Hacking the Internet user:Malicious mobile code

• Java basic security: (a) strong typing enforced at compile and execution time, (b) built in JVM bytecode verifier controls memory space (buffer overflows are difficult to happen), (c) no memory pointers (making difficult to insert commands in running code), (d) security manager (control access to computer resources), and (e) code signing similar to Authenticode. Recommendations: update and use security zones.

• JavaScript: most frequently used client-side scripting. MS executes JavaScript using Active Scripting. Again use security zones to restrict the use of JavaScript.

• Beware of the “cookie monster”: cookies can be per session or persistent.

  • Settings in Firefox and Internet Explorer .(IE 7 )
  • Cookie sniffing: capturing cookies using packet sniffing tools (SpyNet/PeepNet).
  • Countermeasures: Cookie cutters, Firefox and IE cookie controls.

• IE HTML frame vulnerabilities. The IE's cross-domain security model (a domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot).

  • IFRAME ExecCommand: iframe is a IE tag to create a floating frame on the middle of a nonframed page. A hacker wrote a JavaScript to read a local file.
  • Countermeasure in IE: Tools, security, disable Navigate sub-frames across different domains.

Previous slide

Next slide

Back to first slide

View graphic version