Friday, February 16, 2007
Security researchers at Symantec Corp and Indiana University have figured out a way to compromise home networks using a single line of JavaScript in a web page. The attack, which they have called "drive-by pharming", would enable attackers to convincingly pretend to be any web site on the internet, making it fairly trivial to repeatedly phish for sensitive information, install malware on users' machines, or steal email.

"When I tried it out for the first time, when I wrote the proof-of-concept, I had a moment of internal panic when I saw how easy it was to do," said Symantec senior principal researcher Zulfikar Ramzan, one of the paper's authors.

Don't panic yet. There are no bad guys known to be using the technique, and making your network completely invulnerable is a simple case of setting a strong router password, if you have not done so already.

The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers.

The attacker would have to persuade the user to visit the web page containing the attack code. This could be done with spammed links, or by inserting it into a page on a compromised web server on a popular site.
1:46:15 PM
Drive-By Pharming Attack Could Hit Home Networks. Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks. [Slashdot]
1:42:34 PM
Apple Works To Stave Off Big Mac Attack. Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.
The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software and Finder, the Mac's ubiquitous file-search capability.
Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in the software update function on Apple. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.
While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.
"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."
[Security Fix]
10:54:56 AM
Child Protection Bills Introduced in Congress Raise Legal and Policy Concerns. The new Congress has an array of proposals aimed at protecting children in the online environment. Unfortunately, many of the proposals would not be effective in protecting kids, and raise very serious constitutional and policy problems. As done in at least one new bill, Congress should instead focus its efforts on promoting the education of both children and parents about online child safety, and promoting the voluntary use by parents of filtering and other tools to protect kids. CDT has released an analysis of the legislative proposals now pending before Congress. [Center for Democracy and Technology]
10:51:42 AM
The Dangers of Default Passwords. Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.
In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.
Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.
For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming.") Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.
Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.
The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.
Michael Sutton, security evangelist for Atlanta-based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.
"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.
So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allows you to reset the router to the factory settings (and back to the default password).
Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below. [Security Fix]
10:48:27 AM
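Both the drive-by pharming item earlier on this page and the Security Fix article above describe the same mechanism: a page loaded from an outside site makes the browser send a configuration request to the router's web interface, which accepts it because the default address and password are still in place. The Python below is an added example, not code from either article or from Symantec's proof of concept; it shows the defender's side, a scan of router admin-interface log lines that flags DNS-setting changes whose Referer is not the router itself. The log format, endpoint paths, parameter names, router addresses and sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed values; real routers differ. The attack only needs the router's
# default address and default credentials to still be in place.
ROUTER_HOSTS = {"192.168.1.1", "192.168.0.1"}      # addresses the router answers on
SENSITIVE_PATHS = {"/setup.cgi", "/apply.cgi"}     # hypothetical config endpoints
SENSITIVE_PARAMS = {"dns1", "dns2", "dnsserver"}   # hypothetical DNS setting names

# Hypothetical access-log line: client "METHOD target" status "referer"
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>GET|POST) (?P<target>\S+)" '
                    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$')

def classify(line):
    """None if unparsable; "other" if no DNS setting is touched; "dns-change"
    for a change issued from the router's own pages; "cross-site-dns-change"
    when the referring page came from anywhere else (or no Referer at all),
    which is the drive-by pharming pattern."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m["target"])
    if target.path not in SENSITIVE_PATHS:
        return "other"
    if not set(parse_qs(target.query)) & SENSITIVE_PARAMS:
        return "other"
    # A browser sends the Referer of the page that issued the request. Changes
    # made through the router's own pages carry the router's address; a page
    # from any other site, or a missing Referer, is treated as hostile.
    referer_host = urlsplit(m["referer"]).hostname
    return "dns-change" if referer_host in ROUTER_HOSTS else "cross-site-dns-change"

def scan(lines):
    """Return (index, line) pairs for every cross-site DNS change in the log."""
    return [(i, l) for i, l in enumerate(lines) if classify(l) == "cross-site-dns-change"]

# Constructed sample log: a change pushed from an outside page, a legitimate
# change made through the router's own setup page, and an unrelated request.
SAMPLE_LOG = [
    '192.168.1.23 "GET /setup.cgi?dns1=203.0.113.5&apply=1" 200 "http://attacker.example/promo.html"',
    '192.168.1.23 "GET /setup.cgi?dns1=192.168.1.1&apply=1" 200 "http://192.168.1.1/setup.html"',
    '192.168.1.23 "GET /status.html" 200 "http://192.168.1.1/index.html"',
]

if __name__ == "__main__":
    for i, line in scan(SAMPLE_LOG):
        print(f"line {i}: cross-site DNS change -> {line}")
```

The same Referer check, applied by the router's configuration handler at request time rather than to its logs afterwards, is a mitigation that works even when the default password was never changed.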
In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.
Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday's ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

Citing two events in 2005 -- a march in Harlem and a demonstration by homeless people in front of the home of Mayor Michael R. Bloomberg -- the judge said the city had offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official."

While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been "a model of clarity."

The restrictions on videotaping do not apply to bridges, tunnels, airports, subways or street traffic, Judge Haight noted, but are meant to control police surveillance at events where people gather to exercise their rights under the First Amendment.

"No reasonable person, and surely not this court, is unaware of the perils the New York public faces and the crucial importance of the N.Y.P.D.'s efforts to detect, prevent and punish those who would cause others harm," Judge Haight wrote.

Jethro M. Eisenstein, one of the lawyers who challenged the videotaping practices, said that Judge Haight's ruling would make it possible to contest other surveillance tactics, including the use of undercover officers at political gatherings.

In recent years, police officers have disguised themselves as protesters, shouted feigned objections when uniformed officers were making arrests, and pretended to be mourners at a memorial event for bicycle riders killed in traffic accidents.

"This was a major push by the corporation counsel to say that the guidelines are nice but they're yesterday's news, and that the security establishment's view of what is important trumps civil liberties," Mr. Eisenstein said. "Judge Haight is saying that's just not the way we're doing things in New York City."

A spokesman for Police Commissioner Raymond W. Kelly referred questions about the ruling to the city's lawyers, who noted that Judge Haight did not set a deadline for destroying the tapes it had already made, and that the judge did not find the city had violated the First Amendment.
10:44:49 AM
Judge Restricts New York Police Surveillance of Public Spaces. A federal judge ruled that the police must stop the routine videotaping of people at public gatherings. Reversing (and clarifying) an earlier ruling, the judge stated that such public surveillance is allowable only if there was an indication that unlawful activity may occur. From the NYTimes report:

Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday's ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

Citing two events in 2005 -- a march in Harlem and a demonstration by homeless people in front of the home of Mayor Michael R. Bloomberg -- the judge said the city had offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official."

While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been "a model of clarity."

A win for the preservation of "privacy in public," but this also shows how important it is to ensure such rights are made explicit, and not left to be interpreted by those who hold the power of surveillance. [michaelzimmer.org]
10:40:46 AM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 2:35:43 AM.