All Major Browsers Vulnerable To Clickjacking

September 29, 2008 – 6:49 am

Security research sites are buzzing about a newly described attack called “clickjacking.” The descriptions are still pretty vague, but they are scary enough that US-CERT has weighed in and browser vendors are reported to have patches in the works.

The basic description of the attack is that it allows the attacker to trick the user into clicking on something other than what they thought they were clicking on. The two researchers who discovered the technique say that it “…gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” That click could be the gateway to many other kinds of exploits on your system.

The researchers pulled the talk they were to give last week, along with proof-of-concept code that was said to affect every major browser and “an Adobe product” (Flash? Acrobat?).

Source:
http://blogs.pcmag.com/securitywatch/2008/09/all_major_browsers_vulnerable.php


Web Gives Hackers More Territory, Tools

September 28, 2008 – 8:54 am

As more people become accustomed to Web surfing and downloading software and multimedia, legitimate Web sites have become the favorite targets of hackers.

“The hacking of legitimate Web sites is the biggest threat today,” said David Freer, Symantec’s vice president for consumer business in Asia-Pacific and Japan.

Freer said that, based on the latest Threat Landscape study from Norton (Symantec’s security-products brand), the Web is emerging as the preferred platform for security attacks, rather than just the users’ PCs.

“The threat landscape is driven by consumer behavior,” Freer said, explaining that since people are accustomed to viewing and downloading multimedia online, many hackers exploit this to trick users into installing fake codecs and setting up applications.

“The exploits focus on Web browser and plug-in vulnerabilities, but attacks based on trickery are emerging as the dominant tactic,” he said. “This means more attacks will be language and service-specific.”

Norton observes that attackers focus heavily on finding Web site flaws, since that is much easier than exploiting “traditional” vulnerabilities, and that research and patching lag far behind: only 4% of the vulnerabilities found in the second half of 2007 had been patched as of March 2008.

“We observe 10,000 unique attacking domains (Web sites) daily and 1,500 of these have not been seen attacking users previously,” Freer said.

Source:
http://www.pcworld.com/article/151618/web_hackers_security.html?tk=rss_news


Trojan can grab extra personal banking data

September 27, 2008 – 7:59 am

A Trojan horse program now available to a growing number of fraudsters can add data entry fields to legitimate online banking sites and entice consumers to give up sensitive information such as bank card numbers and PINs (personal identification numbers).

The Limbo malware integrates itself into a Web browser using a technique called HTML (Hypertext Markup Language) injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions, a division of EMC. Because it’s so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.

“Nothing tells you that something is wrong here, with one exception: You’re being asked to provide some information that you were never asked to do before,” Rivner said during a briefing for reporters and analysts earlier this week. “If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like.”

Limbo can get onto a user’s computer through many paths, including pop-up messages that ask you to download an add-on program as well as methods that are invisible to the user, he said. It sometimes lands on PCs in conjunction with other phishing attacks.

Source:
http://www.networkworld.com/news/2008/092608-trojan-can-grab-extra-personal.html?fsrc=rss-security


Off to Scotland

September 14, 2008 – 8:31 am

Creating backups of the websites and databases, packing up the laptops, yanking the hard drives out of the desktops and storing everything offsite just in case.  I’ll be back from Scotland on the 30th and should have plenty of pictures to post.

See ya..

Troy


NoScript mitigates HTTPS cookie hijacking attacks

September 11, 2008 – 8:34 am

The invaluable NoScript plug-in for Firefox just got a tad better.

According to Giorgio Maone, the developer behind the popular browser extension, a new experimental feature called “Forced Secure Cookies” has been added to NoScript v1.8.0.5 to mitigate the HTTPS cookie hijacking attack vector discussed at DEFCON 16 last month.

Source:
http://blogs.zdnet.com/security/?p=1882
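The cookie-hijacking attack in question relies on a cookie that a site set over HTTPS being replayed by the browser over plain HTTP, where it can be sniffed; the fix is the cookie’s Secure attribute. The following is an added illustration (not NoScript’s own code) of what a client-side “force Secure cookies” rule does: it audits Set-Cookie headers from an HTTPS response and rewrites any that lack the flag. The sample headers are constructed.

```python
"""Audit Set-Cookie headers from an HTTPS response and force the Secure flag.

Added example, not NoScript's code: models the effect of a client-side
"force Secure cookies" rule, so a cookie issued over HTTPS is never sent
by the browser over plain HTTP. The sample headers below are constructed.
"""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, list[str]]:
    """Split a Set-Cookie value into (name, value, [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), parts[1:]


def has_attribute(attrs: list[str], flag: str) -> bool:
    """Case-insensitive check for an attribute such as Secure or HttpOnly."""
    return any(a.split("=", 1)[0].strip().lower() == flag.lower() for a in attrs)


def force_secure(header: str, over_https: bool = True) -> str:
    """Return the header with Secure appended if it arrived over HTTPS."""
    if not over_https:  # a cookie set over plain HTTP is left alone
        return header
    name, value, attrs = parse_set_cookie(header)
    if not has_attribute(attrs, "Secure"):
        attrs.append("Secure")
    return "; ".join([f"{name}={value}", *attrs])


def audit(headers: list[str], over_https: bool = True) -> list[str]:
    """Names of cookies that an HTTPS response set without the Secure flag."""
    return [parse_set_cookie(h)[0] for h in headers
            if over_https and not has_attribute(parse_set_cookie(h)[2], "Secure")]


SAMPLE_HEADERS = [  # constructed, as if returned by an HTTPS login page
    "SESSIONID=3f9a1c; Path=/; HttpOnly",
    "prefs=lang%3Den; Path=/; Expires=Wed, 01 Oct 2008 00:00:00 GMT",
    "csrf=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print("cookie set over HTTPS without Secure:", name)
    for h in SAMPLE_HEADERS:
        print(force_secure(h))
```

The same audit, run server-side against your own responses, is the cheaper fix: the extension only protects users who install it, whereas setting Secure at the origin protects everyone.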
