512 posts tagged “security”
2007
A typical phishing email will have a generic greeting, such as 'Dear User'. Note: All PayPal emails will greet you by your first and last name.
HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw.
E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.”
VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place.
Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics.
DNS Pinning Explained. With diagrams.
(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino.
Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection.
Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?”
E-Trade financial tried using a RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.
CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett.
Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted in to some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process.
Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta.
Safari for Windows, 0day exploit in 2 hours (via) Once again, down to handling of alternative URL protocol schemes.
Security Breach. A statement from Dreamhost.
Firefox promiscuous IFRAME access bug. Lets malicious sites “display disruptive or misleading contents in the context of an attacked site” and intercept keystrokes! The demo worked in Camino 1.5 as well. Avoid using Gecko-based browsers until this is patched?
Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one.
IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched.
Massive Dreamhost hack, WordPress not to blame
On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites.
Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post.
Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature.
XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank.
The Twitter API Respects Your Privacy. Not Twitter’s fault: The users who exposed their data through Twittervision had given that site their username and password; Twittervision was failing to hide protected updates.
There’s a hole in your Twitter. If you’ve been using friends-only messages on Twitter they may currently be exposed via the API.
Introducing http:BL (via) Project Honey Pot announce a new blacklist service for blocking comment spammers and e-mail spiders using information from their network of honey pots.
Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more.
JSON and Browser Security. Douglas Crockford suggests using secret tokens to protect JSON content, and avoiding wrapper hacks to protect unauthorised JSON delivery as they may fall foul of undiscovered browser bugs in the future.
Fortify JavaScript Hijacking FUD. Bob Ippolito points out the flaws in the recent widely disseminated JavaScript Hijacking paper. While the paper does miss some important details, it’s good that more people are now aware of the security implications involved in serving JSON up wrapped in an array.
Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago!
XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative.