Did he give them a chance to rectify this before going public? if not then he should be locked up.
A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users' private details. Cross-site scripting (XSS) flaws allow attackers to present content under their control in the context of a vulnerable yet trusted site, thus tricking marks into …
Saturday 17th December 2011 11:17 GMT Keith T
Locked up for years for consipiracy to steal
Locked up for years for consipiracy to steal. Even if he doesn't use the code himself, he has clearly conspired to support those who will.
*Assuming* his claims to have discovered something remotely original are true, and are not mere vanity, he has discovered a vital element that the other blackhats did not know, he has given them vital help.
And with no suggestion on how to close the hole, he published it openly for no purpose other than to help robbers and gain publicity for himself.
Even personal injury lawyers don't push people into traffic in order to gain clients -- computer security has the lowest professional ethics of any occupation, barring perhaps New Orleans police officer.
Sunday 18th December 2011 18:19 GMT Destroy All Monsters
You two utter failheads up there may want to ask for jobs on the Bachmann/Newt/Romney presidential bandwagons because you capacity to spew outrageous B.S. that identifies Bad Guys To Punish with scant reasoning would fit right in.
Apart from that, guy's right about the money printing thing. Bank are the only economic actor legally allowed to "print" their own money and then pull in interest on it. They are then bitching endlessly about how hard off they are and how they can't invest into security because of thin margins. You then get so-called "secure banking access" software that runs *only* on certain kinds of Windows (for which you must confirm that you have bought and are running antivirus software like that's gonna help), uses standard browers and the Java plugin ... NGHHH.
Monday 19th December 2011 10:40 GMT Stuart Castle
Punish with scant reasoning? He has published a tool that could be used to break into a bank. It may only be a website, but it's still part of the bank.
Would you feel the same if (say) someone reverse engineered the lock on your front door and published the schematics of the key required to open it?
Whether you agree with the bank's practices or not is irrelevant. It does not give you the right to advocate breaking in I'll tell you why. SImple. Someone breaks in to the bank electronically. Siphons off money from customer accounts. The bank will often refund the money, and claim it back from their own insurance. Come renewal time, the insurance company ups the bank's repayments. Who pays the increase? You can bet it's not the bank. No. They pass it on to their customers.
In short, if you have a genuine grievance with the banks, complain and protest, but do so through official channels, or organise a protest outside a branch or office. Don't publish code that enables potentially thousands of innocent customers to be ripped off.
Even if your interest is purely hacking, why not develop the code, then help the banks secure their websites rather than just publishing it.
Sunday 25th December 2011 09:17 GMT Anonymous Coward
Funny thing 'bout them locks
If you waste any decent amount of time on the 'net, you'll find all kinds of guides on lockpicking and tools for the job - much the same spirit as how this person's just gone and thrown their 'schematic' for this tool out there. The difference is merely what protects what. One being more critical when it's shortcomings are overlooked than the other.
Friday 16th December 2011 16:56 GMT zen1
Friday 16th December 2011 21:38 GMT Surreal
Quick! Shoot the messenger!
Oi... Shirley, and I hope I can call you that, Nobody Else in the Whole Wide World would ever have thought of that flavor of exploit*. Now we are collectively doomed. Doooomed, I tell ye!!!
* like, you know, the other project listed in the article. Best castrate him too, lest his Evil Genes be passed on to doom future generations.
Friday 16th December 2011 21:50 GMT Anonymous Coward
Friday 23rd December 2011 13:16 GMT Charles 9
A drink for you...
...for recognizing Boxleitner's titular role in a certain 1984 Disney flick about computers. Since I was just a kid at the time, I never made the connection until much later, after I recognized the actor better for his role in a TV series about a certain space station (love both, incidentally).
Friday 16th December 2011 22:11 GMT Anonymous Coward
Saturday 17th December 2011 11:00 GMT amanfromMars 1
For Virtual Action Impunity Operations
And what of AIMaster ProgramMING Pilot that would be deploying and/or beta testing SMART APT Apps ....... with Sophisticated Novel Combat Immune ZerodDay CodeXSSXXXX in Systems where the World Wide Web and ITs Entangled InterNetworking Networks are the CPGPU and Computerised Machines and Global Operating Devices their Source Input Core Output Vehicles?
Would that be a Quantum Colossus of a Virtual Computing Machine and an HyperRadioPproActive Clone and SMART Mirror Parallel Dimension of Present Real Systems ......... which would cause one to ponder on the true nature of reality and existence of matters invented for media propagation and to be considered and chronicled/pimped and pumped as hard core fact whenever just soft cored fiction.
amfM posits IT is so ....... and does challenge you to disprove it as the System with Others Anonymous and Legion would prove it with IT Commanding Controls in Creative CyberSpace for Computers and Communications.
Choose the side you would be most comfortable rooting for. Mayhem or CHAOS? Madness or Order with Clouds Hosting Advanced Operating Systems?
Great Game ON.
And Merry Xmas, El Reg. When and where's the party to celebrate last year's success and plot next year's future?
Saturday 17th December 2011 11:02 GMT Keith T
It must be self aware, he's had arguments with it, and it has won many of those arguments
His code is "self aware". What a joke eh?
It is easy to vandalize something, if you don't have to worry about being caught and sent to prison.
Making something as vandal proof as possible, something that only a few dozen somewhat easily tracked people can break into, that is the intellectual challenge.
Saturday 17th December 2011 11:02 GMT Keith T
Defect in bank website security is lack of police and justice system
The main defect in bank website security is a lack of police and courts to jail hackers for lengthy periods of time.
Never has bank security -- or any other security -- been absolute. Security has always depended on merely slowing an attacker down, while raising an alarm and giving police time to respond.
An standard 18" steel re-enforced bank vault has a heat detector, an explosion detector, but must be within 15 minutes travel time of a police station, because such a vault can be penetrated in less than 20 minutes with a thermic lance.
Even security-at-any-price objects like battle tanks and nuclear missile silos depend on guards and police forces to respond to attackers, and the courts to punish attackers. Detect those conspiring in the attacks and give them lengthy prison sentences.
There is no vandal proof security in the physical world without police and criminal justice.
There is no hacker proof security in the cyber world without police and criminal justice.
Saturday 17th December 2011 13:56 GMT Charles 9
But enforcement is impossible.
Because of the global nature of the Internet, some of the infiltrators can be located in countries hostile or at the least indifferent to Western thinking: countries who actually wouldn't mind a western bank or three getting some egg on the face. More of the pie for them, after all. So going back to your silo problem: how do you secure a tank when they can take remote control of it, say, FROM ORBIT? How do you go after infiltrators who never cross into your jurisdiction and aren't willing to let you in?
Sunday 18th December 2011 00:50 GMT Fred Flintstone
OK, who let the idiots out of their cage?
"The public sees the PCI DSS standard and believes that the banks are doing a great job, but in the end of the day the only practical thing coming out of those standards are 'verified by ourselves' stamps of approval and 4 digit numeric PIN codes."
Wowie. That's actually nothing *banks* impose, but the VISA and Mastercard networks of this world. To call this security theatre is a tad over the top, but it is correct that sod all is done to secure it properly, and there is a very simple reason for it: the entities that actually could do something about it don't actually suffer the loss..
Sunday 18th December 2011 00:50 GMT Anonymous Coward
Sunday 18th December 2011 18:23 GMT kb 2
Sunday 18th December 2011 18:30 GMT Anonymous Coward
Bank website security
Agreed there is no absolute security and there will always be hackers.
However, many banks do little to improve website security since, provided the overall level of fraud is low enough, they can - and do - just pass on the costs of fraud to all their customers.
The external devices that enable customers to "sign" transactions with their chip'n'pin card can improve bank website security considerably, a) because the transaction is far more difficult to replay or subvert; b) because the device itself is not connected to the internet and therefore far less likely to be compromised.
However, (at least) one of the banks that (commendably) issues these devices to its customers, also sends them emails with convenient buttons enabling them to log on to their internet banking accounts. Just like phishing? Quite!
The banks really don't care as long as they can get away with passing the costs of their complacency on to their customers.
Sunday 18th December 2011 23:01 GMT MaXe
More than stealing cookie and phishing user's private details
After I read this the following, I wondered if I had somehow travelled into the future:
Quote: "A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users' private details."
Almost one year ago, I published this demonstration on The Exploit Database: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ , which also goes beyond cookie stealing and phishing, in fact, it goes so far beyond that it will attempt to inject a PHP shell allowing remote code execution on the target server.
It will even, bypass a few classif Web Application Firewalls and most filters. Why? Because the attacker him- or herself, is not injecting any code directly. Instead, the server is actually requesting the title of the target page he or she is serving, which contains the main XSS payload, which then upon activation, silently injects PHP code using the logged in administrators cookie session and any CSRF tokens it encounters.
That I would say, is going beyond cookie stealing and phishing. If it's just about being persistent, then I'd like to point out as .mario did as well, that there's a technique developed by FortConsult called Site-Wide XSS a couple of years ago, which also goes beyond the classic XSS attack approach.
Saturday 24th December 2011 04:17 GMT heyrick
Is he a criminal? Is he helping bad guys break into banks? Possibly.
But on the other hand, banks *need* to step up their game. The "verified by ourselves" is crap. The fact that I have to turn off script blocking to make an on-line order (because resubmits cause it to go screwy, and I don't know how the hell many domains - some known only by IP address - will be necessary to place said order). I've backed out of some online transactions for that very reason. There's a bank service here in France that embeds itself (and only itself) in an [I]FRAME, that's all it needs. Once given permission (it comes with page reload), It Just Works. Why do some other banks find it so hard?
Don't get me started with the piss-poor four digit PIN. "Oh, it's too hard to remember..." Oh BALLS. You wanna know how long my mobile number is? My landline? The one I had when I lived in England? The one before that? The one before *that*? I can tell you them all, with area code, pre-and-post PhoneDay. I'm sure everybody reading has a subset of numbers they know by heart - mother, wife, girlfriend, kids, etc etc, all of which are many more digits than a stupid little four digit so-called protection. Stand long enough in supermarket queues, you can get a reasonable idea of the PINs of random strangers just by watching their hards. You don't even need to see the keys, just know the size/layout of the machine.
I am not even going to contemplate that crap software my mother's bank told her she HAD to install on her computer. I Googled it. It adds little security, messes up most antivirus packages (by linking deep in a similar sort of way) and has a 40:60 chance of killing the computer. Oddly enough, they backed down when I told them I was recording the call and I was hereby giving notice that any errors or downtime as a result of installation will be billed at thirty quid per hour or part hour. Oh, and they couldn't put me through to anybody who could explain in technical terms (like, at API level) what actual benefit the package had. Just a lot of hot air about "hijacking" and "trojans" and the odd reference to "identity theft".
And you know WHY the banks are making the noise about this "enhanced security" stuff? It's because if something goes wrong, your money gets lifted, well, the bank did its part. The rest must surely have been you - you didn't write down your password, did you?
It is smoke and mirrors. We need to see beyond this charade.