freak2code is the blog about latest geek news,software reviews ,trends in technology and more informative stuff......

Friday, 31 August 2012

Stripe CTF 2.0

posted by vinay gautam

This is a thing I did. It was a cracking contest held by Stripe (who run a pretty neat service, btw), and it ended today. I was third to beat level 7 and twentieth to beat level 8, so here is the tale of how I came upon the solutions.

I haven’t reproduced the entirety of each puzzle below, because that would suck, but if you’re lucky maybe you can still sign up and follow along. If not, Stripe has promised to release the puzzles (and solutions) tomorrow. I think.

Level 0: Secret Safe

This one was written in JavaScript and implemented really simple security-by-obscurity storage: you provide a namespace, and it either stores data for you under some key or tells you all keys and data stored under that namespace.
This was the intro level, so the solution was pretty obvious, but actually less obvious than I expected for a level called “0”. The offending line is:
    var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
The key is actually stored as namespace.key. So the “exploit” is just to enter % as the namespace, and voilà, every secret is revealed. The db doesn’t know the difference between a % in your literal query and a % in your bound parameter, so any key containing a period (i.e., all of them) is selected. I suppose you’d call this LIKE injection.
It’s not vanilla SQL injection, but it relies on the same principle as all injections: dropping arbitrary data blindly into a structured format.
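The LIKE injection above, reproduced against an in-memory SQLite table beside the fix a defender would apply (escaping the LIKE metacharacters and declaring the escape character). This is an added example, not code from the CTF; the table, sample rows and function names are constructed.

```python
import sqlite3

# Constructed sample data: keys are stored as "namespace.key", as in the level.
SAMPLE_SECRETS = [
    ("alice.pin", "1234"),
    ("alice.token", "s3cret"),
    ("bob.pin", "9876"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (key TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SAMPLE_SECRETS)
    return conn


def lookup_vulnerable(conn, namespace):
    # The level's query (single-quoted literal for portability). The bound
    # parameter stops SQL injection, but LIKE still interprets % and _ in it,
    # so a namespace of "%" matches every key that contains a period.
    return conn.execute(
        "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%'",
        (namespace,),
    ).fetchall()


def escape_like(value, esc="\\"):
    # Make % and _ (and the escape character itself) literal for LIKE.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_fixed(conn, namespace):
    # ESCAPE '\' tells SQLite that a backslash-prefixed % or _ is a plain
    # character, so the only wildcard left is the trailing % we add ourselves.
    return conn.execute(
        "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\\'",
        (escape_like(namespace),),
    ).fetchall()
```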

Level 1: Guessing Game

PHP this time, and a similar idea, really. Enter the password, receive the data, which is stored in a file.
This one relied on recognizing a hilariously awful standard PHP function:
      $filename = 'secret-combination.txt';
      extract($_GET);
extract() takes all the keys of a hash and dumps them into your local namespace, as variables. The line above implements the infamous register_globals.
That’s just a low blow, Stripe. :)
Solution, then, is to use a query string of ?attempt=&filename=junk. The file won’t exist, PHP will cheerfully read it and return something falsey, and that’ll compare equal to the empty string.
The vulnerability here is called “PHP”. Yeah, whatever, PHP runs Facebook, I don’t care, go away.

Level 2: Social Network

PHP again. Now we’re getting into exploits I have, tragically, actually seen in the wild. The password is still stored in a file (that cannot be read directly), but now the only real entry point to the program is uploading an avatar.
So. Yeah.
my_avatar.php
<?php echo file_get_contents('../password.txt');
Upload that as your avatar and visit the URL. PHP injection.
Props to level 1 for reminding me that file_get_contents exists.

Level 3: Secret Vault

Level 2 was the last of the PHP puzzles. Now we’re getting serious. This one is a Flask app—i.e., Python.
This is a sequel to the Secret Safe, but it’s the same general idea, except that namespaces and keys have been replaced with genuine usernames and passwords.
A glance over the code, and something stands out:
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
This, then, is the obligatory SQL injection puzzle.
I am shamed to admit I took a few minutes on this—way longer than I should have. I tried to trick SQLite into running multiple statements here, or embedding an INSERT/UPDATE inside this SELECT. Those don’t work, which is good.
I didn’t get it until I rephrased the question as: how can I trick this query into retrieving data that’s not really from the users table?
Oh, right. New username:
' UNION SELECT (select id from users where username = 'bob'), '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae', '
Which produces the final query:
SELECT id, password_hash, salt FROM users WHERE username = ''
UNION
SELECT (select id from users where username = 'bob'), '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae', ''
LIMIT 1
There are no usernames of '', so the first SELECT doesn’t find anything. The second one pretends to be bob’s id, a constructed SHA1 hash, and an empty salt. Result is a single row that tricks the app into thinking my password of “foo” is correct.

Level 4: Karma Trader

A Ruby app, built on Sinatra. I can’t beat the original description:
The Karma Trader is the world’s best way to reward people for good deeds. You can sign up for an account, and start transferring karma to people who you think are doing good in the world. In order to ensure you’re transferring karma only to good people, transferring karma to a user will also reveal your password to him or her.
This should sound more ludicrous than it is, but I genuinely believe there are people in the world who would think this is a great idea.
The gimmick here is that an existing user, karma_fountain, has both unlimited karma and also the password to level 5 as his own password. To get it, obviously I need to make it look like he has given me karma.
This was hard. Because there’s a catch.
The database access all uses Sequel (a little db library) and bound params, so there’s no SQL injection. There are no silly oversights like extract. I can create as many users as I want, but I can only make them send karma to each other; I can’t make anything that looks like karma_fountain.
There are no obvious exploits. I can’t fake anything on the server.
I was going slightly crazy until I noticed some hints.
Perhaps you read Encyclopedia Brown books, or similar kid mysteries. I loved those. I started tearing through them once I noticed that most of the solutions revolved around some minor detail that received undue importance in the story, like just how many quarts of water were given to dogs before a race.
And so it was here. Quite a lot of code, relative to the size of this dinky app, is dedicated to updating and displaying a last_active timestamp. That’s utterly pointless; I’m the only one using this thing, and I know when I’ve been active.
But wait! From the app itself:
If you’re anything like karma_fountain, you’ll find yourself logging in every minute to see what new and exciting developments are afoot on the platform.
Below this is a list of all registered users, and their last-active timestamps.
karma_fountain did indeed have a very recent timestamp.
I refreshed the page.
The timestamp advanced by precisely one minute.
Brilliant.
That made the solution obvious: I created a new account with a password of:
<form id="x" method="post" action="transfer"><input type="hidden" name="to" value="eevee2"><input type="hidden" name="amount" value="100000"></form><script>document.getElementById('x').submit();</script>
Then I sent karma_fountain a single karma. One minute later, the bot hit the page again, dutifully executed my XSS, and sent me ten thousand karma and the next password.
(The bot is still going; as of this writing I have 60000499 karma.)

Level 5: Domain Authenticator

Ruby and Sinatra again. The app implements a federated identity system: you provide a username, password, and URL. It posts your username and password to the URL, and if the response is AUTHENTICATED, it considers you as logged in. If you log in with a URL hosted on a level05-*.stripe-ctf.com machine, it’ll also tell you the password for level 6.
The trick, of course, is that nothing running on the machine actually implements this protocol, and in fact no implementation is provided at all.
There is one more hint: the production app can only make requests to *.stripe-ctf.com machines, but someone “forgot” to firewall off the ports on the level 2 machines. You know, those machines that let me upload and run any code I want. So, that’s nice.
This one was good. I actually didn’t really solve it. I found most of the solution, but then I accidentally tripped over something else that was even better.

My solution

I entered a URL with letters in the port. The app crashed and showed me a generic Rack error page, with debugging information.
Now, much like Flask, Rack (and thus Sinatra) handles sessions by default by serializing a hash, tacking on a signature, and storing the whole shebang in a cookie. The upside is that this doesn’t require any server-side setup or maintenance whatsoever. The downside is that this is fucking bozotic, because it let me do the following.
You see, the Rack debug page exposes the key used to sign session cookies.
With that, it wasn’t particularly difficult to construct a fake cookie that claimed I had already been authenticated by level05-2.stripe-ctf.com. (I actually ran into a bit of trouble here: I took the original cookie from Firefox, but tried to inject it in Chromium, which already had a cookie editor installed. It took me a few minutes to notice that Rack also tracks your user agent in your cookie, and ignores it if the cookie and browser don’t match. So, minor props there. Then I found out that Firebug can edit cookies; problem solved.)
@kevinlange later pointed out to me that this actually works for all three Rack puzzles: 4, 5, and 6. I believe he informed Stripe of the unintended exploit, and it was fixed the next day: errors now serve the generic Apache 500 page.
I wasn’t quite sure whether this was intentional or not; after all, it was a legitimate exploit, but it didn’t require mucking with level 2 at all. But I had access to level 6, so whatever.

The real solution

The username and password are, of course, an irrelevant distraction. There’s no list of usernames and passwords anywhere, so they can’t possibly matter.
The real puzzle here is tricking the app into thinking level05 has verified you. And since there’s only one thing running on level05, the puzzle is tricking the app into thinking it has verified you.
The first step is to try feeding the app to itself as the URL. That produces:
An unknown error occurred while requesting https://level05-2.stripe-ctf.com/user-abcdefghij/: 500 Internal Server Error
The app is calling itself, but the second call has no pingback URL, so it gets confused and dies. Hmm.
Lucky for me, the app examines params, which is a combined hash of both GET and POST data. So I can make it not crash, at least, by feeding it https://level05-2.stripe-ctf.com/user-vmscdesvlp/?pingback=www.google.com.
Remote server responded with: Host not allowed: www.google.com (allowed authentication hosts are /\.stripe-ctf\.com$/). Unable to authenticate as foo@level05-2.stripe-ctf.com.
A valiant start. I can keep this loop going as long as I please, but without an actual authentication somewhere, I won’t get very far. And that’s where the level 2 servers come in.
pingback.php
 AUTHENTICATED
I don’t know why they mentioned “high ports” not being firewalled off; the above is all you need. There’s already an HTTP server running, after all.
Upload this guy, try to authenticate as https://level02-2.stripe-ctf.com/user-zlbgqlkyoe/uploads/pingback.php, and I get:
Remote server responded with: AUTHENTICATED.  Authenticated as foo@level02-2.stripe-ctf.com!
Wrong server, but getting there.
This is actually as far as I got before accidentally breaking Rack, but the rest isn’t too difficult. The actual check for authentication uses the following regex:
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
(That’s why I have an extra space in pingback.php: to match the weird [^\w] atom. Should be \b, but, whatever.)
Trouble is brewing: how can I trick the level05 app into putting the word “AUTHENTICATED” at the end of a response? It always prints trailing literal text!
Well, it’s an uncommonly known quirk (and hilarious potential source of exploits—like this one!) of Ruby regular expressions that they are treated as multiline by default. That means ^ and $ don’t match the beginning or end of a string; they match the beginning or end of a line.
Now the solution is easy peasy. In fact, I don’t even have to do anything, because my pingback.php already contains a trailing newline. The final URL is https://level05-2.stripe-ctf.com/user-vmscdesvlp/?pingback=https://level02-2.stripe-ctf.com/user-zlbgqlkyoe/uploads/pingback.php and we’re off to the races.
Remote server responded with: Remote server responded with: AUTHENTICATED . Authenticated as foo@level02-2.stripe-ctf.com!. Authenticated as foo@level05-2.stripe-ctf.com!
The newline became a space in HTML land, of course.
Back to the main page, and the password is revealed.

Level 6: Streamer

The last of the Ruby/Sinatra puzzles. This is a little “stream of posts” app, built with Bootstrap and jQuery. Once again, I have an automated friend, except now he taunts me over time:
Streamer is soo secure
Yes, we’ll see about that.
Again, his password is the password to the next level. I’m told in advance that his password contains some number of quotation marks and apostrophes, and I can see from the code that any such characters anywhere in any request cause an immediate abort. Lame. I do know that his password appears on the user info page, but of course, only if you’re logged in as him.
XSS and CSRF seem to be no good here; the template is actually escaping things now. (Shame on someone for not making that the default.) But this is the first puzzle with client-side JavaScript. After some useless futzing with bogus usernames, that seems promising.
      var username = "<%= @username %>";
      var post_data = <%= @posts.to_json %>;

      function escapeHTML(val) {
        return $('<div/>').text(val).html();
      }
      function addPost(item) {
        var new_element = '<tr><th>' + escapeHTML(item['user']) +
            '</th><td><h4>' + escapeHTML(item['title']) + '</h4>' +
            escapeHTML(item['body']) + '</td></tr>';
        $('#posts > tbody:last').prepend(new_element);
      }

      for(var i = 0; i < post_data.length; i++) {
        var item = post_data[i];
        addPost(item);
      };
There are only a few places user data gets put in here: the username and the posts. The username is easily breakable, but that only affects me here. The post elements are escaped by the hacky but correct escapeHTML function. So what does that leave?
It leaves JSON.
JSON is structured, yes, but it doesn’t know or care about HTML. After all, the JSON representation of <b> is just "<b>", and the JSON representation of </script> is just "</script>", the one thing that can break out of an inline script tag.
So I can just write a post like this:
</script><script>alert("gotcha");
And the JS will execute.
But wait! I’m not allowed to send any data that contains quotes or apostrophes. This really is super secure!
Unless I make it:
</script><script>alert(String.fromCharCode(103, 111, 116, 99, 104, 97));
And that’s basically the solution. Take advantage of the provided jQuery to fetch user_info on my friend’s behalf, extract the password, and post it as a message. The final trick is remembering to somehow encode the password (as I’m told it also contains quotes); I just url-encoded the whole page and posted that. Easy peasy.
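The fix for the JSON-in-script hole above is to serialise the data so that the characters the HTML parser cares about never reach it as-is. This is an added example, not code from the level; the escape table and the render function are constructed.

```python
import json

# JSON \uXXXX escapes for the characters that matter inside an inline <script>:
# "<" and ">" so "</script>" can never appear, and "&" for HTML contexts in
# general. The browser's JS parser turns "\u003c" back into "<" when it reads
# the literal, so the page's own code sees exactly the original data.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_inline_script(value):
    """Serialise `value` for direct embedding in a <script> block. json.dumps
    alone leaves "</script>" intact, which is the level 6 bug."""
    text = json.dumps(value)  # ensure_ascii=True also escapes U+2028/U+2029
    for ch, esc in _SCRIPT_ESCAPES.items():
        text = text.replace(ch, esc)
    return text


def render_posts_script(username, posts):
    """The template's two interpolations from the level, rendered safely."""
    return (
        "var username = %s;\n" % json_for_inline_script(username)
        + "var post_data = %s;\n" % json_for_inline_script(posts)
    )
```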

Level 7: WaffleCopter

Back to Python, but now we’ve moved on beyond websites: this is an API endpoint. There’s a very simple web interface that tells me my API key and shows a lot of my API requests.
I’m supposed to make a request for a privileged waffle, but requests are signed with my API key. They look like this:
count=1&lat=42.39561&user_id=5&long=-71.13051&waffle=dream|sig:30d0ca71b00bbe5e649628b8a7f2f88f90e17c27
The signature is a SHA1 hash of my API key plus the rest of the request.
So. Now what? The database is solid. There’s no other player here. Surely I’m not supposed to just crack SHA1. Surely.
Well, let’s see. The first thing I notice is that the server code does its own parsing of the query:
def parse_params(raw_params):
    pairs = raw_params.split('&')
    params = {}
    for pair in pairs:
        key, val = pair.split('=')
        key = urllib.unquote_plus(key)
        val = urllib.unquote_plus(val)
        params[key] = val
    return params
This is standard fare, with the lone exception that it doesn’t do anything special to handle multiple values for the same key. But that doesn’t help me; I only know how to sign my own requests, and adding more junk data to those isn’t helpful.
I flail around for a bit. Then I notice this.
@app.route('/logs/<int:id>')
@require_authentication
def logs(id):
    rows = get_logs(id)
    return render_template('logs.html', logs=rows)
This block only lets registered users see API logs, but it doesn’t check which user you are. And sure enough, I can visit /logs/2 and see some requests for privileged waffles! But, alas, nobody has requested the particular waffle I need, which rules out a replay attack. If I could take one of these requests and just run it with a different waffle…! But I cannot.
OR CAN I.
I couldn’t think of anything to attack besides the hash itself. SHA1 has some theoretical weaknesses that make it simpler to attack than mere brute-forcing, but nothing practical, or that I could reasonably be expected to do here.
I do know that SHA1, like many hash algorithms, operates on blocks at a time. I also know that I can add to an existing request, because later keys overwrite previous ones.
And this was enough to shake loose an old memory: you can attack hashes by appending to the message. The googles swiftly told me that this is called a hash length extension attack (creative!). The googles also provided an implementation for SHA1, saving me the trouble of figuring out how to recreate a hash function’s last internal state.
All I need to know is the length of the key—which I have, because mine is the same length—and the hash of my existing message. The attack implementation tacked on a bunch of NULs until the end of the block, tacked on my extra &waffle=liege, and computed a new hash without ever knowing user 2’s key. Chuck it at the API endpoint and I unlock level 8.
That last part ended up being surprisingly painful. I fucked around with curl for at least ten minutes trying to get it to send the request correctly, but it never worked quite right, even using --data-binary and a file. (I had to send literal NULs in the request; the server checks the signature before doing any url-decoding.) In the end I just hacked up client.py to send my forged request instead of computing a real one.
This level is a little unnerving, because the code almost does everything right. Ignoring all but one parameter in the presence of duplicates is reasonable and ubiquitous. SHA1 is still fairly solid. The API log leak was an oversight, but a pretty minor one. And using a hash with a “salt” as a signature sure sounds like it should be reliable. How many people have honestly heard of hash length extension (well, more have now) and will remember to think about it when writing code like this? A few very minor mistakes allowed me to break this application wide open. Imagine if this were a real ordering system; I could use someone else’s request and replace the item and the delivery “address”, then order whatever I wanted.
The Right Thing would be to use HMAC, which is built for exactly this purpose (verifying messages), and which demonstrates once again that you should not ever write crypto code, even if it’s just assembling some stuff to pass to SHA1.
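What the hardened version of level 7 looks like: HMAC instead of SHA1(key || message), a constant-time comparison, and a parser that refuses the duplicate keys the attack relied on. This is an added example, not the level's code or Stripe's; the API key, the function names and the `|sig:` framing follow the request shown above but are constructed here.

```python
import hashlib
import hmac
from urllib.parse import unquote_plus

# Constructed key for the example; in the level every user has their own.
EXAMPLE_API_KEY = b"example-key-not-from-the-page"


def parse_params_strict(raw_params):
    """The level's parse_params with two extra refusals: a malformed pair and a
    repeated key are errors, so a later `&waffle=liege` can never override an
    earlier `waffle=dream`."""
    params = {}
    for pair in raw_params.split("&"):
        if pair.count("=") != 1:
            raise ValueError("malformed pair: %r" % pair)
        key, val = (unquote_plus(part) for part in pair.split("="))
        if key in params:
            raise ValueError("duplicate parameter: %r" % key)
        params[key] = val
    return params


def sign_naive(api_key, raw_params):
    # The level's scheme, SHA1(key || message): the digest is the hash's full
    # internal state after the message, so anyone can keep hashing from there.
    return hashlib.sha1(api_key + raw_params.encode()).hexdigest()


def sign_hmac(api_key, raw_params):
    # HMAC runs the key through the hash twice; its output is not a resumable state.
    return hmac.new(api_key, raw_params.encode(), hashlib.sha1).hexdigest()


def make_request(api_key, raw_params):
    return "%s|sig:%s" % (raw_params, sign_hmac(api_key, raw_params))


def verify_request(api_key, request):
    """Return the parsed parameters, or None if the signature or syntax is bad.
    As on the page, the signature is checked over the raw text before decoding."""
    raw_params, sep, sig = request.rpartition("|sig:")
    if not sep or not hmac.compare_digest(sign_hmac(api_key, raw_params), sig):
        return None
    try:
        return parse_params_strict(raw_params)
    except ValueError:
        return None
```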
It’s kind of funny that the code I found came from another sec challenge, though.

Level 8: PasswordDB

The final boss. I was the third player to get this far.
A Python app, again. But not Flask. No, not Flask, because it doesn’t even have a real Web interface. It speaks HTTP, but it only takes a JSON blob and spits one back out at you.
No, no, not Flask. This is Twisted.
Awesome.
Here’s the deal: they wrote a service that acts as a little password vault for the final password. It listens on HTTP for a JSON blob containing a possible password, and either confirms or denies that the password is correct. As a helpful secondary feature, I can also provide a list of host/port pairs for it to ping (“webhooks”) with the same response it gives to me, so this service can be used for remote authentication or something.
There is no database. There is no JavaScript, no HTML. The password isn’t even stored in the primary service: it’s broken into four pieces and given to four other processes, then forgotten. When the master service gets a request, it breaks the given password into four chunks, connects to the other processes one at a time via TCP, and checks that each chunk is valid. As soon as a chunk is reported invalid, the master service stops trying and reports a failure to the client.
As a clue, the description emphasizes that level 2 is not correctly firewalled, and lets slip that it even has sshd running. Which is nice, because the master service once again only connects to other machines in the Stripe network.
And that’s all I get.
Hmmmmm.
I freely admit I spent the rest of the afternoon and evening puzzling over this. I downloaded it, I ran it locally, I found nothing. I consulted blackhat friends and Twisted expert friends. Nothing. Even after they started sprinkling hints (explicitly mentioning the version of Twisted, emphasizing it was not a timing attack), the best I could find was… er… a timing attack. Which didn’t work. I read over Twisted’s changelog half a dozen times looking for something, anything, that could make a crack of a difference.
The webhooks were useless; they just received the same information I did. The sshd was useless, because it was only useful for using the webhooks. The JSON encoding and decoding was solid. I found a way to discover what ports the four side processes were bound to, but they were all bound to localhost, so that wasn’t helpful. All I could think of was getting onto the actual machine and looking at the argv for the children, because that’s the only place the password still existed. And that wasn’t really keeping with the spirit of this contest.
It wasn’t until late at night that the first player beat level 8, knocking me down to fourth on the leaderboard. Stripe released yet another hint: they’d changed the app slightly, so logged output would include the host and port instead of just an incrementing request id. Still no idea. It was clearly reasonable to brute-force one chunk at a time—the password was a 12-digit number, so this required only 4000 guesses—but there was no way to target only a single chunk.
I slept on it.
I woke up from dreams of networking. Clearly it had to be the webhooks, but those didn’t send any useful information. I joined #level8 at the suggestion of a coworker, but only a few people had figured out the trick, and they weren’t saying anything helpful.
If the webhooks weren’t revealing anything directly, it had to be a side channel attack. It absolutely, definitely wasn’t a timing attack. So what else would a TCP connection reveal?
As a last resort, talking out loud helps. I was convinced the chunk servers’ bound ports were still important, somehow.
11:22 < subleq> i am completely stuck
11:22 < eevee> i am also lacking inspiration
11:23 < hm_> does chunk_Server ports matter ?
11:23 < eevee> i have ssh and nc and webhooks and my ports but these things do not go together usefully.  i am missing something
11:24 < hm_> i have chunks ports.. but i dont see how it matters in the method i m trying now
11:24 < trevis_> i would venture to say that ports dont really matter, at least with my approach
11:24 < eevee> i assume getting the ports was where the twisted version hint came from
11:24 < eevee> oh really
11:24 < trevis_> i have a working local, but remote fails pretty hard
11:25 < hm_> me too
11:25 < hm_> local find the chunks in minutes.. remote has lot of noise
11:25 < subleq> what noise?
11:25 < trevis_> remote, im barely even able to get requests out now it seems
11:25 < subleq> it can't be time, i can't measure a difference in time even locally
Ports, ports, ports. I better hurry if the server is already overloaded. Ports, ports, ports.
Ports…
11:26 < eevee> wait
11:26 < eevee> oh no
11:26 < eevee> oh no i think i get it
11:26 < eevee> oh fuck
I’ve never had IRC logs of a flash of inspiration before.
Ports.
It is common knowledge that services listen on a port. Web servers, for example, tend to listen on port 80. Most people who would describe themselves as computer-literate are, at least, dimly aware of this.
Slightly less common knowledge is that when you connect to a server, you use a port as well. But it’s not a fixed, known port like 80; it’s just some random-ass big number. When the server responds to you, it sends the response to this port, called an ephemeral port (because it’s released as soon as the connection ends). I imagine most people who’ve done much networking know this, but nobody really thinks about it because it’s almost always handled automatically by very low-level networking code.
I performed a quick comparison.
With the latest Twisted, 12.something, the client ports used to connect to the chunk servers are effectively random. Not useful at all. With the Twisted version Stripe specified in their very first hint, the client ports are consecutive.
And that, my friends, is the exploit.
Allow me to illustrate.
  • I ask if the password is 111222333444.
  • The master server breaks it up into four chunks: 111, 222, 333, 444.
  • The master server asks the first chunk server if its chunk is 111. This requires an ephemeral port, say, 50000.
  • The chunk server responds with yes.
  • The master server asks the second chunk server if its chunk is 222. Now the ephemeral port is 50001.
  • This chunk server responds with no.
  • The master server stops trying and dutifully tells me no.
The master server tested two chunks in the process of checking my password, and it used up two ports. If I turn around and immediately check a password again, it’ll use ports 50002 and 50003.
Okay, that’s neat, but doesn’t tell me anything, because I can’t see those ports.
Oh wait I totally can! I SSHed into the level 2 server, left running a crappy little Python script that listened on a socket and printed out the client port used to connect to it, and tried the above again with a webhook pointed at my script.
Now the sequence of events is:
  • I try 111222333444.
  • The master server asks the first chunk server if its chunk is 111. This uses port 50002. Chunk server says yes.
  • The master server asks the second chunk server if its chunk is 222. This uses port 50003. Chunk server says no.
  • The master server stops trying and decides no. It contacts my webhook to say no. This uses port 50004, which I can see. Then it tells me no as well and stops.
Now, if I immediately try the same password a second time, I know two ports that were used: 50004 and 50007. That’s three used for the request, which means two chunk servers were contacted, which means the first chunk must be correct.
Thus it’s possible to bruteforce, one chunk at a time. I wrote a script to do this, sending off a request to the server, ignoring the response, and immediately listening for a webhook.
There’s a slight wrinkle here, because other people are also using the same machine, and they’re chewing up client ports too. So getting a delta of 3 doesn’t mean the first chunk must be right; only that it could be right. It could also be wrong, but something else could have used a port in the interim. On the other hand, if the delta is 2, then the master server can only have contacted one chunk server and immediately given up, so the first chunk must be incorrect.
To be reasonably confident, I decided that several deltas of 3 with no deltas of 2 for the same chunk means it’s probably correct.
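The port-delta oracle and the confirmation heuristic above, as a self-contained simulation (an added example, not the level's service or the author's script). The master, the consecutive ephemeral ports and the other tenants are modelled in one class; for the demonstration to be deterministic, the neighbours' traffic is periodic rather than random, which is a constructed assumption.

```python
class Level8Sim:
    """Toy model of the level 8 setup: a master checks a 12-digit password in
    four 3-digit chunks, stops at the first wrong one, and opens one outgoing
    TCP connection per chunk check plus one to the webhook. Ephemeral ports are
    consecutive (old Twisted), and the counter is shared with other tenants."""

    def __init__(self, password, noise_period=0):
        assert len(password) == 12 and password.isdigit()
        self.chunks = [password[i:i + 3] for i in range(0, 12, 3)]
        self.next_port = 50000
        self.noise_period = noise_period  # 0: quiet box; n: a neighbour connects before every nth request
        self.requests = 0

    def _connect(self):
        port = self.next_port
        self.next_port += 1
        return port

    def check(self, guess):
        """Return (answer, webhook_port): what the client and the webhook see."""
        self.requests += 1
        if self.noise_period and self.requests % self.noise_period == 0:
            self._connect()                  # somebody else used a port in between
        ok = True
        for real, mine in zip(self.chunks, [guess[i:i + 3] for i in range(0, 12, 3)]):
            self._connect()                  # one connection to a chunk server
            if real != mine:
                ok = False
                break                        # master gives up at the first bad chunk
        return ok, self._connect()           # connection to the webhook: the visible port


def recover_chunk(sim, known, index, confirmations=3):
    """Recover chunk `index`, given the `index` chunks before it, from webhook
    port deltas only. A wrong guess costs index+1 chunk connections plus the
    webhook, so a delta of exactly index+2 proves it wrong; a larger delta means
    the master got past this chunk, or a neighbour used a port. As on the page,
    `confirmations` larger deltas in a row with no refutation counts as correct.
    For the last chunk the service's own yes/no answer is all that is needed."""
    rest = "000" * (3 - index)               # filler for the chunks after this one
    refute = index + 2
    _, last_port = sim.check(known + "000" + rest)   # reference webhook port
    for n in range(1000):
        guess = "%03d" % n
        candidate = known + guess + rest
        if index == 3:
            ok, last_port = sim.check(candidate)
            if ok:
                return guess
            continue
        hits = 0
        while hits < confirmations:
            _, port = sim.check(candidate)
            delta, last_port = port - last_port, port
            if delta == refute:              # stopped at this chunk: definitely wrong
                break
            hits += 1                        # consistent with correct (or noise)
        else:
            return guess
    return None


def recover_password(sim, confirmations=3):
    known = ""
    for index in range(4):
        chunk = recover_chunk(sim, known, index, confirmations)
        if chunk is None:
            return None
        known += chunk
    return known
```

With a neighbour connecting before every third request, a wrong guess can never produce three undisturbed deltas in a row, so three confirmations are exactly enough; with random neighbours, as on the real box, the heuristic is probabilistic and the author's "sloppy" misses are what that looks like.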
I let it run, and gradually cracked some chunks. Only a few people had finished level 8 when I started, but an hour or so later I was barely a third done, and the leaderboard was rapidly filling up. I ended up racing someone else on IRC for the very last slot on the first page (which was the only page at the time): I’d been sloppy and missed the correct second chunk, he’d been sloppy and done similar, and he was using Go versus my Python. For the last chunk I bruteforced against the app from my own machine, not bothering to check for ports, and I ended up running curl in a loop in eight terminals, each one trying a different first digit, and crossed my fingers as he rapidly caught up. The curls started finishing, still with no answer, and I was starting to freak out when I finally got my last chunk of 882. (Ugh.) I captured the flag and, as tradition requires, performed the engineer’s victory dance.
You can see my terrible script if you so desire. (There’s also a list of solvers.) I am so sorry for the tabs. The level 2 machine didn’t have my .vimrc and I was in a hurry. Please don’t think less of me.
I don’t know if level 8 even has a real moral. This is so obscure I can’t even find where Twisted mentions changing it, and it was a very specific set of circumstances that let me crack the password.

End

This was a ton of fun, and mad props to Stripe for setting it up (again!). I kinda regret not even trying the first one, and I certainly look forward to the third. :)

TextAloud


Top Five Features:

  1. Text ALOUD software is used to convert text into spoken audio. People who do not like to read can just download this software and, after converting the data to audio, they can listen. It will reduce eye stress as well.
  2. Text that is converted to audio can be listened to on your PC and can be created as MP3 or WMA files for use in portable devices like iPods, MP3 Players, CD Players and PocketPCs. This can reduce the time spent on machines and enables you to listen while travelling.
  3. This software consists of advanced pronunciation tools. This can increase our pronunciation skills without going to any institutes or using any other software.
  4. This software has optional premium voices for a wide variety of accents and languages.  Many famous voices are also present. This feature can enhance listening skills and enhance the talent of mimicry.
  5. Text Aloud is used by Windows users and also Mac users. Toolbar plug-ins for Internet Explorer, Firefox, and Outlook are also available so you do not have to waste any time.
Ease Of Use:
  1. It is easy to download and work on without any effort.
  2. This site provides demos with three options - .exe, Flash and Java. You can look into that for understanding of the software and a quick view of it all.
  3. Text Aloud software is very easy to use. Just click on the speak button and it will convert text to speech. Users need no prior technological knowledge. 
Help And Support: The developer offers many support features, such as FAQs, an email facility and tutorials. These things can be effectively used to find out all about the software so that you can use it effectively.
The top three reasons to choose Text Aloud:
  1. If you do not want to read eBooks, Newspapers, mails or any other documents then download Text Aloud software and convert it to audio so that you can listen to it.
  2. It is best used for clarity and can save time when reading the whole document.
  3. If you are visually impaired then you can still read using this tool.
Summary:
Text Aloud is a great product to use. It is time saving software that reads text from email, web pages, reports and more aloud on PC. This is used to create MP3 or WMA files for playback on iPods, MP3s or TV.
The 3 most important features to look for when you download Text Aloud software:
  1. Text ALOUD software is used to convert text into spoken audio. People who do not like to read can just download this software and, after converting the data to audio, they can listen. It will reduce eye stress as well.
  2. Text that is converted to audio can be listened to on your PC and can be created as MP3 or WMA files for use in portable devices like iPods, MP3 Players, CD Players and PocketPCs. This can reduce the time spent on machines and enables you to listen while travelling.
  3. This software consists of advanced pronunciation tools. This can increase our pronunciation skills without going to any institutes or using any other software.
The best Text Aloud software features:
  1. People that do not like to read can just download this software and, after converting the data to audio, they can listen instead.
  2. It has advanced pronunciation tools.
  3. It reduces stress because anything can be heard as an audio file.

Able Reader and AT Natural Voices




Top Five Features:

  1. This product consists of exciting new Natural Voices from AT&T Labs. We can get these voices on individual PCs and experience text-to-speech quality that was previously available only in a server-based environment. As this software has many natural voices, anyone in the field of imitation can use this to enhance his or her bright future.
  2. We can purchase this product online, which provides options for two types of customer. 1. Previous customers and 2. First time customers. This can help individuals to choose the correct one by going straight to it for downloading, which can also decrease the time spent on selecting the voices.
  3. To find out more about the quality of AT&T Natural Voices, you should know that the site provides many famous voices. The sample voices provided can be accessed in either WAV or MP3 format. This made it easy to check the quality of voice with a single click on the links to audio files. This will launch the PC’s default media player and allows samples of the text to speech program to be heard, such as Text Aloud.
  4. Able Reader and AT&T Natural Voices software is compatible with all versions of Windows, from Win98 to Vista. The system requirements are also minimal - a 300 MHz Processor w/ 128mb RAM and 500MB Free Disk Space (16 kHz versions require 1GB Free Disk Space). This means it is helpful to have an ordinary PC.
  5. A 30 days money back guarantee is also available for this software. This will show how good the software is.

Ease Of Use:

  1. Easy to download and work on without much effort.
  2. We can easily get natural voices selected in the software we use, including Text Aloud, Weather Aloud, News Aloud and Stocks Aloud.
  3. Very user friendly if you want to select any voice to listen to.

Help And Support:

The company offers many support features, such as FAQs for frequently asked questions, email facilities to write to the company about any doubts or technical problems, and finally several tutorials. These are mainly used to learn more about the software so that you can use it effectively.
The top three reasons to choose Able Reader and AT&T Natural Voices:
  1. By using Natural Voices, we can listen to many natural voices from famous personalities
  2. It allows you to imitate famous voices.
  3. It is easy to download and can be used in WAV or MP3 formats.

Summary:

The top 3 reasons to get Able Reader and AT&T Natural Voices software:

  1. By using Natural Voices, we can listen to many natural voices of famous personalities.
  2. It allows you to imitate famous voices.
  3. It is easy to download and makes use of both WAV and MP3 formats.
To read email, web pages, reports and more aloud on a PC with natural voices using Text Aloud, we need AT&T Natural Voices for better natural voices from famous characters. This is used to create MP3 or WMA files, which can be used as playback for iPods, MP3s or TV. This is one of the most user friendly software packages.

The 3 most important features to look for when you download Able Reader and AT&T Natural Voices Software:

  1. This product consists of exciting new Natural Voices from AT&T Labs. We can get these voices on individual PCs and experience the text-to-speech quality previously available only in a server-based environment. As this software has many natural voices, anyone in the field of imitation can use this.
  2. We can purchase this product online, which provides options for two types of customer. 1. Previous customers and 2. First time customers. This can help individuals to choose the correct one by going straight to it for downloading, which can also decrease the time spent on selecting the voices.
  3. To find out more about the quality of AT&T Natural Voices, you should know that the site provides many famous voices. The sample voices provided can be accessed in either WAV or MP3 format. This made it easy to check the quality of voice with a single click on the links to audio files. This will launch the PC’s default media player and allows samples of the text to speech program to be heard, such as Text Aloud.

Power Text to Speech Reader



Top Five Features:

  1. Power Text to Speech Reader software is used to convert text into spoken audio. People that do not like to read can just download this software and, after converting the data to audio, they can listen. It will reduce eye stress as well. This can open and read the Word, PDF, Email, RTF and HTML files directly.
  2. Text that is converted to audio can be listened to on a PC or can be created as MP3 or WAV files, which can be uploaded to portable devices like iPods, MP3 Players, CD Players and PocketPCs. This can reduce the time spent on machines and you can listen while travelling. The "Output Sample Frequencies" and "Output Bitrates" options allow you to make a choice between the quality and the size.
  3. Supports multiple languages including American English, British English, Spanish, Dutch, French, German, Italian, Portuguese, Japanese, Korean, Russian, and so on.
  4. This software has optional premium voices for a wide variety of accents and languages.  Many famous voices are also present. This feature can enhance listening skills as well and can also enhance the talent of mimicry.
  5. Just like an alarm clock, the Power Text to Speech Reader can announce the time to you at designated intervals, depending on your settings.
Ease Of Use:
  1. It is easy to download and work on without the need to put in any effort.
  2. Power Text to Speech Reader can monitor the Windows clipboard and automatically process its contents. This feature makes it easy to read web pages, e-mail messages, documents and much more.
  3. Power Text to Speech Reader software is very easy to use. One click of a button and it will convert text to speech. No prior technological knowledge is required.
Help And Support: The designer offers many support features, including FAQs, email facilities and other forms of help as and when you need them. These mainly help to teach you more about the software so that you can use it effectively.
The top three reasons to choose Power Text to Speech Reader:
  1. If you are not interested in reading eBooks, newspapers, mails or any other items then you can download the Power Text to Speech Reader software and convert it to audio so that you can listen instead.
  2. It is best used for clarity problems and is also time saving because you do not have to read the whole document.
  3. If you are sight impaired then you can really use this to “read” anything you like.
Summary:
The top 3 reasons to get Power Text to Speech Reader Software:
  1. If you are not interested in reading eBooks, newspapers, mails or any other items then you can download the Power Text to Speech Reader software and convert it to audio so that you can listen instead.
  2. It is best used for clarity problems and is also time saving because you do not have to read the whole document.
  3. If you are sight impaired then you can really use this to “read” anything you like.
The 3 most important features to look for when you download Power Text to Speech Reader software:
  1. Power Text to Speech Reader software is used to convert text into spoken audio. People that do not like to read can just download this software and, after converting the data to audio, they can listen. It will reduce eye stress as well. This can open and read the Word, PDF, Email, RTF and HTML files directly.
  2. Text that is converted to audio can be listened to on a PC or can be created as MP3 or WAV files, which can be uploaded to portable devices like iPods, MP3 Players, CD Players and PocketPCs. This can reduce the time spent on machines and you can listen while travelling. The "Output Sample Frequencies" and "Output Bitrates" options allow you to make a choice between the quality and the size.
  3. Supports multiple languages including American English, British English, Spanish, Dutch, French, German, Italian, Portuguese, Japanese, Korean, Russian, and so on.
The best Power Text to Speech Reader software – our top 3 choices:
  1. Multi language support.
  2. Can be imported to devices like iPods, MP3 Players, CD Players and PocketPCs.
  3. If you are sight impaired then you can really use this to “read” anything you like.

6 Ways To Make SEO Your Company's Second Nature



It's important for an in-house SEO to recognize that your job is not to do or handle SEO for the entire organization. Taking the view that SEO is your responsibility and yours alone will mean you stay siloed, away from the rest of the organization, which ultimately will impact your ability to be effective. Instead, as in-house SEOs it's our job to make sure that search engine marketing happens, whether it's done by us or by other people in the company.
To accomplish this we need to incorporate SEO into the day-to-day business of the company. Unless you can be everywhere at once, sooner or later a big project is going to come along that gets way too far in the development process before you even find out about it – and that's when SEO-unfriendly site changes get implemented before your very eyes. Only by operationalizing SEO, by making it part of the way everyone who touches the website goes about their business, can we ensure success. In this model, you grow from being the person who does SEO to a subject-matter expert and the curator of a company-wide effort toward better digital marketing. Here are 6 ways to operationalize SEO:
1. Make SEO Goals Part of the Annual Review/Goal-Setting Process for Relevant Staff.
Work with your team members to get SEO initiatives included in the goal-setting process. This might be something like increasing inbound links for your PR team, or lowering site load time for your dev team. People are much more likely to work toward SEO goals if they're common goals that are fully incorporated into their job tasks, rather than favours you ask them to do in addition to their regular duties.
2. Update Your Processes and Documentation to Include SEO Tasks.
Whenever possible, you should be trying to make SEO-related tasks as repeatable, scalable and template-driven as possible. That means working to integrate SEO considerations into existing processes whenever you can, rather than adding another set of processes on top. To make sure changes last, update documentation as well.
3. Add SEO Targets to Statements of Work.
Just like with internal staff, vendors and consultants are much more likely to follow through on SEO tasks if they're tied to how performance is measured. Spell your deliverables out in statements of work so everyone's clear on what's expected.
4. Add SEO KPIs to Team Reports.
Anyone who's been on a diet can tell you that what gets measured gets improved. Making other teams responsible for relevant SEO metrics, and getting those metrics included in their regular reports, gives teams clear goals to shoot for, consistent reminders of what we're trying to accomplish, and a sense of ownership of the SEO KPIs they touch. For the dev team, these metrics might be something like page speed or number of errors. For the copywriting team it might be the percentage of pages with unique content.
5. Educate, Educate, Educate!
It's your job to be the voice of SEO during project planning, to make sure important elements aren't overlooked. Like I said earlier, though, you can't be everywhere. Regular education empowers other team members to consider the SEO impact of projects that get introduced when you're not around. You don't have to teach every team everything about SEO. Instead, hold regular meetings (it's nice if you can throw in some free lunch) and present team-specific training around the SEO best practices that are most likely to affect that team. Keep everyone updated on the latest search engine trends and the state of your site's SEO overall. Over time, the entire team will be better equipped to make SEO-friendly decisions around the site.
6. Become an Honorary Member of the IT/Development Team(s).
An in-house SEO usually sits on the Marketing team, and that's appropriate. But the IT and Development teams have an absolutely huge impact on the website. Become an honorary member of those teams. You don't have to go to all their meetings, but drop in to a planning or prioritization meeting once a month or so. It's the best way to get the inside scoop on what they're up to and provide an SEO-focused perspective; it's also the best way to gain insight into their goals and struggles. Helping your co-workers achieve their goals is the best way to get them to help you achieve yours (a well-placed round of drinks or two doesn't hurt either).
The more you can get your entire organization working toward SEO perfection, the more successful you'll be. Doesn't that sound better than trying to do it all by yourself?

Yesware – A Sales Tool To Aid Your Link Building




Over the past year or so you have probably noticed that link building is getting tougher. Gone are the days (well, nearly) when a list of directories and other low quality tactics are going to get you the traction you need in the SERPs – and rightly so.
No matter whether you are working on your own site, work in house or are part of an agency you need to start stepping up your game. You need to move away from the idea of 'building links' and more towards the idea of 'earning links' by doing #RCS.
The problem with this is it takes time. It takes time to implement. It takes time to come to fruition.
Instead of taking short cuts on the links you build, you need to get smarter on how you go about it.
And that is where Yesware can help you.

The good folks at Yesware describe their product this way:

Email for Salespeople.
Track emails, create templates, CRM sync, & more.
  • Find out who opens your emails and clicks on your links.
  • Email templates help you say the right thing, real fast.
  • Sync emails to your CRM with one click.
  • Get insights into your email with reports.
A sales tool? A sales tool to assist your link building?
Your link building mindset has to change if you are going to survive Google's new stance on links and anchor text. The animal apocalypse is well under way and there have been plenty of casualties. Your new mindset needs to think past quick wins: you need to be building relationships, creating partnerships, fostering creativity and thinking long term. You need to be investing in creating the best content in your niche, blogger outreach, real PR and doing what companies did before the Internet came along and convinced us all that everything had to happen right now.
The best link builders have long known that hustle and thinking outside the box are the keys to long term success. Some have even pointed out that link builders should be thinking like salesmen. So dust off that old Robert Cialdini book, learn a thing or two about creating persuasive emails, fire up Yesware and start providing value.

So what is Yesware?

Essentially it is a free Gmail plug-in that helps you track email opens and create templates for quick responses. When building links it can be indispensable for saving your precious time and working out which relationships you should spend more time on.

So show me how it will help me

After activating you will see a little box in your Gmail dashboard. When you first turn it on you are going to need to send a test email to make sure that everything is tracking nicely. After that you can track every email you send to see whether the recipient opens the email, where they open it and using what device.
It looks like this:
the yesware box

This shows the last email that was opened. By clicking the red box with the mail symbol you can expand the box for a more detailed analysis on who has opened your emails (and at a glance which subject lines appear more successful).
yesware box expanded
If you are more of a visual person you can see your progress as a map or as a chart – nice!
yesware map
yesware chart
If this was all that Yesware could do you would be pretty happy (it's free for 100 tracks, and very reasonably priced after that). It actually has other features that will prove essential in your link building and blogger outreach efforts.

Tell me about the templates

We all know that when building relationships that are going to form part of your link building plan that you shouldn't be sending out form letters. That doesn't mean that you can't have a range of easily customisable templates that will save you time when you are contacting a number of people.
Let's say, for example, that you are approaching a number of sites for potential guest post opportunities. You are likely to need a number of templates to make the whole process quicker:
  1. A customisable 'approach' email – allowing for personalisation but containing your core message
  2. A customisable 'here's your post that you wanted to see' email
  3. A 'thanks for putting my post up – can I do anything else' email
  4. A 'did you read my post that I sent over' reminder email
In the example below you can see a couple of these templates in action – this box appears when you compose or reply to an email.
email templates in yesware
There are a couple of things going on in this picture, so allow me to elaborate.
  • The prospecting button is clicked which means it is showing me the templates that I have added to this section (you will see the templates are broken down into the sales process).
  • There are three templates in this example (2,3 and 4 from my list above – these guys got lovely intro emails!!)
  • To the left you can see there are three numbers; these are the open rates (my reminder email has an open rate of 100%; reminders are important! The template with the post attached has an 84% open rate, which means I have a couple to chase up. My thank you email has a much lower open rate, as expected, but lets me know that these are potentially relationships that I should foster.)
  • You will also see that track button is checked.
  • The two buttons are Use (for choosing a selected template) and the blue button is Share (for sharing templates with your link building buddies).
Pretty useful, right?
If you are driven by a sales like mentality you can even set yourself goals to make sure that you are consistently reaching targets and creating more valuable relationships.
goals in yesware
When you add into the equation that Yesware has some rather nice dashboards that you can log into on their actual site as well – you have a piece of software that is perfect for helping you keep track of the success of your outreach and relationship building.
template report
If you liked this, you'll love 6+ Best Link Building Tools That Help Your Organize and Track the Mess

Making your JMeter tests timeless.




At work, we use Apache JMeter for load testing applications or APIs we build.
JMeter is an amazing open source tool with an even more amazing community behind it, so if you’ve never used it, you are surely missing out on a great piece of software.
Anyway, one thing that used to annoy me a bit was the fact that when creating tests for APIs, I’d sometimes need to pass in dates.
So imagine the following case:
You’re testing that your API can create a new book in your bookstore for a specified date, but the business rules imply that you can only create a new book with a release date in the future.
If I had hard coded this to a date in the near future, I would then need to update it at some point as to always make sure my dates really were in the future.
I could also put a date very far in the future, but my business rules again dictate that I can only pass in dates up to 60 days in advance, so I’d end up having to update my tests in about two months or so.
Come the user defined variables:
With JMeter, you can create “user defined variables” (add -> config element -> user defined variables) and assign values to them. Those values can be computed with JavaScript, so you could create a variable there that always defaults to today’s date plus a given number of days (in this example anything that didn’t exceed 60 days).
JMeter - User Defined Variables
The code for your user defined variable would look like this:
${__javaScript(var d=new Date();d.setDate(d.getDate() + 60); var date=d.getDate(); var month=d.getMonth()+1; $DATE=d.getFullYear() + "-" + (month<10?"0"+month:month) + "-" + (date<10?"0"+date:date);,DATE)}
What it does is simply create a new date, add 60 days to it, and then format it as “yyyy-mm-dd”. You could change the number of days and format easily by moving things around.
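The same idea as a reusable function, written here as an added example rather than the post's own gist. It is plain ES5 so the function body can be pasted into JMeter's __javaScript function (which runs on a Java-hosted JavaScript engine) or run under Node. The names futureDate, isWithinWindow and MAX_DAYS_AHEAD are my own; the 60-day limit is the business rule described in the post. Unlike the one-liner above, it computes in UTC so the result does not depend on the timezone of the load generator, and it fails loudly when the requested offset would violate the rule, which is what you want from test data rather than a request the API silently rejects.

```javascript
// Added example (not from the original post): build a JMeter-friendly
// "yyyy-mm-dd" date a fixed number of days ahead of a reference instant.

// The post's business rule: release dates may be at most 60 days ahead (assumed constant name).
var MAX_DAYS_AHEAD = 60;

// Zero-pad a number to two digits ("7" -> "07").
function pad2(n) {
  return n < 10 ? "0" + n : String(n);
}

// Return "yyyy-mm-dd" for `daysAhead` days after `nowMillis` (defaults to
// the current time). Computed in UTC so the value is the same on every
// machine that runs the test plan. Throws when the offset would break the
// business rule, so a mistyped offset fails the plan instead of producing
// a request the API rejects for an unrelated-looking reason.
function futureDate(daysAhead, nowMillis) {
  if (typeof daysAhead !== "number" || daysAhead < 0 || daysAhead > MAX_DAYS_AHEAD) {
    throw new Error("daysAhead must be between 0 and " + MAX_DAYS_AHEAD);
  }
  var d = new Date(nowMillis === undefined ? Date.now() : nowMillis);
  d.setUTCDate(d.getUTCDate() + daysAhead); // Date rolls over month and year for us
  return d.getUTCFullYear() + "-" + pad2(d.getUTCMonth() + 1) + "-" + pad2(d.getUTCDate());
}

// The inverse check, usable from a JSR223 assertion on the request body the
// plan actually sent: is `dateStr` a well-formed date within
// [0, MAX_DAYS_AHEAD] days of `nowMillis`?
function isWithinWindow(dateStr, nowMillis) {
  var m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(dateStr);
  if (!m) return false;
  var then = Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3]));
  var today = new Date(nowMillis);
  var todayMidnight = Date.UTC(today.getUTCFullYear(), today.getUTCMonth(), today.getUTCDate());
  var days = (then - todayMidnight) / 86400000;
  return days >= 0 && days <= MAX_DAYS_AHEAD;
}

// Stand-alone demo under Node: the 2 September 2012 reference instant is a
// constructed value chosen so that +60 days lands on 2012-11-01.
if (typeof require !== "undefined" && require.main === module) {
  console.log(futureDate(60, Date.UTC(2012, 8, 2)));
}
```

In the user defined variable you would keep only the futureDate body and pass DATE as the second argument of __javaScript, exactly as in the post's one-liner; the isWithinWindow check is the assertion side, so a plan can catch a release date that drifted out of range before the API does.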
A sample request would then look something like this:
<book>
 <name>The Magic Book</name>
 <isbn>0123456789</isbn>
 <category>children</category>
 <release>${DATE}</release>
</book>
Which would generate a request as such:
PUT http://my.api.com/v1/books/add
PUT data:
<?xml version="1.0" encoding="UTF-8"?>
<book>
 <name>The Magic Book</name>
 <isbn>0123456789</isbn>
 <category>children</category>
 <release>2012-11-01</release>
</book>
And with that, your tests become timeless, as you can run them whenever you like without having to worry about updating dates.

Researchers: Java Zero-Day Leveraged Two Flaws




New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.
Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.
“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”
ONE BILLION USERS AT RISK?
How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7? (All versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions.)
To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

EXPLOIT WORKS AGAINST OS X, LINUX
Not long after news broke that miscreants were exploiting an unpatched security hole in Java to break into PCs, I began seeing tweets from non-Windows users urging people to switch to Mac OS X or Linux. Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems.
According to Rapid7, the Java exploit found being used in targeted attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a free software tool built to test the security of networks. Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04.
WHO BURNS THROUGH TWO-ZERO DAYS IN ONE SHOT?
On Monday, I interviewed the author of the BlackHole exploit kit, an extremely popular software package sold in the underground that is designed to be stitched into hacked sites and use browser exploits to drop malware on visiting PCs. The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit, but said he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground.
This stats page, shared by researchers at Seculert, comes from a working BlackHole exploit panel. The success rate of this kit — 21 percent — is roughly double the normal rate thanks to the inclusion of this Java zero-day.
But lost in all of the coverage of this vulnerability is the growing body of evidence suggesting this Java exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets. So who burns through two zero day flaws to execute a targeted attack? In all likelihood, an individual or group motivated by a non-materialistic ideology, or at least a certainty that what will be gained is worth far more than the vulnerability itself.
Experts at Silicon Valley-based AlienVault published an analysis that highlighted some interesting text strings in the exploit (“xiaomaolv” and “conglaiyebuqi”) which suggest the initial attacks were paired with Chinese crimeware known as the Gondad Exploit Kit.
Other curious markers in the exploit code indicate that the targeted attacks were carried out using Internet servers that have been connected with other targeted espionage attacks traced back to Chinese threat actor groups. Among the control servers used in this latest attack was “domain.rm6.org,” an Internet address that played a central role in the Nitro attacks of 2011, which according to Symantec and other security firms was a series of Chinese-based espionage attacks directed against at least 48 chemical and defense companies.
Unfortunately, the miscreants involved in these targeted attacks have been finding success using the same resources and tools since 2010 and earlier. That’s according to a presentation given in 2010 by exploit and malware researchers Val Smith and Anthony Lai, called “Balancing the Pwn Deficit” (PDF).
The paper details the history and methods of Chinese hacking groups, and notes that the two strings found in the most recent Java exploit are a favorite invocation for script variables that are re-used in various attack tools of Chinese origin. The terms “xiaomaolv” and “conglaiyebuqi” and several others used, they found, come from lyrics from songs by the artist known as Jay Zhou.
“The fact that there are embedded song lyrics, potentially tells us several things,” they wrote. “One, it helps to confirm that this attack was created in the geographic region assumed. It is unusual for attackers from one country and language, to take lyrics from a popular song in another country and language and embed them in their attacks.”
PATCH AVAILABLE?
As I noted earlier this week, Oracle has moved Java to a patch cycle of every four months, and its next security update is not scheduled until October. On Tuesday, I contacted Oracle to find out if they intended to address this problem separately before then, but I have not yet received a response. Nor could I find any mention of this problem on any of the various Java blogs that Oracle inherited when it took control of Java from Sun a few years ago. In fact, most of those Java blogs seem to have gone missing.
In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.
Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

Attackers Pounce on Zero-Day Java Exploit




Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.
A Metasploit module developed to target this Java 0-day.
News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino and Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.
Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.
Oracle is not scheduled to release another security update for Java until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
For browser-specific instructions on disabling Java, click here.
If you must use Java, security experts are prepping an unofficial patch for the program that should blunt this vulnerability, but it is being offered on a per-request basis at this point. A number of experts I know and respect have vouched for the integrity of this patch, but installing third-party patches should not be done lightly. Note that regressing to the latest version of Java 6 (Java/JRE 6 Update 34) is certainly an option, but not a very good one either. If you do not need Java, get rid of it, and if you do need it for specific applications or sites, limit your use of Java to those sites and applications, using a secondary browser for that purpose.

Dropbox Now Offers Two-Step Authentication
Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.
Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting a security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.
If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted, open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Note that Dropbox users will need to download the latest version of the Dropbox client (1.4.17 on Windows/Mac) to access their files via the Dropbox desktop software interface after enabling two-step authentication.
Some readers have asked which method of two-step verification is more secure: Text message or mobile app? Text messages are perhaps faster and easier, but they introduce yet another potential avenue of compromise: The mobile provider. In a recent attack against the chief executive of Cloudflare, for example, miscreants were able to break into the executive’s Gmail account even though he had instructed Google’s 2-step verification feature to send codes to his phone. That attack succeeded because the miscreants were able to trick a customer service representative at his mobile phone provider — AT&T — into forwarding his messages to another account.