Apr 15

I came across an interesting article today that touches on the topic of security, so I thought I’d write about it briefly. Christopher Boydon over at SpywareGuide.com found a phishing utility called Apheve up for download on Cnet.com. It allows phishers to disguise the program as an instant messaging program like Yahoo IM, Skype, or Live Messenger. The unsuspecting victim then tries to log into this fake program and receives an error. After the victim has left, the phisher goes back to that computer and retrieves the username and password the victim attempted to log in with.

What is shocking is that this program is freely available for download on Cnet.com and probably a host of other websites. Somehow it has squeaked through the filters. It has no purpose other than to steal passwords. The creator of the program has also posted YouTube videos with tutorials on “How to hack Msn, Skype or Yahoo with Apheve 1.1”. I think it is pretty clear what the nature of the program is.

This is just one more reason why you really need to be careful about what you access if you are using an internet cafe computer or any computer other than your own. You can never be too safe.

Sep 8
A little time has passed since the major uproar over the critical DNS cache vulnerability that researcher Dan Kaminsky discovered. Since then a temporary “band-aid” fix has been applied: randomized source ports are used to make it very difficult for an attacker to poison a DNS server’s cache. But it is not a fix that can stand the test of time. DNS is still broken and vulnerable, and much more work and many more ideas are needed to secure it.
Researchers have put forward a lot of ideas for securing DNS. Many of them are discussed on Dan Kaminsky’s blog, where he weighs their benefits, downsides, and possible implementation.

In an earlier article on his blog he discussed using TTL as a security feature. Someone came up with a method of using the TTL (time-to-live) to prevent a record in a server’s cache from being overwritten until its TTL has expired. Kaminsky points out several things wrong with this. One is that TTLs vary from server to server: for records with very high TTLs it can actually cause a lot of problems, and for records with very low TTLs you don’t gain much value from it.

For more on Kaminsky’s take on using TTL to try to fix DNS, you can read his statements on his blog. It will be interesting to see what people come up with to secure DNS.

Sep 3
It seems as if Apple’s MobileMe service has quite a few problems. A couple of weeks ago, the TechCrunch Blog reported a design flaw in the service that allows attackers to crawl the site’s public folder structure and obtain usernames. These usernames are the same ones used for the service’s email addresses. While this isn’t a huge concern for users of the service, because it does not expose sensitive information about the user, it is one more way for a spammer to easily obtain email addresses.

Email addresses obtained in this way can be used to launch a targeted spam campaign that phishes for passwords and other sensitive information. It is one more reason why it is important to filter email and be mindful of what you click on.

A larger concern about the service is that it does not use SSL when transferring data from one account to another. The service is an email, contact, and file management service that allows users to collaborate with each other. Account and credential information is encrypted, but the data that users send is not. This is a larger concern because users may not be aware of the issue, and sensitive and confidential data may be transferred over the web in the clear and put at risk.

The combination of knowing a user’s email address and being able to openly view data transferred through the service could allow an attacker to tailor an attack using direct knowledge of that user.

With that said, Apple is not the only one to blame when it comes to openly displaying usernames on public web pages. Many social network sites display a user’s login name on searchable web pages, which can then be used to find information on the user. One more lesson in how the internet is an open and public forum.

Sep 2
Come September 2nd, Google is going to release a beta version of its new browser, called Chrome. So what does this new browser mean for security? Here are some of the features the new browser will include.

It runs each new browser tab in a separate sandbox. Each tab gets its own process and memory space. This means that one tab cannot crash another, so you won’t lose all your sessions if just one of them hangs. It also means that applications in one tab do not have direct access to the memory of another browser tab. This increases the protection the browser provides against rogue sites.

Google claims this ‘sandboxing’ technique protects against malicious data from websites. If a website is causing an issue, it is contained within Chrome, and simply closing the browser will protect your PC. However, Google admits that plugins installed in the browser bypass this security feature.

It also features a privacy mode. This is similar to Microsoft’s InPrivate mode. No user information is recorded while in this mode: no usernames, passwords, website history, form data, etc., are recorded or stored. This is useful for users who are on a public PC and can’t guarantee privacy. It does not protect your data once it leaves the PC, however; from there it is still vulnerable to attackers sniffing data on the network.

Similar to current features in Internet Explorer, Chrome will also download the latest list of known phishing sites to warn users before they unknowingly access a phishing site.

None of these security features is new, however, with Internet Explorer and Firefox already on the market and claiming their stake in the “high security” web browser market. It will take something new and extraordinary from Google to take market share away from Microsoft and Mozilla.

Aug 29

With the public key infrastructure in use today, our defense against man in the middle attacks on SSL sessions rests entirely on certificates issued by trusted certificate authorities. If a session is initiated with a server that isn’t using a certificate signed by a trusted CA, and the authenticity of the server is not otherwise verified, then there is no guarantee that your transactions with that server are secure.

In a man in the middle attack, an attacker routes all traffic between the server and client through their own system and captures all the data sent. If the connection is encrypted, the attacker must decrypt the data before being able to read it. But if authentication was compromised beforehand, or the certificate was not verified for authenticity, then the attacker can gain access to all of the encrypted data easily.

At Carnegie Mellon University, researchers have developed a possible way to ensure that transactions over the internet with unverified servers are secure. The method is called “Perspectives.” It uses a system of notaries that maintain a history of the public keys used by each server. The client can use a web interface to verify that the key it received is the same key the notaries have observed from the server. For a man in the middle attacker to succeed, they would need to mount a man in the middle attack on both the client and the notary. This makes it very difficult to launch the attack successfully.

This method, however, is not a replacement for the current PKI system. Perspectives assumes that the man in the middle (MITM) is close to one of the two clients, the user’s client or the notary. For example, the MITM might be in the same subnet as the user’s client. But if the MITM is close enough to the server that both the client and the notary must pass through the MITM to reach the server, then the attack may succeed without the Perspectives system being able to detect it.

The Perspectives system also needs to maintain a history of public keys in order to work. So, while the chances are slim, if a MITM were already in place at the time the notary first recorded the server’s key, the notary’s record would be compromised from the start.
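As an added illustration of the notary check described above (example code, not the Perspectives project’s own; the host name, certificate bytes, notary names and the quorum and key-age thresholds are assumptions), the following toy model records what each notary has seen and plays out both limits just mentioned: a MITM near the client is caught because the notaries disagree, while one in front of the server is only caught until its key has been on record long enough.

```python
import hashlib
from dataclasses import dataclass, field

HOST = "bank.example"  # constructed host name
REAL = b"constructed: genuine certificate of bank.example"
ROGUE = b"constructed: attacker certificate"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()[:16]

@dataclass
class Notary:
    """A notary probes servers from its own vantage point and keeps a
    history of the keys it saw; only key changes are appended."""
    name: str
    history: dict = field(default_factory=dict)  # host -> [(day, fp), ...]

    def observe(self, host: str, day: int, cert_der: bytes) -> None:
        fp = fingerprint(cert_der)
        hist = self.history.setdefault(host, [])
        if not hist or hist[-1][1] != fp:
            hist.append((day, fp))

    def current_key(self, host: str, today: int):
        """(fingerprint, days on record) for the latest key, or None."""
        hist = self.history.get(host)
        if not hist:
            return None
        first_day, fp = hist[-1]
        return fp, today - first_day

def evaluate(host, client_cert, notaries, today, quorum=2, min_days=7):
    """Client-side check: accept only if at least `quorum` notaries currently
    see the key the client received and it has been stable for `min_days`."""
    fp = fingerprint(client_cert)
    ages = []
    for n in notaries:
        rec = n.current_key(host, today)
        if rec and rec[0] == fp:
            ages.append(rec[1])
    age = min(ages) if ages else 0
    return {"accept": len(ages) >= quorum and age >= min_days,
            "agreeing": len(ages), "key_age_days": age}

def scenarios():
    notaries = [Notary(f"notary-{i}") for i in range(3)]
    for n in notaries:
        n.observe(HOST, 0, REAL)            # genuine key on record for 30 days
    near_client = evaluate(HOST, ROGUE, notaries, today=30)   # notaries disagree
    honest = evaluate(HOST, REAL, notaries, today=30)
    for n in notaries:
        n.observe(HOST, 30, ROGUE)          # MITM in front of the server: all see it
    near_server_new = evaluate(HOST, ROGUE, notaries, today=30)  # caught by age only
    near_server_old = evaluate(HOST, ROGUE, notaries, today=60)  # undetected
    return near_client, honest, near_server_new, near_server_old
```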

For the time being, SSL CAs and PKI are here to stay and remain the most efficient and effective way to secure trusted transactions between clients and servers. But Perspectives offers an intuitive way to verify untrusted certificates, and it will be interesting to see if this method takes off in the future.

Aug 28
In case you needed further confirmation that the internet is not a safe place, an exploit of the Border Gateway Protocol can be used to divert internet traffic to another location. This can be done from anywhere on the internet and does not require the attacker to be in the same subnet as the victim. It was demonstrated at the DEFCON security conference in August.

While this is not a new discovery, the recent demonstration helps show how unstable and insecure the core infrastructure of the internet really is. Not only are higher level applications like DNS vulnerable, but the lower level protocols also have design flaws that can be taken advantage of. Experts in the field are calling for changes to internet routing and have been warning about this for years. A newer, secure protocol, S-BGP, is a possible solution that could be deployed, yet there are still issues to be worked out regarding deployment and operation.

For now, however, the only way to get any privacy over the internet is to use point-to-point encryption such as a VPN tunnel. Send data over the internet without encryption and you risk compromising it.

Aug 12
Network security is an evolving animal that changes every year. Just as your virus protection changes its signature database, your company needs to change its endpoint security to maintain quality security control throughout your network. Hackers modify their approach to attacks constantly, and if you don’t change how your network filters out these attacks, you will lose the war.

Managing endpoint security and control on your network is a key factor in your overall security. Today endpoint security requires a multi-layer approach. A study by the European Network and Information Security Industry showed that more than half of all exploits come in the form of browser hijacks and vulnerabilities. Attacks today are also becoming much more blended, meaning they take advantage of multiple protocols and mediums to accomplish their task. Attacks like these require that every point in your network be covered; the endpoint security of the past is no longer effective enough.

The best way to combat blended attacks today is with a blended, multi-layer endpoint security solution. Intrusion prevention systems are a must. They are not just a solution for enterprise businesses but also for small and medium sized businesses, if not even more so. Today small businesses are becoming a large target for attackers. This is because many small businesses now process credit card information but lack the budget for a quality endpoint security and control infrastructure. This makes them an easy target for attackers.

Your endpoint security and control infrastructure today contains several features that help protect your network. It typically involves several of the following forms of protection: antimalware, desktop firewall, hardware gateway firewall, intrusion prevention and detection, device control, application monitoring, and network-wide event monitoring. All these facets are usually monitored and controlled together to provide a comprehensive endpoint security solution. Because each facet can now be broken out into a separate product in its own right, the approach scales across all business sizes.

Aug 8

Web 2.0 has become a huge buzzword on the internet in the last few years, and it will only continue to grow over the next few. It provides a way for people to collaborate and share their ideas in ways they never could before. Generally speaking, the internet has not changed much technically. But since the introduction of Web 2.0, the way people use the internet has. Not only has the general public caught on to the idea of Web 2.0, but businesses are also seeing it as a great way for their employees to communicate, express their ideas, and promote teamwork. Today more than two-thirds of businesses are using at least one Web 2.0 application.

Information thieves have caught on to this fact and have begun looking for new ways to steal information and exploit weaknesses. Over the years we’ve seen many different ways for attackers to initiate attacks. Several years ago email attachments were one of the most prominent ways to spread a virus. With the introduction of Web 2.0, attackers see it as a new medium for malicious attack. Whereas before users would have to click on email attachments to execute them, now web technologies give attackers ways to spread malicious code simply when a user visits a web page.

Malicious code is not the only threat that Web 2.0 applications expose businesses to. Exposure of confidential information is one of the top threats that Web 2.0 directly exposes businesses to. More than a third of information leaks go through message boards or blogs on the internet.

Controlling access to Web 2.0 applications has become a main concern for many IT departments. Content control is no longer just a concern for enterprise businesses. Today even small and medium sized businesses are having to look into solutions for controlling access to certain content.

Aug 7
More and more people today are taking their banking online. Some 42% of internet users do their banking online. Considering that this number is growing every year, banks and credit unions are looking at their online banking security and making sure they can provide safe interactions with their customers. Those who don’t bank online cite a lack of online banking security as their main reason for not doing so. One reason they feel insecure about banking online is misinformation and not knowing the correct facts about internet security.

A study from the University of Michigan by Atul Prakash looks at design flaws that many banking sites have today that fail to protect users who don’t know the basics of internet security. It looks at design flaws rather than application vulnerabilities. Design flaws differ from application vulnerabilities because they stem from decisions made when designing the website. Many of the decisions the designers of banking sites have made promote insecure user behavior, and because many users are uneducated about basic internet security, these flaws can be taken advantage of.

Some of the online banking security flaws noted were being able to access the site over insecure HTTP, being redirected to an untrusted site, low password-strength thresholds, and emailing confidential data to users. If a user is unaware of the risks these designs pose, any of these flaws can lead to confidential data being leaked.

As far as user passwords go, many of the sites in the study impose no password restrictions on users. Low-quality passwords invite disclosure by brute-force attacks. But the study also notes that, with the introduction of phishing sites and keyloggers, a strong password doesn’t protect against those threats, and many banks consider forcing strong passwords to be merely an inconvenience for their users. It is also claimed that enforcing a ‘three-strikes’ lockout policy for incorrectly typed passwords makes brute-force attacks on low-quality passwords unrealistic. But the study finds that even a lockout policy is not enough if low-quality passwords are allowed: if a list of usernames is available, a parallel dictionary attack can run a string of authentication requests across all the usernames using common passwords, staying under the lockout threshold for each account.

The study also mentions websites that break the chain of trust. Often bank websites redirect to other websites without notice. Regardless of whether these sites are secured using SSL, many times the certificates used are not affiliated with the bank at all, and there is no way for the user to tell whether they are still on the bank’s website. This makes it hard for even a knowledgeable user to know whether they are on a phishing site.

As mentioned, other sites present secure login options on insecure web pages. While the site may offer secure logins via SSL and HTTPS, the same web page may also be available insecurely over HTTP. Even if a redirect to a secure page occurs afterwards, if the user has already entered credentials on the insecure page, those credentials are at risk of being compromised.
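To make the study’s point about lockout policies concrete, here is an added detection example (not from the study or this post) run over constructed authentication log lines in an assumed format: a per-account three-strikes rule locks the legitimate user who mistypes a password but never fires on a source that spreads two guesses across many accounts, whereas counting distinct accounts per source does catch it.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# "<timestamp> src=<ip> user=<account> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def locked_by_three_strikes(events, strikes=3):
    """Per-account lockout: lock after `strikes` consecutive failures.
    This is the policy the study says is not enough on its own."""
    streak, locked = defaultdict(int), set()
    for e in events:
        if e["result"] == "FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] >= strikes:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0
    return locked

def spraying_sources(events, min_users=5, strikes=3):
    """Flag sources whose failures spread over many accounts while staying
    below the lockout threshold on every one of them (the parallel
    dictionary attack). Returns {src: sorted list of accounts tried}."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
    return {src: sorted(per_user) for src, per_user in fails.items()
            if len(per_user) >= min_users and max(per_user.values()) < strikes}

# Constructed sample: bob mistypes his password three times from one host,
# while 203.0.113.7 tries two common passwords against eight accounts.
SAMPLE_LOG = [
    "2008-08-07T10:00:01 src=198.51.100.4 user=bob result=FAIL",
    "2008-08-07T10:00:09 src=198.51.100.4 user=bob result=FAIL",
    "2008-08-07T10:00:15 src=198.51.100.4 user=bob result=FAIL",
] + [
    f"2008-08-07T10:01:{4 * i + j:02d} src=203.0.113.7 user=acct{i} result=FAIL"
    for i in range(8) for j in range(2)
]

def analyse(lines=SAMPLE_LOG):
    events = list(parse(lines))
    return locked_by_three_strikes(events), spraying_sources(events)
```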

For more information on this online banking security study, you can visit the following page: Analyzing Websites for User-Visible Security Design Flaws