Khaine
join:2003-03-03 Australia
Open The Door to the Intranet
From Slashdot:
quote: JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'
norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
Link ?
I see that the door (browser) has the same old issue. You need it to open to view sites and their information, yet you then need to shut it down to stop anything from getting in.
No wonder we all are so confused on what to do to secure ourselves.
FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FIOS
reply to Khaine quote: Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.
This gets more ridiculous by the day. Turn the damn thing off for all but your Trusted sites. -- Courage is being scared to death but saddling up anyway.
dervari
join:2000-01-17 Atlanta, GA clubs:
reply to Khaine Get a firewall that has Deep Inspection capabilities instead of these so-called "SPI" firewalls.
claudeo
join:2000-02-23 Redmond, WA
reply to Khaine Most of those vulnerabilities rely on human engineering + XSS rather than XSS alone. If you use a current version of the browser and don't engage in stupid behaviors the risks are much lower. Most of the remaining risk is caused by business considerations, not user behavior or JavaScript per se. Much of the activity on the web is funded through advertising. Most of the advertising on the web depends on cross-domain references that bring content from "foreign" servers into the same web page as the content from the servers we trust. This is sometimes not done cleanly. It is quite amazing to see how many JavaScript errors happen in web pages that use third party advertising once you put the ad servers in the restricted zone to prevent them from using JavaScript.
dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
... or use a firewall that denies those ad servers from connecting in the first place. -- Think outside the Fox... Opera
Khaine
join:2003-03-03 Australia
reply to norwegian said by norwegian : Link ? Slashdot link: »it.slashdot.org/article.pl?sid=0···/0547227
Article it's referring to: »news.com.com/JavaScript+opens+do···ubj=news »www.blackhat.com/html/bh-usa-06/···Grossman
SpannerITWks Premium join:2005-04-22
reply to Khaine Funny how no one's going over the top about it in this thread, cos it's the same exploit as in this one - »CSS beats JS 4 safer website design !
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
Both threads contain a reference to the same so-called exploit, but the two threads are entirely different. Don't worry, I don't expect you to understand that.
If it makes you feel any better, I still think this so-called exploit is just hype designed to sell a bogus protection product. -- History does not long entrust the care of freedom to the weak or the timid. -- Dwight D. Eisenhower Test your firewall. Smell the flowers.
SpannerITWks Premium join:2005-04-22
reply to Khaine NetFixer
In here - »it.slashdot.org/article.pl?sid=0···/0547227 - is this -
" An anonymous reader writes
"C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. "
The clickable link in that text goes to here - »news.com.com/JavaScript+opens+do···ubj=news - which is exactly the same link I gave in my thread - »CSS beats JS 4 safer website design !
So I understand it perfectly, it's others who seem to have difficulties, and also can't follow links etc !
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
helpmerhonda
@optonline.net
reply to dervari dervari,
care to share an example of a firewall with deep inspection capabilities? Are they suitable (and affordable) for the home/home office setting? I was thinking about getting the D-Link DSD-150 Internet Security Adapter - does that count?
PeeWee Premium join:2001-10-21 Clovis, CA clubs:
·Pacific Bell - SBC
·Comcast
said by helpmerhonda :
dervari,
care to share an example of a firewall with deep inspection capabilities? Are they suitable (and affordable) for the home/home office setting? I was thinking about getting the D-Link DSD-150 Internet Security Adapter - does that count?
I'd like to hear that answer myself. -- Nemo me impune lacessit. [No one provokes me with impunity] -- Motto of the Crown of Scotland