
Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack



Bil,
I honestly couldn't have put it better myself, sir. You're exactly, 100% completely correct. I run into the same problem - developers simply don't feel like they're going to be the target. Then they learn the hard lesson of the BusinessWeek (I think?) social-network site developers. They get nailed with a SQLi bug that injects malware and passes it out as a drive-by install to anyone "trying to check it out" (it being their new site)... after some bad press the site goes down and they realize that it's not necessarily just credit card numbers that "Bad guys" go after - but it's the publicity (and thus, the clicks) of the site! (in that case they were simply doing adware installs, which is insanely lucrative I hear...).


Preach on.

__
Rafal M. Los
IT Security - Response | Mitigation | Strategy

E-mail:  rafal@xxxxxxxxxxxxxxxx
Direct:  +1 (404) 606-6056
- gPGP:      0xFFC63B33
- Blog:         http://preachsecurity.blogspot.com
- LinkedIn:  http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Bil Corry" <bil@xxxxxxxxx>
Sent: Monday, October 06, 2008 9:15 PM
To: <websecurity@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack


Martin O'Neal wrote on 10/6/2008 11:06 AM:
Many of us aren't sitting on our wobbly corporate arses.  We are
diligently working away to help organisations fix their problems at
source; in the applications.

Rafal's point of becoming "fix it" people was calling out to organizations on a budget, which presumably means those that can't afford the services of Corsaire. Given the magnitude of the number of sites compromised by some recent SQLi attacks, clearly there is a huge gaping hole between "how to exploit" and "how to protect."


Last year, I was in a position where I needed to hire a handful of web developers and as part of my interview process, I asked each one to describe XSS, CSRF, and SQLi and the ways to mitigate them within a webapp. Out of the thirty or so interviewees, only one could describe SQLi, and no one could discuss XSS and CSRF. I got a lot of comments such as, "I've heard of that before, but I'm not sure exactly what it is." I had to shift my original hiring criteria (and expectations) and do training for all the new hires.

Beyond that though is an even more fundamental problem -- many small sites believe they are not a target because they don't store credit card information or other private data. I recently spoke at a webapp dev conference and spent the first 10 minutes discussing why developers should even care about webappsec before I could even get into XSS, CSRF, etc. Clearly there are a lot of resources available for anyone so inclined to learn, but if the small sites don't believe they're a target, then they're not going to pay attention to anything security-related.


- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA






Brought to you by http://www.webappsec.org