14. November 2010 · Categories: blog

The Scourge of IE6 Continues, for Some Surprising Reasons.

Why is Microsoft Internet Explorer 6 still the third most popular browser? The biggest reason organizations do not upgrade, according to this article, is that they are running third party applications that do not work properly with IE8. In fact, Gartner estimates that 40% of in-house applications do not work properly with IE8.

Another reason: since most social media sites do not work well with IE6, companies stay with IE6 as a form of URL filtering! Of course, the security risks associated with this strategy far outweigh the benefits.

07. November 2010 · Categories: blog

Securosis Blog | SQL Azure and 3 Pieces of Flair.

Adrian Lane, the database security analyst at Securosis, points out the rather limited security controls Microsoft provides for SQL Azure.

Firewall, SSL, and user authentication are the totality of the technologies prescribed.

In other words, you are on your own. We recommend Sentrigo, an agent-based database intrusion prevention solution that sits right in the database VM.

07. November 2010 · Categories: blog

Schneier on Security: Control Fraud.

Bruce Schneier highlights “Control Fraud.” While I had never heard the term before, once you read about it, it will sound familiar.

This is an interesting paper about control fraud. It’s by William K. Black, the Executive Director of the Institute for Fraud Prevention. “Individual ‘control frauds’ cause greater losses than all other forms of property crime combined. They are financial super-predators.” Black is talking about control fraud by both heads of corporations and heads of state, so that’s almost certainly a true statement. His main point, though, is that our legal systems don’t do enough to discourage control fraud.

07. November 2010 · Categories: blog

HP And The Scary Corporate Fifth Column Concept – Hacked Off – Dark Reading.

Rob Enderle discusses employees leaking proprietary information to competitors. Rob focuses on Oracle’s efforts against HP, speculating that Larry Ellison’s hiring of Mark Hurd is part of a plan to acquire HP.

During a battle–competitive, political, or otherwise–detailed information about the other side’s strategy, weaknesses, and tactics can result in huge benefits for the firm that acquires it. In security, it is our job to plug leaks–which are difficult to find–to identify the potential for them. On the short list would be executives or employees who were passed over for critical promotions, complained about abuse, were identified as surplus but still working, or who were known to be disgruntled and aggressively looking for outside work.

Employees like this should be considered a security risk. Care should be taken to control the information they have access to, specifically looking for indications that information coming into their possession isn’t being passed outside the company.

06. November 2010 · Categories: blog

Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features.

It’s hard to believe that Firesheep is only two weeks old. In response to Firesheep, Microsoft said it will convert its Hotmail / Windows Live email service to SSL. Google did this for Gmail some time ago, well before Firesheep.

Facebook says it will also address the issue in the coming months.

So there is no doubt that more and more web traffic will be SSL encrypted and hidden from corporate control. I wrote about this last week in Easy fix for Firesheep creates a problem for enterprises.
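Moving a site to SSL only closes the Firesheep hole if the session cookie is also marked so the browser never sends it over plain HTTP. The following Python script is an added example (not code from Microsoft, Google, or the H article) that audits a server's Set-Cookie headers for session-like cookies that lack the Secure and HttpOnly flags. The name fragments used to guess which cookies carry a session, and the sample headers, are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies that a passive eavesdropper on an
unencrypted network could capture (the class of weakness Firesheep demonstrated)."""

# Name fragments that usually indicate a session or authentication cookie.
# This is an assumption for the example; a real audit should use the application's
# known cookie names instead of guessing.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued attributes (Path, Domain,
    Max-Age) map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers):
    """Return [(cookie_name, [issue, ...])] for session-like cookies missing protective flags."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        issues = []
        if "secure" not in cookie["attrs"]:
            issues.append("missing Secure: the browser will also send it over plain HTTP")
        if "httponly" not in cookie["attrs"]:
            issues.append("missing HttpOnly: page scripts can read it")
        if issues:
            findings.append((cookie["name"], issues))
    return findings


# Constructed sample headers, mixing a cookie set the way a site that has moved to
# SSL-only sessions would set it with two that are still exposed.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed-session-1; Path=/",
    "auth_token=constructed-token-2; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
    "login_session=constructed-session-3; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie_name, cookie_issues in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(cookie_name)
        for issue in cookie_issues:
            print("  -", issue)
```

Run against the sample, the script reports PHPSESSID (both flags missing) and login_session (Secure missing) and stays quiet about auth_token, which is what a site that has finished its SSL conversion should emit. Feeding it the headers from a real response is a quick way to check whether a service's "we now use SSL" announcement actually protects the session cookie.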

06. November 2010 · Categories: blog

Buyer Beware on SSL Certificates – fudsec.com.

If you are purchasing SSL Certificates, and you are not sure what level certificate you need, you ought to read this.

06. November 2010 · Categories: blog

(ISC)2 Blog: Do you know Shodan?

So here’s the basic: SHODAN (Sentient Hyper-Optimized Data Access Network) is a search engine, but instead of indexing web page content, it indexes banner information. It indexes data on HTTP, SSH, FTP, TELNET and SNMP services for almost the whole Internet. You can find it at http://www.shodanhq.com.

In other words, it’s a massive port scanner that helps you find vulnerable network devices. Why waste time doing your own scanning when all you have to do is query Shodan?

06. November 2010 · Categories: blog

Boffins devise early-warning bot spotter • The Register.

Researchers at Texas A&M have written a paper proposing a method for Detecting Algorithmically Generated Malicious Domain Names. It focuses on detecting domain fluxing, a technique used by botnets such as Conficker.

The method uses techniques from signal detection theory and statistical learning to detect domain names generated from a variety of algorithms, including those based on pseudo-random strings, dictionary-based words, and words that are pronounceable but not in any dictionary. It has a 100-percent detection rate with no false positives when 500 domains are generated per top-level domain. When 50 domains are mapped to the same TLD, the 100-percent detection rate remains, but false positives jump to 15 percent.
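The group-level statistical test the paper describes can be illustrated with a small Python example. This is an added example, not code from the Texas A&M paper or the Register article: it groups domain names by top-level domain, measures how far the character distribution of each group's second-level labels diverges from an English-letter baseline using Kullback-Leibler divergence, and flags groups above a threshold. The baseline is an approximate published English letter-frequency table; the floor given to digits and hyphens, the 0.4 threshold, the benign sample, and the gibberish labels (constructed so every letter occurs equally often, the limit of a uniform pseudo-random generator) are all assumptions made for the example, not values from the paper.

```python
"""Per-TLD Kullback-Leibler test for algorithmically generated domain labels."""
import math
from collections import Counter, defaultdict

# Approximate letter frequencies of English text (percent), from the commonly published
# reference table, used as the "benign" character distribution.
ENGLISH_LETTER_PCT = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1,
    "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9,
    "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4, "x": 0.15,
    "y": 2.0, "z": 0.074,
}
EXTRA_FLOOR_PCT = 0.2  # assumed floor for '0'-'9' and '-', keeps the divergence finite
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
DEFAULT_THRESHOLD = 0.4  # assumed cut-off in nats; tune on your own benign traffic


def benign_distribution():
    raw = {c: ENGLISH_LETTER_PCT.get(c, EXTRA_FLOOR_PCT) for c in ALPHABET}
    total = sum(raw.values())
    return {c: v / total for c, v in raw.items()}


BENIGN = benign_distribution()


def tld(domain):
    return domain.lower().rstrip(".").split(".")[-1]


def second_level_label(domain):
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_distribution(labels):
    """Empirical distribution over ALPHABET of all characters in the group's labels."""
    counts = Counter(ch for label in labels for ch in label if ch in BENIGN)
    n = sum(counts.values())
    return {c: k / n for c, k in counts.items()} if n else {}


def kl_divergence(p, q):
    """D(p || q) in nats. Terms with p(c) = 0 contribute nothing; q has full support."""
    return sum(pc * math.log(pc / q[c]) for c, pc in p.items() if pc > 0)


def group_scores(domains):
    """Map each TLD to the divergence of its labels' character distribution from BENIGN."""
    groups = defaultdict(list)
    for d in domains:
        groups[tld(d)].append(second_level_label(d))
    return {t: kl_divergence(char_distribution(labels), BENIGN) for t, labels in groups.items()}


def flag_groups(domains, threshold=DEFAULT_THRESHOLD):
    """TLD groups whose labels look algorithmically generated, sorted by name."""
    return sorted(t for t, s in group_scores(domains).items() if s > threshold)


# Constructed sample: ordinary English-word labels under one TLD and 130 characters of
# gibberish under another, built so that every letter appears exactly five times.
BENIGN_SAMPLE = [w + ".com" for w in (
    "weather", "support", "shopping", "travel", "health", "finance", "sports",
    "music", "video", "photos", "search", "games", "movies")]
DGA_SAMPLE = [label + ".biz" for label in (
    "vqxkzjwbpg", "hfyrmudcls", "tnaeoivqxk", "zjwbpghfyr", "mudclstnae", "oivqxkzjwb",
    "pghfyrmudc", "lstnaeoivq", "xkzjwbpghf", "yrmudclstn", "aeoivqxkzj", "wbpghfyrmu",
    "dclstnaeoi")]
SAMPLE_DOMAINS = BENIGN_SAMPLE + DGA_SAMPLE

if __name__ == "__main__":
    for name, score in sorted(group_scores(SAMPLE_DOMAINS).items()):
        print(f"{name:5s} KL={score:.3f}")
    print("flagged:", flag_groups(SAMPLE_DOMAINS))
```

The divergence is estimated per group, not per name, which is the point of the paper's approach: a single ten-letter label tells you little, but a few hundred labels under one TLD reveal the generator's character statistics. It also explains the trade-off the article quotes: with fewer names per TLD the empirical distribution is noisier, so a fixed threshold yields more false positives. Substituting bigram frequencies for the unigram table above makes the test stronger against dictionary-word and pronounceable generators.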

05. November 2010 · Categories: blog

HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes.

As usual, new technology spawns new threats. HTML5 will be no different.

HTML5 allows a website to run javascript processes that request data from another site, and to launch invisible scripts “in the background” on a user’s machine for long periods of time, says Kuppan. “With HTML4, after twenty seconds the browser would freeze,” he says.

And this:

Once the hacker has control of a user’s browser, it can be used to do all the same sorts of unpleasant things that botnets of malware-hijacked computers generally do: By repeatedly requesting data from another site–Kuppan says javascript can make around 10,000 requests a minute–it can overwhelm a target’s server and knock it offline. Or by creating and filling the sort of entry field typically used on corporate websites for leaving feedback, it can send mass emails to a list of addresses.

And this:

To keep users on a page longer while his scripts run, Kuppan suggests a trick that involves a clever form of “clickjacking.” Using javascript, an invisible link can be inserted wherever a user clicks on a page to open another tab with the desired destination. Since most users leave unused tabs unattended, a script can run on the original tab, potentially for hours, without the user’s knowledge.

We will need a tool that gives users better visibility into what is going on on their workstations, and that can either take action against anomalous behavior automatically or give users options to take action themselves.

30. October 2010 · Categories: blog

TaoSecurity: What Do You Investigate First?

Richard Bejtlich offers the obvious, but usually difficult to implement, answer to the following question:

Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

Bejtlich offers two answers which generally converge into one: focus on assets, i.e. the most critical assets in your organization.

Ideally, the log, flow, event collection and analysis system you are using has the ability to discover all network attached assets and then enable you to group them into IT/Business Services. Then you can prioritize your focus based on the criticality of each IT/Business Service.
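The prioritization just described, grouping discovered assets into IT/Business Services and ranking the investigation queue by service criticality, can be written down as a small triage function. The Python below is an added example, not code from TaoSecurity or from any particular collection product; the service map, the criticality scale, the default given to an asset the discovery step missed, and the sample events are all constructed for the illustration.

```python
"""Rank a queue of suspicious-activity events by the criticality of the service each asset belongs to."""
from dataclasses import dataclass

# Constructed asset inventory: each IT/Business Service with its criticality
# (1 = low, 5 = critical) and the assets discovery has assigned to it.
SERVICES = {
    "payments":   {"criticality": 5, "assets": {"pay-db-01", "pay-app-01"}},
    "email":      {"criticality": 3, "assets": {"mx-01"}},
    "guest-wifi": {"criticality": 1, "assets": {"wifi-gw-01"}},
}

# Assumed criticality for an asset that is not in any service. It is kept above the
# lowest tier on purpose: an unknown machine talking on your network is itself a finding.
UNASSIGNED_CRITICALITY = 2


@dataclass(frozen=True)
class Event:
    asset: str       # host the activity was observed on or from
    source: str      # "netflow", "log" or "host"
    severity: int    # 1..5 as produced by the collection system
    summary: str


def service_for(asset):
    """Return (service_name, criticality) for an asset, or the unassigned default."""
    for name, svc in SERVICES.items():
        if asset in svc["assets"]:
            return name, svc["criticality"]
    return "unassigned", UNASSIGNED_CRITICALITY


def priority(event):
    """Service criticality dominates; event severity only breaks ties within a service."""
    _, criticality = service_for(event.asset)
    return criticality * 10 + event.severity


def triage(events):
    """Events in the order an analyst with limited time should pick them up."""
    return sorted(events, key=priority, reverse=True)


# Constructed sample queue: a noisy high-severity alert on a low-value asset, a quiet
# low-severity one on the payments database, and an asset discovery never saw.
SAMPLE_EVENTS = [
    Event("wifi-gw-01", "netflow", 5, "port scan originating from guest network"),
    Event("pay-db-01", "log", 2, "repeated failed logins from an internal host"),
    Event("mx-01", "host", 4, "unsigned binary executed"),
    Event("pay-app-01", "netflow", 3, "outbound connection to an unfamiliar external address"),
    Event("lab-pc-07", "host", 5, "antivirus quarantined a file"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        name, crit = service_for(e.asset)
        print(f"{priority(e):3d}  {e.asset:11s} {name:11s} crit={crit} sev={e.severity}  {e.summary}")
```

On the sample queue the two payments-service events come first even though one of them has the lowest severity in the list, the guest Wi-Fi port scan drops to the bottom, and the unknown lab machine lands in the middle rather than disappearing. That ordering is the practical content of "focus on assets": severity scores from individual sensors are only a tie-breaker inside a service, never the primary sort key.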