NoScript and hijacked trustworthy websites (such as TechCrunch and SongLyrics)
Last week, Qualys’ CTO Wolfgang Kandek told me that the “modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them.” (The Top Cyber Security Risks Report) I found this quite disturbing because it makes me wonder if I am actually as safe on the internet as I had always thought I was.
You see, I use Firefox and NoScript. And NoScript will stop any script at all, whether benign or malicious, running in Firefox – unless I temporarily or permanently whitelist the page in question. This has to be a good thing. It means that when I visit a site and nothing much happens, I am forced to ask myself: do I trust this site? If I do, I can whitelist it and get the full experience. If I don’t, I can just move on, confident that nothing untoward has happened.
But that was before Kandek’s comment. This sounds like a game-changer. If the bad guys compromise a good site, when I ask myself ‘do I trust this site’ I will probably say yes. And if the site in question was either TechCrunch or SongLyrics (two good sites recently hacked), I might have whitelisted a site that had been compromised.
Does this mean, I had to ask myself, that NoScript is no longer as useful as I thought? Well, who better to really ask than NoScript’s developer, Giorgio Maone. “Had I visited TechCrunch a couple of weeks ago, even with NoScript, would I now be infected?” I asked him.
In other words, even when TechCrunch was compromised, it was not TC that was dangerous, it was the site that was linked – let’s call it GetHackedHere.ru – that was dangerous. And so long as you don’t whitelist GetHackedHere.ru, then NoScript will continue to keep you pretty safe.
But Maone didn’t stop there. Did you know, he asked, “that middle-clicking on site names shown in the NoScript menu opens a tab where a few tools are linked, giving information on that site?” I didn’t, so I tried it on TechCrunch. It gave me four options: the WOT Scorecard, the McAfee SiteAdvisor Rating, the Webmaster Tips Site Information, and Google’s Safe Browsing Diagnostic.
I clicked the last.
In the last 90 days, 58 pages on techcrunch.com have been compromised – although nothing since 6 September. But note that, confirming Maone’s comments, the actual malware was hosted on virtuellvorun.org, not on TechCrunch. So NoScript users would have remained protected even if they had whitelisted the compromised TechCrunch because NoScript would have disallowed any scripts from the still blacklisted virtuellvorun site.
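To make the per-site decision concrete, here is an added example (not NoScript's code, and not from Maone) that models a default-deny script whitelist over a constructed page. The matching rule (a host is trusted if it equals a whitelist entry or is a subdomain of one), the script paths and the `static.techcrunch.com` host are assumptions made for illustration.

```javascript
// Simplified model of a default-deny, per-site script whitelist.
// Assumption: a host is trusted if it equals a whitelist entry or is a
// subdomain of one. NoScript's real matching rules are richer than this.
function isWhitelisted(host, whitelist) {
  const h = host.toLowerCase();
  return whitelist.some((site) => {
    const s = site.toLowerCase();
    return h === s || h.endsWith("." + s);
  });
}

// Return one allow/block decision per <script> tag found in the page's HTML.
function scriptDecisions(pageUrl, html, whitelist) {
  const decisions = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    // An inline script is attributed to the page's own host; an external
    // script is attributed to the host that serves it (relative URLs resolved).
    const url = new URL(src ? src[1] : pageUrl, pageUrl);
    decisions.push({
      kind: src ? "external" : "inline",
      host: url.hostname,
      allowed: isWhitelisted(url.hostname, whitelist),
    });
  }
  return decisions;
}

// Constructed sample: a whitelisted page that also references a script on
// the third-party host named in the Safe Browsing report above.
const SAMPLE_PAGE_URL = "http://techcrunch.com/example-post/";
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://static.techcrunch.com/js/widgets.js"></script>
<script>var pageReady = true;</script>
<script src="http://virtuellvorun.org/injected.js"></script>
</head><body>...</body></html>`;

const result = scriptDecisions(SAMPLE_PAGE_URL, SAMPLE_HTML, ["techcrunch.com"]);
for (const d of result) {
  console.log(`${d.allowed ? "ALLOW" : "BLOCK"}  ${d.kind.padEnd(8)}  ${d.host}`);
}
```

In this model the inline script is allowed because it belongs to the whitelisted page itself, so the protection applies to scripts fetched from the separate, non-whitelisted host.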
I’m not quite as smug as I used to be – but I’m just as well protected by NoScript as I ever was. And I can and do wholeheartedly still recommend Firefox and NoScript to anyone who wants to stay safe on the Internet.
NoScript download (for Firefox users)