Tag: Security

Categories
Links

Fallout from Comodo and DigiNotar Hacks Continues

The hacking of major certificate authorities, Comodo and DigiNotar, has been somewhat addressed by certificate blacklists and revocations. Despite these measures, however, the fallout of the hacks continues. As picked up by PC Magazine,

This week Kaspersky has discovered malicious droppers – programs that install malware – bearing stolen VeriSign certificates originally issued to a Swiss company called Conpavi AG.

One of the droppers carries a 32-bit driver containing a malicious DLL, which gets injected into your Internet browser process. A malicious 64-bit dropper injects the DLL directly.

From there, the DLL reroutes all your search queries in Google, Yahoo!, and Bing, to a pay-per-click search engine called Search 123. Search 123 makes money off people who search and click on their results.

As a colleague of mine commented, this is just another nail in X.509’s coffin. Let’s just hope that not too many innocents are buried along with it.

Categories
Links

Google Chrome Addons Fingerprinting

Krzysztof Kotowicz has recently published the first part of a Chrome hacking series. In what went up mid-March, he provides the proof of concept code to ID the addons that users have installed. (The live demo – avoid if you’re particularly privacy conscious – is here.) There are various advantages to knowing what, specifically, browser users are running:

  • It contributes to developing unique browser fingerprints, letting advertisers track you passively (i.e. without cookies);
  • It enables an attacker to try and compromise the browser through vulnerabilities in third-party addons;
  • It lets websites deny you access to the site if you’re using certain extensions (e.g. a site dependent on web-based ad revenue might refuse to show you any content if you happen to be running adblock or Ghostery)

Means of uniquely identifying browsers have come and gone before, and this will continue into the future. That said, as more and more of people’s computer experiences occur through their browsers an ever-increasing effort will be placed on compromising the primary experience vector. It will be interesting to see if Google – and the other major browser vendors – decide to see this means of identifying customer-selected elements of the browser as a possible attack vector and consequently move to limit addon-directed surveillance.

Categories
Links Writing

On Hiring Hackers

Kevin McArthur has a response to firms who are demanding highly credentialed security staff: stop it!

Much of his argument surrounds problems with the credentialing process. He focuses on the fact that the time spent achieving an undergrad, MA, and set of professional certifications leaves prospective hires woefully out-of-date and unprepared to address existing security threats.

I recognize the argument but think that it’s somewhat of a strawman: there is nothing in a credentialing process forcing individuals to solely focus on building and achieving their credentials. Indeed, many of the larger companies that I’m familiar with hire hackers as employees and then offer them opportunities to pursue credentials on their own time, on the company dime, over the course of their employment. Many take advantage of this opportunity. This serves two purposes: adds ‘book smarts’ to a repertoire of critical thinking habits and makes the company ‘stickier’ to the employee because of the educational benefits of working for the company.

Under the rubric of enabling education opportunities for staff you can get security talent that is very good and also happens to be well educated. It’s a false dichotomy to suggest that you can have either ‘book smarts’ or ‘real world smarts’: there are lots of people with both. They don’t tend to be right out of university or high school, but they are out there.

What’s more important, and what I think the real focus of the article is meant to be, is that relying on credentials instead of work accomplished is the wrong way of evaluating prospective security staff hires. On that point, we entirely agree.

Categories
Links Writing

Poison Texts Targeting Mobile Phones

While smartphones get in the news for security reasons related to mobile malware, it’s important that we not forget about the other means of attacking mobile phones. USA Today has a piece which notes that,

One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams. “Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile,” says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.

This approach is really just phishing using text messages. It’s significant, but not necessarily something that we should get particularly jumpy about. The same article recognizes that “hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google’s Android operating system are frequently the target of hackers.” What is missing in the article is a recognition that text-based phishing can be made considerably more effective if an individual’s smartphone has already leaked considerable amounts of personal data to the attacker via a third-party application. This is the scenario we should be leery of.

Specifically: we can easily imagine a situation where a hostile application that has been installed on a smartphone acquires enough personal information that an attacker can engage in targeted spear phishing. By getting name, address, names of friends and family, places of employment, recent photos that are geotagged, and so forth, it is possible to trick individuals by text messages to ‘give up’ information. Moreover, by first compromising devices attackers can better target specific individuals based on how the phishermen have profiled device owners: they can be choosy and target those who would either be most vulnerable or best resourced. It’s the integration of two known modes of attack – phishing and compromising smart devices – that will be particularly devastating far in excess of either attack vector on its own.

Categories
Aside Humour

Unencrypted Wifi Hotspots 😬

Just one of the reasons not to use open, unencrypted, wifi hotspots

Categories
Aside Humour

Home Security?

Home security ?

Home automation robots just got a little more dangerous (?)

Categories
Videos

IBM and Intelligence Cities

IBM’s efforts to add ‘intelligence’ to cities – and thus make them more manageable – is an ongoing effort. While what they’ve developed in Rio is interesting, I suspect that several facets of the ‘defence mechanism’ obfuscate residents’ economic realities.

Specifically, the video notes that residents of favelas may receive text messages that warn of oncoming disasters. This is good, but misses the point that a warning system without a capacity to absorb/protect residents who are fleeing poorly-build environments is effectively useless.

While the IBM ‘smart city’ project may  make the city more intelligent, and improve daily operations, such intelligence doesn’t necessarily mean that the city can temporarily house residents of favelas in ‘safe’ areas of the city if a major disaster occurs. Unfortunately, the sale of technology in this video obfuscates this key truth of disaster preparation.

Categories
Videos

Wacky Security Devices

This is the kind of wacky security device that would lead to lawsuits if it worked and hilarity regardless of functionality.

Categories
Links

Reasons To Not Use A Proxy Server

Some of the reasons to be concerned about using unknown third-parties’ proxy services.

Categories
Links

Phishing on Mobile Devices

A good paper on (you guessed it!) phishing on mobile devices. Paper is here (.pdf) and abstract is below.

We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the risk, we study 85 web sites and 100 mobile applications and discover that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing. Our implementation of sample phishing attacks on the Android and iOS platforms demonstrates that attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated.