StalkDaily worm hits Twitter

Found a full post mortem of the latest worm to hit the social media scene – StalkDaily. Very interestingly, Twitter allowed users to add script tags to their profile, and 17-year-old Mikeyy Mooney employed a cross-site scripting attack to not just post an update promoting his own site, but also to add the same malicious JavaScript to the profile pages of whoever visited an infected page. The modus operandi of the attack is described in more detail here.

This, of course, made use of the authentication tokens that are present when you are logged into Twitter – and while it couldn’t scrape passwords, it did its harm. Twitter is kinda more open than all the others, since it exposes pretty much all its functionality through its API – it even gives users the ability to update their profiles through it. This, along with the fact that they allow JavaScript inclusion in the profile (extremely surprising! why would they allow this!), makes it easy to do cross-site scripting attacks here.

I was wondering what means can be employed to control this — and there are a few strategies that can be used here:

  1. Input Cleanup – Always clean up input when you are accepting anything from a foreign agent (user, website, API). This should include stripping script tags, guarding against SQL injection, etc.
  2. Secure Account Settings – Ensure that before changing account settings, users are at least made to enter their password once again, or that the settings live at a separate location (https) so the same authentication tokens cannot be reused. Yahoo/Google do that for all important account settings.
  3. Sandbox External Code – If you do have to run any custom code that the user sends your way, run it in a sandbox. Rather than giving it access to all your data structures, create a new data structure, populate it appropriately and let the code spit out its results in some predefined format (say, XML). You can parse the results and display them again. Showing users’ code directly can be quite dangerous.
  4. Extra authentication for APIs – Give the API an extra authentication token, say an API key, so that clients cannot access your APIs without it. The challenge here would be distributing this extra information. This can either be done by asking users to enter an extra API key when they give API access to somebody, or by making the software pass through an API validation step (a la OpenID, or Vista UAC) that only hands out the API key after correctly informing the user.

Do you have any other tips?


The Terror Blasts and Twiddling Thumbs

Once again, our country is facing terror attacks in Mumbai. And once again, I’m afraid we will fail to do anything. Once again, we will talk of the Spirit of Mumbai, shrug it off, sleep, get up and go back to work. Once again, politicians will condemn the attacks, there will be an enquiry, a committee, a review, a panel, a report – all to be lost in a filing cabinet in South Block. Once again, the world will cry foul, issue travel advisories, cancel air tickets and hotel bookings, and then visit next year and get high on dope in Varanasi. Once again, the army will be called into action after the intelligence system has failed, rescue people, save lives, and go back to training camps. Once again, we will fear for the economy, FIIs drawing back money, FDI drying up, and everybody will forget in some time. Once again, a tour will be called off, security concerns will arise, but they will come back in no time salivating for the money. Once again, lives will be lost, relatives will cry, friends will mourn, death certificates will be made, a compensation announced, and all will be forgotten in history. Once again, the injured will pick up the pieces, perhaps with no leg, perhaps with no eyes, and live a life of despicable cruelty ever after. Once again, …

But for how long? For how long will this spectre repeat, right in front of our eyes, while we fail to take any action? Hasn’t this list of events become an all too common phenomenon? Hasn’t it become so blasé that many times we hardly even notice — ignore page 1 and turn straight to page 3? What have we done to improve the situation? Where is the Corrective and Preventive Action? Have we even prepared a document, let alone implemented it? Where are the criminals of the past crimes? Have we punished enough? Does our political establishment have the balls to hang the perpetrators of terror? Punish them such that nobody will try to repeat this mockery of India?

We can all keep talking. Will we ever do anything? Will we stand up for India?

I just wonder.

I hope we are a part of the solution – so just putting down some thoughts. Start a dialog. Let’s see if we can come up with a solution.

Vote – The biggest responsibility for Indians is to vote. That’s the way we can bring about a change in our country. That’s the way to show your country you actually care what the situation is. JaagoRe is a great effort – kudos to them – and let’s support them. And next time, let’s vote in a single party, whoever it be, so that we are not crippled by our slow democratic process. If we end up with a hung assembly again, in the cacophony of the Parliament, the terrorists will get away again.

Respect – I believe that we don’t respect the people who save us enough. Every time, after a war situation, there is a flurry of patriotic films saluting the soldiers, the commandos, but films are not enough. We need to give them more respect in real life. Perhaps a regular feature across TV channels on war heroes and those who laid down their lives for the country. Increase their salaries. For God’s sake – many of us work for foreigners, write code, analyze, sell, buy for MNCs – but these guys lay down their lives for unknown men and women of India, who perhaps don’t even give back enough in return. They deserve to be paid more than most others. Give them more respect in social circles. Treat them as heroes. Only then will we want to join the Army, rather than using it as the last resort and career option.

Love – We can’t cure this ill with hate. If we started a revenge propaganda, things will never improve. We can only heal if we treat both Hindu and Muslims with love, and not get swayed by brainwashing. We need to be careful about identifying the perpetrators, and punish them with determination, but treat the others with love. If the retaliation is arbitrary and unreasonable, things will only get worse.

Spend – Let’s spend more money on intelligence. Let’s beef it up. The only way to fight these attacks is by defusing them early, since once a man who cares not for his own death has a gun in a room full of people there is very little anybody can do. We need to find the clues early, nab them and nip them in the bud. Repeating the earlier point, how many people do we hear of who are working in intelligence? For a nation of a billion people, a trillion whispers, a gazelleon hiding spaces, there are hardly enough intelligence personnel.

Revisit – Let’s revisit the past crimes, and keep track of whether we actually punished the guilty. Our media stumbles from story to story, and in 3-4 days we will forget everything that’s happened today. Let’s keep track of these, keep checking what’s being done, and make sure the guilty are given exemplary punishment, and the good given reward.

Reward – Let’s reward the brave. Citizens who have saved the lives of others. Both monetarily and socially. Let people feel that our society actually rewards those who serve others.

Educate – Let’s spend more on education. Typically, the people most susceptible to brainwashing are those who are not so educated – and unable to think and understand for themselves.

I think I’m coming to the end of my ideas. Will look forward to receiving more in the comments section.

