Frametrapping the Framebusting Defense. - SecNiche Security Labs PDF

20 Pages·2011·0.99 MB·English

Network Security, ISSN 1353-4858, October 2011, www.networksecuritynewsletter.com
ISSN 1353-4858/11 © 2011 Elsevier Ltd. All rights reserved.

CONTENTS

Web security under threat 1
Social networking in the workplace 20
Lurid launches attack on Russia 20

FEATURES

Android insecurity 5
Frametrapping the framebusting defence 8
Defending the network several times over 12
Mitigating denial of service attacks in hierarchical wireless sensor networks 14
Due to the considerable research and development invested in new networking protocols, Wireless Sensor Networks (WSNs) have proved to be an important emerging field. However, their limited battery and power options, processing capability and memory make WSNs vulnerable to a variety of network attacks, say Rohan Nanda and P Venkata Krishna of the Vellore Institute of Technology, India.
Cloud computing: new challenges and opportunities 18
We are witnessing a shift in the cloud computing and virtualisation landscapes as a new model of security arises in response to the demand for clarity into how to harness the consumption of elastic computing resources. If we look back at traditional server-based and hosting provision for security, it was very much belts and strong vendor-supported braces that allowed customers to have a perimeter-based security that enclosed their assets and provided assurance. How is this changing as a result of the move to a cloud-based model, ask Richard Morrell and Akash Chanrashekar of Red Hat.

REGULARS

News in brief 3
Products 4
Events 20

Featured this issue:

Android insecurity
The smartphone and tablet operating system Android is four years old, but its developers seem to have learned little about security in that time. Although loosely based on the Linux kernel, the OS has a number of features that make it intrinsically insecure. There has been a continuous flow of reports of trojanised malware found not just in rogue online app stores but also in Google's official Android Market. Some analysts compare the situation to the bad old days of Windows and believe that installation of security software is now essential. And still more analysts believe that the most crucial step of all is user education, discovers Steve Gold. Full story on page 5…

Frametrapping the framebusting defence
Framebusting code can prevent one type of clickjacking, but new features of HTML 5 allow a malicious developer to nullify this protection. New iframe attributes – currently supported only by Google Chrome but likely to be introduced on other browsers – can bypass the protection mechanisms provided by framebusting code. Although the new iframe attributes have been introduced to improve the user experience, they can also be exploited to launch successful web attacks, including clickjacking, explain Aditya Sood and Richard Enbody of Michigan State University. Full story on page 8…

Defending the network several times over
Modern networks can be attacked in a variety of ways, meaning that companies need different types of protection. James Harris of ZyXEL explains that companies need to cover all bases when it comes to information security. Defence in depth is a crucial technique for small to medium-size businesses (SMBs) that want to protect themselves against intrusion. Condensing multi-layered protection into a single device, updated by the vendor, provides the best protection for resource-constrained companies. The more points of protection that a company covers, the more likely it is to fend off the majority of generic attacks on the Internet. Full story on page 12…

Web security under threat

The technologies that secure the web have been under a lot of strain. The hacking of Diginotar, the Dutch Certificate Authority (CA), and the revelation of potentially dangerous flaws in SSL/TLS protocols have renewed debate about whether current technologies are up to the job.

Diginotar was breached by an Iranian hacker who generated more than 530 rogue SSL and EV-SSL certificates. This first came to light when Google users in Iran reported problems, but it's now known that numerous domains have been threatened. The hacker claimed to be the same person who previously breached Comodo, another CA. Diginotar has since been removed as a root CA from all main browsers, and the US-owned company has gone into voluntary bankruptcy.

For a short period, users of Windows XP and Server 2003 were left vulnerable when an update issued by Microsoft, designed to block Diginotar certificates, only removed a limited number of them and would still have treated other certificates as valid.

Meanwhile, two researchers claim to have unveiled a significant flaw in the operation of SSL and Transport Layer Security (TLS). At the Ekoparty security conference in Buenos Aires, Thai Duong and Juliano Rizzo released details of a technique that uses a plaintext recovery attack to break the encryption of online sessions. The weakness it exploits has been known about for some time but, until now, has been regarded as largely theoretical.

The attack exploits the way in which TLS block ciphers operate, using Cipher Block Chaining (CBC). With this method, each block of plaintext is first XOR'd against the previous, encrypted block. This avoids the problem, encountered when each block is simply encrypted individually, of repeated blocks of ciphertext being identical whenever the plaintext is the same. Such repetitions are often the basis for successful cryptanalysis and subsequent decryption. In the CBC approach, the first block of text is XOR'd against an Initialisation Vector (IV). The weakness in TLS 1.0 is that the IV is not random and unpredictable, as it should be. Instead, the final ciphertext block of the previous message is used. This opens the possibility of an attacker being able to trick the user into sending a given message so that the encrypted version can be compared to the plaintext copy. This might be achieved with a cross-site scripting (XSS) exploit.

Exploiting this vulnerability is not easy. The attacker must have a great deal of control over the network, in order to sniff the traffic, and must be able to inject data into the target's session. It's also slow: decrypting one byte takes a few seconds and a typical encrypted cookie might take as much as half an hour. However, the researchers say they expect this to get faster.

The vulnerability affects TLS 1.0. However, while TLS 1.1 and 1.2 are not affected, they are also not properly supported by the vast majority of browsers and websites. Other technologies that use TLS 1.0, such as instant messaging software and Virtual Private Networking (VPN) systems, may be at risk too.

The researchers have produced proof of concept Javascript code called Browser Exploit Against SSL/TLS (Beast). Working with a network sniffer, this decrypts cookies from a website, which would enable an attacker to gain access to restricted accounts – for example, on PayPal. Software vendors such as Microsoft and Google have acknowledged the feasibility of the attack but have downplayed the likelihood of exploits appearing in the wild. Google has since released a developer version of the Chrome browser that it says defeats this attack method. At the time of writing, Microsoft said it was preparing a fix, and has also suggested switching to stream encryption – for example, using RC4 – rather than the AES block encryption normally used with TLS 1.0. Mozilla has stated on its blog that Firefox is not vulnerable. "The technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow," said the post.

In the wake of the controversy surrounding Beast, Qualys has announced its support for the Convergence project, initiated by security researcher Moxie Marlinspike, who has previously disclosed flaws in SSL technology. According to Marlinspike, the SSL ecosystem has too many CAs and too many digital signatures. A breach, like the one suffered by Diginotar, can cause major disruption to the system. The Convergence system uses a small number of loosely confederated and trusted 'notary' servers that can authenticate SSL certificates by comparing the Continued on page 20...

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Web: www.networksecuritynewsletter.com. Publisher: Greg Valero. Editor: Steve Mansfield-Devine. Senior Editor: Sarah Gordon.

NEWS: In brief

Flaws in Chrome
More than a quarter of extensions for Google Chrome analysed by three researchers in the US contained vulnerabilities. Adrienne Porter Felt, Nicholas Carlini and Prateek Saxena at the University of California, Berkeley, analysed 100 extensions, including the 50 most popular and seven that are each used by 300,000 people or more. They found that 27 contained flaws that could be exploited across the web or via unsecured wifi. The weaknesses were all based on Javascript injection vulnerabilities. The researchers identified a total of 51 exploitable flaws across the 27 extensions. There's more information here: <http://www.adrienneporterfelt.com/blog/?p=226>.

German authorities may be using illegal back door
The German police force's use of 'lawful interception' malware may be going beyond the limits of the law, according to hacker collective the Chaos Computer Club (CCC). German courts allow the use of the so-called 'Bundestrojaner' ('federal trojan') in instances where wiretapping has been authorised. This trojan includes functions such as recording Skype conversations. However, the CCC says it has reverse-engineered the code and has discovered functionality that is not allowed by law. This includes the ability to download from the Internet, run remote code and allow remote access to the computer. Sophos says it has also analysed the code and confirms that it is able to eavesdrop on several communications channels, including Skype, MSN Messenger and Yahoo Messenger; record Skype audio calls; log keystrokes in a number of web browsers; take screengrabs; and communicate with a remote website. There has been no confirmation that the malware, also known as '0zapftis' and 'R2D2', that was examined by the CCC is in fact the official police trojan.

Another botnet taken offline
Microsoft has again taken down a botnet using legal avenues. The Kelihos botnet commanded 40,000 machines and was used for distributing spam, mounting DDoS attacks and other criminal activities. Following its successes with Rustock and Waledac, Microsoft mounted Operation b79 as part of its Microsoft Active Response for Security (MARS) initiative. Unlike previous operations, however, this one involved a named defendant – Dominique Piatti, whose dotFREE Group SRO company is alleged to have hosted Command and Control (C&C) servers using the domain cz.cc. Microsoft obtained a court order allowing it to take control of cz.cc, although it is working with Piatti to determine which subdomains might be in use for legitimate purposes. Kaspersky also played a key role in the operation, reverse engineering the bot malware, cracking the communication protocol, and developing tools to attack the peer-to-peer infrastructure and sinkhole the botnet.

New CESG scheme for IT security professionals
The Communications Electronics Security Group (CESG) – the information assurance authority branch of GCHQ – has unveiled details of a new certification scheme for IT security professionals. The scheme will be managed initially by the APM Group and the British Computer Society (BCS, the Chartered Institute for IT). The scheme will focus on developing and delivering an IA Specialist Certification Scheme for anyone working in any government department. It will certify IA specialists against specific IA roles and skills aligned to the competency framework – Skills for the Information Age (SFIA) and BCS' SFIAplus. It will cover six roles: security and information risk advisor; security architect; accreditor; IA auditor; IT security officer; and communications security officer. There will be certification available at three levels for each role: practitioner; senior practitioner; and lead practitioner.

High-risk mobile users are your best workers
Research by Forrester suggests that mobile workers – regarded as high-risk from a security point of view – might also be an organisation's most valuable people. A survey of nearly 5,000 workers found that the 20% that are mobile, using laptops, tablets and smartphones to connect to the corporate network, also create the most value for money, being highly productive. The report recommends that those firms looking to reduce the risk from mobile systems should not focus on the platforms but on specific applications. This is because it's the applications that actually create the vulnerabilities in an organisation's defences. The report, 'State of the Workforce Technology Adoption 2011', is available here: <http://www.forrester.com/rb/Research/state_of_workforce_technology_adoption_us_benchmark/q/id/60894/t/2>.

Massive ID theft arrests
US law enforcement authorities have made what they claim to be the largest number of arrests connected with an identity theft and credit card fraud operation. Arrest warrants were issued for 111 people, with 86 soon ending up in custody. The remaining 25 are still wanted. At the culmination of the two year-long Operation Swiper, the arrested people – who are said to have operated in five gangs – included bank tellers, retail workers, restaurant workers and alleged professional criminals. They are accused of stealing credit card data, obtaining it from carder forums and from 'suppliers' in places such as Russia, Libya and China. Fake or cloned cards were then used to buy goods in US stores.

GPU cracks passwords in seconds
A £30 graphics card can now be used to process as many as 158 million passwords a second, claims web hosting firm UKFast. The company carried out research as part of Cyber Security Awareness Month. It found that an nVidia GeForce GT220 graphics card can be used as a processor to run password-cracking software. A six-character password could be cracked in 12 seconds, a seven-character one in under five minutes and an eight-character password in four hours. Using high-end graphics cards, it's possible to run through 10.3 billion passwords a second, so that even eight-character passwords might be brute-forced in just a few minutes.

Worried online banking users
Research by McAfee shows that, while 92% of UK bank account users now access their accounts online, only 33% are happy about it: the rest do not feel confident that their details are completely safe. And they may have good reason: it seems that only 39% of online banking users have comprehensive security software installed on their computers. The majority – 54% – use only basic anti-virus. Password security is also an issue: 16% of users write their login credentials on a piece of paper, 15% keep them somewhere on their computers or smartphones, 23% use an easy to remember password, such as a maiden name or pet's name, and 15% use an easy to remember date – the kinds of details that might be found on their Facebook profiles. Nearly a third (30%) reuse the same password elsewhere.

Market expands for database security
As databases connect to an ever-growing list of applications, there is a burgeoning need for products to secure them. Forrester Research has concluded that the market for such products will grow by 20%, reaching $1.2bn by 2014. "The database security market is likely to converge with the overall data security market in the future, as DBMS vendors extend the security features that are bundled with their products," wrote Noel Yuhanna in a recent report. "Larger database security vendors such as Fortinet, IBM, McAfee and Oracle will continue to dominate the database security market and are likely to acquire independent vendors to fill gaps in their security portfolio." Another report by Enterprise Strategy Group (ESG) says there has been consistent under-investment in database security and that, combined with the perceived danger of Advanced Persistent Threats (APTs), a major rise in data volumes and the appearance of multiple access points, including mobile, this is now a major concern for IT departments.

REVIEWS

BOOK REVIEW: The Book of Ruby
Huw Collingbourne. Published by No Starch Press (ISBN: 978-1-59327-294-4). Price: $39.95, 370pgs, paperback.

The Ruby programming language has acquired particular relevance for security professionals and penetration testers. Its simple syntax, weak typing and widespread adoption on all popular platforms make it ideal for hacking together quick scripts or tools to get the job done. On the other hand, it's an object-oriented environment that supports the creation of complex programs and frameworks. Add the support provided by an enthusiastic community, with thousands of ready-made modules, or 'mixins', and you have a platform for sophisticated programming. And, of course, it is the language of Metasploit.

Author Huw Collingbourne starts off in a very conventional manner. Yes, there is a 'Hello world' program – all one line of it. But, in a manner suiting the nature of the language, before he gets into the basic stuff (control structures and variable types) he quickly tackles the object oriented features of Ruby. To give you an idea of the pace, the author is talking about superclasses and subclasses by page 17.

It will help if you have some programming experience already. In fact, I think this approach probably mirrors how the majority of readers will be approaching this book. While some people may choose Ruby as their first-ever programming language – and it certainly wouldn't be a bad choice – it's more likely that most readers will have at least hacked out some Perl, PHP, JavaScript or possibly Python scripts in the past. They'll be picking up this book because they have seen the rise in popularity of Ruby, and have watched its widespread deployment, and need to get up to speed.

If you're in that position, this is definitely the book for you. Presented in No Starch's usual clean and accessible style, and with Collingbourne's clear prose, you'll be writing basic scripts in no time. Of course, while Ruby lends itself to quick and dirty programming, it also has the structures and features to support complex, large-scale and carefully developed code (we get exception handling introduced in Chapter 9). There's a good section on modules – a fundamental element in developing reusable code – and how they can be used as namespaces.

There are short chapters on YAML and Marshal, Ruby's methods of serialising data for storage and retrieval. And there's another on regular expressions – highly lucid, fortunately, as this is a subject that trips up many people. These sections are exhaustive, but they're enough to get you started producing workable programs. And Collingbourne provides plenty of pointers throughout the book for people who want to explore more.

It's clear, though, that the author expects you to be interested in producing serious code, not just hack scripts. There are separate chapters on threading, for enhanced performance, and debugging.

This is not a book geared around Ruby on Rails, the web-oriented implementation of the language, which is how most people encounter the language. As Collingbourne points out, many web developers have used Ruby on Rails without ever properly understanding the underlying language. You do get a chapter on the framework, in which you learn how to write the code to run a blog. But if your only real interest in Ruby is to use it in place of PHP or ASP to create dynamic websites, then you need a different book. The Book of Ruby, on the other hand, is a perfect introduction to Ruby as a versatile, all-round programming language.

BOOK REVIEW: Security Risk Management
Evan Wheeler. Published by Syngress (ISBN: 978-1-59749-615-5). Price: $49.95, 340pgs, paperback.

Too few organisations, and even IT security professionals, approach information security from a risk perspective. All too often, security is seen as a technical or networking issue. But in this time of tight regulation and highly damaging data breaches, it's essential that all security professionals get to grips with risk issues.

Evan Wheeler, director of information security for Omgeo, teaches this subject at US universities and also wrote the Security Risk Management course for the SANS Institute. He's therefore well-placed to elucidate both the conceptual and practical facets of the subject.

The emphasis in this book is on the latter. It provides enough of a grounding in information security risk concepts that you understand why certain policies and processes are needed and why they are implemented in certain ways. But the main stress is placed on practical techniques that security professionals can use in their day-to-day work.

The book is in three main sections. The first gives an overview of why risk assessments are necessary, how they relate to the business, and introduces the concept of the risk management lifecycle. The second section gives more detail about assessment and analysis techniques, such as risk exposure factors, and risk evaluation and mitigation strategies. The third section is where everything is brought together. It's effectively a blueprint you can apply to your own organisation to create and run a risk management programme. If you don't have such a programme in place already, Wheeler's guidelines will help you create one from scratch and give you confidence that nothing has been overlooked. If you already have a risk management programme, it will be worth your while matching it against Wheeler's approach to see where the weaknesses might lie and where you can improve efficiency.

Clearly, the primary audience for this book is people who have direct responsibility for assessing and managing risk in an organisation. And they can use this as a manual. However, even if your job doesn't directly involve managing risk in a formal sense, this book will help you, as an information security professional, understand why what you're doing is important.

FEATURE: Android insecurity
Steve Gold, freelance journalist

As an operating system, Android is still relatively young. Originally developed by the Open Handset Alliance, an open source initiative piloted by Google, the company, Android Inc, was acquired by Google back in 2005 [1]. After a couple of years gestation, the Android 1.0 OS was formally unveiled in November 2007.

Thanks to the continuing support of the Open Handset Alliance – a consortium of more than 80 software, hardware and telecoms companies – Google has released most of the Android code under the Apache Licence, a free software licence. The platform also enjoys the backup of the Android Open Source Project (AOSP) when it comes to the maintenance and further development of the smartphone/tablet computer operating system.

Structurally, Android consists of a kernel based on the original Linux kernel, with middleware, libraries and APIs coded in C running on an application framework that includes Java-compatible libraries based on Apache Harmony. Overlaying this is a Dalvik virtual machine – the broad coding equivalent of Windows 98 sitting on top of a DOS environment – which runs the apps developed by Google's Android operation, as well as a raft of third-party developers.

Most of the mainstream apps are downloaded from Google's official Android Market – analogous to Apple's iTunes portal – but there are a great many third-party markets, including some run by smartphone and tablet computer vendors. Almost all apps run in a customised version of Java and, although Android's main kernel is derived from the Linux kernel, it is now recognised as a fork or offshoot of the main Linux development stream.

True multi-tasking

Equally atypical is the multi-tasking approach taken by Android. Rather than operate on a threaded basis, the operating system allows multiple applications to run at the same time. It is a true multi-tasking operating system, despite the hardware limitations of many budget and mid-range smartphones and tablet computers seen to date. Just as surprising for a resource-limited environment, Android does not close applications when the user/architecture has 'done' with them. This design specification was mandated by Google to help prevent excessive interactions by smartphone and tablet computer users.

It is also a major security failing, as it is possible for an app to be coded to run silently in the background, alongside normal apps in the foreground, and for the user to be none the wiser. In fact, if – as is the case with many of the latest smartphones and tablets – a device never runs out of memory, Android will keep all of these processes running in the background. Even if memory resources are limited, the operating system will look at the process priority of the apps in memory and decide which one to drop. Malware developers have therefore coded their rogue apps to sit in the background, but with a high priority, giving their app the longest possible lifetime in a device power cycle, which can last several days when battery recharging is carried out. Once Android determines that it needs to remove a process, it does this brutally, simply force-killing the code. The kernel
From a coding perspective, Android does not have a native X win- dowing system, nor does it support the full set of standard GNU libraries – limi- tations that make it difficult to port exist- ing Linux applications or libraries to the smartphone/tablet platform. Data storage is similarly non-standard, as Android uses SQLite, a lightweight relational database, Google’s Android Market, from which most apps are downloaded. for data storage purposes. 5 October 2011 Network Security FEATURE can then immediately reclaim all resources Google responded to criticism by roll- virus software seen around that period. used by the process, without relying on ing out a forced update to those tracked However, the difference today, he that application being well written and users that had installed the apps, but the argues, is that malware authors are far responsive to a polite request to exit. In vulnerability remains, so perpetuating more experienced and sophisticated in theory, allowing the kernel to immediate- the problem for older operating system their development capabilities, having ly reclaim application resources makes it a version users of Android that download cut their teeth on the ubiquitous PC. lot easier to avoid serious out-of-memory fresh versions of the infected apps.2,3 “You also have to remember that, right situations, but the bad news is that a This perhaps explains why, in August up until the end of the last century, most rogue app can reboot – perhaps in a less 2011, Lookout Security said it estimated malware authors were in it for the fun resource-hungry passive state – and sit that between half a million to a million and glory,” he says. “Today, however, it’s quietly in the background. Furthermore, Android users were infected by malware mainly about the money.” because the kernel keeps track of the in the first half of the year. 
At the same activities of current and closed apps, a time, the security research firm said it “I think that users of Android rogue app will normally return to the had seen an increase in the number of devices must be educated about same state as when it was killed. infected apps from 80 to 400 in the the need to install suitable same period.4 software, and only download Malware ahoy their apps from known and Cause for concern? reputable sources” In August 2010, Kaspersky Lab dis- covered an SMS trojan – Trojan-SMS. So, how vulnerable is Android – and Depending on whom you talk to, he AndroidOS.FakePlayer – that came dis- if you install suitable security software explains, the malware market is worth guised as a media player that runs in the that verifies downloads as clean and around $6-7bn dollars a year in criminal foreground while also sending out text periodically checks your smartphone or revenue terms. “It’s also alarming that the messages, also in the foreground, but rewards for programming malware are so without the users’ knowledge or consent. much greater on the darker side of the Even when shunted into the background fence. And since Android is so open to by high-priority apps, the trojan contin- malware infections, there is clearly a lot ues to generate text messages, usually to more risk with using the operating system Russian premium rate numbers. It took than with other platforms,” he says. “I Android until February 2011 before a think that users of Android devices must patch update to the operating system be educated about the need to install suit- was issued. able software, and only download their A month later, in March 2011, as apps from known and reputable sources.” widely reported at the time, Google The only piece of good news that withdrew 58 malicious apps – infected Luka has to offer about Android is that with the DroidDream malware – from tech-savvy people today learn quickly the official Market. 
However, during from their mistakes, so if they get hit by the 10 days the apps were available, they malware once, they rarely get hit again. were installed by an estimated 260,000 Android devices. The large number of The analyst view Pavel Luka, ESET. installs was due to the apps being free (and cracked) versions of previously Over at Bloor Research, Nigel Stanley, paid-for software, which led to a predict- tablet computer for malware – should the IT analysis firm’s practice leader on able swarm of viral downloads. you be concerned? security, also draws parallels between the DroidDream – a turning point in According to Pavel Luka, CTO of early evolution of the PC and the recent Android malware – was notable for ESET – the Bratislava-based IT security – and rapid – evolution of Android. As exploiting a bug in versions of Android vendor that released a full, free-of- part of his masters degree in security at older than 2.2.2. Although an update charge security suite for Android earlier Royal Holloway, he says he has complet- to the operating system that killed this year – as an operating system, ed a major dissertation on the insecurity DroidDream was rolled out in short Android is still at the beginning of its of the Android smartphone and tablet order, many users of smartphones do development cycle. As such, he says, computer operating system – and he not update their operating system, parallels can be drawn with the devel- found it wanting. Badly. which means many millions of users opment of the early PC operating sys- Stanley adds that he looked at the remained vulnerable – at the time of tems seen in the 1980s and early 1990s platform from the data loss and leakage writing in September 2011 – to the – DOS, Windows 3.x and Windows 98 perspective, kicking off with the smudge effects of the malware. 
are clear examples – and the early anti- test – a test of touch-screen devices 6 Network Security October 2011 FEATURE ability of the device to generate text References messages in the background without the user being aware of it. And for 1. Elgin, Ben. ‘Google buys Android the reasons outlined earlier in this for its mobile arsenal’. Bloomberg feature, Android was a dismal failure Businessweek, 17 Aug 2005. Accessed in this regard. Sep 2011. <http://www.businessweek. com/technology/content/aug2005/ “Overall, Stanley says he views tc20050817_0949_tc024.htm>. Android as a massive failure 2. Kincaid, Jason. ‘Google responds to on the security front, as the Android malware: will fix infected hardware – and the operating devices and ‘remote kill’ malicious system – is designed without apps’. TechCrunch, 5 Mar 2011. Accessed Sep 2011. <http://tech- any intrinsic security in mind” crunch.com/2011/03/05/android- Stanley says that email was also inse- malware-rootkit-google-response/>. Nigel Stanley, Bloor Research. cure, as there is no mechanism within 3. Messmer, Ellen. ‘Google still scram- Android that he found that allows users bling to recover from DroidDream to see if, after continued input of the – or security software – to look at the Android attack’. Computerworld, same password or lock pattern, it was headers of messages for signs of spoofing 9 Mar 2011. Accessed Sep 2011. easy to reduce the number of digits to and similar subterfuge. You cannot, he <http://news.idg.no/cw/art. ‘try’ before gaining unauthorised access. notes, verify the sender of an email for cfm?id=1A027DCB-1A64-6A71- Android (or, at least, the devices that this reason. CE9D9C2D6D3115FE>. were tested) failed. Overall, Stanley says he views Android 4. ‘Lookout Mobile Threat Report’. Then there is the data storage medium as a massive failure on the security front, Lookout Mobile Security, Aug 2011. – in the case of Android, the microSD as the hardware – and the operating sys- Accessed Sep 2011. 
<http://bit.ly/ card. The operating system failed here tem – is designed without any intrinsic putdbX>. too, since it was very easy to remove the security in mind. Even if the operating Resources card – which is not password locked at system were reworked significantly to the operating system level – and access counter the security shortcomings, he • Markoff, John. ‘I, Robot: The the contents on an external device. says the hardware lets things down. Man Behind the Google Phone’. This contrasts, Stanley notes, with the “I can’t see a way around the security New York Times, 4 Nov 2007. microSD cards seen on Windows Phone issues,” he says, adding that, for the Accessed Sep 2011. <http:// 7 devices, where the card is typically hundreds of millions of Android users www.nytimes.com/2007/11/04/ soldered onto the system board of the worldwide, the security genie is well technology/04google.html>. handset for security. and truly out of the bottle. • ‘Android’. Open Handset Alliance. Next up on the test front was the abil- For those users that have committed Accessed Sep 2011. <http://www. ity to interpret data flowing across the to the smartphone and tablet operat- openhandsetalliance.com/android_ cellular, Bluetooth or wifi connections of ing system, Stanley says that education overview.html>. the device. It was very easy, says Stanley, on security is essential, although he • ‘Android 3.0 Platform Highlights’. who installed a debugging app on the notes that the cellular carriers are now Android Developers, May 2010. handset and watched ID and password starting to wake up to the task on their Accessed Sep 2011. <http://developer. data flowing – in the clear – across the hands and beginning the long process android.com/sdk/android-3.0-high- various comms channels. of educating users on the need for on- lights.html>. “While there is no individual packet device security. • Rao, Leena. 
‘Google: 3 billion analysis available, it was a trivial mat- Android apps installed; downloads up ter to install Wireshark on an external 50% from last quarter’. TechCrunch, About the author system and watch the operating system 14 Apr 2011. Accessed Sep 2011. generate the GPS data – including the Steve Gold has been a business journal- <http://techcrunch.com/2011/04/14/ latitude and longitude co-ordinates – ist and technology writer for 26 years. A google-3-billion-android-apps- transmitted at the operating system level qualified accountant and former auditor, installed-up-50-%-from-last-quarter/>. in clear text,” he says. he has specialised in IT security, business • ‘Android is a malware cesspool – and matters, the Internet and communica- users don’t care’. InfoSecurity, 15 Jun SMS bombing tions for most of that time. He is techni- 2011. Accessed Sep 2011. <http://www. cal editor of Infosecurity and lectures infosecurity-magazine.com/view/18692/ The next stress test that Stanley tried regularly on criminal psychology and android-is-a-malware-cesspool-and- was SMS bombing, measured by the cybercrime. users-dont-care>. 7 October 2011 Network Security FEATURE Frametrapping the framebusting defence Richard J Enbody Aditya K. Sood Aditya K Sood and Richard J Enbody, Michigan State University Iframes are interactive frames that are placed in web pages to show third-party not possible to frame that website in an content as a part of the parent website. As a result, the third-party content becomes iframe. However, there are many varia- inline with the parent web page. However, iframes can also be used to conduct web- tions to this code.2 The generic Proof of based attacks. 
One of the most pernicious types of attack, clickjacking, depends Concept (PoC) has been hosted at the on framing the website in an iframe and then using User Interface (UI) redressing SecNiche website.3 A generic HTML attacks to exploit the trust that users have with legitimate websites.1 page has been designed which has the following HTML code as presented The basic technique of clickjacking is in Listing 2. The resulting web page is Listing 1: Framebusting to add a transparent layer of UI objects, shown in Figure 1. The HTML page is code in action thereby tricking a victim into clicking used as a part of the standard method on a hidden button or link to route the // Code (A) in which HTML 5 iframe attributes are victim to a malware-driven domain. The if(top.location != location) { top. used to frametrap it. result is a legitimate page with a mali- location.href = document.location.href; } cious overlay. Users think they are click- Declarative security – ing on the legitimate page, but are actu- // Code (B) – more robust X-Frame-Options ally clicking on objects created by the if(top != self) top.location.href = malicious code injected by the iframe. location.href; Declarative security has been introduced Legitimate sites can prevent this abusive as one of the new browser-based security use of their pages by inserting code to solutions in order to strengthen client-side force their page objects on top – busting Listing 2: HTML security against attacks, including click- out of the frame. In order for legitimate jacking attacks.4 The X-Frame-Options Webpage with sites to prevent the pages being abused header is one of the major parts of the Framebusting code in such clickjacking attacks, there are declarative security mechanism.5 It is a <html> two ways to ‘framebust’ the code, as dis- custom HTTP header that can be used <script type=“text/javascript”> cussed below. by the applications or websites to send an if(top.location != location) { top. HTTP response. 
This mechanism forces location.href = document.location.href;} Framebusting code the browser (assuming it supports the if(top != self) top.location.href = declarative solution) to framebust the par- location.href; Framebusting code is the common </script> ent website if an attacker tries to iframe preventive solution against this type of <body> it. It is browser dependent, but in real- clickjacking attack. Using this code, a <center><h1>FrameBusting Code – ity most of the browsers implement this developer attempts to force the legiti- Platform</h1></center> declarative security solution. In this case, mate page on top, effectively burying <hr></hr> the website throws the X-Frame-Option any malicious overlay. This means that 1. <b>if(top.location != location) { top. HTTP response headers as presented in location.href = document.location. the application or website is not allowed Figure 2. href;}</b><br> to be framed within an iframe. Several The X-Frame-Options header uses 2. <b>if(top != self) top.location.href = variations of the code exist, but the most the two basic values, which are DENY location.href; [More Robust]</b> commonly used framebusting codes are and SAMEORIGIN. If the X-Frame- <hr></hr> presented in Listing 1. Option header is used with a value of <center>(C) SecNiche Security (http:// Basically, framebusting code per- SAMEORIGIN, the web page can be www.secniche.org)</center> forms a generic conditional check and </body> framed in another web page provided executes an action based on it. When </html> they are using the same origin policy. this code is applied in a website, it is If DENY is used, the webpage cannot 8 Network Security October 2011 FEATURE be framed in any scenario. SecNiche Security has designed a Mozilla Add- on that scans HTTP responses from every web page that is opened in Firefox to detect whether a particular website is using the X-Frame-Option HTTP header as a part of a declarative security solution. 
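The following is an added example, not SecNiche's add-on or any code from the article: it implements the check the add-on performs (is X-Frame-Options present and valid in a response?) and the decision a browser that honours the header makes for DENY, SAMEORIGIN and ALLOW-FROM (the third value, defined in RFC 7034 after this article, was only ever honoured by Internet Explorer and older Firefox). The sample response head and the origins are constructed for the example. The noFramingHeaders helper also emits the Content-Security-Policy frame-ancestors directive, which is not mentioned in the article but is the header's modern successor.

```javascript
'use strict';

// Canonical origin (scheme://host[:port]) of a URL, so that SAMEORIGIN and
// ALLOW-FROM comparisons follow the same rules the browser applies.
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive lookup in a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Parse an X-Frame-Options value into {directive, uri}; null if it is not one
// of the three defined forms. Browsers disagree on how to treat junk values,
// so a null here should be reported as a misconfiguration, not as protection.
function parseXfo(value) {
  const v = String(value).trim();
  const plain = /^(DENY|SAMEORIGIN)$/i.exec(v);
  if (plain) return { directive: plain[1].toUpperCase(), uri: null };
  const allowFrom = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (allowFrom) return { directive: 'ALLOW-FROM', uri: allowFrom[1] };
  return null;
}

// Would a browser that implements X-Frame-Options render this response inside
// a frame whose ancestor documents have the given origins?
// ancestorOrigins lists every document above the frame, top-level document last.
function xfoAllowsFraming(headers, pageUrl, ancestorOrigins) {
  const raw = getHeader(headers, 'X-Frame-Options');
  if (raw === undefined) {
    return { allowed: true, reason: 'no X-Frame-Options header; only script-based framebusting is left' };
  }
  const xfo = parseXfo(raw);
  if (xfo === null) {
    return { allowed: true, reason: `unrecognised value "${raw}"; treat the page as unprotected` };
  }
  const pageOrigin = originOf(pageUrl);
  switch (xfo.directive) {
    case 'DENY':
      return { allowed: false, reason: 'DENY: never rendered in a frame' };
    case 'SAMEORIGIN':
      // Current browsers check every ancestor; early implementations checked
      // only the top-level document, which a nested same-origin frame could abuse.
      return ancestorOrigins.every(o => o === pageOrigin)
        ? { allowed: true, reason: 'SAMEORIGIN: every ancestor shares the page origin' }
        : { allowed: false, reason: 'SAMEORIGIN: a cross-origin ancestor is present' };
    default: {
      // ALLOW-FROM compares only the top-level document's origin.
      let allowedOrigin;
      try { allowedOrigin = originOf(xfo.uri); } catch (e) {
        return { allowed: false, reason: 'ALLOW-FROM: unparseable URI' };
      }
      const top = ancestorOrigins[ancestorOrigins.length - 1];
      return top === allowedOrigin
        ? { allowed: true, reason: 'ALLOW-FROM: top-level origin matches' }
        : { allowed: false, reason: 'ALLOW-FROM: top-level origin does not match' };
    }
  }
}

// Audit the head of a raw HTTP response (the material the Firefox add-on
// inspects) and report whether the page is declaratively protected.
function auditResponseHead(rawHead) {
  const headers = {};
  for (const line of rawHead.split(/\r?\n/).slice(1)) {   // slice(1) skips the status line
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  const raw = getHeader(headers, 'X-Frame-Options');
  if (raw === undefined) return { protected: false, value: null, note: 'missing' };
  const xfo = parseXfo(raw);
  if (xfo === null) return { protected: false, value: raw, note: 'invalid' };
  return { protected: true, value: raw, note: xfo.directive };
}

// Headers a server should send on a page that must never be framed: the
// X-Frame-Options value the article describes plus its CSP successor.
function noFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed sample response head (not a real capture).
const SAMPLE_RESPONSE_HEAD =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html; charset=utf-8\r\n' +
  'X-Frame-Options: SAMEORIGIN\r\n' +
  'Content-Length: 1234\r\n';
```

xfoAllowsFraming is deliberately pessimistic: a missing or malformed header is reported as framable, because that is the case in which the site is relying on nothing but the JavaScript of Listing 1.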
The add-on is currently at the experimental stage; Figure 3 shows its output. However, the most widely used solution is the framebusting code discussed earlier. This framebusting solution potentially reduces the attack surface, as the code can be interpreted by all browsers, whereas the header only helps in browsers that implement it.

Figure 1: Framebusting web page.
Figure 2: X-Frame-Options header in use.
Figure 3: X-Frame-Options detection add-on for Firefox.

Browser design and HTML 5 support

Browsers play a critical role in determining the success of any web attack. There are certain artefacts that should be taken into account in order to understand web attacks that are browser specific.

• Different browsers are built on different architectures with different rendering engines. For example, Internet Explorer uses Trident whereas Google Chrome uses WebKit.
• Support for different JavaScript objects and technologies varies widely across browsers. For example, at the time of writing Google Chrome supports the advanced HTML 5 tags, whereas other browsers such as Internet Explorer and Firefox have not yet achieved complete support for HTML 5. As a result, some HTML 5 attacks work in Google Chrome but not in the other browsers.
• Design agility varies from browser to browser. Protection mechanisms against client-side attacks depend upon the browser's flexibility and extensibility.

Thus, advanced web attacks that can be executed successfully in a specific environment may prove ineffectual in other browsers. For example, Internet Explorer supports its own security="restricted" attribute on iframes in order to execute all the content in an iframe in a restricted manner.6 The attack presented here works only on Google Chrome, due to its support for advanced technologies.

Google Chrome's support for HTML 5 was tested using the HTML 5 test website, and it was noted that Google Chrome scores the maximum points compared with the other widely used browsers.7 Figures 4, 5 and 6 show the HTML 5 support provided by Google Chrome, Internet Explorer and Mozilla Firefox respectively. This rating shows how effectively Google Chrome supports HTML 5. Not surprisingly, Google Chrome is more exposed to the HTML 5 attacks than the other browsers. The next section explains the technique of abusing HTML 5 to bypass framebusting mechanisms.

Figure 4: Google Chrome support for HTML 5.
Figure 5: Internet Explorer 9 support for HTML 5.

Abusing HTML 5 iframe attributes

HTML 5 is the fifth revision of HTML and incorporates more advanced tags based on developments in web technologies.8 HTML 5 is still in development, but some browsers have started rendering the advanced tags. As discussed in the last section, Google Chrome is running way ahead of the other browsers in providing support for HTML 5. At the same time, HTML 5 provides a fresh opportunity for attacks.

HTML 5 supports different uses for iframes by introducing a new set of iframe attributes. In particular, HTML 5 has created a 'sandbox' attribute that has greatly enhanced and changed the functionality of iframes. A sandboxed iframe is restricted by default, and the attribute's four values selectively lift those restrictions: allow-same-origin, allow-top-navigation, allow-forms and allow-scripts. The enhanced iframe is one of the major changes incorporated into HTML 5 compared with HTML 4. There are more details about the workings of the HTML 5 iframe at w3schools.com.9

This advanced functionality can be used to bypass the framebusting code, as the sandbox attribute allows the framing of a website that has framebusting code enabled. Listing 3 shows the code to bypass framebusting in Google Chrome. The attacker can frame the web page even after the framebusting code is applied at the website, as presented in Figure 7, which shows the framebusting page displayed in a frame.

Listing 3: Frametrap code using the sandbox attribute in an iframe

<html>
<body>
<center><h1>FrameTrapping – Platform</h1></center>
<b>Dethroning Framebusting using Sandbox Attribute in HTML 5. You should know how to tap it appropriately.</b><br />
1. sandbox="allow-same-origin" <br />
2. sandbox="allow-scripts" <br />
3. sandbox="allow-top-navigation" <br />
4. sandbox="allow-forms" <br />
<hr></hr>
<center>
<iframe src="http://www.secniche.org/framebusting.html" width="700" height="300" sandbox="allow-same-origin allow-scripts allow-forms" seamless="seamless"></iframe>
</center>
<hr></hr>
<center>(C) SecNiche Security (http://www.secniche.org)</center>
</body>
</html>

In Listing 3, the attacker has deliberately not used the attribute value allow-top-navigation, because that value allows the framed page to navigate the top-level (parent) window. As a result, allow-top-navigation would let the framed page bust out of the iframe, something the malicious page developer wants to avoid. Without it, the browser refuses the framed page's assignment to top.location, so the framebusting script runs but achieves nothing. On the other hand, the attacker typically uses the other three values so that the framed page's scripts run, its forms submit, and its content keeps its own origin rather than being assigned a unique sandbox origin, which keeps the page looking and behaving as the legitimate site. This attack using HTML 5 advanced features results in the bypass of the framebusting code. This attack is currently not successful in Internet Explorer and Mozilla Firefox,
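As an added example (not SecNiche's PoC or any code from the article), the following models the frametrap described above and turns it into a check: it parses a sandbox attribute, predicts what happens to the Listing 1 style script when the page is loaded under that attribute, scans attacker-side HTML for iframes configured as frametraps, and shows the hide-by-default framebusting variant (OWASP's recommended legacy defence, not something the article proposes) whose body stays blank when trapped. The token set is the four-value one the article lists; the sample attacker page is constructed after Listing 3. One caveat the 2011 text could not give: every current browser now implements sandbox, so the "Chrome only" limitation no longer holds and script-only framebusting should be treated as a fallback to X-Frame-Options rather than a defence on its own.

```javascript
'use strict';

// Sandbox tokens defined in the HTML 5 draft the article discusses. Later
// drafts added more (allow-popups, allow-modals, ...); browsers ignore tokens
// they do not know, so unknown tokens are ignored here as well.
const KNOWN_TOKENS = new Set([
  'allow-same-origin', 'allow-scripts', 'allow-forms', 'allow-top-navigation',
]);

// Parse a sandbox attribute value into the set of restrictions it lifts.
// A bare or empty sandbox attribute lifts nothing, i.e. is the most restrictive.
function parseSandbox(value) {
  const lifted = new Set();
  for (const tok of String(value).trim().toLowerCase().split(/\s+/)) {
    if (KNOWN_TOKENS.has(tok)) lifted.add(tok);
  }
  return lifted;
}

// Fate of the classic framebusting script (compare top with self, then assign
// top.location) when its page is loaded in an iframe with this sandbox value.
// null means the iframe carries no sandbox attribute at all.
function framebustOutcome(sandboxValue) {
  if (sandboxValue === null) return 'busted';        // assignment navigates the top window away
  const lifted = parseSandbox(sandboxValue);
  if (!lifted.has('allow-scripts')) return 'inert';  // script never runs; page still renders framed
  if (lifted.has('allow-top-navigation')) return 'busted';
  return 'trapped';                                  // script runs, top.location assignment is refused
}

// Fate of the hide-by-default variant: the body starts with display:none and is
// revealed only when self === top. It cannot escape a frametrap either, but the
// framed page stays blank, which leaves nothing for an overlay to exploit.
function hideByDefaultOutcome(sandboxValue) {
  return framebustOutcome(sandboxValue) === 'busted' ? 'busted' : 'blank';
}

// Defender's page combining the top check with the hidden body (constructed example).
const HARDENED_PAGE = `<!DOCTYPE html>
<html><head>
<style id="antiClickjack">body { display: none !important; }</style>
<script>
if (self === top) {
  var s = document.getElementById("antiClickjack");
  s.parentNode.removeChild(s);                         // top-level: reveal the page
} else {
  try { top.location = self.location; } catch (e) {}  // framed: try to bust out; stay hidden if refused
}
</script>
</head><body><h1>Protected page</h1></body></html>`;

// Scan attacker-side HTML and list every iframe configured as a frametrap:
// scripts allowed to run, top navigation withheld.
function findFrametraps(html) {
  const traps = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const sbMatch = /\bsandbox\s*=\s*["']([^"']*)["']/i.exec(attrs);
    let sandboxValue = null;
    if (sbMatch) sandboxValue = sbMatch[1];
    else if (/\bsandbox\b/i.test(attrs)) sandboxValue = '';   // bare boolean attribute
    if (framebustOutcome(sandboxValue) === 'trapped') {
      traps.push({ src: srcMatch ? srcMatch[1] : '', sandbox: sandboxValue });
    }
  }
  return traps;
}

// Constructed sample modelled on Listing 3: the first iframe is a frametrap,
// the second grants allow-top-navigation and so lets the framed page escape.
const SAMPLE_ATTACKER_PAGE = `<html><body>
<iframe src="http://www.secniche.org/framebusting.html" width="700" height="300"
        sandbox="allow-same-origin allow-scripts allow-forms" seamless="seamless"></iframe>
<iframe src="http://www.secniche.org/framebusting.html"
        sandbox="allow-scripts allow-top-navigation"></iframe>
</body></html>`;
```

findFrametraps is the detection half: run it over crawled or proxied HTML to spot pages that sandbox a third-party site while withholding allow-top-navigation. hideByDefaultOutcome is the defensive half: it shows why a page that is hidden until proven top-level is not clickjackable even when its busting attempt is refused, and why X-Frame-Options, which the browser enforces before any script runs, should still be set alongside it.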

Network Security, October 2011. Editorial Office: Elsevier Ltd.