
General


Quick answer is NO.

I have been looking into Web 2.0 and AJAX lately. AJAX is great. No doubt about that. Everyone loves it and it does provide a killer experience for users. But there is a cost to it. AJAX and other Web 2.0 technologies allow the use of cross-site scripting and XMLHttpRequests, which can open up yet another door for vulnerabilities.

Cross-site scripting vulnerabilities are now far more attractive targets than more notorious bugs such as buffer overflows, according to new figures from Mitre, a U.S. government-funded research organization.

Buffer overflows have long been one of the most common types of bugs attacked by malware, with Intel and Advanced Micro Devices (AMD) even building in hardware support for an anti-buffer overflow technology called NX (No Execute) or XD (Execution Disable).

But a shift is under way, according to Mitre’s findings. While buffer overflows affect executable files written in languages such as C, the increasing popularity of cross-site scripting (XSS) bugs indicates attackers are looking more at programming languages typically used for Web applications, such as Java, .Net and PHP.

Client-side scripting languages generally include same-origin policies, which allow interaction between Web objects and pages only as long as they come from the same domain and over the same protocol. XSS bugs allow malicious Web sites to find ways around these policies, potentially accessing sensitive data in other objects or browser windows.

The second most popular type of attack was SQL injection, which allows attackers to execute malicious SQL statements within a database. Third most popular were PHP “include” vulnerabilities, which can allow attackers to execute arbitrary script on a server by including them in an existing script.

Out of about 20,000 reported vulnerabilities recorded by Mitre so far this year, 21.5% were XSS, 14% were SQL injection and 9.5% were PHP includes. Buffer overflows came in fourth, at 7.9%.


Filed under General, Reviews, TechZone 

They are getting better and better at this :)

Here is an email I found in my bulk folder recently. I was curious to look into it. I knew the email was wrong.

eBay Phishing email

From:

Subject :

Body

Notes

  • Overall, the email looks quite authentic! (But it is not.)
  • They used all images from the actual eBay website.
  • The privacy statement and user agreement links also point to the actual eBay website. Well, no harm there.
  • Smartly, the actual link to the phishing website was an image, which is pointing to “ebaystatic.com”. I don’t think that it is a valid eBay domain. I am not sure though.

Where is the catch?

  • You only find the catch when you see where that image button is actually going (see it from “view source”):

    <a target="_blank" rel="nofollow"
       href="http://rds.yahoo.com/_ylt=A0ylu=X3oDXzc1/SIG=148vsd1jp/EXP=1138544186/**http://68.179.141.65/login.php">
    <img border="0"
         src="http://pics.ebaystatic.com/aw/pics//email/btnRespond.gif"
         width="193" height="22">
    </a>

Good try ! but we know better :) Please, remember:

  • A good and genuine website will never ask and solicit users to enter login & password information. Most of us know that, but a good reminder does not hurt :)
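
The “view source” check from “Where is the catch?” can be automated. The following is an added example, not part of the original post: it parses an HTML email, unwraps the `/**` redirector suffix seen in the link above, and reports whether the real destination is a bare IP address. The sample input is the post's anchor rewritten as well-formed HTML; the function and class names are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor quoted in the post, as well-formed HTML.
SAMPLE = ('<a target="_blank" rel="nofollow" href="http://rds.yahoo.com/'
          '_ylt=A0ylu=X3oDXzc1/SIG=148vsd1jp/EXP=1138544186'
          '/**http://68.179.141.65/login.php">'
          '<img border="0" width="193" height="22" '
          'src="http://pics.ebaystatic.com/aw/pics//email/btnRespond.gif"></a>')

class LinkCollector(HTMLParser):
    """Record each link's href and the hosts of the images shown inside it."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._cur = {"href": attrs["href"], "image_hosts": []}
            self.links.append(self._cur)
        elif tag == "img" and self._cur is not None:
            self._cur["image_hosts"].append(urlsplit(attrs.get("src", "")).hostname)

    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Annotate each link with its real destination and two warning signs."""
    collector = LinkCollector()
    collector.feed(html)
    for link in collector.links:
        # The redirector in the post appends the real destination after "/**".
        target = link["href"].split("/**", 1)[-1]
        host = urlsplit(target).hostname or ""
        link.update(target=target, redirected=target != link["href"],
                    ip_literal=is_ip_literal(host))
    return collector.links
```

For the sample, the image host looks like the brand while the unwrapped target is an IP literal reached through a third-party redirector, which is exactly the mismatch the post spots by hand.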

Filed under General, Password theft, Tips, EduZone 

IF YOU think the password protection on your MS Word file is keeping it safe from prying eyes, chances are you’re wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, A Cryptanalytic Time - Memory Trade-Off, involves pre-generating a massive “rainbow table” of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven’t been available. But cheap storage means rainbow tables are in vogue in the IT security industry. “Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes,” says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what’s known as a “brute force” attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn’t match, the process is repeated until a match is found - it’s a long and tedious process.

With rainbow tables, the encrypted forms of most possible passwords are pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe’s PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.

“It’s a lot of (storage) space but the nice thing is it only needs to be done once,” says Peiter Zatko, a division scientist at BBN Technologies, a government contractor that conducts research for the US Department of Defence and other government agencies.

Mr Zatko is best known for writing the L0phtcrack password cracking tool in the ’90s. It was used to crack Windows passwords with ease, something he hoped would change the way organisations managed their passwords. Instead, L0phtcrack was commercialised and became the industry-standard password auditor, much to Mr Zatko’s dismay. “That was my problem with L0phtcrack. People were using it to audit their passwords,” he says. “It was supposed to be a statement of ‘understand your risks’.”

This article was derived from here
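
The time-memory trade-off described above, as an added example that is not from the article or from any cracking tool: a toy chain table over a constructed 3-letter keyspace, with SHA-256 standing in for a file format's password hash. It goes slightly beyond the article's description by storing only chain start and end points (the storage saving the 1980 paper is about) and by showing that a per-password salt, which the article does not discuss, makes the precomputed table useless. All names and parameters are assumptions.

```python
import hashlib
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                      # constructed toy keyspace: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 50

def H(password, salt=""):
    return hashlib.sha256((salt + password).encode()).hexdigest()

def index_to_password(n):
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def reduction(digest, column):
    """Map a digest back into the keyspace; differs per column (the 'rainbow')."""
    return index_to_password((int(digest[:12], 16) + column) % SPACE)

def build_table(n_chains):
    """Keep only endpoint -> start points; the chain interior is discarded."""
    table = defaultdict(list)
    for i in range(n_chains):
        start = pw = index_to_password(i * (SPACE // n_chains))
        for col in range(CHAIN_LEN):
            pw = reduction(H(pw), col)
        table[pw].append(start)
    return table

def lookup(table, target):
    """Pay with time instead of memory: re-walk chains to find the preimage."""
    for guess_col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduction(target, guess_col)        # assume target sits in this column
        for col in range(guess_col + 1, CHAIN_LEN):
            pw = reduction(H(pw), col)
        for start in table.get(pw, ()):          # endpoint hit: replay that chain
            cand = start
            for col in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduction(H(cand), col)
    return None
```

`build_table(400)` stores 400 start points instead of 17,576 hashes, and `lookup` recovers any password that falls on a stored chain. The same lookup against `H(password, salt=...)` returns `None`, because the table was computed for unsalted hashes only.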


Filed under General, Security Warnings, TechZone 

It is an interesting thought, isn’t it? In terms of security, it will be a lot safer.

The other day I read a report explaining why we should not sign the back of our credit cards so we will be forced to show our driver’s license when we use them. That’s supposed to protect us just in case someone steals a card. But the back of the credit card indicates that the card is not valid unless it is signed. Who should we believe?

Of course, signing a credit card increases the risk of identity theft, and hackers have one more way to get to your dollars :)

Here is my thought - Let’s not sign it. It’s useless as a deterrent, as anyone who takes your card then has a sample of your signature which they can not only use on any charge slip, but on your checks as well. However, do not leave the white strip blank. In that space, write: “Ask For Picture ID,” and be prepared to back that up someday when you’re in a hurry and the clerk wants to see a driver’s license as well as the card. It makes the charge transaction a little longer, but a lot safer.

I know that by saying this I have provoked many thoughts and arguments.

Not signing can have legal issues though

If you write Check I.D., a retailer or p.o.s. may refuse to take said card. Also, according to some banks’ rules and regulations, if you write check I.D. on the back, you’ve just invalidated the card. It can vary from bank to bank. Banks don’t usually specifically prohibit it per se, but in the agreement for either a debit or credit card it can say, “not valid unless signed by the card holder” and even sometimes include verbiage like “signature must match name on front of card” or something similar, implying that signing with “Check ID” makes the card invalid.

I have heard many people write “Ask For Picture ID” or “Ask For ID” and it works for them.

So there are mixed thoughts and experiences.

What do you think ?


Filed under General 

So far, I have found Mozilla’s Firefox better than IE in terms of security.

It claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

  • Add n’ Edit Cookies
    This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
  • Dr. Web Anti-Virus Link Checker
    This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  • FormFox
    This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  • FlashBlock
    Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
  • LiveHTTPHeaders & Header Monitor
    LiveHTTPHeaders is an incredibly useful tool for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
  • JavaScript Option
    This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
  • NoScript
    This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the <a> tag; and attempt to rewrite links that execute javascript to go to their intended destination without triggering the script code. The one thing I’d really like to see from this extension would be more granularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.
  • QuickJava
    Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
  • ShowIP
    This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
  • SpoofStick
    The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  • Tamper Data
    Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I’ll collect them in an upcoming post.


Filed under General, Reviews, TechZone, Tips 
