lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <15250.1332567890@turing-police.cc.vt.edu>
Date: Sat, 24 Mar 2012 01:44:50 -0400
From: Valdis.Kletnieks@...edu
To: Dave <mrx@...pergander.org.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple IOS security issue pre-advisory record

On Sat, 24 Mar 2012 00:52:45 -0000, Dave said:
> I am not an expert so please, for my education, correct me if I am wrong.
> Is it not so much the request, but what the request is made with?

It's a pretty safe bet that most of the 300 clicky-clicky types did *not* use
wget to test what it was.

> Would not requesting with wget mitigate any attack?

Well, assuming that the perpetrator doesn't have a 0-day for wget. ;)

> The source of the page and any scripts called by the page should be enough to
> ascertain whether the page is malicious or not.

"should" is the operative term.  But that only works if the miscreant is lazy
enough to point their link directly at the malicious content.  If they're
smart, they'll point at a page that looks legit, but loads Javascript from some
3rd party that loads more Javascript from a 4th party that that loads more crud
from a server you've pwned. I've hit pages on mainstream websites with noscript
enabled, and had 25+ different sites' Javascript blocked, and as you enable
sites you just get *more* sites in the list.

I just hit http://www.msnbc.msn.com, and NoScript blocked something from
2011.wimbleton.com. Malicious? Out of date?  What *other* domains will that
site end up loading *more* crud from?  Who knows?

Trying to sort this type of stuff out is part of the reason why drive-by pwning
is so common - the fact that the page came from someplace reasonably trustable
like the BBC or similar tells you *nothing* about where alll the content on the
page came from.



Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ