[Discussion] new thread: biggest threats

Martin Holste mcholste at gmail.com
Wed Oct 22 14:11:01 UTC 2008


Right, just like a network is a means, not an end.  You inspect the network
because you know the threats have to traverse it, and I would argue that
similarly, there is value in inspecting JavaScript because like the network,
it is ubiquitously involved in malicious activity.  I'm suggesting a JIDS as
a plugin to a NIDS.

On Wed, Oct 22, 2008 at 8:59 AM, Andre Ludwig <aludwig at packetspy.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> JS is a means, not an end.
>
> Andre
>
> Martin Holste wrote:
> > I would agree that for the server arena, SQL injection is probably the
> > biggest current threat for most as far as potential damage to their
> > organization.
> >
> > For client side, I think that malicious JavaScript has got to be near
> > the top.  I was picking apart an attack last week in which the
> > attackers had gotten an ad banner on a major ad syndicate which was
> > iframing to a particularly nasty bit of JavaScript.  This script
> > created two Java classes by binary packing the entire object as a
> > JavaScript string, then referring to that object in the same
> > JavaScript.  The next thing the client did was to make a malware
> > download with "Java 1.5" in the user agent.  While browser plugin and
> > client-side app vulnerabilities rotate, the attack vectors and payload
> > delivery framework usually rely on JavaScript.
> >
> > Brainstorm: Create an IP/domain blacklist that the NoScript guys can
> > have their plugin point at?
> >
> > --Martin
> >
> > On Wed, Oct 22, 2008 at 6:37 AM, David Glosser
> > <david.glosser at gmail.com <mailto:david.glosser at gmail.com>> wrote:
> >
> >     What are the biggest threats out there (and tomorrow?) today that
> >     this new project may be of benefit?
> >
> >     I'm voting for:
> >     asprox/sql injection - website owners having their sites infected,
> >     which means, for granny, it's no longer possible just to tell granny
> >     to only go to safe sites... And when Adobe's site is infected (1),
> >     it's a corporate issue as well
> >     fake security sites - so many domains, fast flux, double-fast flux,
> >     etc. very low initial detection, sigs are always playing catchup
> >     future - continuing infection of web sites running unpatched software,
> >     dns or bgp-related attacks/exploits
> >
> >     As this is brainstorming, if you don't think it's a good thread,
> >     don't criticize, just don't respond  ;)
> >
> >     (1)http://blogs.zdnet.com/security/?p=2039
> >     _______________________________________________
> >     Discussion mailing list
> >     Discussion at openinfosecfoundation.org
> >     <mailto:Discussion at openinfosecfoundation.org>
> >     http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> >
>
>
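As an added example that is not part of this thread, here is a small Python sketch of the kind of check a JavaScript inspection plugin could run on a fetched script: it decodes each string literal and looks for the Java class-file magic, which catches the class-packed-as-a-JavaScript-string trick Martin describes. The escape handling, the record format and the sample script are assumptions of the example.

```python
import re
import struct

# Java class files start with the magic 0xCAFEBABE followed by big-endian u2 minor and major versions.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# A single- or double-quoted JavaScript string literal, backslash escapes included.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)')
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}


def decode_js_string(body):
    """Resolve \\xNN, \\uNNNN and simple backslash escapes to the characters they encode."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE.sub(repl, body)


def find_embedded_class_files(js_source):
    """Return a record for each string literal whose decoded bytes look like a Java class file."""
    hits = []
    for m in STRING_LITERAL.finditer(js_source):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        # A binary packed into a JS string is one byte per character; code points above 0xFF
        # cannot be raw bytes, so they are replaced and can never match the magic.
        raw = decode_js_string(body).encode("latin-1", errors="replace")
        if len(raw) >= 8 and raw.startswith(CLASS_MAGIC):
            minor, major = struct.unpack(">HH", raw[4:8])
            hits.append({"offset": m.start(), "length": len(raw), "major": major, "minor": minor})
    return hits


# Constructed sample: a class-file header (major 49 = Java 5) packed into a JS string next to a benign string.
SAMPLE_JS = (
    'var msg = "hello";\n'
    'var blob = "\\xca\\xfe\\xba\\xbe\\x00\\x00\\x00\\x31\\x00\\x10";\n'
    "var cls = loadClass(blob);\n"
)
```

A real plugin would also need to follow concatenation and `String.fromCharCode` packing, which this sketch does not attempt.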