reports
CERT issues ‘cross-site scripting’ warning
Barbara Gengler

Several US computer security experts have issued a joint warning about a security threat that allows hackers to launch malicious programs on a Web site or capture information a person volunteers on a Web site, without the user’s knowledge. The programs are being distributed by special links embedded on sites, according to an advisory issued by the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh.

The threat, called ‘cross-site scripting’, involves dangerous computer code that can be hidden within harmless-looking links to popular Internet sites. The links can be E-mailed to victims or published to online discussion groups and Web pages. CERT said Web developers and users should be aware that the scripts could be used to expose restricted parts of a company’s local networks, such as their intranets, to attackers from the Internet.

According to CERT, what you receive from a Web site may not be what that site meant to send. If you click on a specially designed link, the site may unknowingly send you bad data, unwanted pictures and programs (malicious scripts) to compromise the data.

“We haven’t had any direct reports to CERT because it would be difficult to detect”, said Bill Pollack, team leader for technical communication at CERT. “But we’ve been working to understand the problem and give people information as a proactive measure to mitigate the risk.”

CERT pointed out that the ways users can potentially expose Web browsers to malicious scripts include following untrusted links in Web pages, E-mail messages or newsgroup postings; using interactive forms on an untrustworthy site; and viewing dynamically generated pages that contain content developed by anyone but yourself.

Pollack pointed out the most significant impact of the vulnerability can be avoided by disabling all scripting languages. But he added that even with the scripting disabled, attackers may still be able to influence the appearance of content provided by a legitimate site by embedding other HTML tags.

CERT is working with technology vendors such as Cisco Systems, AT&T, Network Solutions, NASA and other security experts on a long-term, comprehensive solution. The group has published an advisory containing more details about the problem, its impact and ways to handle it. CA-2000-02 is available from www.cert.org/advisories/CA-2000-02.html. The advisory has been published jointly by the CERT Coordination Center, DoD-CERT, the Department of Defense Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC) and the National Infrastructure Protection Center (NIPC).

CERT has also posted a document describing short-term solutions. ‘Understanding Malicious Content Mitigation for Web Developers’ provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from being used by developers of malicious scripts.
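The reflection described above, and Pollack's point that injected HTML tags still matter with scripting disabled, as an added example that is not from the article or from CERT. It assumes output encoding as the developer-side fix, which the article does not spell out; the function names, the example.test host and the sample links are constructed.

```javascript
// Added example: constructed data and hypothetical function names.

// HTML-encode the five characters that can change how a browser parses text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term out of a link, as the site would when the link is followed.
function searchTerm(link) {
  return new URL(link).searchParams.get('q') || '';
}

// "Before": the site copies the link's parameter into its own page verbatim.
function renderUnsafe(link) {
  return `<p>No results for ${searchTerm(link)}</p>`;
}

// "After": the same page with the parameter encoded on output.
function renderSafe(link) {
  return `<p>No results for ${escapeHtml(searchTerm(link))}</p>`;
}

// Review check: did any tag supplied in the link survive into the page as markup?
function reflectsMarkup(link, page) {
  const tags = searchTerm(link).match(/<[^>]+>/g) || [];
  return tags.some((tag) => page.includes(tag));
}

// Constructed links to a placeholder site (example.test is not a real host).
const SAMPLE_LINKS = [
  'http://example.test/search?q=firewalls',
  'http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  'http://example.test/search?q=%3Ch1%3ESite%20closed%3C%2Fh1%3E', // no script at all
];

// For each sample link, report whether the rendered page reflects its markup.
function audit(render) {
  return SAMPLE_LINKS.map((link) => reflectsMarkup(link, render(link)));
}

console.log('unsafe:', audit(renderUnsafe));
console.log('safe:  ', audit(renderSafe));
```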
RealNames warns customers of hack attack
Barbara Gengler

A company that provides a service that converts complex Web addresses into simple keywords has warned users that a recent hacking attack into one of its databases may have compromised credit-card information belonging to as many as 15 000 customers. RealNames CEO Keith Teare said the company discovered the intruder when user searches for company names were suddenly all routed to www.188.net, a site written entirely in Chinese. “I think it’s probably just random”, Teare said. “It was just a wake-up call saying, hey, I’m here.”

The company sent E-mails to customers with this message: “Within the first 24 hours we have identified a situation that may have resulted in our customer information database being compromised, including customer credit card information.”

Teare said a security audit showed someone has gained access to the front-end of the company’s system and admitted the intruder, who is believed to be working from China. He also said credit-card companies have been notified of the security breach and, so far, no-one has reported any fraud associated with the RealNames break-in.

The company said although there was no evidence of any adverse effects on customers, as a precaution, it has assigned new password and login information to each of its members and added new firewall security. Furthermore, RealNetworks has notified federal authorities of the breach and enlisted security firm Internet Security Systems (ISS) to conduct an audit. The intrusion appears unrelated to a series of denial-of-service attacks