Category: Warnings

“We went from screwing around and having fun on MySpace to an attacker harvesting e-mail addresses to sell to spammers, all in less than 8 months,” Hoffman said.

Such attacks are just an early sign of things to come, said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, who talked about Javascript threats at Black Hat. Grossman showed off techniques for detecting which of a list of popular sites that a victim has visited and demonstrated a way to port scan an internal network to which the victim is connected, all through Javascript and without exploiting vulnerabilities.

Considered by many security researchers to be a less-than-hackerly technique used by script kiddies, phishers and spammers to fool trusting users, cross-site scripting (XSS) is a key method for injecting malicious code into a victim’s Web session. Cross-site scripting allows a malicious Web site to inject code into the context of another Web site; a user that believes they are interacting with a popular social networking site, might instead be loading a script in from some other malicious site.

“If you don’t want your Web site to be helping spread malware, the best way to prevent it is to resolve your cross-site scripting issues,” Grossman said.

Secure Sockets Layer (SSL) encryption, far from helping secure against such attacks, could instead aid them in dodging detection by intrusion detection, or prevention, systems, he said.

http://www.securityfocus.com/news/11405

Over the next year, we will see increased threat activity in the following areas: Phishing Phase II: a continued assault on personally identifiable information through web and application server manipulations; Attacks on the network infrastructure itself; Web services attacks; Mobile services exploits.

You think you are responding to a web query on a known server (the innocent fruit juice) when actually you have been redirected to a phishing site (the alcohol) by the good site. However, we have been warned so many times not to trust email that we apply much greater scepticism to it. As a result, the phishers are now applying more common hacker techniques such as HTTP request smuggling (HRS) or more common techniques such as DNS cache poisoning to cause site redirection by the trusted sites themselves. When we are on a compromised web server (i.e. the trusted site itself) we don’t have any way of easily verifying the fact that it has been compromised. In fact, this will be the major new form of phishing and I think we should be using a new term: The author proposes spyking.

The danger, as always, lies in the silent capture and exploitation of the consumer’s personally identifiable information and the loss of confidence in our e-commerce systems. This is a more dangerous threat in terms of the scale of destruction and we will continue to see its expansion.

Probably the biggest news in network security in 2005 was the exposing of the Cisco embedded web server flaw inside IOS. Every Cisco router running IOS 11.0 to 12.x was vulnerable. This also underlines the fact that 1) the embedded model of security in the network device is more dangerous than an overlay model and 2) that a monoculture (Cisco networking monopoly) is bad from a security standpoint. The enormity of the IOS flaw in terms of the number of devices affected is not to be underestimated and indeed can be viewed as a threat to national security since so many government sites use Cisco gear, too.

Thus, while not a new threat by definition, in fact the existence of unpatched systems well into next year will make it a vulnerability to watch.

With the advent of the web services revolution many vendors came out with security devices to safeguard the basic protocols of service oriented architectures (SOA). As web site developers roll out WAP enabled or 3G enabled sites, there is a strong likelihood that new vulnerabilities will be created because the technology is in its early stages of development.

http://www.it-observer.com/articles/1183/threat_landscape_future/

The pesky thing about WiFi security is that it also extends beyond the confines of the enterprise network, as Gartner notes. “Managing wireless security also involves managing users and devices when they are connected from remote branch offices, hot spots, and home offices,” says analyst Rachna Ahlawat.

http://www.darkreading.com/document.asp?doc_id=98497&WT.svl=news2_5

Customers running Windows XP SP1 must migrate to Windows XP SP2 over the next three months, or they’ll lose incident support as of Oct. 10. Microsoft also said it won’t release any more security updates for SP1 after that date. Microsoft reminded solution providers and end users Wednesday that support for Windows XP Service Pack 1 (SP1) will end Oct. 10.

During its monthly security briefing, Microsoft executives told customers to prepare their migrations over the summer. Microsoft said it’s open to signing Custom Support Agreements to extend support and hot fixes for Windows XP SP1 for eligible enterprise customers that have plans to migrate to Windows XP SP2.

Microsoft also reiterated that extended support for Windows 98, Windows 98 SE and Windows Millennium Edition (ME) will end July 11. Microsoft’s Software Update Service 1.0 reaches the end of its lifecycle on Dec. 6.

http://www.informationweek.com/windows/showArticle.jhtml?articleID=189401599

Yet it’s not only carriers that could be concerned with the type of attack Pena and Moore launched, says Seshu Madhavapeddy, CEO of VoIP security company Sipera Systems.

Madhavapeddy says these types of attacks are relatively easy to carry out and could hit at enterprises just as easily as carriers.

Infonetics Research predicts spending on VoIP will jump from $1.2 billion in 2004 to more than $23 billion in 2009.

Emerging technologies like unified communications that include voice, video, and data in one console, intended to drive collaboration through the roof, have the potential to put more and more information at the fingertips of hackers. They warn about phishing not unlike what companies and consumers see in e-mails.

And VoIP networks are just as susceptible to crippling denial-of-service attacks as are data networks, and mass calls generated by a worm could overload networks or kill productivity with ceaseless phone calls and messages.

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=CI2HW0LHSD1GKQSNDLOSKHSCJUNN2JVN?articleID=188702963

http://networks.org/?src=reuters:2006-05-31T133801Z_01_N31454900_RTRUKOC_0_US-WEATHER-HURRICANES-GRAY