Saturday, January 28, 2006

via http://www.juancole.com/

The Victory of Hamas and the Miseries of Bush's Policies

My article about the victory of Hamas in the Palestinian elections is out at Salon.com.

Excerpt:

' Hamas, or the Islamic Resistance Movement, a branch of the Egyptian Muslim Brotherhood, has come to power in Palestine. In his press conference on Thursday, Bush portrayed the Palestinian elections in the same way he depicts Republican Party victories over Democrats in the United States: "The people are demanding honest government. The people want services. They want to be able to raise their children in an environment in which they can get a decent education and they can find healthcare." He sounds like a spokesman for Hamas, underlining the irony that Bush and his party have given Americans the least honest government in a generation, have drastically cut services, and have actively opposed extension of healthcare to the uninsured in the United States.

But the president's attempt to dismiss the old ruling Fatah Party as corrupt and inefficient, however true, is also a way of taking the spotlight off his own responsibility for the stagnation in Palestine. Bush allowed then Israeli Prime Minister Ariel Sharon to sideline the ruling Fatah Party of Yasser Arafat, to fire missiles at its police stations, and to reduce its leader to a besieged nonentity. Sharon arrogantly ordered the murder of civilian Hamas leaders in Gaza, making them martyrs. Meanwhile, Israeli settlements continued to grow, the fatally flawed Oslo agreements delivered nothing to the Palestinians, and Bush and Sharon ignored new peace plans -- whether the so-called Geneva accord put forward by Palestinian and Israeli moderates or the Saudi peace plan -- that could have resolved the underlying issues.

The Israeli withdrawal from Gaza, which should have been a big step forward for peace, was marred by the refusal of the Israelis to cooperate with the Palestinians in ensuring that it did not produce a power vacuum and further insecurity. '

The rest is here at Salon.com

posted by Juan @ 1/27/2006 06:35:00 AM 8 comments

Minister of Industry Almost Killed
US Tilting to Sunni Arabs?

Assassinations in Kirkuk, a near-death of the minister of industry (and actual deaths of his bodyguards), the death of a GI and wounding of another in a roadside bombing, were among the violent incidents in Iraq on Thursday. Guerrillas also attacked a convoy of oil tankers, in their continued quest to starve Baghdad of energy, and they killed two clerics in the capital. Another important labor union leader has been assassinated.

Iraq the Model: Iraqi journalists face jail time for writing critically about their society. This NYT piece implies that a Kurdish dissident journalist has been released after having been sentenced to 30 years for criticizing Kurdish warlord Massoud Barzani; as I understand it, he is to be retried.

Reuters reports that some Iraqi Shiites and other observers believe that the Bush administration is shifting away from its earlier alliance with the Iraqi Shiites, preferring the Iraqi Sunni Arabs. The rationale is said to be a dawning realization in Washington that the Iraqi Shiites would not react positively to a US attack on Iran. Given the increasing focus on Iran's nuclear energy program by Bush, his allies in the Iraqi South are becoming increasing liabilities, given their own warm relations with Tehran.

Al-Hayat [Ar.] reports that the military adviser to Jalal Talabani reported that there had been contacts with the Iraqi guerrillas for the purpose of increasing Iraqi security in all regions of Iraq. The newspaper alleged that Iraqi clans of Anbar Province for the second day continued a campaign against foreign fighters styling themselves al-Qaeda in Mesopotamia, capturing 270 of them. The clans around Ramadi are also said to have helped the Iraqi army capture 200 "terrorists." (See Gilbert Achcar's translation from yesterday, below). The article says that the clan leaders have also been talking to Sunni clerics, preparing the way for talks between the Iraqi government, the US led coalition, and guerrilla leaders as early as next week.

[Cole: I think Talabani's office is vastly exaggerating these developments, and don't trust al-Hayat's editorial line on these alleged conflicts within the guerrilla movement. Their articles on it read to me as though they are attempting to convince themselves, and perhaps the guerrillas, of this story. On the other hand, the story that the US military will meet next week with guerrilla leaders is entirely plausible. Such contacts are not new, and the question is whether they will produce anything of value.]

Gen. Casey has admitted that the US army is stretched in Iraq.

Further pipeline sabotage and bad weather at Basra will keep Iraqi exports to only about 1 million barrels a day for at least the next month.

A new report says that the US will not be able to use the $18 bn voted by Congress to complete water, sanitation and electricity projects related to rebuilding Iraq. Reuters says, "Only 49 of 136 planned water- and sanitation-related projects will be completed and only about 300 of 425 planned electricity-related projects." The article blames Saddam for having run down Iraq but does not mention the role of stringent US-backed international sanctions in degrading Iraqi society in the 1990s.

posted by Juan @ 1/27/2006 06:30:00 AM 6 comments

Split in Sunni Guerrilla Movement

Gilbert Achcar kindly shares this translation of an article from al-Hayat on splits in the Sunni Arab guerrilla movement.
' The AMS: We Are Now Waging Two Battles: Against 'the Occupation' and Against 'the Terrorists'
Sunni Clans Take the Initiative of Launching a Campaign to Expel Zarqawi's Followers and 'Foreigners and Intruders'

From Al-Hayat Newspaper, London; January 26, 2006

Baghdad-London -- There are still more consequences to the wave of assassinations targeting Sunni political and religious figures participating in the political process, and the killing of 42 police recruits in Ramadi by extremist Islamist followers of Abu-Musab al-Zarqawi, the leader of "al-Qaeda's Organization in the Land of the Two Rivers." A new escalation took the form of additional Arab Sunni tribal clans joining the campaign aimed at liquidating this organization. The "Popular Clan Committees" launched a large campaign chasing Zarqawi's group in Ramadi "in order to expel them to Syria beyond Iraqi borders."

Sheikh Osama al-Jedaan, the head of the al-Karabila clan in Qa'im, on the Syrian border, said that the "Clan Committees" have started a military campaign against the "terrorists," asserting that security formations composed of Ramadi inhabitants are searching for people wanted by the Iraqi government and by their own "government." He emphasized that this operation aims at expelling from Iraqi borders "foreigners and intruders" coming from other states of the region. Six armed groups belonging to "the Iraqi resistance" recently declared war on Zarqawi's "terrorist" organization.

A Sunni religious figure from the province of al-Anbar told Al-Hayat that the groups that destroyed the Sunni provinces belong to the "terrorists and takfiris" [a label attached to the most fanatical Islamic fundamentalists]. He added that the best measure to be taken in order to stabilize the situation is that the inhabitants of the province (the clans) expel these groups. He expressed his regret that some Sunni families gave refuge to "the terrorist elements" although they constitute no more than 50 per cent [certainly a typographic error for a much lesser percentage] of the armed men, attributing this to several reasons among which are "wrong understanding, material need, fear from them, or the desire to take revenge on foreign troops." He asserted that this support and the silence kept with regard to terrorist groups have ended after Sunni families suffered from "the assassinations targeting Sunni figures and the killing of police recruits, the responsibility of which was claimed by al-Qaeda's organization."

He said that the resistance fractions acting within the "popular committees" to cleanse Ramadi have ceased their operations against US troops (a truce), but that this does not mean that they trust the Americans or disregard the necessity that they get out of Iraq. This Sunni sheikh asserted that the mediation of the Ramadi notables between the resistance and US troops "have succeeded in convincing the resistance elements of the necessity of expelling the terrorists, and anyone who excommunicates [takfir] a Muslim Iraqi and kills Shias on the basis of their religious identity, but they did not succeed in increasing their confidence in US authorities."

One of the sheikhs of the Sunni al-Dulaim clan in Ramadi said that the city inhabitants have started to understand the true nature of the armed groups that kill in the name of religion and resistance. He told Al-Hayat that many Ramadi inhabitants have given material and logistical support to the Arab fighters, but understand nowadays the goal of these armed groups, which is to sow the seeds of "a sectarian conflict by killing Shias on the basis of their religious identity and excommunicating the people working in the police or in the government in general."

Moreover, a member of the al-Bubaz Sunni clan, the largest clan in Samarra, stated that his city was quiet and had gotten rid of the terrorists by the action of its seven major clans (Bu-Nisan, Bu-Abbas, Bu-Badr, and others), adding that "the inhabitants of Samarra are ready to support the clan committee in Ramadi, and that they stand by waiting for any sign in order to join them in fighting the terrorists."

In the same context, Issam al-Rawi, a member of the Association of Muslim Scholars, said that Arab Sunnis are now waging two battles, one against government apparatuses and the other against "terrorist gangs." Al-Rawi added that the AMS praises the efforts of the inhabitants of Ramadi to oppose terrorism, especially Zarqawi who "once excommunicates the Shias and their religious authorities, and another time excommunicates the Sunnis and the AMS, allowing Iraqi blood to be spilled." He explained that the AMS believes in resistance, but calls the terrorists to stop attacking Iraqis.

In the same way, a leader of the "Brigades of the 1920 Revolution" in al-Anbar told Al-Hayat that most "fractions of the patriotic Iraqi resistance" disapprove the way Zarqawi's organization deals with Iraqi civilians as well as his overdoing in targeting the police and army "in all regions of Iraq." [This last precision put between quote marks by the reporter hints at the very unfortunate sectarian twist -- now corrected apparently -- of many Iraqi armed groups who supported bloody attacks against gatherings of Iraqi police and army recruits as long as they were in Shia areas and changed their mind when the same turned to Sunni areas as happened recently in Ramadi.] He said that "these fractions ["of the patriotic Iraqi resistance"] have called to concentrate the resistance efforts on targeting 'occupation' soldiers, instead of wasting time and effort in confrontations with the army, police and national guard, while occupation soldiers are thus enabled to recover."
This does not mean that "Iraqi army and police will be immune from our attacks in case they targeted the 'mujahideen' or treated people badly or assaulted them." He added that "the mujahideen have resorted to a new kind of operation reducing the risk for civilians, such as putting explosive charges on roads outside the cities and practicing sniping inside the cities." He also said that "the rift between the patriotic resistance and the extremists has worsened progressively," but that "the last straw was the extremists' attack on police recruits in Ramadi, at a time when most resistance fractions in al-Anbar had met and agreed unanimously on not hurting them as there is a need for police, especially in the city of Ramadi."

Published in Al-Hayat, Jan. 26, 2006, translated by Gilbert Achcar. '

posted by Gary Williams at 6:22 PM | link |

Wednesday, January 25, 2006

XST Strikes Back

From: Amit Klein (AKsecurity)
Date: 01/25/06 08:32:38
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Technical Note by Amit Klein: "XST Strikes Back"

Technical note
XST Strikes Back (or perhaps "Return from the Proxy"...)
Amit Klein, January 2006

Introduction
============

About three years ago, the concept of "Cross Site Tracing" [1] was introduced to the web application security community. In essence, the classic XST is about amplifying an existing XSS vulnerability such that HttpOnly cookies and HTTP authentication credentials can be compromised. This is done using a client side XmlHttpRequest object that sends a TRACE request back to the server, receives the request echoed back by the server's TRACE function, and extracts the information from the echoed back request.

The recommendation in [1] is to turn off TRACE support in the web server, which indeed takes care of the attack as described. However, let us now consider a situation wherein there is a proxy server somewhere between the client (browser) and the server. In such case, it is possible to force the proxy server (at least, in theory) to respond to the TRACE request, rather than the origin server itself. Thus, HTTP TRACE can still be used to compromise the credentials of the user, even if the server does not support the TRACE request.

The technique
=============

Forcing the first proxy server in the chain to respond to the TRACE request (rather than forward it) is as simple as including an HTTP request header "Max-Forwards: 0" ([2], section 14.31).

So, for IE (up to and including 6.0 SP1) and for Mozilla/Firefox (up to and including Firefox 1.0.6), the XSS payload should be (IE code, Mozilla/Firefox modifications commented):

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    // var x = new XMLHttpRequest();
    x.open("TRACE","/",false);
    // Max-Forwards: 0 makes the first proxy answer instead of forwarding ([2], 14.31)
    x.setRequestHeader("Max-Forwards","0");
    x.send();
    // x.send("");
    alert(x.responseText);

In IE 6.0 SP2, it seems that Microsoft silently removed support for TRACE in the XmlHttpRequest object. That is, no method starting with "TRACE" is allowed. However, a simple trick, involving a technique similar to the one used in [3] and [4] can be used to bypass this protection. Instead of using "TRACE" for the method, one can simply use "\r\nTRACE". To quote from [2] (section 4.1):

"In the interest of robustness, servers SHOULD ignore any empty line(s) received where a Request-Line is expected. In other words, if the server is reading the protocol stream at the beginning of a message and receives a CRLF first, it should ignore the CRLF."

So the XSS payload for IE 6.0 SP2 would be:

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    // leading CRLF is not "TRACE" to the browser's check, but is skipped by the parser ([2], 4.1)
    x.open("\r\nTRACE","/",false);
    x.setRequestHeader("Max-Forwards","0");
    x.send();
    alert(x.responseText);

Squid (2.5stable10/NT), Apache (2.0.54 mod_proxy) and other popular proxy servers were found to support TRACE and Max-Forwards.

Recommendations
===============

Proxy server vendors
--------------------

1. Ship proxy servers with default secure configuration, namely TRACE support disabled.

2. In the least, enable turning off support for TRACE via a configuration option.

Proxy server owners/maintainers
-------------------------------

Disable support for TRACE.

1. For Squid, add the following to the Squid configuration file (squid.conf):

    acl TRACE method TRACE
    ...
    http_access deny TRACE

2. For Apache, use mod_rewrite to prevent support for TRACE (see [1]). Make sure to place the directive in the httpd.conf file. Also, it would be a good idea to append the "[nocase]" flag to the RewriteCond directive, to ensure case insensitive comparison (though it seems that Apache will only serve fully uppercase HTTP methods).

Browser vendors
---------------

Disable support for TRACE in the XmlHttpRequest object. Make sure you do it right though.

Web site owners
---------------

As a workaround (perhaps not too practical), enable SSL traffic only to your site.

Summary
=======

This is yet another example of a peripheral web security issue, such as the ones discussed in [5]. A web application may be compromised through issues that are beyond the control of the web site owner - in this case, support for TRACE in browsers and proxy servers. In fact, in many cases the site owner has no way of even knowing that the attack took place, because the TRACE request is answered at the proxy server, and never arrives at the web server (of course, if the first proxy server is the site's reverse proxy server, or if no proxy server at all is present, then the site owner may find out). It seems that the TRACE method should be disabled across the board - not just in web servers, but also in proxy servers and in browsers (and possibly in other web devices).
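The "make sure you do it right" point for browser vendors is worth seeing in code. The following is an added example written for this page (it is not code from Amit Klein's note or from the list thread): it models a browser-side filter that only checks how the method string starts, a lenient HTTP parser that skips a leading CRLF as [2] section 4.1 allows, and a proxy that answers a TRACE itself when Max-Forwards is 0, then shows how a strict token check closes the bypass. The function names, the BLOCKED set and the sample request bytes are assumptions of this example.

```python
"""Added model of the XST bypass in the note: a browser-side TRACE filter
that only checks how the method string starts is defeated by a CRLF-prefixed
method, because a lenient HTTP parser ignores a leading CRLF before the
Request-Line (RFC 2616 section 4.1). Requiring a well-formed token closes
it. Function names, the BLOCKED set and the sample request are assumptions."""
import re

# RFC 2616 section 2.2 "token": CHARs that are neither CTLs nor separators,
# so CR, LF, SP and HT can never be part of a valid method.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
BLOCKED = {"TRACE"}

def naive_filter_allows(method):
    """Rejects methods *starting with* TRACE, as the note describes for
    IE 6.0 SP2. Returns True when the request would be sent."""
    return not method.upper().startswith("TRACE")

def strict_filter_allows(method):
    """Hardened filter: the method must be a single token before the
    case-folded value is compared against the blocked set."""
    return bool(_TOKEN.match(method)) and method.upper() not in BLOCKED

def request_bytes(method, target="/", max_forwards=0):
    """Constructed wire bytes for x.open(method, target) plus the
    Max-Forwards header the note uses to make the first proxy answer."""
    return (f"{method} {target} HTTP/1.1\r\nHost: proxy.example\r\n"
            f"Max-Forwards: {max_forwards}\r\n\r\n").encode("ascii")

def parse_request(raw):
    """Lenient parser: skip empty lines before the Request-Line (RFC 2616
    section 4.1), then return (method, {lower-cased header: value})."""
    while raw.startswith(b"\r\n"):
        raw = raw[2:]
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.split(" ", 2)[0], headers

def proxy_answers_itself(raw):
    """True when a proxy would answer the TRACE instead of forwarding it:
    Max-Forwards is 0 (RFC 2616 section 14.31), so the origin never sees it."""
    method, headers = parse_request(raw)
    return method == "TRACE" and headers.get("max-forwards") == "0"

def outcome(method):
    """(naive filter allows, strict filter allows, proxy answers itself)
    for one XmlHttpRequest method string."""
    raw = request_bytes(method)
    return (naive_filter_allows(method), strict_filter_allows(method),
            proxy_answers_itself(raw))
```

The CRLF-prefixed method passes the naive filter yet is parsed as a plain TRACE that the proxy answers, which is exactly the case the note's site owner never sees in the origin server's logs; the token check rejects it before anything is sent.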
References
==========

[1] "Cross-Site Tracing (XST)", Jeremiah Grossman, January 20th, 2003
    http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

[2] "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616
    http://www.ietf.org/rfc/rfc2616.txt

[3] "XS(T) attack variants which can, in some cases, eliminate the need for TRACE", Amit Klein, WebAppSec mailing list submission, January 26th, 2003
    http://www.securityfocus.com/archive/107/308433

[4] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more...", Amit Klein, BugTraq mailing list submission, September 24th, 2005
    http://www.securityfocus.com/archive/1/411585

[5] "Meanwhile, at the other side of the web server", Amit Klein, BugTraq mailing list submission, June 9th, 2005
    http://www.securityfocus.com/archive/1/401866

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

posted by Gary Williams at 9:15 AM | link |

Tuesday, January 24, 2006

Broken screen now replaced

My screen broke and they want $700 to replace it, so I got a monitor (for $20) and tonight my daughter sent me a new Dell home puter too!!!! Tomorrow I'll open the box and unload the new puter... Wish me luck!

posted by Gary Williams at 11:07 PM | link |