September 30, 2008
Cross-Site Request Forgeries Targeting Some Major Sites
“Underscoring the severity of an exotic form of website bug, security researchers from Princeton University have cataloged four cross-site request forgeries in some of the world’s most popular sites.
“The most serious vulnerability by far was in the website of global financial services company ING Direct. The flaw could have allowed an attacker to transfer funds out of a user’s account, or to create additional accounts on behalf of a victim, according to this post from Freedom to Tinker blogger Bill Zeller.
“The vulnerabilities were confirmed for users of Firefox and Internet Explorer browsers, and ING’s use of the secure sockets layer protocol did nothing to prevent the attack. ING plugged the hole after Zeller and colleague Ed Felten reported it privately.”
The New York Times has yet to fix its problem, but MetaFilter has.
(Link)
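The quoted article makes two points worth seeing in code: the browser attaches the victim’s session cookie to a cross-site request whether or not the connection uses SSL, and the standard defense is a secret the attacker’s page cannot read. The following is an added illustration, not code from the Princeton researchers or from ING; the endpoint, the secret and the session id are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Hypothetical server-side secret for this example only; a real deployment
# loads it from configuration, never from source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token as HMAC(secret, session_id).
    The site embeds it in its own forms; a third-party page cannot read it
    because of the same-origin policy, so it cannot reproduce it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(session_id: str, body: str) -> str:
    """Simulated 'transfer funds' endpoint. session_id stands in for the
    session cookie the browser sends automatically, over HTTPS or not; only
    the token proves the request came from a page the site itself served."""
    params = parse_qs(body)
    token = params.get("csrf_token", [""])[0]
    expected = issue_csrf_token(session_id)
    # Constant-time comparison on bytes; a non-ASCII token just fails to match.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "rejected: missing or invalid CSRF token"
    amount = params.get("amount", ["0"])[0]
    dest = params.get("to", [""])[0]
    return f"ok: transferred {amount} to {dest}"

def demo():
    """Contrast a legitimate form post with a forged cross-site post."""
    session_id = "sess-constructed-0001"  # constructed victim session
    # Legitimate POST: the browser sends the cookie AND the token from the site's form.
    good = handle_transfer(
        session_id, f"to=savings&amount=100&csrf_token={issue_csrf_token(session_id)}"
    )
    # Forged POST from another origin: the cookie still rides along, but the
    # attacker's page cannot know the token, so the transfer is refused.
    forged = handle_transfer(session_id, "to=elsewhere&amount=5000")
    return good, forged

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The token is tied to the session rather than stored per request, which keeps the check stateless on the server; the same pattern extends to any state-changing endpoint, and SSL is orthogonal to it because the forged request is a perfectly valid, encrypted request from the victim’s own browser.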
Posted by mhall at 7:29 PM
September 26, 2008
.ORG Leading by Example on DNSSEC
Post-Kaminsky, .ORG is trying to push more widespread adoption of DNSSEC along by using its own migration as a teaching moment:
“The .ORG, Public Interest Registry (PIR) gTLD (generic top level domain) is perhaps best known as the non-profit registry for millions of organizations. It could also soon be known as a more secure domain space too, as .ORG adopts the DNSSEC (DNS Security Extensions), a set of extensions used to add an additional layer of security to the Domain Name System (DNS).
“The move by .ORG to improve security for its DNS (which usually stands for Domain Name System, or Service or Server, the service that translates domain names into IP addresses) comes at a critical time for the world’s DNS infrastructure.
“Security researcher Dan Kaminsky recently exposed a critical flaw in the DNS system, for which DNSSEC may well be the best long term solution for protecting the integrity of Internet and its traffic flow.
“‘The argument we’re trying to make is that there is a very real problem that DNSSEC solves and once we implement it within .org, it will be secure,’ .ORG’s CEO Alexa Raad told InternetNews.com. ‘There are other security issues, but DNSSEC solves a very specific problem which is hijacking traffic that could be unknown to the user.’
(Link)
Previously:
- DNS Exploit “Weaponized,” Major ISPs Still Flapping
- Secrecy About the Next iPod? Fine. A Major Vulnerability? No.
- Apple DNS Patch Lands
- About That Apple DNS Patch …
Posted by mhall at 1:49 PM
September 25, 2008
Privacy Drives Google Chrome Fork
A German software company has released a browser derived from Google’s “Chromium” code minus some privacy concerns.
“Iron” removes a few features from Chrome, including:
- alternative error messages
- crash report transmissions
- use of the Google updater
(Link)
Posted by mhall at 4:56 PM
September 24, 2008
Network Security: Five Lists You Need to Read
The latest from Charlie Schluting:
“Keeping up on security isn’t something you can afford to do lackadaisically. Everyone does, in the beginning, until that fateful day when important servers are compromised. More often than not, it could have been prevented if the server managers read the most important security mailing lists daily.
“In this article we’ll tell you about five security-related mailing lists you cannot afford to miss. You’ll also learn why these lists are important, controversial as some may be.”
Network Security: Five Lists You Need to Read
Posted by mhall at 8:11 PM
September 22, 2008
Palin Yahoo! Mail Hack Suspect Visited by FBI
The son of a Tennessee state representative was the subject of a search warrant in connection with the hack of Alaska Governor Sarah Palin’s private Yahoo account:
“According to a witness, two FBI agents arrived at Kernell’s Knoxville apartment in The Commons student housing complex shortly after midnight on Sunday morning, interrupting a party.
“Kernell and some of his friends reportedly fled when agents arrived, though the local TV station that reported the raid is a bit unclear about this detail. Other reports suggest he may have simply been upstairs with friends when the agents came. FBI agents asked partygoers who did not live in the apartment to wait outside while they photographed the residence.
“Kernell’s three roommates have been subpoenaed to appear in court in Chattanooga this week, though no charges have been filed against Kernell or anyone else in relation to the Palin incident. A grand jury is reportedly set to convene in Chattanooga on Tuesday.
(Link)
And Ed Felten has some interesting suggestions on how Yahoo! can protect the next public servant using its service to conduct government business out of reach of pesky sunshine laws and the like.
With that, I think I’m done with Palin’s Yahoo! account.
Posted by mhall at 7:42 PM
September 19, 2008
EFF Launches Suit Against NSA
“Broadening its fight against the government’s ‘unconstitutional and illegal dragnet surveillance’ of millions of Americans, a watchdog group today filed a lawsuit against the National Security Agency, the president, vice president and other government agencies and officials involved in the domestic surveillance program.
“The Electronic Frontier Foundation (EFF) already has a pending case against AT&T for its role in supplying the government with its subscribers’ phone records. The new lawsuit, Jewel vs. NSA, was filed on behalf of five AT&T customers seeking to shut down the surveillance program and hold those who authorized it accountable in the form of civil damages.
“‘The suit alleges that the spying violates the constitution, as well as a variety of federal privacy laws,’ Kevin Bankston, a senior attorney with the EFF, said on a conference call with reporters.
(Link)
Posted by mhall at 1:59 PM
September 18, 2008
Gov. Palin's Yahoo Account Hacked
The State of Alaska’s webmail must suck, too:
“Sometime on Tuesday, an unknown hacker gained access to gov.palin@yahoo.com, an e-mail account that Sarah Palin has used for personal and possibly also state business in Alaska. The hacker posted the e-mail password to the /b/ group of 4Chan, a discussion site known as a haven for Web ‘trolls,’ and for a brief while, Palin was an open book. 4Chan readers trudged through her inbox, saving screen shots of her correspondence with friends and supporters, a list of her frequent contacts, and pictures of her family. Then, a good Samaritan reset Palin’s password, triggering a Yahoo security measure that alerted Palin to the breach. Soon after, gov.palin@yahoo.com and another account Palin has reportedly used to conduct official business—gov.sarah@yahoo.com—were deleted from Yahoo.
“Gawker has posted a few screen shots of the messages found in Palin’s account; they reveal nothing damaging about Palin, other than that she has a penchant for typing in ALL CAPS when exercised. (‘Does he want someone OPPOSED to the life issue in Congress?’ Palin wrote to Lieutenant Gov. Sean Parnell.) In a statement sent to reporters on Wednesday, the McCain campaign called the incident ‘a shocking invasion of the Governor’s privacy and a violation of law.’”
I kid about Alaska’s webmail sucking. Part of the reason for using a personal account like that appears to be circumvention of official records archiving. That’s one of those things that keeps me from being a privacy in the workplace absolutist. Sometimes things we’d like to be private or secret simply shouldn’t be. Like when you’re in government and you have a responsibility to other citizens and, not to be too dramatic about it, history.
Of course, if I wanted to conduct executive business without risking exposure, I think Yahoo is the last service I’d trust.
(Link)
Posted by mhall at 1:07 AM
September 12, 2008
Apple Specifies Security Updates in iPhone 2.1
The app sandbox is sandboxier, that passcode lock thing is fixed and The Kaminsky Bug no longer menaces. And so much for OpenClip*, which didn’t seem like a very durable option to begin with.
(Link)
*By which I mean “So much for inter-app copy/paste via OpenClip,” which was the interesting part.
Posted by mhall at 12:59 PM
September 10, 2008
Google Cuts IP Anonymization Time Further
“Yesterday, Google announced a revised log retention policy, saying ‘we’ll anonymize IP addresses on our server logs after 9 months,’ instead of the previous 18-24 months. Other information, like cookies, will stay on the longer retention plan. The announcement was in conjunction with Google’s response to the European Union’s Article 29 Working Party. The Working Party had previously said ‘In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.’
“Google’s original 18 month log retention policy was a good first step, and the 9 month policy is an excellent second step towards bringing their policy in line with EFF’s Best Practices for Online Service Providers, which recommends a combination of obfuscation, aggregation and deletion.”
(Link)
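The quoted EFF recommendation of obfuscation, aggregation and deletion is concrete enough to show as a small log-processing step. What follows is an added example, not Google’s own anonymization method (which the announcement does not describe); the log line format, the 270-day cutoff standing in for “9 months,” and the choice to zero the last 8 bits of an IPv4 address and the last 80 bits of an IPv6 address are all this example’s assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed retention window, roughly the "9 months" in the announcement.
RETENTION = timedelta(days=270)

def obfuscate_ip(ip_text: str) -> str:
    """Zero the host-identifying part of an address so the log still supports
    aggregate analysis (network-level geography, abuse trends) without
    identifying a single subscriber. Prefix widths are this example's choice."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def anonymize_line(line: str, now: datetime) -> str:
    """Assumed line format: '<ISO-8601 timestamp> <client ip> <request>'.
    Entries older than RETENTION get their IP obfuscated; newer ones pass
    through unchanged so short-term abuse investigation still works."""
    ts_text, ip_text, rest = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_text)
    if now - ts > RETENTION:
        ip_text = obfuscate_ip(ip_text)
    return f"{ts_text} {ip_text} {rest}"

def anonymize_log(lines, now: datetime):
    """Apply the retention rule to every line of a log."""
    return [anonymize_line(line, now) for line in lines]

# Constructed sample log (documentation address ranges, invented requests).
SAMPLE_LOG = [
    "2007-11-01T08:00:00+00:00 203.0.113.42 GET /search?q=foo",
    "2007-12-01T00:00:00+00:00 2001:db8:abcd:1234::5 GET /",
    "2008-08-30T08:00:00+00:00 198.51.100.7 GET /search?q=bar",
]
NOW = datetime(2008, 9, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG, NOW):
        print(out)
```

Run against the sample, the two 2007 entries come back as 203.0.113.0 and 2001:db8:abcd:: while the August 2008 entry is untouched. Truncation is an obfuscation, not a deletion: the remaining fields (timestamp, query, cookies, which the article notes stay on the longer schedule) can still re-identify a user, which is why EFF lists all three techniques together.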
Posted by mhall at 2:20 PM
September 9, 2008
Anti-DRM Riot Sweeps Through Amazon Spore Reviews
I’ve been waiting around for Spore for a while, same as everybody. I’ve slowed down on game-playing over the past few years, and I really don’t like to buy games for computers, but Spore strikes me as the fulfillment of what I was hoping for but didn’t get when SimEarth and SimLife came out. So if I’m going to buy one full-price computer game anywhere close to launch time this year, Spore’s the likely candidate.
I paid a visit to Amazon last night, not sure I was quite ready to order a copy but wanting to double-check the required specs. It was hard to miss the review summary:

Zoiks! An average rating of one star? 1,600+ reviews? I thought it was a bug until I looked more closely.
Most of the low reviews are coming from people protesting the DRM scheme Spore’s publisher’s using. It limits the number of copies a user can have installed at one time, evidently has some unfortunate behaviors on multi-user systems that make playing in the same setting difficult or impossible, and people claim that hardware changes can trigger a need to reactivate the game. If a user goes through the three allotted installations, then a call to Electronic Arts is required for a new activation.
There are a number of other claims I’m not repeating here because I can’t confirm them on short notice and would tend to move EA out of the realm of “overzealous” and into the territory of “malware distributor.”
There’s a lot of complaining back and forth among Amazon’s reviewers over whether the presence of a restrictive, potentially harmful DRM scheme should factor into a review, and whether or not people who don’t even own the game should be crapping all over reviews of it over that issue alone.
Having lost multiple hours of my life to Adobe’s crummy copy protection, I’m inclined to say DRM matters, and it affects the way I think about software.
Being on deadline and staring at a copy of Adobe CS3 that won’t work because its copy protection is responding to something its support technicians won’t even admit to as a potential problem is really, really frustrating. Heck, it’s irritating to deal with the known issue, which is making sure no other users are logged into the machine before trying to run anything in CS3. If I’d known it was that persnickety, I might have taken a pass and figured out something less feature-packed but also less twitchy.
That doesn’t even take us into the issues surrounding the way DRM is commonly practiced, which seems to involve making sure that some part of your computer is placed out of your control and hidden from you. Some products leave stuff behind when they’re uninstalled, which opens up the possibility of users ignoring security advisories for things they thought they got rid of that are vulnerable through whatever the uninstall process left behind.
So I’d say the riot currently going on in the Spore reviews performed a useful service for me. I want to read more about how Spore’s DRM works, whether people are reporting problems elsewhere on their computers after installing it, and how obvious it is to get rid of all the software it installs if need be.
And none of that addresses how efficacious the protest going on even was. We can look to Amazon for answers on that, too:

Oh.
Well, they tried.
(Link)
Posted by mhall at 3:59 PM
September 8, 2008
Microsoft Proposes Online Digital ID for Kids
“A Microsoft white paper [suggests] that children get digital identity cards to verify their age and better protect them online. But not everyone is convinced it’s the right approach.
“‘It’s not 100 percent clear to me that there’s a compelling reason to validate the age of kids going to a social networking site,’ Larry Magid, a technology journalist, child safety advocate and member of the Internet Safety Task Force (ISTF), told InternetNews.com. ‘Is the solution going to be worse than the problem?’
“Microsoft’s suggestion (available here in PDF format) came in July in response to the ISTF’s call for solutions. The plan would require that government, schools, or private companies certify children’s identities and ages based on personal documents like birth certificates.”
Microsoft’s brief white paper focuses less on social networking sites as we tend to think of them now (e.g. MySpace or Facebook) and more on online communities created specifically for children.
It proposes its own Windows CardSpace as an underlying framework for identity creation and management, which is enough to warrant a skeptical reading, since the paper also calls for the involvement of large institutional bodies to handle the process.
CardSpace is made available by Microsoft under its Open Specification Promise, which was recently updated to make it useful even for developers licensing their work under the GPL.
Personally, I’m less concerned with Microsoft’s involvement than I am with the broader implications of any national identity database.
(Link)
Posted by mhall at 1:31 PM
September 5, 2008
O.k. Maybe NebuAd IS Close to the Brink
O.k. Maybe Bob Dykes’ departure from NebuAd was a harbinger of more bad times to come:
“In an e-mail to InternetNews.com, NebuAd spokeswoman Janet McGraw wrote that ‘plans for wide spread deployment via the Internet service provider channel are delayed to allow time for Congress to spend additional time addressing the privacy issues and policies associated with online behavioral advertising.’
“McGraw added that NebuAd was pursuing other advertising formats as part of a multi-channel strategy, but declined to elaborate on the company’s plans.”
(Link)
Posted by mhall at 12:36 PM
September 4, 2008
Older Webkit Confers Vulnerability on Chrome
Google’s new browser uses an older version of Webkit that includes a disagreeable vulnerability. Colleague Andy Patrizio noted it last night:
“The security site SecuriTeam has found a serious weakness in Chrome’s handling of malicious code. Chrome uses an older version of WebKit, the open-source browser technology also used in Apple’s Safari browser, that includes the vulnerability.
“Chrome has a download progress bar that, when clicked, will execute the file that has just been downloaded. If it’s an executable, a window will pop up, warning the user about downloading malicious code. But if it’s a Java archive file, a .JAR, it will run it with no warning.
“Another vulnerability, which has a proof of concept on the site Evil Fingers, makes it possible to craft a specific link to crash the browser.”
(Link)
Posted by mhall at 11:43 AM
September 3, 2008
NebuAd's CEO Packs His Bags
Kenneth Corbin at InternetNews notes that NebuAd’s CEO is quitting and wonders if it’s the beginning of the end for NebuAd itself:
“The company that tracks people’s Web surfing habits from Internet service providers to serve targeted ads has lost its CEO, Bob Dykes, who stepped down today in favor of a position as CFO with payment-services provider Verifone.
“NebuAd, which declined to comment on Dykes’ departure, has taken a beating this summer, beginning with the announcement by Charter Communications that it was shelving plans to trial NebuAd’s service in response to privacy concerns raised by lawmakers.”
Dykes didn’t make NebuAd’s corporate life any easier. You might remember him as the guy who self-pityingly likened himself to Galileo when he testified in front of a congressional committee. Most news reports painted his testimony as alternately condescending or snide. That’s a bad person to put in front of Congress when it’s in a legislating mood.
In fact, I’d suggest that Dykes moving out could signal retrenchment, not impending failure. As I noted in May, the company preferred to operate quietly prior to the Charter debacle that thrust it into the limelight:
“A search of the news archives shows NebuAd had been enjoying a quiet period of VC love and media tolerance for vague answers about who the company was working with. Maybe it was inevitable that taking a client as large as Charter (ISP Planet says it’s number 8 in the U.S.) would expose the company to more scrutiny.
“NebuAd also relied on simple corporate opacity on the part of its ISP clients to operate with such a low profile for so long. The NebuAd appliance that works the surveillance magic sounds like a turnkey, plug-n-play box, so the ISP’s support personnel don’t really need to know anything about it. The ISPs don’t care to describe the business relationship they’re using to ‘enhance the user’s browsing experience,’ as they euphemize the surveillance, which means even if they do much to disclose the surveillance, its mechanisms remain largely obscured, sometimes requiring users to carefully sift through their own network traffic to understand why something is strange about their Internet connection’s behavior.”
Losing a CEO who seemed intent on antagonizing lawmakers befits a company looking to find its way back out of the limelight.
Posted by mhall at 3:55 PM
September 2, 2008
Security & Privacy in Google Chrome
Google’s new browser has its own privacy mode along with architectural changes designed to make the browser less of a security liability.
Scott “Understanding Comics” McCloud wrote a comic book explaining some of Chrome’s features and design considerations. Pages 22 & 23 of the comic offer a little detail on what Google calls Chrome’s “privacy mode.” Pages 25 to 33 get into the security considerations.

The privacy mode isn’t explained in very much detail.
The comic says that by entering privacy mode, “you can create an ‘incognito’ window and nothing that occurs in that window is ever logged on your computer. It’s a read-only mode: You can still access your bookmarks, but none of your history is saved in the browser — and when you close the window, the cookies from that session are wiped out.”
The terms deserving examination would seem to be “logged,” “history,” and “cookies,” which, as Microsoft’s IE8 “privacy mode” has taught us, do not include the browser’s cache.
That’ll be easy enough to figure out once Google makes the browser available.

The security section of the comic is beefier, delving into the permissions model Google’s using with Chrome, and mentioning some interesting possibilities where plugins are concerned:
“Plugins have capabilities that aren’t public standards, so we can’t sandbox these yet.
“Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege, which would be much safer.”
Nothing specific beyond that, but when you stop to think about stuff like the Clipboard of Doom, it’s an interesting idea. On the other hand, some of the plugin makers have ambitions of becoming their own platform no less grand than Google’s. I’d like to see a Google/Adobe showdown over Flash’s privilege model.
Anyhow, the Chrome download became available while I was working on this, so I guess it’s time to go fire up VMWare and answer a few of my questions.
Posted by mhall at 4:00 PM