From Network World:
This story appeared on Network World at
Top 10 Web hacking techniques of 2010 revealed
No. 1 attack goes after Microsoft’s ASP.NET Web framework
By Tim Greene, Network World
January 24, 2011 09:51 AM ET
A Web hack that can endanger online banking transactions is ranked the No. 1 new Web hacking technique for 2010 in a top 10 list selected by a panel of experts and open voting. Called the Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft’s Web framework ASP.NET protects AES encryption cookies.
If encryption data in the cookie has been changed, the way ASP.NET handles it results in the application leaking some information about how to decrypt the traffic. With enough repeated changes and leaked information, the hacker can deduce which possible bytes can be eliminated from the encryption key. That reduces the number of unknown bytes to a small enough number to be guessed.
The developers of the hack — Juliano Rizzo and Thai Duong — have developed a tool for executing the hack.
Padding Oracle was voted No. 1 by a voting process that included Ed Skoudis, founder of InGuardians; Giorgio Maone, the author of NoScript; Armorize CEO Caleb Sima; Veracode CTO Chris Wysopal; OWASP Chairman and CEO Jeff Williams; security consultant Charlie Miller of Independent Security Evaluators; IOActive director of penetration testing Dan Kaminsky; Steven Christey of Mitre; and White Hat Security vice president of operations Arian Evans.
The ranking was sponsored by Black Hat, OWASP and White Hat Security, and details of the hacks will be the subject of a presentation at the IT-Defense 2011 conference next month in Germany.
Here are the rest of the top 10 Web hacks voted in the competition:
2. Evercookie — This enables JavaScript to create cookies that hide in eight different places within a browser, making it difficult to scrub them. Evercookie enables the hacker to identify the machine even if traditional cookies have been removed. (Created by Samy Kamkar.)
3. Hacking Autocomplete — If the feature in certain browsers that automatically completes forms on Web sites (autocomplete) is turned on, script on a malicious Web site can force the browser to fill in personal data by tapping various data stored on the victim’s computer. (Created by Jeremiah Grossman.)
4. Attacking HTTPS with Cache Injection — Injection of malicious JavaScript libraries into a browser cache enables attackers to compromise Web sites protected by SSL. This will work until the cache is cleared. Nearly half the top 1 million Web sites use external JavaScript libraries. (Created by Elie Bursztein, Baptiste Gourdin and Dan Boneh.)
5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution — Gets around cross-site request forgery defenses and tricks victims into revealing their e-mail IDs. Using these, the attackers can reset the victim’s passwords and gain access to their accounts. (Created by Lavakumar Kuppan.)
6. Universal XSS in IE8 — Internet Explorer 8 has cross-site scripting protections that this exploit can circumvent and allow Web pages to be rendered improperly in a potentially malicious manner.
7. HTTP POST DoS — HTTP POST headers are sent to servers to let them know how much data is being sent, then the data is sent very slowly, eating up the servers’ resources. When many of these are sent simultaneously, the servers are overwhelmed. (Created by Wong Onn Chee and Tom Brennan.)
8. JavaSnoop — A Java agent attached to the target machine communicates with the JavaSnoop tool to test applications on the machine for security weaknesses. This could be a security tool or a hacking tool, depending on the user’s mindset. (Created by Arshan Dabirsiaghi.)
10. Java Applet DNS Rebinding — A pair of Java applets direct a browser to a pair of attacker-controlled Web sites, forcing the browser to bypass its DNS cache and so make it susceptible to a DNS rebinding attack. (Created by Stefano Di Paola.)
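To show what the No. 1 item actually means for an application, here is an added example (not from the Network World article, and not Rizzo and Duong's tool) in Python. It places a CBC cookie decryptor that leaks a padding oracle beside the hardened encrypt-then-MAC design: the leaky version answers a modified token with a padding error in some cases and with decrypted garbage in others, which is the observable difference the attack feeds on, while the hardened version authenticates the token before it looks at any padding and gives one answer for every kind of tampering. Because the standard library has no AES, a small Feistel network stands in for the block cipher; the keys, the token layout and the sample cookie value are all constructed for the example.

```python
# Added example: padding-oracle-prone CBC token handling next to a hardened
# encrypt-then-MAC version. Toy Feistel cipher stands in for AES (NOT a real
# cipher); keys, token layout and sample cookie are constructed, not ASP.NET's.
import hashlib
import hmac
import os
from typing import Callable, Optional

BLOCK = 16
ROUNDS = 8


class PaddingError(Exception):
    """Raised by the leaky decryptor when PKCS#7 padding is malformed."""


def _f(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function: 8-byte output derived from (key, round index, half).
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, i)))
    return r + l  # final swap makes decryption the same loop run backwards


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, i)))
    return r + l


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError("length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, blk), prev)
        prev = blk
    return out


# Leaky design: token = IV || CBC ciphertext; padding is checked after decryption
# and the two failure modes (bad padding vs. garbage plaintext) are distinguishable.
def leaky_seal(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    iv = iv or os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(plaintext))


def leaky_open(key: bytes, token: bytes) -> bytes:
    return unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))


# Hardened design: token = IV || ciphertext || HMAC tag; the tag is verified in
# constant time before any decryption, so padding is never checked on forged input.
def safe_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes,
              iv: Optional[bytes] = None) -> bytes:
    body = leaky_seal(enc_key, plaintext, iv)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def safe_open(enc_key: bytes, mac_key: bytes, token: bytes) -> Optional[bytes]:
    if len(token) < 2 * BLOCK + 32:
        return None
    body, tag = bytes(token[:-32]), bytes(token[-32:])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # one generic outcome for every kind of tampering
    try:
        return leaky_open(enc_key, body)
    except PaddingError:
        return None  # unreachable for authentic tokens; kept uniform anyway


def oracle_outcome(opener: Callable[[bytes], Optional[bytes]], token: bytes) -> str:
    # What a remote caller can observe from the response to a modified token.
    try:
        result = opener(token)
    except PaddingError:
        return "padding-error"
    return "rejected" if result is None else "accepted"
```

The thing to check in your own code is the set of distinct outcomes a caller can observe: with the leaky design, `oracle_outcome` returns two different strings for two differently modified tokens, whereas with the hardened design it returns "rejected" for every modification, including a corrupted tag and a too-short token. Timing counts as an outcome too, which is why the tag comparison uses `hmac.compare_digest` and why nothing is decrypted before the tag passes.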
Here is an article that I thought was worth reading about public wireless. It contains some interesting things to look for the next time you decide to connect to the “FREE” public wireless.
Source: OnGuard Online (http://www.onguardonline.gov/topics/hotspots.aspx)
Using a Wi-Fi Hotspot?
- Only log in to websites that are fully encrypted.
Is this hotspot secure?
- If a hotspot doesn’t require a password, it’s not secure.
- If a hotspot asks for a password through your browser simply to grant access, or it asks for a WEP password, it’s best to treat it as if it were unsecured.
- You can be confident a hotspot is secure only if you are asked to provide a WPA password. If you’re not sure, the information you enter could be at risk. WPA2 is the most secure.
Public wireless networks – those Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places – allow people to access the internet through a shared network. While convenient, they’re often not secure. You’re sharing the network with strangers, and some of them may be interested in your personal information.
Technology experts at the Federal Trade Commission (FTC), the nation’s consumer protection agency, say encryption is the key to keeping your personal information secure online. Encryption scrambles the information you send over the internet into a code so that it’s not accessed by others. When using wireless networks, it’s best to send personal information only if it’s encrypted – either by an encrypted website or a secure network. An encrypted website protects only the information you send to and from that site. A secure wireless network encrypts all of the information you send while online.
How to Identify an Encrypted Website
If you send email, share digital photos and videos, use online tools to manage calendars and contact lists, use social networks, or bank online, you’re sending personal information over the internet. The information you share is stored on a server – a powerful computer that collects and delivers content. Many websites, such as banking sites, use encryption to protect your information as it travels from your computer to their server.
To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of your browser window. The exact position of the lock depends on which browser you use. Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon the entire time you’re on the site, not just when you sign in. You can also click on the lock icon to display information about the site and help you verify that it’s not a fraudulent website.
Public Wireless Networks
Most Wi-Fi hotspots don’t encrypt the information you send over the internet and are not secure. If you use an unsecured network to log in to an unencrypted site – or a site that uses encryption only on the sign-in page – other users on the network can see what you see and what you send. They could hijack your session and log in as you. New hacking tools – available for free online – make this easy, even for users with limited technical know-how. Your personal information, private documents, contacts, family photos, and even your login credentials could be up for grabs.
An imposter could use your account to impersonate you and scam people you care about. In addition, an attacker could test your username and password to try to gain access to other websites – including sites that store your financial information.
Protect Your Information
So what can you do to protect your information? Here are a few tips:
- When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. And keep in mind that your entire visit to each site should be encrypted – from the time you log in to the site until you log out. If you think you’re logged in to an encrypted site but find yourself on an unencrypted page, log out right away.
- Don’t stay permanently signed in to accounts. When you’ve finished using an account, log out.
- Do not use the same password on different websites. It could give someone who gains access to one of your accounts access to many of your accounts.
- Many web browsers alert users who try to visit fraudulent websites or download malicious programs. Pay attention to these warnings, and take the extra minute or so to keep your browser and security software up-to-date.
- If you regularly access online accounts through Wi-Fi hotspots, use a virtual private network (VPN). VPNs encrypt traffic between your computer and the internet, even on unsecured networks. You can obtain a personal VPN account from a VPN service provider. In addition, some organizations create VPNs to provide secure, remote access for their employees.
- Some Wi-Fi networks use encryption: WEP and WPA are the most common. WPA encryption protects your information against common hacking programs. WEP may not. If you aren’t certain that you are on a WPA network, use the same precautions as on an unsecured network.
- Installing browser add-ons or plug-ins can help, too. For example, Force-TLS and HTTPS-Everywhere are free Firefox add-ons that force the browser to use encryption on popular websites that usually aren’t encrypted. They don’t protect you on all websites – look for https in the URL and the lock icon to know a site is secure.
I was recently reading an article on the best anti-virus software for 2011 by PC Magazine (http://www.pcmag.com/article2/0,2817,2372364,00.asp). I certainly like the author’s definition of a ‘virus’:
As always, when I say “antivirus,” I mean a utility that protects against all kinds of malicious software, not just viruses. Trojans, spyware, rootkits, keyloggers, adware, scareware—a proper antivirus must handle all of these.
All of his/her analysis of each anti-virus is very good and quite accurate. But there is one thing that I feel he/she needs to talk about. That is the overhead the anti-virus has on your machine. Overhead means how much memory and processing power the software is using. If the software is using a lot of your computer’s resources, it will slow down the overall performance of your computer. This to me becomes counterproductive. So watch out for that when you decide on the software to purchase.
The Untangle Server is a multi-function firewall. It simplifies and consolidates the many network and security products that businesses need at the gateway to the Internet.
Untangle comes as standard with these free, open-source applications:
Web Filter – Prevents access to undesirable web sites
Virus Blocker – Prevents viruses from reaching computers on the network
Spam Blocker – Stops junk email from getting through
Ad Blocker – Blocks online adverts that waste network capacity
Attack Blocker – Stops denial of service (DoS) attacks
Phish Blocker – Protects people from identity theft “phishing”
Spyware Blocker – Protects people from websites that install malware
Firewall – Hides your network from the Internet
QoS – Allows internet traffic prioritization
Intrusion Prevention – Protects the network from hackers
Protocol Control – Blocks protocols for online games, IM & P2P
OpenVPN – Allows secure remote access to the internal network
Reports – Shows who is doing what online
Automatic updates – No need to install updates – we do it for you
Untangle has 2 network deployment options:
Router: Dedicated server that performs routing & firewall services
Transparent Bridge: Dedicated server that drops seamlessly behind existing routers & firewalls
Untangle runs on standard hardware as a bare-metal install, or in VMware.
Untangle runs on generic Intel/AMD hardware. A Pentium III processor, 2 NICs and 512MB of RAM are the minimum spec for smaller networks, and multi-core chips with extra RAM really make Untangle sing for larger networks. More specific sizing guidance and links to the community hardware compatibility list can be found on the Hardware Requirements wiki.
Maybe you are but maybe you aren’t. Have you tried the latest Anti-Virus called Microsoft Security Essentials? It is free!
About Microsoft Security Essentials
Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.
Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.
Comprehensive malware protection
Simple, free download*
Easy to use