Antisocial networking sites.THE NEXT TIME YOU VISIT a Web site on which users contribute much of the content--say, social networking sites A Web site that provides a virtual community for people interested in a particular subject or just to "hang out" together. Members create their own online "profile" with biographical data, pictures, likes, dislikes and any other information they choose to post. like Myspace or photo-sharing sites like Flickr--be aware that some of the content other users are contributing may be malicious. [ILLUSTRATION OMITTED] This malicious content uses simple JavaScript code that can be placed on a Web site. These attacks are particularly dangerous because they take advantage of the way the code is meant to work. JavaScript is a programming language used on Web sites for simple functions such as opening a pop-up window pop-up window n (Comput) → Popup-Fenster nt or causing a button to change when the cursor (1) The symbol used to point to some element on screen. On Windows, Mac and other graphics-based screens, it is also called a "pointer," and it changes shape as it is moved with the mouse into different areas of the application. moves across it. It can be embedded Inserted into. See embedded system. in a Web page's HTML HTML in full HyperText Markup Language Markup language derived from SGML that is used to prepare hypertext documents. Relatively easy for nonprogrammers to master, HTML is the language used for documents on the World Wide Web. code, and, like HTML, JavaScript runs in the Web browser The program that serves as your front end to the Web on the Internet. In order to view a site, you type its address (URL) into the browser's Location field; for example, www.computerlanguage.com, and the home page of that site is downloaded to you. , not on the server, so it doesn't need to exploit a computer vulnerability or an unpatched browser. Billy Hoffman Billy Hoffman, also known as Acidus, is an American hacker, born in Atlanta, Georgia on October 15, 1980. Biography His father is a sales consultant and his mother is a historian and a former high school social studies teacher. , lead research engineer at SPI (1) (Stateful Packet Inspection) See stateful inspection. (2) (Service Provider Interface) The programming interface for developing Windows drivers under WOSA. Labs, says that SPI has created a proof-of-concept JavaScript scanning tool that determines the IP address of the computer it's on and then scans to see what other devices--Web servers, wireless routers A network device that combines a wireless access point (base station), a wired LAN switch and a router with connections to a cable or DSL service. Wireless routers provide a convenient way to connect a small number of wired and any number of wireless computers to the Internet. , and so on--are on that network. Another part of the JavaScript code then looks at images it finds on those devices; since many Web servers contain images of a standard size and name, locating images of specified sizes and names allows the server to be fingerprinted. All of this information can be sent back to a third party again simply by using JavaScript functionality that reaches out to other Web sites for images. Hoffman says that mapping and fingerprinting a network from the inside provides an attacker with a cache of information that is typically hard to get. "Normally an attacker needs to do a lot of work to get that type of information," he says. "He needs to hack around your firewall, or park in front of your headquarters and try to find an open access point that's not secured." [ILLUSTRATION OMITTED] When an internal user behind a firewall unwittingly executes the malicious JavaScript, all this information can be gathered quickly. Mikko Hyponnen, director of antivirus research at F-Secure, says that his team audited two well-known social networking sites with millions of registered users (not including Myspace) and quickly found that both sites were vulnerable to these kinds of attacks. Hyponnen says that this attack scenario is "perfectly preventable" when Web sites carefully validate content being input by users and weed out code that doesn't belong. "The bottom line is, whatever the situation is, you don't want to have pages where users can post their own JavaScript, which would then be executed by other users. That's a major no-no, that's something that's behind most of these attacks, and Web sites don't need that functionality." @ AN SPI LABS RESEARCH BRIEF, DETECTING, ANALYZING, AND EXPLOITING INTRANET APPLICATIONS USING JAVASCRIPT, HAS MORE DETAILS. GET IT AT SM ONLINE BY CLICKING ON "BEYOND PRINT." |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion