Saturday 19 April 2014

The Heartbleed Bug


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?

As long as a vulnerable version of OpenSSL is in use it can be abused. A fixed OpenSSL has been released and now has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use, and then restart (or reboot) the services that have the library loaded: a running process keeps using the old, vulnerable copy of OpenSSL until it is restarted.

Q&A

What is the CVE-2014-0160?

CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names maintained by MITRE. Due to coincident discovery, a duplicate CVE, CVE-2014-0346, which was assigned to us, should not be used, since others independently went public with the CVE-2014-0160 identifier.

Why it is called the Heartbleed Bug?

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When exploited it leaks memory contents from the server to the client and from the client to the server.

What makes the Heartbleed Bug unique?

Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.

Is this a design flaw in SSL/TLS protocol specification?

No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.

What is being leaked?

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets into four categories: 1) primary key material, 2) secondary key material, 3) protected content and 4) collateral.

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and by the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revoking the compromised keys, and reissuing and redistributing new keys. Even doing all this will still leave any traffic the attacker intercepted in the past open to decryption, unless the connections used forward-secret key exchange (see the question on Perfect Forward Secrecy below). All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are, for example, the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leak requires the owners of the service first to restore trust in the service according to the steps described above. Only after this should users start changing their passwords and any encryption keys, following the instructions from the owners of the compromised services; a password changed before the service has been patched and re-keyed can leak in exactly the same way. All session keys and session cookies should be invalidated and considered compromised.

What is leaked protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything considered worth protecting by encryption. Only the owners of the services will be able to estimate what is likely to have leaked, and they should notify their users accordingly. The most important thing is to restore trust in the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?

Leaked collateral is the other detail exposed to the attacker in the leaked memory content. It may include technical details such as memory addresses and security measures such as stack canaries used to protect against overflow attacks. These have only temporary value and lose it to the attacker once OpenSSL has been upgraded to a fixed version and the affected processes restarted.

Recovery sounds laborious, is there a short cut?

After seeing what we saw by "attacking" ourselves, with ease, we decided to take this very seriously. We have gone laboriously through patching our own critical services and are dealing with the possible compromise of our primary and secondary key material. All this just in case we were not the first ones to discover this and it could have been exploited in the wild already.

How revocation and reissuing of certificates works in practice?

If you are a service provider, your certificates have been signed by a Certificate Authority (CA). Check with your CA how compromised keys can be revoked and a new certificate reissued for the new keys. Generate a fresh key pair first: a certificate reissued over the old, leaked key gains nothing. Some CAs do this for free, some may charge a fee.

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, the site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose data from your computer if you connect to compromised services.

How widespread is this?

The most notable software using OpenSSL are the open source web servers Apache and nginx. The combined market share of just those two among the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Fortunately, many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most. Furthermore, OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.

What versions of the OpenSSL are affected?

Status of different versions:
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced into OpenSSL in December 2011 and has been out in the wild since the OpenSSL 1.0.1 release on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
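As a first screen against the table above, here is an added Python example (not part of the original advisory and not OpenSSL's code) that classifies a version string. It assumes the string is the output of `openssl version` or a distribution package version such as the ones listed further down; the caveat about distribution packages that carry the fix under the old upstream version string is spelled out in the docstring.

```python
"""Screen an OpenSSL version string against the Heartbleed status table.

Added example, not part of the original advisory.  Caveat: distribution
packages usually ship a patched build under the unpatched upstream version
string and bump only the package revision ("1.0.1e-2+deb7u4" below is such
a package version), so "vulnerable" here means "check the vendor advisory",
not a verdict.  Branches the table does not cover are reported as unknown."""
import re
import subprocess

# Upstream versions the table lists as vulnerable: 1.0.1 (no letter) to 1.0.1f.
VULNERABLE_101_LETTERS = set("abcdef")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from strings such as
    'OpenSSL 1.0.1e 11 Feb 2013', '1.0.1e-fips' or '1.0.1-4ubuntu5.11'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def heartbleed_status(text):
    """'vulnerable', 'not vulnerable' or 'unknown' for a version string."""
    major, minor, fix, letter = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        if letter == "" or letter in VULNERABLE_101_LETTERS:
            return "vulnerable"
        return "not vulnerable"          # 1.0.1g and later
    if (major, minor, fix) in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"          # these branches never had the heartbeat code
    return "unknown"                     # e.g. 1.0.2 pre-releases: not covered by the table


def local_openssl_status():
    """Run `openssl version` on this host; (version string, status) or None."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip(), heartbleed_status(out.stdout)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1-4ubuntu5.11",
                   "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{sample:32} -> {heartbleed_status(sample)}")
    print("this host:", local_openssl_status())
```

A result of "unknown" is deliberately not treated as safe; anything outside the three branches in the table has to be checked against the OpenSSL advisory rather than guessed.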

How common are the vulnerable OpenSSL versions?

The vulnerable versions have been out there for over two years now and have been rapidly adopted by modern operating systems. A major contributing factor is that TLS versions 1.1 and 1.2 became available with the first vulnerable OpenSSL version (1.0.1), and the security community has been pushing TLS 1.2 because of earlier attacks against TLS (such as BEAST).

How about operating systems?

Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distributions with versions that are not vulnerable:
  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

How can OpenSSL be fixed?

Even though the actual code fix may appear trivial, the OpenSSL team are the experts in fixing it properly, so the fixed version 1.0.1g or newer should be used. If this is not possible, software developers can recompile OpenSSL with the heartbeat extension compiled out using the compile-time option -DOPENSSL_NO_HEARTBEATS.

Should heartbeat be removed to aid in detection of vulnerable services?

Recovery from this bug might have benefited if the new version of OpenSSL had both fixed the bug and disabled heartbeat temporarily until some future version. The majority, if not almost all, of the TLS implementations that responded to heartbeat requests at the time of discovery were vulnerable versions of OpenSSL. If only vulnerable versions of OpenSSL had continued to respond to heartbeats for the next few months, a large-scale coordinated response to reach the owners of vulnerable services would have been more feasible. However, the swift response of the Internet community in developing online and standalone detection tools quickly removed the need to drop heartbeat altogether.

Can I detect if someone has exploited this against me?

Exploitation of this bug leaves no trace of anything abnormal in the logs.

Can IDS/IPS detect or block this attack?

Although the heartbeat can appear in different phases of the connection setup, intrusion detection and prevention system (IDS/IPS) rules to detect heartbeat messages have been developed. Because of encryption, distinguishing legitimate use from an attack cannot be based on the content of the request, but the attack may be detected by comparing the size of the request against the size of the reply. This means IDS/IPS can be programmed to detect the attack but not to block it, unless heartbeat requests are blocked altogether: the oversized reply is what gives the attack away, and by the time it is seen the leak has already happened.
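To make the heartbeat mechanics, the bounds check added in 1.0.1g and the size-based IDS heuristic concrete, here is an added Python model. It is not OpenSSL's code, not an exploit against any real host, and not part of the original Q&A. It builds RFC 6520 heartbeat messages inside TLS records, runs them through a "vulnerable" and a "fixed" responder over a constructed bytearray standing in for process memory, and applies the request-versus-reply size comparison. The 64-byte slack in the detector and the secret string are assumptions made for the demonstration.

```python
"""Heartbeat bug and size-based detection, modelled in Python.

Added example; this is not OpenSSL's code and not an exploit.  Per RFC 6520
a HeartbeatMessage is a 1-byte type, a 2-byte payload_length, the payload
and at least 16 bytes of padding, carried in a TLS record of content type 24.
"Process memory" below is a constructed bytearray placed after the record."""
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat
TLS1_2 = 0x0303
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = b"\x00" * 16        # RFC 6520 requires at least 16 bytes of padding
MAX_PAYLOAD = 0xFFFF          # payload_length is 16 bits: the "64k per heartbeat" limit


def tls_record(content_type, body):
    """Prepend the 5-byte TLS record header (type, version, length)."""
    return struct.pack("!BHH", content_type, TLS1_2, len(body)) + body


def heartbeat_request(claimed_length, payload=b""):
    """Build a heartbeat request.  A benign client sets claimed_length ==
    len(payload); the bug is triggered when it claims more than it sends."""
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + PADDING
    return tls_record(TLS_HEARTBEAT, body)


def heartbeat_response(payload):
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + PADDING
    return tls_record(TLS_HEARTBEAT, body)


def respond_vulnerable(memory, offset):
    """Pre-1.0.1g logic: trust payload_length and copy that many bytes from
    where the payload starts, reading past the end of the record into
    whatever lies next in memory (here: the rest of the bytearray)."""
    _, length = struct.unpack_from("!BH", memory, offset + 5)
    start = offset + 5 + 3
    return heartbeat_response(bytes(memory[start:start + length]))


def respond_fixed(memory, offset):
    """1.0.1g logic: silently discard the message unless
    1 + 2 + payload_length + 16 fits inside the record length."""
    _, _, rec_len = struct.unpack_from("!BHH", memory, offset)
    if rec_len < 1 + 2 + 16:
        return None
    _, length = struct.unpack_from("!BH", memory, offset + 5)
    if 1 + 2 + length + 16 > rec_len:
        return None
    start = offset + 5 + 3
    return heartbeat_response(bytes(memory[start:start + length]))


def suspicious_heartbeat(request, response, slack=64):
    """The IDS rule from the text.  Only the record headers are in the clear
    once encryption is on, so compare record lengths: a legitimate reply
    echoes the request payload and is about the same size (padding may
    differ); a reply much larger than its request is an over-read."""
    req_len = struct.unpack_from("!BHH", request)[2]
    resp_len = struct.unpack_from("!BHH", response)[2]
    return resp_len > req_len + slack


def demo():
    """Run both responders and the detector; returns a dict of outcomes."""
    secret = b"-----BEGIN RSA PRIVATE KEY-----"          # constructed stand-in
    benign = heartbeat_request(4, b"ping")
    malicious = heartbeat_request(0x4000)                # claims 16 KiB, sends none
    memory = bytearray(malicious) + b"\x00" * 200 + secret + b"\x00" * 200
    leaked = respond_vulnerable(memory, 0)
    return {
        "benign_fixed_ok": respond_fixed(bytearray(benign), 0) is not None,
        "malicious_fixed_dropped": respond_fixed(memory, 0) is None,
        "secret_in_vulnerable_reply": secret in leaked,
        "ids_flags_benign": suspicious_heartbeat(benign, respond_vulnerable(bytearray(benign), 0)),
        "ids_flags_attack": suspicious_heartbeat(malicious, leaked),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

suspicious_heartbeat() reads only the 5-byte record headers, which stay in the clear even when the heartbeat body itself is encrypted; that is why the rule can run on a sensor without session keys. A benign heartbeat is echoed at the same size, so the only tuning needed is the slack for peers that pad more generously than the 16-byte minimum.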

Has this been abused in the wild?

We don't know. The security community should deploy TLS/DTLS honeypots that entrap attackers and alert on exploitation attempts.

Can attacker access only 64k of the memory?

There is no total 64 kilobyte limit to the attack; that limit applies only to a single heartbeat, because the payload length is a 16-bit field. The attacker can either keep reconnecting or, during an active TLS connection, keep requesting an arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed.

Is this a MITM bug like Apple's goto fail bug was?

No, this does not require a man-in-the-middle (MITM) position. The attacker can directly contact the vulnerable service, or attack any user connecting to a malicious service. However, in addition to the direct threat, the theft of key material allows man-in-the-middle attackers to impersonate compromised services.

Does TLS client certificate authentication mitigate this?

No. A heartbeat request can be sent, and is replied to, during the handshake phase of the protocol, which is before client certificate authentication takes place.

Does OpenSSL's FIPS mode mitigate this?

No. OpenSSL's Federal Information Processing Standard (FIPS) mode has no effect on the vulnerable heartbeat functionality.

Does Perfect Forward Secrecy (PFS) mitigate this?

Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption. Please see https://twitter.com/ivanristic/status/453280081897467905 for how leaked session tickets may affect this.

Can heartbeat extension be disabled during the TLS handshake?

No. The vulnerable heartbeat extension code is active regardless of the results of the handshake negotiations. The only way to protect yourself is to upgrade to a fixed version of OpenSSL or to recompile OpenSSL with the heartbeat extension compiled out.

Who found the Heartbleed Bug?

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported it to NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.

What is the Defensics SafeGuard?

The SafeGuard feature of Codenomicon's Defensics security test tools automatically tests the target system for weaknesses that compromise integrity, privacy or safety. SafeGuard is a systematic solution to expose failed cryptographic certificate checks, privacy leaks or authentication bypass weaknesses that have exposed Internet users to man-in-the-middle attacks and eavesdropping. In addition to the Heartbleed bug, the new Defensics TLS SafeGuard feature can detect, for instance, the exploitable security flaw in the widely used GnuTLS open source SSL/TLS implementation and the "goto fail;" bug in Apple's TLS/SSL implementation that was patched in February 2014.

Who coordinates response to this vulnerability?

Immediately after our discovery of the bug on 3 April 2014, NCSC-FI took up the task of verifying it, analyzing it further and reaching out to the authors of OpenSSL and to the software, operating system and appliance vendors that were potentially affected. However, this vulnerability had been found and details released independently by others before this work was completed. Vendors should be notifying their users and service providers. Internet service providers should be notifying their end users where and when potential action is required.

Is there a bright side to all this?

For those service providers who are affected, this is a good opportunity to upgrade the strength of the secret keys used. A lot of software gets updates which would otherwise not have been urgent. Although this is painful for the security community, we can rest assured that the infrastructure of cyber criminals and their secrets have been exposed as well.

What can be done to prevent this from happening in future?

The security community, ourselves included, must learn to find these inevitable human mistakes sooner. Please support the development effort of the software you trust your privacy to. Donate money to the OpenSSL project.

Where to find more information?

This Q&A was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on 7 April 2014. The OpenSSL project has made a statement at https://www.openssl.org/news/secadv_20140407.txt. NCSC-FI published an advisory at https://www.cert.fi/en/reports/2014/vulnerability788210.html. Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

The Heartbleed logo is free to use, rights waived via CC0.
Page updated 2014-04-15 12:10 UTC.

Sunday 23 March 2014

How Hackers Capture Passwords Across The Air - Network Traffic Analysis


ABSTRACT

     It is well known that Wireshark is a powerful tool that goes far beyond a simple sniffer. What many do not know is that there are several ways to harness the potential of this tool, and that is what this article aims to introduce. We will learn to sniff the network effectively, create filters to find only the information we want, see how a black hat would use this tool to steal passwords, and finally how to use Wireshark to diagnose network problems or to check whether a firewall is blocking packets correctly.

INTRODUCTION

     Today it is very unlikely that your password will be brute forced. You use the Internet regularly and one day you are surprised to receive allegations of an intrusion: the evidence indicates that attacks on third-party accounts originated from your account, and you have no idea what is happening. Someone may have used your account and acted as you. How could this have happened? A strong possibility is that you have become the victim of an attack via "sniffer".

UNDERSTAND THE MAIN CONCEPT

     What are "sniffers"? The main purpose of a sniffer is to capture network traffic. They are used for network analysis, but they can also be used by malicious hackers to capture your passwords; even intrusion detection systems (IDS) are built on network sniffers.

     These programs also let you monitor network activity, recording data (usernames, passwords, etc.) each time users access other computers on the network.

     They aim at monitoring ("sniffing") network traffic to capture accesses to network services such as remote mail (IMAP, POP3), remote access (telnet, rlogin, etc.) and file transfer (FTP), always going for the most relevant information.
     On a network built around a hub, when one computer sends data to another, the hub repeats the frames to all of its ports and therefore to every machine. Normally only the machine the frames are addressed to hands them up to its operating system; the network cards of the other machines discard them.

     If a sniffer is running on one of the other computers, it puts that card into promiscuous mode so that it accepts frames addressed to other machines as well; the sniffer then captures the data at the network layer and displays it to the user in a raw, not very friendly form. Generally the data is organised by protocol (TCP, UDP, FTP, ICMP, etc.) and the content of each captured packet can be shown.


YOUR PASSWORD CAN BE CAPTURED BY SNIFFERS!

     Many local area networks (LANs) are configured with all hosts sharing the same Ethernet segment. Virtually any computer on the network can run a "sniffer" program to "steal" users' passwords. "Sniffers" work by monitoring the flow of communication between computers on the network to find out when someone uses the network services mentioned above. Each of these services uses a protocol that defines how a session is established, how your account is identified and authenticated, and how the service is used.
     To get access to these services you first have to "log in". The login sequence is part of the authentication protocol and occurs at the beginning of each session; this is the part the "sniffers" care about, because it is where your password travels. It is therefore enough to filter for a few key strings (such as USER and PASS) to obtain the password.


STEP BY STEP

     Currently almost all environments use switches rather than hubs, which makes sniffing a little more difficult: a switch does not send data to all ports as a hub does, but only to the port where the destination host is. So if you sniff a switched network you will only see broadcast traffic and your own connections. To see everything without being the network's gateway, an ARP spoofing attack (aka ARP poisoning) is needed, or the switch's CAM table has to be flooded until it falls back to forwarding frames to every port like a hub.

Basic Usage
     Now let's get our hands dirty. I'm assuming you already have Wireshark installed; if not, download it. When you start Wireshark, the screen will look something like Figure 1:


Figure 1) Wireshark.

     Before you can start capturing packets, you have to define which interface will "listen" to the traffic. Click Capture > Interfaces.


Figure 2) Interfaces.

     A new window will appear with the list of automatically detected interfaces; simply select the desired interface by ticking the box next to its name, as in Figure 3:


Figure 3) Capture Interfaces.

     If you click Start, it begins capturing packets on the selected interfaces right away.
     Once the capture is running you will see packets scrolling across the Wireshark window (how many depends on the traffic of your machine and network), something like Figure 4:


Figure 4) Capturing.

     To stop the capture, simply click the button, "Stop the running live capture".


Figure 5) Stop.

     It is important to remember that on a busy network the data stream can exhaust memory and make your machine unresponsive, so it is not advisable to leave Wireshark capturing for a long time; as we will see, we leave it running only while debugging a connection. The more packets captured, the longer it takes to apply a filter, find a packet, and so on.

     With this we have the basics of the program: we can set the capture interface and start and stop the capture. The next step is to pick out what interests us among the many packets. For this we use filters.

Using Filters

     There is a plethora of possible filters, but for now we will only see how to filter by IP address, port and protocol.
The filters can be constructed by clicking on "Filter" and selecting one of the pre-defined filters from the short list, or by typing directly into the text box. After you create your filter, click "Apply"; to see the whole packet list again, click "Clear", which removes the filter.


Figure 6) Filter.


     I will use a small filter list as an example:


Figure 7) Example by Rafael Souza (RHA Infosec).


     Filters can also be combined. The two lines below are equivalent; Wireshark accepts either the C-style operators or the word forms:

ip.src == 10.10.10.1 && tcp.dstport == 80
ip.src == 10.10.10.1 and tcp.dstport == 80

Both match packets with source address 10.10.10.1 and destination port 80.


CAPTURING PASSWORDS

     Now we will see how passwords can be captured easily, just by listening to traffic. For this example we will use the POP3 protocol, which sends its data in clear text over the network. Start capturing packets normally and start a session with your POP3 email server. If you use a safer protocol such as IMAPS or POP3S and just want to see how the mechanism works, you can connect to a POP3 server over telnet without having to add or modify your account; simply run the following:

telnet serveremail.com 110
user user@rhainfosec.com
pass rhainfosecpasswd

     Now stop the capture, type "pop" into the filter box and click "Apply"; you now see only the packets of the POP3 connection. Right-click any of them and choose "Follow TCP Stream".


Figure 8) POP3.
     This opens a new window with the entire ASCII content of the connection. As POP3 sends everything in plain text, you can see all the commands executed, including the password.


Figure 9) Pass.

     The same can be done with any connection in plain text, such as FTP, Telnet or HTTP; just change the filter and examine the contents of the connection.

Importing External Captures

     Servers usually have no graphical environment installed, so you cannot use Wireshark directly on them. If you want to analyze traffic on such a server, the best you can do is record the traffic locally with tcpdump and then copy the dump to a machine with Wireshark, where a more detailed analysis can be made.

     We will capture everything that comes from or goes to the host 10.10.10.1 with destination port 80 and save it to the file capturerafaelsouzarhainfosec.pcap in the directory where the command is run. On the server, run:

tcpdump -i eth0 -w capturerafaelsouzarhainfosec.pcap host 10.10.10.1 and dst port 80

     The options come before the filter expression. On older tcpdump versions also pass -s 0, otherwise each packet is cut at the default snapshot length and the payload you want to inspect is lost. When you are done capturing, press Ctrl+C to stop tcpdump, copy the file to the machine running Wireshark (with scp, for example) and open it with File > Open. Once loaded, you can use the program normally, as if the capture had been taken locally.
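What "Follow TCP Stream" does, done by hand for the POP3 case above and for the FTP and HTTP Basic variants mentioned earlier, as an added Python example that is not code from the article: it parses a libpcap file such as the one tcpdump writes, reassembles each client-to-server stream and extracts the credentials. The capture it works on is constructed in memory; the hosts 10.10.10.2 to 10.10.10.4, the client ports and the FTP and HTTP credentials are made up, while the POP3 login is the one typed in the telnet session above.

```python
"""Pull clear-text credentials out of a capture file, the way "Follow TCP
Stream" shows them in Wireshark.  Added example, not code from the article.
Only the standard library is used, so the classic libpcap format (24-byte
file header, 16-byte record headers, Ethernet frames) is parsed by hand.
SAMPLE_PCAP is constructed in memory: the POP3 login is the article's telnet
session; hosts, client ports and FTP/HTTP credentials are made up."""
import base64
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PORT_PROTOCOL = {110: "POP3", 21: "FTP", 80: "HTTP"}


def tcp_segment(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload.  Checksums are left zero;
    the parser below does not verify them (Wireshark does not by default)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_397_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP frame with data."""
    endian = "<" if struct.unpack_from("<I", pcap)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        if frame[23] != IPPROTO_TCP:                 # IPv4 protocol field
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:14 + ip_len]
        if payload:
            yield src, sport, dst, dport, payload


def extract_credentials(pcap):
    """Reassemble each client->server direction and return a list of
    (protocol, user, password): USER/PASS for POP3 and FTP, HTTP Basic auth."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        streams[(src, sport, dst, dport)] += payload
    found = []
    for (_, _, _, dport), data in streams.items():
        proto = PORT_PROTOCOL.get(dport)
        if proto is None:
            continue
        lines = data.decode("latin-1").splitlines()
        if proto in ("POP3", "FTP"):
            # commands are case-insensitive; the article's session types them in lowercase
            cmds = {v.upper(): a for v, _, a in (line.partition(" ") for line in lines)}
            if "USER" in cmds and "PASS" in cmds:
                found.append((proto, cmds["USER"], cmds["PASS"]))
        else:
            for line in lines:
                if line.lower().startswith("authorization: basic "):
                    user, _, pw = base64.b64decode(line.split()[2]).decode().partition(":")
                    found.append((proto, user, pw))
    return found


CLIENT, MAIL, FTP_SRV, WEB = "10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.4"
SAMPLE_PCAP = build_pcap([
    tcp_segment(MAIL, CLIENT, 110, 50001, b"+OK POP3 server ready\r\n"),
    tcp_segment(CLIENT, MAIL, 50001, 110, b"user user@rhainfosec.com\r\n"),
    tcp_segment(MAIL, CLIENT, 110, 50001, b"+OK\r\n"),
    tcp_segment(CLIENT, MAIL, 50001, 110, b"pass rhainfosecpasswd\r\n"),
    tcp_segment(CLIENT, FTP_SRV, 50002, 21, b"USER anonymous\r\nPASS guest@example.org\r\n"),
    tcp_segment(CLIENT, WEB, 50003, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
])

if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_PCAP):
        print(f"{proto}: {user} / {password}")
```

Run it as a script to see the three logins; for a real file, read it with open(path, "rb") and pass the bytes to extract_credentials(). Only the plain libpcap format is handled (not pcapng) and only IPv4 over untagged Ethernet; it also trusts the destination port to identify the protocol, which is exactly what an attacker's filter does too.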


WHAT TO DO
Why steal your password?

     There are various reasons that lead people to steal passwords, from simply annoying someone (sending email as you) to carrying out illegal activities (breaking into other computers, stealing information, etc.). One attraction for crackers is the ability to use someone else's identity in these activities.

     One of the main reasons attackers try to break into systems and install "sniffers" is to capture the maximum number of accounts quickly. The more accounts an attacker has, the easier it is to hide their tracks.

How can you protect yourself?

     Do not think that "sniffers" make the whole Internet insecure. It is not so. You need to be aware of where the risk is, when you are at risk and what to do to be safe.

     When your credit card is stolen, or you suspect someone may be using it improperly, you cancel the card. Likewise, as passwords can be stolen, it is important to replace them regularly. This precaution limits the amount of time a stolen password can be used by an attacker.

     Never share your password with others. Sharing makes it difficult to know where your password is being used (exposed) and makes unauthorized use harder to detect. A password is like a toothbrush: never share it, and change it regularly.

     Never give your password to anyone claiming they need access to fix a problem with your account or to investigate a breach of a system. This trick is one of the most effective hacking methods, known as "social engineering".

Use networks you can trust

     Another aspect to consider is which networks you can trust and which you cannot. If you are travelling and need to access your organisation's computers remotely, make sure you have a high level of assurance that the network you are on is secure. For example, would you share any file in your home directory with the users of an Internet café ("LAN house") or of another organisation's network? If not, are you sure you can trust that network?

     If you have no alternative for secure remote access and only have resources such as telnet available, you can "mitigate" the exposure by changing the password at the end of each session. Remember that only the first packets (200-300 bytes) of each session carry your login; if you change your password just before logging out, a sniffer that only records the start of sessions will not see the new one, and the password it did capture is no longer valid. Of course it is possible to capture everything that crosses the network, but an attacker usually has no intention of filling their file system quickly and being discovered that easily. Treat this as a weak mitigation: the password change itself also travels in clear text.

Why are networks so vulnerable to "sniffers"?

     There are several reasons, and there is no quick solution to the problem.

     Part of the problem is that companies tend to invest in new features rather than in added security. New security features can make systems harder to configure and less convenient to use. Remember that companies try to balance the C.I.A. triad (confidentiality, integrity and availability); new features have unintended effects on availability, and when that happens policy is overlooked, creating a new vulnerability in itself.

     Another part of the problem is the added cost of Ethernet switches, hubs and network interfaces that do not support the "promiscuous" mode that sniffers rely on.


CONCLUSION

     The question that remains is how we can protect ourselves from this threat...


i) Network cards that cannot be put into "promiscuous" mode. Then a compromised computer cannot be turned into a "sniffer".

ii) Normally the Ethernet interface only passes up to the higher protocol layers the packets addressed to the local machine. Switching the interface into promiscuous mode makes it accept all packets and pass them up the protocol stack, which is what lets a sniffer pick out what it wants; removing that capability is what option i) is about.

iii) Software that encrypts data in transit over the network, so that passwords never flow "in the clear".

     I would remind you that the safest thing to adopt and encourage is software that provides encrypted remote access sessions; it helps to make your environment much more secure.

     One fairly common encryption technology for secure communication between remote machines is SSH (Secure Shell), which is available for many platforms. Its use does not prevent the packets from being captured, but what the attacker captures is ciphertext. SSH authenticates the server and negotiates a session key (RSA in the original SSH-1; Diffie-Hellman key exchange in SSH-2), and all subsequent traffic is encrypted with a symmetric cipher (IDEA in SSH-1; AES or ChaCha20 in current implementations). This type of encryption is very strong.

     In the future, security will be increasingly intrinsic to systems and network infrastructure. There is no use in having all the security "apparatus" if you need it but do not use it. No system can be made completely secure.
 Remember, no one is 100% secure.

Friday 21 March 2014

How Hackers Hacked PayPal a Few Days Ago

If you know some JavaScript, jQuery and HTML you can understand this easily.

 Don't try it on PayPal; try it on another site, use your jQuery knowledge and see what happens...

The finding is Rafay Baloch's. Rafay is an independent security researcher, Internet marketer, entrepreneur and SEO consultant who became known after finding a remote code execution bug in PayPal, for which PayPal awarded him $10,000 and also offered him a job as a security ninja. The story was published in several newspapers, such as Tribune and Brecorder, and in Internet security magazines.

Here is an Example:

Here is an attack that hackers are using a lot these days.

A Vulnerable Example from W3schools 

The worst part about DOM-based XSS, apart from its complexity, is that many learning references and guides teach developers to code in an insecure way, i.e. in a way that introduces vulnerabilities automatically. The following screenshot is taken from the jQuery learning section of w3schools. The website needs no introduction; it is one of the most commonly referenced sites for beginners learning various programming languages.
The code uses jQuery's html() function to output HTML. The problem is that html() is not a safe jQuery function and is listed as a dangerous sink in the DOM Based XSS Wiki: user-controlled input written through the html() sink without sanitization leads to DOM-based XSS. jQuery's html() is the equivalent of innerHTML in plain JavaScript; the safe alternative for untrusted strings is text(), which inserts the value as literal text instead of parsing it as markup. The fundamental problem is that developers are not advised to use a safe function. Therefore, in my opinion, w3schools should be renamed w3fools.
 
How they do it: 
Here is a subdomain of PayPal, financing.paypal.com, that was used in the attack.
https://financing.paypal.com/ppfinportal/adGenerator/webcopy?460*80
The above shows an output containing 460*80, but let's see what happens when we replace it with the following code.
Here is the code to put into that URL: <svg/onload=prompt(1)>.
The URL becomes
https://financing.paypal.com/ppfinportal/adGenerator/webcopy?<svg/onload=prompt(1)>
When we go to this URL it shows a dialog box; that is the DOM-based XSS attack. This is how we did it, and hackers do it similarly.
 
 


Thursday 13 March 2014

The World's Richest Ex-Hackers


Long before he was the two-hundred-and-second richest person on the planet, Jan Koum was just another curious kid with a wardialer.
Koum, whose net worth suddenly jumped to $6.8 billion last month when his startup WhatsApp was acquired by Facebook, began his tech career as a teenage immigrant from Ukraine and fan of the 1995 film ‘Hackers.’ From the privacy of his Mountain View, Calif. bedroom, he’d use his wardialer—a machine that cycles through phone numbers, dialing them on a modem to find open connections—to probe the global Internet and explore faraway networks.
“The Internet was so insecure back then,” he told my colleague Parmy Olson during her reporting for Forbes’ recent cover story on Koum’s $19 billion dollar startup. “Servers on the fringes of the Internet with root account and no passwords…The challenging part was finding these systems where you have to learn your way around. There were no manuals.”
Koum says his intentions were never malicious. He was careful not to delete anything and never participated in the distributed denial of service attacks that plagued websites in the late 90s by flooding them with junk traffic. “It was more curiosity, how can I figure it out, more of a challenge,” he says.
Once, Koum admits, he found his way onto the network of the computer graphics giant Silicon Graphics, a story that the 38-year-old CEO is careful to leave unfinished. “At some point I connected to the server,” he says. “And that’s as much as I’m going to say.”
Add Koum’s name to the growing list of ultra-successful entrepreneurs whose paths to billions started on the wilder side of the hacker frontier. In fact, founders of Apple , Microsoft , Facebook and Twitter all flirted with activities that might today be called illegal hacking before going on to found Silicon Valley’s most successful companies, a trend worth remembering as the tech world and Washington grapple over how to apply–or restrict–the controversial Computer Fraud and Abuse Act.
In the late 60s, a teenage Bill Gates and his Microsoft co-founder Paul Allen, for instance, were caught with unauthorized access to an administrator account at Computer Center Corporation and even rummaged through its Dumpster for printouts of source code, according to Allen’s memoir. In 2004, Zuckerberg used login records on TheFacebook.com to break into the email accounts of Harvard Crimson reporters, according to reporting by Business Insider’s Nicholas Carlson. Twitter co-founder Jack Dorsey got his first job by breaking into the network of the dispatch company he hoped would hire him to show the company its security vulnerabilities.
Jan Koum’s hacking adventures played a similar role in his unlikely rise from welfare to a top spot on the most recent Forbes billionaire list released earlier this month. Koum was a noted member of the 1990s hacker group w00w00, which also included Napster co-founder Shawn Fanning and, occasionally, Napster co-founder and Facebook investor Sean Parker. Gordon “Fyodor” Lyon remembers Koum as a vital contributor to the development of the Nmap security scanner, a tool used today by both attackers and defenders of networks to suss out vulnerabilities. “He was particularly helpful in training Nmap to recognize FreeBSD machines,” Lyon writes to me in an email, referring to a common open-source operating system. “We lived nearby and used to hang out from time to time. This tremendous WhatsApp success truly could not have happened to a nicer person!”
When Koum was working at Yahoo! years later, it was the same w00w00 crowd that he turned to for advice in fending off an unprecedented denial of service attack hitting the company’s websites, according to Reuters’ Joseph Menn. And when his startup WhatsApp was acquired for a shocking $19 billion dollars in February, the same group of hackers assembled for a spontaneous celebration, Menn reports.
Career paths like Koum’s should be taken as evidence of how prosecuting harmless young hackers under the Computer Fraud and Abuse Act can hamper innovation, says Hanni Fakhoury, an attorney with the Electronic Frontier Foundation. “[The CFAA] is definitely creating a chilling effect on researchers, tinkerers and innovators,” says Fakhoury. “At the EFF, we get phone calls weekly from researchers who have an idea, have done some preliminary testing, and want to look deeper but are worried about CFAA liability. The volume of those calls has gone up.”
Fakhoury points to the case of Aaron Swartz, the coding prodigy, activist and early employee of the social news site Reddit. Swartz was prosecuted under the CFAA in 2011 after using an automated script to download millions of files from the academic journal website JSTOR. Facing seven-figure legal bills and decades in prison, the 26-year-old committed suicide. His story is told in a soon-to-be-released documentary titled “The Internet’s Own Boy.”
“Zuckerberg, Steve Jobs, Bill Gates, Wozniak, Paul Allen, all have told stories or written in autobiographies about how when they were younger they engaged in legally questionable activities, and how they used those mostly harmless experiences to create the biggest tech companies in the world,” says Fakhoury. “They were fortunate that they were spared the fate of Aaron Swartz.”
No one, perhaps, has captured the importance of hacker experimentation for innovation better than the late Steve Jobs, who once partnered with Apple co-founder Steve Wozniak to sell “Blue Boxes,” tools that skirted the phone companies’ security measures to allow free calls. “If it hadn’t been for the Blue Boxes,” Jobs told his biographer Walter Isaacson before his death, “There would have been no Apple.”
And if there had been no wardialer, there may have never been WhatsApp.
Here’s the full list of the world’s richest former hackers.

Tuesday 11 March 2014

DRDO, armed forces' computers hacked



In a major security breach, around 50 computers belonging to the armed forces and the DRDO were hacked sometime back and classified files could have been compromised.

Apparently in view of the development, an advisory has been issued to the Services that computers having internet facility should be kept at a distance from those on which classified work is conducted.

The security breach took place in December and was detected by the intelligence agencies after which a high-level probe was ordered, government sources said here.

The computers that were hacked are located in the South Block and belong mainly to the Army along with the other two forces, they said.

The security establishment fears that up to 30 files marked as classified could have been compromised in the process, the sources said.

National Security Advisor Shivshankar Menon sought to downplay the hacking incident, saying there are "various forms of compromise" and "not every leaked password is a big threat to security."

"A mere fact that some computer is open in North Block and South Block and is accessible does not mean that therefore there is a big gap in security."

Insisting that "things are not in bad shape", he said, "We will deal with those computers which we feel are compromised."

An advisory issued to the Services said that spyware had been detected which could read files on computers that were not even connected to the Internet, the sources said.

The armed forces have suffered considerably from hacking attempts by Chinese and Pakistani hackers; in one case, a Major posted in the Andaman and Nicobar Islands was found to have leaked critical information from his computer.

Thursday 6 March 2014

Russia-Ukraine Standoff Going Online as Hackers Attack



Cyberspace is fast becoming a battlefield for Ukrainian and Russian partisans even as ground troops from the two countries continue their military standoff.
Hackers have launched attacks on the websites of state agencies and publications on both sides. A Russian government watchdog has ordered a shutdown of the social-network pages of Ukrainian nationalist groups. And a Ukrainian phone company said its network in parts of the Crimean peninsula was damaged as unidentified men took over communication centers.
“We’re going to see a very large cyber component to whatever happens” in Ukraine, said Rodney Joffe, senior vice president at Neustar Inc., a technology research firm near Washington, D.C. “The damage can be quite debilitating.”

U.S. intelligence analysts are closely watching the roles hackers are playing in the Ukraine conflict for clues to how Russia and others might employ cyber capabilities in future conflicts, said two U.S. officials who spoke on condition of anonymity to discuss intelligence issues. The officials said cyberspace is quickly rivaling traditional battlefields as a place where wars may be won or lost.
Russia Today, an English-language website backed by the government of President Vladimir Putin, said hackers on March 2 added the word “Nazi” to headlines. The sites of Russian newspaper Vedomosti, news agency RIA Novosti, and several TV and radio stations have been hit with attacks meant to block readers, though none have been pushed offline, according to Group-IB, a Russian online security company.

Anonymous Video

“There has definitely been an increase in malicious activity,” said Ilya Sachkov, Group-IB’s chief executive officer. “But the difference isn’t as intense as, for example, what we saw during the most recent elections for Moscow mayor or the Russian parliament.”
In Ukraine, newswires Unian and Gordon said they had been attacked by hackers, the latter asserting that the culprits were Russian. And a group claiming to be affiliated with Anonymous, a loose collection of Internet activists, posted a video on sharing site Vimeo that said it was targeting Russian websites due to the conflict in Ukraine.
Russia’s foreign ministry declined to immediately comment on preparations for cyber warfare. The defense ministry didn’t return phone calls. Ukraine’s computer security agency said it had registered attacks on websites and phone networks in the country. The security police didn’t answer repeated phone calls.

Hacked Phones

Russian state television channels yesterday reported a leaked phone call between EU Foreign Policy Chief Catherine Ashton and Estonian Foreign Minister Urmas Paet, who recently returned from Ukraine. In the hacked call, according to the reports, Paet said that snipers who killed protesters in Kiev had been working for the opposition, not now-deposed President Viktor Yanukovych. The Estonian Foreign Ministry said the call was authentic, but said Paet hadn’t blamed the opposition for the shootings.
And on Feb. 23, state-funded Voice of Russia published e-mails alleged to have been written by Vitali Klitschko, a pro-Western candidate for the Ukrainian presidency. The documents leaked by a hacker group calling itself Anonymous Ukraine included one in which Klitschko thanked an adviser to Lithuania’s president for funding the Ukrainian protests.
“The fact that this was published in the Russian media hints that the hackers may be linked to Russia,” said Andrei Soldatov, who runs a Russian computer security website called Agentura.ru.
While there has been a cyber component in many recent armed conflicts, it’s likely to be particularly intense in Ukraine because of the level of programming skills in both countries. Absent a crisis, Ukrainian and Russian Web wizards often deploy their skills against companies and consumers, aiming to profit from stolen bank data and corporate secrets.

Targeting Target

The theft of 40 million credit card numbers from Target Corp. at the height of Christmas shopping season last year has been linked by security experts to a hacker based in the Ukrainian city of Odessa, and the U.S. Justice Department last July indicted Russians and Ukrainians in the theft of at least 160 million credit card numbers from several companies.
The key to winning the cyber conflict largely depends on whether the political leaders on each side can rally the hackers to their cause, said Sean Sullivan, an adviser at F-Secure Oyj (FSC1V), a tech consultant in Helsinki.
“There’s quite a lot of cyber crime coming out of that region, so there are a lot of guys who know how to get around legitimate blockades,” Sullivan said. “There’s going to be a lot of cat and mouse, for sure.”

WWII Monument

Cyber warfare can include blocking websites with so-called distributed denial of service attacks, in which millions of computers bombard servers with communication requests, causing them to shut down. More sophisticated -- and damaging -- techniques include switching off a phone network or remotely damaging oil refineries, said Costin Raiu, director of research at Kaspersky Lab, a computer security company in Moscow.
Estonia was hit by attacks that disabled the websites of the president, parliament, ministries, banks and newspapers in 2007 during a dispute with Russia over the relocation of a World War II monument. Estonian authorities at the time said computers around the world were used to overload servers with a barrage of access requests coordinated in Russia.

Georgia Attacks

In 2008, hackers targeted the website of Georgia’s president in the weeks leading up to a military conflict with Russia. The attacks were more intense than those that hit Estonia, according to Internet security firm Arbor Networks. Russian officials at the time declined to comment on whether the government was involved.
On March 3, Roskomnadzor, Russia’s telecommunications watchdog, ordered social-networking site VKontakte to block access to the online communities of 13 Ukrainian nationalist organizations. The agency said the Ukrainian groups had called on Russians to participate in terrorist activities and illegal gatherings. VKontakte complied with the order in Russia, but the groups can still be accessed by users in Ukraine, according to the St. Petersburg-based social network.
Ukrainian phone carrier Ukrtelecom said yesterday that its operations in parts of Crimea have been limited since Feb. 28 because of takeovers at several switching centers. Though there have been no communications failures on the peninsula, the carrier said, some traffic had to be redirected.

DDOS Attack on Meetup


After a rocky week spent recovering from a massive attack by a hacker extortionist, the popular meetup organizing website Meetup is back to normal.
And Meetup co-founder and CEO Scott Heiferman is assuring users no personal data was accessed or stolen in the attack.
That should come as good news to consumers, who are receiving an increasing number of apologetic emails from businesses ranging from Adobe to Target telling them that personal data including passwords and even credit card info has been compromised. It’s getting to be such a regular occurrence that the credit monitoring agencies must be seeing their business skyrocket.
In a message to Meetup users, Heiferman wrote: “You may have had trouble accessing Meetup in the past week, and you may have heard that we were hit by a massive attack on our servers — a DDoS attack, which is a barrage of traffic intended to make services unavailable.
“I’m happy to report that Meetup is up and running! And no personal data was accessed or stolen.”
Heiferman said it “was amazing to see how many people were rooting for Meetup.”


Saturday 1 March 2014

Tips on How to Secure Your Web Browser from Hackers

Securing Your Web Browser

Why Secure Your Browser

Today, web browsers such as Internet Explorer, Mozilla Firefox, and Apple Safari (to name a few), are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Whether installed by a computer manufacturer, operating system maker, Internet Service Provider, or by a retail store, the first step in assessing the vulnerability of your computer is to find out what software is installed and how one program will interact with another. Unfortunately, it is not practical for most people to perform this level of analysis.
There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed a trend whereby new software vulnerabilities are exploited and directed at web browsers through use of compromised or malicious websites. This problem is made worse by a number of factors, including the following:
  • Many users have a tendency to click on links without considering the risks of their actions.
  • Web page addresses can be disguised or take you to an unexpected site.
  • Many web browsers are configured to provide increased functionality at the cost of decreased security.
  • New security vulnerabilities may have been discovered since the software was configured and packaged by the manufacturer.
  • Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
  • Third-party software may not have a mechanism for receiving security updates.
  • Many websites require that users enable certain features or install more software, putting the computer at additional risk.
  • Many users do not know how to configure their web browsers securely.
  • Many users are unwilling to enable or disable functionality as required to secure their web browser.
As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.

Web Browser Features and Risks

It is important to understand the functionality and features of the web browser you use. Enabling some web browser features may lower security. Often, vendors will enable features by default to improve the computing experience, but these features may end up increasing the risk to the computer.
Attackers focus on exploiting client-side systems (your computer) through various vulnerabilities. They use these vulnerabilities to take control of your computer, steal your information, destroy your files, and use your computer to attack other computers. A low-cost way attackers do this is by exploiting vulnerabilities in web browsers. An attacker can create a malicious web page that will install Trojan software or spyware that will steal your information. Additional information about spyware is available in the following document: http://www.cert.org/archive/pdf/spyware2005.pdf. Rather than actively targeting and attacking vulnerable systems, a malicious website can passively compromise systems as the site is visited. A malicious HTML document can also be emailed to victims. In these cases, the act of opening the email or attachment can compromise the system.
Some specific web browser features and associated risks are briefly described below. Understanding what different features do will help you understand how they affect your web browser's functionality and the security of your computer.
ActiveX is a technology used by Microsoft Internet Explorer on Microsoft Windows systems. ActiveX allows applications or parts of applications to be utilized by the web browser. A web page can use ActiveX components that may already reside on a Windows system, or a site may provide the component as a downloadable object. This gives extra functionality to traditional web browsing, but may also introduce more severe vulnerabilities if not properly implemented.
ActiveX has been plagued with various vulnerabilities and implementation issues. One problem with using ActiveX in a web browser is that it greatly increases the attack surface, or “attackability,” of a system. Installing any Windows application introduces the possibility of new ActiveX controls being installed. Vulnerabilities in ActiveX objects may be exploited via Internet Explorer, even if the object was never designed to be used in a web browser (VU#680526). In 2000, the CERT/CC held a workshop to analyze security in ActiveX. The results from that workshop may be viewed at http://www.cert.org/reports/activeX_report.pdf. Many vulnerabilities with respect to ActiveX controls lead to severe impacts. Often an attacker can take control of the computer. You can search the Vulnerability Notes Database for ActiveX vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=activex.
Java is an object-oriented programming language that can be used to develop active content for websites. A Java Virtual Machine, or JVM, is used to execute the Java code, or “applet,” provided by the website. Some operating systems come with a JVM, while others require a JVM to be installed before Java can be used. Java applets are operating system independent.
Java applets usually execute within a “sandbox” where the interaction with the rest of the system is limited. However, various implementations of the JVM contain vulnerabilities that allow an applet to bypass these restrictions. Signed Java applets can also bypass sandbox restrictions, but they generally prompt the user before they can execute. You can search the Vulnerability Notes Database for Java vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=java.
Plug-ins are applications intended for use in the web browser. Netscape has developed the NPAPI standard for developing plug-ins, but this standard is used by multiple web browsers, including Mozilla Firefox and Safari. Plug-ins are similar to ActiveX controls but cannot be executed outside of a web browser. Adobe Flash is an example of an application that is available as a plug-in.
Plug-ins can contain programming flaws such as buffer overflows, or they may contain design flaws such as cross-domain violations, which arise when the same origin policy is not followed.
Cookies are files placed on your system to store data for specific websites. A cookie can contain any information that a website is designed to place in it. Cookies may contain information about the sites you visited, or may even contain credentials for accessing the site. Cookies are designed to be readable only by the website that created the cookie. Session cookies are cleared when the browser is closed, and persistent cookies will remain on the computer until the specified expiration date is reached.
Cookies can be used to uniquely identify visitors of a website, which some people consider a violation of privacy. If a website uses cookies for authentication, then an attacker may be able to acquire unauthorized access to that site by obtaining the cookie. Persistent cookies pose a higher risk than session cookies because they remain on the computer longer.
JavaScript, also known as ECMAScript, is a scripting language that is used to make websites more interactive. There are specifications in the JavaScript standard that restrict certain features such as accessing local files.
VBScript is another scripting language that is unique to Microsoft Windows Internet Explorer. VBScript is similar to JavaScript, but it is not as widely used in websites because of limited compatibility with other browsers.
The ability to run a scripting language such as JavaScript or VBScript allows web page authors to add a significant amount of features and interactivity to a web page. However, this same capability can be abused by attackers. The default configuration for most web browsers enables scripting support, which can introduce multiple vulnerabilities, such as the following:
  • Cross-Site Scripting: Cross-Site Scripting, often referred to as XSS, is a vulnerability in a website that permits an attacker to leverage the trust relationship that you have with that site. For a high-level description of XSS attacks, please see the whitepaper published at http://www.cert.org/archive/pdf/cross_site_scripting.pdf. Note that Cross-Site Scripting is not usually caused by a failure in the web browser. You can search the Vulnerability Notes Database for Cross-Site Scripting vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=cross-site+scripting.
  • Cross-Zone and Cross-Domain Vulnerabilities: Most web browsers employ security models to prevent script in a website from accessing data in a different domain. These security models are primarily based on the Netscape Same Origin Policy: http://www.mozilla.org/projects/security/components/same-origin.html. Internet Explorer also has a policy to enforce security zone separation: http://www.microsoft.com/windows/ie/ie6/using/howto/security/setup.mspx.
    Vulnerabilities that violate these security models can be used to perform actions that a site could not normally perform. The impact can be similar to a cross-site scripting vulnerability. However, if a vulnerability allows for an attacker to cross into the local machine zone or other protected areas, the attacker may be able to execute arbitrary commands on the vulnerable system. You can search the Vulnerability Notes Database for cross-zone and cross-domain vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=cross-domain.
  • Detection Evasion: Anti-virus, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) generally work by looking for specific patterns in content. If a “known bad” pattern is detected, then the appropriate actions can take place to protect the user. But because of the dynamic nature of programming languages, scripting in web pages can be used to evade such protective systems.

How to Secure Your Web Browser

Some software features that provide functionality to a web browser, such as ActiveX, Java, Scripting (JavaScript, VBScript, etc.), may also introduce vulnerabilities to the computer system. These may stem from poor implementation, poor design, or an insecure configuration. For these reasons, you should understand which browsers support which features and the risks they could introduce. Some web browsers permit you to fully disable the use of these technologies, while others may permit you to enable features on a per-site basis.
This section shows you how to securely configure a few of the most popular web browsers and how to disable features that can cause vulnerabilities. We encourage you to visit the vendor's website for the browser you use to learn more. If a vendor does not provide documentation on how to secure the browser, we encourage you to contact them and request more information.
Multiple web browsers may be installed on your computer. Other software applications on your computer, such as email clients or document viewers, may use a different browser than the one you normally use to access the web. Also, certain file types may be configured to open with a different web browser. Using one web browser for manually interacting with websites does not mean other applications will automatically use the same browser. For this reason, it is important to securely configure each web browser that may be installed on your computer. One advantage to having multiple web browsers is that one browser can be used for only sensitive activities such as online banking, and the other can be used for general purpose web browsing. This can minimize the chances that a vulnerability in a web browser, website, or related software can be used to compromise sensitive information.
Web browsers are frequently updated. Depending on the version of your software, the features and options may move or change.

Microsoft Internet Explorer

Microsoft Internet Explorer (IE) is a web browser integrated into the Microsoft Windows operating system. Removal of this application is not practical.
In addition to supporting Java, scripting and other forms of active content, Internet Explorer implements ActiveX technology. While any application is potentially vulnerable to attack, it is possible to mitigate a number of serious vulnerabilities by using a web browser that does not support ActiveX controls. However, using an alternate browser may affect the functionality of some sites that require the use of ActiveX controls. Note that using a different web browser will not remove IE, or other Windows components from the system. Other software, such as email clients, may use IE, the WebBrowser ActiveX control (WebOC), or the IE HTML rendering engine (MSHTML). Results from the CERT/CC ActiveX workshop in 2000 are available at http://www.cert.org/reports/activeX_report.pdf.
Here are steps to disable various features in Internet Explorer 7. Note that menu options may vary between versions of IE, so you should adapt the steps below as appropriate.
In order to change settings for Internet Explorer, select Tools then Internet Options…
Screen shot of Internet Explorer Tools menu
Select the Security tab. On this tab you will find a section at the top that lists the various security zones that Internet Explorer uses. More information about Internet Explorer security zones is available in the Microsoft document Setting Up Security Zones. For each of these zones, you can select a Custom Level of protection. By clicking the Custom Level button, you will see a second window open that permits you to select various security settings for that zone. The Internet zone is where all sites initially start out. The security settings for this zone apply to all the websites that are not listed in the other security zones. We recommend the High security setting be applied for this zone. By selecting the High security setting, several features including ActiveX, Active scripting, and Java will be disabled. With these features disabled, the browser will be more secure. Click the Default Level button and then drag the slider control up to High.
Screen shot of Internet Explorer Internet Options dialog with security level set to High
For a more fine-grained control over what features are allowed in the zone, click the Custom Level button. Here you can control the specific security options that apply to the current zone. For example ActiveX can be disabled by selecting Disable for Run ActiveX controls and plug-ins. Default values for the High security setting can be selected by choosing High and clicking the Reset button to apply the changes.
Screen shot of Internet Explorer Security Settings dialog with Run ActiveX controls and plug-ins disabled and Reset custom settings set to High
The Trusted sites zone is a security zone for sites that you think are safe to visit. You believe that the site is designed with security in mind and that it can be trusted not to contain malicious content. To add or remove sites from this zone, you can click the Sites… button. This will open a secondary window listing the sites that you trust and permitting you to add or remove them. You may also require that only verified sites (HTTPS) can be included in this zone. This gives you greater assurance that the site you are visiting is the site that it claims to be.
Screen shot of Internet Explorer Internet Options dialog with Trusted sites highlighted, Security level set to medium-high, and the Default level button highlighted
Screen shot of Internet Explorer Trusted sites dialog with Websites list highlighted
We recommend setting the security level for the Trusted sites zone to Medium-high (or Medium for Internet Explorer 6 and earlier). When the Internet Zone is set to High, you may encounter websites that do not function properly due to one or more of the associated security settings. This is where the Trusted sites zone can help. If you trust that the site will not contain malicious content, you can add it to the list of sites in the Trusted sites zone. Once a site is added to this zone, features such as ActiveX and Active scripting will be enabled for the site. The benefit of this type of configuration is that IE will be more secure by default, and sites can be “whitelisted” in the Trusted sites zone to gain extra functionality.
The Privacy tab contains settings for cookies. Cookies are text files placed on your computer by various sites that you visit either directly (first-party) or indirectly (third-party) through ad banners, for example. A cookie can contain any data that a site wishes to store. It is often used to track your computer as you move through a website and store information such as preferences or credentials. We recommend that you select the Advanced button and select Override automatic cookie handling. Then select Prompt for both first and third-party cookies. This will prompt you each time a site tries to place a cookie on your machine. If the number of cookie prompts is too excessive, the option to Always allow session cookies can be enabled. This will allow non-persistent cookies to be accepted without user interaction. Session cookies have less risk than persistent cookies.
Screen shot of Internet Explorer Internet Options dialog with Sites button and Advanced button highlighted
Screen shot of Internet Explorer Advanced Privacy Settings dialog with Override automatic cookie handling option checked, First-party Cookies prompt option selected, and Third-party Cookies prompt option selected
You can then evaluate the originating site, whether you wish to accept or deny the cookie, and what action to take (allow or block, with the option to remember the decision for all future cookies from that website). For example, if visiting a website causes a cookie prompt from a web domain that is associated with advertising, you may wish to click Block Cookie to prevent that domain from being able to set cookies on your computer, for privacy reasons.
Screen shot of Internet Explorer Privacy Alert dialog
By selecting the Sites... button, you can manage the cookie settings for specific sites. You can add or remove sites, and you can change the current settings for existing sites. The bottom section of this window will specify the domain of the site and the action to take when that site wants to place a cookie on your machine. You can use the upper section of this window to change these settings.
Screen shot of Internet Explorer Per Site Privacy Actions dialog with Address of Web site area highlighted and Managed Web sites selection highlighted
Alternatively, if you do not wish to receive warning dialogs when a site attempts to set a cookie, you can use Internet Explorer's pre-set privacy rules. Click the Default button and then drag the slider up to High. Note that some websites may fail to function properly with the High setting. In such cases, you may add the site to the list of sites for which cookies are allowed, as described above.
Screen shot of Internet Explorer Internet Options dialog with high Internet zone privacy selected and the Default button highlighted
The Advanced tab contains settings that apply to all of the security zones. We recommend that you disable the Enable third-party browser extensions option. This option includes tool bars and Browser Helper Objects (BHOs). While some add-ons can be useful, they also have the ability to violate your privacy. For example, a browser add-on may monitor your web browsing habits, or even change the contents of web pages in an attempt to gather personal information.
Screen shot of Internet Explorer Internet Options dialog with Enable third-party browser extensions unchecked
Internationalized Domain Names (IDN) can be abused to allow spoofing of web page addresses. This can allow phishing attacks to be more convincing. More details about IDN spoofing can be found in Vulnerability Note VU#273262.  To protect against IDN spoofing in Internet Explorer, enable the Always show encoded addresses option. This will cause IDN addresses to be displayed in an encoded form in the Internet Explorer address bar and status bar, which will remove the visual similarity to the spoofing target address.
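To make the spoofing problem concrete, here is an added example (not part of the original document) that encodes a constructed look-alike host name the way a browser does before the DNS lookup. The look-alike is the Latin string "paypal.com" with the first "a" swapped for U+0430, CYRILLIC SMALL LETTER A; the Punycode form exposes the substitution that the rendered text hides. The script-mixing check is a separate heuristic of the kind later browsers adopted and is an assumption of this example, not something the original text describes.

```python
"""Why showing the encoded (Punycode) form of an IDN defeats look-alike addresses.

Added example, not from the original document. The look-alike host below is
constructed for illustration: a Latin string with one letter replaced by a
Cyrillic character that renders the same in most fonts.
"""
import unicodedata

# U+0430 is CYRILLIC SMALL LETTER A; it looks identical to Latin "a" on screen.
LOOKALIKE = "p\u0430ypal.com"
GENUINE = "paypal.com"


def to_ascii(host):
    """Encode each label as a browser does before resolving it (Python's idna codec, RFC 3490 ToASCII)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Inverse of to_ascii: the decoded form an address bar shows when encoding is not forced."""
    return host.encode("ascii").decode("idna")


def scripts_in(label):
    """Approximate each letter's script from the first word of its Unicode character name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixes_scripts(host):
    """True if any label mixes letters from more than one script (the classic homograph pattern)."""
    return any(len(scripts_in(label)) > 1 for label in host.split("."))


def address_bar(host, always_show_encoded):
    """What the user sees with and without the 'Always show encoded addresses' setting."""
    return to_ascii(host) if always_show_encoded else host


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(f"{host!r}: encoded={to_ascii(host)} mixed_scripts={mixes_scripts(host)}")
```

Running it shows the genuine name unchanged and the look-alike as xn--pypal-4ve.com, which no longer resembles the target. The mixed-script heuristic catches this case but not a label built entirely from confusable characters of a single non-Latin script, which is why the setting that always displays the encoded form is the more robust defense.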
We also recommend that you disable the Play sounds in webpages option.  Sounds in web pages are rarely integral to web page content, and may also introduce security risks by having the browser process additional untrusted data. This option is for Internet Explorer's ability to natively handle sounds. It will not interfere with other software, such as Adobe Flash or Apple QuickTime.
Screen shot of Internet Explorer Internet Options dialog with Always show encoded addresses checked and Play sounds in webpages unchecked
Under the Programs tab, you can specify your default applications for viewing websites, email messages and various other network related tasks. You can also disable Internet Explorer from asking you if you would like it to be your default web browser here.
Screen shot of Internet Explorer Internet Options dialog with Internet programs area and Default web browser area highlighted

Mozilla Firefox

Mozilla Firefox supports many of the same features as Internet Explorer, with the exception of ActiveX and the Security Zone model. Mozilla Firefox does have underlying support for configurable security policies (CAPS), which is similar to Internet Explorer's Security Zone model; however, there is no graphical user interface for setting these options. We recommend looking in the Help, For Internet Explorer Users menu to help users understand how terminology differs between the two applications.
The following are some steps to disable various features in Mozilla Firefox. Note that some menu options may change between versions or may appear in different locations depending on the host operating system. You should adapt the steps below as appropriate.
To edit the settings for Mozilla Firefox, select Tools, then Options.
Screen shot of Mozilla Firefox Tools menu with Options highlighted
You will then see an Options window that has a Category row at the top and the features for that category below. The first category of interest is the General category. Under this section, you can set Firefox as your default browser. Also select the option Always ask me where to save files. This will make it more obvious when a web page attempts to save a file to your computer.
Screen shot of Mozilla Firefox Options dialog with the Always ask me where to save files option selected and the Check Now button highlighted
Under the Privacy category, you will find options for browser History and Cookies. In the History section, disable the option to Remember what I enter in forms and the search bar. If the browser remembers these options, it can be a privacy violation, especially if the browser is used in a shared environment. Visited page and download history can be disabled here too.
In the Cookie section, select ask me every time. This will help make it clear when a website is attempting to set a cookie.
Screen shot of Mozilla Firefox Options dialog with the Remember what I enter in forms and the search bar option unchecked and the Cookies Keep until option set at ask me every time
When the user is prompted, the contents of the cookie can be viewed and the user can select whether to Deny, Allow for Session, or Allow the cookie. This gives the user more information about what sites are using cookies and also gives more granular control of cookies as opposed to globally enabling them. Select Use my choice for all cookies from this site to have the browser remember your decision so that you will not be prompted each time you return to the site. Clicking the Allow for Session button will cause the cookie to be cleared when the browser is restarted. If prompting for each cookie is too excessive, the user may wish to select the Keep until: I close Firefox option. This will prevent websites from being able to set persistent cookies.
Screen shot of Mozilla Firefox Confirm setting cookie dialog with Allow for Session button highlighted
Many web browsers will offer the ability to store login information. In general, we recommend against using such features. Should you decide to use the feature, ensure that you use the measures available to protect the password data on your computer. Under the Security category, the Passwords section contains various options to manage stored passwords, and a Master Password feature to encrypt the data on your system. We encourage you to use this option if you decide to let Mozilla Firefox manage your passwords.
The Warn me when sites try to install add-ons option will display a warning bar at the top of the browser when a website attempts to take such an action.
Screen shot of Mozilla Firefox Options dialog with the Warn me when sites try to install add-ons option checked and the Use a master password option checked
The Content category contains an option to Enable Java. Java is a programming language that permits website designers to run applications on your computer. We recommend disabling this feature unless required by the trusted site you wish to visit. Again, you should determine if this site is trustworthy and whether you want to enable Java to view the site’s content. After you are finished visiting the site, we recommend disabling Java until needed again.
Press the Advanced button to disable specific JavaScript features. We recommend disabling all of the options displayed in this dialog.
Screen shot of Mozilla Firefox Options menu with the Enable JavaScript option checked, the Enable Java option unchecked, and the Advanced button highlighted
Screen shot of Mozilla Firefox Advanced JavaScript Settings dialog with all options unchecked
The Content section has an option to modify actions taken when files are downloaded. Any time a file type is configured to automatically open with an associated application, this can make the browser more dangerous to use. Vulnerabilities in these associated applications can be exploited more easily when they are configured to automatically open. Click the Manage button to view the current download settings and modify them if necessary.
Screen shot of Mozilla Firefox Options dialog with the Manage button highlighted
The Download Actions dialog will show the file types and the currently configured actions to take when the browser encounters such a file. For all listed file types, either select Remove Action or Change Action... to modify the action to save the file to the computer. This increases the amount of user action required to launch the associated applications, and will therefore help prevent automated exploitation of vulnerabilities that may exist in these applications.
Screen shot of Mozilla Firefox Download Actions dialog with the disabled Remove Action button and enabled Change Action button highlighted
Screen shot of Mozilla Firefox Change Action dialog with the Save them on my computer option selected
Firefox 1.5 and later include a feature to Clear Private Data. This option will remove potentially sensitive information from the web browser. Select Clear Private Data... from the Tools menu to use this privacy feature.
Screen shot of Mozilla Firefox Tools menu with the Clear private data option highlighted
Screen shot of Mozilla Firefox Clear Private Data dialog with the Browsing History, Download History, Cache, and Authenticated sessions options checked and the Cookies option unchecked
Because Firefox does not have easily-configured security zones like Internet Explorer, it can be difficult to configure the web browser options on a per-site basis. For example, a user may wish to enable JavaScript for a specific, trusted site, but have it disabled for all other sites.  This functionality can be added to Firefox with an add-on, such as NoScript.
With NoScript installed, JavaScript will be disabled for sites by default. The user can allow scripts for a website by using the NoScript icon menu. Scripts can be allowed for a site on a temporary or a more permanent basis. If Temporarily allow is selected, then scripts are enabled for that site until the browser is closed.
Screen shot of Mozilla Firefox NoScript menu with the options for allowing websites and temporarily allowing websites highlighted
Because many web browser vulnerabilities require scripting, configuring the browser to have scripting disabled by default greatly reduces the chances of exploitation. To extend this protection even further, NoScript can be configured to also block Java, Flash, and other plug-ins by default. This can help to mitigate any vulnerabilities in these plug-in technologies. NoScript will replace these elements with a placeholder icon, which can be clicked to enable the element. Click the NoScript icon and then click Options... to get to the NoScript configuration screen.
Screen shot of Mozilla Firefox NoScript menu with the Options option highlighted
On the Plugins tab, select the options as follows:
Screen shot of Mozilla Firefox NoScript dialog with the options for Forbid Java, Forbid Adobe Flash, Forbid Microsoft Silverlight, Forbid other plugins, Forbid IFRAME, Apply these restrictions to trusted sites too, Show placeholder icon, and Ask for confirmation before temporarily unlocking an object all selected.
Aside from visiting websites that are inherently malicious, users can also be put at risk when a legitimate, trusted site is compromised. For this reason, we recommend enabling the option to Apply these restrictions to trusted sites too. If this option is too intrusive, it can be turned off at the cost of increased risk.

Apple Safari

The Safari web browser supports many of the same features as Mozilla Firefox. The following are some steps to disable various features in Safari on Mac OS X. The options for Safari for Microsoft Windows may differ slightly. Also note that some menu options may change over time, and you should adapt the steps below as appropriate.
In order to change settings for Safari, select Safari then Preferences…
Note that on the Safari menu, you can also select the option “Block Pop-up Windows”. This option will prevent sites from opening another window through the use of scripting or active content. Be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.
Screen shot of Apple Safari's Safari menu with Preferences option highlighted
Once you select the Preferences menu, the window below will open. The first tab to look at is the General tab. On this tab you can set up many options such as Save downloaded files to: and Open “safe” files after downloading.  We recommend that you download files to a folder that you create for that purpose. We also recommend that you deselect the Open “safe” files after downloading option.
Screen shot of Apple Safari General dialog with the Save downloaded files to selection area highlighted and the Open safe files after downloading option unchecked
The next section of interest is the AutoFill tab. On this tab, you can select what types of forms your browser will fill in automatically. In general, we recommend against using AutoFill features. If someone can gain access to your machine, or to the AutoFill data files, the AutoFill feature may allow them to use the stored credentials to access other sites that they would not otherwise be able to reach. However, if used with appropriate protective measures, it may be acceptable to enable AutoFill. We recommend using filesystem encryption software such as OS X FileVault along with the Use secure virtual memory option to provide additional security for files that reside in a user's home directory.
Screen shot of Apple Safari AutoFill dialog
The Security tab provides several options. The Web Content section permits you to enable or disable various forms of scripting and active content. We recommend disabling the first three options in this section, and only enabling them based on site-specific cases. We recommend selecting the Block Pop-up Windows option. Remember that this option will prevent sites from opening another window through the use of scripting, or active content. Again, be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.
It is safer to use Safari without plug-ins and Java, so we recommend disabling the options Enable plug-ins and Enable Java. It is also safer to disable JavaScript. However, many websites require JavaScript for proper operation.
In this dialog you can disable cookies and also view or remove cookies that have been set. In general we recommend disabling cookies, and enabling them only when you visit a site that requires their use. At this point, you should determine if the site is trustworthy and whether you want to enable cookies to view the site’s content. After you are finished visiting the site, we recommend disabling cookies until needed again. You can choose to only accept cookies from the sites that you visit by selecting the Only from sites you navigate to option. This will permit sites that you visit to set cookies, but not third-party sites. Finally, we recommend selecting the Ask before sending a non-secure form to a secure website option. This will prompt you before sending unencrypted form data when viewing an HTTPS-secured website.
Screen shot of Apple Safari Security dialog with the options for Enable plug-ins, Enable Java, and Enable JavaScript all unchecked; the Accept Cookies option set to Only from sites you navigate to; and the option for Ask before sending a non-secure form to a secure website checked
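The cookie settings recommended above for Internet Explorer (prompt for first- and third-party cookies, optionally always allowing session cookies), Firefox (keep cookies only until the browser closes) and Safari (accept cookies only from sites you navigate to) are all decisions about two properties of a Set-Cookie header: whether it is persistent and whether it comes from the site you are visiting. The following added example (not code from the original document or from any browser) makes those decisions explicit. The Set-Cookie headers and URLs are constructed, the policy presets are an assumption that reduces each recommendation to four fields, and the same-site test uses the last two host labels as a stand-in for a registrable domain rather than the public suffix list a real browser consults.

```python
"""Cookie-acceptance decisions corresponding to the browser settings discussed above.

Added example, not code from the original document or from any browser. The
Set-Cookie headers and URLs are constructed. The same-site check takes the last
two DNS labels as the "site", a simplification that is wrong for suffixes such
as co.uk (real browsers use the public suffix list).
"""
from urllib.parse import urlsplit

# Presets mirroring the text's recommendations (assumed four-field policy model).
IE_PROMPT_ALLOW_SESSION = {"first_party": "prompt", "third_party": "prompt",
                           "always_allow_session": True, "session_only": False}
FIREFOX_KEEP_UNTIL_CLOSE = {"first_party": "allow", "third_party": "allow",
                            "always_allow_session": True, "session_only": True}
SAFARI_ONLY_NAVIGATED_TO = {"first_party": "allow", "third_party": "block",
                            "always_allow_session": True, "session_only": False}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_persistent(attrs):
    """A cookie survives browser exit only if it carries Expires or Max-Age."""
    return "expires" in attrs or "max-age" in attrs


def site_of(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def decide(page_url, response_url, header, policy):
    """Return 'allow', 'allow_for_session', 'prompt' or 'block' for one Set-Cookie."""
    page_host = urlsplit(page_url).hostname
    setter_host = urlsplit(response_url).hostname
    _, _, attrs = parse_set_cookie(header)
    first_party = site_of(page_host) == site_of(setter_host)
    persistent = is_persistent(attrs)

    action = policy["first_party"] if first_party else policy["third_party"]
    if action == "block":
        return "block"
    if not persistent and policy["always_allow_session"]:
        return "allow"                # IE's "Always allow session cookies"
    if persistent and policy["session_only"]:
        return "allow_for_session"    # stored, but discarded when the browser closes
    return action                     # 'prompt' or 'allow'


# Constructed sample: a page on www.example.com whose own response and an embedded
# advertising pixel on another site each try to set a cookie.
PAGE = "https://www.example.com/account"
SAMPLES = [
    ("https://www.example.com/account", "sid=3f9a; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/account", "remember=1; Max-Age=2592000; Path=/"),
    ("https://ads.example.net/pixel.gif",
     "track=7c1; Expires=Wed, 21 Oct 2030 07:28:00 GMT; Domain=.ads.example.net"),
]


def classify_samples(policy):
    """Decision for every sample header under one policy, in SAMPLES order."""
    return [decide(PAGE, url, hdr, policy) for url, hdr in SAMPLES]


if __name__ == "__main__":
    for label, policy in (("IE prompt, allow session", IE_PROMPT_ALLOW_SESSION),
                          ("Firefox keep until I close", FIREFOX_KEEP_UNTIL_CLOSE),
                          ("Safari only from sites you navigate to", SAFARI_ONLY_NAVIGATED_TO)):
        print(label, classify_samples(policy))
```

Under the Internet Explorer preset the login session cookie is accepted silently while both persistent cookies trigger a prompt; under the Firefox preset everything is accepted but the persistent cookies are downgraded to session lifetime; under the Safari preset the advertising cookie is blocked outright because it is third-party. The Domain attribute is parsed but not used in the decision, which is one of several places a real browser is stricter than this model.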

Other Browsers

Other web browsers may have similar options to those described above. Please refer to the browser documentation to determine which options are available and how to make the necessary changes. For example, the links below show where to find information for four popular web browsers:
Note that official support for Netscape has ended on February 1st, 2008. If you are using Netscape, we strongly recommend switching to a browser that is still supported.

Keeping Your Computer Secure

In addition to selecting and securing your web browser, you can take measures to increase protection to your computer in general. The following are steps and links to information resources that will help you secure your computer.
  1. Read the Home Network Security and Home Computer Security documents

  2. Enable automatic software updates if available

    Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor's website. Read the manuals or browse the vendor's website for more information.
    Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's website for information about automatic notification. If no mailing list or other automated notification mechanism is offered, you may need to check the vendor's website periodically for updates.
  3. Install and use antivirus software

    While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Many antivirus packages support automatic updates of virus definitions. We recommend using these automatic updates when available. A partial list of antivirus vendors is available on the CERT/CC website.
  4. Avoid unsafe behavior

    Additional information on this topic can be found in the Home Network Security document.
    • Use caution when opening email attachments or when using peer-to-peer file sharing, instant messaging, or chat rooms.
    • Don't enable file sharing on network interfaces exposed directly to the Internet.
  5. Follow the principle of least privilege — don't enable it if you don't need it

    Consider creating and using an account with limited privileges instead of an 'administrator' or 'root' level account for everyday tasks. Depending on the operating system, you only need administrator level access when installing new software, changing system configurations, etc. Malicious code (e.g., viruses, Trojan horses) and most exploits run with the privileges of the user that runs them, so being logged in as an administrator all the time is far more risky.