The best practices for mitigating this popular form of attack often are not being deployed

View full post on DarkReading – All Stories

23 posts left…

It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. More importantly, HTTP cookies can overwrite HTTPS cookies, even if the cookies are marked as secure. I started thinking of a form of session fixation during our research that uses this to the attacker’s advantage. Let’s assume the attacker wants to get access to a user’s account that’s over SSL/TLS. Now let’s assume the website sets a session cookie prior to authentication and after authentication the site marks the cookie as valid for whatever username/password combo it receives.

First, the attacker goes to the website before the victim gets there so he can get a session cookie. Then, if the victim is still in HTTP for the same domain the attacker can set a cookie that will replay to the HTTPS website. So the attacker sets the same cookie that he just received into the victim’s browser. Once the victim authenticates, the cookie that the attacker gave the victim (and knows) is now valid for the victim’s account. Now if the victim was already authenticated or had already gotten a session token, no big deal. The attacker overwrites the cookie, which at worst logs the user out. Once the victim re-authenticates, voila – session fixation. Now all the attacker has to do is replay the same cookie in his own browser and he’s in the user’s account.

View full post on ha.ckers.org web application security lab

Certain compromised websites are detecting which browser (Firefox, Chrome, IE) the visitor is using and present to them a fake malware/reported attack warnings that urge them to download an "upgrade"/…

View full post on Help Net Security – News

– John Bambenek bambenek at gmail /dot/ com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Last month, my colleague Christopher Burgess shared some thoughts on the “double-edged sword” of location-based services at the Huffington Post. In his post, Christopher highlighted how these services could alternately be a benefit, and where they might cross a line and become undesirable. Recently, some US Federal courts have heard cases about the legality of GPS tracking, including how and when such tracking should require a search warrant. While it will be up to people with far more legal experience than I have to debate exactly how these decisions will impact individual rights vs. police or government powers, I do think that there is something to be concerned about from a purely technical viewpoint. Whether used by government officials or attackers who have unauthorized access to this information, location-based data could result in a person being picked from a crowd when they least expect it.

View full post on Security