Securing Cross Site XMLHttpRequest

June 23, 2008 – 5:26 PM

As I mentioned in my post on Cross Document Messaging, client side cross domain requests are an important area of interest for AJAX developers looking for ways to avoid expensive server side proxying calls. While Cross Document Messaging is useful for allowing third party components or gadgets embedded in a page to communicate using script on both sides, other cross domain scenarios like web services require access to cross domain content using network requests from a client side web application. For example, you may want to use your client side map based mashup to pinpoint Chinese restaurants in your current neighborhood. This could require the mashup to request a text file from Zagat.com with the locations of Zagat rated restaurants in the area, which can then be superimposed on the map.

Along those lines, a few proposals and implementations exist, like XDomainRequest in IE8, JSONRequest and the W3C’s Web Applications Working Group’s Cross Site XMLHttpRequest (CS-XHR) draft specification, which combines an access control framework with XMLHttpRequest or other features. While XDomainRequest is focused on enabling anonymous access to third party public data, Cross Site XMLHttpRequest has added functionality and consequently enables a broader set of scenarios that may appeal to developers who choose to use cross domain authentication and access control among other features. As can be expected when securing a large cross section of cross domain scenarios, a number of concerns have been identified with the CS-XHR draft by the web development community, IE team members and members of the Web Apps Working Group. For a list of our recent feedback on CS-XHR security and our take on important security principles in cross domain, please read our Security Whitepaper on Cross Domain. The paper also covers best practices and guidance for developers who choose to build on the current draft if it is supported by a future browser. Note that the issues raised here are currently being discussed and some concerns may be mitigated as the draft evolves.

Read the rest of the story…

Endpoint security holes an open door for attackers

June 23, 2008 – 11:09 AM

Everyone knows that there’s no such thing as 100% security, but it’s unlikely that most businesses realize how insecure they really are. New research on endpoint security shows just how vulnerable corporate networks are.

Eighty-one percent of corporate endpoints probed by IT security and control product vendor Sophos failed basic security tests: They either lacked Microsoft security patches, their client firewalls were disabled, or they missed endpoint security software updates.

For 40 days, Sophos ran its Endpoint Assessment Test, a free online scanning service that checks for endpoint security vulnerabilities. The Endpoint Assessment Test was performed against 583 corporate endpoints from around the world. North America represented 39% of the sample base, while the U.K. made up 36%, and Australia and Germany were 11% and 9% respectively (5% were from other countries).

Test results showed that 63% were missing at least one Microsoft security patch; more than half (51%) of endpoints tested had their client firewalls disabled, and 15% had out-of-date or disabled endpoint security software.

Read the rest of the story…

Firefox 3 Hits 17.3 Million Downloads

June 23, 2008 – 9:40 AM

Since launch last week in excess of 17.3 million downloads of Firefox 3 have taken place.

The browser saw 8 million downloads within the first 24 hours of its release, more than had ever been downloaded in a single day before, and a statistic currently being considered for inclusion in the Guinness Book of Records.

Firefox 2 was downloaded 1.6 million times in its first 24 hours of release; to date, it has been downloaded more than half a billion times, according to Mozilla.

New features in the web browser include one-click bookmarking, the smart location bar and lightning-fast performance. It also includes phishing and malware protection, built-in spell checking, session restore and full zoom.

The developers claim 15,000 new tweaks, features and improvements in the software, which is rapidly building market share at the expense of Internet Explorer.

Source:
http://www.pcworld.com/article/id,147422-pg,1/article.html

Best Security Tools: Free online Web utilities

June 23, 2008 – 8:45 AM

Have you ever needed to PING a host, trace a Web route, or see what information you’re exposing to the Internet without having to reconfigure the security on your perimeter devices? Are you tired of having to call your managed security services provider to let them know it’s you creating the anomalous behavior, not an attacker? Then maybe you should check out one of the free, online Web services providers.

Web services providers, for the purpose of this post, are organizations that make available a collection of network utilities for acquiring information about hosts, checking domain names, and even converting a spammer’s attempt at obfuscating a URL to an actual domain name and IP address.

I found these services at a site called TraceRoute.org. The site’s apparent purpose is to provide links to sites with traceroute capability. However, I found one site that does much more.

I started with a site at the top of the list of U.S. locations, Carnegie Mellon. The user interface is straightforward. You can PING a host by domain name or IP address, or you can run traceroute from the university to the target domain.

Read the rest of the story…

New breed of worm steals gaming passwords

June 23, 2008 – 8:11 AM

A new generation of malware that looks for passwords to online games has emerged, and its success rates are stunning. Last Patch Tuesday, Microsoft added special detection functions for two contaminants called Taterf and Frethog to its Malicious Software Removal Tool (MSRT). The results sent back to Redmond surprised even Microsoft’s malware specialists, who thought they had already seen it all.

On the first day alone, MSRT removed Taterf from 700,000 systems. In comparison, in the entire first month after the signatures for the Storm worm were added to the tool, only half that number of computers were found to be infected with the infamous bot network client. Online games such as Lineage Online and Legend of Mir are especially popular in the Far East. According to MSRT statistics, half a million systems in China alone were infected. But World of Warcraft and Valve’s Steam client are also quite popular in the Western Hemisphere, where Spain, with 230,000 infected systems, came in third place.

Microsoft says that worms such as Taterf spread quite slowly by copying themselves onto all drives found and storing an autorun.inf file there. But contrary to the description in Microsoft’s Threat Research & Response Blog, you cannot be infected simply by inserting an infected USB stick into a Windows system. USB sticks and MP3 players generally register with the system as DRIVE_REMOVABLE, for which autorun is disabled by default in XP. Autorun may however be offered via an arbitrarily titled default entry such as “Show me these awesome pictures” in the automatically displayed autoplay dialogue. The user does have to confirm this action manually, though that seems not to have presented much of an obstacle to the spread of the worms so far.

Microsoft describes on its support web site how you can disable autorun from CDs under XP; a change has to be made in the registry. Vista allows you to make the change from the control panel. To disable autoplay as well, for even greater safety, a group policy is needed in addition to a registry change.
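The registry change the article refers to is the NoDriveTypeAutoRun policy value, a bitmask with one bit per drive type. The following audit helper is an added example (not code from the article or from Microsoft): it reads that value from the Explorer policies key, decodes which drive types have AutoRun disabled, and flags whether removable drives are covered. The 0x95 fallback for an absent value is assumed to be the XP default, and the key path is the standard policy location.

```powershell
# Added audit script: decode the NoDriveTypeAutoRun bitmask per drive type.
# Assumed XP default when the value is not set: 0x95 (unknown, removable,
# network and reserved types disabled), matching the article's statement
# that AutoRun is off for DRIVE_REMOVABLE by default.
function Get-AutoRunPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')

    $driveBits = [ordered]@{
        0x01 = 'DRIVE_UNKNOWN'
        0x02 = 'DRIVE_NO_ROOT_DIR'
        0x04 = 'DRIVE_REMOVABLE'   # USB sticks, MP3 players
        0x08 = 'DRIVE_FIXED'
        0x10 = 'DRIVE_REMOTE'
        0x20 = 'DRIVE_CDROM'
        0x40 = 'DRIVE_RAMDISK'
        0x80 = 'RESERVED'
    }

    $key  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $mask   = 0x95             # assumed default when the value is absent
        $source = 'default (value not set)'
    } else {
        $mask   = [int]$item.NoDriveTypeAutoRun
        $source = $key
    }

    foreach ($bit in $driveBits.Keys) {
        [pscustomobject]@{
            DriveType       = $driveBits[$bit]
            AutoRunDisabled = (($mask -band $bit) -ne 0)
            Mask            = ('0x{0:X2}' -f $mask)
            Source          = $source
        }
    }
}

# Report both hives and call out the cases the article cares about:
# removable media and the "all drive types" setting (0xFF).
foreach ($hive in 'HKLM', 'HKCU') {
    $rows = Get-AutoRunPolicy -Hive $hive
    $rows | Format-Table -AutoSize
    $removable = $rows | Where-Object DriveType -eq 'DRIVE_REMOVABLE'
    if (-not $removable.AutoRunDisabled) {
        Write-Warning "$hive : AutoRun still enabled for removable drives"
    }
    if (($rows | Where-Object AutoRunDisabled -eq $false).Count -eq 0) {
        Write-Host "$hive : AutoRun disabled for all drive types (0xFF)"
    }
}
```

Run it in an elevated session to read the machine-wide policy; a value of 0xFF is the setting that disables AutoRun for every drive type, including CD-ROMs.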

Source:
http://www.heise-online.co.uk/news/New-breed-of-worm-steals-gaming-passwords–/110980