Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, August 04, 2006

Researchers warn over Web worms

Exploiting a lack of security checks in browsers and Web servers, Web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned.  Billy Hoffman, lead research and development researcher, SPI Dynamics In separate presentations, researchers showed off techniques for using Javascript code on Web pages to grab browser histories and scan internal networks as well as using AJAX—a technology that adds interactive features to Web sites—to create Web viruses that can steal personal information.  The threats are not only theory, but have been used to attack MySpace users and Yahoo users, said Billy Hoffman, lead research and development researcher for Web security firm SPI Dynamics.

“We went from screwing around and having fun on MySpace to an attacker harvesting e-mail addresses to sell to spammers, all in less than 8 months,” Hoffman said.

Such attacks are just an early sign of things to come, said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, who talked about Javascript threats at Black Hat.  Grossman showed off techniques for detecting which of a list of popular sites that a victim has visited and demonstrated a way to port scan an internal network to which the victim is connected, all through Javascript and without exploiting vulnerabilities.

Considered by many security researchers to be a less-than-hackerly technique used by script kiddies, phishers and spammers to fool trusting users, cross-site scripting (XSS) is a key method for injecting malicious code into a victim’s Web session.  Cross-site scripting allows a malicious Web site to inject code into the context of another Web site; a user that believes they are interacting with a popular social networking site, might instead be loading a script in from some other malicious site.

“If you don’t want your Web site to be helping spread malware, the best way to prevent it is to resolve your cross-site scripting issues,” Grossman said.

Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said.

http://www.securityfocus.com/news/11405

Posted on 08/04
WarningsPermalink