Malicious Gadgets

The folks at Offensive-Security dot com published an information advisory regarding a security vulnerability associated with usage of Google gadgets. According to Offensive-Security,

The real vulnerability lies in the ability of a malicious user to add their own Gadgets on a separate domain space, without Google’s authorization…

There is a nicely done and very succinct video, merely 1:26 min in length, which is worth watching. The potential threat from gadgets residing on domains that are not registered to Google is the ease with which such gadgets can be converted into attack tools. A gadget sourced from an unvouched-for third party could run malicious JavaScript on victim machines, steal cookies, or worse.

Apparently the vulnerability STILL hasn’t been repaired, based on a Google Gadget Group posting I saw yesterday, dated June 17, with no response by anyone in the group yet, and in particular no response from any Google staff… to be continued.

Published on June 16, 2010 at 12:22 am

Random Numbers in Java

[Image: dice players of antiquity. Caption: Random: Playing the odds in Ancient Rome]

Neil Coffey of Javamex UK offers alternatives to the java.util.Random class, the most commonly used method to generate random numbers in Java.

java.util.Random

This class generates “random enough” values, which are described as having an informal level of randomness. Such numbers have a superficial appearance of randomness to an observer, usually a human observer, not a machine. These are considered low-quality random numbers. They should never be used in any security application.

True randomly generated numbers must have the following characteristics:

  • Any number is equally likely to be generated on every iteration. This is also known as a uniformly distributed series of numbers.
  • The second criterion follows directly: No dependency exists between successive numbers as they are generated.

Alternatives to better match your random needs

Mr. Coffey describes three alternative random number generation methods. Each approach continues to use class java.util.Random, while replacing the underlying algorithm.

The first, called the XORShift generator, produces medium-quality random numbers very quickly, with only a single state variable and very simple code. This method is very well suited to J2ME games.

The next algorithm generates much higher-quality random numbers. It is a combined generator, using two XORShift generators of the sort described above. Mr. Coffey provides the code and explanation for this algorithm. The combined XORShift yields good-quality random numbers. It is suitable for non-gambling games and simulations, although it runs slightly slower than java.util.Random.

A cryptographic quality random number generator should have the following properties:

  1. It should be impossible to predict prior and future numbers from any number generated;
  2. The numbers should have no discernible biases;
  3. The generator has a large period;
  4. The generator can seed itself at any position within that period with equal probability.

A cryptographically secure random number generator is appropriate for security applications such as producing a web-server session id or picking encryption keys.

Very high-quality random numbers are generated using java.security.SecureRandom as the replacement for java.util.Random. The trade-off of quality against CPU cycles is hardly surprising: java.security.SecureRandom runs 20 to 30 times slower than any of the other algorithms.

Relative comparison between methods

Here is a very simplified way of understanding the difference between the algorithms. Suppose we need to generate a 128-bit encryption key. java.security.SecureRandom actually picks from a pool of 2^127 possible keys.

Of course java.util.Random can also be used to generate a 128-bit key. However, the values will be selected from a much smaller pool, on the order of 2^47 possible keys, because java.util.Random has a much shorter period, equal to 2^48.

The single XORShift generator falls between the two, as it has a somewhat longer period, 2^64. The combined XORShift generator extends the period further still.

Note that neither java.util.Random nor the XORShift generators are seeded randomly. This is why java.security.SecureRandom, with a machine-generated (and far more truly random) seed, is far superior. That machine-generated random seed is what is called entropy in random number generation.
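The points above, a generator plugged into java.util.Random by overriding next(), the 48-bit state of java.util.Random, and SecureRandom for security-sensitive values, as one added Java example. This is illustration code written for this post, not Mr. Coffey’s code: the class names, the XORShift shift triple (13, 7, 17), and the sample seed 42 are my choices; the 48-bit seed mask is java.util.Random’s documented behaviour.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

// Added example for this post (not Javamex code). Shows why java.util.Random
// and a single XORShift generator are unsuitable for keys, and how SecureRandom
// is used instead.
public class RandomQuality {

    /** Single XORShift generator (one 64-bit state word, period 2^64 - 1) plugged into java.util.Random. */
    public static class XorShiftRandom extends Random {
        private long state;

        public XorShiftRandom(long seed) {
            // Zero is an absorbing state for XORShift, so substitute a fixed non-zero seed (my choice).
            this.state = (seed == 0L) ? 0x9E3779B97F4A7C15L : seed;
        }

        @Override
        protected int next(int bits) {
            long x = state;
            x ^= x << 13;   // shift triple (13, 7, 17): an assumed standard choice
            x ^= x >>> 7;
            x ^= x << 17;
            state = x;
            return (int) (x >>> (64 - bits)); // hand back the top bits, as Random's contract expects
        }
    }

    /** Draw a 128-bit key from whatever generator is supplied. */
    public static byte[] key128(Random rng) {
        byte[] key = new byte[16];
        rng.nextBytes(key);
        return key;
    }

    /**
     * java.util.Random keeps only the low 48 bits of its seed, so two seeds that
     * differ above bit 47 produce identical streams: the whole key space it can
     * ever emit is at most 2^48 sequences, however the seed is chosen.
     */
    public static boolean seedsCollide(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed ^ (1L << 50));
        return Arrays.equals(key128(a), key128(b));
    }

    /** XORShift uses all 64 seed bits, so the same pair of seeds diverges. */
    public static boolean xorShiftSeedsDiverge(long seed) {
        Random a = new XorShiftRandom(seed);
        Random b = new XorShiftRandom(seed ^ (1L << 50));
        return !Arrays.equals(key128(a), key128(b));
    }

    /**
     * A web-server session id: 16 bytes from SecureRandom, hex encoded.
     * SecureRandom seeds itself from OS entropy, so no caller-supplied seed is needed.
     */
    public static String newSessionId() {
        byte[] raw = key128(new SecureRandom());
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        System.out.println("java.util.Random seeds collide: " + seedsCollide(42L));
        System.out.println("XORShift seeds diverge:         " + xorShiftSeedsDiverge(42L));
        System.out.println("SecureRandom session id:        " + newSessionId());
    }
}
```

Overriding next(int) is enough to replace the algorithm because nextInt(), nextLong() and nextBytes() in java.util.Random all funnel through it. The seedsCollide check makes the period argument concrete: a 128-bit key drawn from java.util.Random is still one of at most 2^48 possible outputs.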

Onboard Computers Subject to Attack

The New Scientist, May 2010, features an article titled “New Cars Vulnerable to Malicious Attacks”. Two researchers were able to plug a laptop into the socket under the dashboard with very little change. Using the laptop they were able to manipulate various controls on the car!

Via: Onboard Computers Subject to Attack?

Published on May 16, 2010 at 10:02 pm

Social Web Pathology Part 1

Share and Share A-like

Note: this is an updated version of my April 28th post on the theme of Social Web Pathology.

I’ve been pondering the theme of “Social Web 2.0 Pathology: Are We Connected Yet?”, and will introduce it with this mild example. Today’s post will then assess recent developments in our vanishing degrees of separation.

The date of this graphic was April 16, 2010 thus it does not contain the very consequence-laden “Like” button. Facebook announced the release of the Like button to the World Wide Web domains-at-large at the F8 conference on April 22.

There is a recent development, and it should encourage advocates of the individual’s right to privacy. U.S. Congressman Charles Schumer has an awareness of the potential for abuse via social networking, due to accelerated data sharing.  He seems to have focused his concerns around the announcement at F8 of Facebook’s Open Graph and Like button data collector. Media coverage by wire services such as Reuters – Schumer vs Facebook was prompt: Congressman Schumer explicitly stated his concern over negative impact on the consumer’s right to privacy. Shortly after, Schumer was joined by other lawmakers, who proposed a sweeping internet privacy bill on May 4, 2010, indicating grave concern over the potential risks due to information disclosure resulting from participation in social networks. Not surprisingly, Facebook was mentioned by name, as it has been on the leading edge of the social media innovation.

What abuses might result from the Like button, and by whom? The abusers could be hackers, aka crackers. Their method of infiltration might include harvesting of newly accessible personal data (mostly due to recent trends in over-sharing) using social engineering techniques. Alternatively, the traditional exploits involving unauthorized elevation of privilege would remain viable. These are now facilitated by easier password breaking due to a larger pool of available data. This becomes more straightforward as we tie ourselves closer and tighter together, along with our most critical identifying information, via social networking sites and applications.

The other source of abuse might be Facebook itself, through sharing of users’ personal information with third parties. FB announced a policy under which users will no longer have an opt-out available regarding disclosure of certain basic identifying data.

Maybe the need to prove to one and all that “I have the most friends”, a sort of Web 2.0 version of Thorstein Veblen’s concept of “status seeking” and “conspicuous consumption”, will be reined in (see Professor Veblen’s Theory of the Leisure Class, 1899). While the impulse is present in most of us, many resist the temptation. FB was well-designed, though, because it seems to have overwhelmed common sense for even the most reticent of us. Similar observations could be applied to the rise of Farmville. With 86 million players, this game that seems primarily motivated by guilt (Professor Howard Linn wrote a paper on the subject shortly before his death earlier this year) has spread like wildfire. We will hope that Congressional scrutiny will slow the onslaught of the Like button, and hold it in check until the consequences are more carefully considered. 

Published on April 28, 2010 at 8:02 am

We Revoke Our Right to Privacy with Assist From Facebook

At the F8 event yesterday, Facebook announced several powerful applications to expand the reach of the Age of Web 2.0’s already prominent social networking model. New product announcements included Open Graph application software and inclusion of location-based services for greater social web interconnectivity. The debut of the highly anticipated “Like” button on sites external to Facebook was also disclosed. In fact, Facebook stated that it already has established partnerships with approximately 30 highly visible websites including Yelp and Microsoft. Senior Facebook developers successfully demonstrated some of the potential uses to marketing and business users as well as individuals.

In light of this rather significant event, I’d like to share some of my concerns regarding the effect of increased information disclosure on us, collectively. The legal and contextual basis for my concern is drawn from a rather prescient January 2010 feature from BBC News, courtesy of watchdog blog Facebook Cleanup Your Act! . The following excerpt regarding erosion of privacy due to online activity is solid background material, and is followed by my own comments, as motivated by yesterday’s F8-associated events.

How Online Life Distorts Privacy Rights for All
By Zoe Kleinman, Technology Reporter, BBC News
Friday, 8 January 2010

People who post intimate details about their lives on the internet undermine everybody else’s right to privacy, claims an academic. Dr Kieron O’Hara has called for people to be more aware of the impact on society of what they publish online. “If you look at privacy in law, one important concept is a reasonable expectation of privacy,” he said. “As more private lives are exported online, reasonable expectations are diminishing.”

The rise of social networking has blurred the boundaries of what can be considered private, he believes – making it less of a defense by law. We live in an era that he terms “intimacy 2.0” – where people routinely share extremely personal information online. “When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes.”

Dr O’Hara, a senior research fellow in Electronics and Computer Science at the University of Southampton, gave the example of an embarrassing photo taken at a party. A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers….

This is the article’s most critical point: “People who post intimate details about their lives on the internet undermine everybody else’s right to privacy… When our expectations diminish, by necessity our legal protection diminishes…”

The importance and very negative effects associated with such a loss of privacy is significant. Contemplate an analogy, between the social web’s escalating trend toward over sharing and the risk scenario implicit in the herd immunity effect of inoculation to prevent infectious disease.

Start by considering our rapidly growing social web. An individual’s privacy is not a Constitutional right, insofar as I understand. Today’s level of coverage and certainty in the security of our private information was not achieved easily or quickly. Certain rights, such as the protection of health information under HIPAA, were only legislated during the past five or ten years. However, in this sudden outpouring of social-web-motivated information disclosure, we the people might very possibly destroy all that our predecessors, and we ourselves, have fought to achieve over a span of decades or centuries.

Now consider immunization against contagious disease. Note that metaphorical comparison to disease is not overstatement: In a worst case scenario, the threat to personal privacy (or possibly infrastructure security) due to unprecedented levels of network connectivity is dire indeed. We’ll use a non-controversial example like polio, for which immunity is achieved at the community level. Decades of time and effort were required to wipe out incidence of this disease. However, by choosing not to protect oneself (or one’s children now), the entire community is made more vulnerable, not just those who choose not to immunize. The collective immuno-status of the “herd” can be compromised by a small number of now unprotected individuals.

The phrase “going viral” with the spread of social web information is in fact just as sinister as the original epidemiological context from which it was derived.

That is why you will find virtually everyone who works in information security, be it in computers, telephony, healthcare, or financial or IT audit, to be very leery of Facebook-type services. Every time I scan news feeds from InfoSecIsland.com, Wired.com, DEFCON updates, or any other computer or financial information security forum, I see repeated references to the latest Facebook scam, exploit, user vulnerability, etc. The data security and information technology community seems to be of one mind about Facebook: no system safeguards, no matter how stringent, can protect users who choose to divulge information by over-sharing.

I conclude with a link to new media journalist, teacher and Visual Editors CEO Robb Montgomery’s excellent step-by-step instructions on How to Stay Invisible on Facebook.

Published on April 23, 2010 at 11:09 pm

Tech Update One: The Real Smart Card Finally Steps Up

Today I step out from under my dark cloud of foreboding to bring glad tidings! It seems that the consumer is finally able to avail herself of effective and affordable protection from identity theft and collateral loss. Mine arrived in a small securely wrapped parcel from www.PayPal.com a few weeks ago: an ICT Display Card. After a ten-year wait, this form of the long-anticipated “Smart Card” finally debuts.

What does it do, and is it really anything special? Yes, because the ICT Display Card appears to offer the first instance of double password protection (two-factor authentication) for the average consumer’s online transactions. Let me describe the process, although I cannot fathom how it works. The account holder logs in to the PayPal servers over a secure https connection using her established account name and password. After gently depressing the small rubbery nub, the ICT Display Card generates a six- to eight-digit security key.

How does that new password protocol work?

It appears on a (possibly LED) display, flush with the surface of the card, in the upper corner. The user then keys in the numeric code; no other process or hardware is needed. After a 6 to 10 second pause (the instructions are contrite, asking for the user’s patience during that nearly imperceptible interval), the key is authenticated and account access is granted. A different randomly generated security key is created for every session, according to the instructions. One could also use a security token delivered via text message instead of the card-based security key.

This nifty little card is the size of an ATM or credit card, and thinner and lighter than most office-building entrance cards. The only cost is a one-time charge of $5.00, including shipping and handling. Remarkable technical innovation was required, as the card is powered by a super-lightweight, paper-thin, very long-life battery, which emits a low-power radio frequency transmitting the security code. But where is the receiver? The card is not location-dependent, and may be used with any login, from any IP address. I am very curious how it works!

The developers are a privately held company, with numerous overseas retail-banking customers and a very low-profile website, probably due to this extremely valuable proprietary technology. PayPal offered this option for a more secure connection to customers as a bullet-point update on the login screen, as opposed to a more visible email distribution to customers. In fact, I recall seeing it announced only once, with minimal promotion. Instructions are given for users in the USA, Australia, Canada, Great Britain, Germany and Austria, though I believe that PayPal offers the double password option solely to US-domestic customers at present. Actually, I am intrigued by the lack of fanfare as much as by the capability of the card itself!
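The login flow described above (password first, then a short code read off the card and checked by the server) as an added Java example. The post does not say what the ICT card computes, and this is not ICT’s or PayPal’s code; it ASSUMES the common event-based one-time-password scheme, HOTP (RFC 4226), in which card and server share a secret and a button-press counter. The Account class, the look-ahead window of 5, and the sample secret (the RFC 4226 test-vector key) are my constructions for the illustration.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of server-side verification for a display-card code.
// ASSUMED scheme: HOTP (RFC 4226); the post does not state how the ICT card works.
public class DisplayCardCheck {

    /** Per-account server state: the shared secret and the next counter value the server expects. */
    public static class Account {
        final byte[] secret;   // assumed to be provisioned into the card when it is issued
        long counter;          // number of the next button press the server expects
        Account(byte[] secret) { this.secret = secret; }
    }

    /** HOTP: HMAC-SHA1(secret, counter), dynamically truncated to the requested decimal digits. */
    public static String hotp(byte[] secret, long counter, int digits) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = h[h.length - 1] & 0x0f;                 // dynamic truncation offset
        int binary = ((h[offset] & 0x7f) << 24)
                   | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8)
                   |  (h[offset + 3] & 0xff);
        int code = binary % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", code);     // keep leading zeros
    }

    /**
     * Server-side check performed after the password step. Accepts the next `window`
     * counter values, because the user may have pressed the button without logging in,
     * then moves the counter past the match so the same code can never be replayed.
     */
    public static boolean verify(Account acct, String submitted, int digits, int window)
            throws GeneralSecurityException {
        if (submitted == null || submitted.length() != digits) {
            return false;
        }
        for (long c = acct.counter; c < acct.counter + window; c++) {
            String expected = hotp(acct.secret, c, digits);
            // constant-time comparison so response timing does not reveal how many digits matched
            if (MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) {
                acct.counter = c + 1;
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // constructed sample: RFC 4226 test-vector secret, 6-digit codes, look-ahead window of 5
        Account acct = new Account("12345678901234567890".getBytes());
        String pressOnce = hotp(acct.secret, 0, 6);          // what the card would display on press 1
        System.out.println("card shows:         " + pressOnce);
        System.out.println("first use accepted: " + verify(acct, pressOnce, 6, 5));
        System.out.println("replay rejected:    " + verify(acct, pressOnce, 6, 5));
        String pressFour = hotp(acct.secret, 3, 6);          // two idle presses, then a login on press 4
        System.out.println("skipped presses ok: " + verify(acct, pressFour, 6, 5));
    }
}
```

The two server-side details worth noticing are the replay guard (the counter only ever moves forward, so a captured code is useless afterwards) and the bounded look-ahead, which tolerates a few idle button presses without letting an attacker try arbitrarily far ahead.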

Published on April 12, 2010 at 11:01 am

Thoughts about Emotional Data in Wiredset Blog

Foursquare User Numbers Soar

The title of the article Data Driven Experiences: Emotional Data, by Mark Ghuneim is fascinating, however, I’m concerned about address-level sharing of geo-spatial information as part of social networks.

FourSquare is a phone application that has seen soaring popularity since the 2010 SXSW event in Austin, Texas in March. Details of how the application works can be found at the Foursquare.com site. I was dismissive initially. It seemed little more than a way of telling others where you are at the moment, maybe making a restaurant recommendation, and earning very cute badges based on level of activity.

Activity is measured by the user’s “check-in” to a location, which is received and time-stamped via mobile device by FourSquare and further validated by a GIS-type service. Of course there is the element of competition, by earning badges and becoming “Mayor” of a location. FourSquare also offers users a less blatant way of informing friends, and possibly everyone else, that you shopped at a great new clothing boutique, or went dancing at an upscale club over the weekend. Better yet, that you made an appearance at not merely one nightclub but three, in a single evening! FourSquare would be very effective for that. Why? Well, the app is new and not yet hacked or gamed by savvy users; it is far more credible than hearsay and not subject to human error.

[Image: Foursquare activity in TX. Caption: Foursquare activity @ SXSW 2010, Austin TX]

At first glance, FourSquare and its kind didn’t seem terribly compelling. Merely more of the popularity contest and conspicuous consumption effect? Well, I didn’t foresee much potential for widespread appeal for another social networking phenomenon, different but novel in its own way: the Facebook game Farmville… and I was so very wrong.

[Image: Foursquare logo]

Businesses will certainly find value from subscriptions to FourSquare user data feeds. Geo-spatial data based social network applications, described by the more general term of LBS, location-based services, are attracting attention in unexpected ways.

For example, FourSquare advocates introduce the alluring idea that it actually enriches the lives of users with a collectively magnified knowledge base of the world to draw on, leading to a higher level of engagement with everything.

However, I believe that most possible benefits are far outweighed by the risks of over-sharing. The most obvious negative consequence is increased vulnerability, impacting personal, family and property security. Note that FourSquare does have a posted privacy policy, about which I am not informed enough to comment.

Published on April 2, 2010 at 11:21 am

Death Comes to Second Life. Again?

Some very special treats have floated by as I idle away my unemployed days.

Farewell, Pathfinder Linden! I enjoyed happy hours rummaging through your bookshelves, playing your harpsichord, dredging through the copy-mod-transferable sheet music, personal RL photos and CD cases you thoughtfully left strewn on the floor of your in-world office. Although rumored to be aloof, Pathfinder did appear to be a critical thinker, successful advocate of educational applications for Second Life, and contributor in the RL healthcare field. It would’ve been prudent for Linden Lab to keep him on staff, rather than eliminating his job.

Perhaps Not-so-full-of-Crap Mariner’s Vinnie Linden could be a SL eulogy for Pathfinder? Fly-in-the-ointment with that theory is the timing discrepancy. “Ode to Vinnie” was released in 2008.

On the Viewer War frontlines, many have noted the passing of young Master 5050, noted by NexisONLINE Status blog and at SLUniverse General Discussion. Advisory to all native and non-native speakers of the English language: the Notorious 5050 has risen and blogs again. I personally hearken more to Mr. Poenta’s campaign to “avenge the banning of the innocents”.

To end on an equally somber note, I was saddened to read of the demise of Luna viewer, discontinued on Agni and no longer running anywhere else as of March 22. Nexis ONLINE experienced no end of complications, ranging from Linden Lab’s viewer policies to the negative impact of copybot activity on Nexis’s SLX-type product FlexMarket.

Massacre at Braunworth: Slaughter of the Newbies

Memento mori. I dedicate this post to the deities of the internet and transformation. Horus and Hermes, Legba and Shiva, you are having quite a field day in our little corner of virtual reality. T.S. Eliot always says it best, excerpted from The Four Quartets:

In my beginning is my end.  In succession
Houses rise and fall, crumble, are extended,
Are removed, destroyed, restored, or in their place
Is an open field, or a factory, or a by-pass…
The only wisdom we can hope to acquire
Is the wisdom of humility. Humility is endless.

What we call the beginning is often the end
And to make an end is to make a beginning.
The end is where we start from.

Published on March 24, 2010 at 4:06 pm

Hacking is fun for you and me!

Here are my favorite exploit-themed Flash videos of the moment. The first is very G-rated: “Copying is fun!” (courtesy of youtube’s 33×3 sketch). It is entirely English-language, although the Russian translation may be counter-intuitive.

The second is an excellent exposition, set to an emotionally charged soundtrack, of a commercial website’s security vulnerability and of the discoverer’s attempts, and eventual success, at enlightening said enterprise of the situation. I’d love to share with the Computer Information Security group on LinkedIn.com, but suspect that this is a more appropriate venue.

[Video: AvatarsUnited Security Hole, 12 Feb 2010, from Isoz Bioworm on Vimeo]

Published on March 13, 2010 at 2:36 pm