Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow-up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders, the final pieces of the puzzle start to fall into place; now "everybody" does it. The other major browser manufacturers (Opera, Chrome, and Firefox) have been auto-upgrading their installations for some time already. Apple's Safari now stands out in the crowd, and it will be interesting to see whether they'll stick to their current update regime.
For Microsoft, this is yet another important step to kill off IE 6, which still has a considerable user base. Up till now they have been running campaigns urging users to upgrade their browsers. They actually have a website dedicated to killing off the browser, www.ie6countdown.com (I have to point out that Norway is leading the pack, with only 0.2% IE 6 users). Hopefully the automatic upgrades will have a notable impact on the remaining IE 6 installations.
In two earlier posts (one and two) I've advocated silent auto-upgrades as an important strategy for keeping Internet users safe by providing them with timely security patches. Recently I came across an interesting study on the effectiveness of different web browsers' update mechanisms. It's definitely worth a read. (*Surprise*, it aligns just fine with my views, so I can safely link to it.)
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Disclaimer
Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).
Dec 16, 2011
Dec 13, 2011
See pics of women, free
Just now on Facebook I got the following advertisement:
I didn't quite react at the first glance, since every once in a while you get served the ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com.
The title of the ad suggests that it leads to one of the more sleazy sites on the Internet. If you do a Google search for free pics of women, you'll get the idea. Warning: NSFW!
I'm not convinced that this is how girls looking for a relationship would want their profiles advertised on the Internet. And it is yet another example of how a social website might try to capitalize on the personal information you've shared — in a way that would make you uncomfortable if you were made aware of it.
Shame on you Match.com! This is not how a responsible and respectable dating site would treat their users.
Nov 5, 2011
Twitter app privacy, there just might be hope!
A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of your Twitter account to some Twitter application. Well, I just had a more encouraging experience!
You've probably heard about this Klout thing. On Twitter there have lately been several reports of people getting Klout perks, so I became a bit curious about how all of this worked. After all, there aren't that many web pages where you sign up and then get stuff sent to you by mail because you have many Twitter followers (deliberate over-simplification). I had to register to see what this thing was all about.
Note that there is an ongoing privacy discussion about Klout; here's an excellent article that summarizes some of the issues. I won't go into that discussion here.
You can sign in to Klout using your Twitter profile. And this is where I was in for a pleasant surprise!
Labels:
Privacy
Nov 2, 2011
Base64 decode online — are you sure?
Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version.
tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.
Google's keyword tool reports 9,900 monthly searches for "base64 decode online". How many of these searches lead to disclosure of sensitive business information or personal information (PII) to one of the Base64 decoding web pages? None of these searches are from IT professionals trying to figure out what's wrong in a production system, right?
Top Google results for "base64 decode online" at time of writing
Labels:
AppSec,
Privacy,
security,
TransformTool
Oct 22, 2011
Update Java — or just remove it
Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.
I have to say that in recent years I've installed Java more out of habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they had, among other things, fixed the same-origin-policy bypass used in the BEAST attack (you'll find a straightforward explanation of the Java vulnerability here, and links to resources on BEAST here). So I started the update process, and this was one of the first screens I was presented with.
Labels:
AppSec,
Browser security,
Java,
security
Oct 9, 2011
A Google 2-step verification vulnerability
Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was available in 150 countries, and in 40 different languages.
Of course, I took interest in how the two-step verification was designed and I discovered a couple of design issues. In addition I discovered a security flaw that qualified for Google's vulnerability reward program, so I engaged in a responsible disclosure process with Google. Now they've fixed the bug, my reward has been donated to charity, and I've received my 19 bytes of fame, so I guess it's time to blog about this. I'll focus on the security bug here, and blog about the design issues later. I need to do some investigation to see whether Google fixed any of them or not, as they reported that they were re-evaluating some of their design decisions.
If you're unfamiliar with how the two-step verification works, see Google's video below (borrowed from Getting started with 2-step verification).
Now, straight to the point.
Labels:
AppSec,
Google,
security,
vulnerability
Oct 8, 2011
Making the web even safer: From auto-upgrade to silent updates
Mozilla now aims to add silent updates to Firefox — much like Chrome and Opera already do — as summarized in this Computerworld article. This marks an important milestone, and is an important follow-up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.
Later in June when Firefox 5 was released, Firefox 4 users were prompted to update to the new version. I was so excited, I had to blog about that too.
Now Mozilla has decided to introduce silent updates to Firefox. From Mitchell Baker's blog we can learn that:
Before Mozilla instituted the rapid release process, we would sometimes have new capabilities ready for nearly a year before we could deliver them to people. Web developers would have to wait that year to be able to make their applications better.
And why is that a problem?
A browser is the delivery vehicle for the Internet. And the Internet moves very, very quickly.
Labels:
Browser security,
Firefox,
security
Sep 16, 2011
Bugs get fixed
My bug reporting has been on fire lately. This week I received confirmation from the Google security team that a security bug I reported was found worthy of a reward (a couple of weeks ago Google fixed some issues in their two-step verification procedure). I'll be blogging the details on the security issue anytime soon.
Just now, my Hotmail told me that the Visual Studio 2010 firewall setup bug I blogged about last month will be fixed in the next major release of Visual Studio. Cool!
Now, if I could only find and fix my own damn bugs. :)
Sep 12, 2011
Announcing TransformTool
I've spent some of my spare time on a hobby project lately. I've been missing a tool that could help me easily encode or decode various pieces of information. When you're studying web applications you often come across values in cookies, URL parameters or forms that are encoded in one way or another. They might even be encoded multiple times with the same encoding function. It has been somewhat cumbersome to fiddle about with such pieces of information, that is until now!
I've created TransformTool, that lets you easily apply a series of encoding/decoding operations to an input. Just have a look at this example:
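As an added example (my own, not TransformTool's code), here is an offline Python transform chain in the spirit of this post and the Base64 post above: the transform names, the lenient decoder and the sample cookie value are all constructed for illustration. It goes a little beyond the post by unwrapping a value that was Base64-encoded several times without knowing the depth up front.

```python
import base64
import binascii
import urllib.parse
from typing import Callable, Dict, List

# Added example, not TransformTool's own code: a small offline transform chain
# for values pulled out of cookies, URL parameters and form fields. Decoding
# locally means the data never leaves your machine, which is the whole point
# of the "Base64 decode online" discussion.


def b64_decode_lenient(data: bytes) -> bytes:
    """Decode standard or URL-safe Base64, tolerating stripped padding.

    Values found in cookies and URLs are often URL-safe ('-' and '_' instead
    of '+' and '/'), have their '=' padding removed, or are wrapped across
    lines. Anything outside the alphabet raises binascii.Error.
    """
    text = "".join(data.decode("ascii").split())       # drop embedded whitespace
    text = text.replace("-", "+").replace("_", "/")     # URL-safe -> standard alphabet
    text += "=" * (-len(text) % 4)                      # restore padding to a multiple of 4
    return base64.b64decode(text, validate=True)


# Every transform maps bytes -> bytes so they can be chained in any order.
TRANSFORMS: Dict[str, Callable[[bytes], bytes]] = {
    "b64decode": b64_decode_lenient,
    "b64encode": base64.b64encode,
    "urldecode": urllib.parse.unquote_to_bytes,
    "urlencode": lambda b: urllib.parse.quote(b, safe="").encode("ascii"),
    "hexdecode": binascii.unhexlify,
    "hexencode": binascii.hexlify,
}


def apply_chain(value: bytes, ops: List[str]) -> bytes:
    """Apply the named transforms left to right, e.g. ["urldecode", "b64decode"]."""
    for op in ops:
        value = TRANSFORMS[op](value)
    return value


def peel_base64(value: bytes, max_layers: int = 8) -> List[bytes]:
    """Repeatedly Base64-decode while the result still decodes cleanly.

    Returns every layer, outermost first, so a value encoded several times
    with the same function can be unwrapped without guessing the depth.
    Inspect the layers: a short plaintext can itself look like valid Base64,
    in which case the last layer is one step too far.
    """
    layers = [value]
    for _ in range(max_layers):
        try:
            nxt = b64_decode_lenient(layers[-1])
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not nxt:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    # Constructed sample: a cookie value Base64-encoded twice, then URL-encoded.
    sample = b"session=abc123;lang=no"
    wrapped = apply_chain(sample, ["b64encode", "b64encode", "urlencode"])
    print(wrapped)
    for depth, layer in enumerate(peel_base64(apply_chain(wrapped, ["urldecode"]))):
        print(depth, layer)
```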
Labels:
.NET,
Ninja tricks,
TransformTool
Sep 4, 2011
WIF security considerations
I've been working with WIF (Windows Identity Foundation) for the last couple of months, and have to admit I've spent some time googling for WIF articles explaining how the framework should be used. I'll be putting together a blog post on some of the most useful resources I've found when I find the time. However, you'll discover that there aren't many resources covering WIF and the nitty gritty security details out there. An MSDN article on WIF security was brought to my attention the other day (thanks Jonas!), so I figured I'd link to it sooner rather than later. It might be useful for some of you out there.
The article is titled Security considerations, and it's not easy to find on Google. It contains quite a few security considerations you'd want to look into if you're using, or contemplating using, WIF. Stay tuned for more WIF (security) stuff as my calendar hopefully frees up at work, and the golf season ends here in Norway.
Labels:
WIF
Aug 3, 2011
VS2010 remote debugging and Windows 7 firewall
*Update, 2011/09/16: The issue has been fixed in the next major release of Visual Studio.
I've had some trouble getting remote debugging going for a development server at work. It turns out there are some oddities in the way VS 2010 creates and manages the firewall entries that let the remote machine connect back to the local computer. You might want to read this before checking out the MSDN articles: How to: Set Up Remote Debugging and How to: Configure the Windows 7 Firewall for Remote Debugging.
I was working with a development server that had the remote debugging monitor installed. Others have been debugging on the server, so I was sure that the server was set up correctly. I was pretty sure my problems were caused by the setup on my local machine.
If you lack firewall rules for remote debugging, VS2010 detects this and asks you what to do:
Without giving it much thought I chose to "Unblock remote debugging from computers on the local network (subnet)". After all, the development server was somewhat "local." The remote debugging monitor reported that I connected to the server, but nothing more happened and I timed out with this error message:
Unable to connect to the Microsoft Visual Studio Remote Debugging Monitor named 'xxxxxxx'. The Visual Studio Remote Debugger on the target computer cannot connect back to this computer. A firewall may be preventing communication via DCOM to the local computer.
I then realized that subnet was probably the keyword here, as the server was in the same domain but on a different subnet.
Jul 21, 2011
Getting started with Windows Azure
Turns out it's very easy!
You need to install the Azure tools for VS. Then you can check out the Code Quick Start guide for Azure, to get up and running quickly. It took me about half an hour to deploy my first application to Azure, including installing the VS tools and eating a pizza.
I'll probably use my Azure subscription to host demo apps in the future. For now, you can check out my first Hello World application in Windows Azure.
This was fun!
Jul 10, 2011
Sneaking into Google+ uninvited
After seeing reports on Twitter that "everyone" was now on Google+, and not having received an invite e-mail myself, I had an intense feeling of being left out. So yesterday, I started tinkering.
There have been several ways into Google+. Just after the launch the reports were that a Google+ user could share something with you, and you were offered to join Google+ to see the shared content. Along came also the possibility for Google+ users to invite people directly (which led to people selling their invites). To get in line for Google+, you could also sign up at the Google+ website. I had signed up, and it turns out I had also been invited by two friends (I was in their circles already), but without receiving a notice from Google. I was curious to find out what was behind the signup screen shown below, so I had to do something!
Jun 23, 2011
Giving up your privacy for nothing at Yahoo News
UPDATE Nov. 10th: The story about the dog turned out to be a hoax. Pheew.
This weekend I read a somewhat disturbing article on Yahoo News about a Jewish court sentencing a dog to death by stoning by children and decided to share the story on Twitter. Most news sites include buttons to conveniently tweet articles, Yahoo News is no exception. I clicked the "Retweet" button and expected to see the Twitter confirmation screen as I was already signed in to Twitter. But wait!
Yahoo News wants me to let TweetMeme use my account, that was a surprise. Usually I don't bother reading these pop-ups, I just close the window and then go on to share the link manually. But this was Yahoo News, so I started reading the pop-up to see what they were hoping I would agree to. Turns out it wasn't just the article about stoning the dog that was disturbing.
Jun 21, 2011
Firefox 5 is out and #4 wants to upgrade
Following up on my recent blog post on how auto-upgrade as opposed to auto-update of web browsers can help make the Internet a safer place, here is the prompt I just got from Firefox 4:
Gotta love it! Firefox 5 is a "security and stability update". No lengthy explanations on why version 5 is better than 4, and an "Upgrade Now" button. Users would want to install this! I also like the prompt I get when one of my add-ons won't work with the new version.
Jun 19, 2011
Slides for recent talks now available
I finally got around to publishing the slides for the two talks I did in May: the talk about the online banking trojans at the DND/ISACA/ISF member meeting as well as the lightning talk on browser security at the Roots conference. I figured I'd give Google Docs a try, so I made a Talks collection available there.
I've sort of reset my talk list, you'll find it at my dedicated talk page.
The lightning talk at Roots was taped (though probably there wasn't any actual tape involved). If you're interested, go check out The browser - your best friend and worst enemy - André N. Klingsheim on the Roots conference channel on Vimeo.
Labels:
Talks
Jun 12, 2011
Making the web safer: From auto-update to auto-upgrade
The Firefox team has decided to stop supporting Firefox 3.5. They've put a great deal of thought into how they will handle the ~12 million Firefox 3.5 installations around the world. Firefox 3.5 will be updated to the latest 3.6 version, through the auto-update system — which really makes it an auto-upgrade. The plan is to start pushing the upgrade on June 21st, in conjunction with the release of the new Firefox 5. The team has shared their assumptions and rationale for the decision in a Firefox 3.5 EOL article on the Mozilla wiki.
The decision to upgrade users' soon to be outdated and unsupported browsers is important. Home users' computers are under constant attack. The stream of software updates is both endless and rapid, especially when taking into account that there are updates to the operating system, web browsers, and commonly installed software such as Adobe Acrobat and the Java Runtime. The average user should be relieved from having to deal with all the different update notifications and procedures. Apple have been leading the way here for many years already. If you do a Google search for "security update" flash you'll see why: They've been supplying updates to the Flash player for many years through their update system. The Chrome team chose the same route in April when they included an updated version of Adobe Flash with their latest Chrome release — fixing a vulnerability in the Flash plugin in addition to three in Chrome. The simpler the job for users to keep their systems up-to-date, the more users will be running the latest, greatest, and safest software.
Labels:
Browser security,
Firefox,
security
May 22, 2011
Lightning talk on modern browser security tomorrow
I'll be giving a lightning talk at the Roots Conference Bergen 2011 tomorrow. I'm excited, I've given quite a few talks but never a lightning talk. It's always fun to take on new challenges!
It'll be interesting to attend the rest of the program as well. If you haven't registered already, you're out of luck. The conference is sold out. Better luck next year! :)
Labels:
Talks
May 17, 2011
Serving pac files from IIS
IIS refuses to serve static files that cannot be mapped to a particular MIME type. Since I'm a Windows n00b I spent some time figuring this out for myself. Here's what happened, and how to deal with it.
I tried to serve a proxy.pac file from the IIS on my localhost (IIS 7.5/Windows 7), to test some changes to a proxy auto-configuration script. IIS gave me a 404 error instead of serving the file. After fiddling about with various security settings for quite some time, I was eventually able to figure out the problem. If IIS lacks a configured MIME type for a file then it will refuse to serve it — returning a 404 error instead. I suspected MIME types could have something to do with it after I found out that IIS happily served the file as a regular text file if the file was named proxy.txt. As always with Microsoft, when you've successfully pinpointed the problem yourself, you're finally able to launch a Google search that reveals something useful...
May 16, 2011
Enabling IIS log files on Windows 7
I'm baffled. IIS 7.5 does not log to files by default, you have to enable the feature manually. In the settings it's called "HTTP logging", here's how to enable it:
If you can't find IIS log files in C:\inetpub\logs you should open your IIS Manager and check if the logging option is present in the IIS menu section (top right in the screenshot).
If you can't find the Logging option, go to: Control Panel\Programs -> Turn Windows Features on or off to enable IIS logging.
May 2, 2011
Talk on online banking trojans today!
I'll be giving a talk today at a member meeting for The Norwegian computer society, The Norwegian information security forum, and the ISACA Norway chapter in Bergen, Norway. The talk will be given in Norwegian. Hope to see you there!
The talk is titled: Online banking Trojans — Recent developments and countermeasures
Labels:
Talks
Apr 13, 2011
The importance of verifying file integrity
I've just wasted a couple of hours trying to install Windows 7 on a laptop. I downloaded the Windows 7 Enterprise Edition x32 image from MSDN, burned it to a CD, and thought that all was well.
To my surprise I got this interesting error message early in the install:
A required CD/DVD device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.
What? Windows 98 revisited? After some googling it seemed I wasn't the only one experiencing the problem, and several people reported that the problem was caused by a bad download or a bad CD. I didn't quite suspect this, as downloads are rarely problematic these days. After spending a considerable amount of time searching for drivers around the Internet, I therefore realized that there was only one right thing to do.
Verifying file integrity
I had downloaded the Win 7 ISO file to my Mac. Calculating the SHA-1 hash for a file is straightforward on OS X, since OpenSSL is preinstalled.
klings$ openssl sha1 en_windows_7_enterprise_with_sp1_x86_dvd_620186.iso
SHA1(en_windows_7...620186.iso)= bd06158ceb24ad345d4d83104acf16aebbe5be67
Unfortunately, the hash should have been: 4788041EB06E0F49720C112FBD256AC637909D4F. It turns out that my ISO file is not identical to the one on MSDN! No wonder this didn't work out... I'll blame this one on Chrome, MSDN, or both. Chrome reported my download to be successful.
Don't go wasting your life before you've checked the integrity of the files you download!
For Windows, you might want to check out the Microsoft File Checksum Integrity Verifier, it seems to get the job done.
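As an added example (not the post's own commands), here is a Python check that does what the openssl command above does and adds what a practitioner wants when verifying a download: streaming reads so a multi-gigabyte image never has to fit in memory, and a case-insensitive comparison, since the MSDN digest above is uppercase while openssl prints lowercase. The function names, the sample file and the placeholder "corrupted" digest are constructed; the check generalizes to any hashlib algorithm (e.g. sha256) published on a download page.

```python
import hashlib
import os
import sys
import tempfile

# Added example, not code from the post: verify a downloaded file against the
# digest published by the vendor, which is the check the post recommends for
# the ISO. Reading in chunks keeps memory flat for large images; normalising
# case makes an uppercase vendor digest compare correctly with openssl output.

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads


def file_digest(path: str, algorithm: str = "sha1") -> str:
    """Return the lowercase hex digest of a file, streaming it from disk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected: str, algorithm: str = "sha1") -> bool:
    """True if the file's digest matches the published one, ignoring case and whitespace."""
    wanted = "".join(expected.split()).lower()
    return file_digest(path, algorithm) == wanted


def self_check() -> dict:
    """Hash a constructed sample file and compare it against known SHA-1 values.

    b"abc" is the FIPS 180-1 SHA-1 test vector, so its digest is known
    independently of this code; the "corrupted" case uses a deliberately
    wrong placeholder digest.
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        return {
            "lowercase": verify_download(path, "a9993e364706816aba3e25717850c26c9cd0d89d"),
            "uppercase": verify_download(path, "A9993E364706816ABA3E25717850C26C9CD0D89D"),
            "corrupted": verify_download(path, "0" * 40),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Usage: python verify_download.py <file> <expected-digest> [algorithm]
    if len(sys.argv) < 3:
        print(self_check())
    else:
        algo = sys.argv[3] if len(sys.argv) > 3 else "sha1"
        ok = verify_download(sys.argv[1], sys.argv[2], algo)
        print("OK" if ok else "MISMATCH: do not use this file")
        sys.exit(0 if ok else 1)
```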
Labels:
Doh
Apr 6, 2011
Norwegian Facebook users first victims of automated attack?
Norwegian media report a supposed attack on Norwegian Facebook users; here's a link to the Norwegian news article.
Facebook users are calling their local police about the incident, phones started ringing at 22:15 CEST. At the time of writing, reports indicate that users near the city Haugesund were first affected. Users have explained the attack to the police as follows:
First you receive a "message" (unclear if it's a message or a wall post), stating: "You are next." Then your profile picture is changed to some sort of animation. Finally, the attackers change your password, and you lose access to your account.
An enjoyable statement from the police: "There's little we can do. We can't just send a patrol car into Facebook."
I'm logged into Facebook right now and haven't noticed anything unusual, and I'm unable to find similar stories on the Internet. Have Norwegian Facebook users gone crazy (or the police), or are we seeing the start of a potent attack on Facebook users? Judging from the news article, the attack does not necessarily require user interaction. It could be a Facebook worm. It'll be interesting to see tomorrow how the situation develops.
And for the record: The article is dated April 5, so this should have nothing to do with April fools' Day.
***Update*** April 7.
I contacted the journalist who wrote the story, they hadn't followed up on the matter. But if this was a real attack, I bet it was one of the password stealing apps on Facebook.
Labels:
AppSec,
Facebook,
security,
youarenext
Apr 4, 2011
Why security questions are not
The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a first-time recipient receiving a password-protected secure envelope, you will be asked to register with the service to set the password which will be used to authenticate you.
I had never used the service, so I had to register before I could get access to the e-mail. To my surprise, I had to choose three security questions and provide an answer to them before the registration could be completed.
Labels:
AppSec,
Authentication,
fail,
security
Apr 2, 2011
Introduction to authentication
The last couple of months large players such as Microsoft, Google, and Facebook have announced changes to their login procedures and how they authenticate their users. Facebook and Hotmail offer single-use codes to avoid compromise of users' regular passwords. Google has rolled out a new (optional) two-step verification for access to Google accounts. These are interesting changes in functionality to increase the security for users on the Internet.
I'll be blogging about some of these authentication procedures. To lay the foundation for my upcoming blog posts on authentication I figured it would be a good idea to give a quick rundown of what authentication is, just to get the basics out of the way. Here it goes:
Authentication defined
If you consult the Oxford dictionary on your iPhone you'll learn that:
authenticate: prove or show (something) to be true, genuine, or valid;
When we authenticate users of computer systems, what are we trying to prove? In short, that the correct people are logged in to the correct user accounts. So, for computer systems we'll see that it makes sense to use the following definition:
Authentication is the process carried out to show that a user is who she claims to be.
To explain what this means we'll break a typical authentication procedure into two phases: the user claims to be the owner of a digital identity, and we need to verify that the claim is true before the user is allowed to assume the claimed identity.
Labels:
AppSec,
Authentication
Mar 26, 2011
Ninja trick: The terminal server has exceeded the maximum number of allowed connections
If you work in an environment where several people fiddle around on the same servers, every once in a while you'll get the message "The terminal server has exceeded the maximum number of allowed connections" when you try to log on to a shared server through Remote Desktop.
In many cases this is because someone is lingering on the server. You could go through the process of figuring out who's logged on and asking them to log out, or kick them from the server. But there's another way.
It's possible to remotely connect to the physical console session on the server (also known as session 0). If someone is already using the console session, you'll learn who's connected and will be asked if you want to disconnect them. Since this feature is only intended for ninja hackers, you'll have to run this from the command line.
On Windows 7/2008 Server:
mstsc.exe /admin /v:yourservername
On Windows 2003 server:
mstsc.exe /console /v:yourservername
You probably figured out that the command switches /admin and /console did the trick here. A word of advice: don't share this with your co-workers, you want to keep the console session to yourself!
The /admin and /console switches are described in Microsoft's article on changes to remote administration in Windows Server 2008. Also, if you're running Windows Server 2003 or Windows XP it's possible to upgrade to Terminal Services Client 6.0 to get the new and shiny features offered by Remote Desktop on Vista and later.
Labels:
Ninja tricks,
server 2003,
server 2008,
Windows 7
Mar 7, 2011
Even more Android security issues
Researcher Jon Oberheide explains on his blog how users can be tricked into installing apps on their Android phones — through an XSS vulnerability! This tops off last week's fuss about Android security.
On Saturday, the Google mobile team blogged about how they would deal with the malware spread through their Android Market — the same day they confirmed that there were 58 different malicious apps that had been downloaded onto around 260,000 Android devices.
At the beginning of February I blogged about the dangers arising from the Android Market's web-driven installation routine. Oberheide has now shown one scalable way to take advantage of the Market. Others remain.
Feb 14, 2011
How to sync multiple Google calendars with iPhone 4
I just got a new and shiny iPhone, and I wanted to sync a few Google calendars to it. It took a bit of Googling to figure out how to do it, so here's the recipe.
First, check out this article to do the initial account setup for your Google account in your iPhone: Google Sync: Set Up Your Apple Device for Google Sync.
Then go to m.google.com/sync using Safari on your iPhone. There you'll probably get an error message saying that your native language is not supported — not very user friendly by Google. The solution is to scroll down to the bottom of the page, and click on the link to change language. Change it to English, and you should be able to sign in with your Google account.
Feb 6, 2011
Steal a Google account and get a free OTP device!
I just read an interesting article on the Naked Security blog: New Android Market web store could open backdoor for phone hackers. Turns out, you can trigger installation of applications from the store and the installation procedure will silently complete on the Android phone. This could be a cool feature — but it comes with severe security implications for login procedures relying on mobile phones.
Jan 27, 2011
Why Facebook's social authentication fails
Just a comment on the latest blog post on security by one of the Facebook engineers.
First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still I would have expected them to move faster, especially after the Firesheep controversies back in October.
Then to the most controversial change — the social authentication — which raises a few questions about both the security it is supposed to add and the possible effects on Facebook users' privacy.
The security failure
Consider some malicious Trojan writer on the other side of the earth, trying to log into your Facebook account with your newly stolen password. Matching the pictures to the names presented in the social authentication should constitute a real challenge. It doesn't! A Google search for the suggested names, narrowed down to the Facebook site, will reveal... you guessed it! A picture of the person!
Social authentication illustrated
Jan 24, 2011
How to give IIS access to private keys
If one of your ASP.NET applications needs access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name. It's not readable by everyone (for obvious reasons). The lack of file access is not very intuitive, as you can see the certificate in the Certificates MMC snap-in, and it will claim that "this certificate has a corresponding private key". You'll still have to give the application pool's user read access to the key.
There are some differences in how to do this for the 2008 R2 and the 2003 server, here's a short explanation and some useful resources for both versions.
Labels:
AppSec,
ASP.NET,
Configuration,
server 2003,
server 2008
Jan 17, 2011
Facebook privacy bug: Your likes are leaked
I just discovered that Facebook reveals to search engines the users who "Like" a page, regardless of their privacy settings. Try a Google search and see for yourself — if you've disabled "Public Search" for your profile, that is:
site:facebook.com "Your name here"
Why is this problematic? Well, I have set my Facebook profile to not be enabled for public search. Hence, my Facebook profile does not show up in Google's search results.
Jan 13, 2011
Google unreachable, a rare occasion
Well, when I have trouble reaching particular websites I often check whether Google works — to verify that my Internet connection is working ok. The assumption: Google is always online.
However, just now:
And yes, for once I was able to reach all other websites I tried, it was just Google that was out. This is a rare situation, so I just had to take a screenshot and share the moment. I might never see one of these again ;)
Labels:
nuffsaid
Jan 11, 2011
NewTwitter not working with Safari's private mode
A couple of days ago I tweeted that I had trouble with NewTwitter. It turns out that Twitter does not work correctly with Safari in "Private mode." At the time, only the top bar would load, no other content was visible in my browser. After switching off the private mode, Twitter yet again worked as expected. Even after turning private mode back on. This meant that I was unable to reproduce the problem.
Today, new problems. This time, the timeline of other users does not load. I get to see their profile, but without the timeline. My own timeline works just fine. Checking with Burp, and comparing with a page load without private mode, I'm able to verify that there's no request for the timeline. Checking the error console reveals the following:
What a strange error message:
QUOTA_EXCEEDED_ERR: DOM Exception 22: An attempt was made to add something to storage that exceeded the quota.
Some investigation revealed that this is an HTML5 feature; as usual there were clues at Stack Overflow.
When turning off private browsing, everything's fine, there are no errors reported.
Checking the localStorage W3 documentation gives me a strong feeling that Safari denies local storage when in private mode, and instead should have thrown a SECURITY_ERR exception (not that it matters to most end users).
I'm not sure who's creating the problem here, Safari or Twitter. I'll send the issue to Apple and Twitter. If I get a response I'll update this post.
Update 19 Jan.: Twitter responded to my e-mail just now, they promised to fix the issue. Good stuff.
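The failure mode described above, handled defensively, as an added example that is neither Twitter's nor Apple's code: a localStorage write that throws (DOM Exception 22 as Safari does in private mode, or the SECURITY_ERR the W3C text suggests) is treated as "storage unavailable" and the page keeps working from an in-memory fallback instead of silently dropping the timeline request. The two storage stand-ins are constructed for the example.

```javascript
// Added example, not Twitter's or Apple's code: never let a failing
// localStorage write abort page setup, which is how the timeline request in
// the post never got sent.

// Probe once whether a Storage-like object accepts writes. Returns false rather
// than throwing when setItem fails: QUOTA_EXCEEDED_ERR (DOM Exception 22) as
// Safari in private mode throws, SECURITY_ERR as the W3C text suggests, or no
// storage object at all.
function storageWritable(storage) {
  if (!storage) return false;
  const probeKey = '__storage_probe__';
  try {
    storage.setItem(probeKey, '1');
    storage.removeItem(probeKey);
    return true;
  } catch (err) {
    return false;
  }
}

// Wrap a Storage object so that reads and writes never throw. When persistent
// storage is unusable (or fills up mid-session) values go to an in-memory Map
// for the lifetime of the page; set() reports whether the value was persisted.
function makeSafeStorage(storage) {
  const fallback = new Map();
  const usable = storageWritable(storage);
  return {
    persistent: usable,
    get(key) {
      if (usable) {
        try {
          const v = storage.getItem(key);
          if (v !== null) return v;
        } catch (err) { /* fall back to memory */ }
      }
      return fallback.has(key) ? fallback.get(key) : null;
    },
    set(key, value) {
      if (usable) {
        try { storage.setItem(key, value); return true; } catch (err) { /* quota hit */ }
      }
      fallback.set(key, value);
      return false;
    },
  };
}

// Constructed stand-in for Safari's private-mode localStorage as observed in
// the post: reads succeed, every write throws DOM Exception 22.
function makePrivateModeStorage() {
  return {
    getItem: () => null,
    removeItem: () => {},
    setItem: () => {
      const err = new Error('QUOTA_EXCEEDED_ERR: DOM Exception 22');
      err.name = 'QuotaExceededError';
      err.code = 22;
      throw err;
    },
  };
}

// Constructed stand-in for a normal, working localStorage.
function makeMemoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}
```

In a page this would be `makeSafeStorage(window.localStorage)`; the constructed stand-ins only exist so the example runs outside a browser.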
Terminal services manager and Windows 7
I just found out that Terminal services manager does not exist in Windows 7. But fear not, the Remote Desktop Services Manager will do the trick. It is included in the Remote Server Administration Tools for Windows 7, which can be downloaded from here.
After some serious googling, I was also able to figure out how to actually enable the feature, in "Programs and Features", "Turn Windows Features on or off":
Go to "Remote Server Administration Tools", "Role Administration Tools", and enable "Remote Desktop Services Tools".
There! Now you'll find the Remote Desktop Services Manager in your start menu — and can start kicking out stale remote desktop connections from your servers. :)
Labels:
Windows 7
Jan 6, 2011
Customized .Net configuration the easy way
I stumbled across a great series of articles on how the .Net configuration features can be used:
Unraveling the Mysteries of .NET 2.0 Configuration by Jon Rista.
You'll find the MSDN documentation for System.Configuration here.
I've started creating my own configuration sections and they yield several advantages:
- No XML parsing
- No more misuse of appsettings
- Extremely readable code
- Easy validation of configuration values
- Understandable error messages for configuration errors
So check out Rista's series of articles and start creating more robust and understandable custom configuration code!
Labels:
.NET,
ASP.NET,
Configuration
Jan 1, 2011
Some Azure signup challenges
Yesterday I blogged that MSDN subscribers got an Azure subscription for free. Today, I decided to activate an Azure subscription and take the first small steps into the cloud.
The ancient browser problem
I've been using Opera as my primary browser for more than ten years now. Why am I telling you this? Well, during the signup process for the Azure subscription:
Oh, the horror. I can't remember the last time I had to tell Opera to identify as another browser. Fortunately, under "Site Preferences" I could tell Opera to "Mask as Firefox" and it was all well... Come on guys. It's the year 2011. I cannot believe that this should still be a problem.
A more modern browser problem
But I hadn't left the rough patch just yet.
Copyright notice
© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.