Cross Site Scripting (XSS) – It’s Bad For Your Financial Health
Internet Rumors Can Be Damaging – Even If Unconfirmed
A woman working at HP sent an email to hundreds of co-workers that a snack made by Osem, one of the largest food manufacturers in Israel and a local subsidiary of Nestle, caused infant death.
This email quickly spread and the result was a 6% drop in Osem’s stock in just a few hours.
The email wasn’t very sophisticated. It wasn’t even remotely true. Still, Osem – one of the largest companies in Israel – had its stock damaged by a completely false email rumor.
Apple’s stock goes down when rumors are circulated that Apple’s CEO Steve Jobs has had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.
Stocks going up or down because of rumors is as old as the invention of the stock market. But the Internet makes it easier to fabricate a rumor and have it reach far and wide within hours. Just add one more component and a stock could be driven deeply into the ground: credibility. For maximum credibility, how about planting a confirming statement on the corporate web site!
How Damaging Could A Confirmed Rumor Be?
Imagine if you saw a news item on the corporate web site www.apple.com that actually confirmed the death of Steve Jobs. Imagine if you saw on Osem’s web site an admittance of guilt that their snack was indeed poisoning infants. What would happen to their stock then?
Here’s the scary part: it is not difficult to do this. Nobody even needs to break in or deface the corporate web site for this to happen. All that is needed are these two things:
1) An unhandled Cross Site Scripting (XSS) vulnerability on the corporate site, and
2) Inclusion of a carefully crafted link to the corporate site, one that takes advantage of the vulnerability, in the alarming email, on a social network page or in a Twitter ‘tweet’
The link in the email will apparently take the alarmed person to the corporate site, but once they ‘arrive’ they will actually see a page that was created by the attacker and which confirms the alarming content. That link contains the XSS attack. When that link is then forwarded, every other person who uses it will also see this faked page. How far and how fast can such a link be spread? See the two examples at the beginning of this article again.
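To make the mechanism concrete, here is an added example (not code from the article or from Beyond Security) that shows a minimal "investor news" page echoing a query parameter without encoding, the same page hardened with output encoding, and a check over web-server access-log lines that flags crafted links of this kind. The host name, the `msg` parameter, the link and the log lines are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Minimal "investor news" page that echoes a query parameter into the body.
TEMPLATE = "<html><body><h1>Investor News</h1><p>{body}</p></body></html>"

def _msg_param(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def render_vulnerable(url: str) -> str:
    """Echoes 'msg' verbatim: any markup carried by the link is rendered
    as part of the trusted page (reflected XSS / content injection)."""
    return TEMPLATE.format(body=_msg_param(url))

def render_hardened(url: str) -> str:
    """Same page with output encoding: tags in the link become visible
    text instead of markup, so the crafted link can no longer plant content."""
    return TEMPLATE.format(body=html.escape(_msg_param(url), quote=True))

# Constructed crafted link (hypothetical host): the query carries an HTML
# fragment, URL-encoded, that the vulnerable page will render as markup.
CRAFTED_LINK = ("https://investors.example.com/news?msg="
                "%3Cb%3EBreaking%3A%3C%2Fb%3E+constructed+fake+news")

# Detection: scan access-log request paths for decoded markup in the query.
SUSPICIOUS = ("<", "javascript:", "onerror=", "onload=")

def flag_requests(log_lines):
    """Return the raw request paths whose decoded query contains tag or
    script-handler markers. Common Log Format assumed: path is field 7."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        path = parts[6]
        if "?" in path and any(s in unquote(path).lower() for s in SUSPICIOUS):
            hits.append(path)
    return hits

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [25/May/2009:10:00:01 +0000] "GET /news?msg=Quarterly+results+published HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/May/2009:10:03:17 +0000] "GET /news?msg=%3Cb%3EBreaking%3A%3C%2Fb%3E+constructed+fake+news HTTP/1.1" 200 540',
    '198.51.100.7 - - [25/May/2009:10:04:02 +0000] "GET /investors/index.html HTTP/1.1" 200 2048',
]
```

Rendering `CRAFTED_LINK` through `render_vulnerable` puts the bold "Breaking:" fragment into the page as real markup, while `render_hardened` shows it as literal text; `flag_requests(LOG_LINES)` returns only the second request path.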
How Hard Is It To Do XSS?
Not hard at all. In fact, we demonstrated a quick proof of concept to the Tel Aviv Stock Exchange (TASE) a few years ago, planting a false news item using a cross site scripting attack. The reaction from TASE was familiar to any computer security expert who has ever reported an XSS vulnerability: “This is not really a problem as there was no change to any page on our site”. For something that is “not a problem” they sure fixed it within the hour, though.
We’ve experienced this same response almost every time our vulnerability scanning service (see http://www.beyondsecurity.com/vulnerability-scanner.html) finds an XSS vulnerability in a Fortune 500 corporate or government site. We are often asked to explain why the report presents it as a serious issue. Using cross site scripting we have demonstrated planting false financial reports in the ‘investors’ section and altering news items, and in almost all cases we have been met with the reaction: “this is not a real vulnerability” and “how can this really affect me?”
Who’s Damaged By A Cross Site Scripting Attack?
Most security researchers opt to explain XSS as an attack that steals cookies from site visitors. The damaged party in this case is ‘just’ the web site visitor who loses his account and any funds that may be connected to it (setting aside how attackers may take that stolen account and use further exploits to escalate permissions until they end up owning your server!).
While loss to the site visitor is a likely outcome, I think there’s a greater risk in the alteration of information on a ‘trusted’ page, which could be useful in a phishing attack or, like the examples above, in an attack intended to drive down a stock that the attacker had sold short.
I’m waiting for the first XSS attack that will tank a big company’s stock after it has been sold short by the attacker. If you are responsible for the security of your site, make sure your company won’t be the one.
Mr. Jenik has 17 years of experience in the Computer Security field. From the early days of computer viruses he was involved in the fields of encryption, security vulnerability detection and research. He worked in development, marketing and sales roles in several startups, and had 2 successful exits before co-founding Beyond Security in 1999. Aviram has a BSc in Computer Science with a major in cryptography and an MBA from T.A. University with majors in strategy and entrepreneurship. Beyond Security www.BeyondSecurity.com Article Source: http://www.articlesbase.com/security-articles/cross-site-scripting-xss-its-bad-for-your-financial-health-886000.html