Security experts are warning all Internet users about a new zeroday hacking technique called Click Jacking that is new and a major threat to the Internet.

“In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.”

Experts warn that the solution is to switch to the lynx browser, and to cease all other forms of web surfing until further notice.

	“Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable … Therefore, if a user clicks on a web page, they may actually be clicking on content from another page.”
Clickjacking Whitehat

Two researchers, Robert Hansen and Jeremiah Grossman, planned at AppSec to discuss the threat of using Web graphics to persuade a victim to click where an attacker wants on a page. The technique, which is also known as well as user-interface (UI) redressing and IFRAME overlay, can be used by an attacker to hide a button or link on a legitimate page, such as a bank’s account page or Web mail application, using other Web content to mask the page’s context.

A Web user might think, for example, that they are clicking on a button to close a dialog box, when the button press in reality deletes all their e-mail messages in Gmail. Or, a user might believe they are clicking on a button to decline to take a survey, when they are actually transferring money from their bank. The technique could be used to raise an article’s Digg score or get paid for a pay-for-click advertisement, said Grossman, the chief technology officer for Web security firm White Hat Security.

Hansen and Grossman canceled their presentation after demonstrating to software maker Adobe that one of its products could be affected by the attack.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.”

Grossman states that this particular attack is capable of some “pretty spooky,” things, but that’s all the detail he is going to give.

Until further notice, XSS WORM advises that users switch to the LYNX browser and delete all other browsers from their desktops and personal internet devices.

Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that Buffer Overflows are still the top threat to the safety of the Internet in these days of distributed social data networks and rich Web 2.0 application platforms.

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus, who based its data only on vulnerabilities reported in enterprise-class products.

“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.

Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ‘04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”

Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.

“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency” claimed Richard Reiner at the time of the acquisition.

Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.

“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”

Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is currently unknown at this time how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’ only motivation for releasing this questionable “research” is to generate PR and increase sales - possibly through fear and misinformation - while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Read the original article over at DarkReading.com - a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”

Domain Name System Hijacked: Hackers Abuse Domain-Name Trust

InternetWorld’s Andy Patrizio and Finjan’s Yuval Ben-Itzahk discuss the fundamental weaknesses in Finjan’s Blacklist-based URL Filtering products

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the IP address resolved the misspelled domain name, the products would then compare the IP address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

“Web 2.0 sites are great fun but also a great platform for hackers to host malicious code.” - Ben Itzahk from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo’s hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Finjan Web-filtering product into believing a person was going to a highly trusted Yahoo domain. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network. (In this case, Finjan’s Web-filtering product.)

“They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown,” Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

“You can upload anything you like, so you can upload malicious content, as well.” - Ben-Itzahk on design flaws within Finjan’s product.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that’s a flaw in social networks.

“In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well,” said Ben-Itzhak. “You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year.”

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan’s SecureBrowsing or SnakeOil’s HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it’s suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust

“With Finjan’s web security there will be no need to worry about getting caught napping by the latest round of web-based threats” - SC Magazine

Giorgei Jorge [xssworm] writes:

After explaining that Finjan’s server-based web security filtering products fail to actually inspect web content or protect the user in any significant way .. beyond checking to see if the target domain name is ‘highly trusted’ such as Yahoo.com .. it’s patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks. It is also clear that Finjan’s server-based products are highly effective, technically advanced, provide enhanced security for your users and in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to “highly trusted domains” such as yahoo.com it is recommended that users install Finjan’s SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only highly trusted domains such as yahoo.com are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the users desktop. When used in conjunction with the Finjan total security suite of products, including Finjan’s server-based web-filtering product and Finjan’s server and desktop email malware badware and anti-virus filter scanning products and Finjan’s Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names. Security of the Web 2.0 is still somewhat dependant on whether hackers can take over unused IP Addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these new threats to your information assets.

“One of the world’s most prominent cryptographers issued a warning on Friday about a hypothetical incident in which a math error in a widely used computing chip places the security of the global electronic commerce system at risk.”

“Adi Shamir, a professor at the Weizmann Institute of Science in Israel, circulated a research note about the problem to a small group of colleagues. He wrote that the increasing complexity of modern microprocessor chips is almost certain to lead to undetected errors.”

“A subtle math error would make it possible for an attacker to break the protection afforded to some electronic messages by a popular technique known as public key cryptography.”

Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be “trivially broken with a single chosen message.”

Executing the attack would require only knowledge of the math flaw and the ability to send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, “millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually,” Mr. Shamir wrote.

An Intel spokesman noted that the flaw was a theoretical one and something that required a lot of contingencies.

Mr. Shamir said he had no evidence that anyone is using an attack like the one he described.

Thank you to John Markoff for writing this useful warning article.

Source: John Markoff @ NYTIMES

Click here to send your facebook cookies to xssworm (-;

http://www.facebook.com/share_redirect.php?h=fef648d6fe6177edfa9ff58e779a83&url=http%3A%2F%2Fwww.facebook.com%2Fshare_redirect.php%3Fh%3D0%26url%3Dhttp%3A%2F%2Fxssworm.com&sid=6330305874

We can upload JPG injected with JAR? or 2nd pass of redirect bugs. Facebook now allows embed of mp3 and other items using share bookmarks

javascript:var d=document,f=’http://www.facebook.com/share’,l=d.location,e=encodeURIComponent,p=’.php?src=bm&v=4&i=1182484661&u=’+e(l.href)+’&t=’+e(d.title);1;try{if(!/^(.*\.)?facebook\.[^.]*$/.test(l.host))throw(0);share_internal_bookmarklet(p)}catch(z){a=function(){if(!window.open(f+’r'+p,’sharer’,'toolbar=0,status=0,resizable=0,width=626,height=436′))l.href=f+p};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else{a()}}void(0)

Facebook has many hole like this

vaj.

Jason Lam and Dr. Johannes Ullrich share their ideas on AJAX and Web 2.0 Security. Video provided by the SANS Institute.

“Some of the uh security issues that we have been seeing uh out there uh are usually uh related to one of the functionality uh or function-call uh called uh XML Http Request. Uh.” - Dr Johannes Ullrich