Regarding the second part of the post, it appears the Omniture connection is a little
more straightforward than Smith makes it out to be. Verisign is simply using their
SiteCatalyst web activity reporting product, which is the same tool we use at rgj.com.
Check out our source -- it's at the bottom of the page. It's no different than any
other Javascript-based site-stat tool, except that SiteCatalyst has a very nice
interface and feature set. Pretty pictures keep the sales and marketing folks happy.
That doesn't take away from the primary issue, but I just hate to see Omniture tarred
with Verisign's well-deserved brush.
-Marcel
Marcel Levy <[EMAIL PROTECTED]>
-----Original Message-----
From: christopher neitzert <[EMAIL PROTECTED]>
Sent: Thu, 18 Sep 2003 09:26:25 -0400
To: Jay MacDonald <[EMAIL PROTECTED]>
Cc: RLUG Mailing List <[EMAIL PROTECTED]>; RAWUG list <[EMAIL PROTECTED]>
Subject: Re: [RLUG] Verisign monopoly abuse of DNS
Yes, this is sickening.
There are quite a few evil ramifications of this including XSS exploits
in IE: IF you've got Internot Exploder handy try this:
http://";alert('verislime');".net
ISC has released a patch and there are hundreds of other patches out
there for most server setups.
There are even sites that list patched DNS servers. (which I'm sure will
be posted here sooner or later *cough* fo0bar)
And.
this posting from Full-Disclosure is alarming to me:
From:
Richard M. Smith
<[EMAIL PROTECTED]>
To:
[EMAIL PROTECTED]
Subject:
[Full-Disclosure]
VeriSign hires
Omniture to snoop
on typos
Date:
Wed, 17 Sep 2003
11:07:52 -0400
Hi,
Here's another interesting angle on the Verisign Site Finder Web site.
VeriSign has hired a company called Omniture to snoop on people who make
domain name typos. I found this Omniture Web bug on a VeriSign Site
Finder Web page:
http://verisignwildcard.112.2o7.net/b/ss/verisignwildcard/1/G.2-Verisign
-S/s03509671784255?[AQB]&ndh=1&t=17/8/2003%2010%3A39%3A28%203%20240&page
Name=Landing%20Page&ch=landing&server=US%20East&c1=www.elinkprocess.com/
html/minibank_1000.html&c2=www.elinkprocess.com/html/minibank_1000.html%
20%2803/00%29&c12=Yes&c13=03&c14=No&c15=00&c16=Yes&c17=15&c22=NOT%20SET&
g=http%3A//sitefinder.verisign.com/lpc%3Furl%3Dwww.elinkprocess.com/html
/minibank_1000.html%26host%3Dwww.elinkprocess.com&r=http%3A//www.google.
com/search%3Fas_q%3Dmini-bank%2B1000%26num%3D100%26hl%3Den%26ie%3DUTF-8%
26oe%3DUTF-8%26btnG%3DGoogle%2BSearch%26as_epq%3D%26as_oq%3D%26as_eq%3D%
26lr%3D%26as_ft%3Di%26as_filetype%3D%26as_qdr%3Dall%26as_occt%3Dany%26as
_dt%3Di%26as_sitesearch%3D%26safe%3Dimages&s=1024x768&c=32&j=1.3&v=Y&k=Y
&bw=1024&bh=538&ct=lan&hp=N&[AQE]
The query string of the URL contains the usual things such as the Web
page URL, the referring URL, browser type, screen size, etc. This query
string is built on the fly by about 50 lines of JavaScript embedded in
the Verisign Web page.
The Omniture server sets a cookie so that people can be watched over
time to see what typos they are making.
Here's a bit more about the Omniture snooping service:
http://www.omniture.com/announcement.html
Note to Omniture: Yes, I was using Google to research security issues
with the Mini-Bank 1000 ATM, but my interests are purely academic. ;-)
Richard M. Smith
http://www.ComputerBytesMan.com
Patch your bind, and I am writing rules to block verislime from
accessing my networks.
love
chris
--
Christopher Neitzert http://www.neitzert.com/~chris
775.853.5314 - [EMAIL PROTECTED] - GPG Key ID: 7DCC491B
_______________________________________________
RLUG mailing list
[EMAIL PROTECTED]
http://www.rlug.org/mailman/listinfo/rlug
