http://www.southsideofthejames.com Mon, 06 Sep 2010 08:38:57 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 http://www.southsideofthejames.com/cross-site-scripting-xss-%e2%80%93-it%e2%80%99s-bad-for-your-financial-health.html http://www.southsideofthejames.com/cross-site-scripting-xss-%e2%80%93-it%e2%80%99s-bad-for-your-financial-health.html#comments Sat, 21 Aug 2010 00:00:13 +0000 admin http://www.crawbot.co.cc/?p=4250

Internet Rumors Can Be Damaging – Even If Unconfirmed

A woman working at HP sent an email to hundreds of co-workers that a snack made by Osem, one of the largest food manufacturers in Israel and a local subsidiary of Nestle, caused infant death.

This email quickly spread and the result was a 6% drop in Osem’s stock in just a few hours.

The email wasn’t very sophisticated. It wasn’t even remotely true. Still, Osem – one of the largest companies in Israel – had its stock damaged by a completely false email rumor.

Apple’s stock goes down when rumors are circulated that Apple’s CEO Steve Jobs has had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.

Stocks going up or down because of rumors is as old as the invention of the stock market. But the Internet makes it easier to fabricate a rumor and have it reach far and wide within hour. Just add one more component and a stock could be driven deeply into the ground: credibility. For maximum credibility, how about planting a confirming statement on the corporate web site!

How Damaging Could A Confirmed Rumor Be?

Imagine if you saw a news item on the corporate web site www.apple.com that actually confirmed the death of Steve Jobs. Imagine if you saw on Osem’s web site an admittance of guilt that their snack was indeed poisoning infants. What would happen to their stock then?

Here’s the scary part: it is not difficult to do this. Nobody even needs to break in or deface the corporate web site for this to happen. All that is needed are these two things:

1)    An unhandled Cross Site Scripting (XSS) vulnerability on the corporate site, and

2)    Inclusion of a carefully crafted link to the corporate site in the alarming email, on a social network page or included in a Twitter ‘tweet’ that takes advantage of the vulnerability

The link in the email will apparently take the alarmed person to the corporate site, but once they ‘arrive’ they will actually see a page that was created by the attacker and which confirms the alarming content. That link contains the XSS attack. When that link is then forwarded, every other person who uses it will also see this faked page. How far and how fast can such a link be spread? See the two examples at the beginning of this article again.

How Hard Is It To Do XSS?

Not hard at all. In fact, we made a quick proof of concept to the Tel Aviv Stock Exchange (TASE) a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to any computer security expert who ever reported a XSS vulnerability: “This is not really a problem as there was no change to any page on our site”. For something that is “not a problem” they sure fixed it within the hour, though.

We’ve experienced this same response almost every time our vulnerability scanning service (see http://www.beyondsecurity.com/vulnerability-scanner.html) finds a XSS vulnerability in a fortune 500 corporate or government site. We are often asked to explain why the report presents it as a serious issue. Using cross site scripting we have demonstrated the planting of false financial reports in the ‘investors’ section, altering news items and in almost all cases we have been met with the reaction: “this is not a real vulnerability” and “how can this really affect me?”

Who’s Damaged By A Cross Site Scripting Attack?

Most security researchers opt to explain XSS as an attack that steals cookies from site visitors. The damaged party in this case is ‘just’ the web site visitor who loses his account and any funds that maybe connected to it (setting aside how attackers may take that stolen account and use further explits to escalate permissions until they end up owning your serrver!).

While loss to the site visitor is a likely outcome, I think there’s a greater risk in the alteration of information on a ‘trusted’ page which could be useful in a phishing attack, or like the examples above, an attack intended to drive stock down that had been sold short.

I’m waiting for the first XSS attack that will tank a big company stock after is has been sold short by the attacker. If you are responsible for the security of your site, make sure your company won’t be the one.

]]> http://www.southsideofthejames.com/cross-site-scripting-xss-%e2%80%93-it%e2%80%99s-bad-for-your-financial-health.html/feed 0 http://www.southsideofthejames.com/user-profile-corruption-in-windows-it-can-be-recovered.html http://www.southsideofthejames.com/user-profile-corruption-in-windows-it-can-be-recovered.html#comments Sat, 21 Aug 2010 00:00:08 +0000 admin http://www.crawbot.co.cc/?p=4245

The Windows user profile allows you to have a personalized desktop environment. On corruption of user profile you cannot access your system. When you attempt to log on to Microsoft Windows XP Professional or Microsoft Windows XP Home Edition, you might encounter the following error message:

“Windows cannot load your profile because it may be corrupted. You may be logged in using a temporary User Profile.”

This behavior of Microsoft Windows XP makes all your vital files inaccessible and cause critical file loss situations. In this critical situation one needs to perform File Recovery by sorting out this problem.

Cause of the problem

As stated in the above error message, this problem takes place due to corruption to the user profile. Due to this reason Windows cannot verify your account and thus does not let your log on to it.

Solution

You can sort out this issue by creating a new user profile. To do so, you need to delete the existing user profile.

The user should keep it in mind that before deleting the user profile and creating a new one, there should always be a backup for all of your critical data. When you move to new profile, Windows may let your log into the system but your critical files, applications and configuration will be missing. After creating a new profile, you can easily restore data from backup.

On deleting the old user profile without backing up the data, you may come across critical file loss situations. To recover your significant file in such cases, thorough scanning of entire hard drive using File Recovery Software is required.

These are third party applications which perform Deleted File Recovery in most of the file loss situations. With simple and interactive graphical user interface, these software are fairly easy to use.

Stellar Phoenix Windows Data Recovery is an advanced and dominant tool that can recovery lost files from all FAT16, FAT32, VFAT, NTFS and NTFS5 file system partitions. This software is compatible with Microsoft Windows Vista, 2003, XP and 2000. It also recovers deleted Outlook and Outlook Express emails.

]]> http://www.southsideofthejames.com/user-profile-corruption-in-windows-it-can-be-recovered.html/feed 0 http://www.southsideofthejames.com/how-to-configure-an-authoritative-time-server-in-windows-server-2008.html http://www.southsideofthejames.com/how-to-configure-an-authoritative-time-server-in-windows-server-2008.html#comments Mon, 16 Aug 2010 00:22:00 +0000 admin http://www.crawbot.co.cc/?p=4248

Time synchronisation in modern computer networks is essential, all computers need to know the time as many applications, from sending an email to storing information are reliant on the PC knowing when the event took place.

Microsoft Windows Server from 2000 onwards has a time synchronisation utility built into the operating system called Windows Time (w32time.exe) which can be configured to operate as a network time server.

Windows Server 2008 can easily set the system clock to use UTC (Coordinated Universal Time, the World’s time standard) by accessing an Internet source (either: time.windows.com or time.nist.gov).

To achieve this, a user merely has to double click the clock on their desktop and adjust the settings in the Internet Time tab.

It must be noted however, that Microsoft and other operating system manufacturers strongly advise that external timing references should be used as Internet sources can’t be authenticated.

To configure the Windows Time service to use an external time source, click Start, Run and type regedit then click OK.

Locate the following subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParametersType

In the right pane, right-click Type then click Modify, in edit Value type NTP in the Value data box then click OK.

Locate the following subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigAnnounceFlags.

In the right pane, right-click AnnounceFlags and click Modify. The ‘AnnounceFlags’ registry entry indicates whether the server is a trusted time reference, 5 indicates a trusted source so in the Edit DWORD Value box, under Value Data, type 5, then click OK.

Network Time Protocol (NTP) is an Internet protocol used for the transfer of accurate time, providing time information along so that a precise time can be obtained

To enable the Network Time Protocol; NTPserver, locate and click:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer

In the right pane, right-click Enabled, then click Modify.

In the Edit DWord Value box, type 1 under Value data, then click OK.

Now go back and click on

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParametersNtpServer

In the right pane, right-click NtpServer, then Modify, in the Edit DWORD Value under Value Data type In the right pane, right-click NtpServer, then Modify, in the Edit DWORD Value under Value Data type the Domain Name System (DNS), each DNS must be unique and you must append 0×1 to the end of each DNS name otherwise changes will not take effect.

Now click Ok.

Locate and click the following

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClientSpecialPollInterval

In the right pane, right-click SpecialPollInterval, then click Modify.

In the Edit DWORD Value box, under Value Data, type the number of seconds you want for each poll, ie 900 will poll every 15 minutes, then click OK.

To configure the time correction settings, locate:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32Timeconfig

In the right pane, right-click MaxPosPhaseCorrection, then Modify, in the Edit DWORD Value box, under Base, click Decimal, under Value Data, type a time in seconds such as 3600 (an hour) then click OK.

Now go back and click:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32Timeconfig

In the right pane, right-click MaxNegPhaseCorrection, then Modify.

In the Edit DWORD box under base, click Decimal, under value data type the time in seconds you want to poll such as 3600 (polls in one hour)

Exit Registry Editor

Now, to restart windows time service, click Start, Run (or alternatively use the command prompt facility) and type:

net stop w32time && net start w32time

And that’s it your time server should be now up and running.

]]> http://www.southsideofthejames.com/how-to-configure-an-authoritative-time-server-in-windows-server-2008.html/feed 0