... and thousands of HN readers get infected by a zero-day exploit. Maybe. If you're thinking of submitting a known compromised site to HN, consider instead submitting a third-party site which explains/documents the compromise. Ideally from a respected security research company. This has several benefits:

1. You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it. Even if you verify that you only receive plain boring text with no scripts, iframes, plugins, etc. it's impossible to verify that someone else won't get served different content. For example, malware that only gets served to people in Israel.

2. Once the compromised site is restored, people visiting the link won't see what happened. When you link to a third-party article, that article will persist even after the hack is long since gone.

3. Linking to a security research company will probably give better insight into the technical details of how the attack happened, gratifying our intellectual curiosity, instead of just being a dumbed-down piece from some mass-market tech blog.




I agree with your point, but 0-day exploits aren't tossed around like candy corn. They're multi-million dollar munitions.

-----


> 0-day exploits aren't tossed around like candy corn

They are if the zero-day isn't what you're after.

Something like this is like candy corn to a site like HN. You need an exploit and a reason to get your targets to visit your hacked site. When something like this hits HN's front page, if your target is in the tech world, odds are very good that you'll catch someone in the company/companies you're after. This is not theoretical. See, for instance, the Java exploits employed in those hacked iOS dev forums that successfully compromised computers at Facebook, Twitter, Apple, and Microsoft[1].

[1] http://arstechnica.com/security/2013/02/web-forum-for-iphone...

-----


These are both really excellent points.

While DNS-hijacking Google.ps as a watering hole for HN seems like a bit of a long shot of a vector to get access to HN users, it would be a pretty logical vector for Palestinian Authority systems. And it is likely a lot of other users would get unintentionally caught in the net.

Flash/Java vulnerabilities are also quite a bit cheaper (100k range), and well within the price range of most criminal APTs, let alone nation-states. But I imagine most, if not all, HN users have those extensions disabled by default.

So the only way to compromise the systems of most users here would be a 0-day JavaScript vulnerability in Chrome/Firefox. These are the 0-days to which I was referring, which are massively expensive.

But overall the point is valid. The risk, even if not that large that anyone here would be targeted, makes it a good idea not to post directly to compromised websites. I'm not exactly wild about a random workstation at any US company being compromised, even though they weren't explicitly targeted, by random Israeli hackers or even Unit 8200.

-----


There are tons of 0-days out there, maybe not in Chrome proper but in Java, in extensions, in Flash... Multi-million is a huge exaggeration. I think the market is 20k - 50k for many areas.

-----


Now you've got me paranoid.

-----


You don't know paranoia until you've worked in the network security industry for a government contractor....

-----


> You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it.

I don't see any malicious action here.

-----


How is defacing a page not "malicious"?

-----


I think they meant there was no malware being delivered from visiting the page.

-----


The parent comment covered this very point:

>1. You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it. Even if you verify that you only receive plain boring text with no scripts, iframes, plugins, etc. it's impossible to verify that someone else won't get served different content. For example, malware that only gets served to people in Israel.

-----



