Monday, September 1, 2008

Cyber Crime Updates

STILL UNSAFE : Spied on despite encryption

14 August 2008


In order to prevent misuse it is always advisable to use encrypted connections for sensitive activities, like online banking, or reading emails at services like Google Mail. However, in certain circumstances, attackers may still gain access to bank or email account data, despite the encryption.

The technique used is a special form of cookie theft. Although it was already discussed a year ago, it has only now received the attention it deserves – the main reason being that a tool has now become available which allows actual attacks to be carried out.

The problem arises because many services handle session management, and sometimes authentication itself, via cookies. That is harmless as long as the cookies only ever travel over encrypted https connections. But many sites don't mark their session cookies with the Secure flag, the attribute that tells the browser never to send a cookie over an unencrypted connection. Without it, the browser will attach the session cookie to any plain http request to the same site, for example when the user simply opens an ordinary, unencrypted page at the mail provider's web site, and anyone able to read the network traffic can copy the cookie.

The actual attack runs like this: the victim, sitting on a wireless network, logs into a service like Google Mail over https and reads email, also over https. While still logged in, the user then opens some arbitrary, unencrypted web page. An attacker on the same wireless network injects into that page a reference to an image supposedly located at the unencrypted http://mail.google.com site. The browser tries to fetch the image and, because the session cookie is not marked Secure, sends the Google Mail cookie along with the request in the clear. The attacker records the exchange and can subsequently present the cookie to open the user's mailbox at Google Mail.

At the Defcon security conference, Mike Perry demonstrated such an attack and announced that he would release a tool within two weeks. Sandro Gauci appears to have developed the idea at the same time and now not only presents a paper and a video, explaining and demonstrating the details, but even complements his release with a suitable Python script called Surf Jack. Ironically, the script is hosted by none other than Google itself.

The attack is not limited to wireless LANs: it also works via ARP spoofing, for example in corporate networks, or by poisoning the DNS cache of basically any network. Vulnerable are services that authenticate via cookies and whose servers do not set the Secure flag on them. According to Perry, these include Google Mail, as well as Facebook and Amazon. Gauci even claims to have found two banks that are vulnerable.

Unfortunately, users normally cannot change the flags on the cookies a site sets. Google, however, recently introduced the option to always use a secure connection when accessing Google Mail. As it happens, this option also causes the server to set the Secure flag, restricting the Google Mail session cookie exclusively to encrypted connections. Google unfortunately neglected to document this side effect. As a result, many users already consider themselves safe because they have always typed https:// and accessed their mailboxes only via encrypted connections, which by itself does nothing to protect the cookie. Users are advised to enable the respective option in their Google Mail account settings at their earliest convenience.
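To make the browser side of this concrete, here is an added example that is not code from the heise article, from Perry, or from Gauci's Surf Jack script. It replays the decision a browser makes when the injected image request goes out: given the Set-Cookie headers a webmail site sent on its https login response, which cookies get attached to a plain http request for the same host? The host name mail.example, the cookie names and the header values are constructed for illustration; the scheme, domain and path rules follow RFC 6265, which postdates the article but describes the same browser behaviour.

```python
"""Added example: cookies a browser attaches to the forged http image request
in the Surf Jack scenario. All hosts, cookie names and headers are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed: headers a webmail site might send on its https login response.
# Only the hardened set marks the session cookie (SID) with the Secure flag.
VULNERABLE_LOGIN_HEADERS = [
    "SID=c0ffee1234; Domain=.mail.example; Path=/; HttpOnly",
    "PREF=en; Domain=.mail.example; Path=/",
]
HARDENED_LOGIN_HEADERS = [
    "SID=c0ffee1234; Domain=.mail.example; Path=/; Secure; HttpOnly",
    "PREF=en; Domain=.mail.example; Path=/",
]

# The URL the attacker injects into an unencrypted page as <img src="...">.
INJECTED_IMG_URL = "http://mail.example/favicon.ico"


def parse_set_cookie(headers, set_by_host):
    """Turn Set-Cookie header values into cookie records.

    A cookie without a Domain attribute is host-only (exact host match);
    a Domain attribute also covers subdomains, as in RFC 6265.
    """
    cookies = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies.append({
                "name": name,
                "domain": morsel["domain"].lstrip(".") or set_by_host,
                "host_only": not morsel["domain"],
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),      # '' when the flag is absent
                "httponly": bool(morsel["httponly"]),
            })
    return cookies


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: equal, or prefix ending in '/', or next char is '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_would_send(cookie, request_url):
    """Approximate the browser's send decision for one cookie and one URL."""
    url = urlsplit(request_url)
    host = url.hostname or ""
    if cookie["secure"] and url.scheme != "https":
        return False  # the Secure flag is the only thing stopping the leak
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False
    return path_matches(url.path or "/", cookie["path"])


def cookies_sent(headers, set_by_host, request_url):
    """Sorted names of the cookies the browser attaches to request_url."""
    return sorted(c["name"] for c in parse_set_cookie(headers, set_by_host)
                  if browser_would_send(c, request_url))


if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_LOGIN_HEADERS),
                           ("hardened", HARDENED_LOGIN_HEADERS)):
        leaked = cookies_sent(headers, "mail.example", INJECTED_IMG_URL)
        print(f"{label}: sent in the clear to {INJECTED_IMG_URL}: {leaked}")
```

With the vulnerable headers the session cookie SID goes out in the clear along with PREF; with the hardened headers only the harmless PREF cookie does, while an https request to mail.example still carries SID, so the session keeps working. Two caveats a practitioner should keep in mind: the Secure flag prevents disclosure over http but not injection, since a cookie an attacker sets over plain http is still accepted for the https site (cookies have weak integrity across schemes), and HttpOnly is a separate control that only limits script access, not network exposure.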


HABIT : 89% of web users share personal data online

Even though 84% say they never would

Carrie-Ann Skinner

August 11, 2008


Although 84 percent of internet users claim they never give out personal details online, the reality is very different says AOL.

According to research conducted by the web portal, 89 percent of internet users have at some point willingly given away personal details online, highlighting that while surfers may understand the dangers of data security online, they don't actually take steps to ensure their safety.

"Our research identified a significant gap between what people say and what they do when it comes to protecting sensitive information online," said Jules Polonetsky, AOL's chief privacy officer.

The results of the survey also show that 34 percent of web users expect to be the victim of credit-card fraud online, while only 11 percent have actually experienced the problem.

With this in mind, AOL has launched a privacy education campaign designed to make consumers aware of how easily they can protect their identity and personal data while online.

According to Information Commissioner Richard Thomas, the sharp differences between what people say and how they behave online need to be addressed.

"By taking a practical, down-to-earth approach to data protection and privacy, we can simplify good practice for the majority of organisations who seek to handle personal information well. However, it is equally important for individuals to be aware of their information rights and to take steps to protect their own privacy."


LAW : Sweden Passes Wiretap Law Amid Protests

Kelly O'Connell, IBLS Editor

August 18, 2008


A new electronic surveillance law, described as "the most far-reaching eavesdropping plan in Europe," was recently passed by the Swedish Parliament. The new statute is popularly referred to as the FRA-lagen, or FRA law, and is meant to fight terrorism in Sweden. It was passed by the Riksdag on June 18, 2008, takes effect in 2009, and gives the Swedish National Defence Radio Establishment (FRA, Swedish Försvarets radioanstalt) the right to intercept all Internet and other electronic traffic crossing Swedish borders. Some IT security analysts say the Government's underlying aim is to better counter Russian cyber-attacks. The new law was formally called proposition 2006/07:63, En anpassad försvarsunderrättelseverksamhet, or "An adapted defence intelligence activity."

The response to the Act from Swedes has been almost wholly negative. Over six-and-a-half million protest e-mails have been sent by irate residents to the 143 Swedish lawmakers who voted for the law. This is a very high number of protest messages considering that Sweden has 9 million residents. A recent poll showed that less than a third of Swedes are for the FRA Act.

Privacy experts, private companies and other governments have expressed deep concern over the new law, which will certainly be resisted by many in Europe. For instance, Google's global privacy counsel, Peter Fleischer, warned that Google will not be making any large investments in Sweden should the already passed legislation be enacted in 2009. Said Fleischer, "We have contacted Swedish authorities to give our view of the proposal and we have made it clear that we will never place any servers inside Sweden's borders if the proposal goes through." The country's intelligence bureau will be authorized to snoop on all cross-border emails, phone calls and faxes without a court order.

The new law has yet to appear in an official English translation, but the Act allows the following actions by the Swedish Government:

- Interception of messages at 20 separate points in the national information infrastructure network. All incoming electronic traffic will be re-routed and fed into the Försvarets Radioanstalt (FRA) agency. These junctures are positioned to catch all traffic entering and leaving Sweden, but given the difficulty of telling which e-mails actually originate outside the country, the infrastructure will probably catch most, if not all, domestic traffic too.

- Covered by the law is all Internet and telephony traffic, which means all e-mail, phone and fax messages.

- FRA hardware will scan all electronic traffic in real time and apply 250,000 search criteria to winnow the results. Traffic that matches will be saved automatically for later manual intelligence analysis. The extraordinary computing load will be handled by the FRA's technical grid, driven by the world's fifth most-powerful computer.

- Legal users of the intercepted data will include all 500 Swedish authorities.

- The Government may order a political wiretap of any residents it believes might threaten State interests.

- Major businesses will also be able to access the wiretap grid, but will need the Government's agreement to do so.

- Individual Swedes can be singled out for specific scrutiny.

- The FRA will now include among its grounds for eavesdropping matters of "external military threats" and "external threats", i.e. international crime; trafficking of drugs, weapons or people; migration movements; religious or cultural conflicts; environmental imbalances and threats; raw materials shortages; and currency speculation.

Google's Fleischer added, "We simply cannot compromise our users' integrity by allowing Swedish authorities access to data that may not even concern Swedish activity. The proposal stems from a tradition begun by Saudi Arabia and China and simply has no place in a Western democracy. Sometimes Google needs to take a clear stance and my impression is that everybody has listened very intently to what we have had to say."


BEWARE : Malvertizement (“Malware Advertisement”) attacks aplenty

Malicious "ransomware" banner ads go undetected

Security researchers believe a legitimate toolkit used to create Flash animation is also helping cybercriminals fashion malicious banner advertisements that scare users into believing their machines are infected with malware.

Dan Kaplan

August 18 2008


Sandi Hardmeier, author of the Spyware Sucks blog, said Sunday that some malicious ads created using Fuse Kit are able to evade detection scans run by websites or third-party ad networks. She said Newsweek.com is the latest trusted website to unknowingly host a "malvertizement."

Simply visiting a page on the Newsweek site that contains the ad will cause a warning screen to appear that falsely tells users their machine is overrun by viruses. They are prompted to pay for and install a bogus anti-virus solution.

A Newsweek spokesperson could not be reached for comment.

"They are going to hit every site that they can, as often as they can, for as long as they can," Hardmeier wrote on her blog. "It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating not only Newsweek but at other big names like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo."

Alex Eckelberry, president of security vendor Sunbelt Software, told SCMagazineUS.com on Monday that the free Fuse Kit product is a helpful tool to Flash designers and developers, but it also can aid cybercrooks by allowing them to embed malicious scripts inside ads.

Moses Gunesch, Fuse project director, told SCMagazineUS.com in an email Monday that Fuse is an open-source utility that is not responsible for the animation people use it to produce.

"Fuse has nothing to do with the content people produce with it," he said. "It's just a motion tool. That would be like blaming paint for an ugly painting. There is nothing in Fuse Kit that can be exploited for malicious purposes -- all it handles is animation."

Eckelberry said the rogue ads are often built to behave innocently at first and then, all of a sudden, begin serving malicious content, much to the surprise of the websites hosting them.

"It's like a time bomb," he said. "It just sits there and then – boom. I think it's a very serious issue. I think the ad networks need to start taking a very close look at who their advertisers are."

Larger websites typically sell ads themselves. Hardmeier said these sites must also vet their clients.

"Websites simply must increase their due diligence checks with any new advertiser," she wrote. "It is going to take time, and it is going to cost money, but what alternative do websites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising."


New IT Term of the day

reference template

Also referred to simply as a template: the data stored in a biometric security system that represents the biometric measurement of a specific enrolled person's identity, against which later live measurements are compared.


Quote of the day

Mourn not the dead that in the cool earth lie, but rather mourn the apathetic throng, the cowed and the meek, who see the world's great anguish and its wrong, and dare not speak.

Ralph Chaplin
