ISSA-LA Meeting on Hacking Intranet Website and Best Security Measures

Yesterday's ISSA (Information Systems Security Association) LA chapter monthly member meeting was highlighted by Jeremiah Grossman's presentation on Hacking Intranet Websites from the Outside and Best Practice Security Measures. Stan Stahl of Citadel Information Security Group and president of the ISSA-LA chapter invited us to this lunch meeting, which was very informative from a development and architectural perspective. I, along with a few work colleagues, attended and immensely enjoyed it.

Jeremiah is CTO of WhiteHat Security and a security enthusiast. In a brief conversation with him about CAPTCHA's effectiveness, he summarized it as "bad guys are winning": by using promiscuous websites as CAPTCHA validation engines, they have created a mechanical turk to avoid bot detection, and of course the OCRs are getting better and better too. In response to another question about blocking IPs for suspicious activity, he mentioned that IP-based intelligence is not a bad solution, but in the presence of anonymity networks like Tor it is not quite deterministic and should be used with care. He also mentioned cross-site request forgery as one of the biggest upcoming threats, one which is getting more and more press.

The presenter listed the following as his top 10 Web 2.0 vulnerabilities and demonstrated a sample of each during his talk. Here is an excerpt from his blog; check out the full list there.

  1. Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model)
  2. Internet Explorer 7 "mhtml:" Redirection Information Disclosure (PATCHED)
  3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
  4. Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images)
  5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3's)
  6. Forging HTTP request headers with Flash
  7. Exponential XSS (Multi-site propagation)
  8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
  9. Web Worms - (MySpace, Xanga)
  10. Hacking RSS Feeds

Here is a link to his earlier talk this year. From a .NET developer's point of view, effective use of framework features to avoid XSS was highly recommended. Most of these issues would be covered by following the OWASP Top 10 best practices; however, web developers should also be at least aware of exploits which are beyond their control and are more browser/platform dependent (items 3, 4, 5 and 6 on the list), so they will be able to respond with a contingency plan in case of any such compromise.
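The "use the framework's encoding features" advice above, worked through as an added example (this is not code from the talk or from the post, and the helper names are my own): untrusted data is encoded at the point of output, and the blacklist-style filter that item 8 on the list bypasses is shown beside it so the difference is visible. The UTF-7 sample input is constructed for the example.

```javascript
// Added example (not code from the talk or the post): encode-on-output for XSS.
// The post recommends relying on framework features such as ASP.NET's
// HttpUtility.HtmlEncode rather than hand-written input filters; the helpers
// below show the same idea in plain JavaScript so the reasoning is visible.

// Encode untrusted text for an HTML element body or a double-quoted attribute.
// Every character that can change the HTML parser's state is replaced, so the
// data can only be rendered as text. Numeric entities are used for the
// apostrophe and slash because not every browser knows the named forms.
function encodeForHtml(untrusted) {
  const table = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => table[ch]);
}

// A blacklist filter of the kind item 8 ("Encoding Filter Bypass") defeats:
// it looks for the literal string "<script" and therefore never matches the
// UTF-7 spelling of the same tag. Shown only to illustrate the weakness.
function naiveFilter(untrusted) {
  return String(untrusted).replace(/<script/gi, '');
}

// The fix for charset tricks is not a better filter but an explicit charset on
// every HTML response, so the browser never has to guess the encoding.
const HTML_CONTENT_TYPE = 'text/html; charset=utf-8';

// Render a greeting with a user-supplied name in an element body and in an
// attribute, encoding at the point of output.
function renderGreeting(name) {
  const safe = encodeForHtml(name);
  return `<p title="${safe}">Hello, ${safe}</p>`;
}

// Constructed sample inputs: a plain payload and the same tag spelled in UTF-7,
// which a browser that auto-detects the charset would decode as "<script>".
const PLAIN_PAYLOAD = '<script>alert(1)</script>';
const UTF7_PAYLOAD = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';
```

`renderGreeting(PLAIN_PAYLOAD)` returns markup in which every angle bracket is an entity, so the browser shows the text rather than running it, whereas `naiveFilter(UTF7_PAYLOAD)` returns its input untouched because the filter never sees a literal `<script`. Output encoding plus the explicit `HTML_CONTENT_TYPE` charset is the combination the framework features give you for free; a filter on input is not.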

With Ajax talking directly to web services, the risk of attack is on the rise. Here are multiple videos about Ajax hacking (and prevention using ASP.NET).

References:

ha.ckers.org web application security lab

7/19/2007 6:09:51 AM (Pacific Standard Time, UTC-08:00)

All content © 2009, Adnan Masood