HTML5 is good at replacing Flash and Java, but it's not that secure
April 27, 2012
In fact, during a presentation at the B-Sides Conference in London this week, Robert McArdle, a senior internet security researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks.
The new features in HTML5, from WebSockets to cross-origin requests, could send tremors through the information security community and turn the likes of Internet Explorer, Chrome, Firefox and even Opera into complete cybercrime toolkits.
And creating multiple botnets by luring users into visiting a malicious web page, as opposed to having them open up a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
And then of course, you have HTTP-based attacks that pass easily through most routers and firewalls. Additional threats involve social engineering using HTML5's easily customizable pop-ups that appear outside the browser to fool users into believing the specific wording on an alert box.
And to make matters even worse, more convincing phishing attacks can be created using the technique, McArdle said.
"But make no mistake: the good elements in HTML5 still outweigh the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5, but nonetheless it's good to think ahead and develop defences since attacks will most likely happen one day."
Web developers should make sure that their sites aren't vulnerable to Cross-Origin Resource Sharing (CORS), cross-domain messaging or local storage attacks, McArdle advises. Utilities such as NoScript can also help users.
More details on HTML5 attack scenarios and possible defences can be found on html5security.org, a website devoted to better and improved internet security as it relates specifically to HTML5 technology.
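As an added illustration of the advice above (not code from the article or from Trend Micro), the following shows the two checks a site needs for cross-domain messaging and CORS: an exact-match origin allowlist, a postMessage receiver that verifies the sender's origin before trusting the payload, and a CORS header builder that never reflects arbitrary origins. The origins in the allowlist and the message type are assumed sample values.

```javascript
// Assumed allowlist: the site itself plus one approved partner that embeds it.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://partner.example.net',
]);

// Exact-match check on the full origin (scheme://host[:port]). Prefix or
// substring matching is the classic mistake: a startsWith() test would also
// accept https://app.example.com.attacker-controlled.test.
function isTrustedOrigin(origin) {
  return typeof origin === 'string' && TRUSTED_ORIGINS.has(origin);
}

// postMessage receiver: reject untrusted senders first, then validate the
// payload shape before acting on it. Returns the accepted command or null.
// event is the MessageEvent-like object { origin, data }.
function handleCrossDocumentMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;          // untrusted sender
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') return null;
  if (msg.type === 'setTheme' && ['light', 'dark'].includes(msg.value)) {
    return { action: 'setTheme', value: msg.value };       // only known, bounded values
  }
  return null;                                               // unknown message type
}

// CORS: build the response headers for a request's Origin header. With no
// CORS headers the browser blocks the cross-origin read, which is the safe
// default. Never echo an unknown origin and never pair '*' with credentials.
function corsHeadersFor(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',   // stops a shared cache from serving one origin's header to another
  };
}

// Wire the receiver into a real page when running in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const cmd = handleCrossDocumentMessage(event);
    if (cmd) document.documentElement.dataset.theme = cmd.value;
  });
}
```

The same exact-match rule applies to the second argument of postMessage on the sending side: pass the intended target origin, not '*'.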
In other internet security news
Two suspected Taiwanese drug smugglers have now been accused of an even more ambitious plot, this time to smuggle serious military technology, including no less than a U.S. drone out of the country and into China.
Hui Sheng Shen and Huan Ling Chang, who have both been in custody since February for allegedly smuggling methamphetamine into the U.S., will be formally charged with conspiracy to violate the Arms Export Control Act, according to an AP report.
The two were caught in an undercover FBI sting which captured them on tape claiming that their clients in the Chinese government were keen on acquiring U.S. drones as well as stealth technology, anti-aircraft systems and even an E-2 Hawkeye early warning aircraft.
The two suspects reportedly ignored the undercover agents' repeated warnings that they did not want to profit from any equipment that would harm U.S. interests, with Shen saying, "I think that all items would hurt America."
"The people we met, they come from Beijing. They work for the Chinese government, some kind of intelligence company for the government, a bit like the C.I.A. I guess," Shen reportedly told the agents. "They are spies."
Shen also boasted that he could use scuba divers to transport parts of the equipment underwater from the Port Newark-Elizabeth Marine Terminal to a ship waiting offshore, a technique similar to the one he allegedly used to smuggle drugs.
The two individuals had been under surveillance for a whole year and then were subsequently arrested a couple of months back for a rather less headline-grabbing investigation into counterfeit 'UGG' boots being smuggled into New Jersey.
The news will be of minor embarrassment to the Chinese authorities given that, as usual, there is apparently no concrete proof of official involvement in the plot.
But it does come just a few days after a Pentagon report accused the People’s Republic of China of “economic espionage” facilitated by widespread hacking and designed to accelerate the development of its military and space technology.
For its part, China strongly denied the allegations in the report, which claimed to have identified no less than 26 separate occasions since 2006 on which China tried to obtain space launch data and sensitive information on U.S. cruise missiles and other critical military equipment.
In other internet security news
For the second time in less than two months, hundreds of thousands of web sites have been hit by an unexplained outage at DNS services provider ZoneEdit, with users seeing five to six full days of downtime for their email and web infrastructure.
While the 603,000 customer domains ZoneEdit looks after were all apparently still resolving during the outage, users were unable to log into their accounts to make updates to their zones since last Friday.
"I have a static IP being changed by my service provider this week," one loyal customer blogged. "With only two days left before the change and potentially 500 to 1000 users being affected, I am left with very tough choices.
"I will give ZoneEdit until tomorrow morning before I find an alternative service or host the DNS myself."
Two days ago, the company's website went offline completely, again without explanation. This morning, however, the site returned and users reported that they could once again log in and use their services.
ZoneEdit, which is owned by the domain name registrar Dotster, has provided updates on Twitter, albeit only once or twice a day and without any insight into what the problem is or how long it will take to resolve.
In its most recent tweet, it states: "We understand the seriousness of this issue and its effect on you. We are truly sorry. We have every person possible working to resolve it, and as fast as possible."
Even with the problem apparently resolved, customers still do not know what happened. Users have also predictably taken to Twitter to vent their frustration, not only regarding the downtime but also about the lack of communication from the company.
Some have even speculated that the website may have been the victim of an outside attack, such as a DoS (denial of service) attack.
ZoneEdit has been providing low-cost DNS resolution services since 2000. According to HosterStats, 150,000 domain names use its DNS to make their websites and email work.
The company did not respond to a request for comment. It's not the first time ZoneEdit has had such issues. About seven weeks ago, ZoneEdit was hit with a similar DoS attack that crippled its DNS services for a number of hours and rendered 500 to 600 websites unavailable.
In other internet security news
Internet hijacking and pirating today isn't just a threat to your bank account or personal computer; it's a serious problem of national security, says Congress, and now it wants to take immediate action while it still can.
To be sure, spies from other countries and organized criminals are already inside of virtually every U.S. company's network, and some firms don't even know about it. The U.S. government's top cybersecurity advisors widely agree that cyber criminals and internet terrorists already have the capability to take down the country's critical financial, energy and communications infrastructure.
"The reality is that our current infrastructure is being colonized, whether we like it or not" says Tom Kellerman, former commissioner of President Obama's cyber security council.
"Worse, is the fact that governments no longer have a monopoly on this capability, and that's really the frightening element here. There is code out there that puts it in anyone's hands," added Kellerman.
Using the web to take over our infrastructure, turn off our electricity or release dangerous toxins would amount to a full-fledged war against the country or countries who initiated such an action.
Much of America's critical infrastructure is currently owned by businesses. Gaining intelligence on cyber threats, both in advance and after an attack has been launched, requires strong cooperation from companies and, often, from private individuals.
That's why Congress is taking up as many as six different new cyber bills this week that deal with that issue: improving the overall security of our core infrastructure without infringing on the privacy of corporations and the people who work in those companies. And it won't be easy, since we all know how sensitive a subject privacy is in the U.S.
There are some key differences between the bills, and lawmakers are furiously trying to merge them together. The bill most policy analysts are focused on right now, and the likeliest to pass, is the Cyber Intelligence Sharing and Protection Act (CISPA), introduced by Representative Mike Rogers, chairman of the House Intelligence Committee.
It passed his committee with strong bipartisan support (a 17-1 vote) in December 2011, and it has more than 100 co-sponsors on both sides of the aisle.
At the bill's core are direct incentives for private businesses that control core, critical infrastructure, particularly in the finance and energy sectors. Those businesses would receive some compelling tax breaks if they share related data with one another and the U.S. government about potential attacks.
To be specific, there are rules that would force them to strip out any non-crucial information from customers or business partners. A rival Senate bill, sponsored by Senator Joseph Lieberman, would instead mandate information sharing through government regulation.
Not surprisingly, that bill is also supported by President Barack Obama, but most speakers at the conference thought it had little chance of passing, nevertheless.
Critics have attacked all six bills both for being too lenient on privacy and for being too rigorous at the same time. The bills have been blasted by both civil liberties organizations, and, interestingly, those in the intelligence community.
"All six bills on the Hill are grossly insufficient," said Mike McConnell, formerly President Bush's national intelligence director. "We say we don't want to infringe on privacy rights or burden industry in any way, so the result is we don't do anything."
At a corporate security conference in March, FBI Director Robert Mueller warned attendees: "There are only two types of companies: those that have already been hacked, and those that will be soon."
McConnell thinks it will take a "catastrophic event" to force changes. "We are incredibly vulnerable," he said. "If we don't make our policy makers think about this seriously, we'll be dealing with something like 9/11."
Other countries and organized crime have more and better intelligence on U.S. citizens and businesses than the U.S. government itself does, in McConnell's view. That's a major policy dilemma, and something that all U.S. citizens should take very seriously.
Privacy advocates like the American Civil Liberties Union counter that the Rogers bill would kick off a free-for-all in sharing of customer records. The bill would "create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government," the ACLU wrote in a December letter to Rogers and others in Congress.
Source: B-Sides Conference.