The oracle strikes again – “Browser OS” threats start to appear

Moving on from the social networking issues we outlined in the past couple of weeks, and after following our predictions and their materialization (here, here, here in the announcement of Gmail offline, here, and here), we can already see the “Browser OS”, as we dubbed it in our annual threat and predictions report, beginning to materialize as well.

As per a recent Register article, threats related to Google Gears™ have started to appear – taking advantage of the extended capabilities granted to the browser – just like we predicted in our report. We named Google’s Gears, Adobe’s Air and Microsoft’s Silverlight as the prominent technologies that would be the enablers of the “Browser OS” and would be scrutinized for their security implications.

As always, we are not here to say “nay” to every new technology – just the opposite: these technologies are the future, and they enable businesses and individuals alike to be more productive and have a better web experience. The only claim here is that anyone claiming to provide internet and web security should put more focus on measures that take these technologies into account, and should have enough forward-looking vision to execute on it.

Fighting an infection vector with new standards – ClickJacking

If you haven’t heard yet, the newest version of Microsoft’s Internet Explorer 8 (RC1) has been endowed with support for “Anti-Clickjacking” (for more background on clickjacking, check out: http://ha.ckers.org/blog/20080915/clickjacking/).

This new feature is basically an implementation of a new response header (X-FRAME-OPTIONS) that is returned from a server and defines the scope of “nesting” that is allowed for a specific site. This means that sites can have control over whether their content is allowed to be rendered inside an IFrame element – and where (on pages from 3rd party sites, only on pages within the site itself, or not at all).

The proposed solution is nice, but time will tell if or when sites will start adopting it. Nevertheless, while playing around with the new feature’s behavior, I noticed that without much PR, Firefox is also supporting the same functionality.
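To make the mechanism concrete, here is an added example (not code from the original post or from any browser vendor) that models the decision a browser makes when a page it is about to render inside an IFrame carries X-FRAME-OPTIONS, together with a tiny server that returns the DENY value described above. The header is evaluated against the response of the framed page, not of the top-level page, which is why it protects a site only once that site itself sends it. The SAMEORIGIN and ALLOW-FROM values follow the header’s later documented semantics (RFC 7034) and are an assumption beyond the DENY value the post shows; all URLs and responses below are constructed.

```python
"""Browser-side evaluation of the X-Frame-Options response header.

Added example: models how a browser decides whether a framed page may be
rendered, given the X-Frame-Options value that page returned. DENY is the
value shown in the post; SAMEORIGIN and ALLOW-FROM follow RFC 7034 and are
an assumption about later browser behaviour. All sample URLs are constructed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def origin_of(url):
    """Return the (scheme, host, port) origin tuple for an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL for origin comparison: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def framing_allowed(header_value, framed_url, top_url):
    """Decide whether `framed_url` may render inside a frame on `top_url`.

    `header_value` is the X-Frame-Options value returned by the *framed*
    page (None when absent). Unknown or malformed values are treated as
    'no restriction', which is how browsers behaved and why the value has
    to be spelled exactly.
    """
    if header_value is None:
        return True  # no header: anyone may frame the page (the default)
    tokens = header_value.strip().split()
    directive = tokens[0].upper() if tokens else ""
    if directive == "DENY":
        return False  # Image 1 in the post: refused regardless of top page
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        return origin_of(top_url) == origin_of(tokens[1])
    return True  # unrecognised value: browsers ignore it


def check_response(headers):
    """Summarise the framing policy a server response declares.

    Header names are matched case-insensitively. Returns one of
    'missing', 'deny', 'sameorigin', 'allow-from' or 'unrecognised', so a
    scan over a site's responses can flag pages that are still frameable.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-frame-options"), None)
    if value is None:
        return "missing"
    tokens = value.strip().split()
    directive = tokens[0].upper() if tokens else ""
    return {"DENY": "deny", "SAMEORIGIN": "sameorigin",
            "ALLOW-FROM": "allow-from"}.get(directive, "unrecognised")


class DenyFramingHandler(BaseHTTPRequestHandler):
    """Minimal server returning X-Frame-Options: DENY on every page,
    reproducing the server side of the setup behind the post's Image 1."""

    def do_GET(self):
        body = b"<html><body>This page refuses to be framed.</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed scenario: a third-party page tries to frame a bank page
    # that answered with DENY; the browser must refuse to render it.
    print(framing_allowed("DENY", "https://bank.example/transfer",
                          "https://third-party.example/game"))  # False
    # Serve the DENY page locally to test a browser against it.
    HTTPServer(("127.0.0.1", 8000), DenyFramingHandler).serve_forever()
```

Running the module starts the local server on port 8000; loading http://127.0.0.1:8000/ inside an IFrame from another page lets you observe the refusal shown in the post’s screenshots. The `check_response` helper is the defender’s side of the same story: run it over the headers of each page of a site to find the ones that still lack the header.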

Image 1: blocking the inclusion of a site in an IFRAME where the site returned a header X-FRAME-OPTIONS: DENY

Image 2: Firefox blocking the included IFrame, and showing the actual header returned from the site.

Now with only Chrome and Opera left to jump on the bandwagon, we might actually have a chance to see some changes in the web security landscape (as you may remember – most web-borne attacks are delivered through the inclusion of an invisible IFrame hosting malicious code). That is, if only this protocol could have been reversed to define that no IFrames should be rendered ON a given site, thus preventing injected IFrame elements from being delivered to the users of a compromised site.

Gear up – predictions for 2009 have begun to materialize

How about answering email messages when you are not online? Easy, right? But if you are using a webmail account, that used to be a problem; so was reading unopened or older messages in your inbox. Well, not anymore: Gmail goes offline!

The AIRC annual threat report with the 2009 predictions could not have been published at a better time. As you may have noted, one of our predictions focused on the anticipated broader use of the browser as an “operating system” – which means that more and more functionality that used to belong to your Windows/Linux/Mac is now handled by the browser. From a security standpoint that means more focus on vulnerabilities related to the browser and the applications running on it, and less on the OS itself.

Google’s Gears was one of the technologies I named as worth following, as it basically enables a broader and easier use of web applications – even when you are offline. This means that you can still edit documents, and now read and write emails, when your Laptop/Notebook/Netbook is offline (on the train, choppy WiFi signal, no 3G coverage, etc…). It works out of the box if you are using Chrome, and just needs Gears to be installed if you are not. The installation is much like Microsoft’s Silverlight and Adobe’s Air, which are also mentioned in our report.

Have fun, and keep an eye out for what could possibly be one of the first web-borne attacks to occur offline. :-)

What’s been on people’s minds lately?

As we have been predicting (and following during 2008), the criminal’s mind is very much attuned to the public mind. The current issues that everyone (well, at least a lot of us) has been dealing with are the current economic situation, and what President Obama is going to do about it. Without fail, eCriminals have been worried about the same issues, and in their latest “marketing” efforts have made sure that the relevant internet sites cater to them as well. Reports by Websense and Sophos show how both the official Barack Obama website and a couple of popular job sites have been compromised in an attempt to capitalize on the volume of traffic that has been hitting these sites.

As usual, not much surprise here (read more details about the “almanac” of web security here); still, be careful out there – even on sites you supposedly trust. Common sense usually trumps the irresistible urge to click and approve everything shown to you when trying to get to some content.