
Thread: Cookie Grabber

  1. #11
    Join Date
    Jun 2005
    Location
    UK
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    That pretty much sums it up, although I don't entirely agree with:
    This isn't entirely MS's fault.
    If Microsoft's software is only the most often cracked because it's the most popular, how do you explain the fact that Apache is by far the most popular webserver package -- and yet IIS is still the most frequently compromised?

    Also, with regards to #4, Firefox 2.0 plans to implement some revolutionary new anti-phishing technology. Just how good it actually is remains to be seen -- I don't think it's been added to the version on the build tree yet.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  2. #12
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Default

    Quote Originally Posted by Twey
    Also, with regards to #4, Firefox 2.0 plans to implement some revolutionary new anti-phishing technology. Just how good it actually is remains to be seen -- I don't think it's been added to the version on the build tree yet.
    It might have been, or at least I remember reading a review somewhere. Though anti-phishing is a standard feature for quite a few newer browsers (e.g. IE7), which is always good.

  3. #13
    Join Date
    Aug 2006
    Location
    Kansas
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    That does help a lot. I have my mother on a Mac so she's not using IE, she's using Safari and Firefox. I am more concerned with her computer than mine because my little brother plays Neopets, which is where I first heard about this thing when he called me asking me what one of those things actually was.

    I was concerned about his NP account because he spends so much time on it, but more concerned about my mother's banking account and things like that. Why I asked if the coder had to specify the cookie it wanted or had to be on that domain. So all I really had to worry about was my little bro's account and not my mother's.

    I do have them cleaning cookies before he goes near the site or any NP related site. I also have required him to go to sites that are largely 'known' and not questionable.

    Being mainly a Commercial Artist, coding is something I do on the side so other coding I'm not much into, but I figured someone here would help me... So thanks for not letting me down. Also thanks for all the information.

    Oh and it's she for those who were referring

  4. #14
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12

    Default

    Quote Originally Posted by Twey
    If Microsoft's software is only the most often cracked because it's the most popular, how do you explain the fact that Apache is by far the most popular webserver package -- and yet IIS is still the most frequently compromised?
    It's a love/hate relationship for most hackers. They love to hack MS because they hate them. I didn't mean to imply that the MS software is the industry leader in all categories, just that its overall prominence and its (deserved I think) reputation for shoot from the hip business practices (something I didn't mention before) has made it a bit of a favorite target.
    - John

  5. #15
    Join Date
    Jun 2005
    Location
    UK
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    For an XSS attack to take place, the site whose account of yours the attacker wishes to steal must be vulnerable. Let's face it, that's probably not going to happen on a bank website, which probably employs the best security experts around and keeps user interaction to a minimum possible for just such a reason.
    Of course, if you run an ActiveX control by clicking the little "yes" box when it asks permission, or IE is "persuaded" to run one without your knowledge, all the cookies from any site available can be taken. In fact, your entire computer can be taken over, keyloggers installed, all sorts of digital unpleasantries watching your every move.

    Which is why you should avoid Internet Explorer.

    He shouldn't be in too much trouble so long as he stays off IE (or at least disables ActiveX, although this includes more innocent components like XMLHttpRequest which could add functionality to a website) and doesn't download programs except from those trusted sites you mentioned. If possible, I'd advise you to use the Mac for any business or financial work where sensitive data is being handled.

    Quote Originally Posted by jscheuer1
    I didn't mean to imply that the MS software is the industry leader in all categories
    Oh no, I didn't mean to imply you did. According to Netcraft, Apache has over twice the market share of IIS. Even factoring in the let's-all-kill-Microsoft aspect, statistically Apache should receive at least the same number of security hits. However, looking at data for Apache 2.0 and IIS5 (there isn't a lot of data on either IIS6 or Apache 2.2 yet; two holes for Apache, three for IIS) we can see that IIS has fewer actual advisories than Apache, a pretty sure sign that people haven't been searching for them so much, but also that what vulnerabilities were disclosed are considerably higher in criticality than those for Apache, which says to me, especially coupled with the relative lack of advisories, that either the security researchers got really lucky, or IIS is full of holes and the only reason so few were found is that most people were concentrating on Apache.
    Last edited by Twey; 08-07-2006 at 05:35 AM.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
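
Added example, not part of the original thread: a small model of which cookies a page's own script can read through `document.cookie`, illustrating the point above that a script only sees cookies scoped to the site it runs on. It follows the RFC 6265 domain and path matching rules and also models the `HttpOnly` and `Secure` flags, which go beyond what the thread mentions; all hostnames and cookie names are constructed.

```javascript
// Which cookies can a script on a given page read via document.cookie?
// Models RFC 6265 domain/path matching plus the Secure and HttpOnly flags.
// Every hostname and cookie below is constructed for illustration.

function domainMatches(host, cookie) {
  host = host.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, "");
  if (cookie.hostOnly) return host === domain; // no Domain attribute was set
  // Suffix match only on a label boundary: "notgames.example" must not
  // match a cookie scoped to "games.example".
  return host === domain || host.endsWith("." + domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function scriptVisibleCookies(jar, pageUrl) {
  const url = new URL(pageUrl);
  return jar
    .filter((c) => domainMatches(url.hostname, c))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || url.protocol === "https:")
    .filter((c) => !c.httpOnly) // HttpOnly cookies are sent to the server but hidden from scripts
    .map((c) => c.name);
}

// Constructed cookie jar: a game site and a bank in the same browser profile.
const jar = [
  { name: "game_session", domain: "games.example", hostOnly: false, path: "/", secure: false, httpOnly: false },
  { name: "game_prefs", domain: "www.games.example", hostOnly: true, path: "/", secure: false, httpOnly: false },
  { name: "bank_session", domain: "bank.example", hostOnly: true, path: "/", secure: true, httpOnly: true },
  { name: "bank_theme", domain: "bank.example", hostOnly: false, path: "/", secure: true, httpOnly: false },
];

// A script injected into a page on the game site sees only that site's cookies.
console.log(scriptVisibleCookies(jar, "http://www.games.example/forum/post"));
// Even on the bank's own pages, the HttpOnly session cookie stays hidden.
console.log(scriptVisibleCookies(jar, "https://bank.example/account"));
```

For a site owner the takeaway is to set `HttpOnly` and `Secure` on session cookies and to avoid a broad `Domain` attribute unless subdomains genuinely need the cookie.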

  6. #16
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Right. Ok, thanks.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  7. #17
    Join Date
    Jun 2005
    Location
    UK
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    ... huh?

    That's a bit of a non-sequitur. Did you post in the right thread?
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  8. #18
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Ha, sorry. I posted having not seen the next page, about the response to my question before.
    Yes, non-sequitur.
    Carry on....
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
