Taken from the article “To take the Alice and Bob on the forum example a step further, consider what happens when Alice views a forum posting by Bob that includes a link to an off-site image hosted at a site controlled by Bob. That image, when loaded by Alice’s browser, will automatically send Bob’s site a referrer URL that includes the full token that is unique to Alice’s browser session with that forum. Armed with the referring URL’s token, Bob can then respond to the image request from Alice’s browser with a request to silently take action on that forum in Alice’s name.”

This interesting attack has been around since 2001. The two researchers brought the CSRF concept a bit farther by systematically packaging payloads based on the referring site.. so essentially, they can have attacks ready for particular websites. “We’ve come up with a way to take those tokens and repackage them on a payload-per-domain basis, with different types of payloads based on the referring site,” Hamiel said. “So, if it’s linked off of Twitter, the tool might respond one way, or if it’s linked off of something like LinkedIn, it might respond another way.”

This also gives attackers the ability to scale up attacks in a modular fashion so updates can be made to payloads on fly when referring websites make changes.

Just something to keep your eye on..

Scientists working at Cern, the organisation that runs the vast smasher, were worried about what the hackers could do because they were “one step away” from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 metres in length and 15 metres wide/high.

If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, “it is hard enough to make these things work if no one is messing with it.”

Check out the bottom of the page -”Hacker Safe - Tested Daily”

 ”China has long regarded cyberwarfare as a critical component of asymmetrical warfare in any future conflict with the U.S. From China’s perspective, it makes sense to use any means possible to counter America’s huge technological advantage. “

Anti-virus vendor F-Secure added 250,000 new signatures to its malware database this year — as many as the company added in its first 20 years combined.

“Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets,” said FBI Director Robert S. Mueller. “Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users.”If you understand what botnets are, well, even if you don’t, this direct quote should be an eye opener -“Botnets are considered the Swiss Army knives of cyber crime. You name it, they can do it,” Mueller said during a speech at Penn State University. “A botnet could shut down a power grid, flood an emergency call center with millions of spam messages or disable a military command post.”+8 for the good guys

If you haven’t seen mobile device “hacking” then this should be an eye opener for you. I hope everyone is up to speed on personal device security.  Sshould you feel the need to “refresh your memory”, this book is a good start. Happy reading.

Was the backbone network outage  on 11/8/2008  because of a “data migration” or was it a “test run”?