
List:       owasp-dotnet
Subject:    [Owasp-dotnet] [Fwd: Hackers take aim at web-based apps]
From:       Dinis Cruz <dinis () ddplus ! net>
Date:       2005-10-05 20:22:08
Message-ID: 434435F0.3050707 () ddplus ! net

<irony rant>
See below an amazing discovery by the VnuNet team :)

The good news is that if the application compromised is an Asp.Net
website, then the damage will be very limited since most (about 1%) run
in a solid Partial Trust Asp.Net sandbox, and when compromised there is
not a lot a malicious attacker can do.

What I am a little bit worried about is the few Asp.Net websites out
there (the other 99%) that are running with Full Trust (or are co-hosted
in servers also hosting Full Trust websites) since they (and their
websites) are toasted once one of those applications gets compromised.

But since I have been saying this for almost two years now, I am confident that
all Asp.Net websites that handle confidential data (namely users'
personal and financial information) have migrated from Full Trust
Asp.Net to Partial Trust Asp.Net, and the only ones that will be affected
(once exploitation of this attack vector (insecure co-hosting
environments) begins) will be the mom-and-pop websites (of which recent
backups exist and can be easily restored).

</irony rant>

:)

Dinis Cruz
Owasp .Net Project Leader (in Connecticut, NY, USA)
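The Full Trust versus Partial Trust posture the rant is about is a configuration choice. As an added example (not from the original post), this root web.config fragment for an ASP.NET 1.1/2.0 shared host shows the weak setting beside the corrected one; the file path and site layout are assumptions.

```xml
<!-- Added example, not from the original post. Root web.config (or machine.config
     on ASP.NET 1.1) of a server that co-hosts several customers' sites.
     Which file is the root and how sites are laid out are assumptions here. -->
<configuration>
  <system.web>
    <!-- Weak setting (the default): every application runs with Full Trust, so a
         compromised site inherits the whole worker-process identity, including
         read/write access to every other co-hosted site's files and web.config. -->
    <!-- <trust level="Full" originUrl="" /> -->
  </system.web>

  <!-- Corrected setting: force Medium trust for every application on the box.
       Without a path attribute, <location> applies to this directory and all
       subdirectories; allowOverride="false" means a site's own web.config cannot
       raise the level back to Full (ASP.NET refuses to start that site with a
       configuration error instead of silently escalating). The default Medium
       trust policy limits file I/O to the application's own directory and denies
       unmanaged code and registry access, which is what contains a compromise. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

The lock-down only helps if it sits in the root configuration, not in the individual site's web.config, since that is exactly the file a compromised application can rewrite.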




-------- Original Message --------
Subject: 	Hackers take aim at web-based apps
Date: 	Wed, 05 Oct 2005 16:27:11 +0100 (IST)
From: 	vnunet.com breaking tech news <btn_newsletter@mail.vnunet.com>
To: 	dinis@ddplus.net



Dear Dinis

Welcome to the Daily Technology Newsletter from vnunet.com:



The good news is that increased IT security awareness and better
technology are winning the battle against hackers. It is now much
harder to break into your average corporate network than it was even a
couple of years ago.

But now for the bad news. It's all about the path of least resistance.
Just as plugging up one hole in a leaky roof just redirects the water
to another hole, making networks safer just means that hackers are
turning their attacks against business applications on the web.

And it would appear that these applications are the new leaky roof in
corporate IT infrastructures. According to a report from Frost &
Sullivan, companies are leaving themselves wide open to a drenching
because many newly deployed web-based applications are shoddily coded
with scant regard for security. Plus ça change.

mailto:newseditor@vnunet.com



News:

Hackers take aim at web-based apps
Poorly designed software leaving many firms wide open
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKM0EZ

Web attack extorts by encryption
Pay up or you'll never see your data again
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKh0E1

Firefox community website hacked again
Second time in three months
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKi0E2

New battery to last 12 years
May last longer than you do
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKj0E3

ARM flexes fastest ever mobile chip
Processor firm claims desktop speeds on a handheld
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKk0E4

Campaign tackles UK's digital divide
Microsoft and Toshiba among backers of Equity initiative
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKY0El

Kaspersky admits to antivirus flaw
Patch on the way today
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKl0E5

Gartner heralds second internet revolution
'Global-class computing' on the way, says analyst
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKL0EY

Sun/Google pact sets stage for Java innovations
Google toolbar bundling with JRE has widespread implications, say
analysts
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKm0E6

Hurricane Katrina to dampen IT market
Oil shortage could further affect technology investments, warns IDC
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKn0E7

Sun and Google team up for web domination
Collaboration pushes Java and the Google Toolbar
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKX0Ek

Confusion reigns over Xbox360 games
Microsoft unveils console launch games, but which ones?
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKo0E8

HP to ship Netscape browser
Consumer desktops and notebooks to have IE rival preloaded
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKp0EA

Microsoft joins new anti-piracy alliance
Group to publish index of risk areas
http://mail.vnunet.com/cgi-bin1/flo/y/eiad0CB2HH0Mzj0CoKq0EB



_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-dotnet
