Jeremiah Grossman: Don't trust server-side security

Friday, February 02, 2007

Don't trust server-side security

This morning I got a heads up about a Websense alert about the Super Bowl XLI / Dolphin Stadium website. Apparently the popular website was siliently defaced to include a hidden snippet of JavaScript that exploits MS06-014 and MS07-004, loading the NsPack-packed Trojan keylogger/backdoor. Very bad for any unpatched IE browsers that hit the website.

We've all seen this kind of thing happens before, and I'm sure it'll happen again and again and again, etc. What got thinking was a piece of conventional wisdom we often hear, "Don't Trust Client-Side Security". Fair enough, but in this case the opposite is true. This was a popular and trusted website, not some hacker/warez/pr0n/serialz hang out spot. I think we need to start designing web browsers and safe-surfing habits around this concept:

Don't Trust Server-Side Security

No comments:

Post a Comment

BIO

Jeremiah Grossman brings 20+ years of experience in Computer Security and has become one of the most recognizable and world-renowned cybersecurity experts in the industry, coining several of the original hacking terms commonly used around the world today. Early in his career, Jeremiah was known as “The Hacker Yahoo” which led to his role as the company’s Information Security Officer. Jeremiah founded WhiteHat Security (now Synopsis), and served as Chief of Security Strategy for SentinelOne which was the highest-valued cybersecurity IPO in history. Most recently, Jeremiah was the founder & CEO of Bit Discovery, which was acquired by Tenable in 2022. He also serves as a company advisor and board member to several tech startups. In his spare time, Jeremiah does Brazilian Jiu-Jitsu and is passionate about classic cars. He recently opened Toybox, a luxury car club in Boise, Idaho.