Do You Trust The Link?

[alexander]

Craig, let me answer your questions first, i'll tell nikgod next time i talk to him, to stop by and put in his 2 cents...

 

What I don’t understand about XSS attacks is how they are any worse than simply spamming of keyword padding to attract visits to a simple malicious site. Cookies and other client-side data visible to scripts aren’t intended to store authentication data. No even mildly secure authentication-requiring website in my experience uses cookies in such a way, and a site such myspacelayoutspy.com, which allows a script to be passed via a HTTP GET or PUT is just a wild, dangerous, foolish place.

 

Quite simply, the email padding going to a malicious website is simpler to spot, you are going to http://www.somemaliciouswebsite.com, and most people that look at the links before clicking them, will quickly notice that there is a problem. The danger of XSS is that it routes you to a valid domain, i.e. it routes you to the real website https://www.bankofamerica.com or Welcome to Facebook! | Facebook, and a crafty hacker will not change the look of the page at all, so a user suspects nothing wrong with the page, all the security identifiers are the same, everything looks 100% legit, only problem is, that it's not...

 

In short, it seems to me that for a non-malicious site to be vulnerable to XSS attacks, it must implement intentionally perverse features

it just has to have one coding mistake, like most other exploits, a simple, stupid mistake in hundreds of thousands of lines of code, and late knights.... and they have been found everywhere, from myspace, to google, to msn, to bank of america, to federal websites and anywhere in between. Danger is, unless they are reported, they are not likely to be fixed...

 

unless your browser allows such unwise actions as the unconfirmed installation of ActiveX controls

what about flash, if you find an exploit in flash or shockwave, or say quick time, you can now embed your exploit into a page with a valid, known and trusted domain link... and it can be anything, if you find a bad practice in processing images and can embed exploits into those, you can embed the images on those same pages, and yeah, it's easier to click that link, after all, it's federal gov-t telling you that they found problems in your recently submitted tax form, and they want you to verify your data...

 

Though I’ve no reason to doubt the claim that XSSs are the largest category of security abuses on the internet

nope, i'd say SQL injection... but using mostly the same concept though, but much more devastating...

 

the possible gain of such attacks is nearly nil.

I'd beg to differ.

This vulnerability can be extremely dangerous if A creates a XSS Worm, inject into his own blog. When B visits A's blog, his own blog is infected and unintentionally pass the worm to all his friends who visit his blog page later on. In just a day, it's hard to imagine how many Yahoo! accounts' cookie are stolen.

 

similarly, you can steal other info, i mean, look, you say it cant be dangerous, but say you discover a volnurability in say BoA, i pick on it for its convenience ofcourse. You recreate the look of a login process, and make it easy for users to disclose the user id and password for their acct, infact after they go through your process, they log into their account, even though you now own their data. The user ID on the acct is the user's SSN.... now you have one's ssn, and their password into their bank accounts. you tell me now if it's a dangerous attack vector?

 

You create a crafty email and send it to millions of BoA users... with even 1 percent response, even less, you can easily have info for well over a 1000 bank accounts, ssns, and probably passwords into their other accounts (as people like to use one password for everything), probably its their email password, and any social networking sites. Pick any one, log in, find their names, addresses emails, log into their email, find what they are like as a person, also if they have a flickr acct, or a social networking website addiction, in a matter of hours you have more then enough info to easily facilitate an indentity takeover...

 

I just want you to see, that just because i didn't do anything bad with it, XSS though only client-side scripting, is still extremely dangerous...

 

Hopefully if you get that out of this thread, i have done my duty to educate people about having better security practices on the net...

[Moontanman]

While I don't pretend to understand all the technical details here I do know what the end result is, theft! I think anyone who does this should be hung by the neck until dead, far to many people are vulnerable to such things and end up loosing their life savings and or other things to some sneaky dipstick, someone just took $1000 out of my bank account due to hackers stealing bank account info. May they all burn in this life, hell can wait!

[freeztar]

someone just took $1000 out of my bank account due to hackers stealing bank account info.

 

Really!?

 

Is this a fictional scenario or did this really happen?

[alexander]

dunno, moon seems really pissed, sound pretty real...

[Moontanman]

Really!?

 

Is this a fictional scenario or did this really happen?

 

Unfortunately it's real, I had checks bouncing all over hell and creation. I got the money back but bounced checks have a way of going on forever! My land lord didn't think it was funny either.

[freeztar]

:shrug:

 

Sorry to hear that. My dad had his identity stolen years ago and his credit has never recovered.

 

How long ago did this happen? Have you taken the appropriate measures?

[Moontanman]

:shrug:

 

Sorry to hear that. My dad had his identity stolen years ago and his credit has never recovered.

 

How long ago did this happen? Have you taken the appropriate measures?

 

I found it a few days ago, the actual removal of money occurred last Saturday. My bank is supposed to take care of it but I have ordered new debit cards and new pin numbers and all that stuff. The bank says they will take care of it but i am still monitoring the situation on a daily basis to make sure no unauthorized debits occur on my account. Not much money there to start with so not much chance of any one really getting rich off me.

[freeztar]

Have you cleaned your computer thoroughly?

I would be paranoid if that happened, checking port activity, remote scanning, the works...

[Moontanman]

Have you cleaned your computer thoroughly?

I would be paranoid if that happened, checking port activity, remote scanning, the works...

 

 

Believe it or not I don't keep any financial info on my computer. the bank says the hacking took place at a remote location from a business that i had bought something at with my debit card. If the news is to be believed it was probably Barns and Nobel. I have dial up and I don't leave my computer on line unattended. I did run bot and virus checks for all the good that will do me.

[alexander]

unfortunately it is more oftenly then not a problem at a database level of a company that one has dealt with (directly or inderectly).

 

You hear about records being stolen all the time, BigY i think just had a few dozen thousand records stolen, and you hear about this stuff on almost a monthly basis... more often then not, the data leaves a location that is not well secured, outside of anyone's reach, and people at fault are employees of that company, because they opened a bad link, or they got socially engineered to give up some data, or neglected to update some server, and next thing, shazaam, people get screwed. There are thousands of credit card numbers and names and ssns being traded on the black market every day... they get them from somewhere ;)

 

it is sad, and unfortunate that these things happen, and that is why i try to educate you guys, about problems that while seemingly unimportant, may cause a big deal of damage...

[Moontanman]

unfortunately it is more oftenly then not a problem at a database level of a company that one has dealt with (directly or inderectly).

 

You hear about records being stolen all the time, BigY i think just had a few dozen thousand records stolen, and you hear about this stuff on almost a monthly basis... more often then not, the data leaves a location that is not well secured, outside of anyone's reach, and people at fault are employees of that company, because they opened a bad link, or they got socially engineered to give up some data, or neglected to update some server, and next thing, shazaam, people get screwed. There are thousands of credit card numbers and names and ssns being traded on the black market every day... they get them from somewhere ;)

 

it is sad, and unfortunate that these things happen, and that is why i try to educate you guys, about problems that while seemingly unimportant, may cause a big deal of damage...

 

I have a real problem with people who steal and or lie to take advantage of someone. I am a very trusting person and I like being able to trust people. Some one who takes advantage of some one and takes from them is a low life in my book. I have always lived by the rule , if it's not yours leave it alone!

[alexander]

I agree with you completely, however (and you really dont want to get me started on this) corruption in our society, the unscrupulousness of some people, the view of others being their own and capitalistic black whole of our current society have seemed to leave good people, right people that live by good principals, hurt. It's unfair to steal the last dollar from a starving child, but in the eyes of a cracker, all is a fair game...