inb4 front page news 2010/1/21 <bugt...@cgisecurity.net>
> > Well, that's exactly what I'm saying. Pretending that this is some kind > new > > exploit class simply because Google Wave is used is stupid. This is the > > logical extension of e-mail and instant message and social network > attacks > > to the next potential platform. > > Following in the history of the security community, we should coin a > buzzword on this old issue with a new spin. > WaveJacking sounds like a perfect fit. > </sarcasm> > > > > On Tue, Jan 19, 2010 at 8:10 PM, <valdis.kletni...@vt.edu> wrote: > > > > > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: > > > > Yeah, no kidding. Surprise! Untrusted files can be malicious. If > you > > > > accept files from those whom you do not trust, whether its via > e-mail, > > > > instant message, Google Wave, or physical media, you well and truly > > > deserve > > > > the virus that'll eventually infect your machine. > > > > > > Let's see.. *HOW* many years ago did we first see e-mail based viruses > that > > > depended on people opening them because they came from people they > already > > > knew? 'CHRISTMA EXEC' in 1984 comes to mind. > > > > > > The problem here is that Google Wave is for *collaboration* - which > means > > > that you're communicating with people you already know, and presumably > > > trust to some degree or other. "Hey Joe, look at this PDF and tell me > > > what you think" is something reasonable when the request comes from > > > somebody > > > who Joe knows and who has sent Joe PDF's in the past. > > > > > > I guarantee that if every time you receive a document that appears to > be > > > from > > > your boss, you call back and ask if they really intended to send a > document > > > or > > > if it's a virus, your boss will get very cranky with you very fast. > > > > > > Let's look at that original advisory again: > > > > > > >> An attacker could upload his malware to a wave and share it to his > > > >> Google Wave contacts. > > > > > > Now change that to "An attacker could trick/pwn some poor victim into > > > uploading > > > the malware to a wave...." Hilarity ensues. > > > > > > > > > > > > > > > > --000e0cd2e002580025047da0b22e > > Content-Type: text/html; charset=ISO-8859-1 > > Content-Transfer-Encoding: quoted-printable > > > > Well, that's exactly what I'm saying.=A0 Pretending that this is > so= > > me kind new exploit class simply because Google Wave is used is > stupid.=A0 = > > This is the logical extension of e-mail and instant message and social > netw= > > ork attacks to the next potential platform.<br> > > <br>-- Rohit Patnaik<br><br><div class=3D"gmail_quote">On Tue, Jan 19, > 2010= > > at 8:10 PM, <span dir=3D"ltr"><<a href=3D"mailto: > valdis.kletni...@vt.e= > > du">valdis.kletni...@vt.edu</a>></span> wrote:<br><blockquote > class=3D"g= > > mail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); margin: > 0pt= > > 0pt 0pt 0.8ex; padding-left: 1ex;"> > > <div class=3D"im">On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik > said:<br> > > > Yeah, no kidding. =A0Surprise! Untrusted files can be malicious. > =A0If= > > you<br> > > > accept files from those whom you do not trust, whether its via > e-mail,= > > <br> > > > instant message, Google Wave, or physical media, you well and truly > de= > > serve<br> > > > the virus that'll eventually infect your machine.<br> > > <br> > > </div>Let's see.. *HOW* many years ago did we first see e-mail based > vi= > > ruses that<br> > > depended on people opening them because they came from people they > already<= > > br> > > knew? =A0'CHRISTMA EXEC' in 1984 comes to mind.<br> > > <br> > > The problem here is that Google Wave is for *collaboration* - which > means<b= > > r> > > that you're communicating with people you already know, and > presumably<= > > br> > > trust to some degree or other. "Hey Joe, look at this PDF and tell > me<= > > br> > > what you think" is something reasonable when the request comes from > so= > > mebody<br> > > who Joe knows and who has sent Joe PDF's in the past.<br> > > <br> > > I guarantee that if every time you receive a document that appears to be > fr= > > om<br> > > your boss, you call back and ask if they really intended to send a > document= > > or<br> > > if it's a virus, your boss will get very cranky with you very > fast.<br> > > <br> > > Let's look at that original advisory again:<br> > > <div class=3D"im"><br> > > >> An attacker could upload his malware to a wave and share it to > his= > > <br> > > >> Google Wave contacts.<br> > > <br> > > </div>Now change that to "An attacker could trick/pwn some poor > victim= > > into uploading<br> > > the malware to a wave...." =A0Hilarity ensues.<br> > > <br> > > <br> > > <br> > > </blockquote></div><br> > > > > --000e0cd2e002580025047da0b22e-- > > > > > > --===============1022691582== > > Content-Type: text/plain; charset="us-ascii" > > MIME-Version: 1.0 > > Content-Transfer-Encoding: 7bit > > Content-Disposition: inline > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > --===============1022691582==-- > > > > > http://www.cgisecurity.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/