next »

[isthisthingon]

http://www.networkworld.com/news/2010/050410-us-treasury-web-sites-hacked.html?source=NWWNLE_nlt_daily_pm_2010-05-04

According to Thompson, hackers had added a small snippet of virtually undetectable iframe HTML code that redirected visitors to a Web site in the Ukraine that then launched a variety of Web-based attacks based on a commercially available attack-kit called the Eleonore Exploit pack.

 

[vsloathe]

Meh.

Simple XSS, possibly session jacking from a Confused Deputy vector (Barney Fife?!)

No one was really "hacked". Further, there's not a whole lot you can do to prevent it. XSS holes exist all over the web, it is SO DAMNED HARD to sanitize everything. You'll invariably not think of some clever vector of attack on a site that large.


EDIT: I said "not really news", when in fact it quite is news.

[isthisthingon]

I fall for that crap all the time.  Why in the world would anyone question a conflict of interest between the likes of AVG and elevating concerns for security   http://thompson.blog.avg.com/2010/05/treasury-website-hacked.html

His blog sig says it all:

For a short while today a couple of treas.gov websites were hacked, and were reaching out to an attack site in Ukraine.

...
Keep safe folks,
Roger

Boo