Don't believe for a moment SSL, firewalls, patching, anti-virus, anti-spam, anti-phishing solutions, two-factor auth, or anything else like that helps. Clicking on the wrong link or visiting a website at the wrong time (especially popular websites) and you could be infected. The fact that 9 out of 10 websites has a cross-site scripting (XSS) vulnerability make the situation just that much worse!
- Hack someone else website
- Port scan and hack intranet websites
- Access illegal content on the Web
- Transfer money out of my bank account
- Display a fake login page to steal my passwords
- Steal my keystrokes
Fortunately the black hat community has not yet begun wide-scale exploitation, YET. But they are researching, communicating, experimenting and fine tuning their own code. Don't believe me? Just have a look at who's most interested in XSS. New malicious attacks will happen, its just a matter of time and a question of how bad.
So now what?
As for myself, I periodically switch between researching new attack and defense techniques. Attack research has surged forward and we have a good idea of where the edge is. I'll be going back to researching defense strategies and seeing what new effective approaches will mitigate today's risk.
Is it possible to write a browser plugin that scans JS for malware (ignoring obfuscation for now) and blocks it?
Post a Comment