Tuesday, February 27, 2007

XSS Vulnerabilities in E-banking Sites

The other day I came across this summary with direct examples of various XSS vulnerabilities in e-banking sites, and I wonder why the results still haven't gotten the necessary attention from the affected parties:

"First of all you should realize that this is not the first time that we are doing such a website. The last time we hit a vast number of sites, mostly German banks. We have shown that those sites that should be most secure are not! Many visitors saw the site and also the banks seemed quite upset; nevertheless they fixed the problems that we pointed at. You can check out the archive at: [English version] and [German version]. This project has been done as a direct reaction to the poll done in Austria not long ago and which was reported at [this article] from Heise. For the English readers among you, this article basically says that 9 of 10 people using online banking in Austria trust the security that their banks offer."

The best phishing attack, at least from a technical perspective, is the one that uses a vulnerability in the targeted brand's own site to further improve its believability, and believe it or not, certain phishing attacks are actually loading images directly from the victim's sites instead of coming up with the phish creative on their own.
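The image-hotlinking behaviour just described leaves a trace in the bank's own web-server logs: a request for a logo or padlock image whose Referer points at a host the bank does not own. As an added example (not code from the original post or from the site it quotes), here is a small detector for that pattern; it assumes Apache combined log format, a made-up bank domain example-bank.test, and constructed sample lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2007:10:01:02 +0000] "GET /img/logo.gif HTTP/1.1" 200 4123 "https://www.example-bank.test/login" "Mozilla/4.0"
203.0.113.11 - - [27/Feb/2007:10:01:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 4123 "http://secure-login.example-bank.test.attacker.example/verify.php" "Mozilla/4.0"
203.0.113.12 - - [27/Feb/2007:10:01:09 +0000] "GET /img/padlock.png HTTP/1.1" 200 912 "-" "Mozilla/4.0"
203.0.113.13 - - [27/Feb/2007:10:02:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 4123 "http://198.51.100.7/bank/index.html" "Mozilla/4.0"
203.0.113.14 - - [27/Feb/2007:10:02:30 +0000] "GET /login HTTP/1.1" 200 8800 "http://198.51.100.7/bank/index.html" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js")


def is_own_host(host, own_domain):
    """True when host is the bank's domain or a subdomain of it.
    The dot prefix matters: 'example-bank.test.attacker.example' must not match."""
    host = host.lower()
    return host == own_domain or host.endswith("." + own_domain)


def find_hotlinked_assets(log_text, own_domain="example-bank.test"):
    """Return (client_ip, path, referer_host) for static-asset requests whose
    Referer names a host outside own_domain. A missing Referer ("-") is not
    flagged: browsers legitimately omit it (privacy settings, direct visits),
    so alerting on it would only generate noise."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").lower().endswith(ASSET_EXT):
            continue
        ref = m.group("referer")
        if ref == "-":
            continue
        ref_host = urlparse(ref).hostname or ""
        if not is_own_host(ref_host, own_domain):
            hits.append((m.group("ip"), m.group("path"), ref_host))
    return hits


if __name__ == "__main__":
    for ip, path, host in find_hotlinked_assets(SAMPLE_LOG):
        print(f"hotlinked asset {path} from {ip}, referer host {host}")
```

A flagged referer host is a lead for takedown and for blocking or watermarking the asset, not proof of phishing on its own; legitimate partners and caching proxies can produce the same signal.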

Fake Terror SMS Sent to 10,000 People

This is serious, and while it was a hoax, it could have had much more devastating results acting as a propagation vector for malware or a phishing attack, as the social engineering potential here, for anything offline or online, is huge:

"About 10,000 commuters who subscribe to the train operator's timetable messaging service received the threatening text message on Friday night after hackers broke into the system. The message, sent after 9.30pm (AEDT), reads: ALLAHU AKBR FROM CONNEX! our inspectorS Love Killing people - if you see one coming, run. Want to bomb a train? they will gladly help. See you in hell!"

ALLAHU AKBR means "God is the Greatest". Now which God is the greatest I'll leave up to your religious beliefs, though the Muslim motives are spooky and the attack directly undermines the citizens' confidence in their government's ability to protect them -- what I anticipate next are articles on how terrorists take control over the trains. I'm very interested in who has access to the company's feature, and most importantly to what extent they are outsourcing, or was it an insider that used someone else's terminal to send the message? Here's a related post on the interest of various governments in developing SMS disaster alert and warning systems and the related security/impersonation problems to consider.

Friday, February 23, 2007

A Review of SiteAdvisor Pro

During 2006, the company popped out like a mushroom in front of my desktop, as you can read in a previous post and in the one on its acquisition two months later. In the typical detailed and extensive CNET Reviews style, here's what they have to say about SiteAdvisor Plus:

"SiteAdvisor Plus includes the ability to report suspicious links within IM and e-mail and can automatically block access to flagged sites. However, SiteAdvisor Plus lacks additional configuration options and doesn't work with Firefox or Opera, or with branded browsers from AOL and other services. In addition, the paid version on Internet Explorer appears to conflict with the free version installed on Firefox. Overall, we experienced greater flexibility and fewer hassles when using the free Netcraft toolbar, and we also liked the proactive nature of Linkscanner Pro better."

The niche-filling competition is also reviewed, namely LinkScanner Pro. Niche-filling with respect to the real-time sandboxing of results, a concept I'm sure is on its way at SiteAdvisor, or else the community has a lot to contribute as always. SiteAdvisor is, however, truly embracing a Web 2.0 business model on all fronts, and it's perhaps my favorite case study on commercializing an academic idea during the last year.

Characteristics of Islamist Websites

Excellent and recent analysis of the most common characteristics of Islamist websites, published by the Middle East Media Research Institute:

"The media platform favored by the Islamist organizations is the Internet, which they prefer for several reasons: firstly, for the anonymity it allows - anyone can enter and post to a site without divulging personal information; secondly, due to the medium's availability and low cost - all that is required is a PC and an Internet connection; and thirdly, due to the ability to distribute material to a great number of people over a wide geographic area in a matter of seconds.

The organizations use the Internet mainly for propaganda and indoctrination, but also for operational military needs.

This paper will discuss the distinguishing characteristics of the websites of Islamist organizations and their supporters; the various online activities through which terrorist organizations assist the mujahideen on the ground, both militarily and, especially, with propaganda; and the Internet polemics that these organizations conduct vis-à-vis their enemies."

The majority of articles you've probably read are doing nothing more than scratching the surface of the topic. Fundraising, propaganda, communications within steganographic images and the use of plain simple encryption, or the thriller type of scenarios where entire food supply chains get remotely controlled or where your next dose of Prozac may be a little bit more dangerous than it actually is, of course because terrorists may have the capacity to do so. In the post-9/11 world terrorism experts started emerging from all over the globe, universities realized the potential and opened up educational courses, even degrees, security companies started pitching their offers with cyberterrorism in mind, and last but not least the mainstream media doesn't seem to stop piggybacking on historical events while actually doing terrorists the biggest marketing favour of them all - the media echo effect. Someone blows him or herself up in the Western world, and everyone forgets about all those little things people die from if you go through your local statistical institute and look at the death rates, but starts requesting more information on what your government is doing to prevent this from happening. But compared to the same situation in the Middle East - it's part of daily life, nothing ground-breaking besides a bunch of lowlifes radicalizing online, looking for brainwashing mentors, and most importantly looking for a mighty excuse for their pathetic existence. A terrorist organization uploads a video of shooting a soldier or anything that will shock someone who's still getting shocked by The Texas Chainsaw Massacre -- boring, try the Evil Dead series -- and people become so outraged and get this feeling of being helpless in the situation that fear, compared to reality, drives the entire model of terrorism.

Terrorism is successful both as a government's doctrine for re-election and as a term, mainly because it's a very open-ended term these days. In some countries glorifying terrorism is illegal, but if you let your government convince you that it's not terrorizing you to protect you from an event that from a statistical point of view doesn't happen that very often, I think I will lose you as a reader of this blog. The world is losing the war on terrorism because it's rational, and terrorists aren't rational. In the very same fashion that companies don't compete with companies but with networks, a network that's anything but rational isn't going to be beaten by a network that's too bureaucratic and still waging departmental wars.

Go through many of my previous posts on cyberterrorism, a relevant collection of cases, and through the research, which as a matter of fact is full of practical examples from various sites.