Friday, February 16, 2007
Security researchers at Symantec Corp and Indiana University have figured out a way to compromise home networks using a single line of JavaScript in a web page. The attack, which they have called "drive-by pharming", would enable attackers to convincingly pretend to be any web site on the internet, making it fairly trivial to repeatedly phish for sensitive information, install malware on users' machines, or steal email.

"When I tried it out for first time, when I wrote the proof-of-concept, I had a moment of internal panic when I saw how easy it was to do," said Zulfikar Ramzan, Symantec senior principal researcher and one of the paper's authors.

Don't panic yet. There are no bad guys known to be using the technique, and making your network completely invulnerable is a simple case of setting a strong router password, if you have not done so already.

The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers. The attacker would have to persuade the user to visit the web page containing the attack code. This could be done with spammed links, or by inserting it into a page on a compromised web server on a popular site.
1:46:15 PM
Drive-By Pharming Attack Could Hit Home Networks. Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks. [Slashdot]
1:42:34 PM
$82 Buys E-Voting Secrets. Five Sequoia electronic voting machines sold at an online auction? $82. A chance for a researcher to dissect the embedded software that the company refused to make public? Priceless. By Kim Zetter. [Wired News: Top Stories]
1:39:17 PM
It's because of this that I'm so happy to see an initiative like OpenID succeeding. A few years ago, the idea of OpenID was floated by the inestimable Brad Fitzpatrick (the father of LiveJournal, now a Six Apart property) as a way for people to carry around virtual identity cards on the net, and to securely use those credentials as a way of demonstrating to others on the internet who they really are. Between then and now, OpenID's development has taken place out in the open, on mailing lists and wikis and web forums, and the result is a technology that Microsoft adopted last week and AOL has been quietly rolling out to its online service and instant messenger users for a few months now. That's a great adoption rate, and I'd like to think that it's because it's a technology that's sorely needed on today's web. I'm not naive enough to think that it's a salve to cure all the net's wounds -- for example, there's still work to be done to make sure that anonymous ID providers don't become the way spammers and miscreants get around the system -- but I'm hopeful enough to recognize that OpenID might be one of the more important building blocks to us all being able to trust our online interactions just a bit more.
1:28:06 PM
When C.L. Lindsay prepares to speak at a college, he looks for local photos online.
In less than two minutes he has dozens of photos of underage students drinking or smoking marijuana.
"I totally get that you want to take pictures," said Lindsay, who is an attorney and college student advocate. "But you do not want to put 10,000 copies up on campus." When a person posts photos online, it is the equivalent of hanging thousands of copies, he said. Lindsay spoke at Bismarck State College at noon, 2 p.m. and 7 p.m. Thursday. He spoke about privacy on the Internet and other legal issues.
Besides finding photos of debauchery, Lindsay finds identifying information, like where the person lives. He recommends people set their personal Web page security to private, so only friends can see. Then he recommends people be cautious of what they post.
Across the country, students have been kicked off sports teams, kicked out of school or suspended for items posted on their social networking Web site, Lindsay said.
Employers also are starting to screen social networking sites to weed out candidates. Lindsay cited a survey of employers that showed 40 percent of employers eliminated candidates based on online information.
People should think about what they post in terms of whether it is illegal if they did it "offline" and if they would want future employers to see it, he said.
11:03:06 AM
Apple Works To Stave Off Big Mac Attack. Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.
The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software, and Finder, the Mac's ubiquitous file-search capability.
Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in the software update function on Apple. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.
While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.
"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."
[Security Fix]
10:54:56 AM
The Dangers of Default Passwords. Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.
In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.
Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.
For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming.") Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.
Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.
The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.
Michael Sutton, security evangelist for Atlanta-based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.
"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.
So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allows you to reset the router to the factory settings (and back to the default password).
Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below. [Security Fix]
10:48:27 AM
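The drive-by pharming items above (the CBR summary and the Security Fix post) both describe the same end result: the router is quietly repointed at a DNS server the owner never chose. The following host-side audit is an added example, not code from Security Fix, Symantec or this blog's author; it parses the resolvers a host was handed and flags any that are neither the LAN router nor on an allowlist. The LAN range, the "ISP" resolvers and the sample resolv.conf are all constructed assumptions (RFC 5737 documentation addresses).

```python
import ipaddress

# Constructed sample resolver configuration for a host whose router was
# silently repointed at an outside DNS server (the drive-by pharming outcome).
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1   ; the router, forwarding DNS for the LAN
nameserver 203.0.113.53  ; not the ISP, not the router: suspicious
"""

# Assumed for this example: the LAN the router serves, and the resolvers the
# ISP really hands out (constructed RFC 5737 addresses; adapt to your network).
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_resolver(addr, lan_networks, trusted):
    """Label a resolver: trusted, lan (the router itself), unexpected or invalid."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in lan_networks):
        # The router forwards DNS, so a hijacked upstream is invisible from the
        # host; the router's own WAN/DNS settings page must be checked as well.
        return "lan"
    return "unexpected"


def audit_resolvers(resolv_conf, lan_networks, trusted):
    """Map each configured resolver to its classification."""
    return {s: classify_resolver(s, lan_networks, trusted)
            for s in parse_nameservers(resolv_conf)}


def suspicious_resolvers(resolv_conf, lan_networks, trusted):
    """Resolvers that warrant a look: anything not trusted and not the router."""
    report = audit_resolvers(resolv_conf, lan_networks, trusted)
    return sorted(s for s, label in report.items() if label != "trusted" and label != "lan")
```

On a real host, read `/etc/resolv.conf` (or the DHCP lease) into `parse_nameservers`; a "lan" result means the check must be repeated against the DNS settings shown in the router's admin interface, which is where the attack described above makes its change.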
In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.
Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups. In yesterday's ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003. Citing two events in 2005 -- a march in Harlem and a demonstration by homeless people in front of the home of Mayor Michael R. Bloomberg -- the judge said the city had offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official." While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been "a model of clarity."

The restrictions on videotaping do not apply to bridges, tunnels, airports, subways or street traffic, Judge Haight noted, but are meant to control police surveillance at events where people gather to exercise their rights under the First Amendment. "No reasonable person, and surely not this court, is unaware of the perils the New York public faces and the crucial importance of the N.Y.P.D.'s efforts to detect, prevent and punish those who would cause others harm," Judge Haight wrote.

Jethro M. Eisenstein, one of the lawyers who challenged the videotaping practices, said that Judge Haight's ruling would make it possible to contest other surveillance tactics, including the use of undercover officers at political gatherings. In recent years, police officers have disguised themselves as protesters, shouted feigned objections when uniformed officers were making arrests, and pretended to be mourners at a memorial event for bicycle riders killed in traffic accidents. "This was a major push by the corporation counsel to say that the guidelines are nice but they're yesterday's news, and that the security establishment's view of what is important trumps civil liberties," Mr. Eisenstein said. "Judge Haight is saying that's just not the way we're doing things in New York City."

A spokesman for Police Commissioner Raymond W. Kelly referred questions about the ruling to the city's lawyers, who noted that Judge Haight did not set a deadline for destroying the tapes it had already made, and that the judge did not find the city had violated the First Amendment.
10:44:49 AM
Judge Restricts New York Police Surveillance of Public Spaces. A federal judge ruled that the police must stop the routine videotaping of people at public gatherings. Reversing (and clarifying) an earlier ruling, the judge stated that such public surveillance is allowable only if there was an indication that unlawful activity may occur. From the NYTimes report:

Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday's ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

Citing two events in 2005 -- a march in Harlem and a demonstration by homeless people in front of the home of Mayor Michael R. Bloomberg -- the judge said the city had offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official."

While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been "a model of clarity."

A win for the preservation of "privacy in public," but this also shows how important it is to ensure such rights are made explicit, and not left to be interpreted by those who hold the power of surveillance.
[michaelzimmer.org]
10:40:46 AM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 10:39:17 AM.