Just not famous enough…
February 27, 2008
Turns out that I’m just not famous enough (or photogenic enough, or chicken-little enough) for Fox 11 news
Last week, McAfee (the parent company of Foundstone) PR was contacted by a producer of Fox 11 news (local Fox channel in the Los Angeles area) asking for an “expert in web security” who would do a couple of quotes/an interview to camera for a story they were putting together. Our McAfee guy got in touch with Foundstone, and as I’m apparently the “web expert” and in the Los Angeles area, we had a quick talk on the phone. The only advance info I got about what the call was going to be about was “stealing pictures from locked sites online” and something I had never heard of before – “fuskering”.
Basically, the story was about people “hacking into photo sites” and “stealing” potentially embarrassing images to post up elsewhere. In researching the term I found that it wasn’t a new attack method at all, but just using pattern matching to perform direct requests to a server to display/pull images (those crazy kids – I just can’t keep up with their language any more!). When I talked to the producer/reporter, he was very concerned about this – oh the humanity! I basically said that it’s not a “real” hack – sure, people are able to get images they aren’t really supposed to be able to access, but this has been known about for some time, and if people really are stupid enough to put embarrassing pictures up on any public site (with unknown security; locked/private/protected, it doesn’t matter), then they really don’t have anything to complain about – the sound-bite I used was “don’t put up anything you wouldn’t want your mom to see, locked or unlocked”. As soon as it leaves your computer you aren’t in control any more.
We were supposed to film on Thursday, but heard nothing back. Nothing on Friday either (despite both of McAfee and Foundstone PR people trying to get back in contact), and I had to fly out to Phoenix on Monday anyway for on-site client work. This is what appeared on Tuesday night. Get ready for the shock and awe!
So props to Joel Scambray (an ex-Foundstone guy, I might add) for doing this – he’s clearly more “camera friendly” than I am, and perhaps more willing to say what Fox 11 wanted to hear. However, they obviously cut his “interview” down to like 5 seconds, and the only things he was really able to get out were “you should expect the sites you are using have some sort of security vulnerability” and “70-80-90% of sites have security vulnerabilities”, so he wasn’t able to add anything “meaningful” to the story unfortunately (and totally not his fault – he knows his stuff). This is one of the reasons that I don’t like Fox news (on any channel), as it seems it’s all about the scandal/shock/scare and nothing else – no education (on how/why this happens or on what users can/can’t do).
Anyway, if Fox 11 won’t do it, I will.
“Fuskering” basically is…
- It pulls a number of images/pages/etc. within a range, “expanding” requests based off a pre-identified “pattern”. E.g. “www.example.com/image[1-3].jpg” becomes www.example.com/image1.jpg, www.example.com/image2.jpg, www.example.com/image3.jpg.
- It generally relies on someone “finding” an image first, then “fuskering” for others that might be from the same user. Known sequence numbers from digital camera images are a good starting point (e.g. DSC12345.jpg – once you find one, the other images are in that sequence, either ascending or descending in time).
- There are a number of tools out there that do this automatically. I’m not going to link to them, but with a bit of Google-fu you should be able to find them. Personally, Perl and a shell script would have done it for me.
- Sites are mostly “vulnerable” because they use the security by obscurity pattern – if an image link is “known” by a user (either because they have been sent it, or because they have permission to see the link and therefore the site displays it to them), then the image is viewable. If someone has the time/resources to perform random requests, or crawl for one “interesting” image and then fusker for others, it’s quite likely that other image links could be discovered and then requested.
- The lack of an authorization check on displaying the image itself (rather than on the display of the link) is often one of the security trade-offs that a site might decide to make. Displaying links only to the “allowed” images as a page is being created isn’t much of a performance trade-off – the site has to dynamically generate the page anyway somehow (on demand, or pre-processed). However, performing a secondary authorization check during the request for an actual image (whether it’s to the .jpg, .gif, etc. directly or via a “proxy” script) may be too much of a performance hit if lots of users are accessing the site pulling images. The consequence is that the image URL itself becomes the only thing protecting the image, and a predictable URL is not a secret for long.
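To make the two points above concrete, here is an added example (mine, not from the original post, and in Python rather than the Perl mentioned above). The first half is the pattern expansion a fusker does, including the zero-padded camera sequence numbers; the second half is a toy photo host with two policies, one that only hides the links and one that also authorizes the direct image request, so you can see what each gives an attacker who has been handed a single URL. The hostname, album names, user names and file names are all constructed for the example.

```python
"""Fusking demo: range expansion plus the link-check vs. resource-check trade-off.

Added example, not code from the original post.  The hostname, albums,
users and file names below are constructed for illustration only.
"""
import re
from itertools import product

RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_pattern(pattern):
    """Expand every [lo-hi] range in a fusker pattern into concrete URLs.

    A lower bound with leading zeros fixes the width, so DSC_[0098-0102].jpg
    yields DSC_0098.jpg ... DSC_0102.jpg rather than DSC_098.jpg.  Several
    ranges in one pattern are expanded as a cartesian product, and a range
    with hi < lo counts down.
    """
    parts = RANGE_RE.split(pattern)          # [lit, lo, hi, lit, lo, hi, ..., lit]
    literals = parts[0::3]
    value_lists = []
    for lo, hi in zip(parts[1::3], parts[2::3]):
        width = len(lo) if lo.startswith("0") else 0
        step = 1 if int(hi) >= int(lo) else -1
        value_lists.append(
            [str(n).zfill(width) for n in range(int(lo), int(hi) + step, step)]
        )
    urls = []
    for combo in product(*value_lists):
        url = literals[0]
        for value, literal in zip(combo, literals[1:]):
            url += value + literal
        urls.append(url)
    return urls


class PhotoSite:
    """Toy photo host.  Album pages always check the viewer before rendering
    links; whether the image request itself is also checked is the
    performance trade-off discussed in the post."""

    HOST = "http://photos.example.com"   # constructed hostname

    def __init__(self, authorize_image_requests):
        self.authorize_image_requests = authorize_image_requests
        # album -> (allowed viewers, None = public; camera-numbered files it holds)
        self.albums = {
            "alice-private": ({"alice"}, [f"DSC_{n:04d}.jpg" for n in range(95, 106)]),
            "bob-public": (None, ["DSC_0001.jpg", "DSC_0002.jpg"]),
        }

    def _allowed(self, user, album):
        viewers, _ = self.albums[album]
        return viewers is None or user in viewers

    def album_page(self, user, album):
        """Return the image links rendered for this viewer, or None for a 403."""
        if not self._allowed(user, album):
            return None
        return [f"{self.HOST}/photos/{album}/{name}" for name in self.albums[album][1]]

    def get_image(self, user, url):
        """Serve a direct image request; return an HTTP status code."""
        m = re.fullmatch(rf"{re.escape(self.HOST)}/photos/([^/]+)/([^/]+)", url)
        if not m or m.group(1) not in self.albums:
            return 404
        album, name = m.groups()
        if name not in self.albums[album][1]:
            return 404
        if self.authorize_image_requests and not self._allowed(user, album):
            return 403   # the secondary check on the resource itself
        return 200       # link-only policy: a known URL is enough


def fusk(site, user, pattern):
    """Request every URL the pattern expands to; return those that came back 200."""
    return [url for url in expand_pattern(pattern) if site.get_image(user, url) == 200]


def demo():
    # "mallory" was sent one link, DSC_0100.jpg from Alice's private album, and
    # guesses that the camera numbered its neighbours sequentially.
    pattern = f"{PhotoSite.HOST}/photos/alice-private/DSC_[0095-0105].jpg"
    leaky = PhotoSite(authorize_image_requests=False)
    hardened = PhotoSite(authorize_image_requests=True)
    # Both sites hide the album page from mallory; only the image policy differs.
    assert leaky.album_page("mallory", "alice-private") is None
    assert hardened.album_page("mallory", "alice-private") is None
    return len(fusk(leaky, "mallory", pattern)), len(fusk(hardened, "mallory", pattern))


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"link-only check: {leaked} private images pulled; "
          f"resource check: {blocked} private images pulled")
```

Running it shows the whole private album coming back on the link-only site and nothing on the hardened one; the per-request check costs one lookup per image fetch, which is the price the post says some sites decide not to pay. The `_allowed` call on the image path is the same check the album page already performs, so the fix is not new logic, just applying the existing check to the object rather than to the link.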
So, the age-old “security by obscurity” and “security vs. performance trade-off” arguments. It’s just a shame that Fox 11 didn’t do anything other than scare people away from putting photos online, but what more did I really expect. In the end, I’m quite glad I didn’t do the interview.
