SecurityFocus, 2007-08-06
LAS VEGAS -- On a summer day seven weeks ago, a small group of software architects and network engineers descended on Stanford University, worried.
To prove the danger, the Stanford students bought placement for a Flash advertisement on a marketing network and found that, for less than $100, an attacker could have hijacked as many as 100,000 Internet addresses in three days.
"This turns out to be several orders of magnitude cheaper than renting a bot net," Collin Jackson, a PhD student in computer science at Stanford and a member of the Security Lab, said during an interview at the Black Hat Security Briefings.
The issue, which had been discussed only among experts in the area of browser security, came to prominence this week in Las Vegas. Two security experts -- David Byrne, security architect with EchoStar Satellite, and Dan Kaminsky, director of penetration testing at IOActive -- gave separate presentations on the subject at the Black Hat Security Briefings and then repeated their talks at the DEFCON hacking conference. Their warning: Corporate firewalls and virtual private networks (VPNs) could easily be penetrated using this technique, and any permanent fix will take time.
"If you came to my (hypothetical) Web site, I get to use -- not something like a VPN -- but your VPN into your network," Kaminsky told SecurityFocus after his presentation. "You come to my Web site and it lets me misuse your Web browser like a VPN concentrator."
The browser's same-origin policy, which is meant to stop content loaded from one site from reading data belonging to another, is simple in concept but turns out to be difficult to implement correctly, said EchoStar's Byrne during his presentation.
"The same origin policy is a good idea ... but it is also terribly broken in most implementations," Byrne said.
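The policy Byrne is describing reduces to a comparison of origins, where an origin is the (scheme, host, port) triple of a URL. The following is an added example, not code from the article or from any of the speakers' talks: a minimal same-origin check in JavaScript, run against a few constructed URL pairs, using Node's built-in WHATWG `URL` parser. The host names and the 192.0.2.1 address are made-up test inputs.

```javascript
// Added example (not from the article): a minimal same-origin comparison of
// the kind a browser applies before letting a script in one document touch
// another. Two URLs are same-origin only if scheme, host and port all match.

// Default ports, so "http://a.example/" and "http://a.example:80/" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin triple. Note what the check keys on: the host
// name as written in the URL (the parser lower-cases it), not whatever
// network address that name happens to map to at the time.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  // URL.port is "" when the port is the scheme default; normalise it so an
  // explicit ":80" and an omitted port are treated identically.
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : u.port;
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases: [url A, url B, expected same-origin result, reason].
const CASES = [
  ["http://example.com/a", "http://example.com:80/b", true, "default port spelled out"],
  ["http://EXAMPLE.com/", "http://example.com/", true, "host names are case-insensitive"],
  ["https://example.com/", "http://example.com/", false, "scheme differs"],
  ["http://example.com/", "http://example.com:8080/", false, "port differs"],
  ["http://example.com/", "http://www.example.com/", false, "a subdomain is a different host"],
  ["http://example.com/", "http://192.0.2.1/", false, "same machine by IP literal is still a different origin"],
];

// Returns true when every constructed case behaves as expected.
function checkCases() {
  return CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}

for (const [a, b, expected, why] of CASES) {
  console.log(`${sameOrigin(a, b) === expected ? "ok  " : "FAIL"} ${a} vs ${b}: ${why}`);
}
```

The last case is the one worth dwelling on: the comparison never consults the network. The policy is a statement about names, so any implementation that assumes a name stays bound to one server for the life of a page is relying on something the check itself does not verify.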