Think you have a gift for writing compact code that replicates using one of the web's most vexing classes of security vulnerabilities? Then Security researcher RSnake (aka Robert Hansen) would like to hear from you. He has set up a contest to see who can write a self-propagating cross-site scripting (XSS) worm using the fewest …
Who is this moron?
Respectable security researchers don't encourage the creation of malware by running contests for it!
XSSXXXX Files ....... Need 42 Know Secret Trades in Virtual Trojans.
"Respectable security researchers don't encourage the creation of malware by running contests for it!" .... You can't fault the Speculative Phish though, Doc.
Although in the world of Ethical Crackers and Hackers Evolving Living Organic Networks, the bait would need to irresistible and forever gratifying....... two elements which are singularly missing.
I thought the basic idea was that one remains "unknown" as a crack hack so even the prize of bragging rights is a ego/super-ego trip wasted.
But with a Zero Day XSS Facility so easily XXXXPloitable, and with such Catastrophic Performance Potential to Critical InfraStructure Systems, one can fully understand the Panic. There is only one Practical Perfect Solution ....... Pay such a Potent Potential Attacker to Change the System which so easily Invites Attack..... for once released XSSXXXX Codes have AI Programmed and Program Led Hive Mind of their Own.
Let's be clear, if a I were a respectable hacker able to write a self replicant XSS exploit in less than 292 chars why should I send my best work to the slaughter house when I could get some bank details instead.
And just what he hopes to prove with this?
Thats nice, NOT
So basically they are creating new XSS replicators for any script kiddie to copy and insert payload.
Not sure if developers care about your idea of respectable security research anymore, or to be honest if they ever did.
I must admit things like this do encourage me to get the latest books on website security though, so the industry does seem to be funding itself.
The amusing thing is the search for the signature premise, https is going to knobble that a bit, forcing the check to happen at the client, and even then obfuscation is getting well known in the web field, so not quite sure of the value. And I am fairly sure the browser makers are aware of the basic signatures already, as they keep plugging the holes.
I have seen some good ideas, to increase web security, but really we need an overhaul of the entire premise that the internet as it stands is ideal for secure transactions. I would suggest that the banks and payment gateway services all invest in diverse technologies, requiring the users to download software that is bullet proof to enable transactions. It is the lack of investment in IT that is causing this problem, along with dull diatribes about reinventing wheels and standards. If there is a panacea, then diversity is its mother.
From my research, it takes about a month for someone who is familiar with IT to create a setup where they can fuzz away for vulnerabilities in browsers, then perhaps a couple of hours a day to get an exploit. If the IT industry was proactive these people would be employed in jobs that helped the IT community, instead they are just creating market demand for their skillset in the future, at considerable risk to themselves, but hey at least they are living.
Security thru diversity is a useful mantra for the IT sector. As long as IT delivers productivity at an increase of one penny more on profit over a manual system, it is a viable solution for business. Diversity requires more people to operate, maintain and develop systems, and it increases security. Sure it is more expensive, but it does make the IT sector rich. In some ways these virus writers are doing us all a favour, but hey it remains illegal in most countries. Though this goes some way to explain why IT on the whole tends to give a degree of freedom to the writers, and the number of IT vigilantes is not great, in fact there is probably more of a dislike about animated gifs than there is viruses :)
@ Mr B
Because you are honest perhaps?
Yes I know, just like common sense and altruism. Honesty is very rare these days.
In the Pursuit of Excellence ...
"Yes I know, just like common sense and altruism. Honesty is very rare these days."
And all three found together in the one package, adnim, makes for a priceless purchase.
Aren't there universities to be contacted, to let the students have a competition? Perhaps he could share his knowledge with some of the tutors? Actually use his skills to train students to become security experts? Oh, I forgot: he probably isn't part of the solution that _prevents_ these sorts of mayhem, he earns a living cleaning up.
"I would suggest that the banks and payment gateway services all invest in diverse technologies, requiring the users to download software that is bullet proof to enable transactions."
Interesting idea, it would probably improve security, but I think you would also lose
most of the benefits of online banking. My first objection is that the software would probably only be available for one operating system (read microshaft windoze). Also, you'd probably only be able to access your online bank/payment service from your own computer -- even if you were allowed to install the software from your bank at work, chances are there'd be a firewall blocking your banks protocol. Finally, any software more complex than "hello world" is extremely unlikely to be truly bullet proof.
Yeah, it's a good idea (for the security pros)
They're gonna get a sh*tload of code, for free. It's not just the winning entry they're gonna be able to dissect and figure out, but *every* entry they receive.
especially amongst hackers ;o)