<![CDATA[[SecurityRatty] tag: trusty]]>

<![CDATA[[SecurityRatty] tag: trusty]]> http://securityratty.com/tag/trusty Fri, 28 Mar 2008 11:28:30 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[XSS Comedy at McAfee Secure's Expense]]> http://securityratty.com/article/415bc504c211b5ee78ee15ea0a533277 http://securityratty.com/article/415bc504c211b5ee78ee15ea0a533277 As well you should know by know, the existence of XSS vulnerabilities in a site that is required to meet PCI DSS standards means that the site IS NOT PCI COMPLIANT. Very simple, right?
Let's consider the McAfee Secure/Hacker Safe-branded site for Organize-It.
A seemingly handy site, perfect for your HGTV types, likely with healthy credit card limits. Uh-oh, here it comes. Oh yes, Organize-It handles credit cards and is thus beholden to PCI DSS.
Organize-It is also proudly displaying a current McAfee Secure badge, indicating that it's tested daily.
Given the focus of many a recent discussion it shouldn't shock you that Organize-It is vulnerable to XSS.
What's funny is what Organize-It does with regard to "handling" malformed requests.
Where a typical test string for XSS might be " script payload /script (characters removed or Blogger will let me XSS myself), you won't get much use from such a string via either direct form submittal or URL encoding. But when the site barfed up '; // LEAVE THIS VALUE var sli_cId = 90;, while under investigation, my ruh-roh meter went off.
I decided to play with my trusty marquee test and found interesting results. The actual search form field is limited to 41 characters (er?). So my complete string of " marquee message /marquee didn't fit for direct submittal BUT THE MARQUEE RENDERED ANYWAY! Basically, half the test string worked: " marquee h1 This_site_is_NOT_McAfee_S
Forget the marquee tag on the blacklist, did we?
But here's the real icing on the cake. The uber-intuitive search index reinterpreted my message with what I can only imagine are index keywords. Thus "This site is NOT McAfee Secure" scrolls across the Organize-It site as "this sit is not coffee secure".
OMG! My daily quad shot Americano has been pwn3d to the core!
Here's the URL if you don't believe me, or the video if you prefer.
Forget PCI compliance, bring on the Gong Show hook, Chuck!
Cheers.

del.icio.us | digg]]> Mon, 30 Jun 2008 17:10:00 +0000 site seemingly handy site mcafee secure mcafee test trusty marquee test organize-it site marquee xss XSS Comedy at McAfee Secure's Expense <![CDATA[To be liberated, you need to be educated in the facts]]> http://securityratty.com/article/4f8accdfe2729a3a297f7983e04e293a http://securityratty.com/article/4f8accdfe2729a3a297f7983e04e293a Online safety 101. When will it happen? Sadly, never.
Uninformed users will continue to fall for scams and allow their computer and others to be infected and give the malware marketeers lots of profit.
Ok, Im done ranting, Im fine now, really.

clipped from www.download.com

Spyware Horror Story: Debugging for newbies

As liberating as computers are, it’s terrifying when things go wrong. You’re left abandoned, even mocked!, by the tools on which you’ve come so heavily to rely. It’s like having your trusty accountant wipe a stack of forms to the floor, storm out of the office, and leave you to sort out your own taxes.

]]> Fri, 28 Mar 2008 11:28:30 +0000 malware marketeers lots trusty accountant wipe spyware horror story online safety taxes sadly floor heavily users To be liberated, you need to be educated in the facts