Comments on: Dynamic Linking: ELF vs. Mach-O

By: Dynamic symbol table duel: ELF vs Mach-O, round 2 at time to bleed by Joe Damato

Dynamic symbol table duel: ELF vs Mach-O, round 2 at time to bleed by Joe Damato — Tue, 01 Jun 2010 13:02:46 +0000

[...] The intention of this post is to continue highlighting some of the similarities and differences between ELF and Mach-O that I encountered while building memprof. The previous post in this series can be found here. [...]

By: Florin Andrei

Florin Andrei — Thu, 27 May 2010 07:05:08 +0000

That explains the otherwise unexplainable “event” last year, when we had our AmEx card hijacked during a trip to Eastern Europe. All they needed was one attempt to login to the AmEx site.

By: Vojislav Stojkovic

Vojislav Stojkovic — Wed, 26 May 2010 19:12:30 +0000

You're all heart, Brad. Let's see, your contribution was to flame me and then add nothing useful to what I said.

I'm not going to discuss my personal shopping and banking habits with you, or the security precautions I might take under either normal or exceptional circumstances. I will, however, point out why your reply was a completely useless flame: if a public location is not safe due to factors that have to do with the customer or the location itself, it's not an excuse for a bank or a merchant to fail at their end of the security. That's what we were all criticizing here, in case you forgot.

By: Sergey Shepelev

Sergey Shepelev — Wed, 26 May 2010 18:01:07 +0000

Sure, SSL is easy and why not. Probably, it's just much less important for me than for you. My intent was rather sarcastic, not trolling actually.

By: Website Design

Website Design — Wed, 26 May 2010 17:13:12 +0000

Wow… that's amazing! What a screw up, somebody is getting fired…

By: skhan

skhan — Wed, 26 May 2010 08:16:56 +0000

This is the cost of outsourcing…I could care less what they say!

By: sswam

sswam — Wed, 26 May 2010 07:22:19 +0000

given that AMEX and other credit card companies (usury companies) steal your money as fast as they can, why should they care if other people steal it too? They still make their cut when someone steals your money.

By: Jason

Jason — Wed, 26 May 2010 06:39:29 +0000

Great point, seems like just a temporary “technical” fix rather than a comprehensive solution.

If I don't see that lock up there and special treatment of the url box, I'm not putting in my CC info. Even then, I'm fairly certain that if they have the page and the iframe on HTTPS, those 3rd party scripts can then access all the data in the iframe. Ironic that adding HTTPS to the parent page reduces security!

By: George

George — Wed, 26 May 2010 06:08:06 +0000

The unfortunate thing is that iframe jails do very little to secure anything & the fact that the form now submits via HTTPS means nothing so long as the page loaded via HTTP. How would my mom for instance know it's safe to provide her card information since there's no https: and lock for her to check? Should she fire up Wireshark and do a test transaction? LOL!

It gets worse. In the "old days" of http based MitM it took a skilled person to do anything more than sniff the connection. Now days there are plenty of freely available packages, including some "point and click" ones that allow attackers to insert their own markup and scripts into a an HTTP delivered page to then deliver whatever they'd like.

The only way for AMEX to fix this is to turn the entire site to HTTPS & stop loading third-party JavaScript which they have zero control over.

By: Joe Damato (ice799)

Joe Damato (ice799) — Wed, 26 May 2010 05:34:18 +0000

wireshark output is proof that the post went back over cleartext.