Simon Willison’s Weblog

Items tagged security in 2004

Filters: Year: 2004 × security ×

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

[... 262 words]

User Education Is Not the Answer to Security Problems. Smart thinking on security from Jakob Nielsen. # 1st November 2004, 1:22 pm

Net security threats growing fast. 30,000+ PCs a day are being compromised for botnets. # 20th September 2004, 6:44 pm

OS X Security Update 2004-09-07 (via) Plenty of important fixes; a must-have. # 8th September 2004, 3:45 pm

The bookmarklet solution to the password problem

Anyone who makes heavy use of the internet has run in to the password problem: dozens of user accounts on sites with varying degrees of trustability, leading to an unmanageable proliferation of username and password combinations. The temptation is to use the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising al of your other accounts.

[... 366 words]

IE in Windows XP SP2. An overview of the new security changes. # 10th August 2004, 7:39 pm

Race conditions in security UI. A vulnerability that is even more effective against advanced users (i.e. fast typists). # 2nd July 2004, 4:14 pm

Bruce vs. Bruce (via) Schneier and Sterling discuss security and technology. # 15th June 2004, 10:04 pm

Daring Fireball: Security Cannot Be Spun. Apple’s communication handling of the recent security problem was atrocious. # 31st May 2004, 4 am

Background Images Security Flaw? Styling :visited links can reveal a user’s browser history. # 24th May 2004, 8:24 pm

Mac OS X helpviewer security flaw fixed. Hit Software Update. Not sure if this fixes the telnet: variety though. # 22nd May 2004, 5:08 am

Defending against the OS X help: vulnerability

There’s a nasty OS X vulnerability under discussion at the moment which lets a web page execute code on your machine by taking advantage of a flaw in the “help:” protocol. There’s a non-malicious demonstration of the exploit on this page, and Jay Allen is hosting a discussion on the exploit and ways to avoid it.

[... 253 words]

Mac OS X URI Handler Arbitrary Code Execution (via) Very nasty: affects all web browsers, allows compromise by malicious web sites. # 18th May 2004, 3:39 pm

Why Windows is a Security Nightmare. The pain of Windows Update over a 56K modem. # 18th May 2004, 5:50 am

Bruce Schneier: We are all security customers. How can the US get the best return on investment for homeland security? # 4th May 2004, 6:34 pm

M.I.T Card Information (via) Who’s bright idea was it to introduce a poorly secured swipe card system in a school full of hard-core techies? # 25th April 2004, 8:58 pm

Will Trade Passwords For Chocolate (via) I’m not at all surprised. Most people see passwords as more of an annoyance than a security measure. # 20th April 2004, 4:27 am

It’s only going to get worse

This analysis of the spread of the witty worm is fascinating for a whole bunch of different reasons.

[... 395 words]

XP Service Pack 2 Review. Several welcome security improvements for those still suffering on Windows ;) # 21st March 2004, 9:14 pm


I’m going to try not to turn this in to a blog about Windows security exploits but this one is genuinely interesting in that it actively tries to steal financial information and important passwords. Bizex spreads itself by spamming messages over ICQ advising the recipient to visit a specific URL. When they visit it, Internet Explorer exploits are used to download and execute the main payload which then infects their ICQ program and uses it to message their contacts. The worm also scans their hard drive for information relating to a number of well known financial services which it then uploads to a server via FTP, and it apparently snoops on their browser for any passwords travelling over HTTPS connections as well.

[... 216 words]

Novel security measures

An article on SecurityFocus led me to this site about Port Knocking. Port Knocking is an interesting security technique in which a box sits online with no ports open to connections and awaits a specific sequence of connection attempts. A user wishing to connect to the box must first attempt to initiate connections to ports in a specific, secret order. Once they do, the box starts up the required service (such as an SSH daemon) on a designated port and allows the user to connect properly.

[... 145 words]

“I’m Brian and so’s my wife”

I’m subscribed to a whole bunch of mailing lists, mostly as a lurker as I have a hard enough time just keeping up with some of them. One of those lists is Bugtraq, which is pretty much required reading for anyone with sysadmin responsibilities for a server connected to the public internet. Bugtraq is the central hub of the “public disclosure” security community and is actually surprisingly low traffic with only twenty or so messages a day. It’s fascinating to watch the latest exploits for all manner of popular software packages tick by on an hourly basis.

[... 285 words]

Slouching toward Big Brother (via) Security is a trade-off # 30th January 2004, 7:18 pm

Election boxes easy to mess with (via) More on Diebold’s ludicrous security # 30th January 2004, 7:11 pm

Defending web applications against dictionary attacks

Over at Reflective Surface, Ronaldo M. Ferraz discusses the usability of an authentication system that locks down an account for a certain period of time after three failed login attempts. Ronaldo sees this as a trade off between usability and security, but I see it more as an added security issue in that it allows malicious third parties to lock other user’s accounts armed only with their username.

[... 398 words]

non-consensual http user tracking using caches. Interesting security issue involving HTTP caching headers # 20th January 2004, 10:37 pm