Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean literally: quite apart from whether anyone considered it, did your ballot actually reach the final tally?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: if election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines is inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable to a Windows 98 (SE!) box running ZoneAlarm (Pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think it’s real. IT’S BEEN PROVEN! Not a believer? Just wait around for our next big election — we’ll see who wins.


Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And over those years nearly every company, government, or otherwise popular/high-profile server has been hacked. In case you’re not familiar with how it works, I will describe the process.

Basically, an attacker defaces the target website in some way and submits it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web-accessible site, high-profile or not. Blogs, personal websites, mom-and-pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really turned it into a popularity contest, is Zone-H’s rigorous mirror system, which records stats and the names attackers deface under, feeding the craving for attention or otherwise.

If you look where they classify and detail ‘special defacements’, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, others are just having fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to deface websites, but now it’s just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.


Opera’s Latest Hitman

Opera the web browser is apparently now great at one thing: following the standards.

Yesterday, Opera 10 Alpha was released and flaunted its 100/100 score on the Acid3 test, passing with all the colors of the rainbow this time. But honestly, Opera, like several other ‘alternative’ browsers (and if you’re a hardcore fan/follower, excuse me), is just trying to catch up with the old dogs.

Firefox in particular has had many of Opera’s ‘new’ features and ‘improvements’ for quite a while. Security issues in Opera, often simple and totally trivial bugs, have been found and released. I’m not saying more than other browsers; both Firefox and Internet Explorer have double that, to say the least, but I just never could bring myself to trust this unique web browser.

Auto-update has just been put in place, and I feel, as a security researcher, that it is an extremely valuable mitigation tool when new exploits spring up. Thank God the development team FINALLY put this sub-standard feature in place. Presto 2.2 has taken things to the next level with most of these improvements, more details of which you can find for Windows, Mac, and ‘Linux/Unix’.

Has security been incorporated into Opera recently more than ever? Maybe. Has Opera been built with security from the ground up? Certainly not. Pay attention to your favorite XYZ exploit/advisory feed for inevitable updates.


Fooling biometric face recognition

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90s as the authentication that would make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwords: a 50-character-long password can be practically as strong as a 4-digit PIN if the proper lockout procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing an 8-character password and a 10-character password is just a few hours.
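Putting numbers on that last point, as an added example that is not from the original post: what decides how long a search takes is the guess rate the attacker can actually sustain, and a lockout policy is what sets that rate for online guessing. The offline guess rate and the online round-trip time are assumed values, labelled as such in the code.

```python
# Constructed parameters; adjust them to the system under review.
OFFLINE_RATE = 1e9          # guesses/second against a stolen hash (assumed)
ONLINE_ATTEMPT_SECS = 0.5   # assumed round trip for one online login attempt


def keyspace(length, alphabet_size):
    """Number of secrets of exactly `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def online_rate(attempts_before_lockout, lockout_secs, attempt_secs=ONLINE_ATTEMPT_SECS):
    """Sustained guesses/second when the account locks for `lockout_secs`
    after `attempts_before_lockout` failures. With lockout_secs=0 the rate
    is bounded only by the network round trip."""
    cycle = attempts_before_lockout * attempt_secs + lockout_secs
    return attempts_before_lockout / cycle


def seconds_to_exhaust(space, rate):
    """Worst case to try every candidate; the expected time is half of this."""
    return space / rate


def describe(seconds):
    """Render a duration in the largest unit that fits, for a readable table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare():
    """Exhaustive-search time for a few secret/policy combinations."""
    pin = keyspace(4, 10)
    return {
        "4-digit PIN, offline guessing": seconds_to_exhaust(pin, OFFLINE_RATE),
        "4-digit PIN, online, no lockout": seconds_to_exhaust(pin, online_rate(1, 0)),
        "4-digit PIN, online, 5 tries then 15 min lockout": seconds_to_exhaust(pin, online_rate(5, 900)),
        "8-char password (95 symbols), offline": seconds_to_exhaust(keyspace(8, 95), OFFLINE_RATE),
    }


if __name__ == "__main__":
    for label, secs in compare().items():
        print(f"{label:52} {describe(secs)}")
```

The lockout row is the one the post is talking about: the same 10,000-entry PIN space that falls in microseconds offline takes weeks online once five failures cost a quarter of an hour, which is why the guard, the lockout and the offline-hash threat model all belong in the same conversation.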


Cloud Computing Security Blog

As cloud computing seems to be the latest hot topic, getting about as much heat as virtualization, if not more, I thought it would be a good idea to post about a blog that I found a few days ago.

It has some really decent points and good advice for anyone wondering about security in the cloud. Take a look, and please post more links in the comments section if you have any of your own; I will add them to the post, and you’ll also get the credit for posting the link :-)
Here’s the link:

http://cloudsecurity.org/


Purolator knoweth not privacy

My wife happened to go and pick up the book parcel today.  My wife knows about security and privacy.  (Not only does she have to listen to me at the dinner table, but she does her own research.)  One of the things I found out from her, was that it’s legal, in Canada, to ask for and look at a driver’s licence as ID, but it’s illegal, in Canada, for retailers to write down and keep that information.

So when the Purolator staff asked for her driver’s licence, she gave it to them, but made a point to ask them not to write it down.  The Purolator staff member then took the licence and input the details into their computer system.  When my wife complained, the Purolator staff member’s response was insulting and sarcastic.

So, Purolator, is that corporate policy?

Or maybe you need a little more staff training?
(Oh, and Purolator also uses those boxes to collect a digitized sample of your signature.)


Who’s your SMTP daddy?

In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.

Return-Path: aviram@hsia.com.cn
[...]
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (61.152.154.60)
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([123.124.225.63])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)

Clearly I’m sending through another SMTP server, one which goes as far as mangling my ‘Return-Path’ address header.

Only I’m not. My SMTP server is set (as always) to the corporate SMTP server, which is accessible through the VPN over an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: the hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname) to a catch-all server that proxies everything. Transparently (well, almost).

Lesson learned. I changed the hostname to the IP, and will soon switch to SSL-based SMTP, which will authenticate the server. In the meanwhile, be careful of helpful Beijing wifi providers who are only too happy to forward your mail on for you (with some changes, of course).
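The Received headers tell the whole story if you read them bottom-up. As an added example that is not from the original post, the code below unfolds the Received headers, orders the hops from sender to recipient and flags any receiving host that is neither the sender’s own machine nor the relay it was configured to use. The sample header block is constructed from the headers quoted above, and the corporate relay name smtp.corp.example is a placeholder.

```python
import re

# Constructed sample: the Received chain quoted in the post, newest hop first
# (the order mail servers prepend them). Continuation lines are indented as in RFC 5322.
SAMPLE_HEADERS = """Return-Path: aviram@hsia.com.cn
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (61.152.154.60)
  by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([123.124.225.63])
  by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
  Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
  by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
  Wed, 19 Nov 2008 21:13:54 +0800 (CST)
"""


def unfold_headers(raw):
    """Join RFC 5322 continuation lines and return a list of (name, value)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw):
    """Return (from_host, by_host) pairs, oldest hop first, for every Received
    header that names both sides. Headers with no 'from' clause (the qmail
    one here) are skipped."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m_from = re.match(r"from\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        if m_from and m_by:
            hops.append((m_from.group(1), m_by.group(1)))
    hops.reverse()
    return hops


def unexpected_relays(hops, trusted_hosts):
    """Receiving hosts that are not the sender's machine or its configured
    relay. Anything listed here handled the mail without being asked to."""
    trusted = {h.lower() for h in trusted_hosts}
    return [by for _, by in hops if by.lower() not in trusted]


if __name__ == "__main__":
    # Assumption: the laptop is 'beat.local' and the intended relay is the
    # hypothetical corporate host 'smtp.corp.example'.
    hops = received_hops(SAMPLE_HEADERS)
    for frm, by in hops:
        print(f"{frm:>20} -> {by}")
    print("unexpected relays:", unexpected_relays(hops, ["beat.local", "smtp.corp.example"]))
```

Run against the sample, the first hop already goes from beat.local to FBH.hsia.com.cn, a Postfix box the laptop was never pointed at; that single line is the catch-all proxy. The check is only as good as the headers the last honest relay preserved, which is the other reason to insist on a TLS connection that verifies the relay’s certificate rather than trusting whatever the hotel’s DNS hands back.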


My name is Elvis Presley and here is my RFID passport

The group calling itself The Hacker’s Choice has managed to clone a biometric passport in the name of Elvis Presley. Right – The King who died 31 years ago :-)
Demonstration video and some technical information here.


Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

How to do it:

- Go to the ‘share this calendar’ tab

- Enter the email address in the ‘person’ box

- Click ‘add person’ and ‘save’

- When you return to this screen you will see the first and last name along with the gmail address

Screenshots (captions only; the images are not reproduced here):

- I always wondered who was behind admin@gmail.com

- Tell google you want to share your calendar and put their gmail email address

- Oh, I guess they figured people like me would be interested…

- admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.


Your life on an RSS feed

Social networks mean different things to different people. Some people want the world to know what they are doing NOW. So they blog, update their facebook status, use twitter to tell friends and stalkers what they’re thinking and dopplr to make sure everybody knows where they’re going.

Other people think social networks are a danger to privacy. A friend of mine wrote back in response to a linkedin invitation:

i regret to inform you that i don’t do social networking in any form.

This is a man that was there when the Internet started (and in fact laid some of its corner stones), and yet he refuses to take part in the most important revolution on the Internet in the last 10 years?

I used to think there was a third way to look at it. Use social networking in moderation: write what you want people to know, like where you work or what zip code you’re in and do that only because you have a use for it and not because you’re invited (ok, the last part is horseshit. I join things early so that I can reserve aviram as a username to the service. This strategy earned me aviram at gmail.com). For me, privacy was not an issue as long as you know what kind of information you put there. But now, it seems, things are getting out of hand.

I got an email from one of my linkedin connections with a link to a video sharing site called vidjar.com. This link was to videos tagged with his first name – not too uncommon, and you can probably imagine there were a few videos there with that tag.

But his problem was that on the sidebar, was the sentence:

[his full name] is now connected to Aviram Jenik

A deeper investigation showed that the sidebar included a widget that had an RSS feed into linkedin. This RSS feed somehow recorded the fact that he and I had connected. I’m not an expert in linkedin’s new API platform, so I’m not sure how that works – but I can understand how he was not happy to see that everybody on vidjar could see that he and I were connected via linkedin. This is information that only people directly connected to him or me should be able to see, and only when logged into linkedin. Here, it was viewable to the world – we verified it by looking at the flattened google cache.

An API issue? Maybe. But it definitely demonstrates the old saying that information you give, is no longer yours.


Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.


What is your blackberry doing without telling you?

I recently added a contact to my BlackBerry PIN network. The contact was informed of this via an email, and then went on to reply (accept) to this email based invitation.

The response sent from his BlackBerry was not visible in his “sent” folder, nor was it visible in my “inbox”, as apparently BlackBerry has the ability to secretly delete emails as soon as they are processed – thus making it do things a bit “under the radar”.

It’s not yet clear to me how difficult it is to do this manually – adding of a contact to your BlackBerry PIN list – but here are some clues on the email mechanism. Apparently, you need to include in the subject and in the beginning of the message body (subject works in most cases – html appears to behave differently) the following string:

< $RemoveOnDelivery,SuppressSaveInSentItems>

You can combine the above in the subject line with confirm, which will cause BlackBerry to send back a delivery confirmation, combined with the deletion and suppression of saving the item:

< $confirm, RemoveOnDelivery,SuppressSaveInSentItems>
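A mail gateway can at least make these directives visible instead of letting them pass silently. The following is an added example, not from the original post and not RIM’s code: it scans a subject and the start of a body for the token syntax quoted above and returns the directive names, so a filter can log or hold mail that would otherwise vanish from Sent and Inbox. The regex and the 512-character body cutoff are assumptions based only on the two forms shown.

```python
import re

# Assumed token grammar, built from the two forms quoted in the post:
# '<', optional whitespace, '$', comma-separated directive names, '>'.
CONTROL_RE = re.compile(r"<\s*\$\s*([A-Za-z][A-Za-z, ]*?)\s*>")

# Directive names that appear on the page; anything else found is reported but not acted on.
KNOWN_DIRECTIVES = {"RemoveOnDelivery", "SuppressSaveInSentItems", "confirm"}

BODY_PREFIX = 512  # assumption: the post says the token must be at the start of the body


def blackberry_directives(subject, body=""):
    """Directive names found in the subject or the start of the body, in
    order of first appearance, without duplicates."""
    found = []
    for text in (subject, body[:BODY_PREFIX]):
        for m in CONTROL_RE.finditer(text):
            for name in m.group(1).split(","):
                name = name.strip()
                if name and name not in found:
                    found.append(name)
    return found


def should_hold(subject, body=""):
    """Policy hook for a gateway: hold mail carrying any known directive that
    would make the message disappear from the sender's or recipient's folders."""
    return bool(set(blackberry_directives(subject, body)) & KNOWN_DIRECTIVES)


def scan(messages):
    """Run the policy over (message_id, subject, body) triples and return the
    ids to hold together with the directives seen in each."""
    return {mid: blackberry_directives(subj, body)
            for mid, subj, body in messages if should_hold(subj, body)}


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        ("m1", "Lunch tomorrow?", "Noon at the usual place."),
        ("m2", "< $RemoveOnDelivery,SuppressSaveInSentItems> PIN invitation", ""),
        ("m3", "Re: PIN invitation", "< $confirm, RemoveOnDelivery,SuppressSaveInSentItems>\naccepted"),
    ]
    print(scan(sample))
```

Holding or merely logging is a local policy decision; the point is that a message engineered to leave no trace in either mailbox should at least leave one on the gateway.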


A case of mistaken identity

As far as facebook is concerned, your email is your identification. This is true for other social networks like linkedin, and is slowly catching on to many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email – it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.

Unlike in the past, when users switched emails frequently, we now have hotmail and gmail and personalized accounts that we can take with us as we switch jobs or ISPs. Email is private (at least, as private as snail mail), and if my bank feels comfortable sending me alerts and other information over email, then it is definitely secure enough for the rest of us.
So if email is destined to become the equivalent of your social security number or identification number (depending on which country you live in), how do we check that the email address we typed does not contain any typos? Most identification numbers have a control digit that acts like a checksum to make sure the ID was typed correctly. With email we don’t have that, and so you’re sending an email with the newest Vista joke to your coworker friend Bill Howards over at the Vista team, your finger slips, and the mail goes to billg@microsoft.com.

Or worse – with gmail I’ve been receiving emails that belonged to some other Aviram that was too slow to catch aviram@gmail before I did. Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

Sure, I would never do that to a fellow Aviram. But what happens when our possible-future-Internet ID,  our email, is typed wrong into some government database and all our IRS information, special Internet-voting code and who-knows-what-else is sent to our alternate identity, the guy that lives right by us on the keyboard? Not good.

My receiving another person’s order information is an obvious lesson for web sites: Make sure you verify the email address. Sending a test email and waiting for confirmation is good security practice since you’re not only confirming the person typed his email address correctly but you’re also confirming he did not sign up his mother in law to your wonderful daily adult joke service as pay back for last thanksgiving.
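The confirmation step the post recommends, as an added example that is not code from the original post: a token bound to the typed address with an HMAC and an expiry is mailed to that address, and the account only becomes usable (and password resets only go out) once someone who actually reads that mailbox has presented it back. The server secret and the 24-hour lifetime are constructed values.

```python
import hashlib
import hmac
import time

# Constructed secret; in production load it from configuration, never hard-code it.
SERVER_SECRET = b"constructed-example-secret-rotate-me"
TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link


def _canonical(email):
    """Case-insensitive comparison of addresses; a typo is still a typo."""
    return email.strip().lower()


def make_confirmation_token(email, now=None, secret=SERVER_SECRET):
    """Token valid only for this exact address and only until the expiry
    baked into it. Mailed to the address the user typed, so it can be
    completed only by whoever reads that mailbox."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    msg = f"{_canonical(email)}|{expires}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_confirmation_token(email, token, now=None, secret=SERVER_SECRET):
    """Recompute the HMAC for (address, expiry) and compare in constant time."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expires:
        return False
    msg = f"{_canonical(email)}|{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class Signups:
    """Minimal account store: an address is unusable until it is confirmed."""

    def __init__(self):
        self.pending = {}
        self.confirmed = set()

    def register(self, email, now=None):
        email = _canonical(email)
        token = make_confirmation_token(email, now)
        self.pending[email] = token
        return token  # in practice: send to `email` by mail, never show it in the UI

    def confirm(self, email, token, now=None):
        email = _canonical(email)
        if email not in self.pending or not verify_confirmation_token(email, token, now):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def can_reset_password(self, email):
        """Password-reset mail goes only to addresses that have proved they are read."""
        return _canonical(email) in self.confirmed


if __name__ == "__main__":
    store = Signups()
    tok = store.register("Bill.Howards@example.com")
    print("reset allowed before confirm:", store.can_reset_password("bill.howards@example.com"))
    print("confirm with wrong address:", store.confirm("billg@example.com", tok))
    print("confirm with right address:", store.confirm("bill.howards@example.com", tok))
    print("reset allowed after confirm:", store.can_reset_password("bill.howards@example.com"))
```

Binding the address into the signed message is what stops a token mailed to a mistyped address from being redeemed against a different one, and the expiry limits how long a stray link in the wrong mailbox stays live.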


Arrested for security research?

Anyone who has ever done serious security research has reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injection that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, let’s talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police are trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested on kiddie porn charges, that you are not a dangerous paedophile but had no idea the link you clicked led to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof-of-concept device built to show how vulnerable GSM encryption is and an illegal wiretapping device. But law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent the spread of his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by GoDaddy. In the Dmitry Sklyarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?


IPv6 and location based tracking

I remember hearing a lecture circa 1995-6 about IPv6 and how the Internet world would come to an end if we didn’t adopt it soon. The crisis was a dwindling allocation of IPs (the early Internet version of a carbon footprint). The fear was that “In 10 years, every man on the planet will have between 10 to 20 IP addresses on him”. But when I heard that, I didn’t really think about the poor IP forests that are cut down every year to accommodate the greedy globalization economy; I thought of privacy.

The end of that discussion is now clear: shortly after I heard the lecture Network Address Translation (NAT) became popular, and IP allocation was no longer a problem. Not only that, but IPv6 went from a “must have” to “we’ll get around to it some day” and is still in the process of being rolled out (slowly) to this day. But the privacy issue still remains.

If every person has an IP (or more than one IP, although that seems less likely nowadays) then we know everything about him. Unlike the virtual world, where we no longer can connect a person with an IP address without correlating half a dozen logs, in the physical world an IP will likely be more like a phone number – something unique and personal.

I thought about this when I read about a Nokia experiment where people transmitted their location to a Nokia center to enable traffic monitoring. Nokia says data is sent anonymously, and I believe them; but even if not, every Nokia device has a private (NAT’ed) address changed almost randomly by DHCP. So tracking again requires long and tedious log correlation and privacy is difficult to compromise.

What, then, will happen with IPv6? If DHCP and NAT increase privacy, is IPv6 a threat? Not an imminent threat, of course, but it is definitely ‘creeping’ in, and some day if there are enough addresses and NAT is not necessary, perhaps every blackberry in the world will have a unique IP address that will be with it forever. That’s a scary thought – if you comment in this blog post using your real name, I can take this information with me and give it to a friend of mine that works in Nokia who will tell me where you are right now. Think about the scene in “Jay and Silent Bob” where they go and beat up the people who posted bad comments about their movie; it suddenly becomes a whole lot easier to do…
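What makes a ‘forever’ address possible is how the host half of an IPv6 address is built. As an added example that is not part of the original post, the code below derives the interface identifier the way RFC 4291 does from a MAC address, recovers the MAC from such an address, and generates the kind of random identifier that RFC 4941 privacy extensions substitute for it. The MAC address and the 2001:db8::/64 prefix are constructed values.

```python
import ipaddress
import secrets


def eui64_interface_id(mac):
    """RFC 4291 Appendix A: modified EUI-64 from a 48-bit MAC. The hardware
    address survives, readable, in the host part of every address built this way."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    b[0] ^= 0x02  # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def random_interface_id():
    """RFC 4941 temporary-address style: 64 random bits with the u/l bit
    cleared. Regenerated periodically and carrying no hardware identity."""
    b = bytearray(secrets.token_bytes(8))
    b[0] &= 0xFD
    return bytes(b)


def address(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64-derived address, or None when the
    interface identifier lacks the ff:fe marker (e.g. a privacy address)."""
    iid = int(addr).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed
    stable = address("2001:db8::/64", eui64_interface_id(mac))
    temp = address("2001:db8::/64", random_interface_id())
    print("EUI-64 address:", stable, "-> MAC", mac_from_address(stable))
    print("privacy address:", temp, "-> MAC", mac_from_address(temp))
```

The EUI-64 form is the scenario the post fears: move the device to any network and the last 64 bits still name the same card. The random form is the standard answer, and checking whether the ff:fe marker is present is a quick way to tell which kind a host is handing out.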


My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading via a Facebook application has been discovered. Security company Fortinet reports that an application called Secret Crush installs Zango (aka AdWare.Win32.180Solution) through an iframe, technically served from ZangoCash.com.

Briefly, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included in the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and the typical ‘Ignore’.
It appears that Secret Crush is no longer included in the Facebook Application Directory (no log-in needed). Reportedly the FortiGuard Team has informed the Facebook guys, and the application has probably been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), still accessible and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.
