What is a Cross-Site Request Forgery? Quoting from the Cross-Site Request Forgery FAQ:

Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific URLs (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs, then the task is performed and logged as the logged-in user. Typically an attacker will embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL' which executes without the user's knowledge, either directly or by utilizing a Cross-site Scripting Flaw. Injection via light markup languages such as BBCode is also entirely possible. These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted.

The bottom line: if you visit a malicious web site and you are authenticated with a "trusted" web site, the malicious web site can essentially impersonate you, assuming you are already logged into the site or you are using an easily guessable password, for example the default password on your Linksys router. How does this happen? This attack stems from the fact that within a typical web browser program, any web session can easily access any other session or simply spawn a new one. For example, if in Firefox you were browsing a malicious site and also maintaining your MySpace page, the malicious site could perform actions on MySpace as if you did them.

Some more examples of things that Cross-Site Request Forgery can accomplish:

  • Reconfigure your Linksys router to permit an attacker to reach your PC.
  • Submit a bid on your behalf for an item on eBay.
  • Post a message "as you" on a particular forum site, your MySpace page, or whatever.

The attacks go beyond just web sites, as I alluded to with the Linksys router comment. Just about every piece of residential or commercial networking gear has some kind of web interface associated with it. Accessing a carefully crafted malicious website in the right environment could lead to opening your entire network up to hackers. And they are coming in through a "trusted" service: HTTP.

There are steps web sites and web interfaces for networking equipment can take. Most of them relate to correcting cross-site scripting (XSS) issues in the web interface. The web browser may have its own XSS issues, further exacerbating the problem. While it's good to fix these issues, there's no promise those issues won't show up again later. There are a few other countermeasures, but these countermeasures can likely be defeated by other exploits. The end result is that, at least with the current browser architecture, there is little that can be done to eliminate these kinds of attacks.
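To make the server-side countermeasures concrete, here is an added example (not from the FAQ or this post) of a handler for the FAQ's "task URL" /stocks?buy=100&stock=ebay that rejects forged requests. It assumes a constructed session store, a hypothetical server secret, and that the attacker's page can make the victim's browser send the session cookie but cannot read the per-session token or spoof the browser's Origin header.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import parse_qs

# Constructed demo values: a server secret and one logged-in session (hypothetical).
SERVER_SECRET = b"demo-secret-not-for-production"
SESSIONS = {"sess-abc123": {"user": "alice"}}
SITE_ORIGIN = "https://site"


def csrf_token(session_id: str) -> str:
    """Per-session token; a page on another origin cannot read it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_buy(cookies: dict, query: str, origin: Optional[str]) -> str:
    """State-changing handler for the 'task URL' /stocks?buy=N&stock=X."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    # Check 1: if the browser sent an Origin header, it must be our own site.
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    # Check 2: the request must carry the token only our own pages can embed.
    params = parse_qs(query)
    token = params.get("csrf", [""])[0]
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "403 missing or bad CSRF token"
    user = SESSIONS[session_id]["user"]
    return f"200 bought {params['buy'][0]} of {params['stock'][0]} for {user}"


def forged_request() -> str:
    """Victim's browser attaches the cookie automatically, but Origin is the attacker's site."""
    return handle_buy({"session": "sess-abc123"}, "buy=100&stock=ebay", "https://evil.example")


def forged_request_no_origin() -> str:
    """Same forgery via a request that carries no Origin header: token check catches it."""
    return handle_buy({"session": "sess-abc123"}, "buy=100&stock=ebay", None)


def legitimate_request() -> str:
    """A form rendered by the site itself embeds the token, so the request is accepted."""
    tok = csrf_token("sess-abc123")
    return handle_buy({"session": "sess-abc123"}, f"buy=100&stock=ebay&csrf={tok}", SITE_ORIGIN)
```

Either check alone is weaker than both: older browsers omit Origin on some requests, and a token check alone still depends on the token never leaking through an XSS flaw, which is why the post stresses fixing XSS first.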

There are several things you can do to reduce the risk from these attacks affecting you. They include, but are not limited to:

  • Not caching your login passwords in the browser.
  • If possible, set a 5 minute (or thereabouts) inactivity timer on your sensitive web sessions.
  • Running the web interface for your device on a non-standard port.
  • Explicitly logging out of the session on the web page in question.

The safest option is to use a completely different web browser program to administer your sensitive web pages and site than you use to browse the Internet. For example, if you use Internet Explorer to browse the Internet, use Firefox to administer your routers. Do not use Internet Explorer along with other Internet Explorer-based browsers as they may all share the same session information.

If you're a Firefox user, another thing you can download is a copy of NoScript. NoScript disables JavaScript for web sites you don't explicitly trust. In addition, NoScript has a number of XSS-related checks in it to thwart XSS-related attacks on well-known websites.

Here is the email from (ISC)2:

Candidate Id: xxxxxx

This is to advise you that your documents have been processed in the system as of today.

We are now printing certificates every day, therefore your certificate should be printed within a day following processing.

Your package will be mailed out within a couple days after the certificate is printed. Stateside delivery usually takes 10 days to 2 weeks; overseas delivery is 4-6 weeks.

Your official designation date will be the date your certificate is printed. You may NOT use the designation until your certificate is printed.

If you do not receive your package within your specified time frame, please contact [address deleted] as she handles the certificate printing and mailings.

(ISC)² Services

Do I have to wait until I receive my certificate or can I call myself a CISSP tomorrow or the next day? ;)

Today I got word that I passed my CISSP exam. The next phase in the process is getting endorsed by another CISSP. Currently, they also permit being endorsed by holders of other, related credentials, though on 1 October 2007, that will no longer be allowed. Since I'm in the Nokia office this week and one of my co-workers is a CISSP, getting him to fill out the endorsement form and email it along with my resume back to ISC2 was not a big deal.

In theory, I should be a CISSP in the next few weeks.

This is one of the most crackpot ideas I've seen: create a .bank top-level domain and restrict it only to banks. Will that make phishing for bank information less possible? I don't think so. The problem is very simple: most people aren't observant of where they are connecting to or what might be showing in their browser's URL field. They also most certainly don't check the SSL Certificate to validate who signed it, or even to see if they are using SSL mode.

There's a reason companies like Verisign charge a lot of money for an SSL certificate: because they actually do some work to validate that the company signing up for an SSL certificate is actually who they say they are. If you check the SSL certificate for a secure site and it says Verisign signed it, you can be fairly certain you are talking to a company you think you are talking to.

Most phishing issues would go away if people were to simply be observant of where they connect. That means making sure the link you think you are clicking on is going to the site it says. "Mouse over" the link and look at the lower part of the browser window. Does it match? Or better yet: don't click on a link that you received over email.

I never thought in my life I would spend almost the entire allowed 6 hour time on the CISSP exam, but I did. And I was oddly zen about the whole experience. Sure, I was a little nervous when I first walked into the testing room as I had no idea what to expect. One of the proctors, whom I met in a CISSP class nearly 6 years ago, checked my ID and paperwork and another proctor led me to a seat, which was to be mine for the course of the exam.

The usual electronic gadgets and gizmos were not allowed at your desk, and if they were present, they were to be switched off or set to vibrate mode and preferably up with the desk where you were permitted to put your snacks and the like (it was a 6 hour test with no lunch break). I left all my gear in the car, though I brought food and water in.

At 8:30, one of the proctors began reading the instructions, which involved filling out a scantron form with specific information. Once that was done and all the other instructions and the like were done, we broke the seal on our test and began. Nothing like filling out over 250 little bubbles.

Bathroom breaks, which I took at least 3 of, involved signing out, one of the proctors escorting you to the restroom (he didn't come inside), and him escorting you back and you signing back in. I guess they want to make sure you don't "cheat" in the bathroom. Fair enough.

And while the confidentiality agreement I signed as part of the CISSP exam process forbids me from getting into specifics about what was on the exam, I can say that I felt oddly zen about the experience. Once the test was underway, I stopped stressing about it. I took frequent breaks. I used earplugs. I was methodical and deliberate. I only made one "transcription" mistake (from book to scantron).

I took two passes through the material. The first pass was to answer the questions I was pretty sure about. On the second pass, I double-checked my answers, both making sure I transcribed the right answer and that I actually chose the right answer. The ones I didn't know, and there were a few, I was able to make a semi-educated guess on most of them; the rest I just threw out a guess. It's not like the SATs where you lose points for a wrong answer.

I walked out of the test feeling pretty comfortable with my performance. I'm sure I answered a few questions wrong, but that's life. Now I just need to wait for ISC2 to come back with my certification results so I can jump through the remaining hoops to be certified.

Meanwhile, I am exhausted after all that. Early bedtime for me.