
Entries tagged as ‘security’

XML Insecurities

August 5, 2009 · Leave a Comment

The thing about computer security is, the more you learn, the more you realize the Internet is essentially patched together with duct tape and butcher’s twine:

Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products.

…Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML “libraries,” chunks of code that are typically used and re-used in software applications to process XML data.

…XML is used in a variety of document formats (docx, openoffice, playlists, configuration files and RSS feeds, to name a few). As a result, there are numerous vectors for attacking XML flaws remotely, such as sending malicious documents or network requests, said Jussi Eronen, an information security adviser for CERT-FI, the Finnish Computer Emergency Response Team.

Um, yay?

Categories: security · technology

Tweeting The Revolution Is Not Without Risks

June 17, 2009 · 1 Comment

The biggest story about Iran, besides the protestors themselves, is the protesters’ use of social networking sites, especially Twitter, to help perpetuate the images and stories of what is happening on the ground.

But these same sites that can fuel a revolution can also be misused, as noted here in a recent SANS ISC diary:

From an information security perspective, the threat is leading people to malicious websites. Set up a blog with an archive of posts on the issue, “borrow” a few pictures of the conflict and post them. Tweet a message that says “live images of protestors being shot at” and point to your blog that also includes pre-tested malware that is known to be not detected by AV vendors. Twitter and social networking tools provide another mechanism to lead people to the cyber-threat where only e-mail was used before. Twitter has no “anti-spam” features, everyone talking about a subject shows up.

So while the use of Twitter and other tools provides a means to breach censorship rules of foreign regimes, it does not come without risks. Is the information valid? Is it leading you to malware infecting your machine?

Simple precautions should be taken when viewing these sites — at the very least, make sure your AV is up to date, and use Firefox with the NoScript add-on.

We’re only at the early stages of this kind of political “hacktivism,” and as our lives turn increasingly digital, the tools and technologies we use are simultaneously connecting us to others as well as putting us at risk.

Categories: security · technology

Oh Good, The Power Grid Will Be Hackable

June 16, 2009 · Leave a Comment

A new security hole has been found in utility smart meters:

New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.

The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them…There’s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that’s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.

What perhaps adds a more dangerous element to this story is Google’s recent plans to hook into the power grid, via free software that customers run:

In a move to connect the emerging smart energy grid with the Internet, Google on Wednesday announced partnerships with eight national and international energy companies to allow consumers to access data about their energy usage through Google’s PowerMeter gadget.

Google PowerMeter is a software application that can be embedded on the company’s iGoogle personal home pages. It displays data about home energy usage, data provided by the new generation of network-ready smart power meters that are being installed by various utilities around the world.

While the vulnerabilities aren’t related to Google’s software, the fact that they are in this game, using the same free software model that made their other gazillion products popular, means there is a good chance this type of smart metering will take off. Under the guise of “informing the consumer,” the cool factor of monitoring your electricity bills over the net might cause the underlying software risks to be ignored, or pushed to the side.

Categories: 1 · security · technology

Don’t Click!

February 13, 2009 · 5 Comments

Yesterday, an interesting worm spread its way through Twitter. Thousands of people started tweeting “Don’t Click:” with a link attached. Click on that link, and it posted a tweet from your account to all your friends, with the same message.

Sunlight Labs did the initial analysis:

Huzzah! the first twitter social virus!

It seems mostly harmless, just perpetuating itself and breeding. You can check out the graph of its use here:

Here’s how it works:

You can actually link to twitter and auto-fill a message box quite easily. All you have to do is write a link like this:
“http://twitter.com/home?status=Sunlight Labs post on Don’t Click:http://bit.ly/kj1z9”. What this “virus” does is, it creates an iframe of the page, hides it, and when you click that button and you’re logged into Twitter, it makes you post that message (even though you don’t see it). There’s not a bit of javascript involved. The only javascript on the page is their Google Analytics code.

So, this “social virus” simply created an invisible page that overlaid the page you *thought* you were clicking, and it essentially forced your browser to push out a link.

The fact that no scripting was involved, and that your password wasn’t needed at all for this little trick, means it was basically harmless from a security and privacy perspective.
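The trick above only works because the Twitter page was willing to load inside someone else’s hidden iframe. The usual server-side fix is for the site to tell browsers it must not be framed, via an `X-Frame-Options` header or a Content-Security-Policy `frame-ancestors` directive. Here is a small audit that takes a response’s headers and says whether framing is blocked, restricted to the site itself, or open. This is an added example written for this page, not code from Sunlight Labs or Twitter; the header syntax is the real one, but the sample responses at the bottom are constructed.

```javascript
// Added example (not from the original post): audit HTTP response headers for
// anti-framing protection, the server-side mitigation for a hidden-iframe
// overlay. Header names/values follow the real X-Frame-Options and CSP
// frame-ancestors syntax; the SAMPLES object below is constructed.

function normalizeHeaders(headers) {
  // Lower-case header names and fold repeated headers into one array per name.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const values = Array.isArray(value) ? value : [value];
    out[key] = (out[key] || []).concat(values.map(String));
  }
  return out;
}

function frameAncestorsFrom(cspValues) {
  // Return the source list of the first frame-ancestors directive found in any
  // Content-Security-Policy header, or null when no such directive exists.
  for (const csp of cspValues) {
    for (const directive of csp.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        return tokens.slice(1).map((t) => t.toLowerCase());
      }
    }
  }
  return null;
}

function framingVerdict(rawHeaders) {
  // 'blocked'     : no page may frame this response
  // 'same-origin' : only the site itself may frame it
  // 'allowed'     : any page may frame it (the situation the post describes)
  const h = normalizeHeaders(rawHeaders);

  // When a CSP frame-ancestors directive is present it takes precedence over
  // X-Frame-Options, so check it first.
  const ancestors = frameAncestorsFrom(h['content-security-policy'] || []);
  if (ancestors !== null) {
    if (ancestors.includes("'none'")) return 'blocked';
    if (ancestors.length > 0 && ancestors.every((s) => s === "'self'")) return 'same-origin';
    return 'allowed';
  }

  const xfo = (h['x-frame-options'] || [])[0];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return 'blocked';
    if (v === 'SAMEORIGIN') return 'same-origin';
  }
  return 'allowed';
}

// Constructed sample responses: an unprotected page like the one in the post,
// plus two hardened configurations.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoOnly: { 'X-Frame-Options': 'deny' },
  cspWins: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
  },
};

function auditSamples() {
  // Map each sample name to its verdict.
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, headers]) => [name, framingVerdict(headers)]),
  );
}

console.log(auditSamples());
```

Note that the header only stops the overlay part of the trick; a state-changing action such as posting a status should also require a POST carrying a per-session token rather than being reachable from a prefilled GET link.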

Many people on twitter remarked how the way this “virus” spread demonstrated the “power of social networking.” But that’s not true — just the opposite.

It demonstrated the frailty of social networking. It has exposed what is always the weakest link in any system — the human factor.

The spread of this “social virus” relied on the trust we all place in our online friends. When someone you know and trust says “Don’t Click,” you assume it’s a joke they are playing (like you’re going to get rickrolled), and so you go ahead and click on it. The fact that many of your friends started posting the “don’t click” message on Twitter simply meant that everyone else was in on the joke, and you had to find out what it was all about.

Social networking sites and programs rely on the fact that we all trust each other. This same trust we place in each other is also the way social networking sites and programs can be exploited.

Categories: security · web2.0

Initial Thoughts on Conficker

February 13, 2009 · 3 Comments

I’ve been following the news on Downadup/Conficker, the largest botnet ever created/perpetuated to date. If you’re not familiar with it, Conficker is a computer “worm” that has infected an estimated 9 million Windows computers to date. It is essentially a large computer network, at the direction of *someone*, and no one knows at this point who that someone is, and what he or she (or they) may want to do with it. This botnet may end up being nothing; it may be the largest spam headache we’ve ever experienced; it may be worse.

You can chart developments on sites like Symantec, or follow the SANS Internet Storm Center. The latest news on this botnet is that a number of IT companies have decided to put up a stronger front in the fight:

Firms, including Microsoft Corp., Symantec Corp. and VeriSign Inc., have joined ICANN, the nonprofit group that manages the Internet Domain Name System, to preemptively register and remove from circulation the Internet addresses that the worm’s controllers use to maintain their hold on infected machines, said Gerry Egan, director of product management in Symantec’s security response group.

Separately, Microsoft has offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched the worm.

In any case, I’ve been trying to think of how to correlate this into something related to media theory. I’m not there yet, but certainly Galloway and Thacker’s The Exploit is an obvious starting point. Their thesis is essentially that “the network” has become the dominant cultural paradigm, and we see this in both positive and negative ways. So the same mechanisms and forces that make, for example, music file-sharing or Facebook or online politics so powerful are the same forces that can perpetuate terror networks or things like the Conficker botnet.

The fact is that Conficker is endemic to our cyber-lives; it, and the no doubt larger, more pervasive, and more dangerous botnets that will eventually come along in the future, are a by-product of the connectedness we share, both online and off.

Categories: security · technology

Portable Apps and TrueCrypt

January 23, 2009 · Leave a Comment

An update on my previous post, about Portableapps.

I’ve been using this for a few weeks now, and have updated my setup with TrueCrypt. Basically, I’ve set up a USB flash drive with an encrypted TrueCrypt partition, and within that, I’ve installed portableapps.

So, with this setup, anything I want to bring with me gets encrypted — my browser settings, bookmarks, documents, etc. It’s secure, in case I lose the drive. I have a browser with me all the time, as well as a PDF viewer, and an IM client (Pidgin).

I have two drives, actually. One is 256MB, the other 8GB. Because of FAT limitations, the TrueCrypt partition is limited to 2GB, but that’s more than enough space. The only difference between the two drives is the smaller one does not have room to install OpenOffice, but the larger one has that, too.

A very nice, secure, opensource, portable setup.

Categories: security · technology

Facebook Worm

December 19, 2008 · Leave a Comment

Recent news of a worm working its way through social networking sites:

The Koobface worm spreads over social networking sites such as Facebook and MySpace and has been circulating on Facebook since the summer. There are currently over two dozen variants of the worm, Craig Schmugar threat research manager for McAfee Avert Labs, told SCMagazineUS.com on Friday.

In this newest variant, users are being spammed Facebook messages with a link to a video in which they are supposedly featured. After following the link, users are redirected to a compromised host and they see an error message requesting that they download an update for Flash Player to view the video. The download is not a Flash Player update but really the Koobface variant, according to a recent McAfee Avert Labs blog post.

Expect things like this to increase in the future. Facebook is attempting to position itself as a social operating system. If Facebook really does represent a higher-level abstraction layer, as more applications become active within it (and the same goes for other social networking sites) it will become more of a target for security threats.

For now, this is more of a distraction:

Once a user is infected, the first goal of the virus is to spread to a user’s friends. The virus then installs a component that watches infected users’ HTTP traffic with the intention of hijacking a user’s internet search results.

“When you follow a search result link you are not taken where you want to go or expected to go, you are directed where the attacker wants you to go,” Schmugar said.

This is mostly just an annoyance for the user, but typically this type of behavior creates revenue for the attackers, who could be paid depending on the amount of traffic they direct to certain sites, Schmugar said.

But as the networked world becomes even more interconnected, the complexity factor rises. For example, with technologies like Facebook Connect, which move identity information between sites, attacks from within one site can expand out to others.

It’s not hard to imagine how attacks like this can become more intrusive, and more dangerous.

Categories: security · technology

Gone Phishin’

May 9, 2008 · Leave a Comment

I received an email from the “IRS” today:

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please follow the link and fill out the form and submit
before May 10th, 2008 to ensure that your refund will be
processed as soon as possible.

Of course, the link given doesn’t quite go to the IRS, even though the message came from a “.gov” email address. A quick whois search on the IP in the link revealed a server registered to an ISP that, from what I could tell with a few more Google searches, seems pretty notorious for spam, etc.

If you google the text above, you’ll find it’s a well-known scam that the U.S. Attorney’s Office and the IRS began warning people about a few days ago.
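The two tells in this message, a sender address on one domain and a link whose host is a bare IP address on another, are exactly what a mail filter can check automatically. Here is a small link audit that pulls the URLs out of a message body and flags any whose host is a raw IP or does not belong to the domain in the From address. This is an added example written for this page, not code from the IRS or from any mail product; the sample message is constructed, and 192.0.2.10 and example.net are reserved documentation values, not the real scam host.

```javascript
// Added example (not from the original post): flag links in an e-mail body
// whose destination does not belong to the domain the sender address claims.
// The SAMPLE_* values below are constructed; 192.0.2.10 and example.net are
// documentation/reserved names, not real hosts.

const URL_RE = /https?:\/\/[^\s<>"'()]+/gi;

function extractUrls(text) {
  // Pull out http(s) URLs and strip trailing sentence punctuation that the
  // regex would otherwise swallow ("...refund.php." -> "...refund.php").
  return (text.match(URL_RE) || []).map((u) => u.replace(/[.,;:!?]+$/, ''));
}

function isIpLiteral(host) {
  // Dotted IPv4, or a bracketed IPv6 literal as URL.hostname reports it.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || /^\[.*\]$/.test(host);
}

function hostBelongsTo(host, domain) {
  // True only for the domain itself or a real subdomain of it; a lookalike
  // such as irs.gov.example.net does not qualify.
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

function auditLinks(fromAddress, body) {
  // Return one finding per suspicious link: raw IP host, host outside the
  // claimed sender domain, or a URL the parser rejects.
  const claimedDomain = fromAddress.slice(fromAddress.lastIndexOf('@') + 1).toLowerCase();
  const findings = [];
  for (const raw of extractUrls(body)) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch (e) {
      findings.push({ url: raw, reason: 'unparseable' });
      continue;
    }
    if (isIpLiteral(host)) {
      findings.push({ url: raw, reason: 'raw-ip-host', host });
    } else if (!hostBelongsTo(host, claimedDomain)) {
      findings.push({ url: raw, reason: 'off-domain', host });
    }
  }
  return findings;
}

// Constructed sample: a "refund" lure with a raw-IP link, a lookalike domain,
// and one genuine link on the claimed domain.
const SAMPLE_FROM = 'refunds@irs.gov';
const SAMPLE_BODY = [
  'Our records indicate that you are qualified to receive the',
  '2008 Economic Stimulus Refund.',
  'Please follow the link and fill out the form:',
  'http://192.0.2.10/refund/form.php?id=1040.',
  'Or sign in at http://irs.gov.example.net/login to check your status.',
  'General information: https://www.irs.gov/.',
].join('\n');

function auditSample() {
  return auditLinks(SAMPLE_FROM, SAMPLE_BODY);
}

console.log(auditSample());
```

Only the first two links are reported; the genuine www.irs.gov link passes because its host is a true subdomain of the sender’s domain.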

These types of attacks, a phishing attempt at grabbing your bank account information, are increasingly becoming “commodities” in the world of cybercrime, as the economics are shifting to more profitable targets. From the NY Times:

Pilfered credit card numbers and bank account PIN numbers have become commodities on shadowy Web sites where stolen digital information is bought and sold. Company e-mail, business documents and personal health information are the new targets of choice for illegal hackers…

…A couple of years ago, credit card numbers and bank account PINs sold for $100 or more on sites selling stolen information…Now, the price is down to $10 or $20, compared to $150 to $200 for some of the newer documents.

Commodity or not, the phishing scam remains a tried and true way to get access to your money.

Categories: technology