Category: web

Dec 21 2015

Google considers following Mozilla, Microsoft, and dropping SHA-1 certificates early

Last month Microsoft said that it was considering ending support for TLS and SSL certificates that used the SHA-1 hashing algorithm, after Mozilla previously described a plan to do the same. Google is now thinking about joining those two companies and ending Chrome's support for SHA-1 certificates in the middle of next year too.

The underlying problem is that it has become too cost-effective to create forged certificates that use the SHA-1 hashing algorithm. As computers get faster, the cost of creating a fraudulent certificate goes down. Based on 2012 estimates, it was expected that criminals would be able to readily create such certificates by 2018. This declining cost led all three browser vendors to plan to end supporting any SHA-1 certificates issued after January 1, 2016, and all SHA-1 certificates after January 1, 2017.

Newer estimates have brought the cost of certificate fraud down further still. Through the use of cloud services such as Amazon's EC2, the compute power to create bogus SHA-1 certificates both costs less and is more accessible, such that SHA-1 certificates are arguably unsafe already. This led to reconsideration of the 2017 timetable. Mozilla and Microsoft are now contemplating bringing that January 1, 2017 date forward, to July 1, 2016, as long as the impact in-the-wild is not too serious.

Read 2 remaining paragraphs | Comments

Feb 28 2013

Exploit lets websites bombard visitors’ PCs with gigabytes of data

A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.

As its name suggests, loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site. manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.

Read 3 remaining paragraphs | Comments

May 26 2011

Blackhat SEO poisoning topping the charts

With the wealth of information we have published concerning blackhat search engine optimisation (SEO), hopefully the bulk of Naked Security readers are more than familiar with the perils of searching for what may be considered ‘hot’ keywords. (* For a quick background on SEO, and how it is used by malware authors, see the quick guide at the foot of this post!)

Yes, that’s right readers. Anyone keen to find leaked videos of Miley Cyrus, pictures of Jennifer Lopez or Kim Kardashian or investigate ‘if Justin Bieber really is black’ is just asking for trouble. (Actual search terms extracted from data received whilst writing this post.)

As we revealed last year, it is straightforward for the bad guys to keep up with hot, trending items, thanks to services such as Google Trends. However, it is important to remember that this is not the end of the story. SEO poisoning is not limited to just the hot or risque topics.

Back in October 2009, we wrote about how the attackers were using topics of an educational theme, designed to trap students and teachers searching for information and resources. These very same subtle tactics are still working today.

As it happens, our own product line has reached the heady heights of being SEO-worthy.

Yesterday afternoon I noticed a poisoned term which made me chuckle. Incoming data revealed a Mal/SEORed-A detection on an SEO pages constructed by one of the recent kits we have been tracking. Looking at the URL reveals the topic the user was searching for:


The ‘WS1000 appliance’ search term refers to one of the Sophos web appliance (SWA) models! So a user searching for information on our web appliances was thankfully sitting behind one of them, enabling us to thwart the attack by blocking the initial redirect as Mal/SEORed-A. Were they not already a Sophos customer, they would have been subjected to the usual scareware onslaught, courtesy of a redirect to:


Irony aside, this simply reflects how effective blackhat SEO attacks actually are. This is evident from the chart below which summarises the top malware detections we have blocked on our customer web appliances (May 20th – May 25th). As you can see, blackhat SEO accounts for over 30% of all detections.

So what can users do to protect themselves? Clearly, being sensible or careful with what you search for is no use.

  • Users need to take care to review the links provided by the search engines, and think before they click.
  • Ensure the filtering options provided by your chosen search engine are enabled.
  • Most importantly, ensure you have layered protection in place, with effective content scanning and URL filtering focused on blocking such attacks at multiple levels.

Of course, there are other tricks and tools users may use (for example, browser plug-ins that mask the HTTP referrer), but the above tips provide some simple, common sense measures to help ensure your networks are better defended against SEO driven attacks.

* Quick guide to Search Engine Optimisation

Blackhat search engine optimisation (SEO) techniques describe the process by which individuals trick the search engines into ranking one of their malicious web pages high up in the search engine result listings.

These techniques have been used aggressively by malware authors because they provide a very effective way of controlling user web traffic:

  • use a kit to create the keyword-rich web SEO pages on popular topics
  • search engine bots then index these pages
  • users searching for these topics end up with links to the rogue SEO pages high up in the search engine results
  • user clicks on one of the rogue links
  • the SEO kit immediately redirects the user to the malicious web site

For more details, take a look at the technical paper we published last year.

Alternatively, you can watch a YouTube video illustrating an SEO attack in action:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)