Posts by William

2 posts • joined 14 Aug 2008

Security researchers' accounts ransacked in embarrassing hacklash


Outsourced email doesn't need to imply lax security

Dave Hall pointed out that using an email service violated the possession/control principle. The thing is, this doesn't necessarily imply a bad security decision. Rarely is there perfect security, and even if the researcher were to have managed his own mail server, he likely would be sacrificing on the Availability and possibly even the Utility of his mail solution. It'd be rare for any individual to be able to fund the redundancy and bandwidth required to withstand a concerted DoS effort from a botnet against the infrastructural elements of a home network (or even a small consulting business). By insisting on a 'do-it-yourself' mentality for things like mail, you could expose more surface area for attack.

Also, frankly, gmail (along with gcalendar and other g-goodies) is a lot more *useful* than most mail-only solutions out there. The trade-off between utility and security isn't always a cut-and-dried question.


XSS *can* provide full access to account

The article seemed to imply that Cross Site Scripting (XSS) attacks generally only provide a single transaction vector for attack. It's surprising that The Register would make this mistake, as the canonical example of an XSS attack is to demonstrate the mapping of the DOM element 'document.cookies' into a web request to an attacker's website. This attack provides an attacker all the session credentials needed to log in to a web application without requiring a password (and thus allowing full access to all archived mail). I'm not saying this is what was done in this case, but to dismiss this vector as impractical would be a mistake.
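The session-cookie exposure described in the post above is exactly what the HttpOnly, Secure and SameSite cookie attributes exist to limit. The following is an added example, not part of the original post or of any Register code: it parses Set-Cookie headers and reports session cookies that lack those flags. The header strings and the cookie name SID are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers for the flags that limit what an
// injected script can do with a session cookie.
//   HttpOnly  - cookie is not exposed through document.cookie
//   Secure    - cookie is only sent over HTTPS
//   SameSite  - cookie is not attached to cross-site requests (Strict/Lax)
// The sample headers below are constructed for this example.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    // Flag attributes (Secure, HttpOnly) have no value; store them as true.
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Returns a list of findings for one cookie; an empty list means the cookie
// carries every attribute expected on a session cookie.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
  if (!c.attrs.secure) findings.push(`${c.name}: missing Secure (sent over plaintext HTTP)`);
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (sameSite !== 'strict' && sameSite !== 'lax') findings.push(`${c.name}: SameSite not Strict/Lax`);
  return findings;
}

// Constructed sample headers: one weak session cookie, one hardened one.
const SAMPLE_HEADERS = [
  'SID=abc123; Path=/; Domain=.example.com',
  'SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSessionCookie(h);
  console.log(findings.length ? findings.join('\n') : `${h.split(';')[0]}: OK`);
}
```

The first header produces three findings and the second none; the same check can be run over headers captured from a real login response.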


Biting the hand that feeds IT © 1998–2021