Not scared about Cross-Site Request Forgery? You should be... you're scared of jail aren't you?

Robert Hansen aka R-Snake has posted a very interesting article today over at his blog. As R-Snake states:

Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might, reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.

So now the real question is would a user with no referring URL be worthy of investigation?

I agree completely with R-Snake on this topic. While I would love taking down those trying to view child pornography, I think we should all be scared of a world where someone can simply force you to view a page through CSRF and possibly get you arrested for a very serious crime. It seems like with each new law related to technology, I get more and more scared of even using the internet. You have laws come up like this that just put people at risk of being wrongly implicated, and then you have regulatory laws and standards like PCI that are just so ambiguous it really gives companies an out to say "We did everything you told us to!" and leave their web applications grossly insecure (specifically here I'm talking about the pentesting clause which is so ambiguous, who knows if the company has actually met the mark or not).

Thanks to R-Snake for jumping on top of this and pointing this out; this is hugely important. At some point, law enforcement and the government are going to HAVE TO START TALKING TO THE SECURITY PROFESSIONALS, because they are making such poor decisions with regard to laws that none of us are safe.

-Nate
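The technical core of R-Snake's point, seen from the defender's side: a navigation triggered by a META refresh, a bookmark and a URL typed by hand all reach the server with no Referer header, so the presence or absence of a Referer says nothing about whether a person chose to make the request. A server that relies on a lenient Referer check to separate forced requests from genuine ones is guessing. The Python model below is an added example, not code from the post or from R-Snake; the `app.example` origin, the request objects and the in-memory session store are constructed. It contrasts three checks for a state-changing endpoint: a lenient Referer check (which a referer-less request passes), a fail-closed Origin/Referer check, and a synchronizer token bound to the session, which is the defence that stops a forged state change no matter how the request was triggered. Because tokens are only accepted on POST, a state change attempted via a plain GET link is rejected outright.

```python
"""Why a Referer-based CSRF check is not enough, and what to use instead.

Constructed example: a small model of a web application's request handling
with three different checks applied to a state-changing endpoint.  The
Request objects built in demo() are constructed sample inputs, not captured
traffic, and app.example is an assumed origin.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected app


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form fields
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """In-memory sessions; every session gets its own random CSRF token."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def _same_origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def lenient_referer_check(req):
    """Allows the request when the Referer is absent.  A meta refresh, a
    bookmark and a typed URL all arrive without one, so this check cannot
    tell a forced navigation from a deliberate one."""
    ref = req.headers.get("Referer")
    return True if ref is None else _same_origin(ref)


def strict_origin_check(req):
    """Fail closed: trust Origin if present, else Referer, else reject."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return src is not None and _same_origin(src)


def token_check(req, store):
    """Synchronizer token: only a POST carrying the token bound to the
    caller's session may change state.  A cross-site page can make the
    browser attach the session cookie, but cannot read this token."""
    if req.method != "POST":
        return False
    sess = store.get(req.cookies.get("sid", ""))
    if sess is None:
        return False
    supplied = req.params.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode("utf-8"),
                               sess["csrf"].encode("utf-8"))


def evaluate(req, store):
    """Run all three checks on one request and report each verdict."""
    return {"lenient_referer": lenient_referer_check(req),
            "strict_origin": strict_origin_check(req),
            "token": token_check(req, store)}


def demo():
    store = SessionStore()
    sid = store.create()
    token = store.get(sid)["csrf"]
    cookies = {"sid": sid}   # the browser attaches this to every request
    # 1. Navigation with no Referer: meta refresh, bookmark and typed URL all look like this
    no_referer = Request("GET", "/account/delete", {}, {}, cookies)
    # 2. Link followed from a third-party page
    cross_site = Request("GET", "/account/delete",
                         {"Referer": "https://other.example/page"}, {}, cookies)
    # 3. Genuine form submission from the application's own settings page
    genuine = Request("POST", "/account/delete",
                      {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/settings"},
                      {"csrf_token": token}, cookies)
    return {"no_referer": evaluate(no_referer, store),
            "cross_site": evaluate(cross_site, store),
            "genuine": evaluate(genuine, store)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<11} {verdict}")
```

The first scenario is the one R-Snake describes: the lenient check waves it through because there is nothing to compare, while the fail-closed check and the token check both reject it. Only the genuine submission, which carries both a same-origin header and the session-bound token, passes all three.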

Talkback

25 comments
  • NoScript is essential.

    I can't imagine not using it anymore. I happen on a blog site, and NoScript tells me of 19-15 other sites wanting to run javascript on the page. Even here, why should I allow

    bnet.com
    com.com
    questionmarket.com?

    Unless it directly affects something I want to do on the specific site, I won't even allow the hosting page to run javascript.

    No user, not a single one, that I support doesn't have NoScript installed and auto-updating. It isn't obtrusive, I allowed ZDNet the first time here, and that's it. It mitigates the above, tons and tons of malware and speeds up my sister's web surfing immensely (dialup).

    TripleII
    • 10-15 (NT)

      TripleII
    • RE:

      I do most of my testing in IE, so I'm not sure if NoScript now prevents CSRF in all cases or not, but I found the following snippet from Google that suggests it doesn't prevent CSRF against GET requests:

      "This is a great solution, but it is not completely secure. Some CSRF attacks allow GET-requests, which NoScript will not protect you against. Also, you will have to wait for an update to be protected against special XSS or CSRF-bugs (like the jar bug) in the browsers. How about an even more secure (but slightly less convenient) solution?"

      Again, I've not verified this, I'd just say let's not fall into the trap of blindly believing NoScript keeps us completely secure, even though it does a great job.

      -Nate
      nmcfeters
      • You are right.

        I see it updating a few times per month so there are more and more problems found. I will never tell anyone they are absolutely secure (ok, not networked, you are pretty secure :D ) but it helps.

        Are there any other tools that exist to prevent this type of thing?

        TripleII
        • RE:

          There's other signature based tools for prevention of issues, but NoScript is pretty good. I don't think there's anything I know of that has a great handle on preventing cross-site request forgery at this point.

          -Nate
          nmcfeters
    • I like NoScript but...

      I'm not sure I would recommend to people who weren't comfortable with computers and troubleshooting. Some sites will clearly say: "Please enable Javascript to continue..." but others don't, they just kind of halfway work, sort of, perhaps. You know and I know by looking through the list of sites blocked in NoScript that sites 2 and 5 are probably good to let through but most people wouldn't. There have also been some sites (not many but they exist) that seem to detect Javascript isn't enabled and return a page where you don't even get the option of unblocking the right site. They seem to fall back to a non-javascript mode and so you can't use the site to its full potential.
      NonZealot
      • RE: It's a trade off

        Personally, I'd much rather deal with the tech support calls from my Mom and Dad then with having them get pwned.

        -Nate
        nmcfeters
      • I train users.

        After activating, I will walk them through 30 or so sites. I show them that enabling the actual site they are visiting is generally ok, but if they don't recognize any other site, don't bother.

        Some sites are pro-actively checking to see if it is running, then redirecting to another page that sometimes doesn't show any blocked entries, but I tell users if they are working that hard to defeat NoScript, you probably don't want to enable them.

        TripleII
  • Published instructions for framing your boss?

    This article worries me for several reasons, not the least of which is that the idea of "proven guilty beyond a reasonable doubt" has been destroyed by the authorities and the courts.

    What's been published is a cookbook for revenge against bosses, ex-husbands, and even total strangers. Want to send somebody to prison for life? Just get access to their computer (not even physical access) and make a few clicks. It's done.

    I can also see the botnet operators taking their extortion activities to new heights with this. As they now extort people by threatening to erase data, the new threat will be to DEPOSIT data on your systems in ways you can't find, but the FBI can. It's easy enough to create files on the computer, then delete them. You will never find the evidence using any commercial security tool, but forensics tools used by police would find them in a heartbeat.

    And off to jail you go. The Feds have gone so far as to protect the real perpetrator by denying that the possibility of being framed even exists.

    Personally, I believe that the guy mentioned in the article was guilty of something, especially if he tried to destroy evidence. But to be convicted because of a hyperlink being accessed by an IP address without PROOF that a human is even present is a disturbing denial of basic rules of evidence and law.

    For the common people, the need for security has never been greater. Personal security, like controlling access to your PC and your home network. Data security to protect your PC from malware. And Internet security to avoid any site that could be compromised in even the slightest way.

    In fact, we must now consider the Internet as a VERY dangerous swamp where even the most innocuous site could harbor a lethal disease able to instantly destroy your life. And you won't know until it's far too late ...
    terry flores
    • it's the legal part...

      What you said is an excellent exposure of what's wrong with many recent computer related laws... as was also stated in the article. But maybe this law is fixable. Discovery of [erased] evidence of clicking on a child porn link should be grounds for further investigation - granting a legal request for in depth monitoring. Hidden video cam to watch what/who actually does it, perhaps?

      Asking lawmakers to talk to security professionals... HAHAHAHA. That would be like expecting CIO's to talk to their own in-house security folks before they mandate dumb security policies that make more work but don't actually do anything to provide additional security...

      Come on, you've seen this happen!
      ridingthewind
      • Think Again

        I would really expect something to have been proven before I submit to the kind of monitoring you are proposing. I cannot condone opening millions of Americans to this Big Brother style of Civil Rights violations to catch a statistically few people who are actually performing the infraction. Child Porn is very serious, I have four kids I adore and want protected, but trading Civil Liberties away en mass for protection is a very, very, very bad idea.
        philpenn
        • It's done, get used to it.

          "but trading Civil Liberties away en mass for protection is a very, very, very bad idea."

          It's already done, you have almost no rights left in federal courts. The feds can do anything they want to you because there are no penalties left for misconduct. No evidence is excluded under new rules, no police activity is entrapment or harassment, and the seizure laws allow them to take all your assets and you have to prove your innocence to get them back. In fact, the seizure laws are probably the most damaging and pernicious of all. If the feds so choose, they can make you homeless, jobless and penniless without a trial, and you don't have a hope of getting through the process to reclaim your life unless you have a rich relative to pay your legal fees. It happens many times every day, but no media covers these cases or talks to the thousands of innocent people who have had their businesses, homes, cars, and bank accounts seized because the feds SUSPECTED a crime. Not proved, SUSPECTED.

          One case locally, a poor woman ended up with $60,000 legal fees to get back her house and car which were seized by the Feds because her ex-husband was SUSPECTED of selling cocaine to a buddy while playing poker at the house. She lost her job when the car was seized and her bank account was emptied by the Feds so that she couldn't buy even an old junker to get to work. Even from the 10-line news story, you could tell that the Feds were doing it entirely from spite, since they knew the ex-wife wasn't involved in the alleged crime.
          terry flores
          • I disagree

            While I am as troubled by this crap as you are, if you think this is as bad as it can get, you have another thing coming. I will fight, rail, and scream from the roof tops to at least try to slow this erosion.
            philpenn
          • RE: It's done get used to

            This is exactly the kind of complacency that they are hoping for. We can't ever let ourselves fall in line with the loss of civil liberties.

            Being someone who has had uncles and a grandfather fight in wars to secure our civil liberties and those of others, it sickens me when our government so readily takes those liberties away and no one is educated enough to realize.

            -Nate
            nmcfeters
        • and back...

          I'm not saying bypass the existing process of getting court permission to do further monitoring. But isn't using some electronic trace evidence as a support for getting the court order to monitor, better than letting it stand alone as complete proof that someone actually did the indicated surfing?
          ridingthewind
    • Nothing needs to be proven.

      terry flores wrote:

      "This article worries me for several reasons, not the least of which is that the idea of 'proven guilty beyond a reasonable doubt' has been destroyed by the authorities and the courts."

      The mere allegation that someone has been involved in something illegal is enough to trigger an avalanche of expenses, hassles and misery just to clear one's name. And the fact that the person who plants the trap may well be untraceable only adds insult to injury.
      JDThompson
    • The Internet is a swamp.

      Quote: "In fact, we must now consider the Internet as a VERY dangerous swamp where even the most innocuous site could harbor a lethal disease able to instantly destroy your life. And you won't know until it's far too late ..."

      Just keep in mind, that when you "surf the 'net", you ARE surfing amongst alligators and sharks! And they will eat you alive.
      fatman65535
      • But even sites like the NYT and ZDNET could be dangerous

        One of the best ways to deliver malware and bot trojans is to hack a respected website and use it as the way to hook and disseminate the hack to victims. There have been many incidents in the last year, and probably most of them were downplayed or covered up. Even some of the most-trafficked sites on the web don't have the discipline of security needed to avoid these attacks. And of course the ultimate diversion attacks happen on routers; then you could type in "ebay.com" and end up on some rogue site being used to drive-by download crap to your PC.

        So it's not just a risk to "surf" dodgy sites, it's a risk to access ANY site because it could be a security breach. And any security breach could expose you to a new level of damage and pain, courtesy of the US government. Those are the people who are supposed to protect us, in case you forgot ...
        terry flores
  • RE: Not scared about Cross-Site Request Forgery? You should be... you're

    Never thought I would be terrified to be an American, but now it is a different story.
    bdeforde73@...
    • RE:

      And the fear doesn't come from an outside source.
      nmcfeters