International Google Voice Users Beware: Don’t Upgrade!

If you are an international Google Voice user then beware of clicking the little “upgrade your account” button from within Google Voice. Doing so may leave you unable to access the Google Voice web site at all.

If you’re not in the US and you want to add credit to your account, make sure that you DON’T CLICK the “Upgrade your account” button from Google Voice. This feature is only useful if you are in the US, since it lets you get a Google Voice number. Unfortunately, if you click on that button and you’re not in the US, you’ll no longer be able to buy credit.

There does not appear to be an easy way to downgrade your account once you have opted for the upgrade. The Google Operating System article does mention the upgrade may be cancelled by using a U.S. based web proxy server but that is a little cumbersome for the average non-techie internet user.

All is not totally lost however. Although the Google Voice web site itself becomes inaccessible, phone calls initiated from within Gmail still appear to function. Hopefully Google will fix this and simply hide the “upgrade your account” button from international users. Doing so will create less confusion and not cause users to inadvertently prohibit access to their own accounts.

Touch Screen Phones Vulnerable to “Smudge Attacks”

An academic research paper by University of Pennsylvania researchers claims touch screen phones may be vulnerable to smudge attacks, a new form of security vulnerability based on the oily residue left on the screen. The researchers claim malicious attackers may be able to ascertain a certain amount of information from the smudges left on a touch screen, such as inferring a password used by the device’s owner.

The researchers took photos of screens and used a program to analyze the photos closely. They found they could figure out the password over 90 percent of the time. The study used Android phones, which use a graphical pattern to allow users to unlock the phone. Phones included the Nexus 1.

The study also found that “pattern smudges,” which build up from writing the same password numerous times, are particularly recognizable.

While it sounds somewhat plausible, I find it hard to believe that practical use of this vulnerability, assuming it is even an issue, will result in widespread exploits. The attackers would have to gain physical access to the device in order to make use of the exploit, and most bad guys prefer to do their dirty deeds from afar. This is not to necessarily downplay the issue but to speak towards the reality of the situation.

It should be worth watching to see if any true security issues ever come from this research. I applaud the University of Pennsylvania team for conducting some very exhaustive investigative work, and some very informative and interesting research, but the reality is this “vulnerability” is a non-issue right now.

Official US Visa Documents Contain a Typo?

I ran across an interesting article on TechDirt this morning about a couple of bloggers who were playing around with a microscope and the US Visa and Border Crossing Card. What they found was quite interesting. On the back of the card is a strip of tiny etchings of every U.S. president and all the state flags. Nothing overly exciting, right?

The label for the 6th president of the United States is actually printed as “John Quincy Adames” – yes, you read that correctly. There apparently is a typo on official U.S. government documents. An “e” was either accidentally or purposely added to our sixth president’s last name.

That seems like a pretty big mistake. However, some are suggesting that it was done on purpose. In the comments to the Notcot post, two specific theories are presented: the first is that JQA changed his last name to distinguish himself from his father. Doing some quick searches around various bios of Adams, however, shows absolutely no support for this one. Even the White House’s own page on JQA spells it Adams and makes no mention of such a change.

The explanation TechDirt proposes is that the misspelling is a form of fraud and/or counterfeit detection. This makes sense and is the most plausible reason for the “error” assuming this is not an error. On such a seemingly innocuous document there has to be a variety of counterfeit detection options, similar to how U.S. currency has a number of security features.

No matter what the explanation, it is interesting this has never been found until now. It is also intriguing to see the lengths our government will go to protect its very own products, even something as relatively unimportant as the US Visa and Border Crossing card.

Court Dismisses DMCA Claim if Circumvention Not Used for Copyright Infringement

In what appears to be a complete reversal from previous rulings across the nation, a federal judge for the 5th Circuit Appeals Court in New Orleans has ruled that breaking digital rights management (DRM) is not considered a violation of the ban imposed by the Digital Millennium Copyright Act (DMCA) if it was not done in the pursuit of copyright infringement.

General Electric did not infringe on a power supplier’s digital copyrights when it used protected software unlocked through a hacked security key, the 5th Circuit ruled. “Merely bypassing a technological protection that restricts a user from viewing or using a work is insufficient to trigger the (Digital Millennium Copyright Act’s) anti-circumvention provision,” Judge Garza wrote for the New Orleans-based court. “The DMCA prohibits only forms of access that would violate or impinge on the protections that the Copyright Act otherwise affords copyright owners.”

The ruling by Judge Garza is a step in the right direction for opponents of DRM and the anti-circumvention ban written into the DMCA. While the ruling will surely be appealed, since there has now been a split decision between the 5th Circuit and the others around the nation there is a strong chance a Supreme Court challenge will be heard in the future. Equally important, now that there is a precedent set in the 5th Circuit, it will be interesting to see the impact this ruling has on upcoming cases in the same and other circuits. Will other courts adhere to the same line of reasoning offered by Judge Garza?

Just as Sony Corp. of America vs. Universal City Studios – the Betamax Case – opened the doors for the very fair use we pride ourselves on today, we can only hope for similar good things from whatever case does end up weaving its way through the court system up to the Supremes. It is inevitable that one case will end up deciding the future of DRM just as the Betamax Case did in the past. It will happen, it is just a matter of time.

Is Big Brother In Your Web Browser?

Ever considered the thought that the U.S. government, such as the NSA, has the capability to break into an SSL-encrypted session between you and your bank, and eavesdrop on that conversation? That idea alone should cause you to pause the next time you see the padlock icon in your browser light up when you think you are browsing securely.

In a purely hypothetical example, the U.S. government can force a certificate authority within the Public Key Infrastructure (PKI) to issue it a publicly trusted certificate for www.amazon.com. They then poison your DNS and route your traffic for www.amazon.com to a site they own that has the fake certificate installed. Your browser then gives you that pretty green bar or little lock and you think everything is cool, safe and secure. Or… they can put a device between you and your target and then perform SSL interception.

Never put anything past the U.S. government and its intelligence gathering capabilities. I think that is a safe theory to operate under. Even though suspension of disbelief is required in movies like Enemy of the State and Deja-Vu, where the government employed nifty intel collecting techniques, something as simple as eavesdropping on SSL-encrypted communications should not be underestimated.

In fact, performing an SSL man-in-the-middle “attack” using a web proxy server and SSL decryption is not difficult at all. It is far more believable in a corporate setting, where the IT guys control the operating system and web browser, but that does not mean it is unheard of elsewhere.

What is the point? Be careful who you trust when you are supposedly surfing securely. Educate yourself on the security techniques used by SSL and how they function. While in most cases there is nothing to be concerned with, it is important to understand that SSL is not the end-all be-all of network security. It has its own shortcomings as eloquently articulated in this article.

Fake Hot Chick Socially Engineers U.S. Government

Thomas Ryan of Provide Security set up a fake identity using a photo of a hot-looking female as a means of portraying the potential security threats posed by social networking sites like LinkedIn, Facebook and Twitter. Ultimately the experiment worked, as the profiles were used to successfully socially engineer the U.S. government, military and intelligence communities.

And so it apparently was. She was an avid user of LinkedIn – a social-networking site for professionals sometimes described as “Facebook for grown-ups.” Her connections on it included men working for the nation’s most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.

It is great to see the U.S. government finally start to embrace social networking, but is the cost of being socially engineered worthwhile? How so many “smart” people fell victim to this ruse may appear to be surprising, but it really should not be. A picture of a hot chick is worth a lot of capital, especially in geek circles. Couple that with a wicked resume and connections to people in important organizations and you have a formula for socially engineering anyone, much less the government.

Hopefully the vulnerabilities exposed by social networking usage in this exercise will be used to help better educate the government, military and intelligence communities. This is one thing lacking in the government – quality education about the dangers of online social networking and the threats these tools pose to our government.

Secunia Vulnerability Report Accusing Apple Dismantled

AppleInsider has taken the aforementioned Secunia vulnerability report to task, dismantling the claim that Apple has the highest number of security holes.

Secunia’s vulnerability counts reset when Microsoft changes the name of its product, but continue to accumulate for Apple because the company hasn’t rebranded Mac OS X since 2003, when Secunia began keeping track. Browsing Secunia’s database, it appears Mac OS X has suffered from hundreds of vulnerabilities while Microsoft’s Windows has racked up far fewer, but that’s only because Microsoft’s regular rebranding efforts reset Secunia’s clocks.

At the same time, Secunia does not break up Apple’s vulnerability counts by each reference release of Mac OS X, so its current vulnerability listings date back through Jaguar, Panther, Tiger, and Leopard, as well as the currently installed base of Snow Leopard.

How Secunia arrives at its totals is also puzzling, as according to its own statistics Apple’s Mac OS X was affected by 6 “advisories” in 2010, only one of which has not yet been patched. That issue is rated as “not critical” and can only be exploited by local users.

This is the article I should have written, but unfortunately I did not have the time to conduct the necessary in-depth research to write such an eloquent response to the obviously bogus report. AppleInsider should be praised for clearly articulating their dissection of the claims made in the report, especially since Secunia carries a lot of weight in the security industry.

It is obvious Secunia needs to tweak its methods to better express an accurate depiction of the operating system vulnerability landscape. The first thing Secunia needs to do is retract the graph, which is what most people are paying close attention to. A visual representation of the number of vulnerabilities, with Apple sitting atop the chart, clearly does the security industry an injustice by not accurately reporting the current vendor vulnerability situation.

Apple Beats Microsoft in Security By Having More Holes, At Least According to Secunia

Although Mac OS X has remained virtually free of any large-scale virus or malware outbreaks, according to a report released by security firm Secunia the operating system ranks at the top of the most vulnerabilities chart in terms of the sheer number of exploits available.

Mac OS has remained relatively untouched by major viruses and hacking efforts in the past, as most ne’er-do-wells may have considered the operating system’s market share and thus potential for private information less enticing than those of Microsoft’s Windows. With the rise of Mac market share and the popularity of the iPhone, however, there is little doubt that Apple platforms will become major malware targets in the near future.

Surely this is rather unbelievable to most people, who expected to escape from Microsoft security vulnerability hell by switching to Mac OS X. Apparently the numbers do not lie, but I cannot help but feel the numbers are somewhat off.

I own a Mac at home but administer Windows XP at work, as I am a network security professional whose job is to protect the network from bad guys and evil corporations incapable of adequately programming their software. Thinking back over the last couple years, I cannot fathom how Secunia came to the conclusion that Apple has a higher number of vulnerabilities than Microsoft. It is unbelievable, especially considering the large number of Windows patches I am required to push out on a monthly basis. Contrast that to the number of Apple patches I’ve installed on my home laptop and it just feels like the scales are tipped towards Microsoft by a large margin.

Check out the report for the full details.

Update: I failed to seize the opportunity to dissect the crappy Secunia report, but AppleInsider has taken charge, clearly dismantling the claims that Apple has the highest number of vulnerabilities. It is a wonderful read and is essentially the article I should have written.

Authentication Crack Could Affect Millions

Security researchers have discovered a fatal flaw in a widely used authentication routine and plan to discuss their findings at the Black Hat conference later this month in Las Vegas. The researchers have not yet publicly disclosed the affected application, although it initially appears as if OpenID and OAuth are vulnerable to this newfound attack.

They found that some versions of these login systems are vulnerable to what’s known as a timing attack. Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that’s not the case.

The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.

Since OpenID and OAuth are affected, sites such as Twitter and Digg are vulnerable, as they make use of these routines to provide additional functionality not seen in average web sites. Ultimately, what this attack facilitates is allowing an attacker to masquerade as a legitimately authenticated user without having to log in to the site. While timing attacks such as this are difficult to pull off, they are not inconceivable.

What does this mean for the average user? Probably nothing much at this point, since the keys to this particular kingdom lie in the hands of the web site operators. It will be up to the service providers making use of the affected libraries to either switch to an unaffected library or modify the existing one.

If you are a developer, and are using OpenID and/or OAuth, then you should definitely be concerned. Pay strict attention to the paper these researchers plan to present at Black Hat to see if the libraries you are using are affected and in need of modification.
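To make the “kick back an error as soon as it spots a bad character” problem concrete, here is an added example (not code from the researchers or from any OpenID/OAuth library) that puts an early-exit token comparison next to a constant-time one. Instead of measuring wall-clock time, each comparison reports how many bytes it examined, which is the quantity a remote timing measurement is ultimately estimating; the token value and the guesses are constructed for illustration.

```python
import hmac

# Constructed sample token for illustration; in a real system this
# would be the signature the server expects for a session or request.
VALID_TOKEN = b"7f3a9c1e5b2d8e4f"


def early_exit_compare(expected: bytes, supplied: bytes):
    """The vulnerable pattern: return on the first mismatching byte.

    Returns (matched, steps), where 'steps' is the number of bytes
    examined. Steps grow with the length of the correctly guessed
    prefix, and on a real server that shows up as response time.
    """
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:          # bail out early -> data-dependent timing
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, supplied: bytes):
    """The fix: examine every byte and never branch on their values.

    Differences are OR-ed into an accumulator, so the work done is the
    same whether the first byte is wrong or only the last one is.
    """
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    diff = 0
    for a, b in zip(expected, supplied):
        steps += 1
        diff |= a ^ b       # no early exit, no value-dependent branch
    return diff == 0, steps


def verify_token(supplied: bytes) -> bool:
    """What a server should actually call: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(VALID_TOKEN, supplied)


def leak_profile(compare, guesses):
    """Return the step count for each guess so the two comparisons can
    be contrasted: a rising profile means prefix length is leaking."""
    return [compare(VALID_TOKEN, g)[1] for g in guesses]


if __name__ == "__main__":
    # Constructed guesses: no correct prefix, a 4-byte correct prefix,
    # and the real token.
    guesses = [b"0000000000000000", b"7f3a000000000000", VALID_TOKEN]
    print("early exit   :", leak_profile(early_exit_compare, guesses))
    print("constant time:", leak_profile(constant_time_compare, guesses))
```

The early-exit profile rises as the guessed prefix gets longer, while the constant-time profile is flat; that flat profile is what a library needs before the measurement described above stops being useful.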

YouTube Content Reviewers Require Professional Psychological Assistance

Apparently the idea of being able to sit on one’s fat ass and ostensibly get paid to “surf porn” for YouTube is not the dream job that it’s all cracked up to be:

“You have 20-year-old kids who get hired to do content review, and who get excited because they think they are going to see adult porn,” said Hemanshu Nigam, the former chief security officer at MySpace. “They have no idea that some of the despicable and illegal images they will see can haunt them for the rest of their lives.”

What is it that is so despicable about the imagery submitted to YouTube? Our always-connected culture has turned to uploading photographs of graphic gang killings, animal abuse, twisted forms of pornography (although “twisted” is quite subjective) and intense bullying. Videos containing this content are flagged, which is where the reviewers come in to play. They attempt to determine whether the material is safe for public consumption on Google’s flagship video sharing site.

Being constantly bombarded with such horrific imagery is taking its toll on the content screening team members, who are increasingly turning to professional psychological assistance to help them deal with problems associated with the evil content they are subjected to daily.

One major outsourcing firm with staff in the Philippines was aware of the risks of this type of work and hired a local psychologist to assess how it was affecting its 500 content moderators. The psychologist, Patricia M. Laperal of Behavioral Dynamics, said she had developed a screening test so the company could evaluate potential employees, and helped its supervisors identify signals that the work was taking a toll on employees.

Ms. Laperal also reached some unsettling conclusions in her interviews with content moderators. She said they were likely to become depressed or angry, have trouble forming relationships and suffer from decreased sexual appetites. Small percentages said they had reacted to unpleasant images by vomiting or crying.

It sure sounds like working as a content reviewer is not the glamorous job you might think it to be. While some folks are sure to be more sensitive to the imagery, as a whole it appears to be pretty tough to be constantly subjected to malicious content.

With video sharing being so pervasive young folks have this idea that all they need to do to become famous on the internets is create the next greatest viral video. A small percentage of folks appear to be taking that to the extreme, using the opportunity to take advantage of people.

If you believe that your ticket to stardom is hurting someone on a video submitted to YouTube then you are sadly mistaken – do something more constructive with your time and – here’s a novel idea – work for the fame.
