HTTP smuggling & splitting, and lots of talk about "big brother" watching
CoolWebSearch
June 15th, 2009, 03:27 AM
QUESTION FOR ALL ON THE BOARD: If HTTP smuggling, HTTP splitting and man-in-the-middle attacks are so dangerous, aren't you scared of being easily hacked?
I have a router, and my router has never been hacked so far.
So why make apocalyptic statements?
I've spent hours surfing, downloading and entering all kinds of websites, and I have never seen this!?
Should I consider myself a lucky guy?
Do you consider yourselves lucky guys, since, judging from the posts, you have never been attacked by these forms of attack?
However, I do remember a particular situation where I thought I'd been a victim of ARP spoofing (if that was the case; I'm not sure whether it was an ARP spoofing attack).
The router blocked all traffic, shut itself down and restarted itself. A weird situation indeed, but this was 6 months ago at least.
If the router blocks all of these attacks by shutting itself down and then restarting itself, then there shouldn't be any problem, right?
I wonder if Stem has tested any router or software firewall against these attacks, since he honestly seems to be one of the posters who can actually speak with the knowledge, testing and experience he has, especially to make companies do better filtering against these and other forms of attack.
Cheers.
arran
June 15th, 2009, 04:04 AM
-{ Quote: "QUESTION FOR ALL ON THE BOARD: If HTTP smuggling, HTTP splitting and man-in-the-middle attacks are so dangerous, aren't you scared of being easily hacked?
I have a router, and my router has never been hacked so far.
So why make apocalyptic statements?
I've spent hours surfing, downloading and entering all kinds of websites, and I have never seen this!?
Should I consider myself a lucky guy?
" }-
well pandlouk did say that http smuggling, and http splitting are very very hard to stop so I presume that the modified http packets would just simply travel thru and bypass your Router without affecting it along with all the other normal http traffic on port 80.
But still if pandlouk can explain what is achieved by this attack???
CoolWebSearch
June 15th, 2009, 04:22 AM
-{ Quote: "well pandlouk did say that http smuggling, and http splitting are very very hard to stop so I presume that the modified http packets would just simply travel thru and bypass your Router without affecting it along with all the other normal http traffic on port 80.
But still if pandlouk can explain what is achieved by this attack???" }-
Yes, I would like to know that: what is the main target? Because if it's true that a hacker can easily exploit this in/through my router, then it has been bypassed so many times, without any possibility of detection, which means I've been hacked 100 times at least, and yet on my computer nothing malicious has ever happened, not yet.
Isn't that ironic?
Perhaps blocking all traffic or shutting down and restarting itself is the only and the most secure solution, and I think pretty much any software or hardware firewall/router actually has it.
I would simply like to know more about these attacks: ARP spoofing, man-in-the-middle attacks, HTTP splitting and HTTP smuggling. What are they and how dangerous are they really?
SystemJunkie
June 15th, 2009, 08:17 AM
-{ Quote: "
well pandlouk did say that http smuggling, and http splitting are very very hard to stop so I presume that the modified http packets would just simply travel thru and bypass your Router without affecting it along with all the other normal http traffic on port 80." }-That simple it is.
-{ Quote: "But let's say for argument's sake if there was a successful 'http splitting and or http smuggling' attack which got thru your router and software firewall, what specifically would the attack achieve? What damage would it do to your pc?" }-You won't take any notice. Your router and firewall are no help. If you connect to the internet you are a passive part of the all-seeing eye (master and control central for HTTP poisoning and HTTP smuggling) whether you want it or not. HTTP is an old protocol; there is no security to expect here. Maybe you understand now why the whole discussion about security is a farce: the main aim of monopolists and huge software companies is to reduce the attacks of kiddies, botchers and amateurs because they make too much noise, and that is what they call bringing security to your home. But the biggest hole is kept silent and under the hood: HTTP. HTTP is the spy glass of the elite. Remember: the best intrusion will never be noticed unless you take a deep look into it and do some long-term forensics.
-{ Quote: "So, why making apocalyptic statements?
I've been for hours surfing, downloading, entering all kinds of websites, and I have never seen this!?
Should I consider myself a lucky guy?" }-Only naive. The danger is in the hidden things, the things you will never notice
unless you make a strong effort to understand the reason and to look behind.
Try to keep your naivety as long as possible, but on entering this board your worry-free concept might be shocked step by step.
-{ Quote: "Yes, I would like to know that: what is the main target? Because if it's true that a hacker can easily exploit this in/through my router, then it has been bypassed so many times, without any possibility of detection, which means I've been hacked 100 times at least, and yet on my computer nothing malicious has ever happened, not yet.
Isn't that ironic?" }-Probably you need a lesson in understanding the system of a virus. The aim of a sophisticated viral system is not to destroy its hosts, nor to bother them too much; it is a silent adaptation to survive, to spread, and to own and control more and more.
CoolWebSearch
June 15th, 2009, 08:50 AM
-{ Quote: "That simple it is.
You won't take any notice. Your router and firewall are no help. If you connect to the internet you are a passive part of the all-seeing eye (master and control central for HTTP poisoning and HTTP smuggling) whether you want it or not. HTTP is an old protocol; there is no security to expect here. Maybe you understand now why the whole discussion about security is a farce: the main aim of monopolists and huge software companies is to reduce the attacks of kiddies, botchers and amateurs because they make too much noise, and that is what they call bringing security to your home. But the biggest hole is kept silent and under the hood: HTTP. HTTP is the spy glass of the elite. Remember: the best intrusion will never be noticed unless you take a deep look into it and do some long-term forensics.
Only naive. The danger is in the hidden things, the things you will never notice
unless you make a strong effort to understand the reason and to look behind.
Try to keep your naivety as long as possible, but on entering this board your worry-free concept might be shocked step by step.
Probably you need a lesson in understanding the system of a virus. The aim of a sophisticated viral system is not to destroy its hosts, nor to bother them too much; it is a silent adaptation to survive, to spread, and to own and control more and more." }-
Well, I guess this is all true, but still I consider myself experienced enough to know when my security has been compromised. So far, it hasn't been.
Trust me I would know it.
SystemJunkie
June 15th, 2009, 08:53 AM
Maybe you should first find a definition for what you call security.
For you security might be this way: Surfing the web without interruptions, everything looks fine, no anomalies to see,
I can do what I want to do without being bothered.
Maximum security (which is nearly unachievable) means: I surf the web, leave zero traces, I am absolutely encrypted, nothing can leak me (even no aqua, h2o, eau, retaw or water, ota, tao, dao ;)) I can do what I want but nobody can notice my presence, I am like a shadow, a phantom.
If you managed to bypass the eye you would manage to fool the devil. Isn't that a challenge?
CoolWebSearch
June 15th, 2009, 08:57 AM
-{ Quote: "Maybe you should first find a definition for what you call security.
For you security might be this way: Surfing the web without interruptions, everything looks fine, no anomalies to see, I can do what I want to do without being bothered." }-
And actually, you might not believe it, but this is what my experience is based on:
Surfing the web without interruptions, everything looks fine, no anomalies to see.
This is why I always find it hard to believe that security can be so much compromised.
But this is just me, maybe I'm just one in a million, who knows?
I guess it all depends on the user itself!?
Wildest
June 15th, 2009, 09:05 AM
I am having some difficulty understanding the risk factors involved regarding this HTTP smuggling, splitting etc.
I understand that:
1. It cannot be blocked by current firewall technology
2. No one knows who is behind its organized use.
These two points have been repeated over and over here so many times that the phrase, "Be Afraid! Be very afraid!!" pops up instantly in my mind when I see this topic being discussed.
What I am still missing is,
"Exactly WHY should I be afraid?!"
"Exactly what am I risking by failing to take this issue more seriously?"
I have seen some ask questions similar to the ones I ask myself, but these are generally rebuffed with something along the lines of, "I don't have time to explain, if you want to understand spend some time educating yourself and read the information you can find here, or set up a test network and perform the tests you can find there".
Well, I have read some of the links, and it is still not clear to me why I should be so afraid; maybe I am just too stupid to comprehend the so-simple-a-child-could-understand explanations in these links.
Also, I guess I must always be eternally grateful to my professors in college that they didn't brush me off and point me to my textbook when I had a question, eh? :-D
Anyway, my question was, and is still essentially this:
WHY should I be afraid?
SystemJunkie
June 15th, 2009, 09:13 AM
-{ Quote: "Anyway, my question was, and is still essentially this:
WHY should I be afraid?" }-It depends on you, you don't have to
if you have no problem with big brother.
-{ Quote: "I understand that:
1. It cannot be blocked by current firewall technology
2. No one knows who is behind its organized use." }-
Isn't that reason enough to become alarmed?
Who is behind it? This question is interesting; I could answer you this in fragments, but that would be only a drop on a hot stone.
There is a lot of system, edu, org, gov and elite behind it, for sure, but probably also enough guys from the industry
mixed up with some hardcore people and probably some of the internet founders too, those who have the knowledge of decades on their side. It would become a long list, I guess. This is a very speculative zone; there is a high probability that several young black, grey or white hats are part of it too. Maybe the upper core are only a few, but they might have countless henchmen.
SystemJunkie
June 15th, 2009, 11:27 AM
There is a company from Quebec that claims to make your windows system safe against viral http packets: http tunnel (http://www.http-tunnel.com/html/solutions/http_tunnel/client.asp)
Bypassing firewall to secure http, sounds like from one dummy security to the other.
Wildest
June 15th, 2009, 11:27 AM
-{ Quote: "It depends on you, you don't have to
if you have no problem with big brother." }-
I do have a problem with big brother, but I try not to worry about things over which I have no control.
-{ Quote: "Isn't that reason enough to become alarmed?
Who is behind it? This question is interesting; I could answer you this in fragments, but that would be only a drop on a hot stone.
There is a lot of system, edu, org, gov and elite behind it, for sure, but probably also enough guys from the industry
mixed up with some hardcore people and probably some of the internet founders too, those who have the knowledge of decades on their side. It would become a long list, I guess. This is a very speculative zone; there is a high probability that several young black, grey or white hats are part of it too. Maybe the upper core are only a few, but they might have countless henchmen." }-
Since apparently all of the powerful upper echelons of society are involved, it appears that the outcome is inevitable, and therefore this is not something that I need to be worried about.
Regardless, thank you for helping me clear this up in my head, and I apologise to the other readers for helping to keep this OT subject alive in this thread.
Wildest
June 15th, 2009, 11:31 AM
-{ Quote: "The only solution I found so far that claims to make your system safe against viral http packets: http tunnel (http://www.http-tunnel.com/html/solutions/http_tunnel/client.asp)" }-
Is this http tunnel similar to Tor?
SystemJunkie
June 15th, 2009, 11:43 AM
-{ Quote: "Since apparently all of the powerful upper echelons of society are involved, it appears that the outcome is inevitable, and therefore this is not something that I need to be worried about.
Regardless, thank you for helping me clear this up in my head, and I apologise to the other readers for helping to keep this OT subject alive in this thread." }-You are welcome.
-{ Quote: "I do have a problem with big brother, but I try not to worry about things over which I have no control.
" }-Yes, but they bother and disturb people with e.g. cyberstalking, just to name one of their psyops; another one is sporadic attacks against their opponents' systems and DDoS attacks against their servers.
-{ Quote: "Is this http tunnel similar to Tor?" }-Don't know. At least it sounds secure.
LockBox
June 15th, 2009, 04:37 PM
-{ Quote: "And actually, you might not believe it, but this is what my experience is based on:
Surfing the web without interruptions, everything looks fine, no anomalies to see.
This is why I always find it hard to believe that security can be so much compromised. But this is just me, maybe I'm just one in a million, who knows?
I guess it all depends on the user itself!?" }-
It might help you to think about how we came to use the word "virus" with computers in the first place. Malware can be exactly like a germ - unseen, located where you might least suspect it, but easy to catch. Virus=germ=unseen. Things aren't always as they seem. Hope that analogy (albeit simple) might help.
arran
June 15th, 2009, 06:00 PM
I think this is more of a "Privacy" or "Nuisance" issue with modified packets coming in rather than an actual security issue on your PC. Like I said in the other thread, to solve this use an encrypted VPN tunnel with a proxy server.
That said I would love to see Hacker try and bypass my MD rules, Shadow Defender and take control or Drop a virus on my pc. :D :D :D
SystemJunkie
June 15th, 2009, 08:13 PM
The mod must have read my thoughts, that was also my thought to split the topic.
-{ Quote: "to solve this use a encrypted vpn tunnel with a proxy server." }-
Good idea. But many proxies are insufficient to filter smuggling requests; it must be a very good one.
Victek123
June 15th, 2009, 08:47 PM
-{ Quote: "regarding the man in the middle attacks Discussion in this thread, my understanding is that a man in the middle attack is a hacker intercepting packets in transit and modifying them before they finish their journey to your pc.
I can't see how it's possible for any firewall to prevent this, although a firewall can filter out the modified packets but not prevent someone intercepting the packets in transit.
I guess the best and only defense against this is using an SSH encrypted tunnel to a proxy server?" }-
Regarding MITM attacks there are at least two scenarios I'm aware of. One is open wi-fi where anyone can "sniff" unencrypted transmissions. The other is a trojan/keylogger infection that can grab your data as you type it into a browser, etc. I don't see how data could be intercepted on route to your PC, unless we're talking CIA :)
arran
June 15th, 2009, 09:50 PM
-{ Quote: "Regarding MITM attacks there are at least two scenarios I'm aware of. One is open wi-fi where anyone can "sniff" unencrypted transmissions. The other is a trojan/keylogger infection that can grab your data as you type it into a browser, etc. I don't see how data could be intercepted on route to your PC, unless we're talking CIA :)" }-
-{ Quote: "I don't see how data could be intercepted on route to your PC, " }-
But sniffing unencrypted transmissions is the same thing as intercepting traffic on route to your PC is it not?
arran
June 15th, 2009, 09:55 PM
-{ Quote: "
Good idea. But many proxies are insufficient to filter smuggling requests it must be a very good one." }-
But the difference is that no one can target you individually, they can of course
target the unencrypted traffic going out from the proxy server IP, but they wouldn't know whose traffic it is.
And good proxy servers are normally behind a layer 7 hardware firewall, much better than the general home user.
CoolWebSearch
June 16th, 2009, 01:29 AM
-{ Quote: "It might help you to think about how we came to use the word "virus" with computers in the first place. Malware can be exactly like a germ - unseen, located where you might least suspect it, but easy to catch. Virus=germ=unseen. Things aren't always as they seem. Hope that analogy (albeit simple) might help." }-
I'm sorry, but from your word and the words of others, my security should have been compromised at least 100 times, literally, and it just does not happen.
I have never picked up a malware or anything else compromising, really.
I'm quite sure that there are people here who can offer the same experience.
SystemJunkie
June 16th, 2009, 02:56 AM
-{ Quote: "But the difference is that no one can target you individually, they can of course
target the unencrypted traffic going out from the proxy server IP but they wouldn't know who's traffic it is.
And good proxy servers are normally behind a layer 7 hardware firewall, much better than the general home user." }-That's true, not directly targeting, but what happens with the packets? They will be reduced or even minimized.
Instead of a broken pipe you now have a leaky water faucet.
SystemJunkie
June 16th, 2009, 03:01 AM
-{ Quote: "I don't see how data could be intercepted on route to your PC, unless we're talking CIA " }-What CIA can do others also could do.
-{ Quote: "Can we please talk about these MITM attacks in the other thread because, while I don't find this subject alarming, I do find it fascinating, and would like to learn more." }-Agree.
LockBox
June 16th, 2009, 05:36 AM
-{ Quote: "I'm sorry, but from your word and the words of others, my security should have been compromised at least 100 times, literally, and it just does not happen.
I have never picked up a malware or anything else compromising, really. I'm quite sure that there are people here who can offer the same experience." }-
I hear this a lot. But think of the logic. People are killed while crossing streets every day. Yet, I don't pretend it's not a risk simply because I have crossed the streets thousands of times without ever being injured. Drug side-effects kill thousands every year. However, I can't claim that such and such a drug must be safe (even if it has killed a bunch of people) because I took it and was just fine. There are tons of analogies like this. The logic of "it hasn't happened to me," just doesn't compute. Nobody breaks a hip by falling on the ice - until they do. Nobody gets their house blown away in a tornado - until they do. Taking your logic to the extreme, nobody has ever been murdered - until they were murdered; that doesn't mean they were safe from murder before because they had never been murdered (until they were). I hope I'm making sense as I am trying to show how the logic you are using is flawed in a way that is....well....logical.
CoolWebSearch
June 16th, 2009, 07:22 AM
-{ Quote: "I hear this a lot. But think of the logic. People are killed while crossing streets every day. Yet, I don't pretend it's not a risk simply because I have crossed the streets thousands of times without ever being injured. Drug side-effects kill thousands every year. However, I can't claim that such and such a drug must be safe (even if it has killed a bunch of people) because I took it and was just fine. There are tons of analogies like this. The logic of "it hasn't happened to me," just doesn't compute. Nobody breaks a hip by falling on the ice - until they do. Nobody gets their house blown away in a tornado - until they do. Taking your logic to the extreme, nobody has ever been murdered - until they were murdered; that doesn't mean they were safe from murder before because they had never been murdered (until they were). I hope I'm making sense as I am trying to show how the logic you are using is flawed in a way that is....well....logical." }-
I think this is a wrong analogy, since when I cross a street my eyes in this case are my firewalls, so it depends on my eyes whether the car is going to kill me. Obviously, people just don't pay attention to that. Drug side effects?
That's comparable to opening all ports on your computer, and your computer having malware side effects. It all depends on just how much you want your security to get compromised.
If you went by the dangers the internet offers, I would never buy a router or modem, and I would never connect to the net, and yet I'm surfing without any trouble; no one has yet shown interest in breaking through my protection, or they couldn't.
I simply think people make too many exaggerated statements about security getting compromised. So what if big brother is watching me now?
I honestly don't care until some malware enters my computer, so far it just didn't happen.
Of course, mostly it depends on the surfer, but I have learned lessons from near past, and now everything is just ok.
But someone has yet to prove that my computer's security is compromised.
Wildest
June 16th, 2009, 09:30 AM
-{ Quote: "
Of course, mostly it depends on the surfer, but I have learned lessons from near past, and now everything is just ok.
But someone has yet to prove that my computer's security is compromised." }-
I think this is not the optimum approach.
It is like saying that since no one has yet proven that you have cancer, you don't have cancer.
If you have a computer connected to any network, there is always a possibility that your security has been compromised without your knowledge.
Wildest
June 16th, 2009, 09:53 AM
-{ Quote: "The mod must have read my thoughts, that was also my thought to split the topic.
" }-
I was pleasantly surprised to see this new thread, although I hope the addition of the "Big Brother" in the title doesn't detract from serious discussion about this HTTP smuggling & splitting thing.
For example, "Who is behind this and why?"
Questions like those allow for answers rife with speculation and conjecture.
Since nothing can be proven, no conclusions can be made, and the dialog just goes around and around.
-{ Quote: "Good idea. But many proxies are insufficient to filter smuggling requests it must be a very good one." }-
I believe I do not have enough knowledge about this smuggling/splitting to ask a thought-provoking question and the procedure involved appears quite complicated.
I think I will start educating myself by reading this HTTP specification over a few cups of coffee.
Mrkvonic
June 16th, 2009, 10:15 AM
Can you please tell me what the fuss is all about?
Mrk
pandlouk
June 16th, 2009, 11:21 AM
Some explanation for the questions raised before (I'll try to keep it very very simple without getting in details).
-----------------------------------
About 'man in the middle attacks':
'Man in the middle attack' is when someone intercepts your traffic between your computer and its destination.
"your pc" <=> "attackers pc" <=> "remote destination"
The most common situations that it can happen:
1. unsecured public wifi networks
2. home not protected wifi networks
3. internet lan-type connections. (if your ISP provider is good it won't happen)
4. vpn or tunneling connections (if you do not trust the provider do not use them).
5. malicious proxy providers
How you can protect yourself:
a. Never use user names, passwords or other sensitive data through unencrypted protocols. Examples: use HTTPS instead of HTTP, Skype instead of MSN, etc.
b. Applies to 1, 2, 3 and 4: if possible use a firewall that can protect against ARP poisoning attacks, or that at least can warn you about those attacks.
----------------------------------------
About http splitting and http smuggling:
SystemJunkie at least exaggerates. I am not a big fan of conspiracy theories or anything like that.
Are they dangerous? Yes, especially because you will not notice them. Although it is a subject where I have limited knowledge, I'll try to give some simple explanations.
They can be used:
1. to attack the cache server.
2. to attack your browser.
1. In this case they are used mainly for redirections. For example, you request page X and instead of that you are redirected to page Y of the same site or even to another site.
2. When they are used to attack the browser they can be used for either redirections, exploiting, drive by downloads and buffer overflows.
How you can protect yourself:
1. Install Snort (http://www.snort.org/start/requirements) on your machine (it can block some of these attacks).
2. Set your browser to always clear its cache, cookies, etc. when you close it.
3. When you want to do online shopping or to log in to an important site, close all the tabs, clear the browser cache, and close and reopen your browser.
---------------------------
hope it helps,
Panagiotis
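As an added example, not code from the thread or from any poster, here is the kind of check pandlouk's point (b) refers to: a small ARP-table monitor in Python. It compares two snapshots of an `arp -a`-style table (both constructed here; the table format and the gateway address are assumptions, adjust the regex for your OS) and raises an alert when the gateway's MAC changes or when one MAC starts answering for several IPs, the two symptoms of ARP poisoning that arpwatch-style tools look for.

```python
"""Watch an ARP table for the symptoms of ARP poisoning (constructed example).

Two snapshots of an `arp -a`-style table are compared.  An ARP poisoning
man-in-the-middle shows up as the gateway IP suddenly mapping to a different
MAC, or as one MAC answering for several IPs (the attacker's card claiming
both the gateway and a victim).  Table format and addresses are assumptions.
"""
import re

# Constructed snapshot: what the table looked like before anything happened.
BASELINE = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed snapshot taken later: the gateway now resolves to the MAC of
# 192.168.1.20, the classic sign that 192.168.1.20 is poisoning the table.
SUSPECT = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           66-77-88-99-aa-bb     dynamic
  192.168.1.20          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, MAC in dash or colon form, entry type.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.MULTILINE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form.
    The broadcast filler entry is dropped; it is never a host."""
    table = {}
    for ip, mac, _entry_type in _ENTRY.findall(text):
        mac = mac.lower().replace("-", ":")
        if mac == BROADCAST:
            continue
        table[ip] = mac
    return table


def detect_arp_anomalies(baseline, current, gateway_ip):
    """Compare two parsed tables and return a list of alert strings.

    Two checks, the same ones arpwatch-style tools perform:
      * an IP whose MAC changed since the baseline (a "flip-flop"),
        labelled GATEWAY when it is the default gateway;
      * a MAC that now answers for more than one IP.
    """
    alerts = []
    for ip, old_mac in baseline.items():
        new_mac = current.get(ip)
        if new_mac is not None and new_mac != old_mac:
            what = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"{what} {ip} changed MAC {old_mac} -> {new_mac}")
    # Invert the mapping to find MACs claiming several IPs.
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


def check_snapshots(baseline_text, current_text, gateway_ip="192.168.1.1"):
    """Parse both snapshots and run the anomaly checks; returns the alert list."""
    return detect_arp_anomalies(parse_arp_table(baseline_text),
                                parse_arp_table(current_text), gateway_ip)


if __name__ == "__main__":
    for alert in check_snapshots(BASELINE, SUSPECT):
        print("ALERT:", alert)
```

Run it periodically against the live table (or feed it the output of your own `arp -a`) and a poisoned gateway entry shows up as two alerts at once; a quiet network produces none. A static ARP entry for the gateway is the traditional mitigation this check complements, not replaces.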
Victek123
June 16th, 2009, 11:23 AM
-{ Quote: "But sniffing unencrypted transmissions is the same thing as intercepting traffic on route to your PC is it not?" }-
Unencrypted transmissions over a wireless connection can be easily "sniffed" FROM your PC, because you're broadcasting in the open. That's different from traffic being intercepted on route TO your PC. The primary concern is protecting information that you intentionally transmit, such as the logon credentials to your online banking account or your credit card number during an online transaction. The bad guys don't care where your credit card number is going, they just want to capture it. The point is you can almost completely protect yourself from this kind of attack by keeping your system clean and encrypting your data. Use a VPN when you're on open wi-fi and only enter sensitive information on secure websites (the ones that use SSL and show the "lock" symbol in the browser). For data to be intercepted on route TO your PC I believe you would have to be intentionally targeted, hence my reference to the CIA :-X
Keyboard_Commando
June 16th, 2009, 11:32 AM
CoolWebSearch.
Virtually all the main firewall vendors leave ARP protection as optional. I think that pretty much sums up the likelihood average users are going to be a victim of this.
The average user is most vulnerable in ad hoc situations. You have to protect yourself with the strongest encryption available to you, ultra obnoxiously difficult passwords, a decent VPN solution, and caution about who is looking over your shoulder. All the basics of network/internet sensibility still apply.
SystemJunkie
June 16th, 2009, 01:19 PM
I think everyone is affected, when it comes to HTTP-poisoned-attachments.
Nobody can use HTTPS permanently. Sometimes you want to use search engines, and then you are already part of the game. HTTP is totally insecure and a perfect eldorado for all secret orgs. Related to VPN, maybe someone can post some links to good, simple, reliable and easy-to-use VPNs for everyone in here.
Concerning Snort, the service doesn't want to start on my Vista 64 system and it looks like a special art to use it. It probably needs a lot of practice and time until someone can use it effectively.
Incredible that there is no simple solution to avoid these ugly damn little poison packets. I studied them, but I hate to read their primitive communications, how they track each and everything on this planet and how disrespectful, cold and crude they talk about people. Actually I avoid using my sniffer.
Victek123
June 16th, 2009, 02:51 PM
For open wi-fi hotspots I've been using Hotspot Shield from AnchorFree. This is a free (ad driven) VPN service. When the service is active a small ad is placed at the top of the webpage. It's not very intrusive and if this bugs people you can use Opera (the ads don't appear). They collect the usual data so they can target the ads. Read the privacy policy after installing and connecting to the service (it's not available on the home page). The problem with a VPN service of course is you're trusting they won't abuse your personal information. It would be nice to read some third party reviews about the trustworthiness of the service.
www.hotspotshield.com
arran
June 16th, 2009, 08:39 PM
-{ Quote: "
----------------------------------------
About http splitting and http smuggling:
SystemJunkie at least exaggerates. I am not a big fan of conspiracy theories or anything like that.
Are they dangerous? Yes, especially because you will not notice them. Although it is a subject where I have limited knowledge, I'll try to give some simple explanations.
They can be used:
1. to attack the cache server.
2. to attack your browser.
1. In this case they are used mainly for redirections. For example, you request page X and instead of that you are redirected to page Y of the same site or even to another site.
2. When they are used to attack the browser they can be used for either redirections, exploiting, drive by downloads and buffer overflows.
How you can protect yourself:
1. Install Snort (http://www.snort.org/start/requirements) on your machine (it can block some of these attacks).
2. Set your browser to always clear its cache, cookies, etc. when you close it.
3. When you want to do online shopping or to log in to an important site, close all the tabs, clear the browser cache, and close and reopen your browser.
---------------------------
hope it helps,
Panagiotis" }-
Thanks for the reply pandlouk
I think most of us here already have sufficient protection from drive-by downloads.
Like I said before, it's more of a nuisance and privacy issue rather than an actual security issue on your PC,
the nuisance being the fact that you can't load the correct web page, i.e. redirections.
I have browser cache and global cookies blocked/disabled, and it is harder for my browser to be directly attacked because it doesn't even connect to the internet itself; it sits behind either Ad Muncher or Proxomitron, which acts as a proxy.
I would probably set up an SSH tunnel before I installed Snort though.
arran
June 16th, 2009, 09:03 PM
Regarding HTTPS/SSL:
I wouldn't use HTTPS/SSL and I don't trust it. Blue Coat, which a lot of ISPs use, can literally decrypt and look into HTTPS/SSL traffic.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/106cf640-c31c-2b10-2a84-cfb7ff000710
http://www.bluecoat.com/news/pr/2129
http://news.cnet.com/Blue-Coat-to-cleanse-encrypted-traffic/2100-1029_3-5940533.html
Last year I was having certificate problems because my old ISP was playing middle-man games when I was trying to log into secure websites with HTTPS.
So I set up an SSH tunnel and logged into the HTTPS websites inside my SSH tunnel.
Wildest
June 16th, 2009, 11:36 PM
-{ Quote: "Regarding HTTPS/SSL:
I wouldn't use HTTPS/SSL and I don't trust it. Blue Coat, which a lot of ISPs use, can literally decrypt and look into HTTPS/SSL traffic.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/106cf640-c31c-2b10-2a84-cfb7ff000710
http://www.bluecoat.com/news/pr/2129
http://news.cnet.com/Blue-Coat-to-cleanse-encrypted-traffic/2100-1029_3-5940533.html
Last year I was having certificate problems because my old ISP was playing middle-man games when I was trying to log into secure websites with HTTPS.
So I set up an SSH tunnel and logged into the HTTPS websites inside my SSH tunnel." }-
Hmm.
This appears to confirm my suspicion that "privacy on the internet" is an oxymoron.
CoolWebSearch
June 17th, 2009, 01:50 AM
-{ Quote: "I think this is not the optimum approach.
It is like saying that since no one has yet proven that you have cancer, you don't have cancer.
If you have a computer connected to any network, there is always the possibility that your security has been compromised without your knowledge." }-
Yes, but as with cancer, with a computer you should/would eventually see symptoms, really.
There are zero symptoms so far.
pandlouk
June 17th, 2009, 09:02 AM
-{ Quote: "Thanks for the reply pandlouk
I think most of us here already have sufficient protection from drive-by downloads.
Like I said before, it's more of a nuisance and privacy issue rather than an actual security issue on your PC.
Nuisance being the fact that you can't load the correct web page, i.e. redirections.
I have browser cache and global cookies blocked/disabled, and it is harder for my browser to be directly attacked because it doesn't even connect to the internet directly: it sits behind either Ad Muncher or Proxomitron, which acts as a proxy.
I would probably set up an SSH tunnel before I installed Snort, though." }-
You are welcome :)
The biggest problem with splitting attacks is that they can be used for delivering exploit code in chunks (truncated into smaller pieces).
This way they can circumvent all the current defences (firewalls, AVs, HIPS).
And no, you will not notice that something is wrong, since the malicious code resides only in RAM (and is not triggered until all its chunks are loaded) and leaves no evidence whatsoever of the attack. The only way to catch it and analyse it is to perform a full dump of your RAM.
That is why I said that you should close and reopen your browser.
Panagiotis
SystemJunkie
June 17th, 2009, 10:47 AM
-{ Quote: "Like I said before, it's more of a nuisance and privacy issue rather than an actual security issue on your PC." }-Yes, it is a privacy issue, but if you think about the fact that someone could allegedly C&C a remote system with prepared UDP packets, it could become a security issue too.
-{ Quote: "The biggest problem with splitting attacks is that they can be used for delivering exploit code in chunks (truncated into smaller pieces).
This way they can circumvent all the current defences (firewalls, AVs, HIPS).
And no, you will not notice that something is wrong, since the malicious code resides only in RAM (and is not triggered until all its chunks are loaded) and leaves no evidence whatsoever of the attack. The only way to catch it and analyse it is to perform a full dump of your RAM." }-That is exactly what I wanted to express to the public as one of the most problematic threats nowadays.
Searching_ _ _
June 17th, 2009, 11:21 AM
-{ Quote: "The only way to catch it and analyse it is to perform a full dump of your RAM." }-
What tools do you recommend to dump RAM?
I have been having RAM-related trouble. The only way the problem is cleared is to remove power for 15-30 seconds. If not, the trouble will follow across reboots.
Would be interesting to see what is causing it.
Also:
I have found that Gigabit Ethernet has direct memory access. Can the malicious packets jump to other memory regions?
SystemJunkie
June 17th, 2009, 07:31 PM
What should such a RAM dump be useful for? First of all, RAM analysis takes a lot of time; second of all, then you only see their activities, but this isn't enough for prevention.
CoolWebSearch
June 18th, 2009, 01:26 AM
-{ Quote: "CoolWebSearch,
Virtually all the main firewall vendors leave ARP protection as optional. I think that pretty much sums up the likelihood that average users are going to be a victim of this.
The average user is most vulnerable in ad hoc situations. You have to protect yourself with the strongest encryption available to you, ultra obnoxiously difficult passwords, a decent VPN solution, and caution about who is looking over your shoulder. All the basics of network/internet sensibility still apply." }-
What do you suggest for encryption? I'm planning to use something/anything for encryption, but I don't know what type of encryption to rely on, since I have a router/LAN situation/protection.
Yes, an encryption would be nice.
CoolWebSearch
June 18th, 2009, 01:29 AM
-{ Quote: "I think everyone is affected when it comes to HTTP-poisoned attachments.
Nobody can use permanent HTTPS. Sometimes you want to use search engines, and then you are already part of the game. HTTP is totally insecure and a perfect El Dorado for all secret orgs. Related to VPN, maybe someone can post some links for a good, simple, reliable and easy-to-use VPN for all in here.
Concerning Snort, the service doesn't want to start on my Vista 64 system and it looks like a special art to use it. Probably needs a lot of practice and time until someone can use it effectively.
Incredible that there is no simple solution to avoid these ugly damn little poison packets. I studied them, but I hate to read their primitive communications, how they track each and everything on this planet and how disrespectful, cold and crude they talk about the people. Actually, I avoid using my sniffer." }-
If that's true, I would ask you for a favor: could you do this test while I'm on the net and surfing?
I know it's a weird request, since nobody wants to get their security compromised.
Neither do I, but I just can't help myself; it's a disease, or an obsession, when it comes to hackers...
SystemJunkie
June 18th, 2009, 06:24 AM
-{ Quote: "since nobody wants to get their security compromised." }-
Read my subtitle? There is no security. The smuggling thing is a privacy issue first; secondly, it can become a security issue too, if they want or are able to.
-{ Quote: "but I just can't help myself; it's a disease, or an obsession, when it comes to hackers..." }-
I guess it is better for your health not to dig as deep as I did. Calm down, stay relaxed. ;)
chronomatic
June 18th, 2009, 10:46 AM
-{ Quote: "Regarding HTTPS/SSL:
I wouldn't use HTTPS/SSL and I don't trust it. Blue Coat, which a lot of ISPs use, can literally decrypt and look into HTTPS/SSL traffic.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/106cf640-c31c-2b10-2a84-cfb7ff000710
http://www.bluecoat.com/news/pr/2129
http://news.cnet.com/Blue-Coat-to-cleanse-encrypted-traffic/2100-1029_3-5940533.html
Last year I was having certificate problems because my old ISP was playing middle-man games when I was trying to log into secure websites with HTTPS.
So I set up an SSH tunnel and logged into the HTTPS websites inside my SSH tunnel." }-
They do not "decrypt" SSL. What they do is nothing but a MITM attack.
SystemJunkie
June 18th, 2009, 01:56 PM
-{ Quote: "I wouldn't use HTTPS/SSL and I don't trust it. Blue Coat, which a lot of ISPs use, can literally decrypt and look into HTTPS/SSL traffic.
https://www.sdn.sap.com/irj/scn/go/p...4-cfb7ff000710
http://www.bluecoat.com/news/pr/2129
http://news.cnet.com/Blue-Coat-to-cl...3-5940533.html
Last year I was having certificate problems because my old ISP was playing middle-man games when I was trying to log into secure websites with HTTPS.
So I set up an SSH tunnel and logged into the HTTPS websites inside my SSH tunnel." }-The provider is not trustworthy at all; maybe some of the poison packets are managed by them, who knows. What I observed by net analysis is that they work very region-specifically. They observe the area where you and I are living and the people around your corner, especially those people who are very close to your home and where one connects to the net, as an example. What is very sure is that they do this surveillance and observation globally, and they always have some henchmans only some meters or some houses away from your home. I am 100% convinced about that; I did a lot of network forensics over the past two years, I watched what they talked about, which people were affected and so on. I had no problems deciphering a lot of their fragged, scrambled and anagrammed packets. Whether this was/is ISP, internet mafia, CIA, M$, NSA, BND or some other secret orgs doesn't matter; only seeing how they work and communicate was of interest to me. These hidden groups and secret organizations have a superior position to all of us usual citizens because their informational advantage is unimaginable.
chronomatic
June 18th, 2009, 02:14 PM
-{ Quote: "The provider is not trustworthy at all; maybe some of the poison packets are managed by them, who knows. What I observed by net analysis is that they work very region-specifically. They observe the area where you and I are living and the people around your corner, especially those people who are very close to your home and where one connects to the net, as an example. What is very sure is that they do this surveillance and observation globally, and they always have some henchmans only some meters or some houses away from your home. I am 100% convinced about that; I did a lot of network forensics over the past two years, I watched what they talked about, which people were affected and so on. I had no problems deciphering a lot of their fragged, scrambled and anagrammed packets. Whether this was ISP, internet mafia, CIA, M$, NSA, BND or some other secret orgs didn't matter; only seeing how they work and communicate was of interest to me." }-
Ummm hmmm.
SystemJunkie
June 18th, 2009, 02:21 PM
Fact is, they are there, and it would be better if they weren't where they are.
Mrkvonic
June 18th, 2009, 02:44 PM
The most amazing thing is that they let you talk about all this instead of vanishing you .... hmmm ....
Mrk
SystemJunkie
June 18th, 2009, 05:32 PM
-{ Quote: "The most amazing thing is that they let you talk about all this instead of vanishing you .... hmmm ...." }-That makes you wonder, and it doesn't make me wonder that you think that simply and awkwardly. :o
arran
June 18th, 2009, 05:34 PM
-{ Quote: "They do not "decrypt" SSL. What they do is nothing but a MITM attack." }-
True, but they do have the ability to decrypt, though.
Back to the topic at hand.
We need to discuss:
1. Ways of filtering out HTTP smuggling & splitting traffic.
2. Is your PC strong enough to withstand such an attack if HTTP smuggling & splitting traffic gets in?
So how would a layer 7 DPI hardware firewall cope with filtering out HTTP smuggling & splitting traffic? What about Proxomitron?
-{ Quote: "You are welcome :)
The biggest problem with splitting attacks is that they can be used for delivering exploit code in chunks (truncated into smaller pieces).
This way they can circumvent all the current defences (firewalls, AVs, HIPS).
And no, you will not notice that something is wrong, since the malicious code resides only in RAM (and is not triggered until all its chunks are loaded) and leaves no evidence whatsoever of the attack. The only way to catch it and analyse it is to perform a full dump of your RAM.
That is why I said that you should close and reopen your browser.
Panagiotis" }-
A good HIPS which monitors system memory and limits the permissions your browser has should be able to prevent such attacks??
SystemJunkie
June 18th, 2009, 05:38 PM
-{ Quote: "What about Proxomitron?" }- Doesn't look promising; not comfortable and buggy, AFAIK.
-{ Quote: "A good HIPS which monitors system memory and limits the permissions your browser has should be able to prevent such attacks??" }-
No. No chance. 0. The packets attach themselves at the end of usual HTTP traffic; sometimes they are embedded in different file types, a kind of stego.
-{ Quote: "1. Ways of filtering out HTTP smuggling & splitting traffic." }-
One thing is sure: no software firewall can do that, nor will any usual router be able to block it.
Firewall IP blacklisting and VPN/tunneling combined with very good proxies can limit their activities, but not totally stop the "tao water", AFAIK.
arran
June 18th, 2009, 05:53 PM
-{ Quote: "Doesn't look promising; not comfortable and buggy, AFAIK." }-
Not comfortable and buggy? Well, I don't find it buggy; it's quite a stable app.
-{ Quote: "No. No chance. 0. The packets attach themselves at the end of usual HTTP traffic; sometimes they are embedded in different file types, a kind of stego." }-
OK, let's get back to your and pandlouk's original statement.
-{ Quote: "-{ Quote: "You are welcome :)
The biggest problem with splitting attacks is that they can be used for delivering exploit code in chunks (truncated into smaller pieces).
This way they can circumvent all the current defences (firewalls, AVs, HIPS).
And no, you will not notice that something is wrong, since the malicious code resides only in RAM (and is not triggered until all its chunks are loaded) and leaves no evidence whatsoever of the attack. The only way to catch it and analyse it is to perform a full dump of your RAM.
Panagiotis" }-
That is exactly what I wanted to express to the public as one of the most problematic threats nowadays." }-
-{ Quote: "Yes, it is a privacy issue, but if you think about the fact that someone could allegedly C&C a remote system with prepared UDP packets, it could become a security issue too." }-
Specifically what type of security issue? Are you saying it is able to plant a virus or trojan? Can you elaborate more?
SystemJunkie
June 18th, 2009, 06:10 PM
-{ Quote: "Not comfortable and buggy? Well, I don't find it buggy; it's quite a stable app." }-I am not sure if we mean the same thing; it was a sort of proxy manager, but when I tested it (a long time ago...) it crashed and made difficulties.
-{ Quote: "Specifically what type of security issue? Are you saying it is able to plant a virus or trojan? Can you elaborate more?" }-That is a difficult story, because it is not much talked about and it is highly specific; likely the majority don't know that it exists. It is no visible virus or trojan; it is so damn subtle. Probably it will only appear in RAM, usually nobody will notice it, except when they test new PoCs of their "matrix system". The whole system works in a kind of viral stream packets.
It is not known if these effects are part of it, but several people noticed the same: sometimes it has side effects, you see some tiles at the top of your browser, or when you play a game and everything freezes, the tiles also appear in game hangs. That is what people call the malicious BIOS script. It is assumed that this script is used as an OS-independent control mechanism. You should also check the ACPI and Malware topic of Searching; several people see connections here.
It reacts like a moody beast; IMHO it is also able to breach security setups. I would go so far as to say that it is one of their trainings to destroy the latest firewall setups of citizens. But it doesn't happen regularly; it is an irregular thing, like waves in the ocean. Not really predictable.
The latest issue of this moody control monster is best described by Searching; I have a similar issue on one system:
-{ Quote: "It appears to be related to the temperature of the CPU when trying to do scans in safe mode.
Time varies to shutdown. Only occurs while using Windows.
The fan just doesn't come on. When it reaches the threshold temperature, it shuts down.
I spent over an hour in this loop of trying to get into safe mode; the computer shuts off.
When in Linux I don't have any issues. Fan runs, temps OK. No shutdown issues.
What malwares might attack/use power management?" }-
This is a very present attack PoC of theirs, in this case specifically for Windows systems, as it seems.
It is an ACPI fake temperature overkill issue that inevitably leads to auto shutdown on Windows systems:
it fakes the temperature readout, which in turn forces Windows to shut down. Don't ask me why they test this, but it is the most recent attack and I guess it comes out of this global http-smuggling-eye.
LowWaterMark
June 18th, 2009, 07:22 PM
SystemJunkie, you are doing it again! You are taking something that is real and extrapolating something totally unrealistic from it.
HTTP smuggling & splitting are real types of attacks. They are, in the simplest terms, ways of getting data to pass through the protections of firewalls or other application defenses. They are not in and of themselves a form of malware.
Getting data through a firewall and getting it past an application verification routine, on its own, won't do anything. That data must still trigger some other form of infection or exploitation. These might include: corrupting the contents of a cache server; injecting XSS exploits into user web accesses; causing buffer overflows in the applications themselves; or using any of the other normal infection vectors.
HTTP smuggling & splitting attacks are not magic. By assigning these unstoppable, supernatural powers to them, which many of your posts here are doing, you are grossly exaggerating their uses, and just spreading the most extreme form of FUD.
And, all the stuff about a "global http-smuggling-eye", "a moody beast" and, of course, "hidden groups and secret organizations" that globally have "some henchmans only some meters or some houses away from your home" is just way over the top! ("henchmans", some meters away from "all of us", world-wide... How many millions of henchmans are on the payroll exactly? :what: )
Any hope of talking about the actual, far less sensational and non-magical truths regarding HTTP smuggling & splitting is totally lost in the paranoid conspiracy-theorist nonsense posted in this thread.
If people want to talk about the actual technical properties of these attack methods, start a new thread. But stick to reality, not any of this global conspiracy, X-Files/Matrix-like, uber-monitoring, hidden-monster, new-world-order nonsense.
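An added defender-side example, not code from this thread or from any product named in it, tying together arran's question about filtering such traffic and LowWaterMark's point that these attacks are parser disagreements rather than malware: it flags the Content-Length/Transfer-Encoding disagreements that request smuggling relies on, and rejects CR/LF in values about to be echoed into a response header, which is what response splitting relies on. The function names and sample messages are constructed for illustration.

```python
"""Added example: header-level checks for HTTP request smuggling and
response splitting.  Sample messages below are constructed, not captured."""
from __future__ import annotations
import re

# CR, LF or NUL inside a header value lets a client read what follows as
# extra header lines or even a second response (response splitting).
_SPLIT_RE = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Return value unchanged if it is safe to place in a response header,
    otherwise raise; use this before echoing user input into Location,
    Set-Cookie and similar headers."""
    if _SPLIT_RE.search(value):
        raise ValueError("CR/LF/NUL not allowed in a header value")
    return value


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw request head into request line and (name, value) pairs.
    Names are lower-cased; raw (unstripped) names are kept for the checks."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def smuggling_indicators(raw: bytes) -> list[str]:
    """Return the reasons a request could be sized differently by two
    parsers (front end vs. back end); an empty list means no indicator."""
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n.strip() == "content-length"]
    te = [v for n, v in headers if n.strip() == "transfer-encoding"]
    reasons = []
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        reasons.append("conflicting duplicate Content-Length headers")
    if any(not v.isdigit() for v in cl):
        reasons.append("non-numeric Content-Length")
    if any(v.lower() != "chunked" for v in te):
        reasons.append("Transfer-Encoding value is not plain 'chunked'")
    if any(n != n.strip() for n, _ in headers):
        reasons.append("whitespace around a header name")
    return reasons


# Constructed samples: one ordinary request, one with the CL/TE conflict.
CLEAN_REQUEST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Length: 11\r\n\r\nuser=a&pw=b")
CLTE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for req in (CLEAN_REQUEST, CLTE_REQUEST):
        print(smuggling_indicators(req) or ["ok"])
```

A front-end proxy that rejects any request with a non-empty indicator list (rather than guessing which header wins) removes the disagreement the attack needs; the same idea is what a layer 7 DPI box or Proxomitron filter would have to implement.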
Copyright ©2002 - 2012, Wilders Security Forums