Re: OMIGOD CIQ HACKING THE WORLD.

[Pablo Ximenes <pablo () ximen es>]

Hi,

2011/12/7 Dan Rosenberg <dan.j.rosenberg () gmail com>

> On Wed, Dec 7, 2011 at 9:09 AM, Pablo Ximenes <pablo () ximen es> wrote:
That's a good question.  As you've mentioned, the URL falls within the
> HTTP request, the entirety of which is protected by SSL.  So I would
> argue that the URL is content that should remain secret in an SSL
> session.  I haven't made up my mind whether the same applies to
> non-HTTPS URLs.  The issue is further complicated by the fact that
> perhaps the domain (without query parameters) that's being requested
> shouldn't be considered secret since this is readily available by
> looking at DNS.
Well, let´s take a look at a simple HTTP request:

POST /login.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows;pt-BR; rv:1.8.0.11) Gecko/20070312
Firefox/1.5.0.11
Accept: text/xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

username=jdoe&pass=god



In this case, the URL being visited is http://www.example.com/login.php

In order to capture this URL, the eavesdropping software would have to open
up the contents of the HTTP payload, get information from the method line
(1st line, POST), then get information from the "Host:" line, Merge them
together and then assemble the original URL. Bottom line is that the
eavesdropping software has to look at the contents in order to assemble
this seemingly "header" information. I would say this info is content and
not header, even for non-HTTPS requests, don´t you think?

Even though DNS leaks some info, as you mentioned it´s never the full URL.
Also, there´s the DNS cache, URL domain names get resolved once in a while,
and chache is used quite often.

And that´s only for URLs, I wonder how deep they would have to digg into
HTTP payloads in order to get other metrics that they might be collecting.
As you already said the samgung model has direct indication of collection
of "Request type" (GET, POST, etc), "content length" (port of the request´s
payload), and "status code" (part of the reply´s payload!), all of which
would need deep inspection of HTTP payload request contents as I mentioned.



> Please note that I'm not a lawyer, so I don't know the wording of any
> laws related to this sort of thing.  Also remember that it remains to
> be seen whether URL data is/was being collected at all, which is
> obviously a key piece of information with regards to the legal issues
> at hand.
Assuming those metrics were intended mostly for debugging purposes, It is a
fair assumption that they were indeed colleting this info, since it´s very
a important piece of data for debugging their data network in terms of
application level.

-Dan
>

Att,

Pablo Ximes


>  >
> > > Regards,
> > > Dan
> >
> >
> > Regards,
> >
> > Pablo Ximenes
> >
> > > > Regards,
> > > >
> > > > Pablo Ximenes
> > > >
> > > > 2011/12/6 Christian Sciberras <uuf6429 () gmail com>
> > > > > Or not...
> > > > >
> > > > > http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/
> > > > >
> > > > > On the other hand, where that l33t hacker Drew (aka xD 0x41)?
> > > > > Thought he'd enlighten us with more of his awesome hacking powers on
> > > > > this
> > > > > issue.
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/