Sunday, August 06, 2006

Slow Down! I'm gettin' dizzy

I was just reading some guy's blog on security. He was talking about JavaScript malware and how one could not only collect a great deal of information from a website visitor running a malicious script, but also launch entire attacks that enter DMZs and exploit vulnerabilities deep inside a supposedly secure network.

I'm just beginning to learn JavaScript, but I am able to understand that what this guy is talking about is possible. Like "let's do it today" possible. And it occurred to me: forget the security experts, forget the guys in dirty jeans attending BlackHat or Defcon. How many internet users are aware of malicious JavaScript? Or Cross Site Scripting? How many super-duper administrators?

Here's a simple example based on a scenario from the above blog. Some guy works as a low-level programmer or in tech support or something like that. Nobody pays much attention to him. His job is as simple as writing installers or changing backup tapes and ink cartridges. The company's network is secure, with super firewalls, VLANs, etc. That guy, while bored, visits an XSS-vulnerable site, let's say MySpace. The attacker has planted a script there which is downloaded as soon as the page loads. That's it! The employee didn't see anything strange happening. He continues surfing around while that malicious script runs in the background, collecting information about his computer, the network topology, previous network destinations, cached information, passwords, etc. That same script may contain exploit code targeting well-protected, private network equipment. Boom! How about that?

It may have already happened. Even to you. Homework: download the NoScript extension for Firefox and surf your favorite sites. Every time a JavaScript is about to run, NoScript blocks it and informs you about it. You'll be surprised to find out how many scripts are running while you are casually visiting a forum or a news site.

All this has a point. 90% of the people I know feel threatened by viruses on floppy disks or kids trying to steal their credit card info. Such an illusion. Somebody may already have hijacked their PC to assemble a botnet, and they'll still be running their antivirus once a week scanning for boot sector viruses :P

Right now technology is a big vector. The majority of people are stuck at the tail and few are shaping things at the head. Unfortunately there's a huge gap in the middle.

This very moment vulnerabilities are being found and exploits are being designed, and by tomorrow these people will own the world. Can YOU keep up?
