Introducing the “I Know…” series

The “I Know…” series builds upon earlier work where I revealed relatively simple tricks [malicious] websites can use to coax a browser into revealing information that it probably should not. For example, I demonstrated how a website might learn what websites you’ve visited, steal a browser’s auto-complete data, learn what sites you are logged in to, surreptitiously activate a computer’s video camera and microphone, list out what Firefox Add-Ons are installed, learn what you’ve previously watched on YouTube, see who is listed in your Gmail contact list, etc. In every case, the only thing a would-be victim must do is visit the wrong website. Firewalls, anti-virus software, anti-phishing scam blacklists, and even patching your browser were not going to help.

Fortunately, if you are using one of today’s latest and greatest browsers (Chrome, Firefox, Internet Explorer, Safari, etc.), these tricks, these attack techniques, mostly don’t work anymore. The unfortunate part is that they were by no means the only way to accomplish these feats. In the following sections I’ll be discussing many, many more attack techniques — tricks that reveal a person’s name, workplace, physical location, online habits, what websites they log in to, the technology specifics of their computer and browser, and more. The fact is, unless you’ve taken a number of very particular precautions, essentially every website you visit has the ability to quickly acquire all the aforementioned information.

https://youtu.be/0PuoRIIHOQI

I’ll expose why the common assumption that people are relatively anonymous as they surf the Web, and that their online activities are private, is wrong — from a personal security and privacy standpoint, dangerously wrong. Imagine a young teen who is pregnant and hasn’t yet informed her parents. As she surfs the Web for information about her situation, websites glean this personal information about her condition and begin mailing maternity content directly to her home. Imagine a divorcee trying to hide from her hostile ex-husband whose real-world address is revealed with nothing more than a link click. Imagine if somehow your religious, political, and adult entertainment preferences were discovered by a local congregation, employer, and friends.

As you read, what you should find interesting (and concerning) is that a large percentage of the techniques I’ll be leveraging are NOT new — they’ve already been publicly documented. On their own, each technique’s impact may not be terribly severe, which probably explains why they remain unaddressed. However, when these disparate techniques are wired together, they paint a highly problematic and largely misunderstood narrative that is the actual state of Web [browser] security.

From here we’ll progress slowly, building up our exploitation pyramid one blog post section at a time.

 


About Jeremiah Grossman

Jeremiah Grossman is the Founder and interim CEO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles and white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!