Slashdot Mirror


JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

1 of 169 comments

  1. Javascript = One really bad idea by vtcodger · · Score: 0, Troll
    ***Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'" ***

    Look folks, this isn't rocket science. Given the current state of Computer Technology, downloading obscure programs from a remote source outside your control and running them can't possibly be a good idea. It may occasionally be necessary, but it's something that should be done as rarely as possible. If you don't even know the programs are there because they are buried in web pages, that just exacerbates the problem.

    The answer: Turn off Javascript, and let the web site designers find some other way to entertain themselves. Forcing web sites to use HTML and server side scripting may limit their style and the coolness of your user experience, but if you want your computer(s) and network to be somewhat secure then you better forget Javascript. Personally, I have only one Javascript enabled browser (Firefox) and I try to use it only with sites like Google and a handful of others that I consider to be trustworthy.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey