Slashdot Mirror


Jamie Oliver's Website Serving Malware

jones_supa writes: While routinely checking the latest exploited websites, Malwarebytes came across a strange infection pattern that seemed to start from the official site of British chef Jamie Oliver. Contrary to most web-borne exploits we see lately, this one was not the result of malicious advertising but rather carefully placed malicious JavaScript injection in the site itself. This, in turn, has been used to serve visitors a delicious meal consisting of an exploit kit downloading the Dorkbot trojan. Malwarebytes has contacted the administrators immediately upon discovery of this infection.

  1. Re:Web site gets hacked... by hcs_$reboot · · Score: 2

    While, always, 11, ... ?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  2. Re:Is javascript dangerous? by hcs_$reboot · · Score: 2

    Javascript is not dangerous in itself. Function (API) access is very limited (in a browser where the JS engine is not compromised), and JS cannot directly impact your disk (or only slightly: cookies, swap, ...) or other programs (maybe DoS to some extent). However, being able to change some JS in a page makes you able to change the site's behavior. And, for example, when it comes to downloading something initially safe, from a supposedly well-known safe website, the bad JS may have you download something dangerous. Or steal a session cookie that lets the attacker log in to the site on your behalf, or have you perform some administrative tasks on your behalf, etc. But the real difficulty for the attacker is to inject some JS into a page in the first place. This is (usually) not easy!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  3. Re:one word: Barbecoa by hcs_$reboot · · Score: 3

    yes I am bitter because at 36 I applied and was told I was too old for *any* position within Jamies Italian Kitchen.

    Cooks read Slashdot, that's good news!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  4. Re:one word: Barbecoa by hcs_$reboot · · Score: 2, Informative

    That should be familiar to any Oliver fans and hardcore critics alike. For those in neither camp, Barbecoa was Oliver's butchery that was shut down last June after receiving an "A Hazardous" rating from the Food Standards Agency following complaints of food poisoning from several of his restaurants that also received poor FSA ratings for general hygiene. Oliver was also fined £17,000 over this scandal, consisting of just one specimen charge of violating the Food Safety Act, which is pretty fucking disgusting after his ironically calling the US fast food industry out for unsafe kitchen practices. He should have been shut down altogether. Oh, semi-insider info: I have it on very good authority that his restaurants have a higher staff turnover than practically every other sector. They are hellish places to work in. Certainly not worth the wage slavery. The management expect new staff to already know how it all works (in Oliver's eclectic kitchen system!?), training is not only nonexistent it's an inside joke that "training" is a curse word. Most of his staff are school leavers. The only ones over the age of 18 are upper management.

    [ citation needed ]

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  5. Re:one word: Barbecoa by Nikademus · · Score: 2

    That should be familiar to any Oliver fans and hardcore critics alike. For those in neither camp, Barbecoa was Oliver's butchery that was shut down last June after receiving an "A Hazardous" rating from the Food Standards Agency following complaints of food poisoning from several of his restaurants that also received poor FSA ratings for general hygiene. Oliver was also fined £17,000 over this scandal, consisting of just one specimen charge of violating the Food Safety Act, which is pretty fucking disgusting after his ironically calling the US fast food industry out for unsafe kitchen practices. He should have been shut down altogether. Oh, semi-insider info: I have it on very good authority that his restaurants have a higher staff turnover than practically every other sector. They are hellish places to work in. Certainly not worth the wage slavery. The management expect new staff to already know how it all works (in Oliver's eclectic kitchen system!?), training is not only nonexistent it's an inside joke that "training" is a curse word. Most of his staff are school leavers. The only ones over the age of 18 are upper management.

    [ citation needed ]

    http://www.dailymail.co.uk/new...

    --
    I gave up with the idea of an useful sig...
  6. Worm:Win32/Dorkbot.A Description .. by lippydude · · Score: 3, Informative

    "Once executed, Worm:Win32/Dorkbot.A .. modifies the certain registry entry to execute the malicious file every time Windows is started" ref

    1. Re:Worm:Win32/Dorkbot.A Description .. by ArcadeMan · · Score: 4, Funny

      Once executed, Worm:Win32/Dorkbot.A .. modifies the certain registry entry to execute the malicious file every time Windows is started"

      Great, no support for Mac and Linux. Again.

  7. Re:Is javascript dangerous? by Dahamma · · Score: 2

    Shouldn't be up to the Javascript website developers to make sure it's safe (OBVIOUSLY!)

    It's up to those implementing the browsers with Javascript engines. It should be no more dangerous than any basic HTML if they got the security right.

  8. Re:Is javascript dangerous? by Dahamma · · Score: 4, Informative

    Your post is a hot mess.

    So, you want Javascript to be secure, but not allow the user downloading it to be able to see what they are running? Do you even understand how Javascript works in a browser beyond "hitting F12?" For the love of WTF, they are not "seeing the Javascript on your site", you are letting them DOWNLOAD the Javascript to their computer and then run it.

    How, precisely, do you expect an interpreted text file to be hidden from a web browser that downloads and executes an interpreted text file? And more importantly, WHY would a browser want to let you do that, unless to obscure what you are trying to run on a user's computer?!?

    The sum total of Javascript exploits is a browser that allows Javascript exploits. If they were implemented correctly there would be no problem.

  9. Re:Web site gets hacked... by mjwx · · Score: 3, Funny

    Why, always, 11, ... ?

    Because most ordinary news goes to 10, our news goes to 11.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  10. Re:Is javascript dangerous? by hcs_$reboot · · Score: 4, Informative

    Oh and I even have a car analogy: the GPS guidance system [JS] in your car [OS] does not have much power - it cannot directly impact your speed, wheel direction, brakes, etc... However, if someone happens to inject some code into your GPS, and have it give wrong directions, your car is still not directly impacted by that hacking. However, the system may change your itinerary and guide you to a dangerous place you were not supposed to go if the GPS worked normally.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  11. Re:Is javascript dangerous? by DarkTempes · · Score: 5, Informative

    Browser Javascript is already limited in what it can do and access.

    And in this case even if you had NoScript installed (which is different from turning Javascript off entirely in your browser) and the main Jamie Oliver website whitelisted you'd still have been protected because what the JS was doing was creating an iframe to another site and loading Flash/Silverlight/Java exploits inside of that.

    And note that even with a compromised site where they were able to inject their own JS that they still had to rely on Flash/Silverlight/Java rather than just Javascript to download and run the trojan.
    So to answer your question: No, Javascript isn't really dangerous. Poorly written browser plugins are.
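
Added example, not part of the comment above or of the original thread: the iframe-to-another-site step described there is what a site's own Content-Security-Policy frame restrictions act on. This sketch evaluates a simplified subset of CSP source matching; the host names and the policy are constructed for illustration.

```javascript
// Added example (not from the thread): would a CSP have blocked the frame?
// Simplified source matching: 'self', 'none', *, scheme sources, and host
// sources with an optional scheme and leading "*." (ports/paths not handled).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  const web = ['http:', 'https:'].includes(url.protocol);
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return web;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // 'none', nonces, hashes etc. never match a frame URL
  const [, scheme, wildcard, host] = m;
  if (scheme ? url.protocol !== scheme + ':' : !web) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function frameAllowed(policy, pageUrl, frameUrl) {
  const page = new URL(pageUrl);
  const frame = new URL(frameUrl, page); // resolves relative frame URLs
  const directives = parseCsp(policy);
  // Frames are governed by frame-src, then child-src, then default-src.
  const name = ['frame-src', 'child-src', 'default-src']
    .find((d) => directives.has(d));
  if (!name) return true; // nothing restricts frames, so the iframe loads
  return directives.get(name).some((s) => sourceMatches(s, frame, page.origin));
}

// Constructed hosts: www.example.test is the site, exploit-host.example is
// the off-site landing page an injected script would frame.
const PAGE = 'https://www.example.test/recipes';
const INJECTED = 'https://exploit-host.example/landing';
const POLICY = "default-src 'self'; frame-src 'self' https://video.example.test";
console.log(frameAllowed('', PAGE, INJECTED));                  // no CSP at all
console.log(frameAllowed("script-src 'self'", PAGE, INJECTED)); // frames unrestricted
console.log(frameAllowed(POLICY, PAGE, INJECTED));              // blocked
```

A header like this only helps while the attacker can alter page content but not the response headers the server sends.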

  12. Link (very odd criticisms, too) by bradley13 · · Score: 4, Interesting

    Jamie Oliver's butcher's forced to close after hygiene inspection

    Key bits from the article: "the score for the January 8 inspection is listed as of 1 out of five with the comment: 'major improvement necessary'." and "one of only 19 out of 1,659 food outlets in the City to receive an 'A hazardous' rating".

    This sounds pretty damning and pretty embarrassing. That said, there are some odd things. One of the complaints was mold on aging beef, but - depending on what you are doing - mold is part-and-parcel of the process (and the butchery claims that this was the case). Another funny point: the butchery voluntarily closed following the inspection to fix the issues mentioned. It reopened "several hours" later. If the issues could be fixed in a few hours, they were pretty much cosmetic problems.

    So what to think? I figure it's 50/50 whether there were real problems, or whether this was a politically motivated inspection. Or maybe the inspector didn't get his free steak.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Link (very odd criticisms, too) by Anonymous Coward · · Score: 2, Interesting

      Oliver has pissed off a lot of people in the processed food industry both sides of the Atlantic.

      The butchery voluntarily closed down for less than 24 hours before it was given the all clear again. But that doesn't stop the processed food industry shill and celeb-hating people dragging the same thing up to discredit the man.

      It doesn't matter whether you like the cockney twat or not, the shit served in schools is disgraceful and the 35p budget per kid is terrible, especially when the same dinner is charged out at £1.75 to the parents that don't get benefits or have kids above year 2 for the exact same fucking food.

  13. Re:Is javascript dangerous? by IamTheRealMike · · Score: 4, Insightful

    So to answer your question: No, Javascript isn't really dangerous. Poorly written browser plugins are.

    No, what's dangerous is software that doesn't silently auto update.

    JavaScript vs Java vs ActionScript is largely irrelevant. Web browsers routinely ship fixes for dozens of JS sandbox escapes in every update they release. Web sandboxes aren't made of magic that is unavailable to other technologies. The reason most exploit kits still target Flash and Java is that modern web browsers keep themselves up to date a lot more aggressively than those plugins do/did - typically not asking for permission any more. If you dig in you'll usually find these exploit kits are exploiting bugs that were found and patched years ago. But they still work because some non-trivial fraction of the userbase always dismisses auto update requests.

    In case you don't believe me, consider that in 2014 Java had no zero day exploits at all. But some people are still vulnerable to bugs from 2012. The ask forgiveness not permission auto update policy was pioneered by Google and unfortunately took a long time to become accepted as the standard due to the old mindset, especially amongst tech geeks, of "my computer is my castle".

  14. Re:Web site gets hacked... by tburkhol · · Score: 3, Informative

    Why, always, 11, ... ?

    In the US, the traditional time for networks to show their nightly news is 11pm, after the 'prime time' entertainment and kids have gone to bed. Any unsold prime-time commercial slots are filled with teasers for these news programs, generally of the form "Shocking ways that Foo can kill you! Details at 11," or "Weird tricks to save you money! News at 11."

  15. citation *not* needed by QuasiSteve · · Score: 3, Informative

    [citation not needed]

    The citation isn't needed not because that rant-with-a-personal-slant didn't require citation, but because it's off-topic. I'm not sure how his comment got modded 'Informative' - unless this is not Slashdot, but Buzzfeed, or Us magazine or some other gossip rag.

    Without defending whatever nastiness went on in his restaurants, how does that relate to malware being on a website? It's highly unlikely that he personally oversees the restaurants, and even less likely that he personally oversees the website. At best one can fault him for having certain ideas about how to run things, that in turn lead to both restaurateurs and webmasters cutting corners and dropping the ball.

    What's next? A report comes out about Forbes being hacked ( http://www.forbes.com/sites/th... ) and we point out how they let an article that was then vastly criticized by its subject ( The Oatmeal - http://theoatmeal.com/blog/tes... ) through as some sort of 'goes to character and general reputation'?

  16. Re:one word: Barbecoa by guises · · Score: 3, Informative

    Actually, no it isn't illegal. Not in the US at least, though Jamies Italian Kitchen is probably in the UK.

    People over forty are a protected class in the US, and can't be legally discriminated against (there are exceptions to this, like the military). But a thirty six year old person can be openly discriminated against without legal repercussion.

  17. Re:Better Than His Usual Slop by Ol+Olsoc · · Score: 2

    That's a good one! ;-)

    I am a French chef from France and it dates back to around 1500; we used to say that all an English chef could cook was oxtail and the like.

    Since we're here in the offensive zone.......

    In an ideal world ...

    the policemen would be English

    the car mechanics would be German

    the cooks would be French

    the innkeepers would be Swiss,

    and the lovers would be Italian

    In a living hell ... the policemen would be German

    the car mechanics would be French

    the cooks would be English

    the innkeepers would be Italian

    and the lovers would be Swiss

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  18. Re:Is javascript dangerous? by phorm · · Score: 2

    " you are letting them DOWNLOAD the Javascript to their computer and then run it"

    In a simple form, yes. Sometimes, however, that involves a rats-nest of includes, "minified" files (all whitespace stripped, sometimes variables stripped of any useful naming as well), etc.

    It wouldn't be hidden from the browser, but obscuring Javascript isn't exactly hard, and "exploit" could just mean something that's a useful situation in situation X but bad in situation Y (accessing a microphone/camera, for instance).

  19. Re:The modern web runs on javascript by sexconker · · Score: 2

    It's a fucking recipe for a pork roast.

    It doesn't need to be anything more than HTML and images.

    What if I want to convert to/from metric units? With Javascript I can click a button and have the page change all the values. Without Javascript I'd have to click a link instead!

    What if I want to adjust the number of servings? With Javascript I can type in a value for servings and have the page tell me I need 2 and a half eggs. Without Javascript I'd have to type in a value and then hit the Enter key or click a Submit button!

    What if I want to read user comments about the recipe? With Javascript, I can click a "Show Comments" "link" and just wait for the page to load comments. Without Javascript I'd have to click a "Show Comments" link and wait for the page to load comments!

    What if I want to rate the recipe? With Javascript, I can give it a thumbs up or thumbs down, or give it 3.5/5 stars or little chef hats or whatever cutesy icon they want. Without Javascript, I'd have to click a button or use a drop down!