This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype - rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

God bless the law that forces companies to disclose when they are hacked and customer information is compromised. Not only do we get a chance to protect ourselves but it also reminds us that this apparently happens more often then we would think.

This time it’s elance.com:

Dear (my account name),
We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.
We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.
We sincerely regret any inconvenience or disruption this may cause.
If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html
For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262
Thank you for your understanding,
Michael Culver
Vice President
Elance

What I would like to see, is what “additional security measures” are they really taking. Also (and I’ll admit I have a one-track-mind) did they do a proper security scan to ensure the servers don’t have any holes? What were the results?

Comerica bank seems to think disclosing cross site scripting vulnerabilities in the bank’s web site is illegal:

“Comerica hereby demands that the above-referenced Subject Site be shut down immediately and that the identity of the account holder be provided to the undersigned.

Comerica’s demand is based upon the fact that the Subject Site is designed to enable that subscriber and anyone else viewing the site to take actions to attempt to impersonate Comerica to its customers”

(full document here)

No Comerica, it’s not the “how to use Comerica com to phish their customers” that enables that, it’s comerica.com that enables that. But at least I finally know why I’m receiving a flood of Comerica phishing emails in the last few weeks (I haven’t even heard of the bank before then).

Needless to say, they haven’t fixed the problem. Of course, for them the problem is not that phishers can attack Comerica bank customers but that somebody is saying it out loud.

(more pictures here)

(via @lancejssc)

Gloria pointed out an article in the Vancouver Sun and, just in case it disappears in a few days, I found the author’s blog.

The main thrust of the article is on the risk/benefit of a lack of privacy, as practiced in social networking.  This (absent the social networking) reminded me of David Brin’s “The Transparent Society,” and if you haven’t read it, I recommend it.

It’s nice to have milw0rm around: http://www.milw0rm.com/exploits/9137.

Be careful out there, firefox 3.5 users.

Seems like milw0rm will stay up for the near future. In an email from Str0ke, he wrote:

Way to[o] many people unhappy with me over the
idea of closing shop.  I just needed help which I have alot of people to choose from now

So the good news, is that we’ll still see milw0rm posting information. But for all of you who were disappointed by milw0rm almost closing: if you want to see it stay open, here’s your chance to help. Just write to str0ke and offer him help – managing a vulnerability database is one of the best ways to gain expertise and learn the field. Plus, you’ll be helping a valuable resource, and making friends along the way.

From a personal experience, I can very much recommend it. We started our own vulnerabilities database much like milw0rm a while back, and it gave us the expertise to build a vulnerability scanner, a fuzzer, and build a profitable business while having fun doing it. So much so, that the original SecuriTeam team is still actively working on editing and posting information.

So whether you are looking to sharpen your skills for fun or want to give a boost to your professional career, I highly recommend joining milw0rm (do it now, while str0ke is still accepting applications!)

Just thought I’d bring it up since there has been prolific chatter on the lists lately…

I saw a message from Jericho giving his goodbyes to str0ke, and had to see it for myself. Indeed:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t . For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

We all hope it’s just temporary and str0ke will bounce back. And  if that doesn’t happen, hopefully someone else will pick it up and continue. It’s a thankless job of tedious work but it gives “the good guys” a fighting chance by putting together in an organized manner things that are already know to the bad people out there.

Hopefully this is not a farewell, but if it is, milw0rm will be missed.

Readers: If you have suggestions for good exploit archives (other than this exploit archive, of course) that should go on the bookmark list where milw0rm was, please post in the comments below.

Update: Good news. As several of you noted, str0ke decided to keep on going. More information here.

Update 2: As of October 2009 they seem to be down again.

Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?

Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.

A few years ago, the personal blog of the Iran president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed in which news travel on the Internet these days, it shouldn’t be difficult to do some psychological warefare if you own “credible” domain names.

I saw a demo of Green SQL today, and during the demo Yuli showed me a cute sql-injection method for mysql that I’ve never seen before.

This will evade some IDS’s and is also a good reply for the web development if they tell you filtering the words “OR” and “AND” is enough as a generic SQL-injection protection.
It’s not “new”, but it was new to me. The idea is to place two equal signs inside the query so that the query becomes:

SELECT * FROM users WHERE column=’b’=’c’

More information and a very detailed explanation here. It seems to be specific to mysql.

Over the past few days, both the Vancouver Sun and the Ottawa Citizen have published (basically the same) story about “Toronto-based Ancestry.ca.”  From the articles, this appears to be related to such public institutions as the national archive and Library and Archives Canada.  And the price is right: “A two-week free trial period that began June 10 allows users to search for and download documents at no charge.”

I tried it out.  Giving minimal information about him brought up over 6,000 hits, the second of which was my grandparent’s marriage certificate.  Pretty good.

Unfortunately, that is not the whole story.  If you want to actually see anything that the search finds, you have to register.  And, if you pay attention, and actually read the “Terms and Conditions” (and look at the full screen, not the portion that shows when the box first pops up), you find that you are registering with “an Internet service (the “Service”) owned and operated by The Generations Network, Inc, an American company incorporated in Delaware, USA, and whose registered address is 360 W 4800 N Provo, UT 84604, USA.”  In order to register you have to provide a credit card.  After 14 days (and it isn’t clear whether that is 14 days after June 10, or 14 days after you register) “[i]f you wish to terminate your subscription you must notify us at least two (2) days before the Renewal Date by calling (800) 958-9073 Member service is available from Monday to Friday 7:00 am to 4:00 pm MST, or by sending an email to cancel@ancestry.ca providing the following information: Given name and surname, Username, Subscription type (UK/Ireland collection, etc.), Email address used when subscribing, Phone number including country code, Country.  If you fail to respond to the notice, your subscription will be automatically renewed,” and, of course, your credit card will be charged.

So, read carefully, people.  Are you dealing with a public institution, or a private company?  Are you dealing with a company in your country, or another?  And, is your “free trial” an “opt-out” contract for the company to start billing your credit card?

The T-mobile data breach that jbrown wrote about has been confirmed by T-Mobile.
I guess not everything you read on Full Disclosure is fake after all…

Open Security Foundation’s DataLossDB has announced the winners of oldest incident contest.

One of the oldest documented issue is TRW incident from 1984, when the database of credit history of 90 million American citizen was breached.
Link here.

Update: The winner is an incident from August 1953, when SSN’s were lost.

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.

It seems I get this IN MY INBOX everytime I post…

We have received your request to join the puitika
group hosted by Yahoo! Groups, a free, easy-to-use community service.

This request will expire in 7 days.

TO BECOME A MEMBER OF THE GROUP:

1) Go to the Yahoo! Groups site by clicking on this link:
http://groups.yahoo.com/i?i=oyhn042ed3ckqjsszqpggnyd5xxe0l1b&e=0xjbrown41%40gmail%2Ecom

(If clicking doesn’t work, “Cut” and “Paste” the line above into your
Web browser’s address bar.)

-OR-

2) REPLY to this email by clicking “Reply” and then “Send”
in your email program

If you did not request, or do not want, a membership in the
puitika group, please accept our apologies
and ignore this message.

Regards,

Yahoo! Groups Customer Care

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/