Re: Apple IOS security issue pre-advisory record

[Dave <mrx () propergander org uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/03/2012 05:44, Valdis.Kletnieks () vt edu wrote:
> On Sat, 24 Mar 2012 00:52:45 -0000, Dave said:
> > I am not an expert so please, for my education, correct me if I am wrong.
> > Is it not so much the request, but what the request is made with?
>
> It's a pretty safe bet that most of the 300 clicky-clicky types did *not* use
> wget to test what it was.
>
> > Would not requesting with wget mitigate any attack?
>
> Well, assuming that the perpetrator doesn't have a 0-day for wget. ;)
>
> > The source of the page and any scripts called by the page should be enough to
> > ascertain whether the page is malicious or not.
>
> "should" is the operative term.  But that only works if the miscreant is lazy
> enough to point their link directly at the malicious content.  If they're
> smart, they'll point at a page that looks legit, but loads Javascript from some
> 3rd party that loads more Javascript from a 4th party that that loads more crud
> from a server you've pwned. I've hit pages on mainstream websites with noscript
> enabled, and had 25+ different sites' Javascript blocked, and as you enable
> sites you just get *more* sites in the list.
>
> I just hit http://www.msnbc.msn.com, and NoScript blocked something from
> 2011.wimbleton.com. Malicious? Out of date?  What *other* domains will that
> site end up loading *more* crud from?  Who knows?
>
> Trying to sort this type of stuff out is part of the reason why drive-by pwning
> is so common - the fact that the page came from someplace reasonably trustable
> like the BBC or similar tells you *nothing* about where alll the content on the
> page came from.

Pretty much as I thought. I investigate some, (when not too busy) of the links in the unsolicited mails I receive and 
concur with what you have
written here. I always browse with NoScript/adblock/cookie monster/Ref control enabled regardless of whether I think I 
can trust the site or
not. I learned a long time ago to ditch Outlook/IE and only view email in plain text.

I am curious and I do like to play with malware on a VM. I am also a novice, so perhaps I am over cautious. Then again, 
I think there is no such
thing as over cautious when a great deal of the miscreants trying to own systems or phish for credentials are more 
knowledgeable than I.

I just wish I had more time to study and research.

Doesn't the the -e, robots=off, --page-requisites and -H wget directives enable one to collect all the necessary files 
that are called from a page?

Cheers
Dave



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBT22haLIvn8UFHWSmAQK0+Qf/ZnrC052vEWDlHGMT3bDt8RJiiGlVd7E1
IwnzmlnI549Ojw89vwxkcKsZDlMLmcEJ13peVfLYpanKEyau/3BW3zx/3ulfhvli
ab0EdJfj0I3vlrEZgXLY7jmNOiJ50Fkm7IwC/9CjR7LSGFC5o9K9OWojc1gb6eN3
04wXMM588SX8njiSGx4Mtc+/VVNif1Jskkfgl58CvcA8DmFA3fyPMx7DtgxeiY08
XoEK6xJ41mQ9shFjkIkbeFGhHtWjunbQmcgGJixFcsBQvJrZF418XhRp7hAqdEhw
BnQj2T4BixTdzHJzIeWEsn8nPId1n8V4hH3jW+h//+ev6U21+KCgpw==
=DLjT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/