Facebook’s New Features

With the new modifications to Facebook, and without changes to some of the default privacy settings, your friends can see your current activity: what game you are playing, which websites or articles you are reading, and even what music you are listening to, all shared without you ever deciding to share it. All of these new ‘real time’ apps on Facebook raise the familiar question: “where is the line at which the information being broadcast becomes too personal?”

Another feature being added to Facebook is the timeline. It has already been documented that the timeline could be a “gold mine” for harvesting information about people. The information is displayed in chronological order, which could increase the risk of a user being “cyber-stalked”. The information in the timeline could also help a criminal guess your passwords, since many users build their credentials from personal details such as birthdays, pet names or hometowns.

Overall, I think that the new modifications on Facebook will take some ‘getting used to’. It is becoming more of a controversy whether the information the website outputs, with or without the user knowing it is being displayed, is a privacy concern.

Sources:
http://www.cnn.com/2011/09/23/tech/social-media/facebook-real-time/index.html?iid=EL

http://www.computerworld.com/s/article/9220240/Facebook_s_Timeline_will_be_boon_for_hackers

Biometric Authentication Systems

Many companies are now looking for ways to leave the password behind. The problem with passwords is human error: most people choose simple passwords that are easy to type and remember, and some employees will share their password with anyone who asks. That is a serious risk for a company, because those employees often have access to sensitive information, and a compromised account means compromised data.

Biometric systems address several of these problems. They give faster access to protected documents, which keeps employees happy, and they make lending out credentials impractical, since you can’t really lend a finger or an eyeball. The technology is improving: USB fingerprint scanners let users authenticate to their accounts from multiple systems, and biometrics for mobile platforms are in development, giving users even more ways to reach their accounts. Biometrics carry risks of their own, however. A fingerprint or iris template cannot be changed if it is stolen, sensors can be spoofed, and every system trades false accepts against false rejects, so biometrics are best used as one factor alongside a PIN or token rather than as a wholesale replacement for passwords.

Internet Legislation in the Era of Digital Warfare

Ever since the inception of CYBERCOM (US Cyber Command, a newly created sub-unified command of the US Department of Defense that deals with cyber strategy, security and networking for the military), there has been a noticeably heightened sense of awareness here in the US, driven by the attention given to a number of cyber attacks sustained by government and civilian networks over the past two years. These attacks range from hacktivism (like the DDoS attacks on PayPal), to espionage (like the Chinese cyber attacks), and even fraud (like the recent Bitcoin scams). However serious all these attacks may seem, the most serious of them cross into the realm of cyber terrorism; examples include the successful disabling of government networks and multi-city blackouts that have been reported as caused by hacking.

If the increased number of proposed legislative bills is any indication, the US government is trying to be proactive in answering a very serious question: how can it protect itself and the nation against cyber attacks, especially attacks targeting critical infrastructure? While some proposals (like the Cybersecurity Enhancement Act of 2010) suggest improving cyber security technical standards, other proposals are more controversial. Take, for instance, the proposed amendment to the Homeland Security Act, which would give the president almost limitless power to restrict internet access to protect national interests, in the form of a figurative ‘internet kill switch’. And even though the idea of using regulatory power to restrict communication or access is not new in the United States (see the Communications Act of 1934), the fact that it could now be applied to the open landscape of the internet has inspired many arguments for and against proposals to regulate internet use. With all this being said, it makes me wonder: do people fear the government abusing this power more than they fear the outcome of an actual attack, or vice versa? Could that fear, whatever its origin, result in a far less open version of the internet than Americans now know?

Whatever the case, government officials are closer than ever to reaching a consensus on these issues. The only thing Americans can hope for is that the measures being put in place today help mitigate the fallout of possible attacks in the future, and create a more capable cyber security defense for American networks and infrastructure.

To learn more about new legislation or to track the progress of proposed bills, please visit http://govtrack.us.

*The image in this post is being used for educational purposes, and is owned by Ars Technica.

USB Dead Drops

Dead Drop

The first time I heard about Dead Drops, I was intrigued by the idea behind them: offline public file sharing using USB thumb drives that are built into buildings. But then I realized how bad this idea is from a security standpoint. Autorun scripts, malware disguised as image files and the like could very easily be planted on one of these drives and then end up installed on an unsuspecting machine. The FAQ page at deaddrops.com suggests using a virtual machine to read the drive, but even then it is not always easy to tell whether the USB device is passed straight through to the virtual machine or whether the host OS touches it first. If the host auto-mounts the drive, honours autorun, or generates thumbnails for its contents, the host has already parsed untrusted data, and the virtual machine adds no security at all. Another option is to use a machine that is dedicated to connecting to Dead Drops. This works as long as it stays dedicated to Dead Drops and nothing of value is ever kept on it. Even then, if the Dead Drop isn’t actually a real Dead Drop but is wired to 110V wall power (for example), good luck fixing your computer.
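One way to act on the FAQ’s “look before you open” advice is to triage the drive’s contents without opening or executing anything: read the autorun.inf to see what Windows would have launched, and compare each file’s header bytes with what its extension claims. The following is an added example in Go written for this page; it is not code from the post or from deaddrops.com, and the sample drive contents (the autorun.inf and the fake “holiday.jpg”) are constructed for the demo.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed sample of what might be found on an untrusted thumb drive. It is
// made up for this example, not the contents of any real dead drop: a classic
// autorun.inf, a "photo" whose header is actually a DOS/PE executable, a real
// JPEG header and a plain text file.
var sampleDrive = map[string][]byte{
	"autorun.inf": []byte("[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nshell\\view\\command=viewer.exe\r\n"),
	"holiday.jpg": []byte("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
	"photo.jpg":   []byte("\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
	"readme.txt":  []byte("Welcome to the dead drop.\n"),
}

// Extensions that should never carry executable code.
var dataExts = map[string]bool{
	".jpg": true, ".jpeg": true, ".png": true, ".gif": true,
	".txt": true, ".pdf": true, ".mp3": true, ".doc": true,
}

// Magic numbers of executable formats we refuse to trust on sight.
var executableMagic = []struct {
	kind  string
	magic []byte
}{
	{"DOS/PE executable", []byte("MZ")},
	{"ELF executable", []byte("\x7fELF")},
	{"script with shebang", []byte("#!")},
}

// ParseAutorun returns every command an autorun.inf would hand to Windows:
// the open= and shellexecute= keys and any shell\<verb>\command= entries.
func ParseAutorun(inf []byte) []string {
	var cmds []string
	sc := bufio.NewScanner(bytes.NewReader(inf))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), "=", 2)
		if len(parts) != 2 {
			continue // section headers, comments, blank lines
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		val := strings.TrimSpace(parts[1])
		isVerb := strings.HasPrefix(key, "shell\\") && strings.HasSuffix(key, "\\command")
		if key == "open" || key == "shellexecute" || isVerb {
			cmds = append(cmds, val)
		}
	}
	return cmds
}

// SniffExecutable reports whether the first bytes of a file identify an
// executable format, regardless of what the file name claims.
func SniffExecutable(data []byte) (string, bool) {
	for _, m := range executableMagic {
		if bytes.HasPrefix(data, m.magic) {
			return m.kind, true
		}
	}
	return "", false
}

// Finding is one reason not to trust a file.
type Finding struct {
	File   string
	Reason string
}

// Triage inspects a drive's contents without opening or executing anything
// and lists the files that would be dangerous to double-click.
func Triage(files map[string][]byte) []Finding {
	var out []Finding
	for name, data := range files {
		if strings.EqualFold(name, "autorun.inf") {
			for _, cmd := range ParseAutorun(data) {
				out = append(out, Finding{name, "autorun would launch: " + cmd})
			}
			continue
		}
		ext := strings.ToLower(path.Ext(name))
		if kind, ok := SniffExecutable(data); ok && dataExts[ext] {
			out = append(out, Finding{name, fmt.Sprintf("named %s but header is %s", ext, kind)})
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(out, func(i, j int) bool {
		if out[i].File != out[j].File {
			return out[i].File < out[j].File
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

func main() {
	for _, f := range Triage(sampleDrive) {
		fmt.Printf("%-12s %s\n", f.File, f.Reason)
	}
}
```

On a real drive, mount it read-only and with exec disabled (on Linux, `-o ro,noexec,nodev,nosuid`, with desktop automount turned off) before reading the files into such a tool. Note that this only covers files: a “drive” that is really a USB keyboard, or one wired to mains voltage as the post describes, is a different problem and no amount of file inspection helps.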

See also:

http://www.instructables.com/id/USB-Dead-Drops/
http://deaddrops.com/
http://deaddrops.com/dead-drops/faq/
[EDIT: After I posted this I was checking xkcd and the current one is relevant- http://www.xkcd.com/956/] 

Image above credited to Aram Bartholl (Creative Commons By-NC-ND).

Evil-VNC: A VNC Server Injector

There have been countless trojans and backdoors written over the last decade, some more complex than others, but all unnerving nonetheless. There is one in particular, though, that I’ve always found to be a good example of how hackers sometimes build their ideas on normal, legitimate software.

VNC, the remote access software best known through RealVNC, has been around since the late 1990s and has become widely used. Basically it allows a computer to be controlled remotely by another computer: the server part is installed on the remote computer, and the computer accessing it runs the client part. RealVNC is meant for legitimate purposes. On its own it is not much of a security threat, since it requires the cooperation of whoever controls the remote computer, and the server can be protected with a password. (The classic VNC password is limited to eight characters and the session is not encrypted unless it is tunnelled over SSH or a VPN, so a VNC server should never be exposed directly to the internet.)

An example screenshot of the client viewing two other remote computers:

Around 2004 a hacker known as matiteman created a VNC server injector, which he named Evil-VNC. It can silently install a VNC server on a remote host and start it automatically; the victim sees nothing and does not know it is running. After installation the attacker is notified immediately: the implant sends the victim’s IP address and the connection password to a preset CGI or PHP logging script.

When it was first released it had only a few features, but it was eventually updated to include many more, such as file transfer and built-in file binding.

The hacker can use the RealVNC client to view his victims, but since the Evil-VNC server includes a Java viewer applet, it allows remote control without any viewer application. This means the hacker could use any computer with a web browser and Java installed to watch and control victims from there.

Although Evil-VNC is well detected by anti-virus products nowadays, its source code was released. Anyone with the know-how could therefore pack it with a crypter of their own, or one that other people have not yet used, to slip past signature-based detection.

The “Chinese” attack on Google

I decided this week to revisit a very interesting news story from late January through early June of this year. Google was hit with a seemingly organized hack attempt. The hackers aimed for the email accounts of senior US officials as well as political activists and journalists residing in China. The attack originated from China, but has not been officially linked to the government hacks that went on in 2009 and early 2010. Apparently both attacks originated from Jinan, China. What got me was the fact that they went after high government officials from other countries as well as activists. The Chinese government denied any part in this latest attack, but Google didn’t rule out the possibility that the government was at it again.

Once inside an account, the hackers changed its forwarding settings. Though it isn’t exactly clear what they were after, it seems they were trying to keep tabs on what information these people were passing around through email. (Forwarding rules are worth checking after any account compromise: they keep delivering mail to the attacker even after the password has been changed.) In the world today, not only does each person need to take responsibility and be aware on the internet; this attack shows that even governments must be aware of what is going on. A break-in to high officials’ email accounts may lead to countless amounts of information winding up in the wrong hands. This, coupled with the attacks of early 2010, sends a clear message that it doesn’t matter who you are when you’re on the internet: if you’re not careful, you are in danger. With the added danger of government hackers it changes the game a bit. The most interesting part of the article was the type of attack. According to Google, these passwords were obtained by phishing. Though the attackers may have been more thorough than most phishing scams, it just goes to show that nine times out of ten it is the user who hands over their password, proving we all need to think more about cyber security.

Resource:

http://www.cbsnews.com/stories/2011/06/01/scitech/main20068093.shtml

New England Information Security Forum and Hacker Halted USA 2011 are Coming

Within the next 45 days, two renowned information security meet-ups are returning.
Hacker Halted is back in the USA this October 21-27. The global conference series is dedicated to raising awareness of computer and information security, and this year it is in Miami. The conference is broken into two distinct parts: from the 21st to the 24th it provides information security training, while the last three days are for presentations, the first of which is for the keynote speakers.
The five keynote speakers are:
Jeremiah Grossman: CTO of WhiteHat Security and founder of the Web Application Security Consortium
Barnaby Jack: recently made famous by his ATM hacking demo at Black Hat USA 2010
George Kurtz: Executive Vice President and Worldwide Chief Technology Officer of McAfee, and co-author of Hacking Exposed: Network Security Secrets and Solutions
Dr. Charlie Miller: expert on Apple security and winner of CanSecWest’s Pwn2Own Apple hacking challenge
Bruce Schneier: author of Applied Cryptography and, to some, the spokesperson for the entire information security field.
The last two days are broken into tracks: “Cut the Crap, Show me the Hack”, “Securing SCADA and Critical Infrastructures”, and “What’s Hot”.
If you can’t wait until October, the New England Information Security Forum is coming up September 20th and 21st in Boston. The conference is in its 11th year and strives to share information and insights about information security.
It includes the following tracks: “Information Security in a Borderless World”, “Security 2.0: The Proactive Security Organization”, “Next Generation Security Operations”, “Strategy 2.0: Anticipating Legislation, Mitigating Risk”, and “Application Security with Impact”.
Keep your eyes peeled for some great stories from those events.

For more about Hacker Halted go to http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/09/15/prweb8799026.DTL and http://www.hackerhalted.com/2011/
For more about the New England Information Security Forum go to http://www.marketwire.com/press-release/information-security-leaders-gather-11th-annual-new-england-information-security-forum-1559880.htm

Defeating Windows 8 ROP Mitigation

Windows 8 introduced a number of exploit mitigation features, including one designed to mitigate exploits that rely on return-oriented programming (ROP).

Return-oriented programming is a technique in which an attacker who controls the call stack chains together short instruction sequences (“gadgets”) that already exist in the program or its libraries, each ending in a return instruction. Because the attacker only reuses code that is already present, there is no need to inject new code, which is what DEP/NX is designed to block.

Windows 8 adds a simple check in an attempt to mitigate these exploits. Every function associated with manipulating virtual memory (the VirtualProtect and VirtualAlloc family that ROP chains typically call to make their payload executable) verifies that the stack pointer falls within the stack bounds recorded in the Thread Environment Block (TEB). A ROP chain that has pivoted the stack into a heap buffer fails this check, because the stack pointer then lies outside the thread’s real stack.

Source for an in-depth look at how the mitigation can be bypassed: http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

Abusing HTTP Status Codes

The consequences of abusing HTTP status codes can be severe, and the format of the attack is fairly simple. A user uploads a picture to a website such as Gmail under their account, then makes the picture visible to everyone so that it is public. The attacker then embeds a reference to a resource on that site in the HTML of a page they control. The embedded code is JavaScript, and a visitor can defeat it by turning JavaScript off, but for an attacker it is a very interesting tool. By loading such a resource, the attacker’s script can tell whether the visitor is logged in to the target site: the browser sends the visitor’s cookies along with the request, the server answers with a different status code depending on whether there is a valid session, and the script reports “not logged in” or “logged in” accordingly. This type of attack is interesting because it is almost like a GPS tracker on your computer: whoever set it up can, for better or worse, track a lot of your movement on the internet and ultimately stalk you. The script has been shown to work in Internet Explorer, Mozilla Firefox, Safari and Chrome. The same technique can also be turned against Facebook users to see when they are logged in, using a modified script, though some browsers limit it.
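The oracle described above, as an added Go example that is not part of the original post or of the grepular article. A small test server (constructed for the demo, not any real site’s code) serves a “private” image with a 200 only when a valid session cookie is present and redirects to a login page otherwise. The probe sends the request the way a browser would for a `<script src>` or `<img src>` on an attacker’s page, with the victim’s cookie attached; `LoggedIn` is the attacker’s decision rule (onload for a 2xx, onerror for anything else), and `LeaksLoginState` is the check a site owner can run against their own endpoints. The cookie name, paths and values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionCookie is the constructed name of the demo site's login cookie.
const sessionCookie = "session"

// newDemoSite is a made-up stand-in for a site that serves a user's private
// image only to a logged-in browser. It is not any real site's code.
func newDemoSite() *httptest.Server {
	loggedIn := func(r *http.Request) bool {
		c, err := r.Cookie(sessionCookie)
		return err == nil && c.Value == "valid"
	}
	png := []byte("\x89PNG\r\n\x1a\n") // constructed PNG header, enough for the demo
	mux := http.NewServeMux()
	// Leaky endpoint: 200 when logged in, 302 to the login page otherwise.
	mux.HandleFunc("/private/avatar.png", func(w http.ResponseWriter, r *http.Request) {
		if !loggedIn(r) {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		w.Header().Set("Content-Type", "image/png")
		w.Write(png)
	})
	// Public endpoint: the same status whether or not a session cookie is sent.
	mux.HandleFunc("/public/logo.png", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "image/png")
		w.Write(png)
	})
	return httptest.NewServer(mux)
}

// fetchStatus requests url the way a browser would for a <script src> or
// <img src> on an attacker's page: a GET with the victim's cookie attached.
// Redirects are not followed, so the first status code is what we observe.
func fetchStatus(url, cookieValue string) (int, error) {
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookieValue})
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// LoggedIn is the attacker's decision rule: a 2xx fires onload, anything
// else fires onerror, and that single bit is the "logged in" oracle.
func LoggedIn(status int) bool {
	return status >= 200 && status < 300
}

// LeaksLoginState is the defender-side check: fetch the same URL with and
// without a valid session and report whether the observable bit differs.
func LeaksLoginState(url string) (bool, error) {
	anon, err := fetchStatus(url, "")
	if err != nil {
		return false, err
	}
	auth, err := fetchStatus(url, "valid")
	if err != nil {
		return false, err
	}
	return LoggedIn(anon) != LoggedIn(auth), nil
}

func main() {
	srv := newDemoSite()
	defer srv.Close()
	for _, p := range []string{"/private/avatar.png", "/public/logo.png"} {
		leaks, err := LeaksLoginState(srv.URL + p)
		fmt.Printf("%-20s leaks login state: %v (err=%v)\n", p, leaks, err)
	}
}
```

The fix belongs on the server, not in the visitor’s browser: a cross-site request for a private resource should not produce a different observable result depending on login state (for instance by answering unauthenticated and authenticated requests with the same status class), since turning JavaScript off only protects the one visitor who does it.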

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

SSL and TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both very important to the security of the internet. They are the protocols that authenticate and encrypt a secure connection between your client and a server; TLS is the standardized successor to SSL.

When you connect to the server, a “handshake” begins. The client first announces the protocol versions and cipher suites it supports, and the server picks one. The server then sends its identity certificate, which contains its public key and is signed by a certificate authority (CA). The client checks that the certificate chains up to a CA it already trusts (the trust store shipped with the browser or operating system; the CA itself is not contacted except for optional revocation checks), that the certificate has not expired, and that the name in it matches the host the client intended to reach. Only then does the client use the server’s public key, or an ephemeral key exchange authenticated by it, to agree on a shared session key, and from that point on the connection is encrypted. A server asks the client for a certificate only when client authentication has been configured; in ordinary web browsing the client has no certificate and sends none.

If any of those checks fails, the client cannot trust the server and should close the connection. Browsers usually show a warning instead, and a user who clicks through it is open to a man-in-the-middle attack.
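The checks above, as an added example written for this page in Go; it is not code from the post or from the linked TechNet article. A throwaway root CA and a server certificate signed by it are generated in memory with Go’s standard library, a TLS server is started on loopback, and the same client connects four ways: trusting the right CA with the right hostname, trusting the right CA but expecting a different hostname, trusting only the system CAs (which do not include the throwaway one), and with verification switched off. The hostname www.example.test, the “Demo Root CA” name and the scenario labels are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed hostname for the demo server.
const serverName = "www.example.test"

// makePKI generates, in memory, a throwaway root CA and a server certificate
// signed by it. Nothing here is a real CA; it stands in for the certificate
// authority described in the post.
func makePKI() (*x509.Certificate, tls.Certificate, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, tls.Certificate{}, fmt.Errorf("keygen: %v %v", err1, err2)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames:    []string{serverName}, // the name the client will check
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	// The server presents its own certificate followed by the issuing CA's.
	return caCert, tls.Certificate{Certificate: [][]byte{srvDER, caDER}, PrivateKey: srvKey}, nil
}

// startServer listens on loopback and completes a TLS handshake with every
// client that connects; handshake errors (a client rejecting us) are expected.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// handshake connects with the given client config and returns the common name
// of the server certificate the client accepted, or the verification error.
func handshake(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// RunScenarios performs the handshake under four client configurations and
// reports which ones the client accepted.
func RunScenarios() (map[string]bool, error) {
	caCert, serverCert, err := makePKI()
	if err != nil {
		return nil, err
	}
	ln, err := startServer(serverCert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	roots := x509.NewCertPool() // the client's trust store
	roots.AddCert(caCert)
	scenarios := map[string]*tls.Config{
		"trusted root, correct name":  {RootCAs: roots, ServerName: serverName},
		"trusted root, wrong name":    {RootCAs: roots, ServerName: "evil.example.test"},
		"unknown root (system trust)": {ServerName: serverName},
		"verification disabled":       {ServerName: serverName, InsecureSkipVerify: true},
	}
	results := make(map[string]bool)
	for name, cfg := range scenarios {
		cn, err := handshake(ln.Addr().String(), cfg)
		results[name] = err == nil
		fmt.Printf("%-28s accepted=%-5v cn=%q err=%v\n", name, err == nil, cn, err)
	}
	return results, nil
}
```

Call `RunScenarios` from a `main` to see the four outcomes. The two rejections are the chain check and the hostname check described above; the last scenario succeeds only because `InsecureSkipVerify` throws both checks away, which is exactly the setting that turns a TLS client into one that will happily talk to a man-in-the-middle.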

See also:

http://technet.microsoft.com/en-us/library/cc785811(WS.10).aspx