February 01, 2007 | Comments: (0)
From the Demo 2007 show floor: When you want to buy from a Web site or open a piece of mail, how do you know whether you should trust the site or sender? Will thieves try to steal your identity, flood you with spam, or sneak malware onto your system? It's a nasty dilemma, and the wrong decision can have far-reaching consequences. One likely solution -- part of Symantec's Identity Initiative -- relies on identity and reputation to help consumers make smart decisions.
A back-end platform and a desktop client (which will ship sometime this year as a yet-to-be-determined part of the Norton 2008 product line), the Identity Initiative taps into Symantec's worldwide labs and response centers, which monitor spam attacks, collect information, and assess sites around the clock.
Here's how it works: When a site or email asks for personal information, the Norton client pops up with a rating of the requester's reliability and a recommendation about whether you should share your information. Ultimately users make the decisions, but the Norton client provides informed, up-to-the-minute advice.
If Norton gives a green light, you can proceed with confidence. Similarly, a red light warns you that skullduggery is afoot. For those maybe-yes, maybe-no cases, users can have the Norton client help manage their credentials and mask their identity. By clicking a checkbox, for instance, users can have Norton generate a site-specific e-mail address (as opposed to their regular address), which they can supply when requested. Norton will then route the email as needed. Similar safeguards are planned for VoIP numbers and one-time credit card numbers (in cooperation with financial institutions).
Symantec plans to use other ID systems, including Yahoo ID and OpenID, to augment their reputation information. Pricing and distribution are not yet determined. Smart money says Symantec will release at least some version of this as a free download, with a paid enhanced version available as well.
We'll almost certainly be seeing a greater industry-wide emphasis on the concept of reputation as a means of combating fraud, and I think Symantec has its heart and head in the right place with this initiative. This app is a good start, even if it isn't the last word in identity management. Anything that gives nervous consumers a leg up on the bad guys, though, is more than welcome.
Posted by Steve Fox on February 1, 2007 12:53 AM
September 25, 2006 | Comments: (0)
Big-name sites outed for XSS holes
What do adobe.com, yahoo.com, cbs.com, bbc.co.uk, microsoft.com, and vh1.com have in common?
Well, aside from the obvious (they're all domain names ending with "dot-something"), they've all earned the dubious distinction of being publicly exposed on ha.ckers.org's forum, sla.ckers.org, for suffering XSS vulnerabilities.
XSS, which stands for cross-site scripting, enables an attacker to inject hostile HTML and script code into the Web application user's browser session. According to Symantec's recently released Internet Security Threat Report: "Cross-site scripting attacks take place when Web applications gather data from a user or other source and then create an output of that data on a user's Web browser. Not only could this allow an attacker to steal confidential information, it could also allow an attacker to insert malicious code onto the host through malicious scripts."
Since August, contributors to the sla.ckers forum have been posting specific exploitable URLs on various Web sites that are ripe to be used for XSS attacks. According to research organization Mitre, XSS vulnerabilities have become more attractive targets than buffer overflows.
In addition to posting the XSS security flaws, posters on sla.ckers discuss the potential damage that malicious hackers could wreak with them. One individual, who goes by the screen name maluc, posted the following:
"Nonpersistent XSS are a dime a dozen, [I] can post them all day long, and while it's correct to say they're not as volatile as persistent ones, they're still equally useful for phishing and cookie/form theft.
Still, though, I find that the persistent ones tend to have many more possibilities, and on juicier sites to boot.
For example: [a URL on myspace.com] allows persistent XSS from QuickTime JavaScript injection, thanks to pdp for pointing that out on gnucitizen.org ... ."
The companies whose security holes have been outed may count themselves fortunate in that the contributors to sla.ckers.org purport not to be acting maliciously or exploiting the vulnerabilities they find. Rather, they claim to be performing a public service by exposing the real dangers that XSS vulnerabilities pose.
Originators (i.e., the individuals who discover and report the security flaw) are supposed to contact organizations about their Web site's security vulnerability and attempt to work together to fix it, according to sla.ckers' full-disclosure policy. Failing that, the originator is free to post the security hole. "You basically have 5 days to return contact to the [originator], and must keep in contact with them *at least* every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem."
Originators do want credit for their work, though, according to the FDP. "Academia has historically and religiously provided credit when referencing all types of works and research; the issue provided by the originator should also be thought of as research, and the originator should be credited accordingly."
It continues: "Now, beyond that, it may be in the vendor's best interest to promote good relations with the researcher, and one suggested way is to provide updates and product licenses."
Sla.ckers members' XSS work has gotten some exposure of late on sites such as darkreading.com, prompting comments on the message board such as "Keep up the good work. Sooner or later companies will start taking this seriously" and "... Perhaps this will not just speed up the process but force companies to do something about it."
What do you think? Is sla.ckers performing a valuable public service with its controversial actions?
Posted by Ted Samson on September 25, 2006 05:25 PM
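To make the mechanism in the Symantec definition above concrete, here is an added example (not code from the post, from Symantec, or from sla.ckers) that contrasts a reflected and a stored rendering path with and without output encoding; the function names and the probe string are constructed for illustration.

```python
import html
from typing import List

# Constructed sample input: the harmless textbook probe string a scanner
# sends to see whether a page echoes markup back unchanged.
PROBE = '<script>alert(1)</script>'

def render_search_vulnerable(term: str) -> str:
    """Reflected (non-persistent) XSS: the query parameter is copied straight
    into the HTML response, so any markup in it becomes part of the page."""
    return f"<h1>Results for: {term}</h1>"

def render_search_hardened(term: str) -> str:
    """Same page with contextual output encoding. html.escape(quote=True)
    turns <, >, &, \" and ' into entities, so the term is shown as text."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"

def render_comments(comments: List[str], escape: bool = True) -> str:
    """Persistent (stored) XSS path: comments are saved once and replayed to
    every later visitor, which is why the quoted poster considers stored
    holes the more serious kind. Escaping at render time closes it."""
    items = [
        f"<li>{html.escape(c, quote=True) if escape else c}</li>"
        for c in comments
    ]
    return "<ul>" + "".join(items) + "</ul>"

def contains_raw_markup(rendered: str, user_input: str) -> bool:
    """Check usable in a unit test or response scanner: did the raw
    user-supplied markup survive into the HTML verbatim?"""
    return user_input in rendered

if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(PROBE))
    print("hardened:  ", render_search_hardened(PROBE))
    print("stored ok: ", render_comments(["first post", PROBE]))
```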