Tag Archives | Security

New Twitter Frontpage Resembles Search Engine

Twitter’s new home page, which went live yesterday, resembles a search engine, with trending topics taking the place of categories. Twitter is a useful way to learn what is happening now, but it is also a way to become quickly misinformed.

Social media is a nontraditional but effective means of keeping up with the day’s news and events. Event feeds, where friends share information with one another, are a much better way to stay on top of what people are talking about than e-mail ever was. I regularly check my feeds on Facebook, and to a lesser extent Twitter, to stay looped in.

People that I add to my social mesh are typically people whose opinions I respect, and I find it useful to read their take on what’s happening. A certain amount of trust is required, because status updates and tweets are not vetted sources of information (at least upfront).

Therein lies the rub. Twitter has a history of security problems and exploits, and it can be a hotbed of misinformation. In May, a rogue tweet was responsible for causing a civil rights panic, and rumors about other celebrities dying were propagated on Twitter after Michael Jackson passed away last month. The effect was viral.

Twitter is also the target of hackers. The accounts of public figures, including ABC News broadcast journalist George Stephanopoulos, have been phished and taken over by unknown persons.

The site also relies on outmoded and easily compromised security questions for account password retrieval.

In short, while Twitter is useful to tune into the day’s buzz, it is not a news organization. A certain degree of skepticism is required when controversial or shocking information surfaces from social media. I’m not saying that people shouldn’t use Twitter, but I am urging people to validate what they read before sharing it with others.


iPhone SMS Vulnerability: Should You be Scared?

Run for the hills! That’s the message iPhone owners are receiving after multiple reports say security researchers will tomorrow unveil an iPhone vulnerability that could allow the popular device to be taken over via a simple SMS (or text) message.

The bug, discovered by iPhone hacker Charlie Miller, will be outlined during a presentation at the Black Hat security conference in Las Vegas on Thursday. Miller’s presentation will supposedly show, as Forbes’ headline screams, “How To Hijack ‘Every iPhone In The World’”. To do so, attackers only need to send a series of specially formatted SMS messages to an iPhone in order to take over functions such as dialing and turning on the camera and microphone, as well as spreading the attack via an affected iPhone’s contact list.

Apple, which Miller notified about the bug six weeks ago, has not commented on the vulnerability and as of this writing has not released a patch for the problem. What can iPhone owners do in the meantime? Miller tells Forbes that about the only thing that will surely protect the device is to turn it off.

Miller’s talk isn’t the only one centered on SMS vulnerabilities. Other talks will show a somewhat similar flaw in Windows Mobile that would allow complete control of a device to be achieved through an SMS hack. A third Black Hat talk will center on how an SMS flaw that affects both iPhone and Google Android devices could be used to knock affected phones off a carrier network for upwards of ten seconds via a blast of SMS messages.

Should you be scared of these newest flaws and really turn off your iPhone in anticipation of an attack? I don’t think so. The SMS attack vector is not all that new. This past spring, CSO Online did a video demonstration of such an attack against various smart phones (see parts one and two of the video).

While the various Black Hat presentations this week will show SMS as being a newer vector for attacking popular smartphone platforms, the odds are still relatively low that any one device will be hit. Most likely (or hopefully), device makers like Apple and carriers will come up with a patch for the SMS flaws well before any mainstream attacks occur. You have a greater chance of being bitten by a Twitter-based hack than an SMS attack.


“Secret” Questions: Not. Secret. At. All.

I still have Twitter’s document leak on my mind, and am therefore hypersensitive at the moment to the “forgot your password?” features that Web services offer and their potential for abuse by people who want to steal your information (or even your money). I just signed up for a Barnes & Noble account, which I’m bringing up here not because it’s a bad example but because it’s perfectly typical.

B&N asked me to choose a question that nobody else could answer:

Barnes and Noble questions

And then it gave me eight questions to choose from:

Barnes and Noble

I don’t see a single question here that nobody else on earth can answer. Some are the very definition of public information, like the names of parents and pets. Others are profoundly guessable, even by perfect strangers. (If you know what metropolitan area someone lives in, doesn’t that give you a gigantic head start in figuring out what his or her favorite team might be?)

As for me: Lots of people know what city I was born in, what my mother’s middle name is, and what sports team I root for. If you’ve got access to my Facebook profile you can make excellent stabs at figuring out my favorite author and movie. My favorite car is pretty obvious, too–it’s the one parked in my driveway, and I’ve mentioned it repeatedly on Twitter and in other online venues.

Oh, and my father doesn’t have a middle name and I don’t own any pets at the moment, so those questions are out.

When you think about it, there’s almost no such thing as information that’s A) known only to one person and B) virtually impossible for anyone else to guess. There are terrible implementations of secret-question security and less terrible implementations, but they’re all based on a fundamentally flawed idea.

It’s true that like many services, Barnes & Noble only asks you the security question after you’ve clicked on a link it sends you via e-mail. So an intruder would have to both have access to your e-mail and know or be able to guess the answer to your security question to get access to your account. In other words, the security question is an added level of protection, not a primary means of defense–but I still don’t like the Web-wide pretension that nobody knows my mother’s name except me.

Conclusions?

1) If Web sites insist on using secret questions–and I’m sure they’re not going anywhere–they should at least stop pretending there’s anything secret about them;

2) Letting us choose our own secret questions and answers is much better than forcing us to use one supplied by the company;

3) Providing bizarre made-up answers remains the best way to keep secret questions secret. Which is why I just decided that my favorite team is the Atascadero Wombats…
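The post describes the pattern that makes a secret question tolerable: the question is only asked after the e-mailed link has been clicked, so it is a second check rather than the sole gate. As an added example that is not part of the original post, this sketch of a recovery service shows how a site can implement that ordering defensively: a random single-use token goes to the mailbox on file, the question is only asked once the token has been presented, answers are stored as salted hashes rather than plaintext, and wrong answers are counted and locked out. It also includes the post’s third recommendation, a generated nonsense answer, as `random_answer()`. All class, function and account names are illustrative assumptions, not the code of any real service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: a recovery flow in which the "secret" question is a
# second factor behind an e-mailed token, not the only gate. Illustrative only.

MAX_ANSWER_ATTEMPTS = 5          # wrong answers allowed before the flow locks
TOKEN_TTL_SECONDS = 15 * 60      # e-mailed link is valid for 15 minutes


def normalize_answer(answer: str) -> str:
    # Compare case- and whitespace-insensitively so "Fluffy " matches "fluffy".
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value must not reveal the answer itself.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


def random_answer(n_bytes: int = 12) -> str:
    # The post's point 3: an answer that cannot be looked up or guessed.
    # Store it in a password manager; it is not meant to be remembered.
    return secrets.token_urlsafe(n_bytes)


@dataclass
class Account:
    email: str
    salt: bytes
    answer_hash: bytes
    recovery_token: Optional[str] = None
    token_expires: float = 0.0
    failed_answers: int = 0       # persists across tokens so re-requesting does not reset it


class RecoveryService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, token) mails the service "sent"

    def register(self, email: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_answer(answer, salt))

    def request_reset(self, email: str, now: float) -> None:
        # Step 1: a random token goes to the mailbox on file. Someone who only
        # knows the answer to the question gets nothing from this step.
        acct = self.accounts.get(email)
        if acct is None:
            return   # stay silent so the form does not confirm which e-mails exist
        acct.recovery_token = secrets.token_urlsafe(32)
        acct.token_expires = now + TOKEN_TTL_SECONDS
        self.outbox.append((email, acct.recovery_token))

    def answer_question(self, email: str, token: str, answer: str, now: float) -> bool:
        # Step 2: the question is only evaluated once the e-mailed token is proven.
        acct = self.accounts.get(email)
        if acct is None or acct.recovery_token is None:
            return False
        if now > acct.token_expires or not hmac.compare_digest(token, acct.recovery_token):
            return False
        if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
            acct.recovery_token = None   # too many guesses: invalidate this flow
            return False
        ok = hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash)
        if ok:
            acct.recovery_token = None   # token is single use
        else:
            acct.failed_answers += 1
        return ok
```

The guessability of "What is your pet's name?" is unchanged by this flow; what changes is that a guess alone is worthless without the mailbox, and that guessing is capped. A site that asks the question first, in one browser session, has neither property.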


Twitter’s Security Problem is Our Security Problem

How did French data thief “Hacker Croll” break into accounts and swipe the 310 internal Twitter documents which he leaked to TechCrunch? TechCrunch’s Nik Cubrilovic has a long post explaining what happened–or at least what “Croll” says happened–in surprising detail. Even if you have serious issues with TechCrunch’s ongoing use of stolen documents–as I do–this story is worth a read.

Basically, “Croll” didn’t do anything particularly brilliant–and there were no chinks in Twitter’s security armor that aren’t pretty much universal. Mostly, he took advantage of (a) Twitter’s use of other Web-based services to run its business; (b) the fact that every organization has employees who use the same damn password for multiple accounts; and (c) password recovery systems that can make it absurdly easy to break into someone else’s account.

Companies aren’t going to stop using Web services, and if there’s a way to prevent employees from using the same password for disparate services from unrelated companies, I can’t think of it. The one aspect of security breaches such as the Twitter break-in that’s addressable is the lax state of password recovery. I’m worried it’ll stay lax, since the easier Web companies make it for users to get back lost passwords, the less costly it is from a customer service standpoint. But I dearly hope that Twitter’s embarrassment serves as a wake-up call for the whole industry–one that’s about a decade overdue.


With Online Passwords, Dishonesty Can Be the Best Policy

Well, this is embarrassing: A hacker who apparently broke into various online accounts associated with Twitter executives and employees has sent TechCrunch hundreds of documents he purloined, including everything from user-growth projections to staffers’ meal preferences. TechCrunch’s Michael Arrington says he’s going to publish the stuff that has a lot of news value.

I’m not that interested in sensitive Twitter documents, so the most interesting aspect of all this is how easily the hacker was apparently able to get into Twitter’s online accounts. Actually, he doesn’t appear to have done any true hacking–he was just able to determine or reset passwords at Gmail, AT&T, MobileMe, and elsewhere.

Observers are rightly saying that the pilfering is a potentially useful reminder of the risks associated with storing sensitive information on the Internet. And most specifically, it may show that some Web services’ password-recovery features are inherently dangerous. It’s possible that some Twitter employees chose passwords or password questions that were too easy to guess, but it’s also possible that they followed the advice and instructions at the services in question to the letter, and their accounts still weren’t safe.

When someone broke into Salma Hayek’s MobileMe account in April, I wrote that using easily obtained information like a user’s birthday or the maiden name of his or her mother to protect an account is unacceptably risky. It’s also dangerous to provide password recovery tools that let someone reset a password in one browser session, without having to access information sent by e-mail.

Even after the crummy publicity of Salma’s security breach, MobileMe is still suggesting to users that “What is my pet’s name?” is a reasonable secret question:

MobileMe

If you know (or can guess) a MobileMe user’s account name, birthday, and the answer to his or her secret question, you’re in.

Bottom line: It pays to be paranoid online, especially since some of the companies whose services you may use are probably way too nonchalant. If a service asks for easy-to-find information, it’s not a bad idea to simply lie like a rug. Any fool can determine that your mom was a Benson, so why not decide that for the purposes of your online security, she was a McGillicuddy–and then never tell another living soul? Even when you can specify your own “Secret Question,” specifying an answer that’s wrong isn’t a bad safety measure.


Google’s Chrome OS Security Claims: Idiotic?

Among the things that Google says about its upcoming Chrome OS is that it’s going to shine from a security standpoint:

And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.

IDG News Service’s Grant Gross talked to security guru Bruce Schneier, who isn’t just skeptical about Google’s promises–he’s downright insulting:

Bruce Schneier, the chief security technology officer at BT, scoffed at Google’s promise. “It’s an idiotic claim,” Schneier wrote in an e-mail. “It was mathematically proved decades ago that it is impossible — not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible — to create an operating system that is immune to viruses.”

Like much of what Google has said about Chrome OS so far, its claims about security are pretty darn vague, which leaves us on the outside who try to fact-check them at a disadvantage. It doesn’t say that the OS is virus- and malware-free–just that folks “won’t have to deal with” these threats. I “don’t have to deal with” viruses and malware on my Mac in the sense that I’ve never been infected. But that’s not the same thing as the OS being invulnerable. And while Google might be confident that it’s building something that won’t ever require Windows-style constant patching, I can’t quite believe it’s saying that there are no circumstances under which Chrome OS might need a security fix, period.

We still know very little about just how much of Chrome OS and users’ data will reside on the netbook, and how much will live remotely on Google’s servers. Maybe the local OS won’t do much more than boot the computer and provide drivers and a rendering engine. Maybe all user files will be stored in the cloud. If so, it’s possible that Chrome OS will be radically safer than traditional desktop OSes.

Even so, Schneier’s surely right that it’s impossible to write an OS that’s 100.000000% impervious to viruses. As long as computing involves the fallible devices known as human beings, there’s a chance that somebody will unwittingly allow a malicious piece of software onto the system.

Here’s a way of looking at it: In the post I quote at the top of this story, Google makes reference to the Chrome browser when touting the security of Chrome OS. Chrome the browser is indeed well-done from a security standpoint, but that doesn’t mean that Google hasn’t had to patch up holes. If Chrome-the-OS is as safe as the browser, it’ll be a point in its favor. But it won’t give users a license to fall asleep at the wheel.


Denial-of-Service Attack Tried to Catch Government Sites Napping

While the United States was busy celebrating Independence Day and worrying about North Korea launching missiles towards Hawaii, a massive 50,000-node botnet began targeting US government Web sites, successfully bringing down the Federal Trade Commission and Department of Transportation sites.

According to Computerworld, the attacks started appearing on the 4th, with government and business sites as the primary target, including the New York Stock Exchange, the White House, and the Washington Post’s Web sites. Many were able to deflect the attack enough to stay online, but the researchers say FTC and DOT sites did go down under the traffic load. Sites in South Korea were also targeted.

Over the weekend, the distributed denial-of-service attack was consuming upwards of 40 gigabytes of bandwidth per second, enough to overload sites not prepared for massive simultaneous traffic. As of yesterday, the rate of traffic fell to only 1.2 gigabytes per second.

Researchers say the code behind the botnet is not all that sophisticated and does not use the typical antivirus evasion techniques found in other networks. Despite its simplicity, the DDoS attack was successful. “It’s the biggest I’ve seen,” an expert, who asked not to be identified because he was not authorized to discuss the matter, told Computerworld.

Timing could be a key to the attack. By launching on the weekend, particularly a major holiday, the attackers were likely figuring that guards would be down as people spent the time celebrating. In this case, they seem to have bet correctly.


Critical iPhone SMS Vulnerability Revealed

Yesterday, security researcher Charlie Miller gave Apple a good pantsing at the SyScan conference in Singapore. Miller, who is the author of “The Mac Hacker’s Handbook,” revealed that the iPhone allows remote code installation and execution through SMS, a security hole that Apple is working to patch up.

That means that a hacker could potentially turn the iPhone into a remote tracking device by exploiting its microphone and GPS capability, or do whatever else he or she pleases.

Software that runs devices like the iPhone is complex, and there is always going to be a Charlie Miller who can uncover defects. However, Apple has been sharply criticized for lacking a company-wide, holistic approach to secure software development. Vulnerabilities will continue to slip by its engineers, placing iPhone users’ personal information and privacy at risk.

The iPhone 3.0 update contained 46 security patches, but it did not address the SMS vulnerability that Miller discovered–that fix is on its way (likely to be wrapped into the iPhone 3.1 update).

I expect that this SMS vulnerability is just the tip of the iceberg, and we will continue to see more like it until Apple upgrades its security practices.


Maybe There is Such a Thing as Karmic Justice

The U.S. Court of Appeals has ruled that security software maker Kaspersky Labs had the right to label adware from Zango as malware and help PC users identify it and remove it. The ruling ends a legal battle that had been going on since 2007–part of a campaign by Zango to get off of security software’s enemies lists through lawsuits and cease-and-desist letters.

For Zango, Kaspersky’s victory is moot–the adware company closed its doors earlier this year. For consumers, it’s good news: It’s a legal precedent that supports the notion that PC users have the right to control what’s on their computers, and to use software that assists them in doing so.

Zango’s founders would and did argue that there was nothing mal about their wares. But even if Zango had cleaned up its act before it folded, the company was the result of the merger of 180Solutions and Hotbar, two companies whose applications wound up on a lot of PCs without their owners’ knowledge or permission earlier this decade. Including mine. Zango execs kept acknowledging past sins, blaming third parties such as rogue affiliates, and bragging about the company’s current policies, but when I tried Zango after its launch it failed to live up to its allegedly consumer-friendly policies on multiple fronts. And anti-adware crusader Ben Edelman played hectoring Jiminy Cricket to Zango’s Pinocchio for years, documenting what he said were questionable tactics even after the company had supposedly decided to be good.

In this revealing blog post, Zango CTO Ken Smith acknowledges that Zango’s bad rep helped seal the company’s fate. I hope other companies consider it a cautionary tale: Consumers (and large advertisers) have memories like elephants, and you simply can’t take actions that make their lives miserable, then proclaim that you’ve changed your ways and expect the world to welcome you as a solid citizen.


Michael Jackson’s Death Seen as Attack

Google interpreted the swell of searches inspired by the passing of entertainer Michael Jackson as a malicious attack on its Google News service, according to reports.

People searching for news about the music icon after word spread about his condition were met by a cryptic message: “We’re sorry, but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can’t process your request right now.”

It may sound as if Google goofed, but on the contrary, its system worked almost flawlessly. The alert was probably automatic, because traffic was at a significantly higher volume than under normal conditions, and many searches were mobile searches. The company caught onto what was really happening approximately 25 minutes later, CNET reported.

Google did not release specific traffic data, but Yahoo received 16.4 million visitors within 24 hours. The fact that both sites remained accessible is laudable; there was no change in performance from my end.

Had there been a major emergency somewhere in the world, the search giants would have remained a useful conduit for people seeking credible information about what was going on. The companies also showed that they could effectively protect their services from an actual attack.
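The post’s observation is that a purely volume-based trigger cannot tell a genuine surge of human interest from automated abuse: both look like “far more requests than usual.” As an added example that is not part of the original post and not Google’s actual logic, the code below runs a volume-only check and a second check that also looks at who is sending the requests over three constructed one-minute windows of search-log tuples. The thresholds (5x baseline for a surge, more than half of requests from the top five clients or fewer than 10% distinct clients for “automated”) are assumptions chosen for illustration, and the client ids and queries are fabricated.

```python
import random
from collections import Counter
from typing import List, Tuple

# Constructed example: distinguishing an organic traffic surge from automated
# traffic by source diversity, not volume alone. Thresholds are illustrative.

LogLine = Tuple[int, str, str]   # (unix second within the window, client id, query)


def make_window(n: int, n_clients: int, queries: List[str], seed: int) -> List[LogLine]:
    # Build a fabricated one-minute window of n requests spread over n_clients sources.
    rng = random.Random(seed)
    clients = [f"client-{i}" for i in range(n_clients)]
    return [(i * 60 // max(n, 1), rng.choice(clients), rng.choice(queries)) for i in range(n)]


# Three constructed windows (not real search data):
BASELINE = make_window(20, 20, ["weather", "stock prices", "recipes", "news"], seed=1)
# Organic surge: many different people asking about the same event.
ORGANIC = make_window(400, 350, ["michael jackson", "michael jackson news",
                                  "mj hospital", "jackson dies"], seed=2)
# Automated surge: a handful of sources repeating one query.
AUTOMATED = make_window(400, 3, ["michael jackson"], seed=3)


def is_surge(window: List[LogLine], baseline: List[LogLine], surge_factor: float = 5.0) -> bool:
    # Volume-only trigger: fires for any window well above the baseline rate.
    return len(window) > surge_factor * len(baseline)


def source_metrics(window: List[LogLine]) -> Tuple[float, float]:
    # (share of requests from the top five clients, distinct clients per request)
    n = len(window)
    clients = Counter(client for _, client, _ in window)
    top_share = sum(count for _, count in clients.most_common(5)) / n
    distinct_ratio = len(clients) / n
    return top_share, distinct_ratio


def classify(window: List[LogLine], baseline: List[LogLine],
             surge_factor: float = 5.0, max_top_share: float = 0.5,
             min_distinct_ratio: float = 0.1) -> str:
    # Volume decides whether to look closer; source diversity decides what it is.
    if not is_surge(window, baseline, surge_factor):
        return "normal"
    top_share, distinct_ratio = source_metrics(window)
    if top_share > max_top_share or distinct_ratio < min_distinct_ratio:
        return "suspected automated"
    return "organic surge"


if __name__ == "__main__":
    for name, window in [("baseline", BASELINE), ("organic", ORGANIC), ("automated", AUTOMATED)]:
        print(f"{name:10s} volume-only surge={is_surge(window, BASELINE)!s:5s} "
              f"verdict={classify(window, BASELINE)}")
```

Run as a script it shows the volume-only check firing on both surge windows, while the diversity check separates them. In production the "client" would be whatever identity is available (an address, a session, a device fingerprint), and the concentration thresholds would be calibrated against the service’s real history rather than picked by hand; shared proxies and carrier NATs make source concentration noisier than in this constructed data.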
