Thursday, January 7, 2010

Security Smorgasbord, vol 2 no 1

Cross-Site Scripting (XSS) bug in home firewalls allows bad guys to take control:

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Personally, I'm not sure how bad this is. There's no doubt that Kamkar knows his stuff - he created the first Myspace worm a couple years back. However, there is an easy way you can break this: don't let your browser remember your router's password. Write the password down (yes, this is usually a Really Bad Thing; it's not this time) and tape it to the router. When you have to log into the router (once in a blue moon), read the password and manually type it in.

That way, if you stumble across an XSS link, Mr. Bad Guy will have to guess your password.

-------------------------------------------------------

Slovakia plants bombs on unsuspecting airline passengers:

Irish police have released a man held over an explosives find, after Slovak authorities admitted planting them in his luggage as part of a security test.

The explosives were among eight contraband items placed with passengers at Bratislava and Poprad-Tatry airports last weekend.

The 49-year-old man unwittingly brought the material into Dublin when he returned from his Christmas holidays.

Wow. Not sure what else to say, other than they've said they're sorry. Or something.

----------------------------------------------------------

Adobe flaw being exploited, still no patch.

At least Adobe is working on an automatic Updater like Firefox has. Now if we could just get one for Internet Explorer 8 ...

-----------------------------------------------------------

American Banker's Association: use dedicated PC for online banking:

The FBI and the American Bankers Association have issued a warning to small business owners to use a separate computer for online banking.

Small businesses, as well as churches, non-profit organizations and local government agencies and school districts, are prime targets for cyber theft, USA Today reports. The criminals depend on "banking Trojans," malicious software spread through the Internet that allows them to steal funds by manipulating electronic transfers.

Experts say a computer used only for banking is less likely to become infected than one used for e-mail and browsing the Web.

Good advice, really. This is a big, big deal. There is a lot of malware activity targeting these people.

1 comment:

Anonymous said...

Re explosives on airlines: Without an initiator, all your average plastic explosive is is flammable, waxy stuff; it will sustain the temperatures associated with flight in the baggage compartment, and the shocks, because it is designed for such an environment.

They didn't specify how much material they used, but explosives smell distinctly, so it shouldn't have taken much.

Jim