Security News

Loosening US grip on the internet.

Firefox feature looks to foil XSS attacks

As we mentioned earlier we’ve been working for the past few months on turning the Content Security Policy specification into working Firefox code. (You’ll remember that CSP is a framework to protect websites from XSS and related attacks). We are happy to report that the work is nearly finished, and we have some preview builds available for you to try out.

We’re thrilled to have received so much great feedback from other browser vendors, web site administrators, and security researchers and we’re very proud of the design that has come out of that discussion. We would like to encourage any server administrators or web app security researchers who are interested in this project to grab a preview Firefox build and help us test the new features. Please be aware that there are still a few rough spots. The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec. Most notably, HTTP redirects are not fully handled by CSP (but will be soon).

I posted a demo page where you can see the basic features of CSP in action, though we’re all much more excited to see all the tests and proof points our friends in the security research community are sure to turn up. Please grab a preview build and start testing!

Brandon Sterne
Security Program Manager

Currently, the H1N1 virus is running rampant (46,000+ cases) throughout the nation and the “official” flu season doesn’t start until Oct 4th. Like all viruses, H1N1 is made up of a DNA sequence, or code. The most amazing part is that it only takes about 3.2 Kbytes of data to code itself. A worm like Conficker takes over 112 Kbytes! Always striving for ultimate efficiency, it looks like Mother Nature…

In the first half of 2009, 77 percent of websites with malicious code were legitimate sites that had been compromised, according to a new report from Websense.

Comments On Blogs Likely To Be Spam

The high percentage was maintained over the past six months due in part to widespread attacks including Gumblar, Beladen, and Nine Ball which aimed to compromise trusted and known properties with massive injection campaigns.

Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. The report found that 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious.

“The last six months have shown that malicious hackers and fraudsters go where the people are on the Web — and have heightened their attacks on popular Web 2.0 sites and continued to compromise established, trusted Web sites in the hope of infecting unsuspecting users,” said Dan Hubbard, Chief Technology Officer, Websense.

“From malicious Twitter spam campaigns and blog comment spam to the massive injection attacks, those perpetrating fraud are exploiting the inherent trust users have of known Web properties and other users.”

In addition, 69 percent of Web pages with content classified as objectionable also had at least one malicious link. This is becoming more widespread, as 78 percent of new web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.

The convergence of blended web and email threats continues to increase. The report found that 85.6 percent of all unwanted emails in circulation during this period contained links to spam sites or malicious websites.

New experiment demonstrates what we already knew: That’s because people tend to view their immediate emotions, such as their perceptions of threats or risks, as more intense and important than their previous emotions. In one part of the study focusing on terrorist threats, using materials adapted from the U.S. Department of Homeland Security, Van Boven and his research colleagues presented…

Google searches on terms related to its new collaboration and communications platform, Google Wave, are leading to a rogue anti-virus programs, according to the Websense Security Labs. Users seeking information on how to sign up for Wave, which currently is by invite-only, have been victimized by manipulated search results that lead to sites designed to trick victims into paying for a security solution that doesn’t work. Searches for Microsoft’s new Security Essentials consumer anti-virus product also have led to “poisoned” results. — CAM

The trojan not only retrieves banking credentials but also is directed to steal money from compromised accounts, often making it appear to the victim that it took less than it actually did.

An industry built on serving adware has become a full-fledged malware distribution channel.