July 28, 2006 12:44 PM PDT
- Related Stories
The security risk in Web 2.0July 28, 2006
Worm lurks behind MySpace profilesJuly 18, 2006
Browser bugs hit IEJune 29, 2006
PayPal fixes phishing holeJune 16, 2006
Here come the 'Family 2.0' sitesJune 2, 2006
Hijacking MySpace for fame and fortuneMay 10, 2006
Google deal highlights Web 2.0 boomMarch 13, 2006
"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."
A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.
"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."
"Everything has a Web server these days," Grossman said.
Pings from the host
At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers," he said. "As we're attacking the intranet using the browser, we're taking complete control over the browser."
29 commentsJoin the conversation! Add your comment