Touch Screen Phones Vulnerable to “Smudge Attacks”

An academic paper by University of Pennsylvania researchers claims touch screen phones may be vulnerable to "smudge attacks," a new class of attack based on the oily residue left on the screen. The researchers claim an attacker may be able to recover a certain amount of information, such as the unlock pattern or password used by the device's owner, from the smudges left on a touch screen.

The researchers photographed screens under a range of lighting conditions and camera angles and used image processing to analyze the photos closely. Under the best conditions they could recover the unlock pattern, at least partially, over 90 percent of the time. The study used Android phones, which let users unlock the device by drawing a graphical pattern; the phones included the Nexus One.

The study also found that "pattern smudges," which build up from drawing the same unlock pattern many times, are particularly recognizable.

While it sounds somewhat plausible, I find it hard to believe that practical use of this vulnerability, assuming it is even an issue, will result in widespread exploits. The attackers would have to gain physical access to the device in order to make use of the exploit, and most bad guys prefer to do their dirty deeds from afar. This is not necessarily to downplay the issue but to speak to the reality of the situation.

It will be worth watching to see whether any true security issues ever come from this research. I applaud the University of Pennsylvania team for conducting some very thorough investigative work, and some very informative and interesting research, but the reality is this "vulnerability" is a non-issue right now.

Official US Visa Documents Contain a Typo?

I ran across an interesting article on TechDirt this morning about a couple of bloggers who were playing around with a microscope and the US Visa and Border Crossing Card. What they found was quite interesting. On the back of the card is a strip of tiny etchings of every U.S. president and all the state flags. Nothing overly exciting, right?

The label for the sixth president of the United States is actually printed as "John Quincy Adames" – yes, you read that correctly. There apparently is a typo on official U.S. government documents. An "e" was either accidentally or purposely added to our sixth president's last name.

That seems like a pretty big mistake. However, some are suggesting that it was done on purpose. In the comments to the Notcot post, two specific theories are presented: the first is that JQA changed his last name to distinguish himself from his father. Doing some quick searches around various bios of Adams, however, shows absolutely no support for this one. Even the White House’s own page on JQA spells it Adams and makes no mention of such a change.

The explanation TechDirt proposes is that the misspelling is a form of fraud and/or counterfeit detection. This makes sense and is the most plausible reason for the “error” assuming this is not an error. On such a seemingly innocuous document there has to be a variety of counterfeit detection options, similar to how U.S. currency has a number of security features.

No matter what the explanation, it is interesting this has never been found until now. It is also intriguing to see the lengths our government will go to protect its very own products, even something as relatively unimportant as the US Visa and Border Crossing card.

Is Big Brother In Your Web Browser?

Ever considered the thought that the U.S. government, such as the NSA, has the capability to break into an SSL-encrypted session between you and your bank and eavesdrop on that conversation? That idea alone should cause you to pause the next time you see the padlock icon in your browser light up when you think you are browsing securely.

In a purely hypothetical example, the U.S. government could compel a publicly trusted certificate authority (CA) to issue it a certificate for www.amazon.com. It then poisons your DNS and routes your traffic for www.amazon.com to a server it controls with that certificate installed. Your browser gives you that pretty green bar or little lock and you think everything is cool, safe and secure, while the other end reads the session in the clear. The browser has no way to tell: the certificate chains to a root it already trusts, and that is all the padlock ever meant. Or… they can put a device between you and your target and perform SSL interception there.

Never put anything past the U.S. government and its intelligence gathering capabilities. I think that is a safe theory to operate under. Even though suspension of disbelief is required in movies like Enemy of the State and Deja-Vu, where the government employed nifty intel collecting techniques, something as simple as eavesdropping on SSL-encrypted communications should not be underestimated.

In fact, performing an SSL man-in-the-middle "attack" using a web proxy server that decrypts and re-encrypts traffic is not difficult at all. It is far more plausible in a corporate setting, where the IT staff control the operating system and web browser and can push the proxy's own root certificate into the trust store, so every re-signed certificate is accepted without a warning. That does not mean it is unheard of elsewhere.
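One check that catches both scenarios above, the coerced certificate and the interception box, is certificate pinning: instead of trusting whatever chains to a root in the browser's store, compare the server's public key against a value you recorded out of band. The following is an added example, not code from the original post; it pulls the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 reader and computes the same base64(SHA-256(SPKI)) pin format that browsers use. The certificates, key bytes and the www.example.com name are constructed placeholders, not real issued certificates.

```python
import base64
import hashlib

# --- minimal DER (ASN.1) helpers -------------------------------------------

def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV. Used here only to build the constructed sample certificates."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the body of a SEQUENCE/SET into its raw element encodings."""
    out, pos = [], 0
    while pos < len(content):
        _, _, nxt = der_read(content, pos)
        out.append(content[pos:nxt])
        pos = nxt
    return out

# --- SPKI pinning ----------------------------------------------------------

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_body, _ = der_read(der_children(cert_body)[0])   # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def spki_pin(cert_der):
    """Pin in the HPKP / browser preload format: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def check_pin(cert_der, expected_pins):
    """True only if the presented certificate carries a key we pinned in advance."""
    return spki_pin(cert_der) in expected_pins

# --- constructed sample certificates (unsigned placeholders, not real certs) --

def build_sample_cert(public_key_bytes, serial):
    sha256_rsa = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
    rsa = der(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
    sig_alg = der(0x30, sha256_rsa + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))   # CN=
                                          + der(0x0C, b"www.example.com"))))
    validity = der(0x30, der(0x17, b"100101000000Z") + der(0x17, b"110101000000Z"))
    spki = der(0x30, der(0x30, rsa + der(0x05, b"")) + der(0x03, b"\x00" + public_key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 16)), spki

SITE_KEY = b"\x01" * 32        # placeholder key material for the sample
ORIGINAL_CERT, ORIGINAL_SPKI = build_sample_cert(SITE_KEY, b"\x01")
RENEWED_CERT, _ = build_sample_cert(SITE_KEY, b"\x02")        # same key, new serial
FORGED_CERT, _ = build_sample_cert(b"\x02" * 32, b"\x03")     # validly issued, different key

PINNED = {spki_pin(ORIGINAL_CERT)}   # recorded out of band from a connection we trust

if __name__ == "__main__":
    print("renewed cert passes pin:", check_pin(RENEWED_CERT, PINNED))
    print("forged cert passes pin: ", check_pin(FORGED_CERT, PINNED))
```

In real use the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake, and the pinned value is recorded from a connection you trust or from pins the site operator publishes. The pin covers the public key rather than the whole certificate so that a routine renewal with the same key still passes, while a certificate for a different key fails no matter how legitimately it chains, which is exactly the coerced-CA case.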

What is the point? Be careful who you trust when you are supposedly surfing securely. Educate yourself on the security techniques used by SSL and how they function. While in most cases there is nothing to be concerned with, it is important to understand that SSL is not the end-all be-all of network security. It has its own shortcomings as eloquently articulated in this article.

Fake Hot Chick Socially Engineers U.S. Government

Thomas Ryan of Provide Security set up a fake identity using a photo of an attractive woman as a means of demonstrating the security threats posed by social networking sites like LinkedIn, Facebook and Twitter. Ultimately the experiment worked, as the profiles were used to successfully socially engineer people in the U.S. government, military and intelligence communities.

And so it apparently was. She was an avid user of LinkedIn – a social-networking site for professionals sometimes described as “Facebook for grown-ups.” Her connections on it included men working for the nation’s most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.

It is great to see the U.S. government finally start to embrace social networking, but is the cost of being socially engineered worthwhile? How so many "smart" people fell victim to this ruse may appear surprising, but it really should not be. A picture of a hot chick is worth a lot of capital, especially in geek circles. Couple that with a wicked resume and connections to people in important organizations and you have a formula for socially engineering anyone, let alone the government.

Hopefully the vulnerabilities exposed by social networking usage in this exercise will be used to help better educate the government, military and intelligence communities. This is one thing lacking in the government – quality education about the dangers of online social networking and the threats these tools pose to our government.

Secunia Vulnerability Report Accusing Apple Dismantled

AppleInsider has taken the aforementioned Secunia vulnerability report to task, dismantling the claim that Apple has the highest number of security holes.

Secunia’s vulnerability counts reset when Microsoft changes the name of its product, but continue to accumulate for Apple because the company hasn’t rebranded Mac OS X since 2003, when Secunia began keeping track. Browsing Secunia’s database, it appears Mac OS X has suffered from hundreds of vulnerabilities while Microsoft’s Windows has racked up far fewer, but that’s only because Microsoft’s regular rebranding efforts reset Secunia’s clocks.

At the same time, Secunia does not break up Apple’s vulnerability counts by each reference release of Mac OS X, so its current vulnerability listings date back through Jaguar, Panther, Tiger, and Leopard, as well as the currently installed base of Snow Leopard.

How Secunia arrives at its totals is also puzzling, as according to its own statistics Apple's Mac OS X was affected by 6 "advisories" in 2010, only one of which has not yet been patched. That issue is rated as "not critical" and can only be exploited by local users.

This is the article I should have written, but unfortunately I did not have the time to conduct the necessary in-depth research to write such an eloquent response to the obviously bogus report. AppleInsider should be praised for clearly articulating their dissection of the claims made in the report, especially since Secunia carries a lot of weight in the security industry.

It is obvious Secunia needs to tweak its methods to give an accurate depiction of the operating system vulnerability landscape. The first thing Secunia needs to do is retract the graph, which is what most people are paying close attention to. A visual representation of the number of vulnerabilities, with Apple sitting atop the chart, clearly does the security industry an injustice by not accurately reporting the current vendor vulnerability situation.

Apple Beats Microsoft in Security By Having More Holes, At Least According to Secunia

Although Mac OS X has remained virtually free of any large-scale virus or malware outbreaks, according to a report released by security firm Secunia the operating system ranks at the top of the chart in terms of the sheer number of reported vulnerabilities. Note that a vulnerability count is not an exploit count: Secunia tallies advisories, not working attacks.

Mac OS has remained relatively untouched by major viruses and hacking efforts in the past, as most ne’er-do-wells may have considered the operating system’s market share and thus potential for private information less enticing than those of Microsoft’s Windows. With the rise of Mac market share and the popularity of the iPhone, however, there is little doubt that Apple platforms will become major malware targets in the near future.

Surely this is rather unbelievable to most people, who expected to escape Microsoft's security vulnerability hell by switching to Mac OS X. Apparently the numbers do not lie; however, I cannot help but feel the numbers are somewhat off.

I own a Mac at home but administer Windows XP at work, since I am a network security professional whose job is to protect the network from bad guys and evil corporations incapable of adequately programming their software. Thinking back over the last couple of years, I cannot fathom how Secunia came to the conclusion that Apple has a higher number of vulnerabilities than Microsoft. It is unbelievable, especially considering the large number of Windows patches I am required to push out on a monthly basis. Contrast that with the number of Apple patches I've installed on my home laptop and it just feels like the scales are tipped towards Microsoft by a large margin.

Check out the report for the full details.

Update: I failed to seize the opportunity to dissect the crappy Secunia report, but AppleInsider has taken charge, clearly dismantling the claims that Apple has the highest number of vulnerabilities. It is a wonderful read and is essentially the article I should have written.

Authentication Crack Could Affect Millions

Security researchers have discovered a serious flaw in a widely used authentication routine and plan to discuss their findings at the Black Hat conference later this month in Las Vegas. The researchers have not yet publicly disclosed which implementations are affected, although it initially appears that some OpenID and OAuth libraries are vulnerable to this newfound attack.

They found that some versions of these login systems are vulnerable to what’s known as a timing attack. Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that’s not the case.

The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.

If the OpenID and OAuth libraries they use are affected, sites such as Twitter and Digg, which rely on these protocols for functionality not seen on average web sites, would be vulnerable. What this attack would ultimately allow is for an attacker to forge a valid token and masquerade as a legitimately authenticated user without ever logging in. While timing attacks such as this are difficult to pull off, especially over a network, they are not inconceivable.

What does this mean for the average user? Probably nothing much at this point, since the keys to this particular kingdom lie in the hands of the web site operators. It will be up to the service providers making use of the affected libraries to either switch to an unaffected library or modify the existing one.

If you are a developer using OpenID and/or OAuth, you should definitely be concerned. Pay close attention to the paper these researchers plan to present at Black Hat to see whether the libraries you use are affected and in need of modification. The standard fix is a constant-time comparison: check every byte of the signature and only report the result at the end, so the time taken does not depend on where the first mismatch occurs.
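To make the leak in the quoted description concrete, here is an added example (my code, not the researchers' code or any real OpenID/OAuth library) in which a simulated server verifies a token with the early-exit comparison described above and reports how many bytes it compared, standing in for the elapsed time an attacker would measure. The attacker routine recovers the token one byte at a time from that side channel alone; the same routine fails against the constant-time check, and `hmac.compare_digest` is what a fixed library should call. The token value is a constructed placeholder.

```python
import hmac

class TokenVerifier:
    """Simulated server-side check of a token or signature. Instead of wall-clock time it
    reports how many bytes were compared, which is what a timing leak encodes.
    Constructed for the demo; not any real OpenID/OAuth library."""

    def __init__(self, secret, constant_time=False):
        self.secret = secret
        self.constant_time = constant_time

    def verify(self, candidate):
        """Return (is_valid, bytes_compared)."""
        if self.constant_time:
            # Same amount of work for every input: fold every byte into one accumulator.
            diff = len(candidate) ^ len(self.secret)
            for x, y in zip(candidate, self.secret):
                diff |= x ^ y
            return diff == 0, len(self.secret)
        # Vulnerable version: returns at the first byte that does not match.
        if len(candidate) != len(self.secret):
            return False, 0
        compared = 0
        for x, y in zip(candidate, self.secret):
            compared += 1
            if x != y:
                return False, compared
        return True, compared

def recover_token(verifier, length):
    """Attacker: fix one byte at a time, keeping whichever guess made the server work longest."""
    known = bytearray(length)           # positions not yet recovered are padded with 0x00
    for i in range(length):
        best_guess, best_work = 0, -1
        for guess in range(256):
            known[i] = guess
            ok, work = verifier.verify(bytes(known))
            if ok:                      # only possible at the last byte: token is complete
                return bytes(known)
            if work > best_work:        # the correct byte lets the server compare one more
                best_guess, best_work = guess, work
        known[i] = best_guess
    return bytes(known)

def verify_token_safely(candidate, secret):
    """What a fixed library should do: constant-time comparison from the standard library."""
    return hmac.compare_digest(candidate, secret)

SECRET = bytes.fromhex("5a1fc3077be2d904")   # constructed 8-byte token, stands in for an HMAC tag

if __name__ == "__main__":
    leaky = TokenVerifier(SECRET)
    fixed = TokenVerifier(SECRET, constant_time=True)
    print("recovered from leaky server:", recover_token(leaky, len(SECRET)).hex())
    print("recovered from fixed server:", recover_token(fixed, len(SECRET)).hex())
```

Against a real server the attacker gets noisy timings instead of an exact count and has to repeat each guess many times and average; that measurement problem is the part the Black Hat talk claims is practical over a network. The recovery logic itself is no harder than shown, which is why the comparison, not the network, is where the fix belongs.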

Safari AutoFill Exploit: Disable Immediately

Jeremiah Grossman has uncovered a serious privacy flaw in Apple's Safari web browser v4 and v5 which allows a malicious web site to surreptitiously extract the personal data that Safari fills into forms from the user's Address Book card via its "AutoFill" feature, without the user typing anything.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

There is currently no fix available for this vulnerability. Until Apple releases a security update addressing it, turn off the AutoFill feature in Safari immediately (in Safari's AutoFill preferences, untick the option that fills forms using your Address Book card). Either that or change your Address Book card to hold innocuous data.

On a side note, according to Grossman he informed Apple over a month ago about the exploit but has yet to receive a response. No surprise there – Apple is renowned for not responding to such submissions. This is not to say they will never provide a response, but rather that they keep such issues on the down-low, which is really how Apple rolls when it comes to flaws in their products.

Windows Zero-Day Installs Rootkits from Infected USB Drives

A recently discovered flaw in how Windows handles shortcut (.LNK) files is being exploited to install malicious software, which is then used to gain administrator-level access by covertly installing a rootkit.

Microsoft has already warned users, in Microsoft Security Advisory 2286198, that hackers are exploiting an unpatched vulnerability in the Windows Shell component, which incorrectly parses shortcuts. Since the warning, Microsoft has confirmed what researchers found: the exploitation hinges on specially crafted shortcut (.LNK) files. The shortcut does not need to be clicked; it is enough for Explorer to display the folder that contains it, which is why removable drives are the most likely delivery vector. Once it runs, the malware drops a Trojan horse that downloads a rootkit, which then hides the infection while it runs.

Several versions of Windows are affected by the shortcut flaw, including Windows 7 and the now-unsupported Windows XP SP2 (as of July 13, 2010 Microsoft no longer provides security updates or support for Windows XP SP2). Researchers have noticed that the malware exploiting the flaw mostly arrives on infected USB drives.

There is a strong chance anti-virus software would not have caught this malware, mainly because it is a 0day with no signature yet, but also because rootkit installations are becoming exceedingly difficult to detect once they are in place. There is strong evidence suggesting attackers will use this vulnerability to spread malware to Windows XP SP2 installations, since Microsoft is opting not to patch that version of the operating system. A lot of SP2 installs are still floating around the internets, for some reason completely ignoring the fact that Microsoft released XP SP3 well over 18 months ago.
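As an added triage example (my code, not from the advisory or any vendor tool), the following parses the documented Shell Link header and LinkTargetIDList (MS-SHLLINK) from `.lnk` files found on a removable drive and flags shortcuts whose target list names a `.cpl` or `.dll`. That heuristic rests on my reading of the public advisory, namely that the crafted shortcuts reference a control panel file so that the shell loads its code when rendering the icon; the post above does not spell out that detail, so treat it as an assumption. The sample files, paths and drive letter are constructed, not captured from real malware.

```python
import os
import struct
import uuid

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x00000001
HAS_LINK_INFO = 0x00000002
IS_UNICODE = 0x00000080

def parse_lnk(data):
    """Parse the fixed 76-byte ShellLinkHeader and, if present, the LinkTargetIDList.
    Returns the LinkFlags and the raw payload of each ItemID."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=bytes(data[4:20]))
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    items, pos = [], 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:                       # TerminalID ends the list
                break
            items.append(bytes(data[pos + 2:pos + item_size]))
            pos += item_size
    return {"flags": flags, "items": items}

# look for the extensions as ASCII and as UTF-16LE, case-insensitively
_NEEDLES = [n for ext in (b".cpl", b".dll")
            for n in (ext, ext.decode().encode("utf-16-le"))]

def is_suspicious(data):
    """Heuristic (assumption, see lead-in): a shortcut whose target ID list names a
    .cpl or .dll deserves a look, since ordinary file shortcuts on a USB stick do not."""
    info = parse_lnk(data)
    if not info["flags"] & HAS_LINK_TARGET_IDLIST:
        return False
    return any(n in item.lower() for item in info["items"] for n in _NEEDLES)

def triage(files):
    """files: iterable of (path, bytes). Returns the paths that trip the heuristic;
    files that do not parse as shortcuts are reported too, since that is odd in itself."""
    flagged = []
    for path, data in files:
        try:
            if is_suspicious(data):
                flagged.append(path)
        except ValueError:
            flagged.append(path)
    return flagged

def lnk_files_under(root):
    """Yield (path, bytes) for every .lnk under root, e.g. the mount point of a USB stick."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read()

def build_sample_lnk(target_text):
    """Constructed sample: minimal header plus one ItemID carrying a UTF-16 path.
    Not a real shortcut; enough to exercise the parser."""
    header = (struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_IDLIST | IS_UNICODE))
    header += b"\x00" * (0x4C - len(header))
    payload = target_text.encode("utf-16-le")
    item = struct.pack("<H", len(payload) + 2) + payload
    idlist = item + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

SAMPLE_FILES = [   # constructed stand-in for the contents of a removable drive
    ("E:\\Report.lnk", build_sample_lnk("C:\\Users\\me\\Documents\\report.docx")),
    ("E:\\Photos.lnk", build_sample_lnk("E:\\hidden\\loader.CPL")),
]

if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_FILES))
```

Run `triage(lnk_files_under(mount_point))` against the drive. Since displaying the folder is the trigger, do this from a system that does not render Windows shortcut icons (a Linux box or a throwaway VM) rather than by browsing the drive in Explorer on a machine you care about. Expect false positives from legitimate control panel shortcuts on a normal desktop; on a USB stick someone handed you, any hit deserves a closer look.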

Teens Using Digital Drugs to Get High on the Internet

In what has got to be one of the wackiest technology related stories I have read in quite some time, Wired’s Threat Level is reporting that kids across the United States are getting high on the internet thanks to so-called ecstasy-inducing MP3 files:

Kids around the country are getting high on the internet, thanks to MP3s that induce a state of ecstasy. And it could be a gateway drug leading teens to real-world narcotics.

At least, that’s what Oklahoma News 9 is reporting about a phenomenon called “i-dosing,” which involves finding an online dealer who can hook you up with “digital drugs” that get you high through your headphones.

Oddly enough, an Oklahoma school is taking this whack-ass threat seriously. They ended up sending out letters to parents to warn of this supposed new “drug” making its rounds on the internets. A side effect of this is the school has now banned iPods on school grounds to hopefully prevent students from becoming “cyber-drug” fiends. Seriously.

For the life of me I cannot believe this is serious. No matter how hard these digital drug dealers try, I cannot fathom how this would even work to create some crack-like state of ecstasy. This whole idea is ridiculous.

Now I've listened to some MP3 music which made me want to throw my laptop out of a fourth story window because the music was absolutely horrifyingly bad. I've listened to other highly intense music which made me feel all tingly inside.

But never have I listened to an MP3 which made me high, as if I had just gotten baked off some of the good stuff. Never. Ever.

The article is worth a read, if for no other reason than the amusement factor. Maybe it was meant to be taken in stride, maybe it is completely serious. Whatever the case, it sounds like there are some morons out there “educating” our students about things that do not yet exist.

The lesson in all this: keep your kids away from the Mustang Public School district in Oklahoma, because they will surely not receive a quality education from idiotic teachers like those who believe one can get high off an MP3 file.
