Just saw this insightful post at PC Pro, about five new hidden security threats. These are all based on (relatively) recent developments in tech, like QR codes and SMS. Even the URL obfuscation, one of the oldest phishing tricks in the book, takes on a new form when modern handheld devices and Twitter feeds rely so heavily on URL-shortening services or just abbreviating the URL.
It’s important for webmasters to remember that if you own a website, you are always an attack vector. Others can be targeted by compromising your site. And with the profusion of new gadgets cropping up, new vulnerabilities in them come up before half of us even get around to learning how to use one…
Just in case there are a few designers out there who still haven’t gotten the word, here’s a great, simple explanation of how web page code injection works. It’s astonishingly simple. Read through this example, then try it on your own website if you have a PHP page that takes variables as part of its URL (who doesn’t these days?). In a nutshell, the injection works when your URL ends with something like “?search=something”, your script never checks the value of “search” for valid input, and then echoes that value straight back into the page, so whatever the visitor (or the link they clicked) put there is rendered as HTML or script.
XSS vulnerabilities are also easy to discover. For instance, imagine a cURL script that runs through your bookmark file and looks for the characters ‘?’ or ‘=’ in a link. It then fetches each of those links with a marker payload (something like ‘…’) substituted into the parameter, and checks the returned page for the text ‘EXPLOIT ME’ somewhere in the body. If it finds that, it adds the link to its list of pages with exploit potential.
You could just Google random dictionary words and find dozens of sites per day with a system like that! So don’t assume that a potential vulnerability will never be found: they get discovered and used every day.
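To make the two ideas above concrete, here is an added example (not code from the PC Pro article or the linked explanation): a model of the unchecked “echo the search term” page beside its escaped version, and a scanner in the spirit of the cURL loop that probes every query parameter with a marker and reports pages that reflect it unescaped. The hostnames, the `MARKER` string and the in-memory “web” are constructed for this example; swap `fake_fetch` for a real HTTP client to run it against your own site.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Marker that a vulnerable page will echo back verbatim. Constructed for
# this example; the original post's payload is not shown on the page.
MARKER = "<b>EXPLOIT ME</b>"


def vulnerable_search_page(params):
    """Models a PHP page that does `echo $_GET['search']` with no checking."""
    term = params.get("search", "")
    return f"<html><body><h1>Results for {term}</h1></body></html>"


def hardened_search_page(params):
    """Same page, but the value is HTML-escaped before it lands in the body."""
    term = html.escape(params.get("search", ""), quote=True)
    return f"<html><body><h1>Results for {term}</h1></body></html>"


# Constructed in-memory "web": the hostnames are hypothetical.
FAKE_SITES = {
    "vuln.example": vulnerable_search_page,
    "safe.example": hardened_search_page,
}


def fake_fetch(url):
    """Stand-in for curl: routes the URL to one of the fake page handlers."""
    parts = urlsplit(url)
    handler = FAKE_SITES.get(parts.hostname)
    if handler is None:
        return None  # unreachable host
    return handler(dict(parse_qsl(parts.query)))


def inject_marker(url):
    """Return (param_name, probe_url) pairs, one per query parameter,
    each with that parameter's value replaced by MARKER."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, _) in enumerate(pairs):
        mutated = list(pairs)
        mutated[i] = (name, MARKER)
        probes.append((name, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return probes


def scan_bookmarks(urls, fetch=fake_fetch):
    """Mirror of the cURL loop: only URLs carrying '?' or '=' get probed.
    A hit means the raw marker (tags included) came back in the body."""
    findings = []
    for url in urls:
        if "?" not in url and "=" not in url:
            continue
        for name, probe in inject_marker(url):
            body = fetch(probe)
            if body and MARKER in body:
                findings.append((url, name))
    return findings


if __name__ == "__main__":
    # Constructed bookmark file contents.
    bookmarks = [
        "http://vuln.example/search.php?search=foo&page=2",
        "http://safe.example/search.php?search=foo",
        "http://vuln.example/about.html",
    ]
    for hit in scan_bookmarks(bookmarks):
        print("reflects unescaped input:", hit)
```

One detail worth noticing: the scanner looks for the whole marker, tags included, rather than just the words ‘EXPLOIT ME’. The escaped page still contains those words (as `&lt;b&gt;EXPLOIT ME&lt;/b&gt;`), so a check on the bare text alone would flag a correctly escaped site as vulnerable.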
You might have heard that, amid the recent rash of cyber-attacks on high-profile institutions, Citicorp got hacked. Details of some 200,000 bank accounts were compromised. But the news gets weirder when you consider how it was done, in the most blazingly obvious way.
Briefly, credit card customers noticed that their card’s account number showed up in the URL of whatever page they were on at the Citigroup website. Well, what happens when we substitute another account number? Oops, that shows you the page for that card! Great, let’s write a script to have wget or lynx run through a range of 16-digit numbers and save whatever pages come back for later phishing. (It doesn’t even take all 10^16 combinations: card numbers share an issuer prefix and end in a Luhn check digit, so the real search space is far smaller.)
Yeah, it was that simple.
The lesson we can all take away: Think of everything! It may seem blindingly obvious now that letting a number in the user’s visible URL pick which account to show, without checking that the logged-in user actually owns that account, was a bad idea. Note that merely hashing the number wouldn’t have saved them either, since a hash of a guessable value is just as guessable; the fix is a server-side ownership check tied to the session. But would you have thought of a similar hole that large on your own site? One expert quoted in that article said he “…wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.”
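As an added example (not code from Citigroup or from the article), here is the shape of the bug and its fix in a few lines of Python: a page handler that trusts the account number in the URL, beside one that first checks the account belongs to the session’s user, and the attacker’s enumeration loop run against both. The session IDs, account numbers and owners are constructed sample data, and the handlers stand in for whatever server-side code looked the account up.

```python
from http import HTTPStatus

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "4111111111111111": {"owner": "alice", "balance": "1,204.55"},
    "4111111111111112": {"owner": "bob", "balance": "88.10"},
}
# Hypothetical session store: session id -> logged-in user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def vulnerable_account_page(session_id, acct_from_url):
    """Trusts the number in the URL: any logged-in user can read any account."""
    if session_id not in SESSIONS:
        return HTTPStatus.UNAUTHORIZED, None
    rec = ACCOUNTS.get(acct_from_url)
    if rec is None:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, rec


def hardened_account_page(session_id, acct_from_url):
    """Looks the account up, then checks it belongs to the session's user."""
    user = SESSIONS.get(session_id)
    if user is None:
        return HTTPStatus.UNAUTHORIZED, None
    rec = ACCOUNTS.get(acct_from_url)
    if rec is None or rec["owner"] != user:
        # Same answer for "not yours" and "doesn't exist", so an enumerator
        # can't even learn which numbers are real accounts.
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, rec


def enumerate_accounts(page, session_id, start, count):
    """The attacker's loop: walk sequential numbers with one valid login
    and keep whatever the server hands back."""
    leaked = {}
    for n in range(start, start + count):
        acct = str(n)
        status, rec = page(session_id, acct)
        if status == HTTPStatus.OK:
            leaked[acct] = rec["owner"]
    return leaked


if __name__ == "__main__":
    # Alice's session, walking the numbers around her own account.
    print("vulnerable:", enumerate_accounts(vulnerable_account_page, "sess-alice",
                                            4111111111111110, 5))
    print("hardened:  ", enumerate_accounts(hardened_account_page, "sess-alice",
                                            4111111111111110, 5))
```

Against the vulnerable handler the loop harvests Bob’s account with Alice’s login; against the hardened one it sees nothing but Alice’s own. Replacing the raw number with a hash or an opaque token would only slow this down if the token were unguessable and still bound to the owner on the server, which is exactly the check the hardened version performs.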
Cybersquatting is the ugly-sounding name of an ugly, but borderline-legal, practice of registering a domain name with the intent to profit from the goodwill of a trademark belonging to someone else. The problem is, as is usually the case with gray laws, the proving of intent.
ICANN has the “Uniform Domain-Name Dispute-Resolution Policy” (UDRP), which it applies as a sort-of rule-of-law for resolving cybersquatting cases. But you’ve probably heard that their rulings can be controversial, no? There do seem to be some huge corporations out there who win a lot of exclusive rights to domains that shouldn’t have anything to do with them, while small businesses are lucky if they can get their case heard at all.
Take the case of “Microsoft vs MikeRoweSoft” that was settled recently. This one is almost anyone’s call. On the one hand, there’s no way you could confuse the two domains when typing them into a web browser. On the other hand, Mike Rowe admitted that he’d done it as a joke. On another hand, even Microsoft spokesman Jim Desler admitted that they may have been too aggressive in their defense of the “Microsoft” trademark. The case got settled for what amounts to a treasure chest of party favors and Mike Rowe made some money off the deal, so all’s well that ends well?
In a world where we have Linux paper towels and MicroSoft laundry detergent, proving who has the rights to a particular trade name can be a slippery task, especially with the international market. Is anybody out there finding new sound-alike domains, such as those recently recovered by the group CitizenHawk?