Archive for the ‘Security’ category

“Flash cookies” are the new privacy offenders

September 8, 2009

Ever heard of an LSO?  A Local Shared Object is similar in many ways to a typical HTTP cookie, but it’s used with Flash instead of HTTP.

In case you’re not up on the subject, a cookie is a 4KB text file that is stored on your computer.  When used by ethical developers, it’s a fairly innocuous way to make your browsing experience more convenient.  They’re responsible for remembering your Gmail password, your address that auto-fills on the electric company’s website, etc.  They’re a useful way to keep information around in a relatively secure manner.

There are some significant privacy concerns with cookies, though, as marketers quickly found a way to abuse them.  Enter third-party cookies.  But even with those concerns, you can set your browser to reject third-party cookies.  Or all cookies, for that matter.

However, with LSOs, many users don’t even know they exist.  And unlike your vanilla 4KB cookie, LSOs can store 100K of information.  Doesn’t sound like much, but in plain text, that’s a whole lot of information about your browsing habits.  Like HTTP cookies, LSOs are domain-specific (that is, an LSO can only be read by machines on the domain that created it).

So the big concern with LSOs is this: many users think their privacy is secure when they turn off cookies.  It’s not, because LSOs are cookies but are not controlled by your browser – they’re controlled by Adobe software.

LSOs are turned on by default.  You can find information on managing (read: turning off) LSOs on Adobe’s website here.
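As an added example (not code from the original post, and not Adobe’s), here is a small Python audit script that walks the Flash Player storage directory, lists every .sol file it finds, groups them by the domain that created them, and flags any domain holding more than the 4KB an HTTP cookie can. The storage paths and the .sol header layout it relies on are assumptions based on public descriptions of Flash Player; the sample store it can build for a demo is constructed data, not real LSOs.

```python
"""Audit Flash Local Shared Objects (.sol files) on disk.

Added example, not from the original post. Assumes the standard Flash Player
storage roots and the publicly described .sol header layout (assumptions).
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

SOL_MAGIC = b"\x00\xbf"
SOL_TAG = b"TCSO"
HTTP_COOKIE_LIMIT = 4 * 1024  # the 4KB HTTP-cookie size the post cites

# Default #SharedObjects roots per platform (assumption: stock install paths).
DEFAULT_ROOTS = [
    Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects",                       # Linux
    Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects",  # macOS
    Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects",  # Windows
]


class SolRecord(NamedTuple):
    domain: str   # domain directory the file lives under
    path: Path
    size: int     # bytes on disk
    name: str     # object name from the .sol header ("" if unreadable)


def parse_sol_name(data: bytes) -> str:
    """Return the shared-object name from a .sol header, or "" if it is not valid.

    Assumed layout: 0x00BF, u32 big-endian remaining length, "TCSO",
    six fixed bytes, u16 big-endian name length, then the name itself.
    """
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        return ""
    (name_len,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + name_len]
    if len(name) != name_len:
        return ""
    return name.decode("utf-8", errors="replace")


def make_sol(name: str, payload: bytes = b"") -> bytes:
    """Build a minimal .sol file (constructed sample data for demos and tests)."""
    body = (SOL_TAG + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name.encode("utf-8")
            + b"\x00\x00\x00\x00" + payload)   # trailing u32 is the AMF version
    return SOL_MAGIC + struct.pack(">I", len(body)) + body


def scan_shared_objects(root: Path) -> List[SolRecord]:
    """Walk <root>/<profile id>/<domain>/.../*.sol and return one record per file.

    Flash keeps each site's objects under a per-domain directory, which is what
    makes LSOs domain-specific (layout is an assumption about Adobe's storage).
    """
    records: List[SolRecord] = []
    if not root.is_dir():
        return records
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) > 2 else "(unknown)"
        header = sol.read_bytes()[:1024]
        records.append(SolRecord(domain, sol, sol.stat().st_size, parse_sol_name(header)))
    return records


def summarize_by_domain(records: List[SolRecord]) -> Dict[str, int]:
    """Total bytes stored per domain."""
    totals: Dict[str, int] = {}
    for rec in records:
        totals[rec.domain] = totals.get(rec.domain, 0) + rec.size
    return totals


def oversized_domains(records: List[SolRecord], limit: int = HTTP_COOKIE_LIMIT) -> List[str]:
    """Domains storing more than an HTTP cookie could, sorted by name."""
    return sorted(d for d, n in summarize_by_domain(records).items() if n > limit)


def build_sample_store() -> Path:
    """Create a constructed #SharedObjects tree in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="sol-demo-"))
    profile = root / "ABCD1234"                      # Flash uses a random profile id here
    (profile / "tracker.example" / "beacon").mkdir(parents=True)
    (profile / "tracker.example" / "beacon" / "ids.sol").write_bytes(make_sol("ids", b"\x00" * 6000))
    (profile / "video.example").mkdir(parents=True)
    (profile / "video.example" / "settings.sol").write_bytes(make_sol("settings", b"\x00" * 100))
    return root


if __name__ == "__main__":
    roots = [r for r in DEFAULT_ROOTS if r.is_dir()] or [build_sample_store()]
    for root in roots:
        recs = scan_shared_objects(root)
        for rec in recs:
            print(f"{rec.domain:25} {rec.size:8d} bytes  name={rec.name!r}  {rec.path}")
        print("over the 4KB cookie limit:", oversized_domains(recs))
```

Run it as-is and it reports whatever is in the real Flash store; if no store exists it falls back to the constructed sample so the output format can still be inspected. A per-domain total well above 4KB is the signal the post describes: a site keeping far more about you than a browser cookie could.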

Are LSOs a concern to you?  Why or why not?

Adobe, I was wondering the same thing…

July 28, 2009

Why wait seven months to release a fix for a vulnerability that (for all intents and purposes) can’t be worked around?  Michael Kassner calls Adobe and MS out:

http://blogs.techrepublic.com.com/security/?p=1992&tag=nl.e036

Chrome/IE security flaw

April 28, 2009

Kaspersky Labs journalist Ryan Naraine writes up the new security problem when running IE + Google Chrome.

http://blogs.zdnet.com/security/?p=3224&tag=nl.e019

I was particularly interested in this since I run Chrome as my default browser and IE6 as a secondary.  I mainly use IE for online banking (since it doesn’t play well with Chrome) and my time card at work.  However, if you’re surfing with IE while Chrome is installed, you need to read this article.  I will copy over what Ryan said:
 

The skinny:

  • If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice.

The “high severity” vulnerability affects Google Chrome versions 1.0.154.55 and earlier.

So class, what is rule #1 for making sure a system is secure?  That’s right.  Keep your A/V (you do have A/V, right?), OS, and other software fully patched.  I’m typing this in Chrome v. 1.0.154.59.  So I’m (hopefully) all set, as I’m 4 builds ahead of the vulnerability.  Keep it up to date.  You can check your version by clicking on the “wrench” icon in the upper right hand corner of Chrome and clicking “About Google Chrome.”

Here’s another snide sort of comment Ryan included:
 

“It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” [Roi Saltzman at IBM] said.  Proof-of-concept code for this issue is publicly available.

Microsoft maintains the problems are not related to vulnerabilities in its code.

Of course.

The “OH CRAP” mode in gmail

March 20, 2009

Gmail Labs is rolling out another good feature: the “Undo” button. If you turn the feature on, it delays a message from leaving the server, currently for 5 seconds (a 10-second option may be added later). Gmail keeps coming up with good ones, like when they added the “Drunk” mode, which makes users solve simple math problems in order to send a message (you turn it on for certain hours of the night to keep yourself from sending something you would regret). Personally I like this feature, but 5 seconds is hardly enough to proofread a message again. Still, there have been plenty of times when I’ve sent a message and immediately realized something I typed wrong or forgot to say. Undo sounds like a good feature to me.

CanSecWest provides security lessons

March 19, 2009

Interesting to see some of the results of CanSecWest.  Within “seconds” Safari/MacBook fell, and the others were soon to follow.  The Safari attack was, of course, planned beforehand to execute flawlessly.

I have heard it said that ‘obscurity does not equal security.’  There are two sides to that.  One (obviously) is that you can’t assume you’re secure simply because you’re obscure.  But the flip side of that is this: while no system is truly secure, many systems are ignored by ‘street security analysts’ (in part) due to a low ROI.

So what’s the point?  I think part of the point is that every system can be exploited – even ones that aren’t market giants.  And while that’s true, most of the security (and obscurity) basics are very simple.  So be safe out there.  Here’s a brief list for starters (add more in the comments, readers!).

– Keep A/V software installed and updated (especially on a Windows system).  Use only one A/V system.  Geeks disagree as to the best A/V program, but I personally recommend Kaspersky or AVG.  If you need a free system, try AVG or Avast!, but Kaspersky is worth the money.

– Don’t use cracked software.  I’m not saying I think it’s ethical to exploit users by overcharging them for a piece of software (nor will I say that it’s ethical to pay nothing for the same software).  I’m just saying that many people who are willing to exploit a major software company by cracking their software are also willing to exploit you.  There are plenty of totally legal and reputable downloads out there (Linux distros, freeware, music released under the Creative Commons License, etc).  But be prepared to suffer if you download the shady stuff.

– Secure your wireless network (that one’s for my neighbors).  It’s not really that hard.  Or pay me $50 to do it for you.  It’s worth it.

– Keep all your software patched.  This is basic stuff, but it’s important.

– Stay off of questionable Web sites.  Think before you click.

– Don’t click links in dubious emails that read like they were written by a fourth grader.  Don’t even bother responding to them.  If you need to get to an important Web site, make sure you know what the official URL is, and use only that URL.  Don’t be afraid to contact a company directly to verify the authenticity of any communication you receive which claims to be from them.

– Remember that your bank/credit card lender/PayPal/MySpace won’t ever ask for any kind of account information, including your PIN, SSN, or password via email.  Along that line, most businesses which require you to have an important financial account will almost always contact you via regular mail if your account status is in jeopardy.  If you receive an email stating that your account is in bad standing or requires an update to your information, DON’T use the contact information in the email.  Contact the company, but use contact information you KNOW is good (like through their official website or literature), and ask about the email.  99% of the time, they are false, but know how to contact the company in the other 1% of instances.

– Just maybe, consider one of the less pervasive OSes out there.  Ubuntu is a good one for former Windows users, and it runs pretty well on the x86 (Pentium-type computer – your typical PC).  Mark and I have both posted (he more than I) about how relatively simple Ubuntu is to install and run, even as a second operating system.  Look through the archives for some of those posts about Wubi and the like.

Something else you might consider is running Ubuntu as a second OS to use mainly when you’re on the Web, especially if you do financial transactions on the Web.  Many of the exploits out there are based on drive-by downloads (as in the ones used in CanSecWest), and you’re less likely to be exploited on the Web if you’re running Linux/Firefox.  Not necessarily less ABLE to be exploited, just less likely.  Because even though obscurity doesn’t equal security, obscurity does equal … well, obscurity – you aren’t an easy target if you’re obscure.  Sounds lame, but it’s true.