In order to hijack a web page and make it distribute malicious content, an attacker usually has to find a vulnerability in the respective web server or in the scripts it runs. As Twitter user @Random_Robbie and Kevin Beaumont [1,4] noticed, sparking an online discussion, this cumbersome process is not always necessary!
This is not necessarily a security issue. But in this specific case the link was not simply broken but referenced a file in an Amazon S3 bucket that had not been registered… yet. All an attacker needs to do is register that bucket and deploy a script file that caters to his or her needs. This is an imminent threat and is not limited to those who use Amazon S3. Likewise, the link might have referenced a yet unregistered domain, posing the exact same risk. Still, relying on S3 makes this a little more delicate. Even if the bucket already existed, chances are you might still be able to exchange its content, as buckets are commonly misconfigured and writable to the public, as has been revealed within the last two weeks [2,3].
Although any kind of web space can be misconfigured, this case of publicly writable buckets is S3-specific. On the other hand, loading content from non-existing sources is obviously a risk in any scenario and not limited to Amazon. What is not obvious, though, is how and why such a scenario arises.
Possible explanations are manifold, ranging from human error to malicious intent. Either way, loading content from locations that one is not in control of is, in my humble opinion, a bad habit that unfortunately evolved to be common practice.
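One way to make the habit described above visible in your own pages is to audit the HTML for scripts and stylesheets that are pulled from hosts you do not control, and to flag the two cases the post singles out: references into Amazon S3 (where a bucket can be unregistered or writable) and references without Subresource Integrity, which is what would stop a swapped file from executing. The script below is an added example, not code from the original post; the sample HTML, the page host `www.example.org` and the bucket names in it are constructed for illustration.

```python
"""Audit an HTML page for scripts and stylesheets served from hosts the page
owner does not control, flagging Amazon S3 references and missing SRI.
Added example; the sample markup and names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_s3_label(label):
    # "s3", "s3-eu-west-1", "s3-website-..." are S3 endpoint labels
    return label == "s3" or label.startswith("s3-")


def s3_bucket(url):
    """Return the bucket name if the URL points at Amazon S3, else None.
    Handles virtual-hosted style (bucket.s3[.region].amazonaws.com) and
    path-style (s3[.region].amazonaws.com/bucket/...)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(".amazonaws.com"):
        return None
    labels = host[: -len(".amazonaws.com")].split(".")
    # virtual-hosted style: the bucket is the first label, an s3 label follows
    if len(labels) >= 2 and _is_s3_label(labels[1]):
        return labels[0]
    # path-style: the host itself is the s3 endpoint, bucket is the first path segment
    if _is_s3_label(labels[0]):
        segments = [s for s in parsed.path.split("/") if s]
        return segments[0] if segments else None
    return None


class _AssetParser(HTMLParser):
    """Collect (kind, url, has_integrity) for <script src> and stylesheet <link>s."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "script" and a.get("src"):
            self.assets.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and a.get("href"):
            rels = (a.get("rel") or "").lower().split()
            if "stylesheet" in rels:
                self.assets.append(("stylesheet", a["href"], "integrity" in a))


def audit(html, page_host):
    """Classify every external asset: same-origin, pinned (has SRI) or unpinned."""
    parser = _AssetParser()
    parser.feed(html)
    findings = []
    for kind, url, has_sri in parser.assets:
        # relative URLs have no hostname and therefore load from the page itself
        host = (urlparse(url).hostname or page_host).lower()
        if host == page_host.lower():
            risk = "same-origin"
        elif has_sri:
            risk = "pinned"
        else:
            risk = "unpinned"
        findings.append({"kind": kind, "url": url, "host": host,
                         "s3_bucket": s3_bucket(url), "risk": risk})
    return findings


# Constructed sample page: one local script, one S3-hosted script without SRI,
# one CDN script with SRI, and a protocol-relative path-style S3 stylesheet.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://example-bucket.s3.amazonaws.com/js/widget.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//s3.amazonaws.com/another-bucket/style.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "www.example.org"):
        bucket = f" (S3 bucket: {f['s3_bucket']})" if f["s3_bucket"] else ""
        print(f"{f['risk']:12} {f['kind']:10} {f['url']}{bucket}")
```

Every finding marked `unpinned` is a location whose content the page owner does not control and cannot detect changes to; the ones with an S3 bucket name are the case from the post, where checking that the bucket exists and is owned by you, and adding an `integrity` attribute, are the immediate fixes.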
Malvertising – that is the spreading of malware or fraudulent content through malicious ads on otherwise trustworthy homepages – is not only persistent but also growing, as recent articles from Motherboard and Ars Technica suggest, both referring to a report from Cyphort as their primary source. This increase in the delivery of malicious ads poses an imminent threat to users on the Internet. Ars Technica emphasises that a single consortium, consisting of 28 fake ad agencies, was able to reach 62% of ad-monetized websites on a weekly basis.
Hardly a week passes that is not dominated by some more or less serious IT security incident. Though a considerable number of these incidents are caused by the exploitation of specific vulnerabilities, be they zero-days or not, their impact frequently depends on the prevalent infrastructure of the systems in question. The spreading of WannaCry, for example, could have been – and in many cases probably was* – contained by the proper employment and configuration of firewalls to separate networks or at least filter potentially illegitimate traffic.
Antivirus software is probably one of the first things to be installed on a fresh system before any other software hits the hard disk. There seems to be consensus that a virus scanner is a must-have nowadays; the only thing that is not clear is which one is supposedly the best when it comes to malware, ransomware, spyware, scareware, rootkit, spam, phishing, botnet, trojan or <place random word here> detection. No one has ever been blamed for using AV; the opposite might be the case, though. But in fact, there is an ongoing discussion about the usefulness of such software, and it is as old as virus scanners themselves.
Operating radio equipment in compliant modes is a reasonable thing to do. WiFi and GSM jammers are excellent examples of what might happen if radio equipment is not operated in compliant modes, rendering communication (based on GSM or WiFi in this case) impossible within a certain radius. Things can get even more delicate if GSM baseband firmware is modified so that it violates the GSM protocol in ways that allow for denial-of-service attacks on cell phone towers. Back in 2009, this was one of Apple's claims as to why it would need to take action against jailbreaking iPhones (1), with a jailbreak being mandatory if users wanted to remove the built-in provider lock. This unlock, in fact, tinkered with the baseband.