Sep 16 2009 6:31PM GMT
Posted by: Troy Tate
malware,
malicious software,
ad revenue,
computer network,
network access,
PC,
hardware,
software,
social engineering,
licensing,
permit,
Security,
information security,
browser security,
information security management,
user education
Yesterday Fierce CIO reported that New York Times falls victim to rogue ad. This is a trend that seems to be happening more frequently. Rogue malware ads are appearing in a lot of places these days in areas most people would trust as authoritative and reliable sources of information. It is unknown how much the rogue malware “seller” may have gotten by putting the ad on the NY Times website but they likely made something from unsuspecting users. The NY Times did suffer some amount of loss since they disabled all third party ads until the rogue ad was removed. What would you do if an ad popped up on a trusted website saying your computer was infected? Most IT professionals would disregard the message as their systems SHOULD already be protected. However, how much of the general population is not an IT professional (at least outside of their own home
)?
What can and should the security industry do to educate users about these social engineering tactics? Should computers be “licensed” or “permitted” to be on the internet to reduce threats to unsuspecting users? That’s a thought for you… what governing body would issue these computer use permits? What would the rate infrastructure be like - based on processor/memory or bandwidth? Where would the permit fees go? Would there be some internet oversight body that uses the fees to have inline malware filters?
Thinking out loud here folks - offer some suggestions. Your input is welcome and appreciated.
Thanks for reading and let’s continue to be good network citizens!
=========================
20090918 Update:
E-Week reports that there is a surge in click fraud. According to the article this is similar to the NY Times advertisement malware threat discussed above. I fear this trend will only get worse. What is a legitimate advertiser or web services organization to do?
Apr 29 2009 1:02PM GMT
Posted by: Troy Tate
browser,
Security,
web security,
browser security,
Internet Explorer,
Chrome,
Safari,
Firefox,
web development
If you develop websites or manage webservices, then you should check out the Browser Security Handbook that Google publishes on their code.google.com website. The Browser Security Handbook currently has three sections:
Part 1: Basic concepts behind web browsers
- Uniform Resource Locators
- True URL schemes
- Pseudo URL schemes
- Hypertext Transfer Protocol
- Hypertext Markup Language
- Document Object Model
- Browser-side Javascript
- Javascript character encoding
- Other document scripting languages
- Cascading stylesheets
- Other built-in document formats
- Plugin-supported content
Part 2: Standard browser security features
- Same-origin policy
- Same-origin policy for DOM access
- Same-origin policy for XMLHttpRequest
- Same-origin policy for cookies
- Same-origin policy for Flash
- Same-origin policy for Java
- Same-origin policy for Silverlight
- Same-origin policy for Gears
- Origin inheritance rules
- Cross-site scripting and same-origin policies
- Life outside same-origin rules
- Navigation and content inclusion across domains
- Arbitrary page mashups (UI redressing)
- Gaps in DOM access control
- Privacy-related side channels
- Various network-related restrictions
- Local network / remote network divide
- Port access restrictions
- URL scheme access rules
- Redirection restrictions
- International Domain Name checks
- Simultaneous connection limits
- Third-party cookie rules
- Content handling mechanisms
- Survey of content sniffing behaviors
- Downloads and Content-Disposition
- Character set handling and detection
- Document caching
- Defenses against disruptive scripts
- Popup and dialog filtering logic
- Window appearance restrictions
- Execution timeouts and memory limits
- Page transition logic
- Protocol-level encryption facilities
Part 3: Experimental and legacy security mechanisms
- HTTP authentication
- Name look-ahead and content prefetching
- Password managers
- Microsoft Internet Explorer zone model
- Microsoft Internet Explorer frame restrictions
- Mozilla and Safari HTML5 storage experiments
- Microsoft Internet Explorer XSS filtering
- Script restriction frameworks
- Origin headers
- Mozilla content security policies
This is a good resource for developers and administrators to understand browser & web security considerations.
Thanks for reading and let’s continue to be good network citizens.