Banking details can be stolen through a new JavaScript exploit

Discussion in 'other security issues & news' started by tlu, Jan 15, 2009.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As long as I can remember, the proper procedure taught is to close out all windows, then open a new window and connect to the bank site using your bookmarked link.

    When finished, log out, close the window, then proceed.

    ----
    rich
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Only thing I would add, Rich, is to clear the browser cache.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Pharming or DNS cache poisoning can still nail you even if you use your bookmark, in other words, even though you've done everything right. :doubt:

    Acadia
     
  5. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    How about OpenDNS? ;)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the reminder, Pete. I usually do emphasize that.

    Well, pharming, or DNS poisoning, isn't related to the exploit in question, but if you are concerned about that -- which is when a user thinks she/he is accessing the legitimate site's page, but instead is actually accessing the IP of a spoofed site -- one way of ensuring that you are going to the correct IP is

    1) to create a Custom Address Group of IPs in your Firewall configuration and include the IPs of your secure sites (HTTPS) which use Port 443

    2) then create a separate outbound rule for Port 443, designating addresses in that Group.

    When going to a secure site, first disable your Port 80 rule. If DNS cache poisoning has occurred (intercepting the connection and directing it to a different IP) your Firewall will alert:

    [Image: pharm-googlemail.gif]

    Others are using the OpenDNS servers instead of their ISP's DNS servers, as Huupi suggests.

    ----
    rich
     
  7. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I do two things to prevent being pharmed out: one was mentioned by Huupi, OpenDNS.

    Second, I add my financial sites to my host file; that way I jump straight to them without using ANY DNS servers.

    Acadia
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's an interesting solution!

    ----
    rich
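
The pinned-address idea from posts 6 and 7 above (a firewall address group, a hosts file), shown as an added example that is not part of any poster's message: it parses a hosts-format pin list and flags any address the resolver returns that is not pinned. The hostnames, addresses (documentation ranges) and function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample in hosts-file format; addresses are documentation ranges.
SAMPLE_PINS = """\
# pinned HTTPS sites
192.0.2.10     bank.example www.bank.example
2001:db8::10   bank.example
198.51.100.7   broker.example   # trailing comment
"""

def parse_pins(text):
    """Map each hostname to the set of addresses pinned for it."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without hostname")
        addr = ipaddress.ip_address(fields[0])  # raises ValueError on junk
        for name in fields[1:]:
            pins.setdefault(name.lower().rstrip("."), set()).add(addr)
    return pins

def system_resolve(host, port=443):
    """Addresses the OS resolver currently returns for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}

def check_host(host, pins, resolve=system_resolve):
    """Return (verdict, unexpected): ok, mismatch, unpinned or unresolved."""
    key = host.lower().rstrip(".")
    if key not in pins:
        return "unpinned", set()
    try:
        answers = resolve(key)
    except OSError:
        answers = set()
    if not answers:
        return "unresolved", set()
    unexpected = answers - pins[key]
    return ("mismatch" if unexpected else "ok"), unexpected

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_PINS)
    for name in sorted(pins):
        verdict, extra = check_host(name, pins)
        print(name, verdict, sorted(map(str, extra)))
```

Pinned addresses go stale when a site changes hosting, so a mismatch means the answer needs checking, not that poisoning is proven. If the pins are also placed in the OS hosts file, the system resolver will return them and the check has to query a DNS server directly to be meaningful.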
     
  9. tlu

    tlu Guest

    Another thing is disabling JavaScript by default and allowing it only for trusted sites, as often recommended, because this is truly not the first JavaScript exploit. This can easily be done in Firefox (with NoScript) and Opera but not in IE - here you would have to disable scripting in the Internet Zone and add all trusted sites to the Trusted Zone. That's not only very cumbersome - it also means that for all sites where you allow JavaScript (or in IE actually JScript, which is even more dangerous than JavaScript in other browsers) you also allow ActiveX, which you need for the windowsupdate sites. There is no way to distinguish between these sites - either you block everything (in the Internet Zone) or you allow everything (in the Trusted Zone), as there is nothing like a "Particularly Trusted Zone".

    This is one major reason why one should NOT use IE.
     