Yet Another Java/Javascript Exploit

August 8th, 2007

Posted by Isaac Eiland-Hall under Tech

From hackademix.net:
hackademix.net » Pure Java™, Pure Evil™ Popups
Imagine you’re a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No means to close it.
Imagine the user can’t move or minimize this popup. It will go away only when the browser is killed or your show is done…

Now imagine you’re a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or — why not? — a whole fake desktop to collect the user’s data.

Impossible wet dreams of clueless evildoers?
No, it’s just 100% Pure Java™ Reality.


I haven’t heard of any active exploits, but it’s only a matter of time. And if not this one, then the next one that’s found: JavaScript is a constant problem. It may sound like it’s just a Firefox problem, but it’s not. You’ll notice that the applet ‘solution’ covers any browser.

In fact, I highly recommend using Firefox with the NoScript extension running. NoScript is easy to use: when you load a web page, you’ll see an icon in the status bar. Click it and it shows a list of the domains from which the current page wants to load scripts. You can temporarily or permanently whitelist the domains you trust with a click, or de-whitelist them just as easily (unlike other solutions that make it easy to mark something but hard to un-mark it).

I browse this way daily, and it didn’t take me long to get all my regular sites whitelisted: the first time I visited each one, it was easy. Tip: you’ll notice a lot of sites load scripts from several sources. A video site, say, might not play the video until you figure out which of those external scripts power the player. So temporarily whitelist the ones that look plausible until the video works; then de-whitelist the one that mattered (since it was only a temporary whitelist) and re-whitelist it permanently.
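As an added example (not part of this post, and not NoScript’s own code), here is a small Python script that does offline what NoScript’s status-bar list does in the browser: it collects the hosts a page loads scripts from, notes any applet or plugin tags (the route the quoted popup trick uses), and applies a permanent and a temporary whitelist to decide what would run. The sample page, its hostnames and the whitelists are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (no real site): a video page pulling scripts from
# several third-party hosts and embedding a Java applet.
SAMPLE_PAGE_URL = "http://video.example.test/watch?v=1"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-video.test/player.js"></script>
<script src="http://ads.example-ads.test/show.js"></script>
<script src="http://stats.example-tracker.test/t.js"></script>
<script>var inline = 1;</script>
</head><body>
<applet code="FullScreenWindow.class" archive="http://ads.example-ads.test/popup.jar"></applet>
</body></html>
"""


class ScriptSourceCollector(HTMLParser):
    """Collects the hosts a page loads scripts from, plus any applet/plugin tags."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_hosts = set()
        self.inline_scripts = 0
        self.plugin_tags = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                # A relative src resolves against the page, so it is first-party
                self.script_hosts.add(urlparse(urljoin(self.page_url, a["src"])).hostname)
            else:
                self.inline_scripts += 1
        elif tag in ("applet", "object", "embed"):
            # Applets and other plugin content sit outside the popup blocker entirely
            self.plugin_tags.append((tag, a.get("code") or a.get("data") or a.get("src") or ""))


def triage_script_hosts(html, page_url, permanent, temporary=()):
    """Per-host verdict in NoScript's terms: 'allowed', 'temporary' or 'blocked'."""
    parser = ScriptSourceCollector(page_url)
    parser.feed(html)
    verdicts = {}
    for host in sorted(parser.script_hosts):
        verdicts[host] = ("allowed" if host in permanent
                          else "temporary" if host in temporary
                          else "blocked")
    return {"hosts": verdicts, "inline_scripts": parser.inline_scripts, "plugins": parser.plugin_tags}
```

Running it against the sample with the site itself whitelisted permanently and the CDN only temporarily leaves the ad and tracker hosts blocked and reports the applet separately, which is the list you would reason about before promoting the CDN to a permanent entry.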
