Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.

On the user-interface side, it’s similar to EV (Extended Validation) certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I think about it, I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom ringtones or pictures for the contacts in your cell phone address book.

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

The CBLDF has issued a press release detailing the victory in the Gordon Lee case. This was the case in which a comic book store in Rome, Georgia, as part of a 2004 Halloween promotion, was handing out free comics left over from that year’s Free Comic Book Day. Among over 2,000 comics, they accidentally included a copy of Alternative Comics #2, which included a story about Picasso running around his studio in the nude. And they accidentally gave it to a kid. The parents wouldn’t accept an apology, and pressed charges instead. The DA was determined to make an example out of him, pushing grossly overinflated charges including felonies that would have given him prison time. 3½ years, 3 trial dates, a mistrial for prosecutorial misconduct, and $100,000 in defense costs later, the Rome DA finally agreed to drop the case in exchange for a written letter of apology — which is exactly what the store owner had offered in the first place.

Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that makes it harder for attackers to forge your login cookies. It involves setting a passphrase in wp-config.php, one which you’ll never have to type, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase, or you can generate a random code at http://api.wordpress.org/secret-key/1.0/. Be sure to put it in the middle of the file, above the line that loads wp-settings.php: a constant defined after that line is never seen.

The Internet Storm Center writes on Hundreds of Thousands of SQL Injections — all websites that have been hacked to host various sorts of malware.

On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down.

Forklift Driver Klaus (a.k.a. Staplerfahrer Klaus): a parody of work safety films in which a forklift driver blunders through his first day on the job, maiming fellow employees left and right. German with English subtitles. (via TV Tropes: Scare Em Straight)

And, on a more serious note, the Internet Storm Center is reporting on people finding malware pre-installed on digital picture frames, memory cards, etc. Something to watch out for with portable devices that can connect to your computer.

Firefox 3 Beta 1 is out. Nice so far. Oddly enough, it runs better than the current Opera 9.5 previews on my old Linux box at work, though that mostly seems to be the fault of the find-in-history option.

I usually avoid any sort of shopping on the day after Thanksgiving, online included, but I’ve been getting email from various online stores that are trying to get into Black Friday. Amazon is advertising a Black Friday Sale, and Apple is promoting a “special one-day shopping event” on their website—and annoyingly, neither of them is giving any clue as to what sort of deals are involved. Amazon keeps forwarding me to today’s deals, and Apple just says something’s coming. And neither site lists actual hours. Is it midnight to midnight? What time zone?

Speaking of Amazon, their entire home page is currently taken up by the announcement of their new eBook reader, Kindle. At $400 I’m not going to rush out and buy one, but it looks like they’ve solved some of the main e-book problems: it’s small, light and wireless, and they even bring up the reading-in-bed issue in the intro. The real question is going to be compatibility & openness: It’ll read plain text, HTML, Word, and a few other document formats (and they’re promoting its access to Wikipedia), so it should be possible for other stores to sell books for the device. And what about the e-book offerings themselves? Will they be loaded down with draconian digital rights management like the Adobe ebooks of a few years ago, or are they following the model of Amazon’s MP3 store?* In a nice change, their music downloads are entirely DRM-free and they use it as a selling point. Edit: Per Andrea’s comments and further research, Kindle ebooks are locked down with DRM. No, thanks!

The name, however, makes me wonder how soon they’ll offer Fahrenheit 451.

Finally, the Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.

* Amazon’s MP3 store is also surprisingly cheap. I replaced my old tapes of the original cast recordings of Les Misérables (Broadway) and Phantom Of The Opera for $9 each—they run upwards of $30 on CD.

ISC is reporting a new type of vulnerability in web browsers that the discoverer has termed “Reverse Cross-Site Request,” or RCSR.

Basically, on a site with user-generated content (like a hosted blog) it’s possible to add a form that looks like the site’s login form but submits to a server the attacker controls. If the victim has an account on the same site, and has asked their browser to save their password, the browser will auto-fill the form. If the attacker can somehow trick the visitor into submitting it, say with an invisible image submit button (ever clicked randomly? Or to get back to the page after looking at another window?), the attacker gets the visitor’s password.

What’s new about this is that all it requires is plain HTML, not scripting, and scripting is what most blog hosts and similar sites already block.

Chapin Information Services discovered the bug in Firefox 2, and reported it to Mozilla. It turns out that Internet Explorer 6 and 7 are also vulnerable, but only if the fake form is on the same page as the real login form. Mozilla is currently trying to determine the best way of resolving the problem without breaking all the passwords people have already saved. The ISC article links to the bug report, so you can follow the discussion. Microsoft has only said that they’re “aware of the issue.”
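The mechanics described above, as an added example that is not code from the ISC post, from Chapin Information Services or from Mozilla: a toy model of a browser’s saved-password autofill decision. The hosts, paths and the stored credential are constructed, and the “check the form action” policy is one possible defence written here as an assumption, not the change Mozilla eventually shipped.

```javascript
// Added example: a toy model of how a password manager decides to autofill,
// and why a plain-HTML form planted in user content gets filled.
// Hosts, paths and credentials are constructed for the illustration.

// What the victim's browser saved when they logged in to the blog host for real.
const savedLogins = [
  { pageOrigin: 'https://blog.example', actionHost: 'blog.example', username: 'victim', password: 'hunter2' },
];

// The site's real login form, and one planted in a hosted blog post on the same
// origin. The planted form needs no script: its action points at the attacker's
// server and its submit control is an image the victim may click without noticing.
const realLoginForm = { pageOrigin: 'https://blog.example', action: 'https://blog.example/wp-login.php', hasPasswordField: true, submitVisible: true };
const plantedForm   = { pageOrigin: 'https://blog.example', action: 'https://attacker.example/collect', hasPasswordField: true, submitVisible: false };

// Policy 1, the behaviour the post describes: fill any password form on a page
// whose origin matches a saved login.
function fillByOrigin(form, logins) {
  if (!form.hasPasswordField) return null;
  return logins.find((l) => l.pageOrigin === form.pageOrigin) || null;
}

// Policy 2, an assumed stricter rule: additionally require that the form submits
// to the host the password was saved for. Relative actions resolve against the page.
function fillByOriginAndAction(form, logins) {
  const login = fillByOrigin(form, logins);
  if (!login) return null;
  const actionHost = new URL(form.action, form.pageOrigin).host;
  return actionHost === login.actionHost ? login : null;
}

// Where the filled credentials end up if the victim submits the form, or is
// tricked into submitting it, under a given policy.
function submit(form, policy, logins) {
  const login = policy(form, logins);
  const receiver = new URL(form.action, form.pageOrigin).host;
  return { receiver, leaked: login ? login.password : null };
}

// Quick demonstration for a reader running the file directly.
console.log('by origin only:', submit(plantedForm, fillByOrigin, savedLogins));
console.log('origin + action:', submit(plantedForm, fillByOriginAndAction, savedLogins));
```

Under the first policy the planted form is filled and the submit delivers the password to attacker.example; under the second it stays empty while the real login form still works. The action check is only as good as its granularity: on a host where every user’s content lives under one hostname, a form posting to a path the attacker controls would still pass it, so the check would have to compare paths too, or the site would have to keep user content off the login host.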

At the moment, I’m glad I don’t let web browsers save my passwords.

Received the replacement battery for the PowerBook yesterday. It was shipped out via DHL, with a prepaid return label for shipping the old battery back via regular mail.

Last night I drained the old battery, plugged the new one in, and packaged up the recalled one in the box. At lunch today I went to the post office to send it off.

As I was walking up the steps, I remembered the “Does this package contain anything liquid, explosive, or otherwise hazardous?” question that postal clerks are required to ask. If you’re mailing a defective battery that could theoretically burst into flames, how exactly are you supposed to answer?

I figured it would be best not to joke about it.

As it was, I just said it was a laptop battery straight out, so the question didn’t come up.