0 release of Chrome.

We have removed the beta label as our goals for stability and performance have been met but our work is far from done. We are working to add some common browser features such as form autofill and RSS support in the near future. We are also developing an extensions platform along with support for Mac and Linux. If you are already using Google Chrome, the update system ensures that you get the latest bug fixes and security patches, so you will get the newest version automatically in the next few days.

You can download a windows version today, the Linux & Mac OS builds are still in development.

{lang: 'en-GB'}
Share

Microsoft releases Internet Explorer 8 Beta 2

August 28th, 2008 No comments

Yippe Ya Ya yay! Microsoft just released IE8 Beta 2 as posted on the IEBlog:

We’re excited to release IE8 Beta 2 today for public download. You can find it at http://www.microsoft.com/ie8. Please try it out!

You’ll find versions for 32- and 64-bit editions of Windows Vista, Windows XP, Windows Server 2003, and Windows Server 2008. In addition to English, IE8 Beta 2 is available in Japanese, Chinese (Simplified), and German. Additional languages will be available soon.

While Beta 1 was for developers, we think that anyone who browses or works on the web will enjoy IE8 Beta 2. Before the team blogs about our Beta 2 in detail, here’s an overview of what you’ll find in IE8.

We focused our work around three themes: everyday browsing (the things that real people do all the time), safety (the term most people use for what we’ve called ‘trustworthy’ in previous posts), and the platform (the focus of Beta 1, how developers around the world will build the next billion web pages and the next waves of great services).

Go and download a copy and try it out. While your waiting checkout the cool new features in IE8.

{lang: 'en-GB'}
Share