Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium Member
join:2004-06-09
Daytona Beach, FL

4 recommendations

Ivybridge_I7

Premium Member

7 reasons why legitimate Websites are no longer safe

7 reasons Websites are no longer safe
By Bill Brenner | Sep 11, 2009
»www.cw.com.hk/content/7- ··· ger-safe

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.
Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.

1. Polluted ads
Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks
SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. For example, see "SQL Injection Attacks Led to Heartland, Hannaford Breaches."

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.

3. User-provided content
It doesn't take a genius to write a comment to a blog posting or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links.

"You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff," Wang said. "They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around."

4. Stolen site credentials
Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider's log-in credentials. From there it's no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor's credit card or other data.

5. Compromised hosting service
This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware
The website you visit may be perfectly safe, but if there's malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, the user can visit their online banking site, and when typing in a user name and password the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes
Finally, there's the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it--a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer--it's a sure sign of trouble.

"You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data," Wang said.

What is one to do if their website relies on ads and open access? Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.
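
The flaw described under point 2 of the quoted article, shown beside a hardened form. This is an added example, not part of the original post or the article; the table, column names, the simplified address pattern and the crafted input are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the backend of an
# "email address" form like the one the article describes.
ROWS = [
    ("alice@example.com", "tok-a"),
    ("bob@example.com", "tok-b"),
    ("o'brien@example.com", "tok-c"),  # a legitimate address containing a quote
]
CRAFTED = "x' OR '1'='1"  # constructed input that is SQL, not an address


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY, token TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?)", ROWS)
    return db


def lookup_vulnerable(db, email):
    # Flawed pattern: the form value is pasted into the statement text, so
    # the database parses whatever the visitor typed as part of the SQL.
    sql = "SELECT email, token FROM subscribers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, email):
    # The value is bound as a parameter and travels separately from the
    # statement, so it is only ever compared as data.
    sql = "SELECT email, token FROM subscribers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Simplified address shape (an assumption, not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_hardened(db, email):
    # Validate the form of the input first, then still bind it: valid
    # addresses may contain a quote, so validation alone is not enough.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("not a well-formed email address")
    return lookup_bound(db, email)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input:", len(lookup_vulnerable(db, CRAFTED)), "rows")
    print("bound, crafted input:     ", len(lookup_bound(db, CRAFTED)), "rows")
    try:
        lookup_hardened(db, CRAFTED)
    except ValueError as exc:
        print("hardened, crafted input:   rejected:", exc)
    try:
        lookup_vulnerable(db, "o'brien@example.com")
    except sqlite3.OperationalError as exc:
        print("vulnerable, o'brien:       query breaks:", exc)
    print("hardened, o'brien:        ", lookup_hardened(db, "o'brien@example.com"))
```

The concatenated query returns every row for the crafted input and fails outright on a legitimate address containing an apostrophe; the bound query treats both as plain values.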

bcool
Premium Member
join:2000-08-25

bcool

Premium Member

Sobering. Is it just plain time to pull the plug?

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

said by bcool:

Sobering. Is it just plain time to pull the plug?
Let's go back to the bulletin board system (BBS) days.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to Ivybridge_I7

Premium Member

to Ivybridge_I7
The "communications system" starting at the user's fingers on a mouse/keyboard and ending with a completed user activity involving web activity is inherently insecure in the manner in which it is usually implemented and operated, all things considered. Not that it has to be and not that it cannot be made more secure... just that it usually is insecure. There are simply too many things that have to be done "just right" on a continual and consistent basis at the computer/software installation level, at the interfacing servers, at the target website, and in the mind/habits of the user... and given the 'usual' things that are done, airtight security doesn't stand a chance. Yet, in such an environment, the grand illusion is still widespread that such users can ever "securely" use their computers to do all manner of financial or sensitive matters over the web. There are too many software/settings security weaknesses, too many determined bad guys, and too many bad user habits to have any realistic expectations of a secure Internet experience for all too many users.

Many users simply don't have a clue, even now after years of Internet security fiascos involving their computers or their data stores at various websites. Many other users simply want some installable band-aid for which they can pay a few bucks, while still continuing to practice bad user habits. Regardless, in these cases and under such conditions, any expectation of ultimately secure web activities is simply wishful thinking. And, in too many cases, the target website has as many bad security situations as the person visiting it... which is a form of "user" problem in itself, with the site operators being the relevant 'users' in that case.

Yet we are all too-often treated to glowing pretensions that a "typical" web activity/transaction can be blissfully secure, based on what (on paper and in principle) it could be - but not based on what it typically is, on a full end-to-end "communication system" basis for all too many users.

Sigh...!

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

1 edit

Dustyn to Ivybridge_I7

Premium Member

to Ivybridge_I7

is it safe....

Is BBR safe?

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to Ivybridge_I7

Premium Member

to Ivybridge_I7

Re: 7 reasons why legitimate Websites are no longer safe

The idea of avoiding "bad" websites - whether disreputable or mainstream - is just the wrong concept.

The only viable approach is to make sure, as far as reasonably possible, that your system can't be compromised regardless of what internet destinations you interact with.

This includes: don't use IE; keep browser and plugins patched up to date; use non-root/non-Administrator account; use Noscript.

Pentangle
With our thoughts we make the world.
Premium Member
join:2006-06-01
Vancouver BC

Pentangle

Premium Member

To which I would add: implement a software restriction policy for non-admin accounts and only browse the Internet from non-admin accounts.

voiplover
Premium Member
join:2004-05-28
Portsmouth, NH

voiplover

Premium Member

One simple step that you need to do is block ad sites.
I found the directions here on BBR. I'll look for them and post the link unless someone can please beat me.

Did I just say that???

DrModem
Trust Your Doctor
Premium Member
join:2006-10-19
USA

DrModem to Dustyn

Premium Member

to Dustyn

Re: is it safe....

said by Dustyn:

Is BBR safe?
BBR is a hacker engineered lie.

Pinan

join:2000-09-02
Murrieta, CA

Pinan

said by DrModem:

said by Dustyn:

Is BBR safe?
BBR is a hacker engineered lie.
Huh?

AB57
Premium Member
join:2006-04-04
equatorial

1 recommendation

AB57 to bcool

Premium Member

to bcool

Re: 7 reasons why legitimate Websites are no longer safe

said by bcool:

Is it just plain time to pull the plug?
Errr . . well, ummm . . . . no.
But, I can only speak for myself on that one.

I travel the wide world of the Web. No doubt some of the sites encountered in my travels are some of the very same that the common wisdom would advise to avoid at all costs.

Yet I seem to somehow be able to avoid downloading and installing malware on my machine. I don't think that's pure dumb luck, and I don't even begin to think I'm alone in the success of my avoidance-- in fact, quite the opposite.
I know there are those with equal, greater, and lesser security skills than myself who also manage to negotiate the WWW while at the same time maintaining an uncompromised machine.

Because there are robberies on the subway at night does not mean that anyone who travels on the subway after dark will become the victim of a robbery.

My machine stays plugged in.
But if we don't see another post from you by Christmas, we'll know that you've gone a different direction.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to swhx7

Premium Member

to swhx7
I see no reason to tell folks that warez, porn and gambling sites are just fine to visit.

I say stay away from the bad sites and that includes sites like Facebook that rob you of all privacy as well as obviously bad sites.

Also, use the Proxomitron with Sidki's latest filter set. You won't get compromised ads (or any ads) or a lot of other bad stuff like questionable IFrames and Flash Player will be toggled off at any site using it. You can toggle it on if you want to see the movie and you have Flash Player installed.

On my virtual machines, I do not have Service Packs or any Microsoft patches installed (except for the two I had to install to be able to install IE8) but I have never been infected. I have the Proxomitron (would not use the Internet without it), ProcessGuard on the XP machine and ZAPro on the Vista machine and Avira on all machines but Avira has never found an actual virus ...only FP's. I run as Admin on all the machines.

Oh, and did I say I stay the hell away from Facebook (except reading a page there if really necessary but allowing no cookies and NEVER getting an account), Yahoo (bad privacy policy), Twitter (that goes without saying), etc. People who get infected are those who are uneducated about computer security and click on any and everything, those who do not use something like Proxomitron, basically those who believe they can have their cake and eat too and who, thus, exercise no judgment such as willy-nilly clicking on any site that might have the lyrics they just absolutely have to have, etc.

It is not necessary to run as limited user unless you are unwilling to learn about computer security and practice safe hex and use a few programs such as the Proxomitron, a classic HIPS, or firewall with a good one builtin, NoScript, AdBlock, etc. It is also best to not allow Flash Player installs. But if you are addicted to it then at least use the Proxomitron or some other application so it does not open automatically at a site but only when you push the toggle switch and keep it scrupulously up to date.

CajunTek
Insane Cajun
Premium Member
join:2003-08-08
Arlington, TX

CajunTek to Ivybridge_I7

Premium Member

to Ivybridge_I7
Hmmm,

What has me wondering here is... What the heck is a safe website?

Over the past 2 years I have cleaned up folks who were infected on Fox, MSNBC, Comcast's home page, WFAA (Dallas area TV station)... and many others.. So how is this a new thing?

DrModem
Trust Your Doctor
Premium Member
join:2006-10-19
USA

DrModem

Premium Member

A page with no ads and no links.

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

VikingBob

Premium Member

And no javascript, no flash, etc....

dvd536
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ

dvd536 to Dustyn

Premium Member

to Dustyn

Re: is it safe....

said by Dustyn:

Is BBR safe?
hotmail isn't. every once in a while they try to serve an infected ad.
Bananas9
Premium Member
join:2004-08-18
Santa Barbara, CA

Bananas9 to Ivybridge_I7

Premium Member

to Ivybridge_I7

Re: 7 reasons why legitimate Websites are no longer safe

Safe or not safe, there are ways around it. Namely Portable Apps, that run off a thumb drive. Also linux in a ram session with your settings encrypted, or use a pristine save file.

It's not time to pull the plug yet, just time to re-wire.

EGeezer
Premium Member
join:2002-08-04
Midwest

1 recommendation

EGeezer to Ivybridge_I7

Premium Member

to Ivybridge_I7
I've never subscribed to the mantra of "If you don't go to dodgy sites, you're safe." Good security processes reduce exposure and mitigate damage. Sensible browsing is only one of many practices that keep systems and data safe.

Mr Neutron
Impassioned Gibberish
Premium Member
join:2005-05-30
Gorham, ME

Mr Neutron to Mele20

Premium Member

to Mele20
said by Mele20:

I say stay away from the bad sites and that includes sites like Facebook that rob you of all privacy as well as obviously bad sites.
Facebook "robs people" of their privacy entirely at their own behest.

I understand where you're coming from, and Facebook isn't exactly my favorite site, but Facebook is a prime example of a social networking site where the end lusers are fools to themselves.

If I don't choose to post any of my personal information on Facebook, they have no way of gathering any more information on me than any other site I visit (i.e. they can determine my IP address and browser). Again, I'm not a huge fan of Facebook, but let's fix the blame where it actually lies, please.

There's enough FUD floating around the InterTubes as it is.

gattaca
Premium Member
join:2003-05-28
USA

gattaca

Premium Member

said by Mr Neutron:

Facebook "robs people" of their privacy entirely at their own behest.
[. . .]
I'm not a huge fan of Facebook, but let's fix the blame where it actually lies, please.

There's enough FUD floating around the InterTubes as it is.
Actually, Facebook very much IS to blame for some privacy concerns on their website.

While Facebook provides tools that allow its users to limit who has access to their profiles, there are significant ways for user information to "leak" to other sources that the user did not explicitly allow.

For example, when one takes a Facebook "quiz" (and everyone does), their profile information AND the profile information of all of their friends is provided to the creator of the quiz.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

2 edits

1 recommendation

Selenia to Ivybridge_I7

Premium Member

to Ivybridge_I7
Thank you for the article. While I know this stuff, this is very well compiled and written to prove the point. Now, I can just point people here (instead of wasting my breath) when they tell me that they don't need to worry about security because they only go on (insert big name site here) and don't download any attachments and such. It seems many with this type of thinking are just stubborn. Maybe this *might* get through to some of them, since it is very well written.

Edit: changed brackets to parentheses. It seems BBR does not show stuff within brackets, mangling my original post.
Bobby_Peru
Premium Member
join:2003-06-16

1 recommendation

Bobby_Peru to Ivybridge_I7

Premium Member

to Ivybridge_I7
I do not know if the article is listing their 7 reasons in any order of frequency/severity/success, but their #1. reason "legitimate Websites are no longer safe" is "1. Polluted Ads". While some may argue that this stated reason falls under the bailiwick of The Department Of Redundancy Department, in any case it has long been recognized as an avenue of attack.

Luckily, for folks who use Firefox, the dedicated folks who bring you Adblock Plus, and the continuation of the late Rick's EasyList Filter Sets, along with GM's (the James Brown of Fx extensions... ) NoScript, and/or HOST files (see also Spyware Blaster and SpyBot S & D), can greatly reduce, at a minimum, their #1 reason.

Blocking 3rd Party effluence, for any browser, serves both to increase security/privacy, as well as help preserve any slight residual sanity.

Razzy12345
@rr.com

Razzy12345 to Mele20

Anon

to Mele20
said by Mele20:

Oh, and did I say I stay the hell away from Facebook (except reading a page there if really necessary but allowing no cookies and NEVER getting an account), Yahoo (bad privacy policy), Twitter (that goes without saying), etc. People who get infected are those who are uneducated about computer security and click on any and everything, those who do not use something like Proxomitron, basically those who believe they can have their cake and eat too and who, thus, exercise no judgment such as willy-nilly clicking on any site that might have the lyrics they just absolutely have to have, etc.
So Mele20... you live in Hilo, HI... next to Ice Pond? Hmmm... that same information you have in your profile can be the exact same information on Facebook.. except Facebook may require you to have an account to view AND approved (by you) friend list to view those pictures on Facebook profile. By default, your profile is set so only friends you choose can view your information on your profile page. You can set your profile so anyone in the world can view your profile. You can set your profile so NO ONE but your friend list can even see your profile picture. But then, why make a Facebook page if you're gonna do that? No sense.

And with my guest access to this forum, I can view your pictures by default.

koma3504
Advocate
Premium Member
join:2004-06-22
Granbury, TX

koma3504

Premium Member

But this site does not have all the exploitable stuff that Facebook has.

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

2 recommendations

Doctor Four to Ivybridge_I7

Premium Member

to Ivybridge_I7
#1 is easily preventable - by not using IE, using a hosts file, Firefox with Adblock Plus and NoScript, SpywareBlaster, and in case something does manage to get in, Malwarebytes.
Bobby_Peru
Premium Member
join:2003-06-16

1 recommendation

Bobby_Peru to koma3504

Premium Member

to koma3504
said by koma3504:

But this site does not have all the exploitable stuff that Facebook has.
Yes, but it does have a very unusually high percentage of extremely handsome and beautiful members! EMV (Exploitability May Vary)
fartness (banned)
Donald Trump 2016
join:2003-03-25
Look Outside

fartness (banned) to Ivybridge_I7

Member

to Ivybridge_I7
It will only get worse I imagine. Like STDs of the internet.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

EUS to Ivybridge_I7

Premium Member

to Ivybridge_I7
Funny how it's up to the public to secure their computers against poor security implementation on the server's side, usually driven by quick $$, and poor implementation, and whether caused by sql infection, unpatched security, or advertisements gone bad, etc. When are the supposed I.T. "professionals" going to take responsibility for their mistakes/poor judgment?
No one else sees this?
Ravenheart
join:2006-02-10
Berkeley, CA

Ravenheart to gattaca

Member

to gattaca
said by gattaca:

For example, when one takes a Facebook "quiz" (and everyone does), their profile information AND the profile information of all of their friends is provided to the creator of the quiz.
The ACLU of Northern California put up its own quiz to demonstrate this fact, for anyone who has a Facebook account and is curious enough:

»norcal.aclu.org/site/Mes ··· id=51661

They suggest joining in pressuring Facebook to tighten up practices like this one.

Razzy12345
@rr.com

Razzy12345 to koma3504

Anon

to koma3504
said by koma3504:

But this site does not have all the exploitable stuff that Facebook has.
You mean the majority of people click a link from Facebook believing it's legit after they see a (fake) login prompt? Gotcha.