Security researchers at Stanford have been able to use automated programs to bypass several CAPTCHA systems with ease, in some cases up to 70% of the time. Digg, CNN, eBay, and Wikipedia were all successfully targeted in the study. Google's "reCAPTCHA" was the only CAPTCHA system tested that could not be bypassed.
CAPTCHA itself is an interesting system: users filling out an online form to sign up for a website are asked to prove they are human before continuing. Because the fields on a sign-up form are always the same, a bot can fill them in trivially. CAPTCHA adds an image of garbled text that, ideally, only a human can decipher with relative ease, and every time you get it wrong it typically shows you a new string of garbled text. Google's reCAPTCHA presents the user with two words scanned from a digitized Google book: one word it already knows, and one it cannot confidently read but a human can. The known word verifies the user, and the answer to the unknown word is used to turn scanned books into searchable text (rather than just images).
This research shows that CAPTCHA alone cannot solve everything, and companies relying on it need to improve their defenses soon.
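The two-word scheme described above, as an added illustration (this is not Google's code, and the agreement threshold is a hypothetical assumption): the server grades only the word it already knows, and treats a passing user's answer to the unknown word as a vote that becomes a trusted transcription once enough independent users agree. A user who fails the known word contributes no vote, which is what keeps a bot from poisoning the book text.

```python
"""Toy model of a two-word CAPTCHA verifier (added example, not reCAPTCHA's own code).

Only the control word is graded. The answer to the unknown word is recorded as a vote,
and once VOTES_TO_PROMOTE users agree (a hypothetical threshold) it becomes a new control word.
"""
import re
from collections import Counter

VOTES_TO_PROMOTE = 3  # hypothetical; the real threshold is not public


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison of typed words."""
    return re.sub(r"\s+", " ", answer.strip().lower())


class TwoWordVerifier:
    def __init__(self, known_words: dict):
        # word_id -> transcription the server already trusts (constructed sample data)
        self.known = {wid: normalize(text) for wid, text in known_words.items()}
        # word_id -> Counter of human transcriptions for words the OCR could not read
        self.votes = {}

    def verify(self, known_id, known_answer, unknown_id, unknown_answer) -> bool:
        """Return True if the user passes. Only the known word decides; a failing user's
        answer to the unknown word is discarded so bots cannot poison the transcription."""
        if normalize(known_answer) != self.known[known_id]:
            return False
        tally = self.votes.setdefault(unknown_id, Counter())
        tally[normalize(unknown_answer)] += 1
        self._maybe_promote(unknown_id)
        return True

    def _maybe_promote(self, unknown_id):
        """Once enough users agree on the unknown word, it becomes a control word."""
        text, count = self.votes[unknown_id].most_common(1)[0]
        if count >= VOTES_TO_PROMOTE:
            self.known[unknown_id] = text
            del self.votes[unknown_id]

    def transcription(self, word_id):
        """Trusted text for a word, or None while it is still being voted on."""
        return self.known.get(word_id)


if __name__ == "__main__":
    v = TwoWordVerifier({"w1": "morning"})          # constructed control word
    for answer in ("overlooked", "Overlooked ", "overlooked"):
        print(v.verify("w1", "morning", "u9", answer), v.transcription("u9"))
```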
Recent additions to Mac OS X allow developers to run their applications in a semi-protected sandbox. In this mode, if an attacker compromises an application, the attacker is limited to the resources and permissions granted to that sandbox.
However, security researchers have shown that the sandbox's restrictions can be bypassed: an application whose sandbox profile denies Internet access can still use AppleScript to send scripts to other, non-sandboxed applications, which then carry out actions on its behalf, giving an attacker a path to full control of the system. Unfortunately, Apple does not view this as a security concern, although it will most likely release a patch for it in the next Mac OS X update.
With charges from the FTC looming, Facebook has decided it will take an additional step in protecting the privacy of its user base. Reportedly, Facebook will require consent before making further security or privacy changes to users' profiles.
While this doesn't necessarily mean Facebook will hold a democratic "majority vote" of its users every time it wants to make a change, it will probably notify users individually that their privacy settings are about to change and ask for their consent. This is a step in the right direction, and hopefully Facebook will eventually standardize its profile security settings instead of changing them every few months.
When I was opening a student bank account at M&T Bank, the banker handling the account had me type in a username and password for online banking. That's when I noticed the dreaded Internet Explorer 6. Surely there cannot be any legacy websites that still require such a security threat. Of all places, a bank was using a browser that has been outdated for nearly six years. Is that a reflection on the rest of their security practices?
Is having that old browser really that bad? Yes, it is. So bad, in fact, that Microsoft runs a website, http://www.ie6countdown.com/, that tracks IE6 usage throughout the world and encourages people to stop using it immediately by upgrading to at least IE7, if not the latest Internet Explorer. Global IE6 usage is still at 9%, the majority of it in China; in the United States usage has dropped to 1.4%. M&T Bank is therefore part of the extremely small 1.4% of computers still running IE6.
I'm seriously considering sending a brief message to M&T to ask their reasons for using such an outdated browser. It could be a single machine that slipped through the cracks, or it could be a sign of incompetent technical staff who have a lot more to worry about.
Facebook users who clicked on ads on the site may have been exposed to malicious downloads. Trend Micro reported that ads affiliated with a Facebook application took users to an advertisement page that quickly redirected them to a website hosting the malicious content.
The reason this slipped past Facebook is that Facebook only checks the landing page an advertiser declares. If that landing page then redirects to a malicious site, the ad passes the filters. I doubt Facebook will take much action on this problem until users revolt, and since users are too busy complaining about UI changes, that probably won't happen. Like most free websites, Facebook makes a large chunk of its money through advertising, so it has little incentive to make life harder for advertisers on the social network.
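To make the gap concrete, here is an added example (not Facebook's or Trend Micro's code) of the difference between checking only the declared landing page and following the whole redirect chain. It handles both server-side redirects (a 3xx with a Location header) and the client-side meta-refresh trick that a status-200 landing page can use, and flags any hop that leaves the advertiser's domain. The URLs, HTML and responses are constructed sample data so the check runs offline; a real reviewer would pass an HTTP client as `fetch`.

```python
"""Follow an ad's landing page through HTTP and <meta refresh> redirects and flag off-domain hops.

Added example, not Facebook's or Trend Micro's code. The responses below are constructed
sample data so the check runs offline; a real reviewer would plug in an HTTP client as `fetch`.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.I)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def meta_refresh_target(body: str):
    """Return the URL from a <meta http-equiv="refresh" content="0; url=..."> tag, if any."""
    for tag in META_TAG.findall(body):
        if re.search(r"http-equiv\s*=\s*['\"]?refresh", tag, re.I):
            m = REFRESH_URL.search(tag)
            if m:
                return m.group(1)
    return None


def next_hop(url: str, resp: Response):
    """Server-side (3xx + Location) or client-side (meta refresh) redirect, resolved against url."""
    location = {k.lower(): v for k, v in resp.headers.items()}.get("location")
    if 300 <= resp.status < 400 and location:
        return urljoin(url, location)
    target = meta_refresh_target(resp.body)
    return urljoin(url, target) if target else None


def follow_chain(url, fetch, max_hops=MAX_HOPS):
    """Every URL visited, starting with the declared landing page."""
    chain = [url]
    for _ in range(max_hops):
        nxt = next_hop(chain[-1], fetch(chain[-1]))
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def host(url):
    return (urlsplit(url).hostname or "").lower()


def review_ad(declared_url, fetch):
    """Landing-page-only check (what the text says Facebook did) beside the full-chain check."""
    landing_ok = fetch(declared_url).status == 200
    chain = follow_chain(declared_url, fetch)
    off_domain = [u for u in chain[1:] if host(u) != host(declared_url)]
    return {
        "landing_page_passes": landing_ok,
        "chain": chain,
        "final_url": chain[-1],
        "off_domain_hops": off_domain,
        "suspicious": bool(off_domain),
    }


# Constructed sample responses: a 200 landing page that meta-refreshes to another domain,
# which then 302s to an executable; and an honest ad that stays put.
SAMPLE_RESPONSES = {
    "http://ads.example.com/promo": Response(200, body=(
        "<html><head><title>Win a prize</title>"
        "<meta http-equiv=\"refresh\" content=\"0; url=http://cdn.example.net/flash\">"
        "</head><body>Loading...</body></html>")),
    "http://cdn.example.net/flash": Response(302, headers={"Location": "/dl/FlashPlayerUpdate.exe"}),
    "http://cdn.example.net/dl/FlashPlayerUpdate.exe": Response(
        200, headers={"Content-Type": "application/octet-stream"}, body="MZ..."),
    "http://ads.example.com/honest": Response(200, body="<html><body>Buy our widget</body></html>"),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, Response(404))


if __name__ == "__main__":
    for ad in ("http://ads.example.com/promo", "http://ads.example.com/honest"):
        print(ad, review_ad(ad, sample_fetch))
```

The malicious ad passes the landing-page check (the declared page really does return 200) but the chain check records two hops onto a different domain ending at an executable, which is exactly the behaviour the report describes.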
The Department of Defense (DoD) has released a lightweight Linux distribution aimed at telecommuters who need a secure VPN connection to government websites.
The distro, called "Lightweight Portable Security", boots directly from a CD or flash drive and requires no installation by the end user. While that is typical of many Linux live distros, it also ships with a modified Firefox browser that accepts Common Access Cards and other physical authentication tokens that other distros may not support out of the box.
This is a good alternative to having employees use their own operating systems: by running its own Linux distribution, the DoD can ensure that all employees are on the same footing. Since storage is not persistent, a simple reboot wipes any malware that managed to make its way onto the system. If this is available for public download I will definitely be looking into it.
Over the past few weeks, OnStar has drawn a lot of criticism over its plan to keep tracking customers after they unsubscribe from the service. OnStar is a service built into many new cars that gives the driver or passenger one-touch access to emergency services as long as they pay the yearly fee. Tracking users after they unsubscribe has raised serious privacy and security concerns, especially since OnStar was reportedly planning to resell this location data to third parties to increase revenue.
The other problem OnStar faces is what happens when someone who does not subscribe to the service is in an emergency. Technically, OnStar can still track them, but it would not be obligated to help save their life since they are not a paying customer. This is a slippery slope, and I think OnStar is better off disabling tracking altogether once a customer unsubscribes.
I woke up this morning to a text message from a friend: "Hey, what do you do when your website is hacked?" I logged into both of the websites he runs and found a nice "Hacked" page from a Bangladeshi hacker. Since he is on a shared server, I typed in the server hostname and found that the entire server appeared to be compromised. At one point during the morning, InMotion's own front page displayed the same page, and users were reporting they could not access their servers with their root username and password.
Luckily, I had just started running my own nameservers, so I was able to redirect visitors to a different page within a few minutes.
This goes to show that no web hosting company is immune to attack. While InMotion has fixed the issue, it will be interesting to see how they respond to this.
The picture is what the server displayed this morning.
Turkish hackers used SQL injection to access the back-end database of NetNames, a popular nameserver provider. SQL injection is an ever more common form of attack that threatens even the largest companies. In this attack, approximately 186 domains were redirected to a page set up by the hackers, including domains owned by UPS and Vodafone.
Many companies focus on internal security, such as securing their servers and network infrastructure, but pay less attention to the security of their nameservers, especially when those are outsourced. It's important for companies never to put all their eggs in one basket. In my opinion, if you own more than five domains, you should split them among multiple nameserver providers or domain registrars. No DNS service is immune to hiccups, so online companies should diversify their nameserver providers.
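The flaw class behind this incident, as an added example (not NetNames' code; the schema, records and credential row are constructed): a domain-management lookup that pastes the requested name into the SQL string lets a UNION payload read the user table through the very same query, while the identical query with the value bound as a parameter treats the payload as nothing more than an unusual domain name. In a real management panel the same defect in a write path is what would let an attacker change nameserver records.

```python
"""SQL injection against a DNS-management lookup, and the parameterized fix.

Added example, not NetNames' code; the schema and data are constructed. A query that
concatenates the requested domain name into SQL lets a UNION payload read the user table
through the same lookup; binding the value as a parameter does not.
"""
import sqlite3


def make_db():
    """In-memory database with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domains (name TEXT PRIMARY KEY, owner TEXT, ns TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
        INSERT INTO domains VALUES ('shop.example.com', 'acme', 'ns1.example.net');
        INSERT INTO domains VALUES ('mail.example.com', 'acme', 'ns2.example.net');
        INSERT INTO users VALUES ('admin', 'constructed-hash-0123456789abcdef');
    """)
    return conn


def lookup_vulnerable(conn, domain):
    """Builds the statement by string formatting: the caller's input becomes SQL."""
    sql = "SELECT name, ns FROM domains WHERE name = '%s'" % domain
    return conn.execute(sql).fetchall()


def lookup_safe(conn, domain):
    """Same query with the value bound as a parameter; the input is only ever data."""
    return conn.execute("SELECT name, ns FROM domains WHERE name = ?", (domain,)).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION that pulls
# credentials into the two columns the application expects, and comments out the
# trailing quote the application adds.
PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("normal:     ", lookup_safe(db, "shop.example.com"))
    print("vulnerable: ", lookup_vulnerable(db, PAYLOAD))   # leaks the users table
    print("safe:       ", lookup_safe(db, PAYLOAD))         # no such domain, empty result
```

The vulnerable function returns the admin credential row through a feature meant to look up nameservers; the parameterized one returns nothing because the whole payload is compared, as a string, against the domain column.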
The certificate authority (CA) DigiNotar was recently involved in an incident in which fraudulent certificates were issued under its name. DigiNotar failed to go through the proper channels to notify companies such as Mozilla, Google, and Microsoft, whose web browsers "trust" certificates signed by a list of approved CAs. Previously, browsers automatically accepted certificates signed by DigiNotar; its lack of communication has now led most browsers to blacklist it.
The certificate problem surfaced in Iran, where the government was intercepting citizens' requests to sites such as Google and Microsoft. Even though users' connections to these sites appeared secure, the interceptor held DigiNotar-signed certificates for those sites, so browsers accepted the connections and the traffic could be read. This is a classic man-in-the-middle attack.
Google has notified approximately 300,000 account holders in Iran about this issue and is encouraging them to change their passwords.
This is a smart move, although obviously a required one on Google's part, and I believe blacklisting DigiNotar certificates was the best course of action. We take the lock icon and https:// in our browsers for granted, but this incident shows what can happen when hacking and a lack of communication collide.