funsec mailing list archives

RE: Is this a hoax?


From: Blanchard_Michael () emc com
Date: Thu, 28 Jun 2007 16:51:48 -0400

 
Yup, XSS certainly had to get old to some of them....

 This part of the article had me thinking it is a hoax...

"In Check Point's case, CSRF was possible when a user was logged onto
 https://my.firewall at the same time he or she was connected to a 
malicious Website, according to the company's patch release information."

  Now, this piece sounds ok, but the word "patch" is a link over to:

http://koti.mbnet.fi/wdd/dickcurless.jpg

  interesting :-) 

Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management 
EMC² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 


-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Thursday, June 28, 2007 4:39 PM
To: Blanchard, Michael (InfoSec)
Cc: funsec () linuxbox org
Subject: Re: [funsec] Is this a hoax?

On Thu, 28 Jun 2007 15:57:21 EDT, Blanchard_Michael () emc com said:
> Sure seems like a hoax or other baddie to me.

Looks more like a wake-up call to me.  Another DarkReading link:

http://www.darkreading.com/document.asp?doc_id=126560

"The most famous CSRF attack was the Samy worm that crippled MySpace last year.
The attacker used a toxic combination of XSS and CSRF exploits to wreak havoc
on the social networking site."

I can't comment on whether this *current* one is for real, but the concept that
"they got bored with XSS and went looking for CSRF" certainly strikes me as
a *plausible* event.  

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

