Re: [Full-disclosure] Apple IOS security issue pre-advisory record
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Apple IOS security issue pre-advisory record
- From: Dave <mrx@xxxxxxxxxxxxxxxxxxx>
- Date: Sat, 24 Mar 2012 10:26:48 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 24/03/2012 05:44, Valdis.Kletnieks@xxxxxx wrote:
> On Sat, 24 Mar 2012 00:52:45 -0000, Dave said:
>> I am not an expert so please, for my education, correct me if I am wrong.
>> Is it not so much the request, but what the request is made with?
>
> It's a pretty safe bet that most of the 300 clicky-clicky types did *not* use
> wget to test what it was.
>
>> Would not requesting with wget mitigate any attack?
>
> Well, assuming that the perpetrator doesn't have a 0-day for wget. ;)
>
>> The source of the page and any scripts called by the page should be enough to
>> ascertain whether the page is malicious or not.
>
> "should" is the operative term. But that only works if the miscreant is lazy
> enough to point their link directly at the malicious content. If they're
> smart, they'll point at a page that looks legit, but loads Javascript from some
> 3rd party that loads more Javascript from a 4th party that loads more crud
> from a server you've pwned. I've hit pages on mainstream websites with noscript
> enabled, and had 25+ different sites' Javascript blocked, and as you enable
> sites you just get *more* sites in the list.
>
> I just hit http://www.msnbc.msn.com, and NoScript blocked something from
> 2011.wimbleton.com. Malicious? Out of date? What *other* domains will that
> site end up loading *more* crud from? Who knows?
>
> Trying to sort this type of stuff out is part of the reason why drive-by pwning
> is so common - the fact that the page came from someplace reasonably trustable
> like the BBC or similar tells you *nothing* about where all the content on the
> page came from.
Pretty much as I thought. I investigate some (when not too busy) of the links
in the unsolicited mails I receive and concur with what you have written here.
I always browse with NoScript/adblock/cookie monster/Ref control enabled
regardless of whether I think I can trust the site or not. I learned a long
time ago to ditch Outlook/IE and only view email in plain text.

I am curious and I do like to play with malware on a VM. I am also a novice, so
perhaps I am overcautious. Then again, I think there is no such thing as
overcautious when a great deal of the miscreants trying to own systems or
phish for credentials are more knowledgeable than I.

I just wish I had more time to study and research.

Don't the -e robots=off, --page-requisites and -H wget directives enable one
to collect all the necessary files that are called from a page?
Cheers
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBT22haLIvn8UFHWSmAQK0+Qf/ZnrC052vEWDlHGMT3bDt8RJiiGlVd7E1
IwnzmlnI549Ojw89vwxkcKsZDlMLmcEJ13peVfLYpanKEyau/3BW3zx/3ulfhvli
ab0EdJfj0I3vlrEZgXLY7jmNOiJ50Fkm7IwC/9CjR7LSGFC5o9K9OWojc1gb6eN3
04wXMM588SX8njiSGx4Mtc+/VVNif1Jskkfgl58CvcA8DmFA3fyPMx7DtgxeiY08
XoEK6xJ41mQ9shFjkIkbeFGhHtWjunbQmcgGJixFcsBQvJrZF418XhRp7hAqdEhw
BnQj2T4BixTdzHJzIeWEsn8nPId1n8V4hH3jW+h//+ev6U21+KCgpw==
=DLjT
-----END PGP SIGNATURE-----
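The inspection workflow the thread discusses, written up as an added shell example that is not part of the original messages: mirror a page and its requisites with the wget flags Dave asks about, then list the external hosts its script tags pull from, which is the third-party chain Valdis describes. The function names `fetch_for_inspection` and `external_script_hosts` and the sample HTML page are constructed for this example; the `.test` hostnames are reserved placeholders, not real sites.

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces:
#  1. fetch_for_inspection: the wget invocation Dave describes, for mirroring a page
#     and everything it references into a directory for offline review.
#  2. external_script_hosts: read saved HTML on stdin and print one external
#     script host per line, so the chain of third-party script sources can be
#     reviewed without executing any of it.

# Constructed sample page (not a real site) used to exercise external_script_hosts.
SAMPLE_PAGE=$(cat <<'EOF'
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-first.test/lib.js"></script>
<script type="text/javascript" src='http://ads.example-second.test/tag.js'></script>
</head><body>
<script src="//static.example-third.test/widget.js"></script>
<script>inline();</script>
</body></html>
EOF
)

# Mirror URL $1 into directory $2. Not run here because it needs network access.
#   -e robots=off       ignore robots.txt restrictions
#   --page-requisites   fetch scripts, stylesheets and images the page needs
#   -H                  allow those requisites to come from other hosts
#   --no-parent         do not climb above the requested path on the origin
# wget still sends a request to the site and parses whatever it returns, so the
# mirror directory is untrusted input and should only be read, never opened in a browser.
fetch_for_inspection() {
  wget -e robots=off --page-requisites -H --no-parent -P "$2" "$1"
}

# Print the hostnames referenced by external <script src=...> tags, sorted and unique.
# Handles double quotes, single quotes and protocol-relative (//host/...) URLs;
# same-origin relative paths and inline scripts are skipped.
external_script_hosts() {
  tr '\n' ' ' \
  | grep -o "<script[^>]*src=[\"'][^\"']*[\"']" \
  | sed -E "s/.*src=[\"']//; s/[\"']\$//" \
  | grep -E '^(https?:)?//' \
  | sed -E 's#^(https?:)?//([^/:]+).*#\2#' \
  | sort -u
}

# Run the extractor over the constructed sample page.
printf '%s\n' "$SAMPLE_PAGE" | external_script_hosts
```

On a mirrored page, `external_script_hosts < mirror/www.example.test/index.html` gives the first hop only; each fetched script may in turn reference further hosts, which is exactly why the list keeps growing as NoScript rules are relaxed.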
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/