Firefox 3.5 and IE8 Abused to Spy Inside Intranets
By using HTTP requests as pseudo pings
http://news.softpedia.com/news/Firefox-3-5-and-IE8-Abused-to-Spy-Inside-Intranets-117269.shtml
Two security researchers have devised proof-of-concept "ping sweeping" attacks, which leverage on the new Cross-Origin Resource Sharing implementation in Firefox 3.5, as well as the one already existing in Internet Explorer 8. A design weakness can allow attackers to remotely map Web servers on an internal network by using HTTP requests as pings.
XMLHttpRequest is a common API used in AJAX libraries in order to send HTTP requests directly to web servers and return the results as XML or plain text directly into the scripting language. In previous browser implementations, XMLHttpRequest was limited by the JavaScript same origin policy, meaning that HTTP or HTTPS requests could only be sent by an application to the domain that loaded it.
All of that changed with the introduction of the Cross-Origin Resource Sharing (CORS) specification, which allows such requests to be made cross-site. For security purposes, the specification requires the exchange of specific headers, which servers can use to enforce origin-domain restrictions.
However, as reputed Web security researcher Robert "RSnake" Hansen points out, even if with such resource-accessing restrictions are put in place, the ability to make the request itself can be abused. "Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so that initial request can be used as a pseudo 'ping' sweep," he explains.
Obviously, this is not a real ICMP ping, but an HTTP variant, which can still be used to "tell if the site is there or not because it will either return immediately […] or it will wait around much longer […] before the browser gives up." By leveraging on this architectural weak spot, Hansen claims that a "substantial amount of internal address space" can be scanned for web servers rather quickly.
In order to support his theory, the researcher has created a PoC example, which scans a limited number of intranet IP addresses if the client visiting the page is behind a local router. It is also worth mentioning that port 80 does not necessarily have to be opened in order for this attack to work.
Fortunately, the popular NoScript Firefox extension can be used to mitigate the issue, because of its ABE (Application Boundaries Enforcer) component. Disabling JavaScript globally, something which NoScript does by default, will also block such attacks.
However, Internet Explorer 8 has its own proprietary variant of XMLHttpRequest too. It is called XDomainRequest and is implemented using the same Cross-Origin Resource Sharing specification. Inspired by RSnake's idea, another application security researcher, going by the online handle of Inferno, has devised a similar attack against Microsoft's browser.
----------
Malware is their Business…and Business is Good!
I cribbed the title from Megadeth - I admit it. However when looking at this year’s growth in malware it seems disturbingly appropriate. Economic downturn globally or not, malware production continues at a record setting pace because this is how many cybercriminals make their money (malware long ago stopped being about fun and bragging).
We here at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL 2008. This is quite something when you consider that in 2008 we saw the greatest growth in malware ever:
...
----------
Solar storms have caused serious disruptions
This is the second of a three-part summary of a recent National Research Council report Severe...
Rerouted flights cost airlines $10,000 to $100,000 per flight. Numerous anomalies were reported by deep space missions and by satellites at all orbits. GSFC Space Science Mission Operations Team indicated that approximately 59% of the Earth and Space science missions were impacted. The storms are suspected to have caused the loss of the $640 million ADEOS-2 spacecraft. On board the ADEOS-2 was the $150 million NASA SeaWinds instrument. Due to the variety and intensity of this solar activity outbreak, most industries vulnerable to space weather experienced some degree of impact to their operations.
----------
UK couple chases bank over 'phantom' withdrawals
When Emma Woolf of London logged into her online account with Abbey National bank in early March,...
----------
"Panda Burning Incense" author to work in “Computer Security”
According to Yangtze River News, the author of the virus “Panda Burning Incense,” is due to be released from prison at year’s end and plans on working in computer security. Li Jun, also known as the “Virus King,” designed the “Panda Burning Incense” virus that wreaked havoc across the Chinese internet from December of 2006 to January of 2007. The virus infected between 300-500,000 computers daily; with at least 10 million infected in total. The virus earned Li between 3-5,000 yuan each day and the highest day’s income was 10,000 yuan.
----------
43 Minutes LateIs Out, Circuit Rules
By JEFF GORMAN
(CN) - A creditor is not entitled to participate in bankruptcy proceedings because it missed the filing deadline by 43 minutes, the 7th Circuit ruled.
----------
Companies offer to pay breach fines
Chuck Miller July 21, 2009
Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach.
----------
Web browser flaw enables attacks against EV SSL
Angela Moscaritolo July 21, 2009
Two security researchers are set to show how, due to a common browser vulnerability, extended-validation SSL certifications don't offer much more protection than traditional certs.
----------
Industry group releases software integrity framework
Dan Kaplan July 21, 2009
Not enough emphasis is placed on the integrity of software, according to a software assurance group, which hopes to change that mentality with a new framework.
----------
Author of Torture Memos Pranked in Classroom
John Yoo, a former deputy attorney general who has faced intense criticism for authoring constitutionally-questionable memos justifying torture and the government’s warrantless wiretapping program, was confronted last week during a lecture he was giving on international law at Chapman University School of Law, a private school in Southern California.
After Yoo mentions the Constitution during his lecture, and asks the students if they have any questions, an Australian comedian from the show Chaser’s War on Everything is seen wearing a black hooded robe and standing on top of his desk with his arms outstretched, recalling one of the most iconic images of U.S. torture captured in the now-infamous Abu Ghraib photos.
The comedian says, “Actually, Professor, I’ve got one question. Uhm, how long can I be required to stand here ’til it counts as torture?”
----------
'Freak With Bullhorn' Visits Verizon CEOAfter easily purchasing his cell information online...02:18PM Wednesday Jul 22 2009 by Karl Bode
Apparently Verizon's recent shiny privacy facelift didn't impress some people. The Consumerist points to one self-proclaimed "freak with bullhorn" from Zug.com who visited the home address of Verizon CEO Ivan Seidenberg to complain about lax privacy policies, after he was easily able to buy the CEO's personal cell phone information online. Verizon faced a privacy backlash earlier this year over the way the carrier shares privacy information within the Vodafone/Verizon family of companies. Seidenberg never appears during the somewhat useless but amusing effort, a video of which is here. When Verizon recently proclaimed that consumer protection laws weren't needed because public shame would keep the company honest, it's doubtful that this is what they had in mind.
----------
Australian Police Start War DrivingWill fight against unsecured APs for 'mum, grandma and grandpa...'01:09PM Tuesday Jul 21 2009 by Karl Bode
According to the Sydney Morning Herald, The Queensland Police "fraud squad" is crowing about being the first police force in the world to drive around scanning for open Wi-Fi hotspots, warning AP owners that they need to tighten up security. Detective Superintendent Hay tells the Herald that "it was illegal to use someone else's network bandwidth without their permission," though in most countries the laws are unclear on the subject. Trying to bring down the world's largest free ISP (linksys) is probably an uphill battle, though Hay tells the paper the effort will "save mum, grandma and grandpa from losing their life savings, having their identity stolen or losing their kids' inheritance."
----------
Tiburon Wants To Photograph Every Car Entering And Leaving... But Don't Worry About Your Privacy
Tiburon is a nice little wealthy coastal town a little ways north from where I happen to live. It's a cozy place to go for a nice meal out or something -- usually somewhere I'll take visiting friends or relatives. It's certainly not a place where you'd expect there to be a big crime problem, and, indeed, the facts seem to bear that out. But, apparently, that's not stopping the local gov't from deciding to set up cameras to photograph and record every car entering and leaving the town. It will also record and use the license plate info. If that sounds like a bit of an invasion of privacy, well, the town's Manager, Peggy Curran, insists you're just paranoid...
----------
Chinese Worker Kills Himself over Missing iPhone Prototype
A 25-year-old Chinese worker for Foxconn, Sun Danyong, has reportedly committed suicide after finding out that a fourth-generation iPhone prototype he was entrusted with went missing. According to DigitalBeat, this story is mainly meant to show how Apple’s secretive ways put a large amount of pressure all the way to the bottom of its international supply chain.
----------
Apple: iPhone adoption in the enterprise to climb
In its quarterly investor report, Apple executives said that 5.2 million iPhones were sold in the quarter, a year-over-year unit growth of 626 percent thanks to the release of the iPhone 3G S. The new iPhone is currently constrained worldwide, and managers couldn’t say when the supply problem would ease. In addition, the supply issue could slow upcoming introductions in some world markets by a number of week, executives said.
Just as interesting were the statements about acceptance of enterprise and government market customers for the iPhone. In Tuesday’s analyst conference call, Apple CFO Peter Oppenheimer said the company saw great opportunity in these markets.
According to Oppenheimer, some 20 percent of Fortune 100 companies had placed orders of 10,000 units or more. And some governmental agencies had made orders up to 25,000 units.
The security and encryption features of iPhone OS 3.0 is the difference, he said.
Check Out: Bits from Apple’s iPhone deployment guide for the enterprise
----------
Cybercrime Paper
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke.
Abstract:Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer technology. This article proposes a new model of distributed security that can supplement the traditional model and allow us to deal effectively with cybercrime.
----------
Permalink
Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.
... As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.
----------
Mind Games: How Social Engineers Win Your Confidence
Brian Brushwood, founder of Scam School, demonstrates the four simple psychological mechanisms underlying social engineering mind games.
Read more
----------
E-commerce Fraud: The Latest Criminal Schemes
Sebbe Jones, manager of fraud and disputes at 2Checkout, details the latest criminal techniques using online payment transactions.
Read more
----------
CIOs: Add Extortion to Your Worry Lists
July 21, 2009 · Comment
By Cara Garretson, Veteran Business and Technology Journalist
The idea of having confidential records shopped to competitors and then offered up for sale to the highest bidder would be enough to keep any CIO up at night. Yet, as scary as this scenario is, cyber extortion remains rare. The bigger threat - one that should legitimately keep IT professionals up at night - is on the inside.
----------
Tools for Detecting Spoofed Email Headers
July 20, 2009 · Comment
By Bozidar Spirovski, CISSP, MCSA, MCP
In the age where a huge percentage of all attacks are done through e-mail, very few of us know how to analyze where this e-mail was sent from. This analysis must go beyond the sender e-mail displayed in your e-mail client (which are easily spoofed). Here is a simple tutorial on analyzing Internet headers.
----------
Lawmakers: Electric utilities ignore cyber warnings
The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S. lawmakers said today.
The electric industry has pushed against federal cybersecurity standards and some utilities appear to be avoiding industry self-regulatory efforts by declining to designate their facilities or equipment as critical assets that need special protection, said U.S. Rep. Yvette Clarke, a New York Democrat and chairwoman of the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
"This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry," Clarke said.
----------
BlackBerry maker: UAE partner's update was spyware AP – 53 mins ago
DUBAI, United Arab Emirates - BlackBerry users in the Mideast business centers of Dubai and Abu Dhabi who were directed by their service provider to upgrade their phones were actually installing spy software that could allow outsiders to peer inside, according to the device's maker.
----------
Report: Shortage of cyber experts may hinder govt AP – Wed Jul 22, 6:27 am ET
AFP
WASHINGTON - Federal agencies are facing a severe shortage of computer specialists, even as a growing wave of coordinated cyberattacks against the government poses potential national security risks, a private study found.
----------
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment