Archive for the ‘Security’ Category

« Older Entries
Newer Entries »

Human Rights Group Used to Spy on Activists

Thursday, December 22nd, 2011

By Paul Royal, Research Consultant

Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

Share

Tags: , , , ,
Posted in Current Events, phishing, Research, Security, Uncategorized, Web Security | 1 Comment »

Seven Annoying Attacks That Facebook Misses

Wednesday, November 16th, 2011

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest.

Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users that log in on any given day. We suspect that measurement only counts spam that Facebook catches which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use simliar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages:

Knock off luxury goods have always been popular scams.  You might think you are buying your mother a nice new purse for a great price.  If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best.  Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints.  Once they finally are shut down there are already 8 duplicate pages running the same scam. Clearly there are some brands that just are not sitting on hundreds of photo albums on Facebook as their advertising platform. For example, Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre.

 

2) Manipulated Accounts Recommendations:

On social networks those with less good motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but a simply exploited example is through shared apps.  Spammer accounts sign up for the same popular apps that real users do and before too long they are showing up in your list of recommended friends, which snowballs nicely into giving them a foothold into the recommended list for each of your friends.

 

3) Affiliate Spam:

Affiliate spam is a bigger and bigger part of the typical users incoming stream. Usually relying on the images of established and trusted brands these scams tend to be very successful and take little work for those who run them.  The hook is usually a free gift card or in some cases something as extravagant as a new iPad. They encourage or require the user to share it out to all their friends and say something like “I love olive garden” before being redirected to a never-ending series of offers in the form of premium text messaging, video rental and reoccurring subscriptions of all kinds that the user is required to sign up for to get the supposed “free” gift card.  A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment letting users know it was not legitimate.


 

4) Photo Tagging For Spam:

The Facebook infographic referenced above mentions “Photo DNA” but it is likely that this is little more than a database of hashes related to explicit and exploitative images.  Photo tagging for spamming is one of the most popular methods of spamming through the network but it doesn’t seem to be getting much attention.  With each image uploaded a spammer can tag as many 50 other accounts in a photo, and have as many as 200 photos in an album.  With everyone in Facebook having a maximum of 5,000 friends each photo can reach a quarter million people.  This leads to a fairly nice multiplier for bytes uploaded vs users reached, especially on a network that people spend as much time on as Facebook.  Some basic image analysis will tell you if there are really 40 people in the picture or if it just a pair of Hello Kitty heels.

 

5) Fake Apps

Fake apps, malicious apps, misleading apps, whatever you want to call it, Facebook is overflowing with them.  New examples show up daily, often focusing on giving users features that they wish Facebook would provide.  After all, don’t we all want to know if that old flame still looks you up every few days. Or don’t we all wait for the launch of a ‘dislike’ button.  It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late 90s where most the programs were of low quality and a relatively high percentage of them posed a risk.  Usually they are in the information gathering and spamming business, but we have found examples that link to malicious binaries.

 

6) Stolen Pictures

There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that as the same two images-one of the front view of a bikini and the other with the back view of a different bikini-repeated 15 times each is not a real user. Certainly there are some images that will be common to multiple people such as a team logo or newly released album cover. However the fake accounts typically use images of a salacious nature.  Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream.  Of course there is always the possibility that we’ve stumbled upon a set of identical sextuplets that would be very happy to reconnect…

 

7) Anomalous Behavior

Finally, Facebook and social networks in general should focus on some form of anomaly detection.  We’ve all seen examples of that friend who you never really talk to, and probably weren’t that interested in “friending” anyway, posting on your wall or messaging your account encouraging you get a free iPad or a trip on Southwest airlines, etc.  Similar problems have been appropriately mitigated elsewhere in messaging but social networks have a long way to go.  In many ways we’re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that give the receiver little that they can do in the way of securing themselves. Looking for behavior that is an outlier to the normal pattern is a well understood approach in other areas of network and messaging security. If someone that never uses chat is suddenly chatting with dozens of people and forwarding the same link, then there is a high likelihood of suspicious activity.

 

 

Share

Posted in Current Events, Internet Security Tips, Research, Security, Social Networking, Spam | No Comments »

Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

Wednesday, October 12th, 2011

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

Campbell, Calif. (Oct. 12, 2011) Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

  • LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

  • One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:

 

About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

Share

Posted in ID Theft, phishing, Research, Security, Social Networking, Spam, Statistics | No Comments »

Spammers exploit confusion over DigiNotar certificate forgeries

Thursday, September 15th, 2011

By Dave Michmerhuizen & Luis Chapetti – Security Researchers

 

Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.

Spam impersonating Royal Bank

(Click for larger image)

While it may look like  garden variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

Network traffic of exploit attacks

(Click for larger image)

 

Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.

Share

Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

Certificate Authority Hacked, Google Users Fall Victim to Man-in-the-Middle Attack

Tuesday, August 30th, 2011

by Daniel Peck, Research Scientist

Yesterday reports began to trickle in that Google users in Iran were victim to a man-in-the-middle attack through the use of an illegitimate SSL certificate issued for “*.google.com”.  This is the latest in a series of events involving a hacked Certificate Authority, but this time there was clear evidence that the fake certificate was being actively used.  Details of the attack and consequences are being written about extensively elsewhere, so we will give a brief overview and link to those directly involved and others with particularly insightful analysis.

The certificate being used was issued by a Dutch certificate authority, DigiNotar. The consequence is that this CA has essentially been given the “death penalty”. Microsoft, Mozilla and Google have removed the DigiNotar root certificate from their chain of trust and certificates signed by them will have no more trust than one you generate yourself.  It is good to see that those who have the strongest position when choosing which certificate authorities to trust are doing the right thing here, with a technology that so many people rely on for security, privacy and economic reason a “one strike and you’re out” system is appropriate.  With each attack similar to this one, we see that the current system of Certificate Authorities is quite open to abuse with the combination of centralized and opaque trust.  Compromises of that trust can have severe consequences.  The system is clearly broken, and while some are working on replacement solutions, it is what we have to use in the mean time.

Users are advised to remove the DigiNotar root certificate.

Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Chrome:
http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html

IE:
Some newer versions of Windows seem to be automatically checking a CRL and therefore are able to provide protection without a software update: “All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.”

However older versions of Windows do not provide automatic protection:” Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”

http://www.microsoft.com/technet/security/advisory/2607712.mspx

The DigiNotar root will be being removed from relevant Barracuda Networks products.

 

Further reading:

Google Online Security Blog: An Update on Attemped Man-in-the-Middle Attacks

DigiNotar Response: Diginotar Reports Security Incident

EFF: Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities

 

Tools/Possible SSL Alternatives for advanced users:

Certificate Patrol for Firefox

Convergence

 

Share

Posted in Current Events, Security, Web Security | No Comments »

Do you ever worry about police impersonations?

Thursday, August 18th, 2011

by Shawn Anderson – Security Researcher

Have you ever driven down the road with a police vehicle right behind you? Do your nerves heighten and your stomach drop? This happens to a lot of people, and when the flashing lights turn on there is one thing to do. Pull over, right? The pure adrenaline rush from thinking, “What did I do wrong?” masks the paranoia of whether or not the person is really a police officer.

What would happen if you received an email from the police department stating that you were in violation of the law? Would your stomach drop and your nerves kick in as though the police vehicle just turned on its lights behind you? Would you stop to think whether the email is legit or not? Unfortunately, impersonating the police can be very effective for spammers who are trying to persuade recipients to click on a link or open an attachment. Forcing the recipients to consider their possible guilt can distract them from questioning the legitimacy of the email itself.

At Barracuda Networks, we are witnessing a large spam outbreak with malicious attachments that impersonates (spoofs) the New York State police. The email states that the recipient was in violation of the law, and contains a description of the traffic violation. It also claims to contain the actual ticket as an attachment with instructions to open it, print it and send it to ‘Town Court’ in some small town somewhere in New York state

The attachment is actually malware, a variant of Trojan.Downloader. If run, it downloads Trojan.Fakealert which further compromises the computer.

Emails like these teach a very important lesson. Many malicious spam messages go to great lengths to appear to be sent from some official government agency or other large organization. Unfortunately the contents of email messages are very easy to fake. The sad truth is that you should never assume that an email message is legitimate. Instead, if an email raises concerns you should verify the contents by phone or postal mail, and never run emailed attachments like the one in the message above.

Tips for configuring your spam firewall to block this attack:

Currently, the malicious spam is spoofing the “From” address domain of “nyc.gov”. Since “nyc.gov” has a Hardfail SPF record set up in its DNS txt record, most conventional filters will block these spoofed messages. Enabling SPF on your spam filter will help block these spoofed emails.

It is common, however, that these types of malicious outbreaks will rotate their sender domains, and it is likely that they’ll spoof other state domains. SPF records are not always set up or set up properly in DNS for domains that are commonly spoofed, so relying solely on the SPF filter is not recommended. Other content scanning techniques are required to block these attacks as they rotate sender domains. Customers using the Barracuda Spam & Virus Firewall should make sure their Energize Updates are up to date and that they are on the latest version to help block these types of malicious emails.

 

 

 

Share

Posted in Email Security, Security, Spam | No Comments »

Malformed DHCPv6 packets cause RPC to become unresponsive

Tuesday, August 16th, 2011

by Thomas Unterleitner

There is a vulnerability in the part of RPC processing DHCPv6. The failure results because of incorrect handling of malformed messages. On July 28, 2011, this vulnerability was confirmed and reported by Microsoft.

To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic. Once a DHCPv6 Request has been intercepted, the corresponding Reply would have to be modified to contain the malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail. Exploiting this vulnerability would cause the RPC service to fail, losing any RPC-based services, as well as the potential loss of some COM functions.

Failing RPC calls might interfere with the following:

- network connectivity (no IP address acquired, no IP address release/renew, …)

- applications using COM/DCOM interfaces

- machine’s sound system
The error has been found to occur on reception of DHCPv6 Reply (message type 7) packets, containing the option “Domain Search List” (option type 24) with an empty domain.

Affected Systems

Using the sample DHCPv6, it was possible to verify this issue on the following operating systems and configurations:

*       Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit
It is very likely that other versions of Windows 7 (and maybe earlier) are affected by this issue.

Impact

1.      Reception of a “malformed” DHCPv6 Reply packet causes critical error 0xc0000374 within rpcrt4, leaving the RPC server to become unavailable.

a.) ipconfig /release <adapter_name> reporting: An error occurred while releasing interface <adapter_name>: The RPC server is unavailable.

This enables e.g. rouge DHCP servers to prevent other machines from connecting to a network.

Acknowledgments

This vulnerability was discovered by Michael Burgbacher and Thomas Unterleitner on behalf of Barracuda Networks AG. The complete advisory is available here.

Share

Tags: , ,
Posted in Research, Security | No Comments »

Validating validation

Wednesday, August 10th, 2011

by Daniel Peck, research scientist

Coders get a bum rap about code quality with regard to security.  Some of the berating is deserved, like when they try to roll their own crypto algorithms (these people should get the 21st century equivalent of stocks in the public square and rotten fruit pelted at them), but other times it is much more subtle and things that an “end user” coder shouldn’t have to worry about at all.

Success in increasing code quality comes from making it very difficult for a developer to do the wrong thing, making sure that the path of least resistance is also the most correct path.  Unfortunately as some programming languages have come to be used as much by designers and artists than the more mathematically included coder of old, a mindset of working around the coder and giving them results that they expect rather than what they’ve asked for has become common.  This leads the developers to think they’re doing the right thing, while actually shooting themselves in the foot.  A friend of mine (hat tip to @suburbsec) pointed me to a very good example of this the other day on one of spotthevuln.com’s latest entries.

if ( (int) $_REQUEST['w'] && (int) $_REQUEST['h'] ) {
 $choice = array(
 'type'   => "Custom size ({$_REQUEST['w']}x{$_REQUEST['h']})",
 'width'  => $_REQUEST['w'],
 'height' => $_REQUEST['h']
 );
}
...
<iframe src="../../../wp-login.php"
        width="<?php echo $choice['width']; ?>"
        height="<?php echo $choice['height']; ?>"
>your browser does not support iframes.</iframe>

Anyone with a bit of programming knowledge can see that the developer is writing this bit of code with security in mind, testing to make sure that the parameters w and h are indeed string representations of integers before displaying them.  Otherwise they wouldn’t cast to an int, right?  Wrong.  Perfectly valid assumption, but it doesn’t hold true in the land of PHP (a place where black is white, cats and dogs live together, and notions of computational science have no place).

$_REQUEST['w'] and $_REQUEST['h'] still retain the same values as before the int cast, as they should, but if they contain values like “11<bad juju here>” the cast would still return an integer value, 11, and the script is now a funhouse for, admittedly lame, reflected xss.  Another interesting side effect of this function is that either of the variables is “0″ – which last time I checked is still an integer. The test fails as a side effect of the test being done in a boolean context and not a type context.  In this case, the result is a trivial xss bug but similar snippets can be pulled from many codebases that lead to all sorts of problems with the developers honestly believing they’ve performed all the reasonable steps to ensure input validation.  For this particular problem, a much better approach would be to use the is_numeric function for testing or to assign the value of the cast to the variable you’ll be using later, but you’d have a tough time figuring that out by searching for “php string to int”.

It needs to be difficult for the coder to deliver a working product while holding onto false assumptions, and it is up to the languages, frameworks, and development tools to make that more of a reality. Less “more than one way to do it” and more “this is the right way to do it” would go a long way to towards making web security less of a trainwreck than it currently is.

Share

Posted in Security, Web Security | No Comments »

Google+ Gets a “+1″ for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies

 

+1Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser:

 

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

Secure Cookie Nosniff XSS Protection X-Frame HttpOnly Cookie SSL
Google+ Yes Yes Yes Sameorigin Yes Yes
Facebook No No No Deny Yes Optional and not default

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

 

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers.  What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

 

 

 

 

Share

Tags: , , , , ,
Posted in Internet Security Tips, Research, Security, Social Networking, Web Security | 9 Comments »

DoSing the security community with a ToS

Wednesday, July 6th, 2011

by Daniel Peck, Research Scientist

The security community echo chamber was rocking hard over the weekend with news of an online backup/sharing service, Dropbox, changing its Terms of Service to grant them “worldwide, non-exclusive, royalty-free, sublicenseable rights to…” do basically anything they want with your content.  From Dropbox’s point of view, this is the sort of thing that they claim they need to have in order to provide you the service. That may or may not be true, but it was probably something their legal counsel told them that it would be in their best interest to include.

The odd part is that anyone in the security community was surprised by this. It does not matter what the ToS said. Fact of the matter is that if you are uploading information to a third-party that is not in an encrypted form that you control, then it needs to be considered public. The only question at that point is the length of time before everyone else knows its public.  Someone who isn’t you can read it and you’re putting your trust in them not to reveal it, share it, or profit from it. In practice this may mean that your information is never revealed or that it is revealed when someone compromises their service, or it may mean when they decide to change their ToS, which every ToS tends to allow the provider to do without much notice and little, if any, recourse.

Too many of us have forgotten, or never learned, that everything on the interwebs is public by default, unless you’re making a real effort to restrict access. Ultimately, there are just gradients of how public that information actually is. Dropbox and similar services are great for what they are, a convenient place to put slides and other random files that you want to be able to access or share easily and don’t mind if someone else sees if they put a little effort into doing so.  Essentially, it is an alternative to sending email with attachment, and it has about the same amount of (in)security.

Share

Tags: , , ,
Posted in Current Events, Security | No Comments »

« Older Entries
Newer Entries »