28. October 2010 · Force-TLS does not force TLS · Categories: Security-Compliance

Robert Graham of Errata Security tested the Force-TLS Firefox add-on and found that it does not protect against Firesheep.

First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL “http://twitter.com” still appeared in the address bar.

In addition, Firesheep's ability to sniff traffic depends on the network adapter it is capturing with.

FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).

Rob's post provides extensive details and screenshots of his test methods.

28. October 2010 · hackademix.net » Forcing HTTPS with NoScript · Categories: Encryption, Security-Compliance

hackademix.net » Forcing HTTPS with NoScript.

It looks like those of you already using the NoScript Firefox add-on do not need another add-on to force HTTPS where a site supports it.

Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added in NoScript’s “force HTTPS” list right now.

24. October 2010 · Facebook Advertisers Can Glean Private Data – NYTimes.com · Categories: Privacy, Security-Compliance

Facebook Advertisers Can Glean Private Data – NYTimes.com.

Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, reports the NYTimes. The Times describes two research papers which discuss how unethical advertisers can game social networks to infer people’s private profile information, such as sexual orientation.

Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing to encrypt user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”

Mashable weighs in with the obvious question, “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”

If you are looking for a clearer technical explanation of what the fuss is all about, and of the limited step Facebook is proposing, read Ars Technica’s “Facebook touts encryption as solution to security flaw.”

19. October 2010 · Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security · Categories: Malware, Security-Compliance

Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security.

Microsoft is confirming a huge increase in attacks against Java vulnerabilities. Why is this important? Java is installed on the majority of the world’s desktop computers. In fact, the attack volume on Java dwarfs that of Adobe, which is saying something. Java may not be quite as ubiquitous as Adobe, but it’s close. For example, Java is required for WebEx and GoToMeeting, the two most popular web meeting applications. To get an idea of the Java to Adobe proportion, see the graph below, courtesy of Microsoft via Krebs on Security.

According to Microsoft, the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions.”

Krebs attributes this spike to the inclusion of Java exploits in the commercial crimeware kits sold in the hacker underground.

Java clearly belongs to the set of PC applications that must be kept up to date.

14. October 2010 · YouTube – Black Hat Spam SEO · Categories: Security-Compliance

YouTube – Black Hat Spam SEO.

Interesting presentation on Black Hat Spam SEO by Zscaler’s Julien Sobrier.

10. October 2010 · New Password Not Enough to Secure Hacked E-mail Account | threatpost · Categories: Security-Compliance

New Password Not Enough to Secure Hacked E-mail Account | threatpost.

A good set of recommendations for Gmail users. If your Gmail account is hacked and you only change your password, you could still have problems, because an attacker may have left other settings behind. Make sure you also do the following:

  • Check your filters
  • Check the Password Recovery settings
  • Check for Authorized applications

09. October 2010 · NitroSecurity Fuels Momentum With New Funding and Technology Acquisition – MarketWatch · Categories: Security-Compliance

NitroSecurity Fuels Momentum With New Funding and Technology Acquisition – MarketWatch.

Having spent eight years of my life at LogMatrix (which had been called OpenService until it was renamed in 2009) helping develop its security business, I am glad to see it in the hands of the fast-growing NitroSecurity.

We brought to market several innovative concepts to improve the effectiveness of SIEM solutions including a risk-based quantitative algorithm that worked on both network and application logs, and a user-based behavioral anomaly algorithm.

I wish my friends at LogMatrix who moved over to NitroSecurity all the best.

07. October 2010 · Schneier on Security: Stuxnet · Categories: Security-Compliance

Schneier on Security: Stuxnet.

An excellent summary of Stuxnet that separates facts from conjecture. It also points out some of the erroneous descriptions you may have read, e.g. that describing it simply as a SCADA attack is incorrect.

04. October 2010 · A phone application that threatens security · Categories: Security-Compliance

A phone application that threatens security.

London: A cheap mobile phone application that can track the precise location of passenger aircraft in the sky can be a serious terrorist threat, security experts have claimed and called for its immediate ban.

The Plane Finder AR application, developed by a British firm for the Apple iPhone and Google’s Android, allows users to point their phone at the sky and see the position, height and speed of nearby aircraft.

The new application works by intercepting the so-called Automatic Dependent Surveillance-Broadcasts (ADS-B) transmitted by most passenger aircraft to a new satellite tracking system that supplements or, in some countries, replaces radar.

Apparently ADS-B transmits all this information in clear text. If this information can be used to aid terrorists, why is it not encrypted? Don’t blame the developer. Blame the people who built the ADS-B system!!

01. October 2010 · The Big Picture of the Security Incident Cycle · Categories: Security-Compliance

The Big Picture of the Security Incident Cycle.

Via Lenny Zeltser: Richard Bejtlich, a well-known figure in Computer Incident Response Team (CIRT) work, has an interesting view of IT Security, pictured here:

What are normally considered the major functions of IT Security are simply the first two phases of Bejtlich’s Incident Response cycle: Plan and Resist.

Note the use of the word “Resist” rather than “Prevent,” which forces the recognition that incidents will happen. In other words, if you are not detecting incidents, it’s because you don’t have the right tools in place.

The whole post is well worth reading. It also links to Bejtlich’s complete presentation.