Quick Search
Categories
Recommended Reading:
|
A Government Big Enough to Supply Everything You Need is Big Enough to Take Everything You Have... The Course of History Shows That as a Government Grows, Liberty Decreases. ~ Thomas Jefferson |
|
You may find links that lead to
interesting information, or there
may be links to undesirable sites.
If you find any of these undesirables,
PLEASE let us know the URLs so
we can block them from our campaign. |
Major Security Sites Hit By Cross-Stie Scripting Bugs
- 6-12-2008
- Categorized in: IDENTITY THEFT
June 12, 2008 (TechWorld.com) The Web sites of three of the security industry's best-known companies include security flaws that could be used to launch scams against customers, according to a new report.
The report, from security watchdog site XSSed, verified 30 cross-site scripting (XSS) vulnerabilities across the sites of McAfee, Symantec and VeriSign. The flaws could be used to launch scams or implant malicious code on the systems of visiting users, according to XSSed.
Recent research has shown that attackers are increasingly -- even predominantly -- now using legitimate sites to host their malware, a tactic that makes the malware distribution sites more difficult to shut down.
XSSed said its results show that even major security firms are not exempt from the problem.
In January, XSSed found that 60 Web sites that had received a "Hacker Safe" certification from McAfee Inc.'s ScanAlert service were in fact vulnerable to XSS attacks.
McAfee and other major security firms have downplayed the seriousness of XSS flaws, compared with, for instance, vulnerabilities that allow an attacker direct access to customer data stored on a server.
In recent months, the real-world exploitation of XSS flaws has boomed, exploiting major Web sites such as MySpace.com, PayPal and a major Italian bank.
Last week, ScanSafe Ltd. reported that 68% of all malware it blocked in May was found on legitimate sites that had been hacked, more than quadruple the level of a year earlier.
Such flaws can be used to steal user cookies, to steal Web site log-in credentials and to exploit users' trust of a site in other ways. In theory, they can be shut down quickly once the owner of the site is made aware of the problem.
However, the techniques used by hackers are highly automated, allowing them to "colonize" large numbers of vulnerable sites at once, ScanSafe noted. By contrast, the fixes are not necessarily so easy, researchers have noted.
In a research note in May, F-Secure Corp. noted that one legitimate site had been repeatedly hacked and used to spread malicious code, and each time, it needed to be contacted to fix the problem.
"The site cannot simply be pulled offline without collateral damage to the legitimate business. So the Web site's administrator must be contacted to repair the damage," said F-Secure researcher Sean Rowe in the note.
Reprinted with permission from Techworld. Copyright 2006 IDG, all rights reserved.
The report, from security watchdog site XSSed, verified 30 cross-site scripting (XSS) vulnerabilities across the sites of McAfee, Symantec and VeriSign. The flaws could be used to launch scams or implant malicious code on the systems of visiting users, according to XSSed.
Recent research has shown that attackers are increasingly -- even predominantly -- now using legitimate sites to host their malware, a tactic that makes the malware distribution sites more difficult to shut down.
XSSed said its results show that even major security firms are not exempt from the problem.
In January, XSSed found that 60 Web sites that had received a "Hacker Safe" certification from McAfee Inc.'s ScanAlert service were in fact vulnerable to XSS attacks.
McAfee and other major security firms have downplayed the seriousness of XSS flaws, compared with, for instance, vulnerabilities that allow an attacker direct access to customer data stored on a server.
In recent months, the real-world exploitation of XSS flaws has boomed, exploiting major Web sites such as MySpace.com, PayPal and a major Italian bank.
Last week, ScanSafe Ltd. reported that 68% of all malware it blocked in May was found on legitimate sites that had been hacked, more than quadruple the level of a year earlier.
Such flaws can be used to steal user cookies, to steal Web site log-in credentials and to exploit users' trust of a site in other ways. In theory, they can be shut down quickly once the owner of the site is made aware of the problem.
However, the techniques used by hackers are highly automated, allowing them to "colonize" large numbers of vulnerable sites at once, ScanSafe noted. By contrast, the fixes are not necessarily so easy, researchers have noted.
In a research note in May, F-Secure Corp. noted that one legitimate site had been repeatedly hacked and used to spread malicious code, and each time, it needed to be contacted to fix the problem.
"The site cannot simply be pulled offline without collateral damage to the legitimate business. So the Web site's administrator must be contacted to repair the damage," said F-Secure researcher Sean Rowe in the note.
Reprinted with permission from Techworld. Copyright 2006 IDG, all rights reserved.
|
The Aim of Public Education is Not to Spread Enligtenment at All; It is Simply to Reduce as Many Individuals as Possible to the Same Safe Level, to Breed a Standard Citizenry, to Put Down Dissent and Originality. ~ HL Mencken |
|
The Cure for Health Care and Indigenous Power is to Remove the AMA and FDA, and Unleash the Power and Creativity of the Free Market. Many People Have Been Brainwashed into Thinking the State Protects Them. The Truth is the Exact Opposite. ~ Morris Fishbein |
|
You may find links that lead to
interesting information, or there
may be links to undesirable sites.
If you find any of these undesirables,
PLEASE let us know the URLs so
we can block them from our campaign. |