Hackers NOT oblivious to Firefox - Read!!

Discussion in 'Tech Talk' started by nickg, Feb 8, 2005.

  1. nickg
    http://www.msnbc.msn.com/id/6930868/

    Browser feature could make scams easier
    Flaw present not in IE this time, but in rivals
    The Associated Press
    Updated: 10:26 p.m. ET Feb. 7, 2005

    NEW YORK - An Internet browser feature meant to permit Web addresses in Chinese, Arabic and other languages could encourage online fraudsters by making scam Web sites look legitimate to visitors.

    For once, the affected browser is not the industry-leading Internet Explorer from Microsoft Corp. but rather several of its more robust competitors.

    That's because the aging IE lacks support for internationalized domain names -- at least without a plug-in, which would then make IE vulnerable.

    "It's kind of ironic that it affects some of the supposedly safer browsers," said Neel Mehta, a research engineer at Internet Security Systems Inc.

    A fix won't be easy because the vulnerability that enables so-called "phishing" scams, publicized at a weekend hacker conference, involves a feature, not a coding error.

    Engineers at the Mozilla Foundation, developer of the No. 2 Firefox browser, said they were reviewing options and should have more to say within a few days.

    The maker of the Opera browser said in a statement that although a fix is possible, "it's extremely hard to find a balance between making the fix too comprehensive or too limited. Even though you limit yourself you can create problems for valid domains."

    Character flaw
    Officially, the Internet's Domain Name System supports only 37 characters -- the 26 letters, 10 numerals and a hyphen.

    But in recent years, in response to a growing Internet population worldwide, engineers have been working on ways to trick the system into understanding other languages.

    Engineers have rallied around a character system called Unicode. The newly discovered exploit takes advantage of the fact that characters that look alike can have two separate codes in Unicode and thus appear to the computer as different. For example, Unicode for "a" is 97 under the Latin alphabet, but 1072 in Cyrillic.

    Subbing one for the other can allow a scammer to register a domain name that looks to the human as "paypal.com," tricking users into giving passwords and other sensitive information at what looks like a legitimate site.

    Some browsers, including Firefox, let users deactivate the other character sets but doing so is complicated and would cut off access to the relatively few sites that use non-English characters in their addresses.

    A better solution is to always manually type Web addresses directly into a browser rather than clicking on a link sent via e-mail or even copying and pasting that link.

    The potential for the vulnerability has been known for a while, but it has only recently gained the attention of security experts as non-English domain names become a reality.

    Eric Johanson, an independent security consultant in Seattle, publicized it on Sunday, saying he wanted to pressure vendors to act.

    Dan Hubbard, director of security at Websense Inc., which monitors phishing scams, said he knew of no e-mails circulating on the Internet that take advantage of the vulnerability, but he expects scammers to start using it soon to target non-IE browsers.

    Hubbard said plenty of flaws already exist with IE because users don't keep up with security updates.

    "Attackers will check to see what browser you're using and then use vulnerability A if it's Internet Explorer and B if it's Mozilla Firefox," Hubbard said.

    But Johannes Ullrich, chief technology officer with the SANS Institute's Internet Storm Center, said scammers may focus on exploiting other flaws because IE remains dominant.

    "Right now the one thing that will likely prevent them from using it is that Internet Explorer users will not be able to see the page at all," he said.
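    The look-alike trick the article describes, turned into a defender-side check that a mail gateway or log reviewer could run over hostnames. This is an added example, not code from the article or from any browser vendor; the confusables table and the sample hostnames are constructed, and the xn-- (punycode) handling uses Python's standard idna codec.

```python
import unicodedata

# Cyrillic lowercase letters that render like Latin letters in common fonts.
# Constructed subset for illustration, not a complete confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}


def to_unicode(host):
    """Accept a hostname in Unicode or in the xn-- form a browser sends to DNS."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def to_punycode(host):
    """The ASCII form that goes on the wire, useful for DNS or certificate log searches."""
    return host.encode("idna").decode("ascii")


def scripts_of(label):
    """Scripts used in a label, read from the first word of each character's Unicode
    name ("LATIN SMALL LETTER A" is 97, "CYRILLIC SMALL LETTER A" is 1072)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in "-0123456789"}


def skeleton(label):
    """Replace every confusable with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_findings(host):
    """Warnings for a hostname; an empty list means no homograph signal was found."""
    findings = []
    for label in to_unicode(host).split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"{label}: mixes scripts {sorted(scripts)}")
        skel = skeleton(label)
        # A label that differs from its skeleton yet collapses to pure ASCII has no
        # letter a reader could tell apart from Latin. Genuine Cyrillic words keep
        # letters with no Latin look-alike, so valid IDNs are left alone.
        if skel != label and skel.isascii():
            findings.append(f"{label}: every non-Latin letter is a Latin look-alike, reads as '{skel}'")
    return findings


if __name__ == "__main__":
    # Constructed samples: legitimate, mixed-script spoof, single-script spoof, genuine Cyrillic.
    for host in ("www.paypal.com", "www.p\u0430ypal.com",
                 "\u0440\u0430\u0443.com", "\u044f\u043d\u0434\u0435\u043a\u0441.ru"):
        print(to_punycode(host), homograph_findings(host) or "ok")
```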
     
  2. David_G17
    hackers? phishing isn't really hacking, is it?
     

  3. fastvfr
    Sort of...if you consider a hoax virus as a High threat, I suppose it is!!

    Just verify the URL, folks. Phishing preys on ignorance, just as 95% of the other Web attacks do.

    So you either arm yourself with knowledge or resign yourself to paying tech fees...easy as that.
     
  4. Dandapani
    in URL bar, type "about:config"

    scroll down and click on

    network.enableIDN

    making the value false.

    that turns off displaying the international domain names.
     
  5. troyboy30
    According to the mozilla forums, this fix does not work. Any news on another?
     
  6. CranialCrusader
    The only reason IE is not vulnerable is because it is not compliant to the standard. An additional plugin is required to make it compliant. You can tell if the address is being spoofed in Firefox because the address text will be lowered by a few pixels.

    CranialCrusader
     
  7. Jtemple
    I have enough common sense that I don't fall for "phishing" scams in the first place.

    Too many people expect their technology to have the common sense for them. Bad idea.