Old Unwanted Internet Accounts are a Pain

  • Thread starter anorlunda
  • Start date
  • #36
pbuk
Science Advisor
Gold Member
3,655
2,099
You referred to "evidence for the second part of that sentence", which was "keyloggers that log every key you enter are more and more common" − it was not regarding the first part of @harborsparrow 's sentence, which made reference to JavaScript libraries as a source of keyloggers, that I was responding; it was regarding only the second part.
There seems to be a misunderstanding and I am sorry for my part in this. The context of @harborsparrow 's sentence, was javascript running in browsers when users visit web pages, and all of my posts in this thread have assumed the same context.

I think that this qualifies as a "dependency compromise" − from https://snyk.io/vuln/SNYK-JS-JQUERY-565129:
No, a dependency compromise is specifically the injection of malicious code into the dependency chain, not simply a vulnerabilty of another kind (in this case an XSS vulnerability) in a dependency. See https://attack.mitre.org/techniques/T1195/001/
 
  • #37
pbuk
Science Advisor
Gold Member
3,655
2,099
... jQuery 2.0, which is provably a compromised dependency
In general usage the word 'compromised' can be synonymous with 'flawed' however in computer security 'compromised' means 'made vulnerable by unauthorized access' and so this statement is not true in the conxtext of computer security.
 
  • #38
BillTre
Science Advisor
Gold Member
2,143
6,643
Do keyloggers only pick-up data coming from the keyboard?
Would they pick up automated entries or voice recognized words turned into text?
 
  • #39
pbuk
Science Advisor
Gold Member
3,655
2,099
Do keyloggers only pick-up data coming from the keyboard?
Would they pick up automated entries or voice recognized words turned into text?
Are we still talking about web sites? If someone can inject has injected JavaScript into a site, or use has used typosquatting and/or phishing to create a malicious site which wraps or mimics a target site then it is basically 'game over' for the security of any data that is entered by any method or provided in any form on that site by anyone using it.

It would be good if we could get away from discussing keyloggers on web sites, they are not really a problem.
 
Last edited:
  • #40
sysprog
2,613
1,782
pbuk said:
sysprog said:
... jQuery 2.0, which is provably a compromised dependency
In general usage the word 'compromised' can be synonymous with 'flawed' however in computer security 'compromised' means 'made vulnerable by unauthorized access' and so this statement is not true in the conxtext of computer security.
That looks to me like a false dichotomy ##-## jQuery 2.0 is 'compromised', in that it is known that it can be used for purpose of facilition of XSS attacks. I didn't use 'compromised' to mean 'flawed'; I used it to mean 'demonstrated to be untrustworthy'. Your definition, while it appears to me to be not incorrect, is not the only meaning that the term has, including when it is used within a context of data security.

For example, from https://auth0.com/blog/sha-1-collision-attack/:
SHA-1 Has Been Compromised In Practice
##\cdots##​
Additionally, since the published attack vector has only been proven with PDF files, the team created a website, shattered.io, which allows you to test your PDF files and see if they could have been compromised.​
From http://www.redbooks.ibm.com/redbooks/pdfs/sg248100.pdf:
Exploitation might also be because of the usage of a function within a system in an unintended way that compromises the system or underlying data.​

And, from https://www.tomshardware.com/news/researchers-reveal-new-sha-1-attack:

New 'Shambles' Attack Against SHA-1 Shows It’s Finally Time to Ditch It
A new collision attack against the SHA-1 hash function shows that SHA-1 attacks are getting significantly cheaper with each passing year and that it should no longer be used for software security. The new attack puts PGP and other software that uses SHA-1 in their authentication schemes at risk of being compromised.​

Apparently, including in a context of data security, 'compromised' can mean something like 'demonstrated to be untrustworthy'.
pbuk said:
If someone can inject JavaScript into a site, or use typosquatting and/or phishing to create a malicious site which wraps or mimics a target site then it is basically 'game over' for the security of any data that is entered by any method or provided in any form on that site by anyone using it.
I think that this is an oversimplified, overly absolutist, and possibly rather defeatist position ##-## the fact that some exploits succeed should not deter us from persisting in our data security mission.
pbuk said:
It would be good if we could get away from discussing keyloggers on web sites, they are not really a problem.
Sometimes keyloggers are a critical part of a comprehensive attack strategy.
 
Last edited:
  • #41
BillTre
Science Advisor
Gold Member
2,143
6,643
Thanks for answering my simple question @pbuk, it was most helpful. :bow:
 
  • Like
Likes sysprog
  • #42
pbuk
Science Advisor
Gold Member
3,655
2,099
That looks to me like a false dichotomy

...

Apparently, including in a context of data security, 'compromised' can mean something like 'demonstrated to be untrustworthy'.
No, the fallacy is yours. 'Compromised' (= C) is a subset of 'demonstrated to be untrustworthy' (= D). The statements you quote are of the form 'x∈C' and so we can infer in each case x∈D however this does not mean that C = D.

I think that this is an oversimplified, overly absolutist, and possibly rather defeatist position
The post to which you referred was not as clear as it could have been: I have corrected it.

The fact that some exploits succeed should not deter us from persisting in our data security mission.
Absolutely!

Sometimes keyloggers are a critical part of a comprehensive attack strategy.
Maybe, but often they are not. In order to improve security you need to focus on the attack vector, not the payload.
 
  • #43
sysprog
2,613
1,782
No, the fallacy is yours. 'Compromised' (= C) is a subset of 'demonstrated to be untrustworthy' (= D). The statements you quote are of the form 'x∈C' and so we can infer in each case x∈D however this does not mean that C = D.
I said that 'demonstrated to be untrustworthy' was one of the meanings of 'compromised' ##-## that would make C a superset of D; not a subset.

You contended that although outside of a data security context,
'compromised' could mean 'flawed', within such a context, it means 'made vulnerable by unauthorized access', and if you meant by that contention to hold that to be the only meaing of 'compromised' in such a context, then that is in my view a false dichotomy.

I think that that, for example, 'demonstrated to be untrustworthy is another legitimate meaning for 'compromised', including within a data security context.
 
Last edited by a moderator:
  • #44
berkeman
Mentor
63,242
14,195
Thread closed temporarily for Moderation...
 
  • #45
berkeman
Mentor
63,242
14,195
After a Mentor discussion, the thread will remain closed. Thanks everybody for an interesting thread.
 

Suggested for: Old Unwanted Internet Accounts are a Pain

Replies
27
Views
1K
  • Last Post
Replies
6
Views
410
Replies
11
Views
822
  • Last Post
2
Replies
39
Views
549
Replies
10
Views
494
Replies
15
Views
2K
  • Last Post
Replies
1
Views
976
  • Last Post
Replies
9
Views
808
Replies
52
Views
2K
  • Last Post
Replies
6
Views
2K
Top