Airscanner Audits Pocket IE, Demonstrates Concept Vulnerability


Janak Parekh
02-01-2005, 04:00 PM
http://www.airscanner.com/tests/ie_flaw/ie_attack.htm

"There are several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities is restricted only by an attacker's imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept."

While most of these aren't explicit flaws or vulnerabilities, Seth over at AirScanner gives a demonstration of how they could be used to transmit potentially sensitive information, and how it might be worth hardening Pocket IE. Still, as Seth points out, Pocket IE is simply much less vulnerable to most attacks by virtue of being a less sophisticated piece of software. It's also worth pointing out that since Pocket PCs are ARM-based, it's difficult to get targeted exploit code on your device. Nevertheless, if you do sensitive financial transactions and the like from your Pocket PC, use your common sense and make sure not to use potentially spoofed links from third parties. (Note that the site has examples of spoofed URLs, so if you're accessing it from a corporate environment that might filter or tag such stuff as malicious code, you might want to access it from somewhere else. There is no actual exploit on the website, just examples of what one may be able to do.)

surur
02-01-2005, 04:43 PM
Talk about scaring up a profit. Will they "audit" ppc's further and then publish their findings widely "for our own good", so we know how vulnerable we (now) are? Will they write 90% of the virus code, as a "proof of concept" and leave the payload up to their blackhat associates, "for our own good"?

People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.

I have enough cr*p running on my Pocket PC to have it bogged down further by a virus scanner. I recently switched off my virus scanner on my laptop, and the thing worked 5 times faster. No more pausing for 10 seconds when opening up a Word document. No more labouring when looking at a directory.

I think the anti-virus people are as bad (or even worse) than the virus writers, and I'm sure the CEO of Norton is laughing all the way to the bank every time a new exploit is published by the so-called "security researchers". :evil:

Surur

rangor
02-01-2005, 04:45 PM
Let's hope the Minimo project (http://www.mozilla.org/projects/minimo/) gets well and truly underway for Pocket PC based ARM devices...

Still, in the meantime, we've got NetFront. Personally, I never use PIE unless I have no control over it popping up!

Janak Parekh
02-01-2005, 06:56 PM
People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.
As a security researcher, I don't agree completely. Full disclosure is the way to get problems fixed. If you read the article carefully, they're just providing advice that URLs can be spoofed, and you should be aware of that. If it's a clear attack vector (e.g., a buffer overflow), then it is considered good behavior in the security community to first contact the vendor and wait 30 days before publishing, but this is not an explicit attack -- rather just a combination of things that are non-obvious that can lead to undesirable behavior.

Besides, Airscanner doesn't sell software to "fix" this; it's a disclosure, akin to what is commonly done on mailing lists like Bugtraq. They're one of the few in the PDA field who are taking a hard look at PDA security, and I'm glad they are.

--janak

Jon Westfall
02-01-2005, 07:52 PM
I think the real issue here is that we can never release information so that it is only used by the "good guys" who will fix it. Invariably, the bad guys will get ahold of the information as well, and use it. We can't shoot the messenger here when we really would like to shoot the 'bad guys' who make us run antivirus software. I feel the same slow pain when opening Word documents that I'VE written because Norton feels the need to scan them, but without more efficient code or smarter users, right now we're stuck with it.

Although there are days when I switch off Norton just to get the speed back... but I am fully capable of rebuilding my system after a virus attack (even if that means a complete rebuild) - most others aren't. Therefore, I wouldn't recommend that idea.

The best case scenario: enough security minded individuals track these things as they come out and fix them before problems arise.

Just some of my ramblings...

ctitanic
02-01-2005, 09:48 PM
Talk about scaring up a profit. Will they "audit" ppc's further and then publish their findings widely "for our own good", so we know how vulnerable we (now) are? Will they write 90% of the virus code, as a "proof of concept" and leave the payload up to their blackhat associates, "for our own good"?

People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.

I have enough cr*p running on my Pocket PC to have it bogged down further by a virus scanner. I recently switched off my virus scanner on my laptop, and the thing worked 5 times faster. No more pausing for 10 seconds when opening up a Word document. No more labouring when looking at a directory.

I think the anti-virus people are as bad (or even worse) than the virus writers, and I'm sure the CEO of Norton is laughing all the way to the bank every time a new exploit is published by the so-called "security researchers". :evil:

Surur

Are you psychic? Did you read my mind? These people are getting good marketing by publishing this news, and for free. They are not paying anything. On the other hand they are telling others what to do so they can go and fix it later. It's good to educate people but you have to think about the method to do it. If you are educating both groups, users and hackers, at the same time, IMO it's better that you don't educate anybody. ;)

ctitanic
02-01-2005, 09:55 PM
People talk about security through obscurity, but most exploits are from vulnerabilities that had been published by the so-called "good guys", because we all know "information wants to be free". And of course they wouldn't mind selling you a nice fat subscription either.
As a security researcher, I don't agree completely. Full disclosure is the way to get problems fixed. If you read the article carefully, they're just providing advice that URLs can be spoofed, and you should be aware of that.

--janak

Janak, you can do the same thing without giving any details. You can warn people about the "phishing" method by telling them what it is and telling them that no bank or any other institution sends emails asking for personal information such as SS, name, bank account, user names or passwords, nor do they send you emails asking you to click on a link where you are asked to provide that information. If anyone has any doubt about an email asking them to click on a link, the best thing to do is to go to the front page of that institution from another IE window and try to find that link there; if you don't find anything, send an email to that institution, taking the address from that site (not from the email), asking if they sent you such an email, or just call them. You can educate people without giving any information to hackers. ;)

Janak Parekh
02-02-2005, 05:39 AM
You can educate people without giving any information to hackers. ;)
As an academic, I appreciate the detail that's given in many of these kinds of advisories. Not only does it help me understand what's going on, it can often help site owners craft an appropriate response based on the technical nature -- and it may differ based on what the technical aspects are. Moreover, I can tell you that in security research people are developing technical solutions that actually circumvent things like browser holes. For example, new products are coming out today that circumvent phishing methods by detecting things like spoofed URLs. Documentation as to the aspects of how they work is critical in designing such products.

One of the most renowned security forums, for example, is USENIX Security (http://www.usenix.org/events/bytopic/security.html). If you take a look there, there are tons of research papers that go into great technical detail on a broad range of topics. This is how both top-of-the-line commercial and academic security experts work towards developing comprehensive, long-term solutions. It's not a new practice, it's extremely productive, and it ultimately benefits consumers.

And if you really think the "hackers" don't know these things before the advisories are published, you'd be surprised. They have many backchannels where this stuff is discussed sooner than later.

--janak

Cybrid
02-08-2005, 07:32 PM
Let's hope the Minimo project (http://www.mozilla.org/projects/minimo/) gets well and truly underway for Pocket PC based ARM devices...

Still, in the meantime, we've got NetFront. Personally, I never use PIE unless I have no control over it popping up!
If Linux and/or NetFront were the "magic bullet" to all PC ills, we'd all have switched a long time ago.
The reason why they are currently more secure is because they are an overall minority. It is more time-effective to attack MS products since they are 90% of the world.
There are known exploits in Firefox and Thunderbird as well....
I'm sure if Airscanner did a work-over on NetFront....something somewhere would come up as an undesired result.
It's simply the nature of things....You create software with the best of your abilities and someone does something unpredicted with it...the results cannot be anticipated. You simply patch as fast as it becomes known. Therein lies the rub. I have seen Norton miss viruses while AVG catches them. Both are current! Someone explain that to me? Perhaps since AVG updates every Tuesday?
I have Norton's update scheduled similarly but.....

Janak Parekh
02-08-2005, 09:54 PM
It is more time effective to attack MS products since they are 90% of the world.
That is a common explanation, but not necessarily correct. Case-in-point: Apache is the dominant webserver on the Internet today, but IIS has seen far more exploits than Apache.

The fact of the matter is, until recently Microsoft didn't place the same emphasis on security that they now do. I can give you some technical examples if you like, but really, XP SP2 is the first major step in solving this, and hopefully that progress will reverberate through their product line.

--janak

Cybrid
02-08-2005, 10:59 PM
It's simply the nature of things....You create software with the best of your abilities and someone does something unpredicted with it...the results cannot be anticipated. You simply patch as fast as it becomes known. Therein lies the rub. I have seen Norton miss viruses while AVG catches them. Both are current! Someone explain that to me? Perhaps since AVG updates every Tuesday?
I have Norton's update scheduled similarly but.....
I believe I also said the above?
You simply patch as fast as it becomes known.
I will be among the first to complain about MS' complacency in regards to many if not all their products and getting it fixed.


Edit:
It is also possible that since 90% of the world is MS, few will have the experience to attack Apache. Being linux based and all.

Janak Parekh
02-08-2005, 11:09 PM
You simply patch as fast as it becomes known.
I know this, and believe me, I'm planning deployment of the 13 some-odd patches that came out today for Microsoft products. But that's not the only strategy one should use. There are products which are designed more securely than others, and part of corporate strategy is to figure out which are a good compromise between security and functionality and to adopt them. For example, ActiveX in IE is useful for corporate intranets as a web application deployment system, but is a major irritant for outside web browsing.

It is also possible that since 90% of the world is MS, few will have the experience to attack Apache being linux based.
Nope. First, Apache is not "Linux-based". It runs on a ton of platforms, including Windows, Mac OS X, and Linux. Second, there are plenty of Linux exploits out there. As it stands, my Linux boxes are being attacked constantly by password-guessing rootkits. I've also worked with boxes that have been rooted. It's not that unusual.

Incidentally - I didn't mean to imply that only Windows products have vulnerabilities. There are multiple mail servers for UNIX operating systems, and of those, sendmail by far has the poorest security record. In fact, I'd suggest that Exchange, from my experience, has a much better security record than sendmail.

(Also, Windows doesn't have a 90% marketshare in the server/service environment.)

--janak

Cybrid
02-09-2005, 01:59 AM
I know this, and believe me, I'm planning deployment of the 13 some-odd patches that came out today for Microsoft products. But that's not the only strategy one should use. There are products which are designed more securely than others, and part of corporate strategy is to figure out which are a good compromise between security and functionality and to adopt them. For example, ActiveX in IE is useful for corporate intranets as a web application deployment system, but is a major irritant for outside web browsing.
Yes. I agree. My comment in the first re: AVG vs. Norton....AVG also uses heuristic analysis, and is quick to push out updates. All software companies require a very proactive approach to security.


Nope. First, Apache is not "Linux-based". It runs on a ton of platforms, including Windows, Mac OS X, and Linux.
I could have sworn......:) running on different OS'....so does Firefox, OpenOffice, several others....
Well anyway, somewhere along the line I musta assumed wrong...I'd have to research but I'd rather take your word.


Second, there are plenty of Linux exploits out there. As it stands, my Linux boxes are being attacked constantly by password-guessing rootkits. I've also worked with boxes that have been rooted. It's not that unusual.
Incidentally - I didn't mean to imply that only Windows products have vulnerabilities. There are multiple mail servers for UNIX operating systems, and of those, sendmail by far has the poorest security record. In fact, I'd suggest that Exchange, from my experience, has a much better security record than sendmail.
(Also, Windows doesn't have a 90% marketshare in the server/service environment.)
I did mention alternate OS vulnerabilities.
90% PC = 90% people with Windows experience. I could muddle through a finger-pecked DOS session but Linux..? Maybe in a few years....
Statistically, if someone were to ping and probe a random IP....he'd have more success with a Windows exploit script. Ergo a hacker seeking to do evil is better off attacking/testing on a Windows box.....Ergo, greater energy is being spent on attacking Windows...make sense?

Janak Parekh
02-09-2005, 02:06 AM
Statistically If someone were to ping and probe a random IP....He'd have more success with a Windows exploit script. Ergo a hacker seeking to do evil is better of attacking/ testing on a windows box.....Ergo, greater energy is being spent on attacking windows...make sense?
Not quite. ;) I do intrusion-detection research as part of my day job. While you're right in that your average "skr1pt k1dd13z" might do this, they're increasingly not the group of people to be concerned with.

The serious worm propagators and hackers do long-term low-frequency ping scans and use the fingerprinted response to determine what OS the unit is running well in advance of an actual attack. They then do very fast targeted attacks based on what their goal is. This is largely how most modern worms work. If you simply randomly probe IPs, you're likely to have a very slow spread rate as routers will drop invalid-targeted packets and firewalls will drop legitimately-targeted packets. This causes timeouts to be greater and decreases your overall throughput.

I'm not going to go into the technical details of how vulnerabilities are efficiently exploited to avoid getting people mad at me, but it's become far more clever than that -- and all platforms are targeted nowadays in my experience. We haven't truly seen a cross-platform, multi-vector worm yet, but it's coming soon.

Now, phishing and similar non-exploit vulnerabilities are a bit different. Do the phishers target their URL spoofing techniques towards IE far more than Firefox? Yes. Has IE been poorly coded in URL formatting and scanning? Yes. Could Firefox be designed better from the ground-up in processing URLs? Sure. Is it? No clue -- but my point all along was that you can't necessarily extrapolate that from marketshare.

Also, by using non-majority browser(s), you will be statistically luckier in this regard, and at least Firefox is being developed faster than IE. And no ActiveX makes it useful to deploy in family environments who click "Install" on everything. :P

--janak
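
To make the scanning pattern described in the post above concrete, here is an added example (not from the post, and not from any shipping intrusion-detection product): a naive per-minute rate threshold next to a check for one source touching many distinct hosts with long gaps between probes, both run over a few constructed firewall log lines. The log format, the addresses, the thresholds and the year are assumptions. The initial-TTL guess (64, 128, 255) is the common rough heuristic a scanner applies to the replies it collects; here it is applied to the TTL observed on the inbound probes, which fingerprints the scanner instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up syslog style; not from any real firewall.
SAMPLE_LOG = """\
Feb 09 00:14:02 fw kernel: ICMP echo-request src=203.0.113.7 dst=192.0.2.10 ttl=116
Feb 09 01:37:45 fw kernel: ICMP echo-request src=203.0.113.7 dst=192.0.2.11 ttl=116
Feb 09 03:02:19 fw kernel: ICMP echo-request src=203.0.113.7 dst=192.0.2.12 ttl=116
Feb 09 04:41:58 fw kernel: ICMP echo-request src=203.0.113.7 dst=192.0.2.13 ttl=116
Feb 09 06:09:33 fw kernel: ICMP echo-request src=203.0.113.7 dst=192.0.2.14 ttl=116
Feb 09 06:10:01 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:02 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:03 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:04 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:05 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:06 fw kernel: ICMP echo-request src=198.51.100.4 dst=192.0.2.10 ttl=52
Feb 09 06:10:07 fw kernel: some unrelated message
"""

# Assumed line layout; a real device needs its own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ kernel: ICMP echo-request "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) ttl=(?P<ttl>\d+)$"
)


def parse(log_text, year=2005):
    """Return (timestamp, src, dst, ttl) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["ttl"])))
    return events


def rate_alerts(events, window_s=60, threshold=5):
    """Naive detector: a source sending >= threshold probes inside one fixed window."""
    counts = defaultdict(int)
    for ts, src, _, _ in events:
        bucket = int((ts - datetime(1970, 1, 1)).total_seconds()) // window_s
        counts[(src, bucket)] += 1
    return {src for (src, _), n in counts.items() if n >= threshold}


def guess_initial_ttl(observed):
    """Classic heuristic: stacks start at 64 (Unix-like), 128 (Windows) or 255
    (network gear); the smallest of those not below the observed value is the
    likely origin, and the difference is the hop count."""
    for initial, family in ((64, "unix-like"), (128, "windows"), (255, "network device")):
        if observed <= initial:
            return family, initial - observed
    return "unknown", None


def slow_sweep_alerts(events, min_targets=4, min_gap_s=600):
    """Low-and-slow detector: one source touching many distinct hosts with long
    gaps between probes, which the per-window rate threshold never sees."""
    by_src = defaultdict(list)
    for ts, src, dst, ttl in events:
        by_src[src].append((ts, dst, ttl))
    findings = {}
    for src, probes in by_src.items():
        probes.sort()
        targets = {dst for _, dst, _ in probes}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(probes, probes[1:])]
        if len(targets) >= min_targets and gaps and min(gaps) >= min_gap_s:
            family, hops = guess_initial_ttl(probes[0][2])
            findings[src] = {
                "targets": len(targets),
                "min_gap_s": min(gaps),
                "span_s": (probes[-1][0] - probes[0][0]).total_seconds(),
                "guessed_os": family,
                "hops": hops,
            }
    return findings


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("rate threshold fires on:", rate_alerts(ev))
    print("slow sweep fires on:", slow_sweep_alerts(ev))
```

On the sample, the burst from 198.51.100.4 trips the rate threshold while the source that spends six hours walking five hosts never does; only the per-source target count with the gap check catches it, which is the point Janak makes about random probing versus patient scans.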

Cybrid
02-10-2005, 05:44 AM
Well. Thanks for the education in that regard. However, since the original post is about PIE and my original post is about the fact that NetFront doesn't necessarily give you a "magic bullet", I believe my statement still stands...You say so yourself....
While you're right in that your average "skr1pt k1dd13z" might do this, they're increasingly not the group of people to be concerned with.
Yes, they are the group to be personally concerned with. The smaller, more educated hacker groups may concentrate on webservers, etc, or whatever, using well disciplined attack methods. But the average user is "small fish" to them. The larger group of half-baked "skr1pt k1dd13z" are more likely to attack the regular user. They will more likely be focused on IE and PIE......greater energy.

Now, phishing and similar non-exploit vulnerabilities are a bit different. Do the phishers target their URL spoofing techniques towards IE far more than Firefox? Yes. Has IE been poorly coded in URL formatting and scanning? Yes. Could Firefox be designed better from the ground-up in processing URLs? Sure. Is it? No clue -- but my point all along was that you can't necessarily extrapolate that from marketshare.
No, I suppose not. The extrapolation is an assumption. I simply think it is apt from the point of view of the guy I responded to. Neither I nor he is ever going to be personally concerned about an exploit that runs on Atari, Palm, OS/2, Sun SPARC or some other software we are unlikely to recognize even in passing. It would be the other guy's problem.

Also, by using non-majority browser(s), you will be statistically luckier in this regard, and at least Firefox is being developed faster than IE. And no ActiveX makes it useful to deploy in family environments who click "Install" on everything.
Oh yes. Exactly! A non-majority browser........but what happens when it becomes the majority? Say in a few years Firefox becomes numero uno....Is it not going to have a bullseye painted on its back much like IE? Whether it is built better is your department....Like any form of encryption/human subject of torture/rock in a river.... it can be broken....given time and enough resources.

P.S. I'm still trying to get "Bonzi Buddy" off of my 'lil sisters PC....:D

Cybrid
02-11-2005, 10:07 AM
Security experts are advising that spyware that targets browsers from the Mozilla Foundation has been spotted--a threat that could worsen as its Firefox browser takes market share from Microsoft.
Stu Sjouwerman, the founder of Sunbelt Software, said on Tuesday that the anti-spyware company has discovered what it believes is the first spyware to take aim at surfers using Mozilla browsers.
Richard Stiennon, vice president of threat research at Webroot Software, which also develops anti-spyware tools, said that the malicious software does not target Firefox specifically.
"According to my research team, this site does not target Firefox, but it does target Mozilla," Stiennon said. "(It's) only a matter of time now until a Firefox spy is discovered."
Although the spyware is only installed if users agree to download a certain file, many users are likely to click through, as the download's dialogue box gives no indication of the file's malicious payload, Sjouwerman said.
"It's done in a way that people might not recognize as a normal install, and will work in Firefox," Sjouwerman said. "It's not a full-fledged spyware attack yet, but it definitely shows where it's going."
Experts believe that Mozilla-based browsers such as Firefox have become a greater target for spyware as their market share has rapidly increased over the last six months--from 2.4 percent in May to 7.4 percent in November, according to Web traffic measurement company OneStat.com. Firefox has said that it is aiming for 10 percent of Web surfers by the end of 2005.
Writers of viruses and spyware for browsers have typically concentrated on Internet Explorer, because of its near-total market dominance. But that could be changing now that Firefox is making gains at the expense of Microsoft's browser.
Sjouwerman said that "stealth spyware" targeted at Firefox is "bound to happen" as hackers are currently working hard trying to find security holes in the open-source browser. "There's a small army of rogue programmers that are tearing Firefox apart," he said.
But Graham Cluley, a senior technology consultant at security company Sophos, said he is not sure what type of spyware will target Firefox.
"It's hard to predict precisely what form spyware for Firefox may take, as it will depend in part on what security flaws may be found in the Firefox code in the future, and how quickly the community responds to patch those vulnerabilities," Cluley said.
David McGuinness, a Mozilla contributor, said Firefox protects PC users by displaying a yellow information bar if a site that is not Update.mozilla.org tries to automatically install code. But he warned that it will be more difficult to protect systems against a stealth install.
"It all boils down to user education. People can install applications with variable amounts of effort from all browsers. It's the stealth attacks that are the problem, where people get infected without running anything themselves," McGuinness said.

http://news.com.com/Spyware+takes+aim+at+Mozilla+browsers/2100-7349_3-5569635.html?part=rss&tag=5569635&subj=news.7349.20

Janak Parekh
02-11-2005, 04:38 PM
Yes, they are the group to be personally concerned with. The smaller more educated hacker groups may concentrate on webservers, etc, or whatever using well disciplined attack methods. But the average user is "small fish" to them. the larger group of half baked "skr1pt k1dd13z" are more likely to attack the regular user. They will more likely be focused on IE and PIE......greater energy.
I disagree. When I refer to the script kiddies, I mean those in the basement cooking up little scripts. They're generally harmless.

Exactly! a non majority browser........but what happens when it becomes the majority? say in a few years Firefox becomes numero uno....Is it not going to have a bullseye painted on it's back much like IE?
Not necessarily. For example, the article you referred to isn't all that well-written. If you've used Firefox, you know they've made XPIs difficult to install from any non-authorized site, and this was a move specifically made after the first spyware XPI was found. It takes at least 5 clicks to install it, if not more, unless it's an XPI from update.mozilla.org. The fact that the community built this solution into Firefox in less than 6 months after the first one was discovered clearly suggests that, unlike IE, the Firefox team is watching and actively responding against threats. It's easy to manufacture spyware against IE, and continues to be so, since all versions of IE 6 that are not XP SP2 are clearly not being changed as per Microsoft's dictum.

--janak

Cybrid
02-15-2005, 09:43 PM
I disagree. When I refer to the script kiddies, I mean those in the basement cooking up little scripts. They're generally harmless.
There we have a difference of opinion. Just remember...the professional hackers didn't simply graduate from MIT and then decide on a life of crime. The script kiddy grows up and does refine his skill with time.

Not necessarily. For example, the article you referred to isn't all that well-written. If you've used Firefox, you know they've made XPIs difficult to install from any non-authorized site, and this was a move specifically made after the first spyware XPI was found. It takes at least 5 clicks to install it, if not more, unless it's an XPI from update.mozilla.org. The fact that the community built this solution into Firefox in less than 6 months after the first one was discovered clearly suggests that, unlike IE, the Firefox team is watching and actively responding against threats. It's easy to manufacture spyware against IE, and continues to be so, since all versions of IE 6 that are not XP SP2 are clearly not being changed as per Microsoft's dictum.
Doesn't that fall under the patch a.s.a.p. category? And yes, I've already conceded MS' slow and unreliable record in this regard. They ought to be much faster and more proactive in dealing with known exploits.

My posts have had a singular point that unless you and a host of like minded individuals actively went through an application's code with the intent of finding holes, you cannot consider it to be completely secure. The possibilities and new previously unconsidered attack methods are just too high. To assume so, is precisely the type of complacency we must avoid.

I'm beginning to feel like this guy :frusty:

Janak Parekh
02-15-2005, 10:52 PM
There we have a difference of opinion. Just remember...the professional hackers didn't simply graduate from MIT and then decide on a life of crime. The script kiddy grows up and does refine his skill with time.
My professional experience suggests otherwise.

Doesn't that fall under the patch a.s.a.p. category? And yes, I've already conceded MS' slow and unreliable record in this regard. They ought to be much faster and proactive in dealing with known exploits.
No. There's a difference between a security patch and a redesign for security. IE in XP SP2 was a redesign for security. Ditto for Firefox.

My posts have had a singular point that unless you and a host of like minded individuals actively went through an application's code with the intent of finding holes, you cannot consider it to be completely secure.
True, but there's more to designing software than making sure you don't have buffer overflows. There are logic constructs that can make it easy for bad things to happen, even if they're not themselves bugs. That's the distinction between IE and Firefox in the past. This may be changing, as Microsoft has just announced they'll release an IE7 which is more geared to security.

--janak

Cybrid
02-16-2005, 12:16 AM
My professional experience suggests otherwise.
Aww...c'mon....are MIT grads turning to a life of crime? :D
FAIK ....there may be underground hacker "schools" but in general....don't you think that hackers might have underground forums or equivalent? Where they trade tips, tools, teach/ learn?


No. There's a difference between a security patch and a redesign for security. IE in XP SP2 was a redesign for security. Ditto for Firefox.
Semantics. potato=potayto. I suppose I should say fix, prevent, make improvements to, whatever....
While there may be a specific jargonized meaning to "patch", I meant it in a comprehensive way. If that offends your professional sensibilities...My bad...I'm sorry.


True, but there's more to designing software than making sure you don't have buffer overflows. There are logic constructs that can make it easy for bad things to happen, even if they're not themselves bugs. That's the distinction between IE and Firefox in the past. This may be changing, as Microsoft has just announced they'll release an IE7 which is more geared to security.
Again that falls under MS=complacent. Ok! I get it!:)

Janak Parekh
02-16-2005, 12:20 AM
Aww...c'mon....are MIT grads turning to a life of crime? :D
No, I don't mean graduate students, but rather organized black-hat groups. Perhaps you're calling them script kiddies. I consider the term more appropriate for the random single kids bored out of their mind playing around with downloads off the 'Net. I'd accept it's a semantic difference.

Semantics. potato=potayto. I suppose I should say fix, prevent, make improvements to, whatever....
Ah, but as a Computer Scientist, that semantic is rather different. It's more like "potato=apple". Patching something means fixing a specific bug (e.g., if a line of code is to input a buffer that overflows a declared character array), as opposed to a design flaw.

Again that falls under MS=complacent. Ok! I get it!:)
To MS's credit, they've "gotten" the fact that they were complacent, and are currently rearchitecting things.

--janak

Cybrid
02-16-2005, 04:54 PM
No, I don't mean graduate students, but rather organized black-hat groups. Perhaps you're calling them script kiddies. I consider the term more appropriate for the random single kids bored out of their mind playing around with downloads off the 'Net. I'd accept it's a semantic difference.
Well, I understood the term to mean "random single kids bored out of their mind playing around with downloads off the 'Net".....I'm just saying that those same kids later join those "black hats".


Ah, but as a Computer Scientist, that semantic is rather different. It's more like "potato=apple". Patching something means fixing a specific bug (e.g., if a line of code is to input a buffer that overflows a declared character array), as opposed to a design flaw.
As per my earlier...my bad. I'm sorry.


To MS's credit, they've "gotten" the fact that they were complacent, and are currently rearchitecting things.
Cool.

Janak Parekh
02-16-2005, 04:57 PM
As per my earlier...my bad. I'm sorry.
Heh, don't apologize. :P It's a worthwhile discussion, one that the entire industry is having and, finally, finally, people are starting to realize that infinite flexibility of a network-based platform isn't always a good thing.

--janak

Cybrid
02-16-2005, 05:09 PM
And just to continue this interesting discussion...if you have time...


Browsers Hit by Spoofing Flaw
A security hole has been reported for nearly every browser in use -- including Firefox, Safari, OmniWeb, Mozilla, Opera and Netscape -- with the notable exception of Internet Explorer, which is not among the crop of browsers directly affected by the flaw.

Security firm Secunia has issued an advisory warning users that a problem related to domain name implementation could be used to carry out phishing scams through Web address spoofing. The vulnerability has been ranked as "moderately critical."

Public Domain

The spoofing flaw arises from the way that browsers handle Web addresses that include international characters in International Domain Name URLs.

The flaw can be exploited by registering domain names with international characters that resemble more commonly used characters.

For example, a zero can be put in place of the letter "O" leading to the registration of "Micr0s0ft.com."

Wide Reach

The flaw affects a broad range of browsers that use the open-source Gecko browser kernel, according to Secunia.

Anyone using Firefox, Safari, or the like, could be visiting spoofed sites without realizing it. Since some phishing scams rely on fake sites to collect personal information, users could be opening themselves up to identity theft.

Because there is not yet a patch, Secunia researcher Thomas Kristensen told NewsFactor that the most effective way to avoid the flaw is to surf responsibly.

"The best thing you can do is not to follow links that you don't trust," he said. "Type the URL into the address line, rather than just clicking from one link to another."

Trouble Free IE

The fact that IE is not struck by the flaw is ironic to some, considering that the browser often garners security advisories. Some universities have grown so tired of IE security problems that they have encouraged students to switch to Firefox.

The reason IE is given a clean bill of health in this latest security round is not due to tighter security measures, Kristensen said. Rather, it is because of the browser's age.

"The functionality at play here is a rather new thing," he noted. "IE doesn't have it. Some users have downloaded it via a plug-in from Verisign, though, so they'll be affected."

Secunia and others in the security community are eager for ICANN and the browser vendors to address the problem soon. "This is a serious security issue," Kristensen said. "We hope something can be done before many more people acquire these domain names."

http://story.news.yahoo.com/news?tmpl=story2&u=/nf/20050209/tc_nf/30348

Janak Parekh
02-16-2005, 05:12 PM
And just to continue this interesting discussion...if you have time...
Not entirely, so I'll give you the short version: The Mozilla Foundation has decided to disable the IDN extensions for the time being (http://www.mozillazine.org/talkback.html?article=6073) until a long-term solution can be worked out. It's not an easy problem to solve. It appears that the solution will have to be to work with the international registrars to make sure people don't register identical-looking names. How else do you deal with the fact there are several characters that look like "o"? ;)

--janak
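
A worked check for the homograph problem in the quoted Secunia article and in the reply above (added example; not code from the page, from Airscanner, Secunia or Mozilla): it folds a domain to the punycode form a browser actually resolves, flags labels that mix scripts, and folds a small hand-picked table of look-alike characters (including digit zero for letter o, the Micr0s0ft.com case) to see whether a name collides with a trusted one. The confusables table, the trusted list and the sample domains are constructed assumptions; the real Unicode confusables data is far larger.

```python
import unicodedata

# Constructed, hand-picked subset of look-alike characters (assumption: the real
# Unicode confusables table is far larger). Maps a character to the ASCII letter
# it is usually mistaken for.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "0": "o",       # digit zero for letter o: the Micr0s0ft.com case in the article
    "1": "l",       # digit one for lowercase L
}


def script_of(ch):
    """Rough script bucket from the first word of the Unicode character name."""
    if ch in "-.0123456789":
        return "COMMON"          # allowed in any label, carries no script
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring digits and hyphens."""
    return {script_of(c) for c in label} - {"COMMON"}


def skeleton(domain):
    """Fold every confusable character to its ASCII look-alike."""
    return "".join(CONFUSABLES.get(c, c) for c in domain.lower())


def to_ascii(domain):
    """The punycode (IDNA) form that is actually sent to the resolver."""
    return domain.lower().encode("idna").decode("ascii")


def analyze_domain(domain, trusted):
    """Return the checks a client could run before trusting a displayed host name.

    trusted: set of lowercase ASCII domains the user has a relationship with
    (constructed for the example; a real client would use history or a list)."""
    domain = domain.lower()
    ascii_form = to_ascii(domain)
    mixed = any(len(label_scripts(lbl)) > 1 for lbl in domain.split("."))
    skel = skeleton(domain)
    lookalike_of = skel if skel in trusted and skel != domain else None
    return {
        "ascii": ascii_form,             # what the resolver sees
        "is_idn": ascii_form != domain,  # display form differs from wire form
        "mixed_script": mixed,           # Latin and Cyrillic in one label, etc.
        "lookalike_of": lookalike_of,    # trusted name it imitates, if any
    }


if __name__ == "__main__":
    trusted = {"paypal.com", "microsoft.com"}
    for name in ("paypal.com", "p\u0430ypal.com", "Micr0s0ft.com"):
        print(name, analyze_domain(name, trusted))
```

Showing the xn-- form instead of the Unicode display string is what the Mozilla workaround in the reply amounts to; the mixed-script check and the skeleton comparison are two of the client-side rules that can let IDN stay on for names that do not imitate anything, which is why Janak calls this a hard problem for registrars rather than a one-line browser fix.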

Cybrid
02-16-2005, 07:44 PM
I suppose it just boils down to mastering your OS and its applications. Doesn't matter what you run (there are better or worse similar apps...whatever! You need to be able to comfortably use it.)...it simply is one where you as a user have to be on top of things. As the user you need to make the effort to be informed and vigilant. With the right set of skills just about any OS could be made as secure as it could be. Complacency and ignorance in a user is the greatest threat. Nuttin new there.

meandering sidenote: It's kinda like chess. The endless possibilities and variation mean there is no absolute killer game.

You can tell the "book learnt" from the self taught "thinkers". The book guys have a great beginning and sometimes even an endgame but the "thinker" really only has to vary his game in an unexpected way to overcome the "book".