Categories
Mozilla Security

96.66% Fell For Phishing

Kiplinger has a great story on phishing and security. The bottom line: while progress has been made there’s still a long way to go. Here was a very concerning piece:

When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected.

I doubt any anti-phishing protection was enabled on those browsers. Not sure if it would have helped or not. Regardless it’s still a concern. Users didn’t pay attention to the images they selected. I guess it’s human nature to ignore things we don’t think are important.

[Hat tip: The Consumerist]

Categories
Blog SafePasswd.com Security

SafePasswd Secure Edition + Blog

As of yesterday SafePasswd.com is now suggesting passwords over SSL for better security. Seems like a good idea right?

In other news, there is now a SafePasswd.com blog. The focus is quite simple. Bring better security to the masses.

Check it out, add the feed to your favorite RSS reader, bookmark it.

Categories
Mozilla Security

WebApp as Desktop App Security Model?

Recently there has been a fair amount of talk about bringing web applications off of the web and onto your desktop, or to put it in really simple terms: providing a bare browser that has no UI but the site you visit. It sounds good, but I’m not convinced it’s quite workable, at least at this point. A few examples of these attempts are:

The first two are somewhat generic in purpose, while FullerScreen is intended more for the task of using a web page as a presentation medium, making it a potential replacement for something like PowerPoint.

I’m not quite sure this is really a workable model for the “average user”. Take for example the following scenario:

Say you use this as a way to make your Gmail (or Yahoo) account feel more like a client-side application. You receive an email asking you to visit a site. You click the link and visit the site. You think you are using Firefox. In reality you’re viewing a spoofed window. Even if remote XUL is disabled you can still do a fair job with just a bunch of cut-up GIFs, enough to fool a casual user. Firefox has some basic countermeasures to help prevent this, such as always keeping some of its own UI visible.

This could be prevented if a “windowless” browser always prompts or provides some other sort of notification before connecting to an unprivileged host. Or better yet: simply launch the real browser rather than handling untrusted URLs. That would be better and less Vista-like.

So that leaves me with the question: how should such an application behave? A true desktop application typically launches the default browser on the computer, notable exceptions being things like RealPlayer, Google Earth, etc., which embed a browser. How do you give a desktop-like feel to an application, yet still provide the UI feedback to the user that a browser’s chrome provides?

My suggestion is simply limiting by a hostname. You have a Gmail app, you trust Gmail and nobody else. In my mind an application does 1 task and does it well. If it was intended to feel like a Gmail client, then it should do that, and that only. Want to visit that website with the monkey that sniffs his own butt? Cool, but do it in your own browser.

I’d be curious what others thought of this potential problem. I think with XULRunner looking more stable, WebKit being available to Mac developers and the merging of the web and OS, things like this are a potential problem. We are getting more and more ways to embed browsers into things (widgets, extensions, etc.). This is going to be more of an issue moving forward.

This isn’t to say I don’t like the above products (I actually really like them). I just haven’t figured out exactly how they fit into the current security model of local:safe, web:devils-playground. I don’t think they do. I think they potentially break the barrier between the web and desktop applications, a barrier we’ve all been hoping would be broken. The question is: are we ready?

The higher level question is: How do you distinguish between trusted and untrusted data when it all looks like it’s local?
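As an added example (not code from this post or from any of the projects it mentions), here is how a site-specific browser could implement the hostname rule suggested above: only a fixed set of trusted hosts is rendered inside the chrome-less window, and every other URL is handed to the system’s default browser. The host names, the `routeNavigation` function and the “render”/“external” outcomes are assumptions for illustration.

```javascript
// Added example: a hostname allowlist for a "windowless" web-app wrapper.
// The trusted host names below are constructed for the example.
const TRUSTED_HOSTS = new Set(["mail.google.com", "accounts.google.com"]);

// Decide how a navigation should be handled.
// Returns "render" for a trusted host and "external" (hand the URL to the
// real browser) for everything else, including URLs that fail to parse.
function routeNavigation(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser; throws on malformed input
  } catch {
    return "external"; // fail closed: unparseable input never renders in-app
  }

  // An app pretending to be a desktop client should only ever talk to its
  // service over TLS; plain http is sent to the real browser.
  if (url.protocol !== "https:") {
    return "external";
  }

  // Compare the parsed hostname, never the raw string: in
  // https://mail.google.com@other.example/ the parser treats the part before
  // "@" as userinfo and the hostname is other.example. Matching is exact, so
  // mail.google.com.other.example is not mistaken for a trusted subdomain,
  // and look-alike Unicode names arrive punycoded and do not match either.
  return trusted.has(url.hostname) ? "render" : "external";
}

// Dispatch helper: callers supply the two actions the wrapper can take.
function handleNavigation(rawUrl, { renderInApp, openInDefaultBrowser }) {
  const decision = routeNavigation(rawUrl);
  (decision === "render" ? renderInApp : openInDefaultBrowser)(rawUrl);
  return decision;
}
```

The two callbacks in `handleNavigation` are where a real wrapper would load the page in its own window or hand it to the operating system’s default browser.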

Categories
Security Tech (General)

Getting A Non-RFID Credit Card

The Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contactless terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

[Image: Chase Blink logo]

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card without the “Blink” capability. The actual plastic card is their “Rewards Visa”, though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic; the credit plan is in the account, not the card. So there you have it: you can get a secure credit card if you’re concerned about security.

Chase claims “Blink” is very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed with which it can be swiped (as demonstrated on the Chase blink website), one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing, since no actual contact is needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. There is no way to read the magnetic stripe or copy the numbers off of it without the actual card being visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I did realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and the use of the stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.

Categories
In The News Security Spam

Coming Soon: Bluejacking

If you have Bluetooth on your phone, there’s yet another reason to turn it off when you aren’t using it. Besides saving battery life (which is always a good thing) and general security, you’ll be seeing more and more spam as time goes on if you keep it on. It’s already a problem in some places. Here’s an auto-translated version of the linked article in English.

It’s too easy to just spam cell phones with phone book entries, videos, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long before apps exist for PDAs to automatically spam any Bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discreet marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in sight.

Categories
Open Source Security Software

Using Norton AntiVirus With POP3 Over SSL

I didn’t find this anywhere online, so I thought I’d post it. Norton AntiVirus up to and including 2007 doesn’t support POP3 over SSL. That’s a problem since sending mail without SSL is insecure, and sending mail over SSL with no virus scanning is also insecure. There is a fix.

Please note these directions are intended to be a casual guide for experienced individuals. I’m not providing assistance or support.

Categories
Security Software

Is Vista For Me?

CNet’s review pretty much sums up my feelings on Vista after playing around with it for a little while:

The bottom line: Windows Vista is essentially warmed-over Windows XP. If you’re currently happy with Windows XP SP2, we see no compelling reason to upgrade. On the other hand, if you need a new computer right now, Windows Vista is stable enough for everyday use.

I don’t see a reason to upgrade. There’s nothing I really want/need in Vista that I’ve seen. Aero is a giant waste of battery life on laptops, not to mention it’s GPU hungry, so I don’t see my laptop enjoying that. Then there is the issue of all the DRM and “security” (aka annoyances) they built in. Not to mention the added cost of upgrading older software to work with Vista. XP seems to do the job just as well as Vista does. Oh yeah, it’s not exactly priced to sell.

Perhaps by Vista SP1 there will be some compelling feature or benefit. At least for now I don’t see what the big deal is.

On the other hand, I’m somewhat impressed by the Office 2007 release. In my opinion it’s much more polished than past releases. I’m still using Microsoft Office XP (2002) since there was nothing in subsequent versions worth upgrading for. This one may be worth getting, though I’ll likely wait until they shake the remaining bugs out and it’s a bit more used in the real world. I have a feeling corporate adoption may be a little slower due to the UI changes. This upgrade may require some retraining of employees, and I’m sure many companies won’t be into that.

Categories
Around The Web Internet Security

PayPal Security Enhancement

For $5 you will be able to get a little better security with a PayPal SecurID. That’s not a bad idea. I very rarely use PayPal (mainly when some sort of discount/promotion is available), but I’d still get one, just for the added safety.

I wish banks would hurry up and make it standard across the board. A good password is still important, but two-factor authentication like this is a big step in defeating Phishing.

Categories
Apple Security

QuickTime Security Flaw

Interesting turn of events regarding that MySpace security problem. Plugins add an interesting perspective to security on the web. Web site code, browser code, and (often forgotten) plugin code. That’s a lot of hands in the pot. One mistake is all it takes.

Categories
Around The Web Politics Security

Hacking The TSA

Everyone’s favorite security guru has a great blog post on how to prevent loss of an expensive camera that must be checked as luggage rather than carried on. To summarize, you can pack it with a starter pistol so that the TSA takes extra precautions to prevent its loss (they don’t want to lose a gun, but don’t mind losing your expensive possessions).

This is really quite brilliant. Here’s some info on requirements. According to this you could also just carry a replica, or even a bullet, or a piece of a gun.

That’s got to be the most clever solution to the problem. Finally we can all carry our laptops and expensive equipment around without fear of loss. You know the TSA won’t lose a gun, since that would spark a major controversy.

I must admit this solution is beyond clever, it’s outright brilliant.