Categories
Mozilla Security

False Alarm, Go Back To Bed

The other night I was reading about this new security flaw, and for some reason I couldn’t figure out why it was a security flaw. Why couldn’t you just download Firefox and open the file yourself? I presumed I was just tired, and went to bed.

Ends up I wasn’t the only one who didn’t think it was a vulnerability. Mike Shaver has more info on it. If someone wanted to get that information, they don’t need to get people to visit a hacked server. They can just download Firefox and open the file itself. No big deal.

Theoretically a custom enterprise build made by a company for use on its network could be modified, but I doubt it. Even if it was, it wouldn’t really contain anything very useful.

Always take things posted on a tech site with a grain of salt, unless they are confirmed by multiple experts. Slashdot ran the story a little prematurely.

Categories
Networking Security Tech (General)

Hacking A Boeing 787?

According to Wired the Boeing 787 Dreamliner connected the networks for passenger services to critical flight systems:

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Here’s what a Boeing spokesperson had to say:

…it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.

Would it really be that much more costly to create two networks? One for the important stuff like navigation and control systems, and another completely independent network for passengers to download porn. Networking gear isn’t that expensive. Internet access at 35,000 feet is high latency anyway.

I’m really not so sure I’d feel comfortable knowing that the same network that’s carrying a Rob Schneider movie to the guy in 11F is also carrying packets intended for the horizontal stabilizer.

Maybe I’m just paranoid. After all, I’m not too comfortable with the Airbus A380 apparently running Windows in the cockpit.

Hopefully they get it all figured out quickly.

Categories
Apple Security

Calculator Phoning Home? Not Really

Wasn’t sure what this was all about, but according to Little Snitch 2.0 (which is awesome by the way) the Calculator in Mac OS X 10.5 (Leopard) apparently phones home. Based on the URL http://wu-calculator.apple.com one would assume it’s checking for updates (wu typically stands for web update). Though I find this somewhat odd considering Mac OS X has an update system that’s all encompassing, I decided to take a closer look. Earlier it was said that 10.5 was phoning home, though that turned out not to be the case.

Calculator Phoning Home

So I did a little sniffing around (literally packet sniffing), and here’s what I found. On load it sends the following (seemingly blank) request to Apple for currency conversion info. The response is the exchange rate. I’ve got a copy for reference below for anyone who wants to see. Calculator seems to use CFNetwork to communicate (not surprising). What’s interesting is that this info doesn’t seem to be cached; every time you load Calculator it’s requested.

So yes, it does technically ping the mothership, but no, it doesn’t seem to send back any data worth being concerned about. The only thing noteworthy is the cookie. The cookie itself is characteristic of Omniture, an analytics company (which provides analytics services to Apple, among many of the largest sites on the web). This seems like a side effect of the implementation (likely sharing stuff from WebKit). I don’t think Omniture is pinged during this transaction, so the cookie would only matter if Apple were recording it and matching it against web analytics data. I’d consider that extremely unlikely even if I put a tin foil hat on my head. I guess Apple could further neutralize any privacy concerns by modifying the implementation to not send a cookie. At that point they would only have your IP to go by (which could be behind a proxy and therefore isn’t very reliable). I don’t think this is a privacy risk, but I also don’t think it would be so bad for Apple to modify it and drop the cookie to make it more anonymous. Or at least give the option to not request data every time.

Categories
Mozilla

The Shape Of Firefox 3.0

Alex Faaborg has an awesome post on UI changes for Firefox 3.0. It’s a little lengthy, and most pics are wireframes, but it’s a rewarding read for anyone in the browser space, or who has an interest in user interface.

Overall I like most of the changes. I’ve been ranting about a need for a better bookmarking interface since 2005. Not sure if I was ahead of my time, or just impatient (likely the latter), but it’s finally becoming a reality, which I’m thrilled about. I’ve got some ideas on where it could go from here to make it even better, but that’s another post I hope to get to sometime.

One change that caught my eye is this:

  • The lock is being removed from primary UI, and Firefox will now use a metaphor based on identity, rather than security, which will appear on the site button if an SSL or EV certificate is available. The super short explanation for this change is that the user might have an encrypted connection to criminals, so telling them that they are safe is a false cue. For an in-depth discussion of why we are moving away from the metaphor of a lock, watch Johnathan Nightingale’s Mozilla24 presentation Beyond the Padlock.

I’m not sure if this is really the best solution. I’d personally like to see the lock stay in the UI, but its meaning redefined. For a decade or more, the public has been told that the best way to tell if your information is safe is to look for the lock. I’d venture 99% of the general population doesn’t really know it symbolizes the use of SSL. They just know that it means your information is “safe”. My thinking is that it would be the most graceful transition to map that to the new identity system. Essentially the information it reveals would be the new identity information, but it provides backwards compatibility with previous versions, and other browsers. One less learning curve. Still, in regards to safety, look for the lock.

Regarding the iconic form:
Iconic Form

Image from Alex Faaborg The Shape of Things.

I could make a rather infantile joke, but I’ll leave that as an exercise for the reader.

Overall it’s some great progress. I think these changes allow for a much more functional user interface with added features and less UI. The native appearance will also be excellent for Mac and Linux users who have longed for a UI that looked “right” on their systems.

Categories
Hardware Security

Improving Storage And Backups

I work on multiple computers (Mac/PC) and have various assets online including this blog and quite a bit of code lying around in svn, and just on the file system. My backup solutions so far have been pretty ad hoc but rather effective. Everything important is replicated somewhere else at varying frequencies. The downside is that it’s not very efficient and even partially manual. I’ve decided over the next several weeks I’m going to re-evaluate how I do all my data storage and backups. Here’s the list of goals:

  • Improve how data is organized and stored, both in primary storage and in backups. Organizing and cleanup.
  • Make sure all data has at least 1 backup (I pretty much do this already and have for a long time).
  • Automate as much as possible.
  • Keep costs low. Back up more for less.
  • Use tertiary offsite backups for most critical data.
  • Maintain solid encryption practices where necessary for transmission and storage (already do this).
  • Decrease time to restore from backups.
  • Back up more often, so time between backups is minimal for frequently updated data.
  • Give myself room to grow.

At $0.15/GB Amazon’s S3 is very affordable for my needs. A dollar or so a month gets you a fair amount of storage considering most data doesn’t get touched that often (it’s data transfer that gets a little more costly). I’ve been using Amazon with a few backup scripts for a few months to see how it works and how I can best use it. I’m planning to ramp that up a little more. I also want to do more with incremental backups (perhaps use rsync more) to save time and disk.

Ironically I kick off this little project when reports indicated hard drive prices have been dropping (obvious, right?). I’m not sure if it would make sense to purchase additional storage, or if I can get by with just better utilizing what I already have.

I’m doing this for a few reasons. Considering the cost of storage, there’s no excuse to not have solid backups, or to even waste your time with data loss. I also want to improve my use of offsite backups for more important things to make sure that I keep costs low and keep backups fresh. Accident, fire, flood, and theft are always possibilities no matter how careful you are in life. The great thing about digital vs. paper is that it’s easier to have several copies.

I believe my practices are pretty good, and likely better than the vast majority of the population, but I think I can still do better. I think I can make better use of what I have and maybe for a slight cost add another layer of protection if necessary. I’ll post again with my findings.

Categories
Security

Bank Security Sucks

Why is it that I can get a security key fob from PayPal for a mere $5, but not from my credit card company or bank? PassMark seems to be the latest craze of banks in an attempt to look more secure. It doesn’t work. Online security still seriously sucks. 96.66% fell for phishing according to Harvard and MIT just a few months ago. Interestingly both of those links reference the same bank (Bank of America), though they aren’t the only ones.

And I’m supposed to believe RFID enabled credit cards aren’t trouble? I think not. I’ll wait until the technology has been proven a bit more. Swiping the card really isn’t that hard. I find it to be a good workout. For the security of knowing my wallet is a good security device, I don’t mind the inconvenience. When they can prove it’s secure I’ll switch. I doubt that will be for a while.

I wonder how long until financial institutions start taking security to the next level. I’m confident they will be pushed to do so at some point. I’m just wondering what the catalyst for change will be. I’m guessing some more alarming statistics. I really want to see hardware based two-factor authentication become the de facto standard in all banking systems. If PayPal can do it for $5 per user, I think the rest can manage to offer it. It’s not perfect, it doesn’t cover every type of attack, but it’s the single best enhancement over a good password. You do have a good password, right?

[Hat Tip: The Consumerist]
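The hardware fob discussed above, as an added example that is not from the post: an OATH HOTP (RFC 4226) token, which is how such event-based fobs are commonly built (an assumption about the PayPal device, which the post does not describe), together with the server-side check that tolerates a few button presses that never reached the server and refuses replays. The secret is the RFC 4226 test vector, not a real seed.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"). A real fob has a random
# seed provisioned into the device and stored server-side; never a fixed value.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for one counter step."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of an event-based fob for one user.

    Tracks the next counter the server expects and accepts a code only if it
    matches a counter in [expected, expected + look_ahead): this absorbs the
    classic failure mode of a fob pressed a few times without logging in,
    while an already-used (or earlier) counter can never be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0                                # next expected counter

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1                    # move past the used step
                return True
        return False


if __name__ == "__main__":
    v = HotpVerifier(DEMO_SECRET, look_ahead=3)
    first = hotp(DEMO_SECRET, 0)
    print("fresh code accepted:", v.verify(first))
    print("same code replayed:", v.verify(first))
    print("two unused presses, still in window:", v.verify(hotp(DEMO_SECRET, 2)))
```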

Categories
Mozilla Security

Email Image Protection

Many people think that making an image out of an email address is a good way to protect it from being harvested by spam bots. It’s now possible to convert it from an image to an email link via a Firefox extension. Guess what, an email harvester can do this just as well. What’s a better solution against email harvesters? Don’t put any trace of an email address online; use a form. Yes, you could distort the image a bit to make it more difficult, but using a CAPTCHA as an email address isn’t going to make you any friends. JavaScript can also be done, but there’s no reason why it can’t be interpreted (though that may be more difficult in some cases, since a JS engine isn’t the easiest thing to work with, and implementing anything less can easily be defeated by throwing some extra JS in there). Some discussion on the Firefox extension implementation can also be found on Gerv’s blog, where he proposed the idea.

Categories
Google Security Spam

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with a spam text, the email is sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in an email to make it clickable. Effectively Google is running an open mail server. Here’s what I saw when I visited Google’s site to see if it really was in my account:

Google Spam

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with security of web forms. Even something innocent sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc. All looking like legitimate Google emails (because they are from Google).
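The lesson in the paragraph above, as an added example that is not from the post or from Google: the check a service could run before it embeds user-supplied alert text in mail sent on the user’s behalf, refusing link-like text (including the usual “example dot com” disguises), header-breaking characters, and recipients who never confirmed they want the mail. The queries, recipient addresses and verified-address list are constructed for the example.

```python
import re

# Any link-like token is refused: the receiving mail client will turn it into
# a clickable link inside a message that genuinely comes from the service.
URL_RE = re.compile(r"https?://|\bwww\.|\b[a-z0-9-]+\.[a-z]{2,}\b")


def normalize(text: str) -> str:
    """Undo the common tricks used to slip a domain past a naive filter."""
    t = text.lower()
    t = re.sub(r"[\u200b\u200c\u200d\ufeff]", "", t)        # zero-width padding
    # "example dot com", "example[.]com", "example (dot) com" -> "example.com"
    t = re.sub(r"(\w)\s*(?:\[\.\]|\(\.\)|\(dot\)|\s+dot\s+)\s*(\w)", r"\1.\2", t)
    return re.sub(r"\s+", " ", t).strip()


def check_alert_query(query: str, recipient: str, verified: set, max_len: int = 100):
    """Return (ok, reason); ok is False when the alert must not be created."""
    if recipient.lower() not in verified:
        return False, "recipient address has not confirmed it wants mail"
    if len(query) > max_len:
        return False, "query too long for a search term"
    if re.search(r"[\x00-\x1f\x7f]", query):
        return False, "control characters (a CR/LF would reach a mail header)"
    if URL_RE.search(normalize(query)):
        return False, "query contains a link"
    return True, "ok"


# Constructed sample inputs, not anything actually observed in Google Alerts.
VERIFIED = {"reader@example.org"}
SAMPLES = [
    ("firefox 3 bookmarks", "reader@example.org"),                  # accepted
    ("Cheap meds!! visit www.example.net/pills now", "reader@example.org"),
    ("great deal at example dot com / offer", "reader@example.org"),
    ("firefox 3 bookmarks", "victim@example.com"),                  # unverified
]

if __name__ == "__main__":
    for query, rcpt in SAMPLES:
        print(check_alert_query(query, rcpt, VERIFIED), repr(query), rcpt)
```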

Here’s what the email looks like (slightly sanitized by me):

Categories
Apple Mozilla Security

Safari Redux

I said yesterday:

  • Security – I have a feeling this will make it much more of a target to hackers. So far Safari has fared pretty well. I guess we’ll see.

Well, that didn’t take long.

The bottom line is: web browsers are complicated pieces of software that deal with a ton of different technologies and render code written by people you shouldn’t trust. While countless security measures are taken, nothing short of floating a hard drive in outer space will be secure, and even then… you never know.

Security is partially about preventing problems, and largely about dealing with them.

Categories
Mozilla Security

96.66% Fell For Phishing

Kiplinger has a great story on phishing and security. The bottom line: while progress has been made there’s still a long way to go. Here was a very concerning piece:

When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected.

I doubt any anti-phishing protection was enabled on those browsers. Not sure if it would have helped or not. Regardless it’s still a concern. Users didn’t pay attention to the images they selected. I guess it’s human nature to ignore things we don’t think are important.

[Hat tip: The Consumerist]