Posted on December 13th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking, Privacy, Spam, Web | 1 Comment »
Well, your favorite website’s favorite way to see if you’re human or not has a problem: their ‘protection’ has been ‘broken’. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer/code to do as well? CAPTCHAs have never even looked secure to anyone with an open security mind, and those swimming in the unconscious thoughts that some day this ‘protection’ would see its core cracked… well, today is your lucky day.
But never fear! There is hope (really..?)! The Carnegie-Mellon University team behind CAPTCHA’s big brother, reCAPTCHA, is for some reason continuing research towards the “effort to mix basic security and useful work”. While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won’t be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new ‘improvement’ being ‘broken’. Oh internet, have mercy on the little people, and send your spam bots to wreak havoc on another interNET.
Posted on December 9th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Culture, Insider Threat, Phishing, Privacy, Spam, Web | 1 Comment »
Recently Kaspersky, the company who makes your favorite, or not-so-favorite, anti-malicious software, called upon government and banking institutions to be more secure. But is it really up to these agencies to draw the perfect picture of security, or should the end users stop making such bad decisions, both on and offline?
If these ‘safety nets’ are deployed, it isn’t going to make the best of the security situation, but it will help. On the other side of the packet, using outdated software or insecure browsers (cough!*IE*cough!) that do little or nothing to protect the web surfers, directly and indirectly, should also be of major concern. Wouldn’t it be something if, when accessing one of these websites running INSECUREBROWSER, it suggested you use MORESECUREBROWSER, FOR SECURITY REASONS IF NOTHING ELSE? Whoa, wouldn’t that be a different color light bulb. Especially if it was something like, say, Internet Explorer vs. Firefox (Yes, I am saying that Firefox’s security is better than Internet Explorer. I believe both core and rendering engines are better, too).
Now, if they try to regulate the internet with security laws and cyber architecture boundaries, it’s just going to be one big mess. If you’d like one reason it wouldn’t work, just think about how outlawish the internet already is, and has been, since its inception. Then take a break and elaborate on it. I’m sure you’ll find more than one reason we can’t import some crazy set of regulations and actually believe they are going to work and/or solve our problems.
Here is some more fuel for thought: How about separating the internet for low and high bandwidth data flow. Interconnected, but bridged. Not a good idea? Well, why not? As long as we are on the same network, there will be fighting over who owns what (more than just headers and footers). But as long as we put the big with the small, there is going to be controversy. There are going to be debates. This last part may have been a little off topic, but I feel like it needed to be said. Security isn’t made, it’s planned and implemented before regulation begins.
Posted on December 8th, 2008 by jbrown
Filed under: Ask the Expert, Commentary, Corporate Security, Encryption, Gadgets, Insider Threat, Law, Physical Security, Privacy | No Comments »
Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?
Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.
Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines is inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable to a Windows 98 (SE!) box running ZoneAlarm (pro!).
Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think it’s real. IT’S BEEN PROVEN! Not a believer? Just wait around for our next big election — we’ll see who wins.
Posted on December 7th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Law, Linux, Microsoft, Networking, Privacy, Rootkits, Sec Tools, Web | 1 Comment »
For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case you’re not familiar with how it works, I will tell you about the process.
Basically, an attacker defaces the target website in some way and submits it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and the names they use to deface, feeding the craving for attention or otherwise.
If you look where they classify and detail ‘special defacements’, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, others just for fun, such as this one by ‘netb00m’:
“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”
As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to deface websites, but now, it’s just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.
Posted on December 6th, 2008 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, InSecurity, Memory Leak, Networking, Phishing, Privacy, Sec Tools, Web | No Comments »
Opera the web browser is apparently now great at one thing: following the standards.
Yesterday, Opera 10 Alpha was released and flaunted its 100/100 score on the Acid3 test, passing with all the colors of the rainbow this time. But honestly, Opera, like several other ‘alternative’ browsers (and if you’re a hardcore fan/follower, excuse me), is just trying to catch up with the old dogs.
Firefox in particular has had many of Opera’s ‘new’ features and ‘improvements’ for quite a while. Security issues in Opera, often simple and totally trivial bugs, have been found and released. I’m not saying more than other browsers; both Firefox and Internet Explorer have them doubled, to say the least, but I just never could bring myself to trust this unique web browser.
Auto-update has just been put in place, and I feel, as a security researcher, that it is an extremely valuable mitigation tool when new exploits spring up. Thank God the development team FINALLY put this sub-standard feature in place. Presto 2.2 has taken things to the next level with most of these improvements, more details of which you can find for windows, mac, and ‘linux/unix‘.
Has security been incorporated into Opera recently more than ever? Maybe. Has Opera been built with security from the ground up? Certainly not. Pay attention to your favorite XYZ exploit/advisory feed for inevitable updates.
Posted on December 6th, 2008 by Aviram
Filed under: Encryption, Networking, Privacy | 1 Comment »
CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.
I like to make fun of biometric authentication, mainly because it was overhyped in the 90s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.
Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwords: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing an 8-character password and a 10-character password is just a few hours.
Posted on December 5th, 2008 by xyberpix
Filed under: Commentary, Privacy, Web | 5 Comments »
As cloud computing seems to be the latest hot topic, getting about the same, if not more heat than virtualization, I thought that it would be a good idea to post about a blog that I found a few days ago.
It has some really decent points, and good advice for anyone wondering about security in the cloud. Take a look, and please post more links in the comments section if you have any of your own. I will add them to the post, and you’ll also get the credit for posting the link.
Here’s the link:
Posted on December 5th, 2008 by p1
Filed under: Commentary, Corporate Security, Culture, Insider Threat, Physical Security, Privacy | 2 Comments »
My wife happened to go and pick up the book parcel today. My wife knows about security and privacy. (Not only does she have to listen to me at the dinner table, but she does her own research.) One of the things I found out from her, was that it’s legal, in Canada, to ask for and look at a driver’s licence as ID, but it’s illegal, in Canada, for retailers to write down and keep that information.
So when the Purolator staff asked for her driver’s licence, she gave it to them, but made a point to ask them not to write it down. The Purolator staff member then took the licence and input the details into their computer system. When my wife complained, the Purolator staff member’s response was insulting and sarcastic.
So, Purolator, is that corporate policy?
Or maybe you need a little more staff training?
(Oh, and Purolator also uses those boxes to collect a digitized sample of your signature.)
Posted on November 20th, 2008 by Aviram
Filed under: Corporate Security, Networking, Privacy | 8 Comments »
In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (220.127.116.11)
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([18.104.22.168])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)
Clearly I’m sending through another SMTP server, who goes as far as mangling my ‘Return-Path’ address header.
Only I’m not. My SMTP server is set (as always) to the corporate SMTP who is accessible through the VPN, in an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: The hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname). This is resolved to a catch-all server that proxies everything. Transparently. (well, almost)
Lesson learned. Changed the hostname to the IP, and will soon switch to SSL based SMTP, which will authenticate the server. In the meanwhile – be careful of helpful Beijing wifi providers who are only too happy to forward your mail on! (with some changes, of course).
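As an added example (my code, not part of the original post), here is a small Python script that does the two checks this story calls for: it parses the Received: headers quoted above into the hop chain and lists every relay that is not one of the servers you expect, and it probes a resolver for the catch-all behaviour described, by asking for a random label that cannot exist. The trusted host list and the zone name are placeholders; the Received headers are the ones from the post, used as sample input.

```python
import re
import secrets
import socket
from typing import Callable, Iterable

# The Received: headers quoted in the post above, copied as sample input.
SAMPLE_HEADERS = """\
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (220.127.116.11)
  by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([18.104.22.168])
  by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
  Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
  by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
  Wed, 19 Nov 2008 21:13:54 +0800 (CST)
"""

# "from <host> ... by <host>" inside one unfolded Received: value.
HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)",
                    re.IGNORECASE | re.DOTALL)


def received_values(raw_headers: str) -> list:
    """Return each Received: header value with its folded continuation lines joined."""
    values = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t"):
            if values:                      # continuation of the previous header
                values[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def relay_chain(raw_headers: str) -> list:
    """(from_host, by_host) pairs in delivery order, oldest hop first.

    Each hop prepends its own Received: header, so the header block lists them
    newest-first; reversing gives the path the message actually took. Headers
    without a from/by pair (the local qmail injection line) are skipped.
    """
    hops = []
    for value in received_values(raw_headers):
        match = HOP_RE.search(value)
        if match:
            hops.append((match.group("frm").lower(), match.group("by").lower()))
    hops.reverse()
    return hops


def unexpected_relays(raw_headers: str, trusted_hosts: Iterable[str]) -> list:
    """Relay ("by") hosts that handled the message but are not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    suspects = []
    for _frm, by in relay_chain(raw_headers):
        if by not in trusted and by not in suspects:
            suspects.append(by)
    return suspects


def resolver_is_catchall(resolve: Callable[[str], str], zone: str) -> bool:
    """True if `resolve` answers for a label that cannot exist under `zone`.

    An honest resolver fails with NXDOMAIN (socket.gaierror, an OSError) for a
    random label; a hijacking hotspot hands back its proxy's address instead.
    """
    bogus_name = f"nx-{secrets.token_hex(8)}.{zone}"
    try:
        resolve(bogus_name)
    except OSError:
        return False
    return True


if __name__ == "__main__":
    # Placeholder trusted hosts: the corporate relay and the final MX ("0" in the sample).
    for host in unexpected_relays(SAMPLE_HEADERS, ["smtp.corp.example", "0"]):
        print("unexpected relay:", host)
    # Live probe of whatever resolver the current network hands you (needs DNS access).
    print("catch-all DNS:", resolver_is_catchall(socket.gethostbyname, "corp.example"))
```

On the sample headers the relay check reports fbh.hsia.com.cn and hsia.com.cn, the two hotel hops that should never have appeared between the laptop and the corporate relay. The catch-all probe uses a fresh random label on every call so a resolver cannot have a cached answer for it; pass `socket.gethostbyname` for a live check, or any callable for testing.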
Posted on October 2nd, 2008 by Juha-Matti
Filed under: Commentary, Encryption, Physical Security, Privacy | No Comments »
The group going by the name The Hacker’s Choice has managed to clone a biometric passport in the name of Elvis Presley. Right – the King, who died 31 years ago.
Demonstration video and some technical information here.
Posted on July 15th, 2008 by Aviram
Filed under: Full Disclosure, Google, Privacy, Web | 49 Comments »
Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.
How to do it:
- Go to the ‘share this calendar’ tab
- Enter the email address in the ‘person’ box
- Click ‘add person’ and ‘save’
- When you return to this screen you will see the first and last name along with the gmail address
I always wondered who was behind firstname.lastname@example.org
Oh, I guess they figured people like me would be interested…
If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.
Posted on June 18th, 2008 by Aviram
Filed under: Commentary, Culture, Privacy | No Comments »
Social networks mean different things to different people. Some people want the world to know what they are doing NOW. So they blog, update their facebook status, use twitter to tell friends and stalkers what they’re thinking and dopplr to make sure everybody knows where they’re going.
Other people think social networks are a danger to privacy. A friend of mine wrote back in response to a linkedin invitation:
i regret to inform you that i don’t do social networking in any form.
This is a man that was there when the Internet started (and in fact laid some of its corner stones), and yet he refuses to take part in the most important revolution on the Internet in the last 10 years?
I used to think there was a third way to look at it. Use social networking in moderation: write what you want people to know, like where you work or what zip code you’re in and do that only because you have a use for it and not because you’re invited (ok, the last part is horseshit. I join things early so that I can reserve aviram as a username to the service. This strategy earned me aviram at gmail.com). For me, privacy was not an issue as long as you know what kind of information you put there. But now, it seems, things are getting out of hand.
I got an email from one of my linkedin connections with a link to a video sharing site called vidjar.com. This link was to videos tagged with his first name – not too uncommon, and you can probably imagine there were a few videos there with that tag.
But his problem was that on the sidebar, was the sentence:
[his full name] is now connected to Aviram Jenik
A deeper investigation showed that the sidebar included a widget that had an RSS feed into linkedin. This RSS feed somehow recorded the fact that he and I had connected. I’m not an expert in linkedin’s new API platform, so I’m not sure how that works – but I can understand how he was not happy to see that everybody on vidjar could see that he and I were connected via linkedin. This is information that only people directly connected to him or me should be able to see, and only when logged into linkedin. Here, it was viewable to the world – we verified it by looking at the flattened google cache.
An API issue? Maybe. But it definitely demonstrates the old saying that information you give, is no longer yours.
Posted on June 15th, 2008 by p1
Filed under: Commentary, Corporate Security, Culture, Encryption, Law, OT, Physical Security, Privacy | 5 Comments »
The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures. Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets. It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.
Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption. Leaving aside privacy and legality concerns, Schneier is for encryption.
Now, I don’t fly as much as some, but more than many. Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags. I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames. (I’ve got a rather extensive virus zoo in one directory.) Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop. (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)
I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons. However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.
Posted on June 5th, 2008 by noam
Filed under: Corporate Security, Gadgets, Privacy | No Comments »
I recently added a contact to my BlackBerry PIN network. The contact was informed of this via an email, and then went on to reply (accept) to this email based invitation.
The response sent from his blackberry was not visible in his “sent” folder, nor was it visible in my “inbox” as apparently BlackBerry has the ability to secretly delete emails as soon as they are processed – thus making it do things a bit “under the radar”.
It’s not yet clear to me how difficult it is to do this manually – adding of a contact to your BlackBerry PIN list – but here are some clues on the email mechanism. Apparently, you need to include in the subject and in the beginning of the message body (subject works in most cases – html appears to behave differently) the following string:
You can combine the above in the subject line with confirm, which will cause BlackBerry to send back a delivery confirmation, combined with the deletion and suppression of saving the item:
< $confirm, RemoveOnDelivery,SuppressSaveInSentItems>
Posted on May 19th, 2008 by Aviram
Filed under: Commentary, Culture, Privacy | 1 Comment »
As far as facebook is concerned, your email is your identification. This is true for other social networks like linkedin, and is slowly catching on to many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email – it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.
Unlike in the past where users switched emails frequently, we now have hotmail and gmail and personalized accounts that we can take with us as we switch jobs or ISPs. Email is private (at least, as private as snail mail) and if my bank feels comfortable sending me alerts and other information over email, then it is definitely secure enough for the rest of us.
So if email is destined to become the equivalent of your social security number or identification number (depending on which country you live in), how do we check that the email address we typed does not contain any typos? Most identification numbers have a control digit that acts like a checksum to make sure the ID was typed correctly. With email, we don’t have that, and so you’re sending an email with the newest Vista joke to your coworker friend Bill Howards over at the Vista team and your finger slips and the mail goes to email@example.com.
Or worse – with gmail I’ve been receiving emails that belonged to some other Aviram that was too slow to catch aviram@gmail before I did. Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?
Sure, I would never do that to a fellow Aviram. But what happens when our possible-future-Internet ID, our email, is typed wrong into some government database and all our IRS information, special Internet-voting code and who-knows-what-else is sent to our alternate identity, the guy that lives right by us on the keyboard? Not good.
My receiving another person’s order information is an obvious lesson for web sites: Make sure you verify the email address. Sending a test email and waiting for confirmation is good security practice since you’re not only confirming the person typed his email address correctly but you’re also confirming he did not sign up his mother in law to your wonderful daily adult joke service as pay back for last thanksgiving.
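As an added example (my code, not the post’s or any site’s), here is that confirmation flow in Python: the site creates the account as unverified, mails a signed, expiring token only to the address that was typed, and marks the account verified only when the same token comes back for the same address. A mistyped address, or somebody else’s address, can therefore never become a verified account unless its real owner clicks the link. The signing key, the 24-hour lifetime and the in-memory table are placeholder choices.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Placeholder key: real deployments load this from a secrets store, not at import time.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 24 * 3600   # seconds a confirmation link stays valid (assumed policy)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize(email: str) -> str:
    """Canonical form used both when issuing and when checking a token."""
    return email.strip().lower()


def make_token(email: str, issued_at: Optional[int] = None) -> str:
    """Token to embed in the link mailed to `email`: base64(payload).base64(HMAC)."""
    ts = int(time.time()) if issued_at is None else issued_at
    payload = f"{normalize(email)}|{ts}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, email: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check the signature first, then expiry, then that it was issued for `email`."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:                       # binascii.Error is a ValueError
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    token_email, ts = payload.decode().rsplit("|", 1)   # payload is authentic here
    if now - int(ts) > TOKEN_MAX_AGE:
        return False, "expired"
    if token_email != normalize(email):
        return False, "email mismatch"
    return True, "ok"


class Signups:
    """In-memory stand-in for the 'pending until confirmed' account table."""

    def __init__(self) -> None:
        self.accounts = {}                   # normalized email -> verified?

    def register(self, email: str, issued_at: Optional[int] = None) -> str:
        """Create the account unverified and return the token to mail to `email`.

        The token goes only to the typed address, so a typo or a spiteful
        signup of someone else's address reaches that mailbox alone, and its
        owner can simply ignore the mail.
        """
        key = normalize(email)
        self.accounts.setdefault(key, False)
        return make_token(key, issued_at)

    def confirm(self, email: str, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Called when the link is clicked; flips the account to verified on success."""
        key = normalize(email)
        if key not in self.accounts:
            return False, "unknown account"
        ok, reason = verify_token(token, key, now)
        if ok:
            self.accounts[key] = True
        return ok, reason

    def is_verified(self, email: str) -> bool:
        return self.accounts.get(normalize(email), False)
```

The signature is checked before anything in the payload is trusted, and the comparison is constant-time, so a token cannot be forged or re-pointed at another address by editing the base64. Binding the token to the normalized address is what makes the typo case fail closed: a link issued for aviram@gmail.com does nothing for an account registered under a near-miss spelling.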
Posted on April 19th, 2008 by Aviram
Filed under: Commentary, Culture, Law, Privacy | 10 Comments »
Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.
I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injection that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.
But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.
If you think the previous paragraph is a paranoid conspiracy theory, let’s talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police are trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested on kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?
There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Sklyarov case it was Adobe who got the court order.
I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?