6:10 PM -- The Web is a tricky thing for me. I not only interact with it, but I write about it, break it, and study it. I have to configure my personal equipment so I can communicate with it, but there is little to no trust relationship between my desktop and my servers. Why? Because of what happened a week ago.
A week ago, two individuals known as Sirdarckcat and Kuza55 attempted to compromise one of the sites that I operate, ha.ckers.org. We later discovered that they did so without malice in their hearts -- but at the time, it was as real as any malicious defacement crew. And these two were trickier than most.
First, they analyzed our security from the outside. They knew that I and my colleagues had built certain trust relationships with the site, and that I am the one who writes the blog. They knew the blog's structure, because I use open-source software. Most importantly, they knew that I ran NoScript, indicating that I don't trust most of the Web, but I do trust a few sites.
Armed with this information, they launched a clever attack. First, they posted a link to another site on ha.ckers.org, accompanied by an interesting description. The site was actually a decoy, and it performed several functions. Inside of an iframe, it attempted to detect whether I had been to the administration pages on the site.
Then they performed an XMLHttpRequest POST to get their payload (a long writeup that they thought would be funny to see on ha.ckers.org) injected into the site. Their assumptions were almost all correct. However, I had anticipated that exact attack -- despite the zero-day exploit in NoScript and the Flash file I had hosted -- and took corrective measures to protect myself from the attack. I'm not going to tell you exactly how I did it, for obvious reasons.
The moral of the story is you really cannot be too paranoid with your security. Even the smallest holes in your site could allow for fairly nasty exploitation. Had I been less careful, I have every confidence that their exploit would have succeeded. Pretty scary, when you think about it.
RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading