Message-ID: <4F6DA168.4010601@propergander.org.uk>
Date: Sat, 24 Mar 2012 10:26:48 +0000
From: Dave <mrx@...pergander.org.uk>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple IOS security issue pre-advisory record


On 24/03/2012 05:44, Valdis.Kletnieks@...edu wrote:
> On Sat, 24 Mar 2012 00:52:45 -0000, Dave said:
>> I am not an expert so please, for my education, correct me if I am wrong.
>> Is it not so much the request, but what the request is made with?
> 
> It's a pretty safe bet that most of the 300 clicky-clicky types did *not* use
> wget to test what it was.
> 
>> Would not requesting with wget mitigate any attack?
> 
> Well, assuming that the perpetrator doesn't have a 0-day for wget. ;)
> 
>> The source of the page and any scripts called by the page should be enough to
>> ascertain whether the page is malicious or not.
> 
> "should" is the operative term.  But that only works if the miscreant is lazy
> enough to point their link directly at the malicious content.  If they're
> smart, they'll point at a page that looks legit, but loads Javascript from some
> 3rd party that loads more Javascript from a 4th party that loads more crud
> from a server you've pwned. I've hit pages on mainstream websites with noscript
> enabled, and had 25+ different sites' Javascript blocked, and as you enable
> sites you just get *more* sites in the list.
> 
> I just hit http://www.msnbc.msn.com, and NoScript blocked something from
> 2011.wimbleton.com. Malicious? Out of date?  What *other* domains will that
> site end up loading *more* crud from?  Who knows?
> 
> Trying to sort this type of stuff out is part of the reason why drive-by pwning
> is so common - the fact that the page came from someplace reasonably trustable
> like the BBC or similar tells you *nothing* about where all the content on the
> page came from.

Pretty much as I thought. I investigate some (when not too busy) of the links in the unsolicited mails I receive and concur with what you have
written here. I always browse with NoScript/adblock/cookie monster/Ref control enabled regardless of whether I think I can trust the site or
not. I learned a long time ago to ditch Outlook/IE and only view email in plain text.

I am curious and I do like to play with malware on a VM. I am also a novice, so perhaps I am over cautious. Then again, I think there is no such
thing as over cautious when a great deal of the miscreants trying to own systems or phish for credentials are more knowledgeable than I.

I just wish I had more time to study and research.

Don't the -e robots=off, --page-requisites and -H wget directives enable one to collect all the necessary files that are called from a page?

Cheers
Dave



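As an added illustration (not part of the thread above), the script below lists the third-party hosts a page references statically, roughly the set a `wget -e robots=off --page-requisites -H` fetch would follow, and separately the hosts that an inline script injects at run time, which no static fetch will ever see. The sample page, host names and the `.src` heuristic are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample page (not a real site): a first-party stylesheet, a third-party
# script, an inline script that injects another script, and an image from a third host.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://tracker.example.org/t.js';
  document.head.appendChild(s);
</script>
</head><body><img src="//img.example.com/a.png"></body></html>"""

class RequisiteCollector(HTMLParser):
    """Separates statically referenced resources from script-injected ones."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.static_urls = []   # what a page-requisites fetch would follow
        self.dynamic_urls = []  # only a JavaScript engine would load these
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.static_urls.append(urljoin(self.base_url, a["src"]))
        elif tag == "link" and a.get("href"):
            self.static_urls.append(urljoin(self.base_url, a["href"]))
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # Crude heuristic: URLs assigned to a .src property inside inline script.
        if self._in_inline_script:
            self.dynamic_urls += re.findall(r"""\.src\s*=\s*['"]([^'"]+)['"]""", data)

def third_party_hosts(html, base_url):
    """Return (static_hosts, dynamic_hosts) that differ from the page's own host."""
    p = RequisiteCollector(base_url)
    p.feed(html)
    own = urlsplit(base_url).hostname
    def foreign(urls):
        hosts = {urlsplit(u).hostname for u in urls}
        return sorted(h for h in hosts if h and h != own)
    return foreign(p.static_urls), foreign(p.dynamic_urls)
```

Anything that lands in the second list is exactly the kind of chained 3rd/4th-party load a static download misses and NoScript reports.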
