SecurityFeed.info » Jeremiah Grossman

Feeds

57036 items (57036 unread) in 90 feeds

• Aviv Raff On .NET (29 unread)
• Bugtraq (bugtraq) Mailing List (2860 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (415 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (344 unread)
• Jeremiah Grossman (191 unread)
• Heorot.net (19 unread)
• milw0rm.com (1332 unread)
• Nmap Hackers (nmap-hackers) Mailing List (27 unread)
• Rootsecure.net (3262 unread)
• SecuriTeam.com (645 unread)
• Security Vulnerability Research & Defense (147 unread)
• SecurityFocus News (435 unread)
• SecurityFocus Vulnerabilities (2707 unread)
• Securityvulns news channel (1735 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (86 unread)
• The Register - Security (2360 unread)
• The Register - Software (2742 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (433 unread)
• IceСμbeς (15 unread)
• Linmagazine (757 unread)
• ‫netcraft Bytes :) (130 unread)
• Blonde 2.0 (218 unread)
• The Microsoft Security Response Center (MSRC) (175 unread)
• (IN)SECURE Magazine Notifications RSS (45 unread)
• 0x000000 Security (95 unread)
• ----- Anti-Malware ----- Analysis and Defense (16 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (368 unread)
• C.I.S.R.T. (25 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (157 unread)
• eEye Digital Security - Research Blog (12 unread)
• Ryan Naraine's Security Watch (488 unread)
• Security - RSS Feeds (1100 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (470 unread)
• Full Disclosure (1289 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (157 unread)
• ha.ckers.org web application security lab (135 unread)
• heise security (1864 unread)
• invisiblethings' blog (57 unread)
• Jeff Jones's blog (13 unread)
• JScript Blog (26 unread)
• Matasano Chargen (74 unread)
• McAfee Avert Labs (354 unread)
• Michael Howard's Web Log (46 unread)
• PandaLabs (227 unread)
• Zero Day (867 unread)
• SANS Internet Storm Center, InfoCON: green (1115 unread)
• Latest Secunia Security Watchdog Blog Entries (71 unread)
• SecuriTeam Blogs (248 unread)
• Security Fix (494 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (909 unread)
• Sunnet Beskerming Security Advisories (149 unread)
• Technobabylon
• The Recurity Lablog (34 unread)
• Wired: Threat Level (1460 unread)
• TrendLabs | Malware Blog - by Trend Micro (636 unread)
• Uninformed Journal (49 unread)
• WabiSabiLabi's blog (23 unread)
• WatchGuard Wire (134 unread)
• Latest Blog Entires From WebSense Security Labs (164 unread)
• Hackszine.com (664 unread)
• DVLabs: Blogs (145 unread)
• Errata Security (177 unread)
• Robert Hensing's Blog (93 unread)
• PaulDotCom Community Blog (14 unread)
• David LeBlanc's Web Log (34 unread)
• Billy (BK) Rios (29 unread)
• David Litchfield's blog (22 unread)
• Farfromr00tin (27 unread)
• aut disce, aut discede (17 unread)
• pwn* (26 unread)
• hackademix.net (106 unread)
• SecurityDot Vulnerabilities (1939 unread)
• Vulnerabilities & Exploits (87 unread)
• Malicious Code (100 unread)
• Security Risks (66 unread)
• Digg / Security / upcoming (17371 unread)
• digg.com: News / Security / Popular (395 unread)
• DarkReading - Security News (926 unread)
• DarkReading - All Stories (148 unread)

Jeremiah Grossman (10 unread)

• March 07, 2010
• 17:20

  Best of Application Security (Friday, Mar. 5)

   » ‎ Jeremiah Grossman
  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • Verizon Incident Metrics Framework Released
  • Wiseguys net $25m in ticket scalping racket
  • State of Software Security Report
  • Internet Explorer 8 and the Security Development Lifecycle (SDL)
  • Top 10 Hacks of 2009 and WAF Mitigations
  • FTC alleges that ControlScan offered 'little or no verification' of site security or privacy
  • I’m in ur 4sq, snarfin ur password — Part I
  • Fifteen Common Activities from BSIMM2
  • Even if You Don’t Invent Your Own Crypto….It’s Still Hard
  • Facebook founder Mark Zuckerberg 'hacked into emails of rivals and journalists'

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 26, 2010
• 9:46

  Best of Application Security (Friday, Feb. 26)

   » ‎ Jeremiah Grossman
  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • Hitler and Cloud Computing Security
  • Microsoft SDL Core Training Classes & Tools
  • A Big Case of ...OOPS...
  • Customer-Induced FUD
  • NT OBJECTives Response to the Larry Suto Report
  • Web Security Dojo v1.0 & Watcher 1.3.0 release
  • Online finance flaw: Ameriprise III
  • Banks, Businesses, Viruses and the UCC
  • Breaking Weak CAPTCHA in 26 Lines of Code
  • Finding Input Validations flaws with Taint Checking

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 19, 2010
• 14:08

  Compliance and Habit holding back Application Security

   » ‎ Jeremiah Grossman
  My "Infrastructure vs. Application Security Spending" post must have struck a nerve. I've received a number of comments and emails where it's clear many are grappling with the same organizational budgeting challenges. Sharing these individual experiences help us raise awareness and gain new perspective on things that might work to our advantage. I sought permission to share the content of such insightful email from a Director of Product Security for a large publicly-traded company.
  
  "Good post. It's something I've been preaching at *redacted* since day one. Our business relies on protecting our customers data. Why spend significantly more money on protecting our internal networks then on our product. I've won that battle, but given our security team started from network IT Security guys, that's where the money was spent.
  
  A couple things I thought I'd pass along which you didn't mention, but I'm sure you've though about:
  
  1. Service providers are going to spend money where their customers want them to. If their customer's security teams are all network guys, then the service provider is catering it's "security budget" to those guys. It still befuddles me in this day and age that we get predominantly more nCircle/Qualys/Nessus scans than we do application assessments from our customers. It shows though too in the compliance arena…if the people auditing your company have been baptized by compliance, then the service provider will cater to that. Unfortunately there's way more auditors who look at compliance and network security then application level security.
  
  2. I think the comparison of network/host security vs application security shouldn't equate (right now). Because of the maturity of the market, there are less tools that are practical to rely on. As such, the curve should focus more on people (training, processes, and security staff) then on tools. I'm not saying the tools can't /don't do a good job, I'm just saying that right now they're not sufficient and in general more staffing resources need to be involved. To use an internal example, the fact that all R&D staff at *redacted* go through security training, perform security work every sprint, use secure frameworks, tools, etc, isn't captured by the numbers…and frankly is more valuable than us spending another 100K on a few more licenses of AppScan or WebInspect.
  
  I think it would be really interesting to compare the costs of some of these products vs the benefit they provide. I just find it terribly funny that a Burp license costs ~$200, while running a product like DB Monitoring would costs hundreds of thousands or even millions of dollars in a large data center. That said, customers ask for things like DB Monitoring - because, you know, the five DBAs are more likely to steal their data then the thousands of malicious hackers out there ;-)
  
  I'm not old enough to know…but, I bet the network security guys cracked on how the physical security guys got all the budget way back when. Evolution…"
  
  
  If you got a story to share, please do!
  
  
  
  WhiteHat Security is a leading provider of website security services.
  
• 9:13

  Best of Application Security (Friday, Feb. 19)

   » ‎ Jeremiah Grossman
  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • Microsoft’s Many Eyeballs and the Security Development Lifecycle
  • A Comparison of DBIR with UK breach report
  • Infrastructure vs. Application Security Spending
  • Idea for a Fondue Party
  • 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
  • Should Software Developers be Liable?
  • Directory traversal as a reconnaissance tool
  • Abusing WCF to Perform Remote Port Scans
  • The State of Web Security Issues
  • 3000 Small Dog Electronics customers' credit card details compromised

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 18, 2010
• 18:31

  Hey Massachusetts, where is your application security requirement?

   » ‎ Jeremiah Grossman
  This relates to my last post where Boaz Gelbord (Security Scoreboard), cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their "risk-based approach" is pasted below. While I can’t say any one of these security controls is a bad idea, but can someone please tell me how any of this stuff is going to thwart Web-based attacks!? You know the kind of attack organizations and end-users are really dealing with!
  
  No mention at all of (Web) application security, the thing we desperately need, but sure enough more firewalls, SSL, and anti-malware is legally mandated.
  
  
  (1) Secure user authentication protocols including:
  (a) control of user IDs and other identifiers;
  (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
  (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
  (d) restricting access to active users and active user accounts only; and
  (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  (2) Secure access control measures that:
  (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
  (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
  (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
  (5) Encryption of all personal information stored on laptops or other portable devices;
  (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
  (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
  
  WhiteHat Security is a leading provider of website security services.
  
• 15:32

  Infrastructure vs. Application Security Spending

   » ‎ Jeremiah Grossman
  A recent study published by 7Safe, UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigation and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs 14% infrastructure) and the attackers were predominately external (80%). These results are largely consistent with the US-based Verizon Data Breach Incident Report (2008) which tracks over 500 cases. Combine this knowledge with the targeted Web-related attacks against Google, Adobe, Yahoo, the US House of Representatives, TechCrunch, Twitter, Heartland Payment Systems, bank after bank, university after university, country after country -- the story is the same. It’s a Web security world.
  
  It has been said before and it’s worth repeating, adding more firewalls, SSL, and the same ol’ anti-malware products is not going to help solve this problem!
  
  The reason that Web security problems persist is not a lack of knowledgeable people (though we could use more), perfected security tools (they could be much better), or effective software development processes (still maturing). A fundamental reason is something myself and others have been harping on for a long while now. Organizations spend their IT security dollars protecting themselves from yesterday’s attacks, at the network/infrastructure layer, while overlooking today’s real threats. Furthermore, these dollars are typically spent counter to how businesses invest their resources in technology. To illustrate this point I’m going to borrow inspiration from Gunnar Peterson (Software Security Architect & CTO at Arctec Group).
  
  Let’s look at the approximate 2009 revenue from the largest corporations supplying a significant (most?) portion of IT infrastructure. Cisco $36B, Juniper $3.3B, Microsoft $58.5B, and F5 $653M. Total: $98.5B (USD). To protect this infrastructure from attacks security products are purchased. The approximate 2009 revenue of largest security vendors is Symantec $6B, Kaspersky $100M, McAfee $1.6B, Checkpoint $800M, SourceFire $75M, and IBM/ISS $500M (we think).
  
  We’re spending $9.1B (USD) to protect $98.5B (USD) in infrastructure. Perhaps a ~%10 security tax on infrastructure is acceptable.
  
  Now, let’s take a look at five of the top Web-based companies, which make all their money online, and by extension whose core technology value is rooted in Web code. In 2009 their revenues were: Google $23.6B, Yahoo $6.5B, eBay $8.7B, Amazon $24.5B, Salesforce.com $1.1B. $64.4B in total. Keep in mind that the 2009 eCommerce market is said to be about $130B. To protect these Web-enabled systems let’s use Gary McGraw’s (CTO of Cigital) 2007 software security revenue numbers of $500 million. He takes into account the bulk of white and black box testing tools, professional services consultancies, and web application firewall vendors. Since Gary hasn’t updated his numbers yet, lets adjust up to $750M to reflect market growth between then and 2009.
  
  So in effect ~$750M is being spent to protect $64.4B in eCommerce revenue.
  
  
  This is further supported by analyst findings. According to Gartner, 90 percent of IT security spending is on perimeter security such as firewalls. Plus to my mind that 1.20% figure is way aggressive. It is likely the percentage is much lower because the $750M is actually being spread out among financial, healthcare, insurance, education, energy, transportation, and government verticals. Perhaps this is also the reason why so many application security professionals wage holy wars over what solution is the best, worst, most important, or should be purchased first.
  
  For the last ten years, I’ve directly experienced application security professionals fighting amongst themselves for scraps off the Big-Security-Vendor’s table. Vulnerability scanners vs WAFs, black vs white box, pen-test vs source code review, certifications vs real world experience, developer training vs secure frameworks, and so on. FAIL! All these solutions are necessary and more! The only way I see to truly improve application security is for organizations to do one (or both) of the following:
  

  1. Reallocate a portion of current infrastructure security spend to application security.
  2. Grow overall IT security spending and increase application security to more than a rounding error.

  But, lets say you are unconvinced by the numbers above. They might be too shaky, that’s fair. Lets try another Gunnar-inspired exercise:
  
  Break the IT budget into the following categories:
  
  - Network: all the resources invested in Cisco, network admins, etc.
  - Host: all the resources invested in Unix, Windows, sys admins, etc.
  - Applications: all the resources invested in developers, CRM, ERP, etc.
  - Data: all the resources invested in databases, DBAs, etc.
  
  Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.
  
  Then do the same exercise for the Information Security budget:
  
  - Network: all the resources invested in network firewalls, firewall admins, etc.
  - Host: all the resources invested in Vulnerability management, patching, etc.
  - Applications: all the resources invested in static analysis, black box scanning etc.
  - Data: all the resources invested in database encryption, database monitoring, etc.
  
  Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!
  
  If security spending can be justified on areas where attacks no longer occur, then perhaps we can justify more time, money, and effort on application security in the areas where the attacks are being waged.
  
  WhiteHat Security is a leading provider of website security services.
  
• February 12, 2010
• 9:41

  Best of Application Security (Friday, Feb. 12)

   » ‎ Jeremiah Grossman
  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • A Lazy Pen Tester’s Guide to Testing Flash Applications
  • Rock Beats Scissors, and People Beat Process
  • Hacker threat forces DoH to close appraisal site
  • Feds say dev's 'cookie-stuffer' app fleeced eBay
  • A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World
  • Death of Product Reviews
  • Are You Rugged?
  • Reducing Information Disclosure in ASP.NET Web Services
  • OWASP Broken Web Applications Project
  • Top 10 Targeted Passwords

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 09, 2010
• 12:29

  Where's WhiteHat? Re: Scanner Comparisons

   » ‎ Jeremiah Grossman
  Last week Larry Suto published, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” which reviewed desktop black box website vulnerability scanners: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service). This research was meant to build upon Larry’s initial October 2007 study of the market. Several people have asked what I thought of the paper and why WhiteHat Security wasn’t covered. I’m happy to discuss both questions.
  
  First off, the website vulnerability management space is in desperate need of side-by-side comparisons as they are very few and far between. This represents a challenge for organizations building application security programs that want to create a product short-list to evaluate internally. For a variety of reasons, independent and publicly available detailed technical reviews of website vulnerability management products/solutions are unlikely to come from the expected sources, such trade magazines and industry analysts. One of the main inhibitors is that many of these firms do not have a Web application testbed that would allow for an accurate, fair comparison. Thankfully, researchers, such as Larry Suto, help fill the void by investing personal time and sharing their results. Others independents should be encouraged to do the same. I would recommend the “Web Application Security Scanner Evaluation Criteria (WASSEC)” if you wish to do so. Also, Larry confirmed he was not compensated by any vendor for his work.
  
  During the latter stages of Larry’s research, WhiteHat Security was offered the opportunity to be included. In order to take part, we were asked to assess six vendor hosted “test websites” with WhiteHat Sentinel, identify vulnerabilities and report our findings. The testing process was designed to evaluate desktop black box scanner technology using a “Point-and-Shoot” and “Trained” methodology -- something not well-suited for a SaaS offering like Sentinel. What we do and how we do it is very different from the scanning tools, but is still often seen as an alternative. After much consideration, we did not feel that the testing methodology would provide an apples-to-apples evaluation environment for Sentinel. Additionally, and equally important, finding vulnerabilities is only the first piece of the overall value our customers receive, so we politely declined to participate.
  
  *Not to mention, that as a strict rule, we never touch any website without express written authorization.*
  
  The report states, consistent with my expectations, that significant amounts of human/expert time are required for scanner configuration, vulnerability verification, scan monitoring, etc. to enable the aforementioned products to function proficiently. Behind the scenes, Sentinel is no different, except that we perform all of those activities and more for our customers as a standard part of the annual subscription. Doing so means our engineering time has a hard cost to us and staff resources are dedicated to serving customers.
  
  The report confirms that scanner performance varies wildly from site to site, so it’s best to test where they will be deployed. We agree and provide mechanisms for our customers to evaluate Sentinel first-hand for exactly that reason. We want customers to know exactly what they can expect from us on their production systems and not a generic test website. Finally, where Sentinel really excels, is in areas where the report did not (could not) focus. Scalability is one of these. Whether we are tasked with one site, 10, 100, 1,000 or more -- Sentinel is capable of handling the volume.
  
  Over the years I’ve written extensively about black box scanner efficiencies and deficiencies in depth: Automated Scanners vs. Low-Hanging Fruit, Automated Scanner vs. The OWASP Top Ten, shed light on duplication rates, what scanners are good at finding and what they are not -- with a scan-o-meter, discussed business logic flaws, why crawling matters a lot, how much essential human time is required, and even what it takes to make the best scanner. So obviously the scanners overall general poor showing came as no surprise. Most missed nearly half of the vulnerabilities, on test websites no less, where they are designed to be easily found. Imagine how they would perform in the real world! It gets much uglier and dangerous out there I assure you.
  
  I’d highly recommended everyone interested Web application security read Larry’s report for themselves and get familiar with what is the current state-of-the-art in black box scanning products. Much improvement could be made through additional R&D. Remember, keep an open mind, but at the same time take the results with a grain of salt until you test on your systems. Some vendors will say Larry’s work wasn’t perfectly scientific, possessed data errors, was misinterpreted, ran misconfigured, couldn’t reproduce the results, etc. All of that may be true, but so is the fact that it looks like Larry conducted a deeper and fairer analysis than the average would-be user does during typical evaluations.
  
  Here are the three takeaways:
  

  1. Scanner results will vary wildly from website to website. For best results, I highly recommend that you evaluate them on the sites where they are going to be deployed. Better still, if you know of vulnerabilities in those sites ahead of time, use that information for comparison purposes.
  2. The significant human/expert time required for proper scanner set-up, ongoing configuration, vulnerability verification, etc. must be taken into consideration. Which vulnerabilities you scan for is just as important as how you scan for them. Estimate about 20-40 man-hours per website scanned.
  3. Scanner vendors should take into consideration that Larry Suto is certainly more sophisticated than the average user. So if he couldn’t figure out how to run your tool “properly,” take that as constructive feedback.

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 05, 2010
• 11:27

  Best of Application Security (Friday, Feb. 5)

   » ‎ Jeremiah Grossman
  Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
  

  • Accuracy and Time Costs of Web Application Security Scanner Report
  • The Web won’t be safe, let alone secure, unless we break it
  • Why don't websites default to SSL/TLS?
  • RFI List in Burp Suite
  • Web 2.0 Pivot Attacks
  • Building Secure Applications with HTML 5: What is Happening and Where?
  • Mozilla Accepts Chinese CNNIC Root CA Certificate
  • SDL for dummies
  • XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
  • Microsoft CAT.NET 2.0 - Beta

  
  
  WhiteHat Security is a leading provider of website security services.
  
• February 04, 2010
• 15:13

  Web 2.0 Pivot Attacks

   » ‎ Jeremiah Grossman
  Any penetration tester would agree that pivot attacks, designed to compromise a secondary host to more effectively attack primary targets, are incredibly powerful. Organizations tend to have difficulty protecting all hosts at all times, which is why proper network segmentation is vital should loss of control occur on any one node. Often it’s easier to compromise a host from behind rather than head on. Case in point, a hacker used a pivot attack to break into Heartland Payment Systems and pilfer 130 million CC#s. A SQL injection exploit was used to get a foothold in a non-payment-network-host leading to the eventual data compromise. Recently I had a thought that pivot attacks exist in a Web 2.0 world as well, they are just not typically viewed that way.
  
  Many websites automatically load in content from remote resources (JavaScript, Flash, more HTML, images, etc.), which are hosted by third-party providers. These resources normally embed advertisements (DoubleClick), traffic counters (StatCounter), user trackers (whos.amung.us), games (Pogo), videos (YouTube), and thousands of other forms of dynamic content. These are often generically called “Web page Widgets,” things Web page might want to include in their pages for their visitors. There are thousands, maybe tens of thousands of these types of providers. Let’s look at some top mainstream media websites to see what widget hostname they include:
  
  TechCrunch
  ad.doubleclick.net
  ads.undertone.com
  altfarm.mediaplex.com
  b.scorecardresearch.com
  bs.serving-sys.com
  button.topsy.com
  cdn.undertone.com
  edge.quantserve.com
  googleads.g.doubleclick.net
  img.mediaplex.com
  mp.apmebf.com
  network.realmedia.com
  partner.googleadservices.com
  pubads.g.doubleclick.net
  s0.2mdn.net
  services.crunchboard.com
  static.ak.connect.facebook.com
  widget.startups.com
  www.facebook.com
  www.google-analytics.com
  www.oracle.com
  www.sun.com
  www.tumri.net
  ytaahg.vo.llnwd.net
  
  NY Times
  ad.doubleclick.net
  admin.brightcove.com
  ads.pointroll.com
  at.amgdgt.com
  brightcove.vo.llnwd.net
  c.brightcove.com
  googleads.g.doubleclick.net
  graphics8.nytimes.com
  load.tubemogul.com
  markets.on.nytimes.com
  receive.inplay.tubemogul.com
  static.inplay.tubemogul.com
  timespeople.nytimes.com
  video2.nytimes.com
  64.191.193.124
  
  Wall Street Journal
  ac3.msn.com
  ad.doubleclick.net
  adsyndication.msn.com
  om.dowjoneson.com
  online.wsj.com
  s.wsj.net
  www.marketwatch.com
  
  CNN
  ads.cnn.com
  b.scorecardresearch.com
  edition.cnn.com
  i.cdn.turner.com
  i.cnn.net
  metrics.cnn.com
  svcs.cnn.com
  
  USA Today
  ad.doubleclick.net
  ads.adsonar.com
  ads.revsci.net
  altfarm.mediaplex.com
  b.scorecardresearch.com
  content.usatoday.com
  gannett.gcion.com
  i.usatoday.net
  img-cdn.mediaplex.com
  img.mediaplex.com
  js.revsci.net
  media.fastclick.net
  mp.apmebf.com
  optimized-by.rubiconproject.com
  pix04.revsci.net
  r1.ace.advertising.com
  rd.apmebf.com
  tap-cdn.rubiconproject.com
  usata1.gcion.com
  usatoday1.112.2o7.net
  
  Washington Post
  ad.bizo.com
  ad.doubleclick.net
  ads.adsonar.com
  ads.bluelithium.com
  ads.revsci.net
  altfarm.mediaplex.com
  bp.specificclick.net
  custom.marketwatch.com
  fls.doubleclick.net
  js.revsci.net
  media.washingtonpost.com
  mp.apmebf.com
  
  In a Web security context, these websites essentially allow arbitrary executable code, supplied by the third-party, complete access to the browser DOM and the user’s session information. *Exception being IMG SRC loads* That means they can hijack accounts by stealing authentication cookies; change the news or ask for passwords by altering what the user sees on the screen; redirect users to malware laden websites; force browsers to attack other systems, and more. By including Web widgets from an uncontrolled source on your pages, the third-party’s entire infrastructure must be included as part of the implicit trust model. These dangers have been previously discussed by Tom Stripling where the third-party service provider was assumed to be the potential nefarious source. I think the concern lies a bit deeper, where a malicious Web 2.0 pivot attack comes in.
  
  If a bad guy, APT or a less-skilled adversary, wants to surreptitiously compromise a (relatively) hardened Web presence (or its users), they don’t necessarily need go after the target directly, they could instead go after the aforementioned third-party providers. How many of these third-parties take security as seriously as their customers do? Assumed few, but we really don’t know for certain. Please comment below is you have experiences here to share? How many organizations really check up on the third-party’s security posture or even know enough take this risk into consideration? Again, some do, but very few in my personal experience. The organization might dismiss the concern by saying something like:
  
  "If X gets hacked we'll have bigger problems on our hands."
  
  Important to add is that during a Web 2.0 pivot attack no traffic is directly seen by the primary target, which basically makes it impossible for them to detect/thwart the attack before a compromise. Post third-party compromise, it might be nearly as hard to detect a Web widget code update unless you can somehow monitor the content changes in unexpected ways. This of course assumes the primary target knows how, when, or if the third-party changes the code (rare). Not to mention the inclusion of Web page widgets is almost always beyond the visibility of a security team, because this process is largely managed through marketing / product management (not so much application development) and can easily happen at any time with zero notice.
  
  Pen-testers to my knowledge can’t/don’t use this type of pivot attack because the third-party is usually another organization, unwilling to grant security testing authority, and therefore out of the scope of the engagement. Also important is that in a network pivot attack you may still be limited in what you can do on a host due to network secregation, ACLs etc. but in JavaScript space, you are basically God.
  
  Yes, the HTML 5 sandbox would be really nice to have.
  
  WhiteHat Security is a leading provider of website security services.