Topic: cookie hacker

So, this morning I get this email from some concerned user of my site telling me that a guy who has registered is a hacker and hacked a phpbb board (they sent me the address to that). They forwarded me this message by this hacker (the email address he used to post the message and the one used to sign up for my board are the same):

As a hacker, I can say with 100% certainty that Firefox is a better browser in terms of security than IE. IE's severely flawed implementation of HTML makes it so that just about every XSS (Cross Site Scripting) attack in the book works on it.

I can do IE-Compatible XSSes via tables, images, xml tags, bgsound tags, object tags, frame tags, iframe tags, and on and on. Not nearly as many of those will work in Firefox. In fact ALL of the XSSes I have done have worked in IE. However, only a handful have worked in Firefox.

About the patching of other security flaws that have been discovered, flaws discovered in Firefox (of which far fewer have been discovered than in IE, and the criticality of them has been lower) have been patched in short order. However, Microsoft has taken months to patch security flaws in IE before.

As far as features go, Firefox has a good number of them built in. Even if there is less than IE, Firefox has a robust plug-in interface; a plug-in can be written to do most anything in Firefox.

I even have a cookie editor for Firefox so I can effortlessly forge cookies. Forged cookies can be used to get unauthorized access to website features, and even entire accounts, so the cookie editor plug-in is really handy. There are MANY plug-ins for Firefox to add more features and functionality to the browser. And more are being developed every day.

These reasons are why Firefox is the browser of choice for hackers. It is more secure and more extensible.

By the way, while previewing the first version of my post, I discovered that this comments page may be vulnerable to XSS. I will do a test post to make sure (Don't worry, it will just create a simple alert() box if successful.)

Alrightythen, should I be concerned? I'm downloading the FF cookie edit extension now to see what it does but in the meantime is there a way to make sure cookies are protected?

Re: cookie hacker

Oh the link to that message he (Lacertosum) posted is here: http://jacquelinepassey.blogs.com/blog/ … refox.html toward the bottom of the page.

Re: cookie hacker

Well, as far as I can tell from his post, he's a script-kiddie (i.e.: No cracking skill whatsoever other than the infamous "cut/paste" methodology from vulnerability lists) and has no real skills at all.
From his "testing"...Nothing happened. Didn't work.

Here's the thing - If people go around posting things that start with phrases such as "As a hacker..." or "I'm a hacker..." you can almost guarantee that they're not.

Re: cookie hacker

I'm sorry, but I fail to see what this has to do with PunBB.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cookie hacker

Rickard - I think (I could be completely off) that they're worried about this happening on their own punBB board because of the cookie issue.

Re: cookie hacker

You can't 'protect' cookies, they are completely out of your control. The only way someone can impersonate another user by editing the cookie is if they discovered the user's password hash. You can't just change the id stored in the cookie and become someone else, not in punbb at any rate.
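The check described in the reply above, sketched as an added example (not PunBB's own code and not from any poster in this thread): the cookie carries a user id plus a token derived from the stored password hash and a server-side seed, so editing the id alone fails validation. The cookie layout, function names, seed and sample users are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a server-side seed and a two-row user table.
# The SHA-1 values stand in for whatever password hash the board stores.
COOKIE_SEED = "constructed-seed-not-a-real-secret"
USERS = {
    2: {"name": "alice", "password_hash": hashlib.sha1(b"alice-pass").hexdigest()},
    3: {"name": "bob", "password_hash": hashlib.sha1(b"bob-pass").hexdigest()},
}


def _token(password_hash):
    # Keyed digest binding the cookie to the stored hash and the server seed.
    return hmac.new(COOKIE_SEED.encode(), password_hash.encode(),
                    hashlib.sha256).hexdigest()


def issue_cookie(user_id):
    # Hypothetical layout: "<user id>|<token>".
    return f"{user_id}|{_token(USERS[user_id]['password_hash'])}"


def check_cookie(cookie):
    """Return the authenticated user id, or None (treat as guest)."""
    try:
        raw_id, token = cookie.split("|", 1)
        user_id = int(raw_id)
    except ValueError:
        return None  # malformed cookie: missing separator or non-numeric id
    user = USERS.get(user_id)
    if user is None:
        return None
    # Recompute the token from the row the cookie *claims* to belong to.
    expected = _token(user["password_hash"])
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return user_id


def change_password(user_id, new_password):
    # A new stored hash invalidates every cookie issued under the old one.
    USERS[user_id]["password_hash"] = hashlib.sha1(new_password).hexdigest()
```

Because the token is recomputed from the claimed user's row, the stored password hashes and the seed are what need protecting on the server; the cookie itself stays under the client's control.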

7

Re: cookie hacker

erissiva wrote:

Well, as far as I can tell from his post, he's a script-kiddie (i.e.: No cracking skill whatsoever other than the infamous "cut/paste" methodology from vulnerability lists) and has no real skills at all.
From his "testing"...Nothing happened. Didn't work.

Here's the thing - If people go around posting things that start with phrases such as "As a hacker..." or "I'm a hacker..." you can almost guarantee that they're not.

Actually, he is a hacker.  It's easy to stop the basic exploit from working.  But when you recode it completely to bypass a filter, the situation changes.

You should really be more careful about claiming someone is a script kiddy.  If he thinks he's being challenged, he will find an exploit for your forums, if he spends a week or more doing it.  So please, for the good of your forums, don't go around saying such stuff.  If you have nothing better to do than insult people you don't even know, you should really get another hobby.  Or four.

And don't worry.  Your forums are safe from Lacertosum.  But always remember to upgrade to the latest version, for security, and keep an eye on bugtraq, because the next time someone may be REALLY malicious.

8 (edited by erissiva 2005-06-08 15:44)

Re: cookie hacker

Actually, he is a hacker.

No. He is a cracker. Wrong terminology and common mistake.

hacker
noun:   a programmer for whom computing is its own reward; may enjoy the challenge of breaking into other computers but does no harm

cracker
noun:   a programmer who `cracks' (gains unauthorized access to) computers, typically to do malicious things

Crackers are one of the lowest forms of life. Their whole purpose is to destroy with intent to bring themselves fame. Although most of them give up when they realize that there are better ways to go about it.

You should really be more careful about claiming someone is a script kiddy.  If he thinks he's being challenged, he will find an exploit for your forums, if he spends a week or more doing it.

Let him go ahead and waste his time. I make daily backups of my site, as does my webhost. Even if he does take it down it will only take a couple more minutes to restore it to its original state as well as discover the flaw using RAW access logs. wink Plus, supposed "crackers" do challenging things to make themselves feel better. It's not really that much of a challenge to hit someone's personal blog and gallery that barely pull in 30 hits a day. roll

Have I had my site cracked and defaced before?
Yes, back when I was a naive user that used unsecure software such as postnuke. But the exploit was one that could easily be found by trawling the software's own security pages. roll Whoopee....The next Mitnick I presume? Um...No.

Do I care?
Not really. Like I said - Minor inconvenience that no one will notice.

In computing, a script kiddie (occasionally script bunny or script kitty) is a derogatory term for inexperienced crackers who use scripts and programs developed by others for the purpose of compromising computer accounts and files, and for launching attacks on whole computer systems (see DoS). In general, they do not have the ability to write said programs on their own. Such programs have included WinNuke applications and Back Orifice.

Script kiddies, instead of attacking an individual system, often scan thousands of computers looking for vulnerable targets before initiating an attack. The term is also often used as a derogatory spam for individuals who do not contribute to the development of new security-related programs, especially exploits, but rather benefit from the work of others.

Still firmly believe that. And, I wasn't personally attacking that individual, just his line of "work".
Be sure to forward this post to him. wink

Cheers! big_smile


Edit: After a simple Google search, it turns out that there are numerous Lacertosums. There is one legitimate one who runs the site http://hackthissite.com and is a legitimate hacker and who discovered the "WebCT 4.1 XSS" exploit.  But, as we have discussed before, this is a non-malicious person. Sorry about the confusion.

Re: cookie hacker

While we're on the subject, could someone please inform me of the usefulness of "vulnerability lists" such as Bugtraq?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

10 (edited by Smartys 2005-06-09 19:59)

Re: cookie hacker

Script kiddies, software that isn't updated anymore/where the vendor doesn't issue a patch (which usually isn't the case), being able to track the number of security issues in a piece of software
That's all I can think of off the top of my head smile

Re: cookie hacker

back on topic tongue i found the cookie hacker(monster) sorry but every time i saw this thread i thought of this
http://images.art.com/images/PRODUCTS/large/10095000/10095341.jpg

Re: cookie hacker

w00t big_smile

Re: cookie hacker

Even more relevant:

http://img14.echo.cx/img14/6938/mycookie2oh.jpg

Re: cookie hacker

hahaha

"Programming is like sex: one mistake and you have to support it for the rest of your life."