Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of clickjacking attacks, and it is a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is clickjacking? Wikipedia has a good enough description: http://en.wikipedia.org/wiki/Clickjacking

Simply put, by wired.com:

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash Player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player


Hopefully this information will help people who haven’t heard about clickjacking yet. For those who have (hopefully all of you), this is just a reminder to make sure you’re secure.
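The tips linked above are all on the browser side. The other half of the defence lives on the website being framed: a page that tells browsers it must not be rendered inside another site’s frame cannot have an invisible layer laid over it in the first place. As an added example (not code from the original post or from the Wired article), the Python below evaluates a set of HTTP response headers for the two headers that control framing, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and produces the header pair a site should send. The header sets in the usage block are constructed for the demonstration.

```python
"""Evaluate whether an HTTP response lets other sites frame the page.

Added example, not code from the original post or the Wired article.  The
header sets used in the usage block at the bottom are constructed.
"""


def framing_policy(headers):
    """Classify a mapping of response headers as 'deny', 'restricted' or 'none'.

    'deny'       no origin may frame the page
    'restricted' only same-origin or listed origins may frame it
    'none'       any site may frame it, so it can be clickjacked

    A Content-Security-Policy frame-ancestors directive wins over
    X-Frame-Options when both are present, matching browser behaviour.
    """
    # Header names are case-insensitive.
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        # An empty source list and 'none' both match no ancestor at all.
        if not sources or sources == ["'none'"]:
            return "deny"
        if "*" in sources:
            return "none"
        return "restricted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # Anything else (missing header, or the obsolete ALLOW-FROM form that
    # current browsers ignore) leaves the page frameable.
    return "none"


def recommended_headers(allowed_origin=None):
    """Headers a site should send: lock framing down, or admit one partner origin.

    Both headers are sent because older browsers only understand
    X-Frame-Options while newer ones prefer frame-ancestors.
    """
    if allowed_origin is None:
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": f"frame-ancestors 'self' {allowed_origin}",
    }


if __name__ == "__main__":
    # Constructed header sets: an unprotected page, a legacy-only page, and
    # the recommended pair.
    samples = {
        "unprotected": {"Content-Type": "text/html"},
        "legacy only": {"X-Frame-Options": "SAMEORIGIN"},
        "recommended": recommended_headers(),
    }
    for label, hdrs in samples.items():
        print(f"{label:12} -> {framing_policy(hdrs)}")
```

Run this against the headers of any page that carries a sensitive button (a "like", a camera permission prompt, a checkout step): a result of "none" means the page is frameable from anywhere and is a clickjacking candidate, whatever the user's browser or Flash version.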

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that’s used by 14.7% of Alexa’s top 1 million web pages, and it’s of course the same tool we use to write these posts. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it is an image file, so they ignore it. In reality it is a zip archive carrying malicious code. The attackers obfuscate it further by encoding it and compressing it multiple times, so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that’s used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like the Timthumb Vulnerability Scanner.

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
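The attack above works because the fetched file is judged by its declared type and its first few bytes. As an added example (not code from the original post, from Timthumb or from the SpiderLabs write-up), the Python below shows the kind of check a server that fetches remote images can run before writing anything to disk: it sniffs the real image type from the magic bytes, compares it with the declared Content-Type, and then scans the body for things that never belong in an image, such as a zip header or a PHP open tag, unpacking any gzip layers it finds so that a payload hidden under several rounds of compression is still seen. The sample byte strings are constructed.

```python
"""Judge a fetched 'image' by its bytes, not by its declared type.

Added example, not code from the original post or from Timthumb.  The
sample files at the bottom are constructed for this demonstration.
"""
import gzip
import zlib

# Magic bytes of the image formats a thumbnailer would normally accept.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ACCEPTED_CONTENT_TYPES = {
    "gif": {"image/gif"},
    "png": {"image/png"},
    "jpeg": {"image/jpeg", "image/jpg"},
}
GZIP_MAGIC = b"\x1f\x8b\x08"
# Byte sequences that have no business inside an image file.
SUSPICIOUS_MARKERS = {
    GZIP_MAGIC: "gzip stream",
    b"PK\x03\x04": "zip local file header",
    b"<?php": "php open tag",
    b"<script": "script tag",
}


def sniff_image_type(data):
    """Return 'gif', 'png', 'jpeg' or None based on the leading bytes."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_embedded_payload(data, depth=0, max_depth=4):
    """Describe the first suspicious marker in data, or return None.

    A gzip stream found inside the file is inflated and scanned again (up to
    max_depth layers), because a payload that has been compressed several
    times only reveals its contents once each layer is unpacked.
    """
    for marker, description in SUSPICIOUS_MARKERS.items():
        idx = data.find(marker)
        if idx == -1:
            continue
        if marker == GZIP_MAGIC and depth < max_depth:
            try:
                # wbits=31 selects gzip framing; bytes after the end of the
                # stream land in unused_data instead of raising an error.
                inner = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS).decompress(data[idx:])
            except zlib.error:
                inner = b""
            nested = find_embedded_payload(inner, depth + 1, max_depth)
            if nested:
                return f"{description} at offset {idx} containing {nested}"
        return f"{description} at offset {idx}"
    return None


def classify_fetched_file(content_type, data):
    """Return ('accept', kind) or ('reject', reason) for a downloaded file."""
    kind = sniff_image_type(data)
    if kind is None:
        return ("reject", "no known image signature")
    declared = content_type.split(";")[0].strip().lower()
    if declared not in ACCEPTED_CONTENT_TYPES[kind]:
        return ("reject", f"Content-Type {declared!r} does not match sniffed {kind}")
    payload = find_embedded_payload(data)
    if payload is not None:
        return ("reject", f"image header followed by {payload}")
    return ("accept", kind)


# Constructed samples: a minimal 1x1 GIF89a, and its 13-byte header glued to
# a gzip layer hiding a zip header and a PHP tag (the pattern described above).
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)
FAKE_GIF = CLEAN_GIF[:13] + gzip.compress(b"PK\x03\x04" + b"<?php echo 'hi'; ?>", mtime=0)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_GIF), ("fake", FAKE_GIF)):
        print(label, classify_fetched_file("image/gif", body))
```

The check is deliberately conservative: a real GIF that happens to contain one of these byte sequences would be rejected too, which is the right trade-off for a script whose only job is to resize pictures. Note that it catches the fake-GIF trick, not the underlying remote-fetch feature; disabling remote images, as the post suggests, removes the attack surface entirely.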

Anonymity Online Through The Tor Project

Since its release in 2002, Tor (short for The Onion Router) has been a system intended to enable online anonymity.

Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, to the user. It is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.

http://www.torproject.org/

I tried using Tor years ago and it seems somewhat practical, but effective for someone who would like anonymity online. The Tor client software can be run through virtually anything that uses the internet on your computer. The downside I found with it, though, was that it can sometimes cause slow speeds, due to running through other people who have slow internet. Also, the fact that you are volunteering yourself while on the Tor network might make some uneasy about using it.

Have any of you guys used Tor? And if not, do you think it is worth using to protect your privacy?

Browser Sandboxing

Sandboxing is the process of sequestering programs so that they run in a specific and controlled environment. This is done by controlling the program’s area of allocated memory and limiting its access to system resources. This process is effective at enclosing programs in the hope of preventing system contamination. In practice, by controlling program I/O and memory access, the computer system at large can be fenced off from risky programs such as web browsers or untrusted programs.

In particular, sandboxing a web browser can perform such functions as preventing browser exploits from reaching critical sections of the system, sequestering drive-by downloads, and allowing risky programs to be downloaded, installed, and run in a safe, isolated environment. Combining this with script blocking and a strong anti-virus should result in a system that is all but impervious to malicious websites.

Several companies offer sandboxing utilities, such as Comodo and Sandboxie. Comodo bundles their sandboxing product as part of their greater personal firewall and HIPS package. Sandboxie is a purpose-built cross-browser sandboxing utility.

An example of the use of a browser sandbox can be found at: http://www.youtube.com/watch?v=2IbwhE-r8_k&feature=relmfu

http://www.sandboxie.com/
http://personalfirewall.comodo.com/free-download.html

Someone shut off the Internet!

Someone shut off the Internet! No I’m not kidding.

Yesterday, November 7th, 2011, the internet briefly ‘died’ for about 30 seconds. This event was witnessed by users and servers all around the U.S., in places ranging from highly populated areas such as Washington D.C., Los Angeles, San Francisco, Raleigh, N.C., Dallas and NYC to some lesser-known locations in the Midwest.

Obviously this affected individuals worldwide. Servers and services hosted in the U.S. could no longer be reached by any client, regardless of their location.

Time Warner took responsibility for the massive outage with only a brief statement on their Twitter account.

@TWCableHelp: We appear to be recovering from a large but brief internet outage affecting most of our service areas. Please attempt to connect again.

This raises the question of how easy it would be to actually ‘turn off’ the internet if access could be gained to the systems Time Warner controls. Or, conversely, how easy would it be to disable the systems that keep Time Warner’s customers from going offline?

Security is a huge issue here, because if Time Warner has the power to disable the internet and adjacent services, at least the portion they control (which is massive: they had over 36 million subscribers as of 2009), then potentially other ISPs might have the same incredible power. Could we be facing a state where a complete shutdown of the internet, à la Egypt or China, is feasible and a real threat to our freedoms as citizens?

What if an unscrupulous individual manages to take control of these systems and has an entire country’s internet at their fingertips? If a merchant like Amazon goes offline for even a few seconds, they potentially lose millions of dollars. Thirty seconds of downtime is a massive outage in any network administrator’s eyes. It is certainly unacceptable for such a large service provider conglomerate.

Sources:

America will not provoke war!

This article ( http://www.wfaa.com/news/politics/Cyber-weaknesses-should-deter-US-from-waging-war–133493833.html ) explains that America is so vulnerable to cyber attack that it would be too risky to initiate a war. Many countries could hit us over the internet, a new tool of war, with devastating effects. Even a battlefield can be harmed: if equipment just stops working, things would turn out pretty badly. It is simply too risky for us to go to war, and we are at huge risk of being attacked. Until we can fix our internet problem, we will be at a severe disadvantage to any opposing forces.

The good news is that the network is now becoming more secure. If we manage to make our internet infrastructure more secure, then we might actually transition into a position of advantage over other, weaker networks. But for now, we are in a non-attacking position, and if we weren’t at such a risk of being attacked (like an unfair cold war) then I would feel pretty happy about our forced pacifism.

Cloud storage and the new realities for IT departments

IT departments love control, and for good reason. Security is a major concern for large corporations with thousands of employees, but even a small business like your local bakery wants to be protected from cyber crime.

The challenge is that a lot of people are switching to a new breed of web applications like Dropbox and Box.net, which are very easy to use. Employees already use these tools at home in their everyday lives and they love them, so why not at work!

The problem is security and the lack of control over these applications. IT departments need the ability to tackle issues and attacks in real time, and depending on a service such as Dropbox might not be their ideal solution.

Dropbox and other services are noticing the trend and have started offering business packages and more control for teams.

To me, the main thing to understand here is the power of good design and development. People use applications like Dropbox because they are so easy to use, and there are no crazy setup preferences that make you call a younger son or daughter to teach you how to do something.

CAPTCHA Defeated!

Have you ever tried to post a comment on your favorite blog or tried to create an entry on Wikipedia and had to type in strange distorted letters? These letters are called a CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

It’s an annoying system that most of us have come to hate but have had to use to block spam bots that automate tasks like account registration and comment posting.

A team of researchers has defeated the system with a process called segmentation, where they were able to separate the letters and, through a special process, clear up the image and automate a method of reading them.

The only system that was not defeated was the one used by Google. Are we going to look for alternative solutions? Are the new solutions going to be even more annoying? What do you think?

Government requests to Google for information on users has spiked.

The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months. Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was meant to provide people with protection and privacy against government intrusion, but it hasn’t been updated since it was made to reflect new advances in technology. Because of this, people are still massively vulnerable to government intrusion, since the government can get access to users’ online information without having to go through a judge’s approval as it would need to with a warrant. Google is just one of many high-tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn’t the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have no trouble with censoring or even monitoring and giving out information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Opera didn’t patch a vulnerability?

Opera recently released an update for its browser fixing a vulnerability in its handling of Scalable Vector Graphics (SVG) files. So yes, it was fixed, but why did it take 362 days before it happened? I can’t answer that question, but Opera is denying it happened.

Computerworld posted news about this topic saying:

Security researcher José A. Vázquez stirred controversy at the beginning of last week when he released proof-of-concept exploit code for an unpatched vulnerability in Opera.

Making security issues public without notifying affected vendors in advance is generally frowned upon in the security community, but is not particularly uncommon. However, in this case, the researcher claims to have tried acting responsibly without success.

Jose claims that he reported this vulnerability to Opera through the SecuriTeam Secure Disclosure (SSD) program. After 362 days of waiting from when Opera was notified, a patch to fix this vulnerability was still not out. Jose decided to give them some encouragement by publishing his proof-of-concept post on the internet, hoping that the vulnerability being publicly available would get Opera to fix the problem. Luckily this pushed them to fix it.

Opera tried to defend itself by saying:

Opera admits being alerted about the flaw six months ago, as part of a larger report, but it claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Sigbjørn Vik also responded on behalf of Opera in a post saying:

we find out that a researcher – presumably the same original researcher – has found a way to modify the vector, so current Opera releases could be exploited. We received no details about this modified vector until the details of it were made public, effectively putting our users at risk from the issue, without us immediately having any way to protect them.

He blames Jose for putting Opera users at risk, which realistically Jose did. But if Opera had fixed this problem when it was originally reported, that would not have been necessary.

So Jose claims to have told them about a year ago. Opera claims to have found out about six months ago, and there was no patch until a little over a week ago, after they were slightly forced by the information about the vulnerability being posted. To me it sounds like Opera messed up somehow, or just decided not to patch it for whatever reason. You can decide for yourself. Personally, if this were Chrome I’d be worried, but hey, it’s Opera; almost nobody uses it anyway.

http://www.computerworld.com/s/article/9221043/Opera_denies_refusing_to_patch_critical_vulnerability
http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52
http://spa-s3c.blogspot.com/2011/10/spas3c-sv-006opera-browser-101112-0-day.html