<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8281035461329714656</id><updated>2011-11-17T08:22:17.595-05:00</updated><category term='buzzwords'/><category term='disabling javascript'/><category term='firesheep'/><category term='javascript'/><category term='advertising social contract'/><category term='news'/><category term='sexting'/><category term='bugs'/><category term='passwords'/><category term='ads'/><category term='privacy'/><category term='wtf'/><category term='sql injection'/><category term='banking'/><category term='cute'/><category term='browsers'/><category term='presentation'/><category term='firefox'/><category term='location'/><category term='academia'/><category term='social networking'/><category term='survey'/><category term='web 2.0'/><category term='spam'/><category term='SOMA'/><category term='can&apos;t make an omelette without breaking some eggs'/><category term='video'/><category term='error messages'/><category term='clickjacking'/><category term='link'/><category term='bad behaviour'/><category term='xss'/><category term='credit card'/><category term='physical security'/><category term='laws'/><category term='usability'/><category term='barcode'/><category term='facebook'/><category term='me'/><category term='authentication'/><category term='ajax'/><category term='security professionals'/><category term='humour'/><category term='games'/><category term='communication'/><category term='web security'/><category term='patents'/><category term='social hacking'/><category term='meta'/><category term='copyright'/><category term='phishing'/><category term='captcha'/><category term='CCS'/><category 
term='plagiarism'/><category term='noscript'/><category term='twitter'/><category term='network effect'/><category term='ssl'/><category term='w2sp'/><category term='exploit'/><title type='text'>Web Insecurity</title><subtitle type='html'>JavaScript joys and other perils of the modern web</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>53</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7066010589104256825</id><published>2011-09-26T18:32:00.000-04:00</published><updated>2011-09-26T18:32:11.132-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humour'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>On the Subject of Privacy and Pants...</title><content type='html'>I was proofreading a privacy paper this afternoon and came across the funniest typo.  
I feel it is funnier if I illustrate it so that you too can see what popped into my head when I read it:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-A-d8rAx9qUE/ToD63sORd4I/AAAAAAAAAVs/lA4tv-prT7U/s1600/privacybreeches.jpg" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="292" width="400" src="http://2.bp.blogspot.com/-A-d8rAx9qUE/ToD63sORd4I/AAAAAAAAAVs/lA4tv-prT7U/s400/privacybreeches.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;(&lt;a href="http://www.flickr.com/photos/cnewtoncom/467778980/"&gt;Photo by cnewtoncom&lt;/a&gt;.  For geek points, guess whose famous pants those are without clicking the link!)&lt;br /&gt;&lt;br /&gt;Privacy breeches are much funnier than privacy breaches. &lt;br /&gt;&lt;br /&gt;I'm not going to be able to get dressed tomorrow without laughing at my privacy-preserving pants. One could argue, perhaps, that the function of many pants is to provide basic privacy... but I leave the finding of non privacy-preserving pants as an exercise to the reader.  
And though it is a bit tempting to run a contest for the best illustration of a privacy breech breach, I imagine it would get not safe for work very quickly!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7066010589104256825?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7066010589104256825/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7066010589104256825' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7066010589104256825'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7066010589104256825'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/09/on-subject-of-privacy-and-pants.html' title='On the Subject of Privacy and Pants...'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-A-d8rAx9qUE/ToD63sORd4I/AAAAAAAAAVs/lA4tv-prT7U/s72-c/privacybreeches.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-670693377826477183</id><published>2011-06-24T02:52:00.002-04:00</published><updated>2011-06-24T06:10:06.140-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social networking'/><category 
scheme='http://www.blogger.com/atom/ns#' term='humour'/><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='security professionals'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='exploit'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>I admit, I laughed: LulzSec as popular as orgasms?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-pOE4ls95yzc/TgQszZYCXvI/AAAAAAAAAFw/ruQnqAzj6qM/s1600/somehwat-mad-completely-mad-u-mad-MADAD_reasonably_small.jpg" imageanchor="1" style="clear:right; float:right; margin-left:1em; margin-bottom:1em"&gt;&lt;img border="0" height="128" width="128" src="http://2.bp.blogspot.com/-pOE4ls95yzc/TgQszZYCXvI/AAAAAAAAAFw/ruQnqAzj6qM/s400/somehwat-mad-completely-mad-u-mad-MADAD_reasonably_small.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Unless you've been ignoring the news for the past few weeks, you've probably seen mention of &lt;a href="https://twitter.com/lulzsec"&gt;LulzSec&lt;/a&gt;, and if you're a security person you've probably seen this article about &lt;a href="http://risky.biz/lulzsec"&gt;Why [security folk] secretly love LulzSec&lt;/a&gt;.  The short version is that they're the latest hacker gang, and rather than profit or social justice, they're just in it &lt;a href="http://www.urbandictionary.com/define.php?term=lulz"&gt;for the lulz&lt;/a&gt;.  They're really making the state of computer security more obvious to the layperson:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;LulzSec is running around pummelling some of the world's most powerful organisations into the ground... 
for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.&lt;/blockquote&gt;&lt;br /&gt;While I often joke that web security is an oxymoron, they demonstrate it in the funniest ways they can find.  As a web security researcher, I have to admit that their antics often make me laugh... and kinda make me wish I was allowed to use stolen data for research -- all those passwords!  Data was always hard to come by when I did my spam immune system work so that much just makes me salivate a little, even if I'm pretty sure our ethics committee wouldn't let me touch it.  And it's not like I do authentication research.  But still!  Data!  &lt;a href="http://www.skullsecurity.org/blog/2011/ethics-of-password-crackingdissemination"&gt;I hope someone's doing cool things with it&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;But here's a bit of meta-lulz: &lt;a href="http://nakedsecurity.sophos.com/2011/06/21/lulzsec-scam-facebook/"&gt;LulzSec scam discovered on Facebook - but it's not what you think&lt;/a&gt;.  The excellent Graham Cluley discovers a Facebook scam that purports to have a picture of a LulzSec suspect, and then he sleuths out that the pixelated bait picture is, in fact, of another hacker arrested in 2008. &lt;br /&gt;&lt;br /&gt;This means that LulzSec is apparently now so newsworthy that potential pictures of them can be used as bait for Facebook scams.  They're up there with &lt;a href="http://nakedsecurity.sophos.com/2011/06/17/the-president-is-finally-taking-charge-no-a-facebook-phishing-attack/"&gt;Obama&lt;/a&gt;, &lt;a href="http://nakedsecurity.sophos.com/2011/06/01/rihanna-hayden-panettiere-lesbian-sex-video-mac-malware-facebook/"&gt;celebrity sex tapes&lt;/a&gt; and the ever-popular &lt;a href="http://nakedsecurity.sophos.com/2011/05/16/facebook-dislike-button-spreads-fast-but-is-a-fake-watch-out/"&gt;dislike button&lt;/a&gt;.  
&lt;br /&gt;&lt;br /&gt;I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as &lt;a href="http://nakedsecurity.sophos.com/2011/06/18/amazing-orgasm-facebook-scam/"&gt;orgasms&lt;/a&gt;... at least when it comes to scam bait.  &lt;br /&gt;&lt;br /&gt;And to end with more lulz, here's my favourite LulzSec tweet of today, which came in the midst of explaining what they had and hadn't actually hacked as the media attributes everything and anything to them:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://twitter.com/#!/LulzSec/status/84019077894516737" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="107" width="400" src="http://3.bp.blogspot.com/-5LW9T9RhkHo/TgQv1CF04LI/AAAAAAAAAF4/lSWXu_czTWg/s400/lulz-sun.png" alt="@LulzSec: Though we did attack the actual sun... that bitch was down all last night." title="@LulzSec: Though we did attack the actual sun... that bitch was down all last night." 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-670693377826477183?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/670693377826477183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=670693377826477183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/670693377826477183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/670693377826477183'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/06/i-admit-i-laughed-lulzsec-as-popular-as.html' title='I admit, I laughed: LulzSec as popular as orgasms?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-pOE4ls95yzc/TgQszZYCXvI/AAAAAAAAAFw/ruQnqAzj6qM/s72-c/somehwat-mad-completely-mad-u-mad-MADAD_reasonably_small.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4931279192647046413</id><published>2011-04-07T10:28:00.003-04:00</published><updated>2011-04-07T10:32:48.190-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='location'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>News: Experts recommend stronger 
protections for "Geodata"</title><content type='html'>Interesting article: &lt;a href="http://www.sciencedaily.com/releases/2011/04/110404084801.htm"&gt;Personal 'Geo Data' as Sensitive as Private Genetic Information, Experts Argue&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Currently, no consensus exists for the definition of "sensitive data" in data protection and privacy law either in the EU or the USA. However, given the status of both regions as major trading partners it is essential in the digital age that such consensus is formed soon while legislation is in a transitional period. Consistent legislation would not only protect consumers and sellers, but also improve confidence across the whole of e-commerce and mobile computing.&lt;/blockquote&gt;&lt;br /&gt;That's perfectly true and reasonable.  But I'm less thrilled about the example of why it might be sensitive:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Jessen points out in what particular situation geo-tracking might be most sensitive. "The intrusion and loss of integrity related to the processing of geographic location data are apparent when customers are subject to constant monitoring or when geographic location data are combined with other sensitive or demographic data, such as the location of bars, casinos, red-light districts," she says. She adds that "Personal profiles are established for behavioural advertising purposes on this basis." Even anonymised location data might compromise an individual's privacy, so it too must be subsumed in new privacy legislation.&lt;/blockquote&gt;&lt;br /&gt;Red light districts?  Once again, &lt;a href="http://webinsecurity.blogspot.com/2010/08/privacy-not-just-for-people-who-are.html"&gt;privacy is not just for people who have something to hide&lt;/a&gt;, news writers and legislators.  
Surely, someone can come up with some other convincing reasons for geodata to be sensitive that don't make it sound like you're protecting only compulsive gamblers, alcoholics, and others who could be conceived of as doing something not entirely socially appealing?  Especially if you're then going to try to convince the US to provide consistent legislation, it seems some other examples could be helpful in making the case.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4931279192647046413?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4931279192647046413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4931279192647046413' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4931279192647046413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4931279192647046413'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/04/news-experts-suggest-that-geo-data.html' title='News: Experts recommend stronger protections for &quot;Geodata&quot;'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-126812272386045291</id><published>2011-03-31T09:00:00.109-04:00</published><updated>2011-04-07T10:28:46.002-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='location'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Comprehensive Guide to Twitter Privacy: Where are you?</title><content type='html'>&lt;h1&gt;Comprehensive Guide to Twitter Privacy&lt;/h1&gt;&lt;br /&gt;I've become fascinated with how Twitter has such simple settings, and yet Twitter privacy is in many ways quite complex, so I'm starting to put all of this information together. This is part 2 of... a bunch.  &lt;br /&gt;&lt;br /&gt;[&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html"&gt;Part 1: Who hears what you say?&lt;/a&gt;]&lt;br /&gt;[&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html"&gt;Part 2: Where are you?&lt;/a&gt;] &lt;-- you are here!&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now read on to learn &lt;strong&gt;How your iPhone may be letting people know where you live&lt;/strong&gt; and what being responsible about sharing your location really entails!&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Part 2: Where are you?&lt;/h2&gt;&lt;p&gt;A year ago, I talked about &lt;a href="http://webinsecurity.blogspot.com/2010/02/foursquare-for-thieves-and-privacy.html"&gt;How Foursquare can help people steal your stuff&lt;/a&gt;.  Someone had set up a handy site called &lt;a href="http://pleaserobme.com"&gt;PleaseRobMe.com&lt;/a&gt; which let you search to find out who in a given area wasn't at home based on their Foursquare checkins.  (The site now says the authors have made their point about oversharing and have disabled the search.)    &lt;p&gt;The point being that while sharing your location can be a neat way to meet up with friends, it can also be used in dangerous ways.  So whether it's Foursquare, Yelp, Facebook Places, Google Latitude, or Twitter, you need to think about what you're sharing and why.  
&lt;h3&gt;Twitter's built-in location settings&lt;/h3&gt;&lt;p&gt;At the time I wrote about PleaseRobMe.com, I don't think location was built into Twitter, but it's since been made an option for any Twitter post.  I have to say that I really love what Twitter has done to make this option clear... including doing their best to make it possible to recover from an "oops" moment where you realise you've been sharing waaay too much information and want to delete all the location data to be safe:  &lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-Lhf6m6W1Pu4/TXWS9YmX_UI/AAAAAAAAAFE/AqeGQsxZ6Uw/s1600/twitterlocation.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="166" width="400" src="http://4.bp.blogspot.com/-Lhf6m6W1Pu4/TXWS9YmX_UI/AAAAAAAAAFE/AqeGQsxZ6Uw/s400/twitterlocation.png" /&gt;&lt;/a&gt;&lt;/div&gt;They've also done a nice job with the &lt;a href="http://support.twitter.com/forums/26810/entries/78525"&gt;"Learn more" help document&lt;/a&gt;, which includes the following message:    &lt;blockquote&gt;&lt;strong&gt;Be cautious and careful about the amount of information you share online.&lt;/strong&gt; There may be some updates where you want to share your location ("The parade is starting now." or "A truck just spilled delicious candy all over the roadway!"), and some updates where you want to keep your location private. &lt;strong&gt;Just like you might not want to tweet your home address, please be cautious in tweeting coordinates you don't want others to see.&lt;/strong&gt;&lt;/blockquote&gt;&lt;p&gt;That pretty much sums up the advice any security/privacy expert would give you, although the &lt;a href="http://support.twitter.com/forums/26810/entries/78525"&gt;complete document&lt;/a&gt; also explains how to turn things on and off, when one might prefer a precise location and when one might prefer just the city, etc.        
&lt;p&gt;But just like with &lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html"&gt;the tweet privacy settings we talked about in part 1&lt;/a&gt;, this isn't the only way your location can be shared.  Only this time, we're not going to blame your followers... we're going to blame your camera.   &lt;h3&gt;How your iPhone may be telling everyone where you live&lt;/h3&gt;&lt;p&gt;Many modern smartphones and cameras, including the iPhone, have a GPS built-in such that you can store location data with every photo.  That's pretty cool when it comes to sorting photos later, but because this information is stored with a photo, each picture you share could potentially tell someone exactly where you are (or were when you took the photo).  &lt;p&gt;In &lt;a href="http://www.usenix.org/events/hotsec10/tech/full_papers/Friedland.pdf"&gt;Cybercasing the Joint: On the Privacy Implications of Geo-Tagging&lt;/a&gt;, Friedland and Sommer started looking at how many people share location data, whether they did so in unsafe ways, and whether they were aware of what information they were sharing.  I highly recommend you flip through &lt;a href="http://www.usenix.org/events/hotsec10/tech/slides/friedland.pdf"&gt;their HotSec presentation&lt;/a&gt; to look at the examples. (Even better if you can catch them presenting -- I really enjoyed seeing that presentation in person! -- but the slides are pretty informative on their own.)  &lt;br /&gt;&lt;br /&gt;&lt;p&gt;My favourite one involves William Shatner accidentally revealing a "secret" studio location when he posted about recording there!  And perhaps more relevant to "cybercasing the joint" are the craigslist posts that show expensive items, their exact geolocation, and the list of times when someone will be at home to take a phone call from an interested buyer.  
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-ulZDW_4G0Z0/TZLkL5xdqzI/AAAAAAAAAFU/uW-q5pIVmuo/s1600/twitpic.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="155" width="400" src="http://1.bp.blogspot.com/-ulZDW_4G0Z0/TZLkL5xdqzI/AAAAAAAAAFU/uW-q5pIVmuo/s400/twitpic.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;The issue here is that geodata is often recorded by default. And it can even be dangerous to share this information.  As a parent, how would you feel if you realized your teenage daughter had been taking photos of herself in her bedroom and it turned out that any predator could figure out where she lived?  How do you feel about the fact that your friends' photos from your last party may have told everyone on the internet where you live?  &lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.flickr.com/photos/lalakis/3238750109/" title="Untitled by Lauren Lakis, on Flickr"&gt;&lt;img src="http://farm4.static.flickr.com/3257/3238750109_be60c05e14_m.jpg" width="240" height="127" alt=""&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;Many photo services, such as Twitpic and Flickr, allow you to generalize your data so that it shows up as being in a city without showing precisely where within that city.  
But if you choose to have it visible (or just don't hide the data), you can often get a nice map where you can zoom in:  &lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-eROgn8qGr_Q/TZLmeC0CrSI/AAAAAAAAAFc/pudfXnudtSE/s1600/flickr-map.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="178" width="319" src="http://3.bp.blogspot.com/-eROgn8qGr_Q/TZLmeC0CrSI/AAAAAAAAAFc/pudfXnudtSE/s400/flickr-map.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;On Flickr you can view the exif data (Exchangeable image file format -- basically extended meta-information that the camera stores inside the photo file) and get the coordinates there...  &lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-cM71I0Ehn2U/TZLm7fkKzZI/AAAAAAAAAFk/AQ24Rrs1zX8/s1600/flickr-gps.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="142" width="377" src="http://4.bp.blogspot.com/-cM71I0Ehn2U/TZLm7fkKzZI/AAAAAAAAAFk/AQ24Rrs1zX8/s400/flickr-gps.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;All ready for someone's stalking pleasure!  &lt;p&gt;&lt;h3&gt;The moral of this story&lt;/h3&gt;&lt;p&gt;Sharing your location can be scary, and protecting your location privacy doesn't stop at turning off location on Twitter or refusing to sign in to Foursquare/Facebook places/Yelp.  If you don't want everyone to know exactly where you are, you also have to make sure your camera and your friends' cameras aren't giving the game away.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Stay tuned for more Twitter privacy posts in April! 
And in case you missed it, here's [&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html"&gt;Part 1: Who hears what you say?&lt;/a&gt;] which talks about tweet privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-126812272386045291?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/126812272386045291/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=126812272386045291' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/126812272386045291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/126812272386045291'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html' title='Comprehensive Guide to Twitter Privacy: Where are you?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-Lhf6m6W1Pu4/TXWS9YmX_UI/AAAAAAAAAFE/AqeGQsxZ6Uw/s72-c/twitterlocation.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-8516058579307504299</id><published>2011-03-07T18:00:00.028-05:00</published><updated>2011-03-31T13:54:53.560-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Comprehensive Guide to Twitter Privacy: Who hears what you say?</title><content type='html'>&lt;h1&gt;Comprehensive Guide to Twitter Privacy&lt;/h1&gt;&lt;br /&gt;I've become fascinated with how Twitter has such simple settings, and yet Twitter privacy is in many ways quite complex, so I'm starting to put all of this information together.   This is part 1 of... many.&lt;br /&gt;&lt;br /&gt;[&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html"&gt;Part 1: Who hears what you say?&lt;/a&gt;]  &lt;-- you are here!&lt;br /&gt;[&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html"&gt;Part 2: Where are you?&lt;/a&gt;]&lt;br /&gt;&lt;br /&gt;Note that many of the things I'm saying here are true of other social networks or any place you might share information online, but I decided this would be most readable with examples from one site, so I've decided to use Twitter, which I like and use regularly.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Part 1: Who hears what you say?&lt;/h2&gt;&lt;br /&gt;On the surface, Twitter has perhaps the simplest privacy policy of any social network:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-C1dCUXuYiPQ/TXJyjxV8AtI/AAAAAAAAAEg/SAd1adOtOUo/s1600/twitterprivacy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="88" src="http://4.bp.blogspot.com/-C1dCUXuYiPQ/TXJyjxV8AtI/AAAAAAAAAEg/SAd1adOtOUo/s400/twitterprivacy.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Either everyone can read your tweets (everything you say on twitter is public) or you can make your feed private (and then maintain a list of people who are allowed to see it).  
&lt;br /&gt;&lt;br /&gt;You also, regardless of which option you choose, have the option of blocking individuals from following you.  Blocking someone isn't hugely effective if they can then log out and read your public feed anyhow, but it can cut down on spam.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Retweeting&lt;/h3&gt;&lt;br /&gt;Blocking everyone you don't know is not necessarily the end of the story.  Just like gossip, anyone who can read what you've said can also share it.  It's fairly common in twitter parlance to "retweet" a message: that is, repeat the message verbatim or sometimes with small edits for length or the addition of commentary.  &lt;br /&gt;&lt;br /&gt;When you have a public account, retweeting is pretty much harmless behaviour.  Anyone could see that funny thing you said if they looked, so if one of your followers retweets it, you're really just winding up with a few more strangers seeing it than you might otherwise.  But they could have looked at that tweet at any time if they so chose.  Often it's a really positive thing: more people get to hear about a cause you believe in or something cool you've done.  &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-m-tegHqZFFY/TXVarEV_zJI/AAAAAAAAAE8/SfBero62C_o/s1600/retweet.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="130" width="400" src="http://3.bp.blogspot.com/-m-tegHqZFFY/TXVarEV_zJI/AAAAAAAAAE8/SfBero62C_o/s400/retweet.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;However, the story can be quite different if you have a private account.  Perhaps you have chosen to keep your account private because you and your boss don't share political views.  That "funny" thing you said could become seriously awkward if she winds up seeing it retweeted.  
Probably you chose to make your account private for a reason, and retweets can violate your expectation of privacy.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Violating privacy with retweets?&lt;/h3&gt;&lt;br /&gt;There's actually a whole paper on this subject that appeared in Web 2.0 Security and Privacy 2010.  It has the cheesy-cute title &lt;a href="http://w2spconf.com/2010/papers/p28.pdf"&gt;RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network&lt;/a&gt;. They found that while some clients did block users from retweeting private feeds, many didn't, and of course users could always just type RT and repeat the whole message anyhow.  &lt;b&gt;The researchers collected 4.42 million tweets that were exposing private information&lt;/b&gt; in this manner, and they expect that the numbers will continue to climb. &lt;br /&gt;&lt;br /&gt;It's hard to tell, however, whether those millions of exposed tweets were really problematic for the people who wound up exposed.  Perhaps millions of people asked before retweeting (something you should always do before sharing private information, but I know even I forget to do this sometimes when telling a good story I heard, so I suspect retweeting is no different).  Perhaps most of the tweets were cute pictures of cats that no one really minded sharing.  
But either way, you should be aware of what you retweet and aware of what you say that could be retweeted.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.flickr.com/photos/josefdunne/4319306255/" title="RETWEET @josef (Experiment) by Josef Dunne, on Flickr"&gt;&lt;img src="http://farm3.static.flickr.com/2707/4319306255_13bfe7562b_m.jpg" width="240" height="160" alt="RETWEET @josef (Experiment)" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h3&gt;Retweeting lies&lt;/h3&gt;&lt;br /&gt;It's also worth noting that even though the researchers assumed that most of those tweets were actual privacy exposures, it's equally possible that many of them were made up.  If someone can type RT and your name and cut and paste in the message, there's no reason that it has to be &lt;em&gt;your&lt;/em&gt; message that they post.  Often edits are minor, but there's nothing stopping one from going &lt;code&gt;RT @twitter we hate kittens&lt;/code&gt; or something significantly more damaging to someone's reputation.  Without a public feed, it's hard to refute since no one can check what you said, and even with a public feed people may assume that you deleted the offending message.  &lt;a href="http://www.rttnews.com/Content/EntertainmentNews.aspx?Section=2&amp;Id=1569700&amp;SM=1"&gt;A recent defamation lawsuit&lt;/a&gt; in the US may serve as a reminder that what you say and what you seem to say on twitter could have real implications.&lt;br /&gt;&lt;br /&gt;So that little checkbox?  
It's clearly not the end of the story.&lt;br /&gt;&lt;br /&gt;Stay tuned for Part 2 next week!&lt;br /&gt;&lt;br /&gt;[&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html"&gt;Part 1: Who hears what you say?&lt;/a&gt;]  &lt;-- you are here![&lt;a href="http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy_31.html"&gt;Part 2: Where are you?&lt;/a&gt;]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-8516058579307504299?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/8516058579307504299/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=8516058579307504299' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/8516058579307504299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/8516058579307504299'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/03/comprehensive-guide-to-twitter-privacy.html' title='Comprehensive Guide to Twitter Privacy: Who hears what you say?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-C1dCUXuYiPQ/TXJyjxV8AtI/AAAAAAAAAEg/SAd1adOtOUo/s72-c/twitterprivacy.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2638166810960390077</id><published>2011-03-01T11:26:00.005-05:00</published><updated>2011-03-01T11:35:56.047-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>News: Facebook still going to share your address/phone # with external sites</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679942/" title="Old Facebook home page"&gt;&lt;img src="http://farm5.static.flickr.com/4073/4920679942_8efb2881b2_m.jpg" alt="Old Facebook home page" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679942/"&gt;Old Facebook home page&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/terrio/"&gt;Terriko&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;Over a month ago, I wrote &lt;a href="http://webinsecurity.blogspot.com/2011/01/facebook-enabling-annoying-phone-calls.html"&gt;Facebook now enabling annoying phone calls and paper junk mail?&lt;/a&gt; and shortly thereafter they pulled the plan.  
&lt;br /&gt;&lt;br /&gt;But &lt;a href="http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numbers_n_829459.html"&gt;it sounds like it's back on the table&lt;/a&gt;, along with &lt;a href="http://gadgetwise.blogs.nytimes.com/2011/03/01/facebook-facelifts-its-privacy-policy/?src=busln"&gt;an updated privacy policy format&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Given that anyone can buy a targeted Facebook advertisement, is this going to lead to new levels of stalking and general harassment from "advertisers" who think it's totally worth a few bucks to get the phone #s of all the women who they might find attractive in their metro area?  Awkward.&lt;br /&gt;&lt;br /&gt;As usual, I recommend not having private contact information available in Facebook for your own safety.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2638166810960390077?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2638166810960390077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2638166810960390077' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2638166810960390077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2638166810960390077'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/03/news-facebook-still-going-to-share-your.html' title='News: Facebook still going to share your address/phone # with external sites'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4073/4920679942_8efb2881b2_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2069117464959857547</id><published>2011-02-15T09:00:00.003-05:00</published><updated>2011-02-15T09:00:44.744-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>To whom are you confessing?</title><content type='html'>Many people have been abuzz over the &lt;a href="http://itunes.apple.com/us/app/confession-a-roman-catholic/id416019676?mt=8&amp;ls=1"&gt;iPhone Confession App&lt;/a&gt; which even &lt;a href="http://www.bbc.co.uk/news/technology-12391129"&gt;received approval from the church&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.priv.gc.ca/"&gt;Office of the Privacy Commissioner of Canada&lt;/a&gt; &lt;a href="http://blog.privcom.gc.ca/index.php/2011/02/09/fess-up-where-does-my-data-go/"&gt;isn't ready to give the app their blessing&lt;/a&gt;, though:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/jessgarduno/4748397648/" title="Confessions"&gt;&lt;img src="http://farm5.static.flickr.com/4098/4748397648_c7e1bf29fd_m.jpg" alt="Confessions" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/jessgarduno/4748397648/"&gt;Confessions&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/jessgarduno/"&gt;jess.g.&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;One of the selling points of the app appears to be the password-protection feature, 
enabling you to lock out anyone who may try to find out about your sinnin’ ways. But what seems to be missing is what Little iApps, the developer of Confession, will do with the data they collect. According to reports, the app asks users to also provide information on their age, sex and marital status – paired with detailed information on the user’s transgressions, that’s a potentially detailed profile that would be quite attractive to marketers and others.&lt;br /&gt;&lt;br /&gt;Details on the collection and use of the user-provided data wasn’t available on Little iApps’ site…so if the developer is collecting and using information without the user knowing, does that mean they’ve broken one of the commandments themselves – “Thou shalt not steal”?&lt;/blockquote&gt;&lt;br /&gt;Read their entire blog post entitled &lt;a href="http://blog.privcom.gc.ca/index.php/2011/02/09/fess-up-where-does-my-data-go/"&gt;‘Fess up – where does my data go?&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2069117464959857547?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2069117464959857547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2069117464959857547' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2069117464959857547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2069117464959857547'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/02/to-whom-are-you-confessing.html' title='To whom are you confessing?'/><author><name>Terri 
Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4098/4748397648_c7e1bf29fd_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5778510558112268382</id><published>2011-02-14T16:21:00.001-05:00</published><updated>2011-02-14T16:23:38.196-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bad behaviour'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><title type='text'>Free Wordpress themes considered harmful</title><content type='html'>It used to be that you could tell what was likely to give your computer a virus: if you stayed away from the porn and "free screensavers" then you were pretty much ok.  Nowadays, though, with cross-site scripting, it's &lt;a href="http://www.cgisecurity.com/xss-faq.html#xss"&gt;much harder to gauge which content might be unsafe&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So &lt;a href="http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/"&gt;Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else&lt;/a&gt; caught my eye because it's a new example of how free... sometimes isn't.  Why bother to exploit people's wordpress blogs, which is illegal in many places, when you can just give them the code and let them install and run it themselves?  
Mostly it looks like the code found is all about adding spammy SEO-boosting links for dubious properties, but there could definitely be worse elsewhere in those themes: that free theme could be using your blog to install malicious software on your visitors' computers!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Out of the ten sites on the first page of Google, here are the stats:&lt;br /&gt;&lt;br /&gt;Safe: 1&lt;br /&gt;Iffy: 1&lt;br /&gt;Avoid: 8&lt;br /&gt;8 out of 10 sites included base64 encoding in their themes. The average WordPress user no doubt knows that Google isn’t the best place to find themes but the stats on these sites show that there are thousands of people downloading them and using them on their websites. Someone who has come to WordPress for the first time is more than likely to type “free WordPress themes” into Google to find a site that gives them what they want. Unfortunately they’re more than likely to end up with spammy links, at best, on their site.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/"&gt;Read the whole article&lt;/a&gt; to hear about what might be hiding in that free template you just downloaded.  Basically, if you see a bunch of random encoded stuff that you don't understand, you should be awfully wary...  Thankfully, the author demonstrates the use of two tools for figuring out if that theme you'd like to try is safe: &lt;a href="http://wordpress.org/extend/plugins/tac/"&gt;Theme Authenticity Checker&lt;/a&gt; and &lt;a href="http://wordpress.org/extend/plugins/exploit-scanner/"&gt;Exploit scanner&lt;/a&gt;.  
I guess those are the new antivirus for Wordpress?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5778510558112268382?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5778510558112268382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5778510558112268382' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5778510558112268382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5778510558112268382'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/02/free-wordpress-themes-considered.html' title='Free Wordpress themes considered harmful'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-71926612202475103</id><published>2011-01-27T13:30:00.005-05:00</published><updated>2011-01-27T13:56:13.217-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='captcha'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><title type='text'>Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; 
margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/terrio/3965517702/in/set-72157622470561898/" title="The CU-WISE women - me + cactus at GHC09"&gt;&lt;img src="http://farm4.static.flickr.com/3017/3965517702_3a1d318c46_m.jpg" alt="The CU-WISE women - me + cactus at GHC09" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/3965517702/in/set-72157622470561898/"&gt;Some of my friends, &lt;br /&gt;for your future hacking pleasure&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/terrio/"&gt;Terriko&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;We've actually talked about this sort of thing considerably within my research group, so it's hardly a new idea, but it's still interesting because I hadn't heard of a large scale implementation of this before: &lt;a href="http://www.readwriteweb.com/archives/nevermind_captcha_facebook_asks_if_you_know_your_f.php"&gt;Nevermind CAPTCHA, Facebook Asks If You Know Your Friends&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;They're calling it "social authentication" where rather than reading obfuscated text as in a normal CAPTCHA, you're asked to identify friends.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," writes Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."&lt;/blockquote&gt;&lt;br /&gt;Of course, that's not true at all.  For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends.  (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.)  
The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.&lt;br /&gt;&lt;br /&gt;I'm curious to see how well it works in practice, though.  CAPTCHAs in their current "mangled text" form relied on assumptions about the ineffectiveness of computer text recognition... assumptions that have been rapidly broken as determined attackers and researchers have improved our text recognition algorithms.  (Nowadays, many captchas can be bypassed with a higher than 90% success rate.  &lt;a href="http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf"&gt;Here's a link to one such paper&lt;/a&gt; but a websearch will turn up many others.)&lt;br /&gt;&lt;br /&gt;&lt;div style="float: left; margin-right: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/terrio/3471843153/in/set-72157617189505867/" title="Sci-Fi Spectacular-2618"&gt;&lt;img src="http://farm4.static.flickr.com/3658/3471843153_02c0691fdf_m.jpg" alt="Sci-Fi Spectacular-2618" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/3471843153/in/set-72157617189505867/"&gt;Friends in costume&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/terrio/"&gt;Terriko&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk.  
Facebook will lead to some great cases: What about when your friends are in costumes?  Wearing different makeup?  Different lighting?  Different poses? Different hair? &lt;br /&gt;&lt;br /&gt;Beyond the usual halloween costumes, my facebook friends include theatre geeks, haunted house aficionados, &lt;a href="http://www.flickr.com/photos/terrio/3690173413/in/set-72157620859973927/"&gt;members of the 501st legion of Star Wars costumers&lt;/a&gt; and folk involved with things like the Society for Creative Anachronism. Will my friends' and acquaintances' penchant for elaborate costumes mean that I'm more secure? Or will it mean that I'll have more trouble identifying them in photos unless I've seen their standard costumes before?&lt;br /&gt;&lt;br /&gt;Mostly I'm torn between excitement at new gains in image processing and a vague sense of unease when I contemplate the potential applications of better facial recognition software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-71926612202475103?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/71926612202475103/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=71926612202475103' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/71926612202475103'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/71926612202475103'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/will-facebooks-choice-of-social.html' title='Will Facebook&apos;s choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition 
software?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3017/3965517702_3a1d318c46_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5170706646957508712</id><published>2011-01-27T09:00:00.004-05:00</published><updated>2011-01-27T09:00:14.858-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bad behaviour'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>"My account got hacked"</title><content type='html'>Some &lt;a href="http://twitter.com/#!/jeremiahg/status/29554919937679360"&gt;bite-sized wisdom&lt;/a&gt; from &lt;a href="http://twitter.com/#!/jeremiahg"&gt;Jeremiah Grossman&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Funny how people, "my account got hacked," rather than "someone hacked into my account", like they think getting hacked is an act of nature.&lt;/blockquote&gt;&lt;br /&gt;I had a good laugh, but it's got me wondering... given how frequently attacks occur online, maybe it really does make sense for people to conceptualize attacks as something that just happens as opposed to something more akin to "that guy robbed me."  
Makes it easier to deal with somehow, or perhaps easier to accept that there will likely be no retribution?&lt;br /&gt;&lt;br /&gt;And more disturbingly, does this "act of nature" approach to hacking explain the general public's sometimes apathetic response to routine privacy violations, both online and offline?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5170706646957508712?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5170706646957508712/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5170706646957508712' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5170706646957508712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5170706646957508712'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/my-account-got-hacked.html' title='&quot;My account got hacked&quot;'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-452896037123628857</id><published>2011-01-26T05:29:00.001-05:00</published><updated>2011-01-26T14:44:54.453-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humour'/><category scheme='http://www.blogger.com/atom/ns#' term='bad behaviour'/><category 
scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='exploit'/><title type='text'>Zuckerberg... hacked?</title><content type='html'>There's &lt;a href="http://techcrunch.com/2011/01/25/zuckerberg-fan-page-hack/"&gt;an amusing story up on TechCrunch suggesting that Mark Zuckerberg's fan page may have been hacked&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Obviously, Zuckerberg didn’t actually write it. Or at least, we’re pretty sure he didn’t. Instead, it would appear that his fan page was hacked. Facebook has now taken down the page — but not before we grabbed a screenshot.&lt;/blockquote&gt;&lt;br /&gt;Honestly, these things happen.  But what made the story actually funny to me was &lt;a href="http://twitter.com/#!/snipeyhead/status/30147681712078848"&gt;this tweet&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://twitter.com/#!/snipeyhead/"&gt;@snipeyhead&lt;/a&gt; Hah. FB is flagging the Tech Crunch article reporting on Zuckerberg's fan page hack as "abusive or spammy" &lt;a href="http://twitpic.com/3thf68"&gt;http://twitpic.com/3thf68&lt;/a&gt; #classy&lt;/blockquote&gt;&lt;br /&gt;Edit: More news on what happened according to Facebook: &lt;a href="http://news.cnet.com/8301-27080_3-20029630-245.html"&gt;Facebook blames bug for Zuckerberg page hack&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-452896037123628857?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/452896037123628857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=452896037123628857' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8281035461329714656/posts/default/452896037123628857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/452896037123628857'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/zuckerberg-hacked.html' title='Zuckerberg... hacked?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2249438769118561937</id><published>2011-01-26T03:05:00.000-05:00</published><updated>2011-01-26T03:05:19.435-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humour'/><category scheme='http://www.blogger.com/atom/ns#' term='bad behaviour'/><category scheme='http://www.blogger.com/atom/ns#' term='security professionals'/><category scheme='http://www.blogger.com/atom/ns#' term='plagiarism'/><title type='text'>Ethical hacking? 
How about some ethical writing?</title><content type='html'>&lt;a href="http://www.amazon.ca/gp/product/1598634143?ie=UTF8&amp;tag=terriko-20&amp;linkCode=as2&amp;camp=15121&amp;creative=390961&amp;creativeASIN=1598634143"&gt;&lt;img border="0" src="http://terri.zone12.com/blog/books/51K-2SuJHXL._SL160_.jpg" align="right" style="margin: 1em" /&gt;&lt;/a&gt;&lt;img src="http://www.assoc-amazon.ca/e/ir?t=terriko-20&amp;l=as2&amp;o=15&amp;a=1598634143" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" align="right" /&gt;&lt;br /&gt;Now, I haven't verified this at all, but here's an interesting link for you: &lt;a href="http://attrition.org/errata/charlatan/ankit_fadia/network_intrusion/"&gt;Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.&lt;/blockquote&gt;&lt;br /&gt;Given my experiences with plagiarism among my undergraduate students and the recent &lt;a href="http://howpublishingreallyworks.com/?p=3450"&gt;Cooks Source plagiarism story&lt;/a&gt; (which attracted &lt;a href="http://www.wired.com/threatlevel/2010/11/web-decries-infringement/"&gt;quite a lot of attention&lt;/a&gt;)... I'm sadly inclined to believe that this entire book may be plagiarized.&lt;br /&gt;&lt;br /&gt;What's funny about this story is that the book in contention here is titled "Network Intrusion Alert: An &lt;em&gt;Ethical&lt;/em&gt; Hacking Guide to Intrusion Detection."  
Emphasis mine.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2249438769118561937?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2249438769118561937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2249438769118561937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2249438769118561937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2249438769118561937'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/ethical-hacking-how-about-some-ethical.html' title='Ethical hacking? How about some ethical writing?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-998237964908242320</id><published>2011-01-17T23:06:00.004-05:00</published><updated>2011-01-17T23:10:29.456-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social networking'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook now enabling annoying phone calls and paper junk mail?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a 
href="http://www.flickr.com/photos/80327698@N00/5013086426/" title="Drowning in Verizon junk mail"&gt;&lt;img src="http://farm5.static.flickr.com/4154/5013086426_467c4eb4a0_m.jpg" alt="Drowning in Verizon junk mail" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/80327698@N00/5013086426/"&gt;Drowning in Verizon junk mail&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/80327698@N00/"&gt;Night-thing&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;a href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/"&gt;Sophos&lt;/a&gt; points out that Facebook has made yet another change to the way it handles your information: this time, &lt;a href="http://developers.facebook.com/blog/post/446?_fb_noscript=1"&gt;allowing third-party developers access to contact information&lt;/a&gt; on Facebook.&lt;br /&gt;&lt;br /&gt;Now, part of me wants to just shrug: it's always been &lt;em&gt;technically&lt;/em&gt; possible for third party developers to get access to this information because of the current state of web security.  It's long been true that anyone who can execute JavaScript in your browser within a site's own origin (e.g. a facebook app) can read anything you can see: the same-origin policy keeps other sites' scripts out, but it does nothing about script the site itself runs.  So if your friend installed FarmVille and you've allowed your friend to see your phone number, FarmVille can see your phone number (and the pictures of you in that horrible halloween costume, and that drunken post you made on your ex's wall...).  And if you install FarmVille, they can even more easily glean your phone number and anything else on your profile.  
What Facebook's doing is in some ways good: they're helping to make this clear to users, and maybe even helping to track who is actually looking at and using that info.&lt;br /&gt;&lt;br /&gt;But of course, most people aren't aware that this has always been possible, so they're suddenly envisioning FarmVille sending them paper brochures filled with new crop info, or phoning all their friends to ask why they haven't helped out on the farm lately.  Maybe an automated call would help convince you to join the game and seek out that lost kitten?&lt;br /&gt;&lt;br /&gt;And maybe those third party apps didn't realize they could do it either, and they're salivating over the extended marketing possibilities.  Technically possible doesn't imply endorsed by Facebook the way putting the ability into the API does, so while getting this information might have been in the realm of sketchy scams before, now it's going to be considered a legitimate asset by more companies.  After all, you consented when you installed the app.  And remember, corporate assets do tend to be about making money, so don't assume they won't sell those lists.  &lt;br /&gt;&lt;br /&gt;So, while it was technically feasible before, maybe now is a good time to reconsider what data you keep within Facebook.  And it's always a good time to re-evaluate which applications you have installed or will install.  As always, I recommend that you don't leave anything on facebook you wouldn't want shared with the world, so now's a great time to delete your phone number and address from your facebook profile.  And if you don't?  
Well, don't be too surprised when you start getting texts saying that someone needs help with their FarmVille crops.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-998237964908242320?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/998237964908242320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=998237964908242320' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/998237964908242320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/998237964908242320'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/facebook-enabling-annoying-phone-calls.html' title='Facebook now enabling annoying phone calls and paper junk mail?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4154/5013086426_467c4eb4a0_t.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-1696521242281730490</id><published>2011-01-03T16:05:00.001-05:00</published><updated>2011-01-03T16:06:24.170-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cute'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>A bit late: Santa's 
privacy policy</title><content type='html'>A bit late, but sent to me by a few folk as a fun follow up to &lt;a href="http://webinsecurity.blogspot.com/2010/12/brutally-honest-privacy-policy.html"&gt;A brutally honest privacy policy&lt;/a&gt;, here's a gem of a privacy policy from... Santa Claus.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Santa Claus requires your information in order to compile his annual list of Who is Naughty and Who is Nice, and to ensure accuracy when he checks it twice. Your information is also used in connection with delivering the kinds of goods and services you've come to expect from Santa, including but not limited to toys, games, good cheer, merriment, Christmas spirit, seasonal joy, and holly jollyness.&lt;/blockquote&gt;&lt;br /&gt;Read the rest here: "&lt;a href="http://www.mcsweeneys.net/2010/12/23hughes.html"&gt;Santa's Privacy Policy&lt;/a&gt;" and leave those christmas decorations up just one more day before getting back to regular old January.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-1696521242281730490?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/1696521242281730490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=1696521242281730490' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1696521242281730490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1696521242281730490'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2011/01/bit-late-santas-privacy-policy.html' title='A bit late: Santa&apos;s privacy policy'/><author><name>Terri 
Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2168052442240418698</id><published>2010-12-14T00:18:00.001-05:00</published><updated>2010-12-14T00:21:26.245-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humour'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>A brutally honest privacy policy</title><content type='html'>Dan Tynan has decided to cut through the legalese and confusion inherent in many privacy policies and &lt;a href="http://www.itworld.com/print/129778"&gt;produced a "real" privacy policy which is open-sourced for anyone to adopt&lt;/a&gt;.  What results is hilarious and sad at once because it reflects a lot of how "private" data may be used.  Here's an excerpt:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"At COMPANY _______ we value your privacy a great deal. Almost as much as we value the ability to take the data you give us and slice, dice, julienne, mash, puree and serve it to our business partners, which may include third-party advertising networks, data brokers, networks of affiliate sites, parent companies, subsidiaries, and other entities, none of which we’ll bother to list here because they can change from week to week and, besides, we know you’re not really paying attention.&lt;br /&gt;&lt;br /&gt;We’ll also share all of this information with the government. We’re just suckers for guys with crew cuts carrying subpoenas.&lt;br /&gt;&lt;br /&gt;Remember, when you visit our Web site, our Web site is also visiting you. 
And we’ve brought a dozen or more friends with us, depending on how many ad networks and third-party data services we use. We’re not going to tell which ones, though you could probably figure this out by carefully watching the different URLs that flash across the bottom of your browser as each page loads or when you mouse over various bits. It’s not like you’ve got better things to do.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;So just to recap: Your information is extremely valuable to us. Our business model would totally collapse without it. No IPO, no stock options; all those 80-hour weeks and bupkis to show for it. So we’ll do our very best to use it in as many potentially profitable ways as we can conjure, over and over, while attempting to convince you there’s nothing to worry about.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.itworld.com/print/129778"&gt;Read the rest along with commentary on Dan's blog&lt;/a&gt;.  He notes that it’s 5,085 words shorter than Facebook’s policy, just for comparison.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2168052442240418698?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2168052442240418698/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2168052442240418698' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2168052442240418698'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2168052442240418698'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/12/brutally-honest-privacy-policy.html' title='A brutally honest privacy 
policy'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2563879188707940187</id><published>2010-11-03T10:00:00.010-04:00</published><updated>2010-11-03T10:00:10.546-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='firesheep'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/jeffanddayna/4146023669/" title="SSL"&gt;&lt;img src="http://farm3.static.flickr.com/2705/4146023669_29dae2f065_m.jpg?zz=1" alt="SSL" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/jeffanddayna/4146023669/"&gt;SSL&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/jeffanddayna/"&gt;jeff_golden&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;Yesterday, I talked about &lt;a href="http://webinsecurity.blogspot.com/2010/11/apathy-or-sensible-risk-evaluation-why.html"&gt;why end-users don't care about security&lt;/a&gt; and how that actually makes a certain amount of sense for them since the cost of behaving more securely can overwhelm the cost of an actual breach.&lt;br /&gt;&lt;br /&gt;However, what I didn't talk about is whether this is true for companies.  
A breach of a single user account may not cost a company much, but if breaches get common enough that they start losing users, it becomes a problem with a much higher cost.&lt;br /&gt;&lt;br /&gt;While users trying to protect themselves from curious folk with firesheep are counseled to use a VPN, website owners can encrypt the whole session from their end with SSL, so that no cleartext session cookie ever crosses the wireless network for firesheep to capture.  But it was thought that SSL was computationally costly and even &lt;em&gt;environmentally&lt;/em&gt; costly due to the supposed need for extra electricity and machines.&lt;br /&gt;&lt;br /&gt;But who's been looking at what those costs actually are?  A blog post entitled &lt;a href="http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html"&gt;Overclocking SSL&lt;/a&gt;, written by Google engineers, measured those costs as Google moved Gmail to HTTPS by default, and made a pretty clear statement:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;So there you have it: the people who should be protecting users from firesheep attacks are probably the companies who run the websites, since SSL isn't likely to be as costly to them as numerous complaints and support requests from their users would be.   The cost equation might not be the same for all organizations, since the cost of certificates and labour can be non-trivial if you don't already have expertise on hand.  But sure enough, &lt;a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html"&gt;Google has decided to provide https access by default to all gmail users&lt;/a&gt;, so they clearly believe it's worth it.  
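&lt;br /&gt;&lt;br /&gt;One thing the cost argument glosses over, and the check a practitioner would want before declaring a firesheep problem solved: HTTPS only helps if the session cookie is marked Secure, because a cookie without that flag is still sent by the browser on any plain http:// request to the same host, and that one request is all a sniffer needs. The Python below is an added example, not code from the original post or from any of the sites it mentions; the captured request and Set-Cookie headers are constructed for the example, and the list of cookie names treated as session material is a heuristic assumption. It shows what an eavesdropper on open wireless sees in one plaintext request, and audits a site's Set-Cookie headers for session cookies that would still leak after an HTTPS rollout.

```python
"""
Added example (not from the original post): what an eavesdropper on open
wifi reads out of one plaintext request, and whether a site's cookies
survive an HTTPS deployment. Firesheep works by lifting the Cookie header
from cleartext HTTP; turning on HTTPS only helps if the session cookie is
marked Secure, otherwise the browser still sends it on any http:// request
to the same host. All traffic below is constructed for the example.
"""
from http.cookies import SimpleCookie

# Constructed plaintext request, as captured on an open wireless network.
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sessionid=abc123; theme=dark; lang=en\r\n"
    "\r\n"
)

# Constructed response headers from the same site after it enabled HTTPS.
RESPONSE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "auth_token=xyz; Path=/; Secure; HttpOnly"),
]

# Substrings that mark a cookie as authentication material. This list is an
# assumption for the example; extend it for the site under test.
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "auth", "token"}


def cookies_visible_on_the_wire(raw_request):
    """Return the cookies an eavesdropper can read from a plaintext request.

    This is the whole of what Firesheep needs: with the Cookie header in
    hand it replays the request from its own browser as the victim.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return dict(
                pair.strip().split("=", 1)
                for pair in value.split(";")
                if "=" in pair
            )
    return {}


def is_session_cookie(name):
    """Heuristic: does this cookie name look like it carries a session?"""
    lowered = name.lower()
    return any(marker in lowered for marker in SESSION_NAMES)


def exposed_sessions(raw_request):
    """Session cookies an attacker would harvest from one captured request."""
    visible = cookies_visible_on_the_wire(raw_request)
    return {n: v for n, v in visible.items() if is_session_cookie(n)}


def audit_set_cookie(headers):
    """Flag session cookies that would still leak after an HTTPS rollout.

    Returns a dict of cookie name to list of problems; an empty list means
    the cookie is set the way an HTTPS-only site should set it.
    """
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(header_value)
        for name, morsel in jar.items():
            problems = []
            if is_session_cookie(name):
                # Without Secure the browser sends the cookie over plain
                # http:// too, so HTTPS on the login page changes nothing.
                if not morsel["secure"]:
                    problems.append("missing Secure: still sent over plaintext HTTP")
                if not morsel["httponly"]:
                    problems.append("missing HttpOnly: readable by injected script")
            findings[name] = problems
    return findings


if __name__ == "__main__":
    print("harvested from the wire:", exposed_sessions(CAPTURED_REQUEST))
    for cookie, problems in audit_set_cookie(RESPONSE_HEADERS).items():
        print(cookie, "OK" if not problems else problems)
```

Run as a script it prints the harvested session cookie and then the audit: sessionid is flagged because it lacks Secure, theme is ignored as non-sensitive, and auth_token passes. The audit only looks at cookies whose names match SESSION_NAMES, so the first thing to tune for a real site is that list.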
&lt;br /&gt;&lt;br /&gt;This leads to an interesting question: Does the burden of security always fall heavily on corporations and large organizations rather than on end-users?  Many would argue that this is naive and that users must bear some responsibility, others would argue that only corporations have the resources necessary to make an impact on security.  This is a much larger discussion that I expect we'll see occurring over and over again for a very long time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2563879188707940187?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2563879188707940187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2563879188707940187' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2563879188707940187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2563879188707940187'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/11/security-costs-vs-benefits-should.html' title='Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2582197956484701830</id><published>2010-11-02T12:42:00.039-04:00</published><updated>2010-11-02T15:49:10.330-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social networking'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='firesheep'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Apathy or sensible risk evaluation: why don't people care about security?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/pierofix/3094329703/" title="Starbucks' Christmas Bokeh"&gt;&lt;img src="http://farm4.static.flickr.com/3024/3094329703_f20d486ba0_m.jpg" alt="Starbucks' Christmas Bokeh" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/pierofix/3094329703/"&gt;Starbucks' Christmas Bokeh&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/pierofix/"&gt;pierofix&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;Engineer Gary LosHuertos decided to try &lt;a href="http://technologysufficientlyadvanced.blogspot.com/2010/10/herding-firesheep-in-new-york-city.html"&gt;Herding Firesheep in New York City&lt;/a&gt;: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws.  Some people closed up and left, but some just ignored his message and went on with their day.  
Confused, he sent another message, but they just didn't seem to care and continued using their accounts.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.&lt;/blockquote&gt;&lt;br /&gt;But &lt;em&gt;is&lt;/em&gt; this shocking?  To someone who cares about security, maybe.  To someone who knows people?  Less so.  &lt;br /&gt;&lt;br /&gt;Cormac Herley has an absolutely great paper entitled "&lt;a href="http://docs.google.com/viewer?a=v&amp;q=cache:UCrzi5_P5fkJ:research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf&amp;hl=en&amp;gl=ca&amp;pid=bl&amp;srcid=ADGEEShcwF5NUFTHr49SHpuOuwwAXGb6Oy2THAKgdwquvGWCHwyaf-I0ZbXu8bcKsA3LCM5n2SFL6mKJ6X8_Ihq5nYOjxvsGS0bjIqgZycrlRcnaQMbhmSS2f2yHpoSIQlb-dfJlc2Te&amp;sig=AHIEtbQIrbuCbg8Eliatp6RviN8ZThn6Zg"&gt;So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users&lt;/a&gt;"  &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.&lt;/blockquote&gt;&lt;br /&gt;So let's think a little bit about cookies and firesheep.  One of the ways to be most safe is to browse using a VPN.  
For someone who already has one set up, this is pretty much a matter of toggling something on your computer: pretty low difficulty and less trouble than having your accounts hacked.  You can see why many geeks think it's ridiculous that people wouldn't just secure their connections: even if you include time setting up the VPN, for many folk that's a task that falls under the heading of "something I meant to do anyhow" and isn't really perceived as costly.&lt;br /&gt;&lt;br /&gt;But if you're not a computer-savvy person who has a server online to host a VPN, setting up a VPN can be stupidly costly.  Maybe you'd have to replace your router with one that can handle it.  Maybe you'd have to pay for hosting.  Maybe you'd have to spend hours figuring out how to generate keys, or pay someone else to do that.  Maybe just figuring out what you need to do at all is going to take hours.  Quickly, the hours required seem worth more than the cost of having some stranger send you messages from your own facebook account, or maybe set your status message to something embarrassing.&lt;br /&gt;&lt;br /&gt;Perhaps what we need to raise the costs of a security mishap is a little evil.  It's actually easy to craft a firesheep-based attack that &lt;em&gt;would&lt;/em&gt; raise the cost high enough to make VPN hunting (or just not using the Starbucks wireless) seem worthwhile to most people: log into someone's account, delete all their status messages, notes and photos, defriend all their friends.  Since there's no easy way to back up your facebook profile, the results would be devastating and partially unrecoverable: worth more than the pain of setting up a VPN or going without FB while in a coffee shop.  
It might be easier to litigate for theft/unauthorized access than it is to restore that profile, so I don't recommend any security vigilantes start doing this!&lt;br /&gt;&lt;br /&gt;So I guess the take-home message here is that while it's worth trying to educate users so they can make smarter decisions, they're not necessarily being delusional or foolish when they just say "meh" and go on with their lives.  If we want to make a really huge impact, we need security solutions that are so low-pain that there's no longer any rational reason to reject them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2582197956484701830?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2582197956484701830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2582197956484701830' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2582197956484701830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2582197956484701830'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/11/apathy-or-sensible-risk-evaluation-why.html' title='Apathy or sensible risk evaluation: why don&apos;t people care about security?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://farm4.static.flickr.com/3024/3094329703_f20d486ba0_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-313766182322464446</id><published>2010-10-29T00:56:00.000-04:00</published><updated>2010-10-29T00:56:07.829-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social networking'/><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='laws'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/sunside/1433052868/" title="Privacy is not a crime"&gt;&lt;img src="http://farm2.static.flickr.com/1103/1433052868_20070e97e2_m.jpg?zz=1" alt="Privacy is not a crime" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/sunside/1433052868/"&gt;Privacy is not a crime&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/sunside/"&gt;sunside&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;This maybe shouldn't surprise anyone, but Mashable is reporting that &lt;a href="http://mashable.com/2010/10/27/facebook-lobbying/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+Mashable+(Mashable)"&gt;Facebook Lobbied to Kill Social Networking Privacy Act&lt;/a&gt; in the USA. &lt;br /&gt;&lt;br /&gt;It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further.  
It makes me concerned as a user of the service.&lt;br /&gt;&lt;br /&gt;Incidentally, &lt;a href="http://www.cbc.ca/technology/story/2009/07/16/facebook-privacy-commissioner.html"&gt;Facebook has already broken Canadian privacy law&lt;/a&gt; (&lt;a href="http://www.webpronews.com/topnews/2010/10/19/commissioner-google-contravened-canadian-privacy-law"&gt;they're not the only ones&lt;/a&gt;), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect.  Maybe the law was simply ill-conceived (I haven't read it) but this &lt;em&gt;really&lt;/em&gt; doesn't sound like the actions of a socially-responsible company.  Very disappointing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-313766182322464446?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/313766182322464446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=313766182322464446' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/313766182322464446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/313766182322464446'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/10/apparently-facebook-hates-privacy-so.html' title='Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws'/><author><name>Terri 
Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-1854296473846982632</id><published>2010-10-28T09:00:00.002-04:00</published><updated>2010-10-28T09:00:15.317-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><title type='text'>Why 12 year olds may be our best bug hunters</title><content type='html'>You may have heard the news: &lt;a href="http://www.mercurynews.com/san-jose-neighborhoods/ci_16401891"&gt;Mozilla pays 12-year-old San Jose boy for hunting bugs in system&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;div style="float: left; margin-right: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/kjellander/1604250518/" title="bugged"&gt;&lt;img src="http://farm3.static.flickr.com/2336/1604250518_8f0af35eed_m.jpg" alt="bugged" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/kjellander/1604250518/"&gt;bugged&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/kjellander/"&gt;Oℓivia&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;It's safe to say a typical Willow Glen 12-year-old doesn't earn $3,000 for a couple of weeks' worth of work. Then again, Alex Miller is no typical 12-year-old.&lt;br /&gt;&lt;br /&gt;Alex is a bug hunter, but the bugs he's uncovering are unlikely to end up in any entomological reference book. Instead, the bug Alex found was a valid critical security flaw buried in the Firefox web browser. 
For his discovery, he was rewarded a bug bounty of $3,000 by Mozilla, the parent company of Firefox.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Much of the coverage I've seen has been along the lines of "wow, if a 12 year old can find a bug, then anyone can do this!" which I think is awesome if it gets more people out looking through code in hopes of one of those $3k bounties.  But I also find that attitude a little sad because frankly, Alex Miller sounds like a pretty smart guy, and implying that what he did is easy because he's young is a bit condescending and likely incorrect.&lt;br /&gt;&lt;br /&gt;But the more I think about it, the more I think that maybe younger bughunters have some natural advantages, and maybe we should go out of our way to recruit them.  I taught 17 year olds doing in-lab tutorials for several years running, and have worked with students down to around 12 years old when I've taught mini-courses in the spring, and they're pretty darned sharp.&lt;br /&gt;&lt;br /&gt;Here are some assets younger folk bring to the table when it comes to security flaws:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;A different point of view&lt;/b&gt; -- Some teachers find it incredibly frustrating that their students just don't see the world the way they do, because it can be hard to teach without common ground, but I've always found it fascinating how my students will write code in ways completely different to what I expect.  Frankly, I don't see this kind of diversity when I work with my colleagues, probably because we have similar educational backgrounds.  A different way to think can help you find things that others are going to miss, in research or in security bug hunting!  &lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Time&lt;/b&gt; -- Alex Miller says he only spent 90 minutes/day for around 10 days to find his bug, but in general tweens and teens can have a lot more free time than their adult counterparts.  
Sure, there's school and homework and often a slew of extra-curriculars, but there's usually less time spent on childcare, laundry, groceries, cooking, cleaning, yardwork.  Younger students may do some of that, but usually not all of the above.&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Enthusiasm&lt;/b&gt; -- Let's face it; if you stare at code all day at work, you're not always likely to set aside 90 minutes/day to do it at home.  Whereas when I was a teenager and was writing essays at school, 90 minutes of debugging sounded like a lot more fun!&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Chutzpah&lt;/b&gt; -- It's easy for us as adults to think "meh, so many people have looked at this... I'll never find anything" and in general the students I work with have a lot more guts and are just more willing to believe that they personally will change the world if they just try.  Certainly, my gaming students often propose genre-busting epic game ideas that I can just imagine getting shot down at a company meeting.&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;So maybe we shouldn't be saying "if a 12 year old can do it, anyone can" and instead thinking "how can I channel my inner 12 year old?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-1854296473846982632?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/1854296473846982632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=1854296473846982632' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1854296473846982632'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1854296473846982632'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/10/why-12-year-olds-may-be-our-best-bug.html' title='Why 12 year olds may be our best bug hunters'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm3.static.flickr.com/2336/1604250518_8f0af35eed_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-1756113387708127033</id><published>2010-10-27T15:18:00.001-04:00</published><updated>2010-11-02T15:49:29.189-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='firesheep'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Quick Hit: Firesheep</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/jule_berlin/839245545/" title="Mountain view with sheep"&gt;&lt;img src="http://farm2.static.flickr.com/1423/839245545_d89144d012_m.jpg" alt="Mountain view with sheep" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/jule_berlin/839245545/"&gt;Mountain view with sheep&lt;/a&gt; &lt;br /&gt;by &lt;a 
href="http://www.flickr.com/photos/jule_berlin/"&gt;Jule_Berlin&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;By now, probably everyone's already heard of &lt;a href="http://codebutler.com/firesheep?c=1"&gt;firesheep&lt;/a&gt;, the nice user-friendly way to use cookies to do session hijacking.  Want to be logged in as someone else on Facebook?  No problem.&lt;br /&gt;&lt;br /&gt;It's nothing spectacular on a technical level, since it's been easy enough to use other people's cookies for quite some time, but it's a pretty impressive social hacking tool.  It's making it clear to a lot of people (and media) that this is a real problem, and that it's an exploit anyone can do now.&lt;br /&gt;&lt;br /&gt;I'm actually sort of surprised that I haven't seen this earlier: it used to be a bit of a game in the undergrad lounge to see what one could sniff off the network, with people using some tool whose name I've forgotten to show any images that came up from users surfing on the wireless.  Hacking session cookies would have been a fun addition to our childish games -- and I'll bet plenty of college kids are using it for just that.  
Or for checking out their ex-boyfriends/girlfriends...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-1756113387708127033?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/1756113387708127033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=1756113387708127033' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1756113387708127033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1756113387708127033'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/10/quick-hit-firesheep.html' title='Quick Hit: Firesheep'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm2.static.flickr.com/1423/839245545_d89144d012_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6380187168920353595</id><published>2010-10-11T20:30:00.014-04:00</published><updated>2010-10-11T20:54:26.986-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCS'/><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><title 
type='text'>Does expiring passwords really help security?</title><content type='html'>&lt;div style="float: left; margin-bottom: 10px; margin-right: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/dawn_perry/318923932/" title="photo sharing"&gt;&lt;img alt="" src="http://farm1.static.flickr.com/140/318923932_26a701683b_m.jpg" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;a href="http://www.flickr.com/photos/dawn_perry/318923932/"&gt;Change is Easy&lt;/a&gt;&lt;br /&gt;Originally uploaded by &lt;a href="http://www.flickr.com/people/dawn_perry/"&gt;dawn_perry&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;I've heard a lot of arguments as to why expiring passwords likely won't help.  Here are a few:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;It's easy to install malware on a machine, so the new password will be sniffed just like the old.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;It costs more: frequent password changes result in more forgotten passwords and support desk calls.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;It irritates users, who will then feel less motivated to implement other security measures.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;And yet, many organizations continue to force regular password changes in order to improve security.  But what if that's not what's really happening?  Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be &lt;a href="http://www.cs.unc.edu/~yinqian/password.html"&gt;the first large-scale study on password expiration&lt;/a&gt;, and they found it wanting.  
&lt;br /&gt;&lt;br /&gt;&lt;p&gt;They focus especially on the idea that consecutive passwords will be related, and built a system that tries a variety of transforms such as changing which letter is uppercase, duplicating letters/numbers/symbols, and even &lt;a href="http://en.wikipedia.org/wiki/Leet"&gt;"leet" translation&lt;/a&gt; (e.g. raven becomes r@v3n).  The implications of their results are fairly clear and potentially disturbing for those who thought password changing was providing extra security in the case of a breach:  &lt;br /&gt;&lt;ul&gt;&lt;li&gt;With offline attacks: "&lt;em&gt;On average, roughly 41% of passwords can be broken from an old password in under 3 seconds.&lt;/em&gt;"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;With online attacks: "&lt;em&gt;An average of 13% of accounts can be broken (with certainty) in 5 online guesses, and 18% can be broken in 10 guesses.&lt;/em&gt;"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;em&gt;As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly.&lt;/em&gt;"&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;In essence, they've shown that changing passwords doesn't provide nearly as much security as system designers had hoped, and they suggest we abandon the practice rather than continue to annoy users with a policy that has been proven ineffective.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6380187168920353595?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6380187168920353595/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6380187168920353595' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6380187168920353595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6380187168920353595'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/10/does-expiring-passwords-really-help.html' title='Does expiring passwords really help security?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm1.static.flickr.com/140/318923932_26a701683b_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5102441275946148914</id><published>2010-09-20T13:34:00.015-04:00</published><updated>2010-09-20T14:50:00.136-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Privacy and Twitter lists</title><content type='html'>&lt;a href="http://www.flickr.com/photos/alancleaver/4105726930/" title="privacy by alancleaver_2000, on Flickr"&gt;&lt;img src="http://farm3.static.flickr.com/2654/4105726930_c42e8b12b9_m.jpg" width="160" height="240" alt="privacy" align="left" style="border: solid 2px #000000; margin-right: 10px; margin-bottom: 10px" /&gt;&lt;/a&gt;I think twitter may have among the simplest privacy settings of any social network.  Your choices are either everything you post is public, or everything you post is private.  &lt;br /&gt;&lt;br /&gt;But simple does not mean that things will stay private.  
Just like everything on the internet, the minute you post something someone else might choose to share it.  &lt;a href="http://w2spconf.com/2010/papers/p28.pdf"&gt;Some researchers have actually studied how often people retweet private content on Twitter&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Something I haven't seen studied, however, is how private information can leak out through twitter lists.&lt;br /&gt;&lt;br /&gt;Twitter allows you to make lists of people who you'd like to have grouped together.  For example, I have a list of &lt;a href="http://twitter.com/terriko/technicalwomen"&gt;technical women&lt;/a&gt; who I follow.  These are women in technology who I've met in person or interacted with extensively online, and I really made it for my own personal use, but since it's a public list others can (and do) follow it.  Presumably they're looking for more cool women to expand their social networks.&lt;br /&gt;&lt;br /&gt;Twitter allows you to see what lists a person has been added to, and this is where it gets interesting.  Let's take a look at &lt;a href="http://twitter.com/terriko/lists/memberships"&gt;the lists of which I am a member&lt;/a&gt; and see what we can learn about me.  &lt;br /&gt;&lt;br /&gt;Here are a few things you can get at a glance: &lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I have a lot of real-life friends on twitter (and now you know who many of them are)&lt;/li&gt;&lt;li&gt;I'm a musician&lt;/li&gt;&lt;li&gt;I work in security, technology and on open source software&lt;/li&gt;&lt;li&gt;I'm &lt;a href="http://twitter.com/#!/ghc/ghc10-speakers"&gt;speaking at an upcoming conference&lt;/a&gt; and have attended a variety of events&lt;/li&gt;&lt;li&gt;&lt;a href="http://twitter.com/#!/hypatiadotca/peeps"&gt;My friend Leigh is stalking me ;)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;I live in Ottawa&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Wait... what?  
Despite the fact that I explicitly chose to say a more generic "Canada" in my profile information, my current city can be determined by the fact that it shows up in several of the lists I'm on.  There's of course no way to be sure that any of this is true, but when more than one person lists me as being in Ottawa it seems fairly reasonable to guess.&lt;br /&gt;&lt;br /&gt;I'm not personally concerned (obviously, since I'm talking about all this information in a public blog post!) but some folk are much more private than I am.  &lt;br /&gt;&lt;br /&gt;So what are your options if you want to hide this information?  Well, if I don't like the lists I'm on, I can... uh... There's no apparent way to leave a twitter list.  I suspect one could block the list curator, but the people revealing your location are most likely to be actual real life friends: people you wouldn't want to block.  So you'd have to resort to asking nicely, but that's assuming you even notice: while you can get notifications of new followers, you do not get notified when you're added to a list.  I've been asked about exactly two of the lists I've been put on (thanks &lt;a href="http://twitter.com/ghc/"&gt;@ghc&lt;/a&gt;!) so obviously it's not the social norm to ask (I certainly have never asked anyone I've listed!)&lt;br /&gt;&lt;br /&gt;A quick check says I can usually get the current (and sometimes some former) cities for many of my friends, as well as information related to their occupations, interests, and events they've attended.  For most of these people, I know this isn't information they consider private either.  But it's obviously possible that this could be a problem... I wonder how many people it affects in a negative way?  &lt;br /&gt;&lt;br /&gt;Maybe this is a potential little workshop paper if I have time to analyse a whole bunch of twitter lists.  
Anyone want to lend me a student who's interested in social media privacy?&lt;br /&gt;&lt;br /&gt;Edit: A note for those concerned about not being that privacy-violating friend.  You can make twitter lists private if you want (it's just not the default), so just do that for the lists you think are sensitive and you're good to go!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5102441275946148914?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5102441275946148914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5102441275946148914' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5102441275946148914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5102441275946148914'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/09/privacy-and-twitter-lists.html' title='Privacy and Twitter lists'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm3.static.flickr.com/2654/4105726930_c42e8b12b9_t.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-1147953216404952272</id><published>2010-08-23T15:12:00.001-04:00</published><updated>2010-08-23T15:51:38.699-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='me'/><category scheme='http://www.blogger.com/atom/ns#' term='presentation'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>Visual Security Policy for the Web</title><content type='html'>This is the annotated version of a presentation I gave at the &lt;a href="http://www.usenix.org/events/hotsec10/tech/" rel="nofollow"&gt;5th USENIX Workshop on Hot Topics in Security (HotSec '10)&lt;/a&gt;.  My slides tend to be designed to complement what I'm saying rather than as stand-alone pieces, so I'm writing out approximately what I said during my presentation so that you can get the whole sense of the presentation.  I also make heavy use of creative commons content to put together my presentations: click through each image for attributions and more details about the photos used.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920668034/" title="Visual Security Policy for the Web by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4098/4920668034_568f3939d8.jpg" width="500" height="375" alt="Visual Security Policy for the Web" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920069409/" title="83% of web sites have had a serious vulnerability by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4102/4920069409_97e8bd4500.jpg" width="500" height="375" alt="83% of web sites have had a serious vulnerability" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to WhiteHat Security, 83% of web sites they looked at had a serious vulnerability at some point in their lifetimes.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920668214/" 
title="64% of all sites have a security flaw right now by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4139/4920668214_225cdaf089.jpg" width="500" height="375" alt="64% of all sites have a security flaw right now" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;They found that nearly two thirds of all websites had such a vulnerability right now.  &lt;br /&gt;&lt;br /&gt;So really, we should be asking ourselves... why?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920668264/" title="What makes the web so hard to secure? by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4079/4920668264_bb909c1b51.jpg" width="500" height="375" alt="What makes the web so hard to secure?" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What makes the web so difficult to secure?&lt;br /&gt;&lt;br /&gt;Unfortunately, that's not an easy question to answer.  If you asked 20 web security experts, you might get 20 different answers...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920668372/" title="Some potential reasons the web is so insecure by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4094/4920668372_a2b5f03219.jpg" width="500" height="375" alt="Some potential reasons the web is so insecure" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From technologies to attackers to standards... there's a lot of little things that can go wrong and result in an insecure web page. 
&lt;br /&gt;&lt;br /&gt;I don't have time to talk about all of them and I certainly don't know how to solve all of them, so I'm going to focus on one particular issue...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920070767/" title="There are no restrictions within a web page by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4100/4920070767_3f5a516a30.jpg" width="500" height="375" alt="There are no restrictions within a web page" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And that's that there are no restrictions within a web page.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920670118/" title="Sandbox by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4114/4920670118_1e69fc4d1c.jpg" width="500" height="375" alt="Sandbox" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So in the typical way of describing things, your browser makes a sandbox for your web page to play in.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920670376/" title="Kid in sandbox by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4142/4920670376_aa004cc4e9.jpg" width="500" height="375" alt="Kid in sandbox" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So you put your cute little baby web page in there, and things are pretty good. But eventually, you get bored...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920072115/" title="Kid in sandbox with toys by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4074/4920072115_70e2855a89.jpg" width="500" height="375" alt="Kid in sandbox with toys" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And you want to add some toys in.  User comments, latest status updates, advertisements, pictures.  There's a lot of toys available for your web page.  
And that's great...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920670944/" title="Kitten in &amp;quot;sandbox&amp;quot; by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4073/4920670944_a63c0de468.jpg" width="500" height="375" alt="Kitten in &amp;quot;sandbox&amp;quot;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;... if your web page is filled with nothing but cute and cuddly things that like to play together.  But even cute and cuddly things have accidents...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920671306/" title="Shark in the sandbox by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4116/4920671306_b3338091cf.jpg" width="500" height="375" alt="Shark in the sandbox" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And not every bit of stuff that gets added to a web page is necessarily safe.  It's quite easy to wind up with sharks in your sandbox.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920072933/" title="Separation between components can mitigate attacks by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4139/4920072933_a84ee04e53.jpg" width="500" height="375" alt="Separation between components can mitigate attacks" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We've actually got some great web security work out for mashups that deals with separation, so you can put all those potential sharks into separate tanks and keep other content safe.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920672104/" title="Aquarium with separate tanks for different &amp;quot;content&amp;quot; by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4143/4920672104_d9d76ac416.jpg" width="500" height="375" alt="Aquarium with separate tanks for different &amp;quot;content&amp;quot;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So your web page becomes a bit more like an aquarium with lots of separate boxes or containers or 
fish tanks.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920672462/" title="But not many web developers use encapsulation by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4135/4920672462_9aa1dd9a8e.jpg" width="500" height="375" alt="But not many web developers use encapsulation" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But even though we have known ways to add separation, web developers don't use them.  And then you wind up with sharks pretty much everywhere... &lt;br /&gt;&lt;br /&gt;(This actually isn't photoshopped; it's a real art installation.)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920073835/" title="Megashark by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4102/4920073835_c1c0075b6d.jpg" width="500" height="375" alt="Megashark" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And if you're worried about sharks running into houses, you should be especially worried about the menace that is MegaShark.  If you've watched the trailers, you know that MegaShark is a giant shark capable of jumping out of the ocean into the air and taking out an airplane.&lt;br /&gt;&lt;br /&gt;[pause]&lt;br /&gt;&lt;br /&gt;But no, I'm not here to talk about MegaShark.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920677078/" title="Infographics make complex data easier to understand using visuals by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4096/4920677078_97a093850f.jpg" width="500" height="375" alt="Infographics make complex data easier to understand using visuals" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What I want you to see is that the picture I have up here is an infographic.  That's a graphical way to represent data, usually statistics, used by magazines and others who want to convey complex data in a way that people can readily understand. 
&lt;br /&gt;&lt;br /&gt;So here you can see visually how much bigger MegaShark is than a great white or even a megalodon.  The infographic shows you how fast MegaShark would have to be going, reminds you that a shark travelling that quickly would damage other nearby boats, and so on.  &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920677378/" title="Equations allow more detailed analysis... if you understand them. by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4139/4920677378_6cb3283e66.jpg" width="500" height="375" alt="Equations allow more detailed analysis... if you understand them." /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's not the only way to represent the information.  One could also use the equations that were used to calculate the speed of the shark.  This lets you get a lot more detailed information, like the density of the water in the San Francisco Bay.  &lt;br /&gt;&lt;br /&gt;But you can only glean that information if you understand the equations.  I have a math degree, and I can tell you that I certainly can't get that information at a glance: you need to know the symbols used, the physics, etc.  
It may provide great detailed information to experts, but for many people it will be impenetrable, and even for experts it's going to take a lot more time to analyze.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920677738/" title="Infographics vs Equations: both have strengths and weaknesses by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4115/4920677738_c2b32f4914.jpg" width="500" height="375" alt="Infographics vs Equations: both have strengths and weaknesses" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So that's two ways to represent information, one which is very good for quick explanation and memorable presentation, another which provides greater detail and precision.&lt;br /&gt;&lt;br /&gt;But what does this have to do with web pages?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920079115/" title="The people who make web pages... are also the people who make infographics by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4097/4920079115_1e5e40bd7e.jpg" width="500" height="375" alt="The people who make web pages... are also the people who make infographics" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Well, the thing you should note is that the people who make web pages are often the same sort of people who make infographics.  They're graphic designers, often with artistic backgrounds, and they like to work within the visual space, often to reach a wide audience.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920079143/" title="Visual Security Policy by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4082/4920079143_28528e5902.jpg" width="500" height="375" alt="Visual Security Policy" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And that's the sort of thinking that inspired my work on visual security policy.  
Existing work allows extensive customization of policy, but it doesn't really give a higher level, at-a-glance sort of way to deal with web page security.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920678050/" title="Math is hard; let's draw boxes! by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4138/4920678050_97a02b0c2d.jpg" width="500" height="375" alt="Math is hard; let's draw boxes!" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Or to put it more flippantly... Math is hard, let's draw boxes.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920678190/" title="Drupal support forum by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4094/4920678190_d614ff1138.jpg" width="500" height="375" alt="Drupal support forum" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So here's an example.  Let's say you're running a site with forums.  This is the support forum for Drupal, a content management system.  People post their questions, and other people can help them out with answers.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920678490/" title="A possible attack by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4115/4920678490_465487c2bd.jpg" width="500" height="375" alt="A possible attack" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But what if one of those people answering wasn't interested in being helpful so much as gaining control over other users?  
Suppose this person was able to inject a little bit of code (I don't know of any vulnerabilities on Drupal right now, but remember, with over 80% of sites vulnerable at some point in their lifetimes, it may just be a matter of waiting for many sites).&lt;br /&gt;&lt;br /&gt;So here, let's suppose poster #2 has injected some code that changes the login box so that it sends usernames and passwords out to attacker.com.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920678994/" title="Login form redirection attack code by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4076/4920678994_2cfd0a923f.jpg" width="500" height="375" alt="Login form redirection attack code" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;That's about two lines of code, so it's easy enough to disguise and hide in a lengthy comment.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679098/" title="Visual Security Policy boxes on Drupal by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4102/4920679098_b53a7435d2.jpg" width="500" height="375" alt="Visual Security Policy boxes on Drupal" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If we wanted to stop this using boxes, we'd probably take a look at the page and think “well, that's user-inserted content there and there... there could be sharks!” so you could put a box around each comment separately.  And then we might realize that the login box contains the username and password, so we should probably protect it too.  Into a box it goes!  
That way if we missed a source of user content, it's still protected.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679272/" title="How ViSP stops the attack by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4082/4920679272_72fd268d2c.jpg" width="500" height="375" alt="How ViSP stops the attack" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So if poster #2 goes and tries to attack the page, they get stopped in their own box, and they cannot change the login box, so nothing gets sent out to attacker.com.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920080949/" title="Visual Security Policy (ViSP) by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4080/4920080949_365a48979f.jpg" width="500" height="375" alt="Visual Security Policy (ViSP)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Visual Security Policy (or ViSP for short) has 4 components.  The first, as we saw in the example, is a box: it's a visual area on screen that has an associated security policy.&lt;br /&gt;&lt;br /&gt;The second is a channel, which allows communication between boxes.  This can be one-way.&lt;br /&gt;&lt;br /&gt;Then there's the multibox, which is a bit different in that it's more of a shortcut. There are many cases where there are a whole bunch of similar things on a page: lists of status updates, news stories, comments, etc. We might want to give them all similar security properties, and the multibox lets us do that.  Also sometimes the “next” button may add things into the page instead of loading a new one, so the multibox makes sure you don't have to care if there's 5 things or 20 – they'll still be boxed up.&lt;br /&gt;&lt;br /&gt;Finally there's structure, which is the... invisible part of visual security policy.  It lets you group things into columns, etc. 
even if the column itself shouldn't have any special security policy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679734/" title="ViSP for Drupal by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4075/4920679734_31c7ee012e.jpg" width="500" height="375" alt="ViSP for Drupal" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So here's what the ViSP would look like for our Drupal example.  It's short XML, and you'll note that the id attribute can be used to show how ViSP can be associated with the underlying HTML.&lt;br /&gt;&lt;br /&gt;But this is a relatively small example.  What would ViSP look like on a larger site?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679820/" title="A more complex example: Facebook by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4123/4920679820_b84667e489.jpg" width="500" height="375" alt="A more complex example: Facebook" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So let's look at Facebook.  At ¼ of the page views in the US, you pretty much have to be able to handle Facebook if you want to claim you have a system that can do web security.  While you might have to whitelist facebook itself, the elements of it will show up on other sites because that's what people expect.&lt;br /&gt;&lt;br /&gt;And some of those are high-risk elements: user-generated content, advertisers, apps, and people who sometimes don't realise the risks they're taking.  And of course, it's a fairly complex layout which could be an issue for a visual solution.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920679942/" title="Old Facebook home page by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4073/4920679942_8efb2881b2.jpg" width="500" height="375" alt="Old Facebook home page" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So here's what Facebook looked like a little while ago.  
They've since redesigned, but many of the elements are still there, like the menu bars.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920680130/" title="A sample ViSP policy on the Facebook home page by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4123/4920680130_556579aa47.jpg" width="500" height="375" alt="A sample ViSP policy on the Facebook home page" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And here's what a visual security policy for Facebook might look like.  I've protected menu bars on the top and bottom because attackers might modify those to facilitate phishing attacks.  There's my chat on the right and an advertisement on the far right, and then there's a big multibox with all my friends' status updates in there.  I might trust my friends, but you never know when someone might get their account compromised or hit with a virus or something, so we want to separate those out.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920680310/" title="ViSP for Facebook homepage (XML version) by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4074/4920680310_ae841357c6.jpg" width="500" height="375" alt="ViSP for Facebook homepage (XML version)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And here's what that fairly visually busy policy looks like in XML.  Not too bad, really.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920680472/" title="Facebook Code by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4143/4920680472_e6a3ce9af9.jpg" width="500" height="375" alt="Facebook Code" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;... Especially when you compare it to the actual code for facebook.  This is some of the code used to generate the page I showed you (you can see my name in there).  It's complex JavaScript, and it can be surprisingly difficult to figure out where a box should begin and end in all that mess.  
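&lt;br /&gt;&lt;br /&gt;To make the four components concrete, here is an added example that is not the ViSP prototype's code: a small Python simulation of how a policy built from a box, a multibox, a channel and a structure element would decide which DOM changes to allow, applied to the Drupal login attack and to a mashup-style channel. The dict-based policy encoding, the element ids, the mutation log, and the rule that unboxed content is left unprotected are all assumptions, since the real XML schema appears only on the slides.

```python
"""Simulated evaluation of a Visual Security Policy (ViSP) for a page.

Added example, not the ViSP prototype's code. The dict-based policy below is
a hypothetical stand-in for the XML on the slides. It models the four
components from the talk: a box isolates a visual region, a channel allows
one-way communication between boxes, a multibox boxes each of several similar
items separately, and structure only groups things for layout.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VispPolicy:
    # HTML element id mapped to the id of the box that protects it
    box_of: Dict[str, str] = field(default_factory=dict)
    # one-way channels, stored as (source box, target box)
    channels: Set[Tuple[str, str]] = field(default_factory=set)
    # structure groups: layout only, never consulted during enforcement
    structures: Dict[str, List[str]] = field(default_factory=dict)


def load_policy(nodes):
    """Flatten the nested policy spec (hypothetical encoding) into lookup tables.

    Each node is a dict with a "type" of box, multibox, structure or channel.
    A box or multibox member is named by the id of the HTML element it covers,
    mirroring how ViSP ties policy to the page through id attributes.
    """
    policy = VispPolicy()
    _walk(nodes, policy)
    return policy


def _walk(nodes, policy):
    for node in nodes:
        kind = node["type"]
        if kind == "box":
            policy.box_of[node["id"]] = node["id"]
            # elements listed under a box share its protection
            for child in node.get("elements", []):
                policy.box_of[child] = node["id"]
        elif kind == "multibox":
            # every member gets its own box, so members cannot touch each other
            for member in node["members"]:
                policy.box_of[member] = member
        elif kind == "structure":
            # record the grouping, then treat the children as ordinary nodes
            policy.structures[node["id"]] = [
                child.get("id", child["type"]) for child in node["children"]]
            _walk(node["children"], policy)
        elif kind == "channel":
            policy.channels.add((node["from"], node["to"]))
        else:
            raise ValueError("unknown ViSP node type: " + kind)


def is_allowed(policy, origin, target):
    """May script running inside region 'origin' modify element 'target'?

    Assumed semantics: content may always change its own box, an unboxed
    target is not protected, and reaching into another box requires a
    channel in that direction.
    """
    src = policy.box_of.get(origin)
    dst = policy.box_of.get(target)
    if dst is None:
        return True
    if src == dst:
        return True
    if src is None:
        return False
    return (src, dst) in policy.channels


def audit(policy, mutations):
    """Return the (origin, target) pairs the policy would have stopped."""
    return [m for m in mutations if not is_allowed(policy, m[0], m[1])]


# Constructed policy for the Drupal forum scenario: the login form is boxed,
# each answer is boxed separately via a multibox, and a structure element
# groups the thread column without protecting it.
DRUPAL_POLICY = load_policy([
    {"type": "box", "id": "login-form", "elements": ["edit-name", "edit-pass"]},
    {"type": "structure", "id": "main-column", "children": [
        {"type": "box", "id": "question"},
        {"type": "multibox", "id": "answers", "members": ["comment-1", "comment-2"]},
    ]},
])

# Constructed mashup-style policy: the city picker may push updates into the
# weather box, but nothing in the weather box may write back.
MASHUP_POLICY = load_policy([
    {"type": "box", "id": "city-picker"},
    {"type": "box", "id": "weather"},
    {"type": "channel", "from": "city-picker", "to": "weather"},
])

# Constructed DOM mutations: poster #2's comment tries to alter the password
# field (the login-redirect attack from the talk), edits itself, touches
# another answer, and touches an unboxed footer.
DRUPAL_MUTATIONS = [
    ("comment-2", "edit-pass"),
    ("comment-2", "comment-2"),
    ("comment-2", "comment-1"),
    ("comment-2", "page-footer"),
]

if __name__ == "__main__":
    for origin, target in DRUPAL_MUTATIONS:
        verdict = "allowed" if is_allowed(DRUPAL_POLICY, origin, target) else "BLOCKED"
        print(origin, "modifies", target, ":", verdict)
```
&lt;br /&gt;&lt;br /&gt;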
And that's not a critique of Facebook specifically: many web sites are generated from a variety of server and client-side systems.  Writing policy for generated HTML can be very complex, and that could be one of the reasons so few web developers have embraced security policy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920680528/" title="Policy Creation Tool Prototype by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4136/4920680528_981366d259.jpg" width="500" height="375" alt="Policy Creation Tool Prototype" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The real question at this point is “does it work?” and I can tell you that I do indeed have a working prototype.  You put it into policy creation mode through the menu or a keystroke, mouse over the page, and click to draw the boxes.  Right now, it only handles boxes: you have to write in channels and multiboxes by hand.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920082051/" title="But what about channels? by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4076/4920082051_c96f13c281.jpg" width="500" height="375" alt="But what about channels?" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, you may be asking... what about the properties of channels?  How do they work?  And the answer is “I wish I could tell you.”&lt;br /&gt;&lt;br /&gt;Channels are a staple of the existing work in mashups, with the idea that you'd want to set up a page so changing, say, your city could also update news, weather, etc. in other parts of the page.  But within my test set, I was surprised to find very little use of this sort of inter-page communication. I don't know if this is an artifact of the pages we chose, or if there simply isn't much communication going on within the page.  Perhaps most communication comes from attackers?  
I really don't know the answers.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920082109/" title="Issues and Future Work by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4136/4920082109_e9ef721bea.jpg" width="500" height="375" alt="Issues and Future Work" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So here are some of the issues we found and some things I'd like to do.  The big issue with ViSP is that it can only handle visual parts of the page, so if you've got JavaScript in your header, there's no way to encapsulate that. We found that in many cases, JavaScript was included where it was used, so you'd have menu code and the menu right together where the menu is displayed in the page instead of in the headers.  But that may not always be the case. &lt;br /&gt;&lt;br /&gt;It's unclear how that's going to work, just like it's unclear how channels will work.&lt;br /&gt;&lt;br /&gt;Several people, including one of my anonymous reviewers, rightly suggested that ViSP might be even easier if it could be deployed not as separate XML but instead as a “security stylesheet” in CSS.  So we're working on that.  We're also putting together a user study for the fall so we can answer the question of whether it really is more usable.  And of course, there are more tests to be had against other websites and real world attacks.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4920681088/" title="Open Questions by Terriko, on Flickr"&gt;&lt;img src="http://farm5.static.flickr.com/4080/4920681088_9a7f1e1e3d.jpg" width="500" height="375" alt="Open Questions" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Since this is HotSec, here are a few questions to get the discussion started:&lt;br /&gt;- Is ViSP really more usable? I've gotten really positive responses in my informal discussions with web folk, but it's still an open question.&lt;br /&gt;- How much communication goes on within the page?  
Was that a fluke of our test set or have we learned something about normal web behaviours?&lt;br /&gt;And finally&lt;br /&gt;- What technologies should ViSP play well with to provide a complete solution?&lt;br /&gt;This is only one piece of the web security puzzle that deals with one part of the web security problem – how does it need to interact with others to provide a complete solution?&lt;br /&gt;&lt;br /&gt;Thanks for listening!&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Want to know more?  You can read the whole paper "Visual Security Policy for the Web" at the following locations:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.usenix.org/events/hotsec10/tech/full_papers/Oda.pdf"&gt;www.usenix.org/events/hotsec10/tech/full_papers/Oda.pdf&lt;/a&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://webinsecurity.net/resources/visp-oda-hotsec2010.pdf"&gt;webinsecurity.net/resources/visp-oda-hotsec2010.pdf&lt;/a&gt;&lt;br /&gt;&lt;/ul&gt;You can also comment here or contact me at terri (at) zone12.com if you have any questions or ideas you'd like to discuss. 
&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-1147953216404952272?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/1147953216404952272/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=1147953216404952272' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1147953216404952272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1147953216404952272'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/08/visual-security-policy-for-web.html' title='Visual Security Policy for the Web'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4098/4920668034_568f3939d8_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4256679319738470860</id><published>2010-08-19T15:10:00.003-04:00</published><updated>2011-04-07T10:29:12.483-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='location'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Privacy: Not just for people who are doing bad things</title><content type='html'>I'm 
happy to see that Gizmodo is &lt;a href="http://gizmodo.com/5616338/the-first-thing-you-should-do-with-facebook-places-dont-let-other-people-tag-you"&gt;already&amp;nbsp;recommending&amp;nbsp;that people disable Facebook Places&lt;/a&gt; in as much as you really can. &amp;nbsp;And the article has a nice step-by-step on how to limit the amount your friends can (accidentally or intentionally) violate your privacy.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But I take issue with the fact that their examples were "you're lying to your girlfriend" and "you're cheating on your wife." &amp;nbsp;Seriously? &amp;nbsp;I know they were trying to be funny, but the implication you get from the article is that privacy should only matter in this way if you've got something to hide. &amp;nbsp;But that's not the case:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What about a parent who doesn't want to advertise to strangers the exact geo-location of the parks his kids play in every day?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What about a woman who has received threats from unpleasant people who feel that women should not be involved in open source software? &amp;nbsp;(I wish I were kidding, but this happened to me, and other people receive threats from disturbed individuals online.)&lt;br /&gt;&lt;br /&gt;What about someone shopping for an engagement ring who meets a friend at the mall?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There's plenty of reasons one might prefer privacy. 
&amp;nbsp; I think maybe we would do well to include this sort of example in articles, so that even those living utterly honest lives will realize that privacy is important to them and people they care about.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4256679319738470860?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4256679319738470860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4256679319738470860' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4256679319738470860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4256679319738470860'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/08/privacy-not-just-for-people-who-are.html' title='Privacy: Not just for people who are doing bad things'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6641242625559400486</id><published>2010-07-09T11:03:00.000-04:00</published><updated>2010-07-09T11:03:14.621-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><category scheme='http://www.blogger.com/atom/ns#' term='security professionals'/><category 
scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><title type='text'>Preparing some curricula on web security</title><content type='html'>Among the other cool things I'm doing this summer is working as a teaching assistant for 1.5 days worth of tutorials on the subject of web security.  This is part of my national research group's "summer school" program where we try to give our graduate students more background into other areas of security. I'm working up a list of potential topics so we can get our teaching materials together.&lt;br /&gt;&lt;br /&gt;So... What would &lt;em&gt;you&lt;/em&gt; want to learn in a short course on web security?  What do you wish other people knew about web security? &lt;br /&gt;&lt;br /&gt;Here's my brainstorming list, to be updated as new things occur to me:&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Attacks&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;Overview of the &lt;a href="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"&gt;OWASP top 10&lt;/a&gt; /  &lt;a href="http://projects.webappsec.org/Threat-Classification"&gt;WASC threat classification&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;XSS (incl. &lt;a href="http://ha.ckers.org/xss.html"&gt;filter evasion techniques&lt;/a&gt; and a variety of ways to use XSS for defacement through to more subtle modifications, password/data theft, etc.) &lt;br /&gt;&lt;/li&gt;&lt;li&gt;CSRF&lt;br /&gt;&lt;/li&gt;&lt;li&gt;SQL Injection&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Clickjacking&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Defenses&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;Best coding practices&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Web Application Firewalls&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Web Vulnerability Scanners&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Tainting&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Mashup solutions (e.g. MashupOS, OMash)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Policies (e.g. 
SOMA, BEEP, CSP)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Penetration testing techniques&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Notes: The tentative plan is to separate things into a hands-on lab tutorial (probably using webgoat) and a set of lectures, mostly running simultaneously.  We're going to have some top-notch students here, since we're drawing from a pool of smart security researchers to start, so we can cover a lot of ground and go much further in depth than we might teaching developers with no security background.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6641242625559400486?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6641242625559400486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6641242625559400486' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6641242625559400486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6641242625559400486'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/07/preparing-some-curricula-on-web.html' title='Preparing some curricula on web security'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7879863055957770799</id><published>2010-06-29T10:00:00.000-04:00</published><updated>2010-06-29T10:00:01.824-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social networking'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='network effect'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>A crash course in the social media equivalent of defensive driving</title><content type='html'>How can you stay safe and keep things private while still taking part in online life? I'm a web security researcher, so I get asked this fairly frequently. &amp;nbsp;And it's easy to see how people get overwhelmed by all the &lt;a href="http://www.google.com/news/search?aq=f&amp;amp;pz=1&amp;amp;cf=all&amp;amp;ned=us&amp;amp;hl=en&amp;amp;q=facebook+privacy+concerns"&gt;news stories&lt;/a&gt;, the marketing blurbs, and the &lt;a href="http://webinsecurity.blogspot.com/2010/05/why-facebook-is-like-your-psycho-ex.html"&gt;constantly changing policies&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Why I'm not telling you to quit Facebook&lt;/h2&gt;Let's say you're worried about your risk of getting into a car accident. &amp;nbsp;Do you sell your car and refuse to get into any moving vehicle? &amp;nbsp;No. 
&amp;nbsp;Refusing to use a car might make you safer, but it would be quite isolating and, depending on where and how you live, very difficult.&amp;nbsp;&amp;nbsp;Just like many people live without cars, you can live without social networking, but there are some significant costs to refusing to participate. &amp;nbsp;Many people's need or desire to participate is much stronger than the risks they face.&lt;br /&gt;&lt;br /&gt;If you're worried about car accidents, you've got other options to manage your risks than giving up your car. &amp;nbsp;You can learn to drive defensively. &amp;nbsp;You can make sure you wear your seatbelt. &amp;nbsp;You can learn about the safety ratings and use cars that perform better in safety tests. &amp;nbsp;You can refuse to drive places that are dangerous. &lt;br /&gt;&lt;br /&gt;So what I'm hoping to do here is give you a crash course in the social media equivalent of defensive driving.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;The web is not a safe place&lt;/h2&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;When I learned to drive, my driving instructor often reminded me that I had to treat every car on the road as if it were being driven by a moron who might swerve into my lane at any time. &amp;nbsp; It might seem like a very negative point of view, but it's a very practical one that's helped me avoid accidents on numerous occasions simply because I was expecting it.&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;My blog is called &lt;i&gt;&lt;a href="http://webinsecurity.net/"&gt;&lt;span class="Apple-style-span" style="font-style: normal;"&gt;Web &lt;/span&gt;Insecurity&lt;/a&gt;&lt;/i&gt; for a reason. 
&lt;a href="http://www.whitehatsec.com/home/assets/WPstats_fall09_8th.pdf"&gt;&amp;nbsp;Nearly 2/3 of web pages currently have a serious vulnerability&lt;/a&gt;. &amp;nbsp;So that means no matter what the policy is, how careful you are, or how careful your friends are... there's a good chance you are going to view some code controlled by a bad guy, and they could get information about you that you don't want them to have. &amp;nbsp;It's often very easy to exploit these vulnerable parts of a website. &amp;nbsp;75% of websites with malicious code are legitimate sites. &amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;You may be thinking, "sure, but no one's going to care about &lt;i&gt;my&lt;/i&gt; data." &amp;nbsp;And you may be right. &amp;nbsp;But if a bad guy is trying to make a company look terrible, one way to do so is to expose information about all of their users. &amp;nbsp;You can definitely wind up as collateral damage.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Learn your legal protections&lt;/h2&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Learning about legal stuff can be time-consuming and confusing, and frankly companies may&amp;nbsp;&lt;a href="http://www.thestar.com/news/canada/article/667167"&gt;violate laws&lt;/a&gt;&amp;nbsp;anyhow. &amp;nbsp;But it's still worth learning a bit about your rights. The&amp;nbsp;&lt;a href="http://www.eff.org/"&gt;EFF&lt;/a&gt;&amp;nbsp;has quite an&amp;nbsp;&lt;a href="http://www.eff.org/work"&gt;impressive body of work covering free speech, privacy, intellectual property and other important issues&lt;/a&gt;, and they do a great job of translating legal speak into clear, comprehensible articles. 
&amp;nbsp; You might also consider reading bloggers like&amp;nbsp;&lt;a href="http://www.michaelgeist.ca/"&gt;Michael Geist&lt;/a&gt;, and your country may have great resources like&amp;nbsp;&lt;a href="http://www.priv.gc.ca/index_e.cfm"&gt;the Office of the Privacy&amp;nbsp;Commissioner of Canada&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Remember that things that may seem similar often have very different legal protections. &amp;nbsp;For example, if my credit card number is stolen, there are&amp;nbsp;&lt;a href="http://www.investopedia.com/ask/answers/09/stolen-credit-card.asp"&gt;laws that limit my liability to $50&lt;/a&gt;. &amp;nbsp;&amp;nbsp;But that's not true about all money transactions online: &amp;nbsp;Debit/bank cards have no such legal protection. &amp;nbsp;Some modern credit cards that require a PIN have no such protection&amp;nbsp;&lt;a href="http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/"&gt;even though these cards aren't actually safe&lt;/a&gt;. You may have no legal protection from your bank if you don't follow their security procedure to the letter, and those&amp;nbsp;&lt;a href="http://www.ccsl.carleton.ca/paper-archive/mannan-nspw07.pdf"&gt;security requirements of online banks&lt;/a&gt;&amp;nbsp;can be pretty crazy: Do you reboot your computer every time you bank? &amp;nbsp;No? 
&amp;nbsp;You might be on the hook if someone compromises your account!&lt;/div&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;So yeah. &amp;nbsp;It's a bit of work, but it's worth it to at least learn about the issues that affect you.&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;h2&gt;Learn the controls&lt;/h2&gt;It may seem a bit silly, given that I've already told you that websites can easily be compromised, but if you're managing risks you should learn to use your privacy controls, choose good passwords and security questions, and keep those things private. &amp;nbsp;Again, it's about managing your risks: even if these controls can't make you 100% safe, they might make you &lt;i&gt;safer&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-size: 24px; font-weight: bold;"&gt;Companies are not your friends&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;For many companies online, you are not really their primary customer: your time and your personal information are assets the company sells to their advertisers. &amp;nbsp;You have to expect to be treated accordingly. You have to &lt;a href="http://webinsecurity.blogspot.com/2010/05/why-facebook-is-like-your-psycho-ex.html"&gt;treat every company or organization you interact with online as potential hazards&lt;/a&gt;. 
&amp;nbsp;&amp;nbsp;Many companies intentionally or unintentionally&amp;nbsp;&lt;a href="http://www.vancouversun.com/news/Facebook+runs+afoul+privacy+watchdog+again/3060364/story.html"&gt;violate privacy laws&lt;/a&gt;&amp;nbsp;and even&amp;nbsp;&lt;a href="http://www.theregister.co.uk/2010/05/21/facebook_ads/"&gt;violate their own privacy rules&lt;/a&gt;. &amp;nbsp;And privacy rules change, sometimes because the company itself changed them, sometimes because they get bought out by another company. &amp;nbsp;Your guarantee when you signed up for the site is unlikely to hold a year from now, but it may be nigh impossible to remove your data from the system when it changes.&lt;br /&gt;&lt;br /&gt;And that's just the "legitimate" problems that could affect you: there's a good chance any company's sites could be attacked and your data exposed as a result -- it happens to fully legitimate companies all the time, no matter how good their intentions towards you and your data.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Choose your friends wisely&lt;/h2&gt;&lt;div&gt;You wouldn't tell all your secrets to the office gossip, but online your friends may be "forced" to become gossips either through malicious software or through changing policies. &amp;nbsp;It sounds like some crazy super-spy movie: trust no one! &amp;nbsp;Your friends could be compromised! &amp;nbsp;But once again, just like I'm not telling you to delete your facebook account, I'm not going to tell you not to share, just to be defensive.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For example, I have a couple of friends who really enjoy Facebook games. &amp;nbsp;They seem to install every new thing that comes along and invite me to join. &amp;nbsp;Nothing wrong with that, right? &amp;nbsp;I mean, if I don't want to join, I just don't, and that's the end of it. 
&amp;nbsp;Except that it's not: my friends have all these games (each one a third-party application that has been granted access to their account) and thus all these extra ways that someone might break into their accounts. &amp;nbsp;And indeed, these are the folk who wind up with compromised accounts more often than most. &amp;nbsp; So while these are great people who I'd be happy to share job concerns or relationship woes with in real life, it's too risky for me to share private stuff with them online. &amp;nbsp;They are the office gossips, whether they mean to be or not. &amp;nbsp;They're not the only ones who put me at risk (any friend can end up on the wrong end of a broken website) but they're the riskiest.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 24px; font-weight: bold;"&gt;Choose what you want to share&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;The biggest part of managing your risk is choosing what you want to share online. &amp;nbsp;Here are a few questions you might want to ask yourself:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Will this embarrass me if it gets out?&lt;/li&gt;&lt;li&gt;Will this affect my safety?&lt;/li&gt;&lt;li&gt;Will this affect my employment?&lt;/li&gt;&lt;li&gt;Will this affect my family/friends?&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;a href="http://www.reputationdefenderblog.com/2009/11/13/teacher-fired-over-facebook-profile/"&gt;If your job requires you to be a role model, you may have to be a role model even in your off-hours&lt;/a&gt;.&amp;nbsp;Maybe it shouldn't be that way, but let's be pragmatic: you have to assume that it&amp;nbsp;&lt;i&gt;is&lt;/i&gt;&amp;nbsp;that way. &amp;nbsp;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You have to assume that anything you share online could become public knowledge. 
&amp;nbsp;You can't trust the companies, you can't assume their sites are safe, and you can't even trust your friends because of unsafe websites. &amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Think before you share.&lt;/div&gt;&lt;h2&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font-size: medium; font-weight: normal;"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-size: 24px; font-weight: bold;"&gt;Using a pen name&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="font-size: medium; font-weight: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-size: medium; font-weight: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;One other way to manage risk is to use a pen name or pseudonym. &amp;nbsp;Lots of people do this to give them a layer of privacy, especially when trying out something new like starting a silly blog, or when engaging in discussion that could be sensitive such as online political debate. &amp;nbsp;Sometimes it's even an open secret that so-and-so goes by a nickname online, and the only reason they do is to make it harder for potential employers to come up with a list of everything they do online when searching their legal name and given email address.&lt;/div&gt;&lt;div style="font-size: medium; font-weight: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-size: medium; font-weight: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;This is a great tool if you want some more freedom to speak, but people sometimes will do the legwork necessary to figure out who you are, especially if you're high-profile or saying something unpopular. &amp;nbsp;So pen names are great, but do remember that they're not 100% guaranteed to keep you safe. 
&amp;nbsp;Again, it's another way to manage risks.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/h2&gt;&lt;h2 style="font-size: medium; font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: 24px; font-weight: bold;"&gt;No matter what you do, everything may become public&lt;/span&gt;&lt;/h2&gt;&lt;div&gt;I've said this a bunch of different ways, but this is the real take-home message here: &lt;b&gt;No matter how careful you are, anything you do online can become public knowledge.&lt;/b&gt;&amp;nbsp;&amp;nbsp; It's up to you to manage your risks accordingly. &lt;br /&gt;&lt;br /&gt;But don't despair -- it may sound stupidly hard, but you're already handling issues of trust and privacy every time you choose to tell a story to a friend or complain about work at a party. &amp;nbsp;You might have to pretend you're in a spy movie and trust no one, or you might decide some things are perfectly fine to share with the world. &amp;nbsp;Just try to make an informed decision.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7879863055957770799?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7879863055957770799/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7879863055957770799' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7879863055957770799'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7879863055957770799'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/06/crash-course-in-social-media-equivalent.html' title='A crash course in the social media 
equivalent of defensive driving'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2248588241368906474</id><published>2010-05-21T20:20:00.003-04:00</published><updated>2010-06-01T15:21:53.164-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='w2sp'/><category scheme='http://www.blogger.com/atom/ns#' term='presentation'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>No Website Left Behind: Are We Making Web Security Only For The Elite?</title><content type='html'>This is an annotated version of my presentation at &lt;a href="http://w2spconf.com/2010/"&gt;W2SP 2010&lt;/a&gt;, since I realized my slides by themselves are missing a lot of the story.  &lt;a href="http://w2spconf.com/2010/papers/p14.pdf"&gt;The full paper is available from the conference website&lt;/a&gt; and I should be putting up an HTML version shortly.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627837888/in/set-72157624108934380/" title="w2sp: Slide 0: No Web Site Left Behind: Are we making web security only for the elite?"&gt;&lt;img src="http://farm4.static.flickr.com/3276/4627837888_bfb1b3e348.jpg" alt="w2sp: Slide 0: No Web Site Left Behind: Are we making web security only for the elite?" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hi, I'm Terri, and I'm here to talk about whether we're excluding some very important people when it comes to web security.&lt;br /&gt;&lt;br /&gt;The first thing you need to know is that... 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627837912/in/set-72157624108934380/" title="w2sp: Slide 1: Page Creators are not all Programmers"&gt;&lt;img src="http://farm5.static.flickr.com/4009/4627837912_c4a2e75033.jpg" alt="w2sp: Slide 1: Page Creators are not all Programmers" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And of course you knew that, because we all know the Internet is actually run by cats.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627837980/in/set-72157624108934380/" title="w2sp: Slide 2: The Internet is run by cats"&gt;&lt;img src="http://farm4.static.flickr.com/3381/4627837980_7359d35260.jpg" alt="w2sp: Slide 2: The Internet is run by cats" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;... and we all know that cats aren't programmers; they're artists.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838018/in/set-72157624108934380/" title="w2sp: Slide 3: Cats are artists"&gt;&lt;img src="http://farm4.static.flickr.com/3362/4627838018_c1cc3e9477.jpg" alt="w2sp: Slide 3: Cats are artists" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Seriously, though, many of the people who do web design professionally are artists, not programmers.  You can see this through the job titles used and other services offered by many web design firms.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838042/in/set-72157624108934380/" title="w2sp: Slide 4: Professional web page creators often have artistic backgrounds"&gt;&lt;img src="http://farm5.static.flickr.com/4063/4627838042_645862901c.jpg" alt="w2sp: Slide 4: Professional web page creators often have artistic backgrounds" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And then there's all the people who make pages but aren't professionals.  Cat blogs, community sports team sites, small church websites, etc. 
are often made by non-professionals.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838064/in/set-72157624108934380/" title="w2sp: Slide 5: And there are plenty of non-professional page creators too!"&gt;&lt;img src="http://farm5.static.flickr.com/4012/4627838064_e9d951e977.jpg" alt="w2sp: Slide 5: And there are plenty of non-professional page creators too!" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And in many ways, it's fantastic that all these people can make web pages.  Web 2.0!  Sharing!  Communication!  But the problem is that web &lt;em&gt;security&lt;/em&gt; is designed for programmers.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233277/in/set-72157624108934380/" title="w2sp: Slide 6: Web Security is for Programmers"&gt;&lt;img src="http://farm5.static.flickr.com/4066/4627233277_60b808e0d4.jpg" alt="w2sp: Slide 6: Web Security is for Programmers" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So, for the purposes of visualization, let's pretend that a web page is like a car...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838134/in/set-72157624108934380/" title="w2sp: Slide 7: Suppose a web site is like a car..."&gt;&lt;img src="http://farm4.static.flickr.com/3407/4627838134_8b57d98226.jpg" alt="w2sp: Slide 7: Suppose a web site is like a car..." /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Thus we can imagine web security issues like cross-site scripting and cross-site request forgery are sort of like getting gremlins in your engine.  
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838216/in/set-72157624108934380/" title="w2sp: Slide 8: Problem: Gremlins in the engine"&gt;&lt;img src="http://farm5.static.flickr.com/4061/4627838216_4d2b0cfbd9.jpg" alt="w2sp: Slide 8: Problem: Gremlins in the engine" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;With this analogy in mind, let's look at some of the best tools we have for fixing websites:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233453/in/set-72157624108934380/" title="w2sp: Slide 9: Safer Coding Practices"&gt;&lt;img src="http://farm5.static.flickr.com/4067/4627233453_be004fde5f.jpg" alt="w2sp: Slide 9: Safer Coding Practices" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The big one is safer programming practices.  You take your existing website, and replace it with a new, gremlin-proof one.  This is pretty programming-intensive, much like you'd need some serious mechanic skills to replace your entire car engine.&lt;br /&gt;&lt;br /&gt;Then there's tainting or data flow analysis, which allows you to trace the path of the gremlins through your engine...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233513/in/set-72157624108934380/" title="w2sp: Slide 10: Tainting"&gt;&lt;img src="http://farm4.static.flickr.com/3317/4627233513_63ba8d6590.jpg" alt="w2sp: Slide 10: Tainting" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But once you've done that, you still have to patch the code so that the gremlins can't cause problems.  Programming!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233575/in/set-72157624108934380/" title="w2sp: Slide 11: Tainting (Fix The Code)"&gt;&lt;img src="http://farm5.static.flickr.com/4028/4627233575_2569fc1f1b.jpg" alt="w2sp: Slide 11: Tainting (Fix The Code)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We've got known exploit detection, such as web application vulnerability scanners and web application firewalls.  
A scanner tells you where and what kind of gremlins you have, and a firewall turns away the ones it recognizes at the door, but both only know about gremlins that match patterns they have seen before.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838504/in/set-72157624108934380/" title="w2sp: Slide 12: Known Exploit Detection"&gt;&lt;img src="http://farm5.static.flickr.com/4063/4627838504_08f4b8c9df.jpg" alt="w2sp: Slide 12: Known Exploit Detection" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But while they might protect you for a time, best practice still says you should fix your code.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233743/in/set-72157624108934380/" title="w2sp: Slide 13: Known Exploit Detection (Fix The Code)"&gt;&lt;img src="http://farm5.static.flickr.com/4042/4627233743_c86fabf149.jpg" alt="w2sp: Slide 13: Known Exploit Detection (Fix The Code)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And then there are the cool mashup protections, which help you fix your code to provide isolation between components so that the gremlins can't breed in your engine.  But they mostly involve a lot of coding to implement.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838672/in/set-72157624108934380/" title="w2sp: Slide 14: Mashup Protections"&gt;&lt;img src="http://farm5.static.flickr.com/4023/4627838672_4ba819721a.jpg" alt="w2sp: Slide 14: Mashup Protections" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Even the language of security is heavily oriented towards programmers.  The documentation for Mozilla CSP even includes set theory notation!  Not exactly friendly for artists. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233845/in/set-72157624108934380/" title="w2sp: Slide 15: The Language of Security"&gt;&lt;img src="http://farm4.static.flickr.com/3474/4627233845_8e7cb406e4.jpg" alt="w2sp: Slide 15: The Language of Security" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of the organizations that do the best job of communicating (web) security flaws tend to be intimidating to non-programmers, and really send the message “If you're not a programmer, this isn't for you.”  This is not the message we want to send!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838722/in/set-72157624108934380/" title="w2sp: Slide 16: Non-Programmers still need Security"&gt;&lt;img src="http://farm4.static.flickr.com/3416/4627838722_64d9b89287.jpg" alt="w2sp: Slide 16: Non-Programmers still need Security" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Because non-programmers really do need security.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233933/in/set-72157624108934380/" title="w2sp: Slide 17: The Web is a Target"&gt;&lt;img src="http://farm5.static.flickr.com/4035/4627233933_309822e49c.jpg" alt="w2sp: Slide 17: The Web is a Target" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The web is a big target, and attackers aren't limiting themselves to big sites – automated attacks make it worthwhile to compromise even smaller targets.  Lots of attackers are interested in sending spam, SEO, evading blacklists, etc. all of which can utilize smaller sites.  
And the attacks aren't always where you'd expect: Did you know your Facebook account is currently worth more on the black market than your credit card?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627233953/in/set-72157624108934380/" title="w2sp: Slide 18: Design choices affect security"&gt;&lt;img src="http://farm4.static.flickr.com/3336/4627233953_e3eee8e34c.jpg" alt="w2sp: Slide 18: Design choices affect security" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But if you're thinking “So, we just let the designers design and handle security at the programming layer below,” you're missing two important points: &lt;br /&gt;&lt;br /&gt;First, smaller sites may not have anyone who can handle security, period.&lt;br /&gt;&lt;br /&gt;And second, the design of a page actually affects the security of a page.  For example, if you put a script-based advertisement on the same page as a form, the advertiser's script runs in the visitor's browser with the same privileges as your own page, so it can read whatever the visitor types into that form.  Programming under the hood can't fix that; it happens entirely on the client side.  A lot of “small” sites will use a variety of cut-and-paste code that they found elsewhere, increasing their risks even though they may not realize it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838848/in/set-72157624108934380/" title="w2sp: Slide 19: So... Now What?"&gt;&lt;img src="http://farm5.static.flickr.com/4001/4627838848_ce9fbaae96.jpg" alt="w2sp: Slide 19: So... Now What?" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So... that's not terribly good.  
What can we do about it?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838870/in/set-72157624108934380/" title="w2sp: Slide 20: Security costs may outweigh risks"&gt;&lt;img src="http://farm4.static.flickr.com/3362/4627838870_452cabe39a.jpg" alt="w2sp: Slide 20: Security costs may outweigh risks" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Before we propose any solutions, we need to keep in mind that the cost/benefit ratio for smaller sites may be very different from what we expect.  Users will reject security advice if it's more costly to implement than their risks are.  And for non-technical site creators, the cost of learning security may be months of additional time, personnel, and money spent on training.  Whereas how much risk is there of your community sports team website getting compromised?  It may not be clear, and it may not be easy to translate into dollars.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627234043/in/set-72157624108934380/" title="w2sp: Slide 21: Provide more secure infrastructure and tools"&gt;&lt;img src="http://farm4.static.flickr.com/3411/4627234043_138ed921be.jpg" alt="w2sp: Slide 21: Provide more secure infrastructure and tools" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So the first thing we can do is provide a more secure environment.  The same origin policy already provides some basic protection to websites, and it's something designers just accept as part of the web infrastructure.&lt;br /&gt;&lt;br /&gt;When I put together these slides, I didn't have any other ideas of what to do, but I've now seen  a presentation that suggested some security restrictions that would have minimal impact on the top 100,000 websites but could improve security. (The paper is titled  “On the Incoherencies in Web Browser Access Control Policies”)&lt;br /&gt;&lt;br /&gt;It'd be really handy if graphical tools like Dreamweaver could generate secure mashups.  
I even talked to some students from the University of Virginia who are working on small policy additions to Ruby on Rails that could provide security – we need more work like this!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627234087/in/set-72157624108934380/" title="w2sp: Slide 22: Provide education (that non-programmers can understand!)"&gt;&lt;img src="http://farm5.static.flickr.com/4026/4627234087_527c57e39d.jpg" alt="w2sp: Slide 22: Provide education (that non-programmers can understand!)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Education is also a big deal: people won't bother with better security if they don't understand the risks, and they won't fix problems correctly if they don't understand the solutions.  But we have to be really careful to provide materials that make sense to the target audience of designers, and that are sufficiently short that they don't cause the costs of learning to exceed the risks.&lt;br /&gt;&lt;br /&gt;You know how the EFF has done a great job distilling the complex privacy issues in Facebook and explaining them to the general public?  We need materials like that for web security as well as privacy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627234117/in/set-72157624108934380/" title="w2sp: Slide 23: Provide minimal interventions (web site first aid)"&gt;&lt;img src="http://farm4.static.flickr.com/3364/4627234117_2960f03969.jpg" alt="w2sp: Slide 23: Provide minimal interventions (web site first aid)" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Another way we can help is by providing something akin to website first aid.  If you fall and skin your knee, you know enough to wash out the wound, maybe put a bandage on it.  You don't need to be a doctor to help your daughter if she trips in the playground.  
But right now you need to be a website surgeon to handle any security!&lt;br /&gt;&lt;br /&gt;There are already some neat things out there: the Origin header lets a server reject cross-site requests, and so block XSRF, with minimal effort, provided the server actually checks it. I worked on a system called SOMA which provided additional controls over includes in websites.  But the risk is in letting these minimal interventions get too huge to be useful for average websites.  I'm not a huge fan of Mozilla CSP because it's getting just too big for a quick fix.  We need to put a lot of thought into optimizing policy and other solutions for the common cases and less into flexibility for unlikely edge issues.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627838976/in/set-72157624108934380/" title="w2sp: Slide 24: Provide Separation Between Security and Design"&gt;&lt;img src="http://farm5.static.flickr.com/4021/4627838976_4e1b15e45b.jpg" alt="w2sp: Slide 24: Provide Separation Between Security and Design" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And of course, it'd make our lives a lot easier if we could provide more separation between security and design so that design choices wouldn't necessarily compromise your security.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627234165/in/set-72157624108934380/" title="w2sp: Slide 25: Offload security to others"&gt;&lt;img src="http://farm4.static.flickr.com/3366/4627234165_379a4593c3.jpg" alt="w2sp: Slide 25: Offload security to others" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If we had more separation between security and design of web pages, we could offload security to others.  For example, the people in an organization who may care most about security are the systems administrators, because they're the ones who get woken at 4am if something goes wrong, and they're the ones who have to clean up the mess.  
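&lt;br /&gt;&lt;br /&gt;The Origin check mentioned above, as an added example that is not code from the talk or from SOMA: a small Node.js function that decides whether a state-changing request may proceed, using the Origin header and falling back to Referer for browsers that send only that. The sample requests and the site origin https://example.com are constructed for illustration.

```javascript
// Added example, not code from the talk or from SOMA: a server-side check
// that uses the Origin header (falling back to Referer) to refuse
// cross-site state-changing requests. The request shapes and the site
// origin below are assumptions for illustration.

// Methods that must never change state, so they need no origin check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Return the scheme://host[:port] a request claims to come from, or null
// when neither Origin nor Referer is present. A literal "null" Origin
// (sandboxed iframe, data: URL, some redirects) is returned as-is, so
// it never matches a real site origin.
function requestOrigin(headers) {
  const origin = headers['origin'];
  if (typeof origin === 'string') {
    return origin.toLowerCase();
  }
  const referer = headers['referer'];
  if (typeof referer === 'string') {
    try {
      return new URL(referer).origin.toLowerCase();
    } catch (e) {
      return null;  // unparseable Referer gives no evidence either way
    }
  }
  return null;
}

// True when the request may proceed on a site served at siteOrigin.
// Fails closed: a state-changing request with no usable origin evidence
// is refused, which is the safe default for browser-facing endpoints.
function isSameSiteRequest(method, headers, siteOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return true;
  }
  const claimed = requestOrigin(headers);
  if (claimed === null) {
    return false;
  }
  return claimed === siteOrigin.toLowerCase();
}

// Constructed sample requests (not captured traffic), with header names
// already lower-cased the way Node's http module presents them.
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { origin: 'https://example.com' } },               // same site
  { method: 'POST', headers: { origin: 'https://evil.example' } },              // cross-site form post
  { method: 'POST', headers: { referer: 'https://example.com/account/edit' } }, // Referer only
  { method: 'POST', headers: {} },                                              // no evidence: refuse
  { method: 'POST', headers: { origin: 'null' } },                              // opaque origin: refuse
  { method: 'GET',  headers: { origin: 'https://evil.example' } },              // read-only: allow
];

// Run the check over a batch and return one decision per request.
function auditRequests(requests, siteOrigin) {
  return requests.map(function (r) {
    return isSameSiteRequest(r.method, r.headers, siteOrigin);
  });
}

console.log(auditRequests(SAMPLE_REQUESTS, 'https://example.com'));
// [ true, false, true, false, false, true ]
```

Failing closed when neither header is present is the safe default for endpoints that browsers talk to; if the same endpoint also serves non-browser clients, give them their own authentication path rather than relaxing this check for everyone.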
&lt;br /&gt;&lt;br /&gt;We may even want to consider offloading security to the users: they're the ones whose data is most at risk, and they're willing to install virus scanners and even NoScript to try to protect themselves: surely we could do better there.&lt;br /&gt;&lt;br /&gt;And finally, there's always the option of hiring outside security experts.  The costs currently are prohibitive for smaller sites, but if basic security were easier, maybe we could make this more reasonable.&lt;br /&gt;&lt;br /&gt;One thing I've been working on is a visual system for defining security policy, so it can be integrated with design tools and so security can be articulated in a language designers already understand.  I'd be happy to talk more about it if you're curious.&lt;br /&gt;&lt;br /&gt;In conclusion, while we're doing some good work in web security, we're really limiting our impact if we don't reach out to the broader range of folk who create web pages.  Making web security all sound complex, time consuming and hard  at all levels may be great for our job security, but it isn't the best way to go about actually making the web safer for the world!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/terrio/4627234205/in/set-72157624108934380/" title="w2sp: Slide 26: Wrap-up and Questions"&gt;&lt;img src="http://farm5.static.flickr.com/4028/4627234205_987b56a7d6.jpg" alt="w2sp: Slide 26: Wrap-up and Questions" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Edit: Although I was unaware of this when I wrote the paper whose title is used in this blog post, apparently "No Website Left Behind" is trademarked by Cenzic.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2248588241368906474?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2248588241368906474/comments/default' 
title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2248588241368906474' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2248588241368906474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2248588241368906474'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/05/no-website-left-behind-are-we-making.html' title='No Website Left Behind: Are We Making Web Security Only For The Elite?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3276/4627837888_bfb1b3e348_t.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-9109337983032633697</id><published>2010-05-15T22:00:00.001-04:00</published><updated>2010-05-16T19:59:53.446-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='disabling javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><category scheme='http://www.blogger.com/atom/ns#' term='ajax'/><title type='text'>Subverting Ajax</title><content type='html'>&lt;em&gt;I wrote this on 9/15/08 but never published it for some reason.  
The paper I'm discussing is still interesting, though, so here's the post, years late!&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Today's paper is &lt;a href="http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html"&gt;Subverting Ajax&lt;/a&gt;, which was published in December 2006 at the 23rd Chaos Communication Congress.  It is, as one might expect from the title, an overview of ways in which Ajax (Asynchronous JavaScript And XML) can be compromised.&lt;br /&gt;&lt;br /&gt;You might think that since this paper was from 2006, many of these flaws would be closed, but sadly, the paper seems to retain its relevance even in 2008.&lt;br /&gt;&lt;br /&gt;Although the focus of this paper is on Ajax, particularly the case in which an attacker has placed another layer of communication "between" the browser and the server, it also covers a number of techniques that can be used in any JavaScript-based attack.  For example, the wrapper used around the built-in XMLHttpRequest could potentially be used to subvert any built-in JavaScript object.  Also clever is the use of proxies and iframes.  
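&lt;br /&gt;&lt;br /&gt;The wrapping trick described above, as an added example that is not code from the paper: a Node.js script that hooks JSON.parse the way an injected script might hook XMLHttpRequest, and shows two defences, keeping a private reference to the real function and freezing the object that holds it. The sample response, the sink array and the function names are constructed for illustration.

```javascript
// Added example, not code from the Subverting Ajax paper: the "wrap a
// built-in" trick applied to JSON.parse, which every Ajax response ends
// up passing through, plus two defences. The same pattern hooks
// XMLHttpRequest.prototype.open and send in a browser; JSON.parse is used
// here because it exists in Node as well.

// Attacker step: replace target[name] with a wrapper that behaves exactly
// like the original for callers but copies every result into sink.
// Returns the original so the caller can restore it.
function installWrapper(target, name, sink) {
  const original = target[name];
  target[name] = function () {
    const result = original.apply(this, arguments);
    sink.push(result);
    return result;
  };
  return original;
}

// Defence 1: capture a private reference to the real function before any
// third-party script can run, and call through that reference.
const trustedParse = JSON.parse;

// Defence 2: freeze the object holding the built-in so that later
// assignments are ignored (or throw, in strict mode).
function hardenBuiltins() {
  Object.freeze(JSON);
}

// Walk through the attack and both defences; returns what happened so
// the result can be inspected or asserted on. Run once: after it returns,
// JSON is frozen, so a second run could not install the hook at step 1.
function runScenario() {
  const sink = [];  // where the hypothetical injected script stashes copies
  const response = '{"user":"alice","sessionToken":"s3cr3t"}';  // constructed sample

  // 1. The injected script hooks the built-in.
  const original = installWrapper(JSON, 'parse', sink);

  // 2. Application code parses an Ajax response the usual way: leaked.
  const viaGlobal = JSON.parse(response);
  const leakedAfterGlobal = sink.length;

  // 3. Code that kept a private reference is unaffected by the hook.
  const viaTrusted = trustedParse(response);
  const leakedAfterTrusted = sink.length;

  // 4. Restore the real function, freeze JSON, and let the attacker retry.
  JSON.parse = original;
  hardenBuiltins();
  let rehookSucceeded;
  try {
    installWrapper(JSON, 'parse', sink);
    rehookSucceeded = JSON.parse !== original;  // sloppy mode: assignment silently ignored
  } catch (e) {
    rehookSucceeded = false;                     // strict mode: assignment throws TypeError
  }

  return {
    leakedAfterGlobal: leakedAfterGlobal,   // 1: the hook saw the token
    leakedAfterTrusted: leakedAfterTrusted, // still 1: the private reference bypassed it
    rehookSucceeded: rehookSucceeded,       // false: the frozen object resists the hook
    callersSeeSameData: viaGlobal.sessionToken === viaTrusted.sessionToken, // true
  };
}

const SCENARIO = runScenario();
console.log(SCENARIO);
```

Both defences depend on ordering: freezing JSON only helps if it happens before the attacker's script runs, and a private reference only protects the code that uses it. Neither rescues a page that has already executed attacker-controlled script before the defensive code loaded, which is why the paper's attacks are worth understanding rather than just patching around.&lt;br /&gt;&lt;br /&gt;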
To be honest, the attacks I've seen in the wild have not been this complex, but if we ever close the obvious holes we can expect that more subtle attacks would happen, and it's good to understand them in advance.&lt;br /&gt;&lt;br /&gt;The one downside to this paper is that it is clear that the authors are not native English speakers, and I'm sorry to admit that there were places where I found their use of language distracting.&lt;br /&gt;&lt;br /&gt;Overall, I'll have to recommend the paper, as it was recommended to me, but I have high hopes that &lt;a href="http://www.owasp.org/"&gt;owasp.org&lt;/a&gt; will produce easier-to-read documentation on Ajax-specific threats one of these days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-9109337983032633697?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/9109337983032633697/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=9109337983032633697' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/9109337983032633697'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/9109337983032633697'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/09/subverting-ajax.html' title='Subverting Ajax'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5200867039274105693</id><published>2010-05-11T11:47:00.011-04:00</published><updated>2010-05-11T13:04:52.020-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='games'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='network effect'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>Will privacy issues herald the end for Facebook?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/devnull/74392753/" title="escape! by dev null."&gt;&lt;img src="http://farm1.static.flickr.com/42/74392753_24ebc6b8ee_m.jpg" alt="escape! by dev null." style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/devnull/74392753/"&gt;escape!&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/devnull/"&gt;dev null&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;I've been seeing a lot of people talking about deleting their facebook accounts over the privacy issues.  At first, I chalked it up to my twitter contacts being more aware of security issues than average (I do follow a lot of security folk), but I'm starting to see retweets from outside my own network that imply a lot of people are jumping ship:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;@tonyakay: "I deleted my Facebook" is the new "I don't own a TV"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Which really probably sums it up.  
It's a bit pretentious and holier than thou to announce your lack of Facebook, and it's kind of a techno-elite status marker.  When &lt;a href="http://www.wired.com/epicenter/2010/05/facebook-rogue/"&gt;Wired called for an open alternative to Facebook&lt;/a&gt; I figured I was right on the money, and it was just a thing for tech nerds to do.&lt;br /&gt;&lt;br /&gt;But then I started seeing things like this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;@&lt;a href="http://twitter.com/thesixthbaron/status/13770276471"&gt;thesixthbaron&lt;/a&gt; Was told by a student this morning that not having a Facebook account is now cool. #abouttime&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="float: left; margin-right: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/hryckowian/3613029076/" title="The Great Escape by Hryck.."&gt;&lt;img src="http://farm4.static.flickr.com/3305/3613029076_63cd94a405_m.jpg" alt="The Great Escape by Hryck.." style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/hryckowian/3613029076/"&gt;The Great Escape&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/hryckowian/"&gt;Hryck.&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;Facebook's biggest strength is in the &lt;a href="http://en.wikipedia.org/wiki/Network_effect"&gt;network effect&lt;/a&gt;.  The more people you know who use Facebook, the more useful it becomes.  Everyone says, "Oh, I have to keep my account because $some_friend_or_family_group still uses it to communicate."  But if Facebook is starting to be uncool the way myspace became less cool, then there aren't going to be as many people worth keeping an account for.&lt;br /&gt;&lt;br /&gt;It's not just the people that keep users on Facebook.  No one says, "I'm too addicted to FarmVille to leave."  But I'm guessing that's an issue for some.  
However, it turns out &lt;a href="http://www.pehub.com/71157/is-the-facebook-ecosystem-falling-apart/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+pehub%2Fblog+%28PE+HUB+Blog%29"&gt;the games may be jumping ship too&lt;/a&gt;.  (And if you don't want to admit you're leaving because of the games, you're probably going to say the problem was privacy, because that's what the cool kids are saying.)&lt;br /&gt;&lt;br /&gt;So now you have fewer friends on Facebook, and you have fewer new games... will you stay, or will you find you're spending most of your time elsewhere and encouraging your friends to do the same?  People will keep their accounts in case Joe from highschool wants to chat, but they'll use them less and less.&lt;br /&gt;&lt;br /&gt;We're starting to see suggestions that the facebook ecosystem actually &lt;span style="font-style:italic;"&gt;could&lt;/span&gt; collapse, not just that some tech people wish it &lt;span style="font-style:italic;"&gt;would&lt;/span&gt;. &lt;br /&gt;&lt;br /&gt;&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/9619972@N08/2800637376/" title="Escape by just.Luc."&gt;&lt;img src="http://farm4.static.flickr.com/3296/2800637376_9bb5647e79_m.jpg" alt="Escape by just.Luc." style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/9619972@N08/2800637376/"&gt;Escape&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/@N08/2800637376/"&gt;just.Luc&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;a href="http://www.thestar.com/news/canada/article/667700"&gt;Privacy is a big deal&lt;/a&gt; and &lt;a href="http://www.gmanews.tv/story/188944/10-countries-raise-privacy-issues-over-google-buzz"&gt;countries are starting to care&lt;/a&gt;.  
Those are big players, but a mass exodus of actual users now shows that it's more than a few policy-makers and the techno-elite who care: privacy may actually be a selling point for future social networks because it seems that the market is demanding it.&lt;br /&gt;&lt;br /&gt;The question for Facebook is "at what point will enough people leave?" and the answer right now may be, "when they have somewhere else to go."  And that next big thing may have to provide some pretty strong privacy guarantees to woo over enough audience.  Is it possible?  Yes.  Will it happen?  That remains to be seen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5200867039274105693?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5200867039274105693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5200867039274105693' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5200867039274105693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5200867039274105693'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/05/will-privacy-issues-herald-end-for.html' title='Will privacy issues herald the end for Facebook?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://farm1.static.flickr.com/42/74392753_24ebc6b8ee_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5929369835241620144</id><published>2010-05-10T10:00:00.007-04:00</published><updated>2010-05-10T10:00:06.727-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='buzzwords'/><category scheme='http://www.blogger.com/atom/ns#' term='ads'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='advertising social contract'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>The advertising social contract vs malvertisements: how can online advertisers earn your eyes?</title><content type='html'>I'd like to draw three related things to your attention.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;First&lt;/strong&gt;: &lt;a href="http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/"&gt;Avast released a study on malicious advertisements in February&lt;/a&gt;, and the media's had some fun &lt;a href="http://news.cnet.com/8301-27080_3-20000898-245.html?tag=newsLeadStoriesArea.1"&gt;reporting on "malvertising"&lt;/a&gt; while seasoned professionals tried not to roll their eyes at &lt;a href="http://webinsecurity.blogspot.com/2008/10/what-constitutes-new-why-buzzword-bingo.html"&gt;yet another buzzword&lt;/a&gt;.  (Tired of &lt;a href="http://isc.sans.org/diary.html?storyid=3727"&gt;malvertising&lt;/a&gt;?  
Try "badvertisements!") Malvertising is one way legitimate sites get hosed: estimates say 75% of sites serving malicious code are legitimate sites that got compromised.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Second&lt;/strong&gt;: Back in March, Ars Technica posted a rant, "&lt;a href="http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars"&gt;Why Ad Blocking is devastating to the sites you love&lt;/a&gt;."  They felt ad blocking was cutting into their revenue and asked readers not to do it.  (Note that this argument spawned &lt;a href="http://techdirt.com/articles/20100306/1649198451.shtml"&gt;rebuttals&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Third&lt;/strong&gt;: I went to a talk by Terry O'Reilly and Mike Tennant, as part of their book tour for &lt;a href="http://www.amazon.ca/Age-Persuasion-How-Marketing-Culture/dp/0307397319"&gt;The Age of Persuasion: How Marketing Ate Our Culture&lt;/a&gt;.  (I recommend &lt;a href="http://www.cbc.ca/ageofpersuasion/"&gt;their radio show&lt;/a&gt;.) Among the things they talked about was the advertising social contract: in exchange for your attention, advertisers give you something in return.  TV advertisements subsidize programming, so they're honouring the contract.  Billboards don't really give anything back to the consumer, so they're breaking it.&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;So here's where we put it all together:&lt;br /&gt;&lt;br /&gt;Using ad blockers breaks a social contract with advertisers: namely, you get free stuff (content) in exchange for those eyes.  If you're taking without exposure to the advertisements, you're "stealing."&lt;br /&gt;&lt;br /&gt;But advertisers are breaking the contract in even worse ways with malvertising: they're effectively stealing from viewers.  It might not be intentional, but it's probably the equivalent of having advertisements on the TV that blare so loud that they cause hearing damage.  
Could you blame people for turning those off?&lt;br /&gt;&lt;br /&gt;Ad blockers do more than keep you from seeing advertisements: they may actually make you safer, since an ad that never loads can't deliver a malvertisement either.&lt;br /&gt;&lt;br /&gt;So what to do?  The advertisers can try to woo people away from ad blockers by giving more.  Terry O'Reilly and Mike Tennant talked about how they like to make their ads funny: so you're giving more in terms of entertainment.  What can advertisers do to give back when it comes to security and privacy?  &lt;br /&gt;&lt;br /&gt;One answer I've seen on that front comes from a surprising source: Facebook.  Facebook isn't known for getting privacy right at all, but they are doing their darnedest to put a nice spin on their privacy violations.  Sure, maybe you didn't want to share with those Facebook Connect apps... but isn't it awfully convenient how other sites already know your preferences?&lt;br /&gt;&lt;br /&gt;Unfortunately, I (and many others) don't WANT creepy customization.  So in the end what they're trying to do doesn't really help with their end of the social contract at all.  For many people it may even hurt.  Let's just hope that later attempts are a little more generous on their side of the bargain.  &lt;br /&gt;&lt;br /&gt;You know who did it better?  Burger King.  Their &lt;a href="http://bits.blogs.nytimes.com/2009/01/15/whopper-sacrifice-de-friended-on-facebook/"&gt;Whopper Sacrifice, where you defriended 10 people for a Whopper,&lt;/a&gt; was quite the hit.  In exchange for ditching your friends and giving up some privacy, you could get a free burger.  And lots of people did.&lt;br /&gt;&lt;br /&gt;I'm not sure I'd give up more privacy and security for a burger, but I'm curious to see how the more creative advertising folk handle this challenge.  
If users become more aware of malicious advertising, will it even be possible to overcome this challenge and still use banner advertisements, or will we be seeing advertising in new ways?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5929369835241620144?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5929369835241620144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5929369835241620144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5929369835241620144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5929369835241620144'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/04/advertising-social-contract-vs.html' title='The advertising social contract vs malvertisements: how can online advertisers earn your eyes?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-1891759407593249624</id><published>2010-05-08T10:00:00.002-04:00</published><updated>2010-05-08T12:20:16.917-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='sexting'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category 
scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>Why Facebook is like your psycho ex</title><content type='html'>&lt;div style="float: left; margin-right: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/terrio/4588140032/" title="Matt McKeon's &amp;quot;The Evolution of Privacy on Facebook&amp;quot; infographic as a timeline"&gt;&lt;img src="http://farm5.static.flickr.com/4046/4588140032_d423bb60d1.jpg" alt="Matt McKeon's &amp;quot;The Evolution of Privacy on Facebook&amp;quot; infographic as a timeline" style="border: none" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;/div&gt;There have been lots of really interesting articles about the privacy changes in Facebook.  My personal favourite is &lt;a href="http://mattmckeon.com/facebook-privacy/"&gt;Matt McKeon's excellent infographic showing your (private) data spreading out further and further&lt;/a&gt;.  (See left for mini version.)&lt;br /&gt;&lt;br /&gt;The thing that I don't quite get is how upset everyone seems to be about this.  &lt;br /&gt;&lt;br /&gt;No, hear me out.  I'm not just being a smug security researcher.&lt;br /&gt;&lt;br /&gt;I caught the 6 o'clock news on TV a few weeks ago, and tried in vain not to laugh during the segment on THE DANGERS OF TEEN SEXTING.  Basically, for those of you who haven't heard, sexting is the practice of sending sexually-charged text messages and photos.  According to the news segment, it is a plague upon our youth, who are too foolish to realize that those naked pictures they sent to their significant others might eventually wind up on The Internet.  
The segment was so over-the-top that it was begging to be parodied by some comedy group, but the take home message wasn't wrong: anything you send can be shared, so don't send stuff you don't want shared.&lt;br /&gt;&lt;br /&gt;So, when we're seeing news where smug adults talk about how teenagers don't know any better about protecting their data (or at least their naked breasts) from public scrutiny, I'm not really sure how adults can justify being horrified and shocked that their Facebook data isn't as private as they thought it was.  Tell your children not to record anything they don't want available for all time, but OMG FACEBOOK IS SHARING MY DATA?!!!&lt;br /&gt;&lt;br /&gt;I hope teenagers everywhere are laughing.&lt;br /&gt;&lt;br /&gt;So here's what I recommend: Treat web sites much like you would potential ex-boyfriends or ex-girlfriends.  You may &lt;em&gt;want&lt;/em&gt; to trust them now, but you can never be sure when they might go psycho and write your number in bathroom stalls and share your naked pictures with the Internet.   It is, of course, safest to never share anything... but we're not wired that way.  People like sharing!  It'd be a bit of a lonely life if you never shared anything, and nowadays sharing includes sharing online.  &lt;br /&gt;&lt;br /&gt;But websites are about as trustworthy as the worst psycho ex: you never know when policies will change, the website will get bought out by someone who has different policies and now controls your data, or someone will exploit a security hole in the website. At least ex-friends aren't usually bought by megacorps who profit from selling all their mementos of your relationship.  And probably, unlike websites, 64% of your friends don't have a security flaw. 
&lt;br /&gt;&lt;br /&gt;My sister has a funny story about doing a security check for a previous job that went something like this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The guy who was doing my clearance was old enough to have children my age, and I sort of think he might have because he was getting increasingly uncomfortable about the questions he had to ask me.  When he got down to ones like, "have you ever had a threesome?" he reminded me that, "you don't have to tell me if you aren't embarrassed about it.  We only care if you can be blackmailed.  If you're not embarrassed, it doesn't matter."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So there you have it: As long as you're not embarrassed by the stuff you share online, it doesn't matter if it gets out.  &lt;br /&gt;&lt;br /&gt;Or if you prefer dramatic news segment style: SHARE BUT BEWARE. ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-1891759407593249624?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/1891759407593249624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=1891759407593249624' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1891759407593249624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/1891759407593249624'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/05/why-facebook-is-like-your-psycho-ex.html' title='Why Facebook is like your psycho ex'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4046/4588140032_d423bb60d1_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6034559601130929364</id><published>2010-02-17T14:53:00.009-05:00</published><updated>2010-02-17T15:39:32.481-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='physical security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>How Foursquare can help people steal your stuff.  PS - Want to buy some privacy insurance?</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/daveknapik/3662787293/" title="Thief by daveknapik."&gt;&lt;img src="http://farm4.static.flickr.com/3372/3662787293_6d4457026d_m.jpg" alt="Thief by daveknapik." style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/daveknapik/3662787293/"&gt;Thief by daveknapik.&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/daveknapik/"&gt;daveknapik&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;When I first got access to the Internet, my parents were quite paranoid about me talking about when we'd be going on vacation, and when people weren't home.  I'm not sure if they're still paranoid about it, but I admit I think about their concerns every time I mention that I'm in another city on Twitter.  
&lt;br /&gt;&lt;br /&gt;However, I've never seen anyone get that point across so nicely as &lt;a href="http://pleaserobme.com/"&gt;pleaserobme.com&lt;/a&gt;, which uses Foursquare and Twitter to build a nice list of people who aren't home right now.  Combine that with a little extra observation to find out where their homes are, and I bet you'll also find a wealth of other information about the things they own that are worth stealing.  Handy for all your thieving needs!&lt;br /&gt;&lt;br /&gt;I wonder how many people will rethink using Foursquare after seeing this.  I'm guessing not actually that many, though.  Just like Facebook, a few people will be appalled, but more will be thinking "eh, that'll never happen to me."  My supervisor asserts that people will only really care about privacy when someone from Google goes completely bonkers and uses the information at their disposal to kill someone.  But I am not sure even that would be enough: they're already &lt;a href="http://geekfeminism.org/2010/02/11/who-you-speak-to-and-where-you-are-why-it-matters/"&gt;risking people's safety with gaffes in new products&lt;/a&gt;, and while that gets people upset, I know I haven't closed my Google accounts or turned off the phone that's transmitting my location data to them all the time...&lt;br /&gt;&lt;br /&gt;Mind you, I know &lt;a href="http://webinsecurity.blogspot.com/2008/11/physical-key-security-highlights-from.html"&gt;how easy it is to break into my house&lt;/a&gt; and I haven't upgraded my locks either, just bought insurance and backed up my digital assets off-site.  I know how &lt;a href="http://webinsecurity.blogspot.com/2010/02/credit-card-security-mechanisms-turn.html"&gt;insecure my credit card is&lt;/a&gt;, yet I'm counting on the law to keep me from being liable if it's abused.  
And you can buy insurance on top of that for identity theft.&lt;br /&gt;&lt;br /&gt;So sure, I'm happy to hear that &lt;a href="http://www.priv.gc.ca/media/nr-c/2010/nr-c_100217_e.cfm"&gt;the Canadian privacy commission wants to know more about Google Buzz&lt;/a&gt;. But what I'm really wondering is how to sell insurance for privacy.  I'd make a killing in this market!&lt;br /&gt;&lt;br /&gt;(Addendum: If only I could figure out how to make that work...  Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?)&lt;br /&gt;&lt;br clear="all" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6034559601130929364?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6034559601130929364/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6034559601130929364' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6034559601130929364'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6034559601130929364'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/02/foursquare-for-thieves-and-privacy.html' title='How Foursquare can help people steal your stuff.  
PS - Want to buy some privacy insurance?'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3372/3662787293_6d4457026d_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7154754515615615953</id><published>2010-02-10T23:27:00.005-05:00</published><updated>2010-02-10T23:36:03.047-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='banking'/><title type='text'>Bank being sued for teaching customers bad security habits</title><content type='html'>After mentioning in &lt;a href="http://webinsecurity.blogspot.com/2010/02/credit-card-security-mechanisms-turn.html"&gt;a previous post&lt;/a&gt; that banks are now suing customers who get robbed, here's a lawsuit going the other way:  &lt;a href="http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/"&gt;Comerica Phish Foiled 2-Factor Protection&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The short version is that the bank regularly sent customers emails where they were required to click a link and then enter their password on that site in order to update a security certificate.  
Unfortunately, priming people to do this also makes them easy marks for phishing attacks which often... have users click a link to go somewhere that looks like their bank site, then enter their password.  Awkward.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/"&gt;Read the details here&lt;/a&gt; (or scroll down on that site to see the lawsuit and initial response from the bank).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7154754515615615953?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7154754515615615953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7154754515615615953' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7154754515615615953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7154754515615615953'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/02/bank-being-sued-for-teaching-customers.html' title='Bank being sued for teaching customers bad security habits'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4748023318297455600</id><published>2010-02-08T11:32:00.007-05:00</published><updated>2010-02-17T15:37:44.750-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='banking'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><category scheme='http://www.blogger.com/atom/ns#' term='wtf'/><title type='text'>Amex thinks shorter passwords without special characters are more secure</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/thetruthabout/2923945153/in/set-72157606174096141/" title="slash by TheTruthAbout...."&gt;&lt;img src="http://farm4.static.flickr.com/3047/2923945153_ff0b8ffea9_m.jpg" alt="slash by TheTruthAbout...." style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/thetruthabout/2923945153/in/set-72157606174096141/"&gt;slash&lt;/a&gt; &lt;br /&gt;by &lt;a href="http://www.flickr.com/photos/thetruthabout/in/set-72157606174096141/"&gt;TheTruthAbout...&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;I was working on a background section of my thesis proposal and was talking about how some misconceptions regarding security policies can result in web sites being a lot less secure.  But American Express takes security misconceptions to a new low:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. 
We discourage the use of special characters because hacking softwares can recognize them very easily.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;And it gets worse!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed”.&lt;br /&gt;&lt;br /&gt;Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Uh, no guys.  Just no.  The 128-bit encryption protects the password on the wire; it does nothing against someone guessing it, and capping passwords at eight letters only shrinks the space a guesser has to search.&lt;br /&gt;&lt;br /&gt;Also, the former magazine editor in me is going, "softwares?  softwares?!" but that's another problem entirely.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://trn.n0t.net/post/374883143/i-wish-that-i-could-use-a-stronger-password-for"&gt;Read the rest of what American Express said and see the screenshot here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4748023318297455600?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4748023318297455600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4748023318297455600' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4748023318297455600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4748023318297455600'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/02/amex-thinks-shorter-passwords-without.html' title='Amex thinks shorter passwords without special characters are more secure'/><author><name>Terri 
Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3047/2923945153_ff0b8ffea9_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6287651458760680231</id><published>2010-02-06T12:10:00.001-05:00</published><updated>2010-02-06T12:10:00.204-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cute'/><category scheme='http://www.blogger.com/atom/ns#' term='sql injection'/><category scheme='http://www.blogger.com/atom/ns#' term='barcode'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><title type='text'>Barcodes for breaches</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;img src="http://qrcode.kaywa.com/img.php?s=8&amp;amp;d=%3Cscript%3Ealert%28%22test%22%29%3C%2Fscript%3E" alt="qrcode" title="&amp;lt;script&amp;gt;alert('test')&amp;lt;/script&amp;gt;" align="right" /&gt;&lt;br /&gt;&lt;span style="margin-top: 0px;font-size:0.9em;" &gt;&lt;br /&gt;Barcode: &amp;lt;script&amp;gt;alert("test")&amp;lt;/script&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;I'm highly amused by the &lt;a href="http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php"&gt;XSS, SQL Injection and Fuzzing Barcode Cheat Sheet&lt;/a&gt;.  Who knew security attacks could look almost... pretty?  It's just standard XSS and SQL injection test strings encoded as barcodes, so they can be used as injection vectors.  The barcode itself does nothing; the trouble starts when the scanning application, or the database behind it, treats the decoded text as trusted input and drops it into a web page or a query unescaped.  
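&lt;br /&gt;&lt;br /&gt;As an added example (mine, not code from the original post or from the Irongeek cheat sheet), here is a small Python inventory lookup that takes the text decoded from a scanned barcode, first handled the naive way and then hardened by validating the code format, binding it as a query parameter and HTML-escaping it before display.  The SQLite table, the sample rows, the digits-only product-code rule and the two payloads are all constructed for the demonstration; angle brackets in the payload and in the rendered HTML are spelled as \x3c and \x3e hex escapes.&lt;br /&gt;&lt;br /&gt;

```python
# Added example: a barcode scanner's backend treating decoded text as untrusted.
# Not code from the original post or from the Irongeek cheat sheet it links to.
# Table, rows, the digits-only product-code rule and the payloads are constructed.
import html
import sqlite3

# Constructed sample inventory (a real scanner app would have its own schema).
SAMPLE_ROWS = [
    ("0123456789012", "Widget, blue", 4),
    ("9876543210987", "Gadget, red", 0),
]

# Constructed payloads of the kind the cheat sheet encodes into barcodes.
# \x3c and \x3e are the angle brackets, spelled as hex escapes.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = '\x3cscript\x3ealert("test")\x3c/script\x3e'


def make_db():
    """In-memory SQLite database holding the constructed inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (code TEXT PRIMARY KEY, name TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, scanned):
    """Naive handler: the decoded barcode text is spliced straight into SQL."""
    sql = "SELECT code, name, qty FROM items WHERE code = '" + scanned + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, scanned):
    """Hardened handler: reject anything that is not a plausible product code,
    then bind the value as a parameter so it can never change the query."""
    if not (scanned.isdigit() and len(scanned) in range(8, 15)):
        return []
    sql = "SELECT code, name, qty FROM items WHERE code = ?"
    return conn.execute(sql, (scanned,)).fetchall()


def render_vulnerable(scanned, rows):
    """Naive rendering: decoded barcode text is interpolated into HTML as-is."""
    return "\x3cp\x3eScanned: " + scanned + " (" + str(len(rows)) + " hits)\x3c/p\x3e"


def render_hardened(scanned, rows):
    """Hardened rendering: the untrusted text is HTML-escaped first."""
    safe = html.escape(scanned, quote=True)
    return "\x3cp\x3eScanned: " + safe + " (" + str(len(rows)) + " hits)\x3c/p\x3e"


def demo():
    """Run both handlers over a legitimate code and the two payloads;
    returns, per scanned string, row counts and rendered HTML for each path."""
    conn = make_db()
    results = {}
    for scanned in ("0123456789012", SQLI_PAYLOAD, XSS_PAYLOAD):
        vuln_rows = lookup_vulnerable(conn, scanned)
        hard_rows = lookup_hardened(conn, scanned)
        results[scanned] = {
            "vulnerable_rows": len(vuln_rows),
            "hardened_rows": len(hard_rows),
            "vulnerable_html": render_vulnerable(scanned, vuln_rows),
            "hardened_html": render_hardened(scanned, hard_rows),
        }
    conn.close()
    return results


if __name__ == "__main__":
    for scanned, outcome in demo().items():
        print(repr(scanned), outcome)
```

&lt;br /&gt;&lt;br /&gt;Running demo() shows the tautology payload returning every row from the naive query and nothing from the hardened one, and the script payload reaching the page intact from the naive renderer while the hardened renderer emits only escaped text.  The validation step matters as much as the parameter binding: a barcode that decodes to anything but a plausible product code has no business reaching the database at all.&lt;br /&gt;&lt;br /&gt;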
I know I've scanned codes to grab an app I want faster on my phone, and I'm seeing codes popping up in the free daily papers, which I find somewhat interesting given that &lt;a href="http://en.wikipedia.org/wiki/CueCat#Embodiment_failure"&gt;early attempts to get people to use barcodes have met with commercial failure and ridicule&lt;/a&gt;.  Oh well, it's all ok now that we have smartphones, right?&lt;br /&gt;&lt;br /&gt;Anyhow.  This is still an entertaining attack vector.  Maybe &lt;a href="http://diveintomark.org/archives/2010/01/29/tinkerers-sunset"&gt;governments (such as my own!) will ban bar codes as hacking tools next&lt;/a&gt;?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6287651458760680231?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6287651458760680231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6287651458760680231' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6287651458760680231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6287651458760680231'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/02/barcodes-for-breaches.html' title='Barcodes for breaches'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5263722238677693096</id><published>2010-02-05T11:07:00.006-05:00</published><updated>2010-05-08T13:34:13.817-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='banking'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>Credit card companies covering their asse(t)s</title><content type='html'>Exactly whose security does your credit card company have in mind?  Here's a hint: It's probably not yours.&lt;br /&gt;&lt;br /&gt;I often use Mastercard SecureCode as an example of a usability failure in online security: in order to order plane tickets where SecureCode is used, I found I had to disable many of the browser security measures I have in place for regular browsing.  So, that time when I'm making an expensive transaction is thus the time when I'm at most risk... Not exactly trust-inspiring, is it?&lt;br /&gt;&lt;br /&gt;But Steven J. Murdoch and Ross Anderson of Cambridge do more than just complain about "Verified by VISA" and "MasterCard SecureCode."  They &lt;a href="http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/?utm_source=twitterfeed&amp;utm_medium=twitter"&gt;presented a detailed analysis of the '3-D Secure' card protocol&lt;/a&gt;.  Check out the abstract:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Abstract. Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. 
This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge. &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So, basically, 3-D Secure provides economic security rather than technical security -- but not for you, the customer.  It's providing extra security for the banks by passing the buck.  &lt;br /&gt;&lt;br /&gt;This is hardly the only way in which the banks protect themselves above the consumer.  Take a look at &lt;a href="http://www.ccsl.carleton.ca/paper-archive/mannan-nspw07.pdf"&gt;Security and Usability: The Gap in Real-World Online Banking&lt;/a&gt; for some fascinating insight into what your bank thinks you should do to be secure online, and how few people do these things in practice.  
And this is especially worrisome now that, as Mannan anticipated in that paper in 2007, &lt;a href="http://www.krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/"&gt;banks have started suing their customers when breaches occur&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I'll be really curious to see if this paper about 3-D Secure manages to make changes in industry or government legislation.  Amusingly, this paper about how insecure they are makes me feel more secure -- at least if a bank sues me because someone's stolen my money, I'll have more evidence to claim in court that the bank wasn't trying hard enough to protect me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5263722238677693096?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5263722238677693096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5263722238677693096' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5263722238677693096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5263722238677693096'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2010/02/credit-card-security-mechanisms-turn.html' title='Credit card companies covering their asse(t)s'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2500134932430455003</id><published>2009-04-01T14:15:00.003-04:00</published><updated>2010-05-08T13:33:27.603-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>My favourite story of today (April First)</title><content type='html'>From Netcraft: &lt;a href="http://news.netcraft.com/archives/2009/04/01/deluge_of_browser_security_issues_drives_mass_migration.html"&gt;Deluge of Browser Security Issues Drives Mass Migration&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Financial institutions have noted that the Lynx browser is particularly suitable for online banking, as it supports the &lt;a href="http://tools.ietf.org/html/rfc3514"&gt;latest  cryptographic ciphers&lt;/a&gt; used in ecommerce, and is immune to attacks via JavaScript, Flash and other multimedia content. 
Lynx's algorithms for dealing with such threats are so comprehensive, it is just as safe as if the multimedia content was not there.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;[&lt;a href="http://news.netcraft.com/archives/2009/04/01/deluge_of_browser_security_issues_drives_mass_migration.html"&gt;Read More&lt;/a&gt;]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2500134932430455003?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2500134932430455003/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2500134932430455003' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2500134932430455003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2500134932430455003'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2009/04/my-favourite-story-of-today.html' title='My favourite story of today (April First)'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4647969029099475034</id><published>2008-12-09T21:42:00.003-05:00</published><updated>2008-12-09T21:52:39.930-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCS'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><category 
scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>Spamalytics Show Spam Doesn't Pay</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/cursedthing/899415086/" title="photo sharing"&gt;&lt;img src="http://farm2.static.flickr.com/1434/899415086_654b2378b9_m.jpg" alt="" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;a href="http://www.flickr.com/photos/cursedthing/899415086/"&gt;SPAM!&lt;/a&gt;&lt;br /&gt;Originally uploaded by &lt;a href="http://www.flickr.com/people/cursedthing/"&gt;cursedthing&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;This is the second in my &lt;a href="http://webinsecurity.blogspot.com/search/label/CCS"&gt;series of posts&lt;/a&gt; about talks I enjoyed at &lt;a href="http://www.sigsac.org/ccs/CCS2008/"&gt;ACM CCS&lt;/a&gt;.  The first was &lt;a href="http://webinsecurity.blogspot.com/2008/11/physical-key-security-highlights-from.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As some of you may know, my master's thesis involved creation of a spam-detector based on the workings of the human immune system.  Forgoing modesty, I'll say that &lt;a href="http://terri.zone12.com/doc/academic/crossroads/"&gt;my system&lt;/a&gt; was pretty cool (I even got &lt;a href="http://slashdot.org/"&gt;slashdotted&lt;/a&gt;) but I couldn't see myself doing spam research forever -- there's only so many times you really want to stand up in front of a room full of academics and try not to make viagra jokes. &lt;br /&gt;&lt;br /&gt;I digress.  
But when I saw the paper entitled "&lt;a href="http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf"&gt;Spamalytics: An Empirical Analysis of Spam Marketing Conversion&lt;/a&gt;" on the program, I knew which track to choose for that session.&lt;br /&gt;&lt;br /&gt;They wanted to get some numbers showing click-through rates on spam, to see how much money spammers really &lt;span style="font-style:italic;"&gt;are&lt;/span&gt; making nowadays, and how many people were seeing those emails.  Obviously, the spam kings aren't inclined to be cooperative on this front, so they had to get creative.  How they got the numbers is somewhat interesting in and of itself:  They broke in to the Storm botnet and subverted some Storm controllers so a number of the bots would send out spam altered to use links they could track.  The text for these email advertising campaigns remained the same; they only changed the links.&lt;br /&gt;&lt;br /&gt;The question did come up as to whether this was ethical, as the test did involve unwitting human subjects, but they asserted that these people would have gotten the spam anyhow, and at least their links were malware-free.&lt;br /&gt;&lt;br /&gt;Three campaigns were chosen as the focus of their study: one was a standard pharmaceutical campaign.  I'm sure you're all familiar with those.  The second and third were postcard and April fools' messages designed to infect more computers with the botnet software.  
Self-propagation for Storm.&lt;br /&gt;&lt;br /&gt;I highly recommend you &lt;a href="http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf"&gt;check out their paper for the detailed results&lt;/a&gt;, but the things I found most interesting were as follows:&lt;br /&gt;&lt;br /&gt;(1) Very little mail actually got through to the recipients.&lt;br /&gt;&lt;br /&gt;Using dummy addresses on popular webmail servers and an email hidden behind the popular Barracuda spam-filtering appliance, they found that less than 0.005% of mail got through in most cases.  Messages were either dumped into a spam folder, or 75% of messages appeared to be dropped by the servers before delivery was even completed.  This is likely due to blacklisting at the server level. &lt;br /&gt;&lt;br /&gt;(2) Very few users visited the sites in question&lt;br /&gt;&lt;br /&gt;(3) Some people did "infect" themselves by clicking the postcard/april fools site&lt;br /&gt;&lt;br /&gt;(4) Many fewer people ordered pharmaceuticals.  In fact, so few people did that it's unlikely that the campaign could have made money!&lt;br /&gt;&lt;br /&gt;The final conclusion was really the most fascinating one: they gauge it as highly unlikely that the pharmacy site could have made any money given the costs of renting the botnet to send spam.  In fact, they guess that spam sending would have to be 20 times cheaper for the pharmacy site to make a profit!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Could it be that spam doesn't pay?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The authors suggest that the pharmaceutical spams must be sent by the owners of the botnets (who thus wouldn't have to pay the rental cost), but I propose an alternate theory: that the only people making money from spam are the people who get paid to run the botnets.  Those renting don't know that they won't make money, and the botnet owners sure aren't going to tell them.  
No, they'll just keep sending low-profit spam to keep up illusions that there are fantastic profits to be made (otherwise why would people send them, right?).  &lt;br /&gt;&lt;br /&gt;Maybe if I'm lucky, I'm right, and eventually the would-be spam senders will notice and stop paying exorbitant prices for botnets.  But I'm afraid I don't hold out too much hope.  Still, a very interesting paper, with some very interesting results!&lt;br clear="all" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4647969029099475034?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4647969029099475034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4647969029099475034' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4647969029099475034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4647969029099475034'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/12/spamalytics-empirical-analysis-of-spam_09.html' title='Spamalytics Show Spam Doesn&apos;t Pay'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm2.static.flickr.com/1434/899415086_654b2378b9_t.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7493619220382199839</id><published>2008-12-08T22:06:00.001-05:00</published><updated>2008-12-08T22:07:57.583-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='meta'/><title type='text'>Web Insecurity.net</title><content type='html'>&lt;a href="http://webinsecurity.net/"&gt;Web Insecurity.net&lt;/a&gt; just got a facelift!&lt;br /&gt;&lt;br /&gt;Hope you like the new design.  There's a few quirks to be ironed out with the blogger template, but things are definitely looking shiny and new over here!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7493619220382199839?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7493619220382199839/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7493619220382199839' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7493619220382199839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7493619220382199839'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/12/web-insecuritynet_08.html' title='Web Insecurity.net'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2503878395807305531</id><published>2008-11-27T12:57:00.003-05:00</published><updated>2008-11-27T13:23:47.503-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCS'/><category scheme='http://www.blogger.com/atom/ns#' term='physical security'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><title type='text'>Physical key security (highlights from ACM CCS)</title><content type='html'>&lt;div style="float: right; margin-left: 10px; margin-bottom: 10px;"&gt;&lt;a href="http://www.flickr.com/photos/purplbutrfly/2489882458/" title="photo sharing"&gt;&lt;img src="http://farm4.static.flickr.com/3225/2489882458_863681ae7e_m.jpg" alt="" style="border: solid 2px #000000;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size: 0.9em; margin-top: 0px;"&gt;&lt;a href="http://www.flickr.com/photos/purplbutrfly/2489882458/"&gt;do not forget the key&lt;/a&gt;&lt;br /&gt;Originally uploaded by &lt;a href="http://www.flickr.com/people/purplbutrfly/"&gt;purplbutrfly&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;I &lt;a href="http://webinsecurity.blogspot.com/2008/10/im-off-to-present-at-acm-ccs-next-week.html"&gt;recently attended&lt;/a&gt; the security conference &lt;a href="http://www.sigsac.org/ccs/CCS2008/"&gt;ACM CCS&lt;/a&gt;, and I wanted to share some of the talks I really enjoyed at the conference.  Many of these are a little outside the scope of web security, but I think you'll find them interesting too!&lt;br /&gt;&lt;br /&gt;Today's post is about the paper &lt;a href="http://vision.ucsd.edu/~blaxton/sneakey.html"&gt;Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding&lt;/a&gt; by Benjamin Laxton, Kai Wang and Stefan Savage at the University of California, San Diego.  
This one was almost out of scope even for the conference (which is Computer and Communications Security) because it focused on physical security, and the computer was only involved as a tool to break it.&lt;br /&gt;&lt;br /&gt;Mechanical locks and keys are a staple of physical security.  A basic key is a piece of metal with notches along one side.  When pushed into a lock, the key moves a set of tumblers inside the lock so that the whole thing can be turned, allowing the door (or whatever) to be opened.  The thing to note about keys, in this case, is that for a given key manufacturer, those notches only have a set number of possible depths, and there are only a set number of notches.  The whole key can be represented as a string of numbers showing the notches.&lt;br /&gt;&lt;br /&gt;So what they did, is they built a system that could take a picture of a key and produce that string of numbers.  Once you have that string, you can enter it into a key-cutting machine, and voila, you have a copy of that key.  (In fact, some keys they showed actually had this number written on the key for easy duplication in case it was lost!)  &lt;br /&gt;&lt;br /&gt;The thing that was perhaps a little disturbing is how easily they could do this.  They could duplicate a key from all sorts of photos, with keys at all sorts of angles. They showed a lot of &lt;a href="http://flickr.com/search/?w=all&amp;q=key&amp;m=text"&gt;online photos of people's keys&lt;/a&gt; and mentioned the popular "&lt;a href="http://flickr.com/photos/tags/keys/clusters/wallet-bag-ipod/"&gt;what's in your bag?&lt;/a&gt;" meme.  Their web searches found &lt;span style="font-style:italic;"&gt;many&lt;/span&gt; keys that their system could decode and duplicate... often people even gave the address that went with the keys!&lt;br /&gt;&lt;br /&gt;Then they got into stuff that really seemed to come out of a spy movie.  
With a bird spotting scope and a digital camera, they started taking pictures of keys that were further and further away... at 35 feet they could duplicate the key every time.  At 65 feet, it took two guesses before they could get all keys.  At 100 feet, still only three guesses were necessary.  And then they climbed onto the roof of one of the university buildings and took a picture of a set of keys 195 feet away on a table below, and still managed to decode one of them correctly.  James Bond apparently could use some modern academic research!&lt;br /&gt;&lt;br /&gt;The take-home message here?  If you want to keep things physically secure, you'd better make sure no one sees the keys!  For more information, &lt;a href="http://vision.ucsd.edu/~blaxton/sneakey.html"&gt;check out the complete paper&lt;/a&gt;.&lt;br clear="all" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2503878395807305531?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2503878395807305531/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2503878395807305531' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2503878395807305531'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2503878395807305531'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/11/physical-key-security-highlights-from.html' title='Physical key security (highlights from ACM CCS)'/><author><name>Terri Oda</name><uri>http://www.blogger.com/profile/10462169521890966235</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_xCdp5sQN5lk/SRiWuPhWQpI/AAAAAAAAAAM/cEf8g-oQ-L0/s1600-R/2832055820_8e8128b29f_m.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3225/2489882458_863681ae7e_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5537530552866424028</id><published>2008-10-27T01:11:00.006-04:00</published><updated>2008-11-27T13:05:45.297-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='CCS'/><category scheme='http://www.blogger.com/atom/ns#' term='academia'/><category scheme='http://www.blogger.com/atom/ns#' term='SOMA'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>SOMA at ACM CCS</title><content type='html'>I'm off to present at &lt;a href="http://www.sigsac.org/ccs/CCS2008/"&gt;ACM CCS&lt;/a&gt; this week.   We're talking about &lt;a href="http://ccsl.carleton.ca/software/soma"&gt;our simple web security solution, SOMA&lt;/a&gt;.  It's a pretty neat little system -- turns out a handful of simple rules can be used to block a lot of current web attacks.  &lt;br /&gt;&lt;br /&gt;We call it "Same Origin Mutual Approval" because the idea is that all servers involved in making a web page all have to approve before anything gets loaded or included in the page.  This means the site providing the page as well as any sites providing content (eg: youtube, flickr...) have to agree that that's ok.  
It's very simplistic, but surprisingly powerful because a lot of web attacks rely on the fact that the browser currently includes anything without checking, letting attackers include nasty code or send information out by loading other content.&lt;br /&gt;&lt;br /&gt;I'm hoping to have my presentation slides online after the conference is done, but for now, I recommend you take a look at the &lt;a href="http://ccsl.carleton.ca/software/soma"&gt;SOMA webpage&lt;/a&gt;.  There's a brief explanation along with links to our technical report, and the ACM CCS paper should be available soon too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5537530552866424028?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5537530552866424028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5537530552866424028' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5537530552866424028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5537530552866424028'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/10/im-off-to-present-at-acm-ccs-next-week.html' title='SOMA at ACM CCS'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6460794182546654038</id><published>2008-10-15T18:58:00.012-04:00</published><updated>2008-11-27T13:01:57.539-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='buzzwords'/><category scheme='http://www.blogger.com/atom/ns#' term='clickjacking'/><category scheme='http://www.blogger.com/atom/ns#' term='communication'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>What constitutes new?  Why buzzword bingo might help security.</title><content type='html'>Last week, I was reading through the &lt;a href="http://www.webappsec.org/lists/websecurity/"&gt;web security mailing list&lt;/a&gt;. The topic of the day was &lt;a href="http://www.securityfocus.com/news/11535?ref=rss"&gt;ClickJacking&lt;/a&gt;, which of course had come under fire because it's not really that new.  Critics accused it of being just another useless trendy buzzword applied to a specific style of Cross Site Request Forgery.&lt;br /&gt;&lt;br /&gt;This caught my attention for two reasons:&lt;br /&gt;&lt;br /&gt;(a) This was my first reaction to the announcement.  I'd talked about this sort of attack with colleagues at the university months (maybe over a year?) ago.  My first experience that got me thinking about what is now called clickjacking was a car ad that overlaid a huge chunk of a page I was visiting.  It was a flash thing that just made a car drive across the page.  Harmless, except that it happened to cover something I wanted to click on at the time.  And it made me realise -- there's no reason my click supposedly on that ad couldn't result in me clicking something else I didn't want to click on that page... I've been suspicious of those "x to close" things on ads ever since. &lt;br /&gt;&lt;br /&gt;If I'd realised I could just give it a shiny new name and publish, we could have gotten some nice papers out of it.  Oh well.  It seemed so obvious, though, what was the point?&lt;br /&gt;&lt;br /&gt;(b) This was actually one of the reactions we got for the next paper I'll be presenting at a conference.  
Roughly translated, the reviewer said "It's not really that new an idea, but it's a nicely combined set of protections."  The reviewer recommended us anyhow and the paper was accepted.&lt;br /&gt;&lt;br /&gt;I didn't agree that our solution wasn't novel, but I could definitely agree that it clearly synthesized ideas from other sources (in fact, we'd made this clear in the paper!).  If we assumed that anything made from wood was more or less the same and not novel or worthy of note, Ikea would be out of business, though. ;)  It's an important part of science to learn which things are related and how they can influence each other.  Why shouldn't it be a useful part of computer science? &lt;br /&gt;&lt;br /&gt;The author of &lt;a href="http://www.webappsec.org/lists/websecurity/archive/2008-10/msg00012.html"&gt;this web security mailing list post&lt;/a&gt; got me thinking further about buzzwords and media-awareness however: &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"Which one is the proper way to describe the attack vector?  The one labeled with the shiny new name or the one with the more technically-accurate name?  And which one had the most positive impact, that is, which one educated the most people?  And finally, should security researchers package security issues for media consumption?"&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;As someone with a fair amount of biology training, I know the answer to this.  People connect much better to the Sugar Maple than they do to its scientifically useful name, &lt;i&gt;Acer saccharum&lt;/i&gt;.  Do you care about &lt;i&gt;Danaus plexippus&lt;/i&gt; or is it the words Monarch Butterfly that would bring to mind the delicate migrators?  And honestly?  As long as you don't overdo it, having "common" names for things just makes it easier to communicate about them.  &lt;br /&gt;&lt;br /&gt;And communicating about web security issues is clearly something we need to do.  
With many web programmers convinced that they don't need to write secure code because they're not handling traditional targets such as credit cards, a lot of people are being left at risk.  Part of the reason is that security &lt;strong&gt;sounds&lt;/strong&gt; complex, and it's filled with "if you mess this up at all, your entire system is insecure" warnings, leading people to toss up their hands.  Everyone knows how easy it is to make a mistake, so what's the point?&lt;br /&gt;&lt;br /&gt;If a new name and some media attention helps people communicate and maybe even realise that they are at risk and that mitigating it might be a good idea, we might be one step closer to a more secure world. "Oh, that's not new," may be true, but it can lead people to believe that they can go back to their dangerous assumptions that all is well in their worlds...&lt;br /&gt;&lt;br /&gt;So next time, I'm going to think twice about dismissing the latest buzzword.  It may be doing more good than I think!&lt;br /&gt;&lt;br /&gt;&lt;p align="center"&gt;&lt;a href="http://www.flickr.com/photos/terrio/2928640850/" title="Monarch Butterfly @ Carleton by Terriko, on Flickr"&gt;&lt;img src="http://farm3.static.flickr.com/2024/2928640850_8e7fed9b66_m.jpg" width="240" height="160" alt="Monarch Butterfly @ Carleton" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6460794182546654038?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6460794182546654038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6460794182546654038' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6460794182546654038'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6460794182546654038'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/10/what-constitutes-new-why-buzzword-bingo.html' title='What constitutes new?  Why buzzword bingo might help security.'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm3.static.flickr.com/2024/2928640850_8e7fed9b66_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7757829780044684406</id><published>2008-09-15T16:34:00.007-04:00</published><updated>2008-11-27T13:08:58.695-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><title type='text'>Where's the JavaScript</title><content type='html'>As part of some investigation for my thesis, I made myself a little add-on for Mozilla Firefox that shows where in the page JavaScript has been included.  I'd been doing this sort of investigation by reading the code myself, but although that told &lt;span style="font-style: italic;"&gt;me&lt;/span&gt; useful things, it wasn't ideal for communicating things to other people.&lt;br /&gt;&lt;br /&gt;My add-on shows inclusion of new JavaScript (using a script tag) by putting a red border on the parent tag, and it shows JavaScript called from the onMouseover, onLoad, onClick, etc. attributes in blue.&lt;br /&gt;&lt;br /&gt;One of the most interesting things I've found is that these are actually relatively predictable things.  If there's an expanding menu, there's probably some JavaScript.  Certain types of forms.  Content that you'd expect to be external.  Links that involve pop-ups.  
Embedded content from other sources.&lt;br /&gt;&lt;br /&gt;Take a look at the way the add-on colours this weather site:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y0ekOZtSGXw/SM7ITONTSzI/AAAAAAAAAB0/SO57NHg69Oo/s1600-h/analecta-weather.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_Y0ekOZtSGXw/SM7ITONTSzI/AAAAAAAAAB0/SO57NHg69Oo/s400/analecta-weather.png" alt="" id="BLOGGER_PHOTO_ID_5246350848490162994" border="0" /&gt;&lt;/a&gt;Once you've seen a few of the things it colours, you could guess a lot of the rest.&lt;br /&gt;&lt;br /&gt;The question now is... Can this predictability be a helpful tool in developing more secure web pages?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7757829780044684406?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7757829780044684406/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7757829780044684406' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7757829780044684406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7757829780044684406'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/09/wheres-javascript.html' title='Where&apos;s the JavaScript'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_Y0ekOZtSGXw/SM7ITONTSzI/AAAAAAAAAB0/SO57NHg69Oo/s72-c/analecta-weather.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7777152870843159960</id><published>2008-07-29T15:05:00.006-04:00</published><updated>2008-11-27T13:01:46.214-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='security professionals'/><category scheme='http://www.blogger.com/atom/ns#' term='link'/><category scheme='http://www.blogger.com/atom/ns#' term='survey'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>What does security mean for web 2.0?</title><content type='html'>&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We’re still trying to figure things out and convince ourselves that we have the right answer. Or that someone does.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;This is taken from a &lt;a href="http://jeremiahgrossman.blogspot.com/2008/07/results-web-application-security.html"&gt;survey of web application security professionals&lt;/a&gt;.  It's not a terribly scientific survey by any means, but I think it's interesting reading despite vague questions and a somewhat undefined audience.&lt;br /&gt;&lt;br /&gt;The above quote really sums up what I got out of the article: that no one's really sure what web security means.  
The addendum to that is that people seem to feel that more is needed, but there is general skepticism about the existing tools (see the section in there about web application firewalls, for example, where 54% of respondents said they were skeptical, although open-minded, or the question above on web application vulnerability scanners).&lt;br /&gt;&lt;br /&gt;The survey mirrors the sorts of impressions I've been getting from people I talk to both locally and at conferences, so if you're curious about what people think of web security, I think it's worth checking out the pretty graphs given in that survey as well as the author's commentary.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7777152870843159960?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7777152870843159960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7777152870843159960' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7777152870843159960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7777152870843159960'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/07/what-does-security-mean-for-web-20.html' title='What does security mean for web 2.0?'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-8278808704973348238</id><published>2008-03-28T01:09:00.005-04:00</published><updated>2008-12-08T21:14:00.499-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='cute'/><title type='text'></title><content type='html'>More cuteness in JavaScript comments:&lt;br /&gt;&lt;pre&gt;//OhNoRobot.com search code for The Devil's Panties at &lt;br /&gt;// devilspanties.keenspot.com&lt;br /&gt;//OhNoRobot is powered by hugs.  Also: Javascript!&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-8278808704973348238?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/8278808704973348238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=8278808704973348238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/8278808704973348238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/8278808704973348238'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/03/more-cuteness-in-javascript-comments.html' title=''/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-7249607922700799648</id><published>2008-03-06T23:24:00.001-05:00</published><updated>2008-03-06T23:36:32.502-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><title type='text'>Facebook</title><content type='html'>After much resistance, I finally joined Facebook... because I wanted to see what their JavaScript looked like.  I admit, I could have done this without signing up properly, but just as I was contemplating signing up, someone sent me an email with links to baby pictures and I finally caved.&lt;br /&gt;&lt;br /&gt;Anyhow, I haven't seen anything too spectacularly interesting in their code yet, but this snippet did make me laugh:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 153, 0);"&gt;function URI(uri){if(uri===window){Util.error('what the hell are you doing');return;}&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;Classy, eh?&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-7249607922700799648?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/7249607922700799648/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=7249607922700799648' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7249607922700799648'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/7249607922700799648'/><link rel='alternate' type='text/html' 
href='http://webinsecurity.blogspot.com/2008/03/facebook.html' title='Facebook'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-3151266322844278535</id><published>2008-02-15T12:23:00.005-05:00</published><updated>2008-02-15T13:15:06.802-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='disabling javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='error messages'/><title type='text'>Wait, did that look like that before?</title><content type='html'>Wait a second... In a &lt;a href="http://webinsecurity.blogspot.com/2008/02/what-does-web-look-like-without_01.html"&gt;previous post&lt;/a&gt;, I noted that gmail just &lt;a href="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R6dYC8M0ZlI/AAAAAAAAAAs/eSTr-q0BEr8/s1600-h/gmail-nojs.tiff.png"&gt;quietly downgraded to HTML&lt;/a&gt; if you didn't have JavaScript turned on.  
But today, I noticed this message:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R7XKpUR4laI/AAAAAAAAABs/UBc2k6YPlbs/s1600-h/gmail-nojs-message.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R7XKpUR4laI/AAAAAAAAABs/UBc2k6YPlbs/s400/gmail-nojs-message.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5167258958644680098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;They could use a small fix to their formatting (i.e., don't let the poor text jam into the side of the box like that -- I had to grab some of the surrounding window so this screenshot would be legible), but this is strangely more helpful than it was before.&lt;br /&gt;&lt;br /&gt;Why the difference?&lt;br /&gt;&lt;br /&gt;Well, much as I like to believe someone at Google saw my comments and made the change, I'm not quite arrogant enough to believe that's true.  Although I suppose it could be -- there are a lot of Google people out there, and for all I know they've got something that scans Blogger for mentions of their products. It would be a clever, if time-consuming, way to find out what the public really thinks.&lt;br /&gt;&lt;br /&gt;Err, I digress.  Self-centred worldviews aside, I'd guess it's more likely that this message has always been there, and I just missed it last time because of my NoScript configuration.&lt;br /&gt;&lt;br /&gt;Why do I find this interesting?  Well, I'm currently working on a theory that users will be safer if they can disable JavaScript that they don't really need to run the page.  This is the theory underlying NoScript, and it has some face validity.  But if users start running only some JavaScript, what is this going to do to the usability of the web?  
My current answer is that if you leave JavaScript off entirely, you're going to turn some pages into a usability nightmare, where things will just not work (more on this later).  But these different error messages based on my various setups indicate to me that you may have these usability problems even if you have partial JavaScript.  In fact, the usability problems may be much worse because the page won't know to generate an appropriate error message!&lt;br /&gt;&lt;br /&gt;I don't know how to solve this problem yet, but I guess that's what makes this research!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-3151266322844278535?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/3151266322844278535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=3151266322844278535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/3151266322844278535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/3151266322844278535'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/wait-did-that-look-like-that-before.html' title='Wait, did that look like that before?'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Y0ekOZtSGXw/R7XKpUR4laI/AAAAAAAAABs/UBc2k6YPlbs/s72-c/gmail-nojs-message.tiff.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-6995298092806469816</id><published>2008-02-15T11:36:00.002-05:00</published><updated>2008-03-28T01:14:31.053-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='cute'/><category scheme='http://www.blogger.com/atom/ns#' term='disabling javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='error messages'/><title type='text'>Another cute error message</title><content type='html'>One of my labmates pointed this one out:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R7W_pER4lZI/AAAAAAAAABk/JBRqoODdaKc/s1600-h/pounce-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R7W_pER4lZI/AAAAAAAAABk/JBRqoODdaKc/s400/pounce-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5167246859721807250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;That is possibly the most adorable of the JavaScript error messages.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-6995298092806469816?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/6995298092806469816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=6995298092806469816' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6995298092806469816'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8281035461329714656/posts/default/6995298092806469816'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/another-cute-error-message.html' title='Another cute error message'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_Y0ekOZtSGXw/R7W_pER4lZI/AAAAAAAAABk/JBRqoODdaKc/s72-c/pounce-nojs.tiff.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-2597054731777483634</id><published>2008-02-10T23:00:00.000-05:00</published><updated>2008-02-11T00:13:15.306-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='patents'/><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='copyright'/><title type='text'>Patented JavaScript</title><content type='html'>Another interesting line I turned up in examining JavaScript:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;//hbx.js,HBX2.0,COPYRIGHT 1997-2006 WEBSIDESTORY,INC.&lt;br /&gt;ALL RIGHTS RESERVED. U.S.PATENT No.6,393,479B1 &amp;amp;&lt;br /&gt;6,766,370. 
INFO:http://websidestory.com/privacy&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;(Wrapped by me so you can read it)&lt;br /&gt;&lt;br /&gt;Now, given how much JavaScript I've found that's obfuscated, I shouldn't be &lt;span style="font-style: italic;"&gt;too&lt;/span&gt; surprised to see patent numbers in there, but I was!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-2597054731777483634?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/2597054731777483634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=2597054731777483634' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2597054731777483634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/2597054731777483634'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/patented-javascript.html' title='Patented JavaScript'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-3239817090092929703</id><published>2008-02-10T22:33:00.005-05:00</published><updated>2008-12-08T21:18:04.477-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='cute'/><category scheme='http://www.blogger.com/atom/ns#' term='copyright'/><title type='text'>Best software conditions ever</title><content type='html'>This is just too amusing not to share.  
Got to love the conditions (I've coloured them to stand out) on this particular piece of code:&lt;br /&gt;&lt;pre&gt;/*&lt;br /&gt;Copyright (c) 2005 JSON.org&lt;br /&gt;&lt;br /&gt;Permission is hereby granted, free of charge, to any person &lt;br /&gt;obtaining a copy of this software and associated documentation &lt;br /&gt;files (the "Software"), to deal in the Software without &lt;br /&gt;restriction, including without limitation the rights to use, &lt;br /&gt;copy, modify, merge, publish, distribute, sublicense, and/or &lt;br /&gt;sell copies of the Software, and to permit persons to whom the &lt;br /&gt;Software is furnished to do so, subject to the following conditions:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;The Software shall be used for Good, not Evil.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, &lt;br /&gt;EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES &lt;br /&gt;OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND &lt;br /&gt;NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT &lt;br /&gt;HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, &lt;br /&gt;WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING &lt;br /&gt;FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR &lt;br /&gt;OTHER DEALINGS IN THE SOFTWARE.&lt;br /&gt;*/&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;I turned that up on CNN.com as I'm just roughly examining various types of code to see if I can see obvious similarities.&lt;br /&gt;&lt;br /&gt;I wonder if the author believes CNN.com is good or evil?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-3239817090092929703?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/3239817090092929703/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=3239817090092929703' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/3239817090092929703'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/3239817090092929703'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/best-software-conditions-ever.html' title='Best software conditions ever'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-5238053789163249294</id><published>2008-02-09T12:14:00.001-05:00</published><updated>2008-02-16T02:19:46.138-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='video'/><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='disabling javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='ads'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='error messages'/><title type='text'>The web without JavaScript.  Part 2:  Black Holes and Revelations</title><content type='html'>As I implied in &lt;a href="http://webinsecurity.blogspot.com/2008/02/what-does-web-look-like-without_01.html"&gt;Part 1&lt;/a&gt;, while sites do sometimes provide helpful error messages related to JavaScript, as often as not they just behave strangely.&lt;br /&gt;&lt;br /&gt;Perhaps the most common issue I've seen is missing content.  The things I notice most often are missing ads and missing video.  
Sometimes, it's nice and obvious that there's a missing element on the page:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63hbkR4lTI/AAAAAAAAAA0/YCSyBh4HhoA/s1600-h/newsgrounds-noads.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63hbkR4lTI/AAAAAAAAAA0/YCSyBh4HhoA/s400/newsgrounds-noads.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165032211375232306" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Many pages leave very obvious spaces for their ads, and when they're filled with blank space, it's fairly obvious that there's a problem.&lt;br /&gt;&lt;br /&gt;The videos are less obvious, however:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63jwkR4lWI/AAAAAAAAABM/LkS6Mwq5gjc/s1600-h/cutewithchris-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63jwkR4lWI/AAAAAAAAABM/LkS6Mwq5gjc/s400/cutewithchris-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165034771175740770" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There's a video in there.  Really.  Normally, it would appear right below the header, so the page would look more like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63l5kR4lXI/AAAAAAAAABU/7ZRDIqGtCJE/s1600-h/cutewithchris-js.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63l5kR4lXI/AAAAAAAAABU/7ZRDIqGtCJE/s400/cutewithchris-js.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165037124817818994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There you can see the video loading in the big black box.   
But how would you tell that the previous page had anything missing?  The page has nicely moved the text up, leaving no trace that there should be something there.  In the case of the missing video, there are usually only a few clues:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The page looks abnormally short (there isn't much text)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;I'm expecting a video on the page, and it's not there.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;I happen to check the JavaScript list from NoScript and notice something that looks like video.* or sounds like a domain that might host video.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Usually, the winning clue is #2, since a friend will send me a link and mention that it's a video, or the comments on the page will talk about the video, or sometimes the text itself will tip me off by what it says.&lt;br /&gt;&lt;br /&gt;And often, you'll see both missing spaces and the lack thereof on the same page.  The page featured below would normally have both an ad and a video:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R63jMER4lUI/AAAAAAAAAA8/16wWJ1snB1Y/s1600-h/zeropunctuation-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R63jMER4lUI/AAAAAAAAAA8/16wWJ1snB1Y/s400/zeropunctuation-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165034144110515522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Could you tell there was a video on this page?  
You can see the blank space for an advertisement, but the text automatically moves up so you can't tell that the page with the video looks like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Y0ekOZtSGXw/R63jg0R4lVI/AAAAAAAAABE/7E9nK6RJJh4/s1600-h/zeropunctuation-js.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_Y0ekOZtSGXw/R63jg0R4lVI/AAAAAAAAABE/7E9nK6RJJh4/s400/zeropunctuation-js.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165034500592801106" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's the video in bright yellow at the bottom there.&lt;br /&gt;&lt;br /&gt;But it gets even more fun when you've changed which sites have JavaScript disabled in NoScript.  Check out that same site with &lt;span style="font-style: italic;"&gt;all&lt;/span&gt; the JavaScript disabled:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R63qDER4lYI/AAAAAAAAABc/5jYRnBSWHOs/s1600-h/zeropunctuation-reallynojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R63qDER4lYI/AAAAAAAAABc/5jYRnBSWHOs/s400/zeropunctuation-reallynojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5165041686073087362" border="0" /&gt;&lt;/a&gt;They're pretty smart!  If they can tell that JavaScript is disabled (i.e., I've disabled it for the main site), then they both provide the helpful error text AND they provide an ad, showing that you don't really need JavaScript to do it.  Unfortunately, my weird way of disabling some JavaScript but not others had limited their ability to do damage control on the page I was trying to break.  
Interesting...&lt;br /&gt;&lt;br /&gt;Next up in this series: Sites that have more than a few holes, and sites that just don't work without their JavaScript!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-5238053789163249294?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/5238053789163249294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=5238053789163249294' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5238053789163249294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/5238053789163249294'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/web-without-javascript-part-2-blank.html' title='The web without JavaScript.  
Part 2:  Black Holes and Revelations'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Y0ekOZtSGXw/R63hbkR4lTI/AAAAAAAAAA0/YCSyBh4HhoA/s72-c/newsgrounds-noads.tiff.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4236307980167008606</id><published>2008-02-04T16:37:00.000-05:00</published><updated>2008-02-09T12:56:37.194-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='usability'/><category scheme='http://www.blogger.com/atom/ns#' term='disabling javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='error messages'/><title type='text'>What does the web look like without JavaScript? Part 1: Error Messages</title><content type='html'>So what &lt;span style="font-style: italic;"&gt;does&lt;/span&gt; the web look like without JavaScript?  This post focuses on the error messages you see when you decide to ditch the JavaScript, but the sad reality is that although some sites will give you warnings, this is hardly the norm.  
Still, it's worth looking at what you might see...&lt;br /&gt;&lt;br /&gt;Without JavaScript, occasionally the web looks like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Y0ekOZtSGXw/R6dU4cM0ZiI/AAAAAAAAAAU/87y7D5S9gNY/s1600-h/ac-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_Y0ekOZtSGXw/R6dU4cM0ZiI/AAAAAAAAAAU/87y7D5S9gNY/s400/ac-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5163188826422928930" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;That's a nice big red error message indicating that there's no JavaScript.  Simple, clear, informative, lets you know where to go for help, or even lets you use the website for things that don't require JavaScript.&lt;br /&gt;&lt;br /&gt;In a similar vein, you sometimes get error messages like this one:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R6dV2sM0ZjI/AAAAAAAAAAc/iLm-mUqdppI/s1600-h/nasa-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_Y0ekOZtSGXw/R6dV2sM0ZjI/AAAAAAAAAAc/iLm-mUqdppI/s400/nasa-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5163189895869785650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I find it hilarious that it first tells me that JavaScript is turned off, then tells me what to do in the event that JavaScript redirection isn't working... even though if I saw this page at all, JavaScript redirection won't work.  But maybe I'm too easily amused.&lt;br /&gt;&lt;br /&gt;Anyhow, similarly, it lets you know in nice big red letters what the issue is and how to fix it.  Good good.&lt;br /&gt;&lt;br /&gt;But this isn't the norm among pages. 
Sometimes, you get error messages more like this one:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R6dWk8M0ZkI/AAAAAAAAAAk/JU_9xrjSgXg/s1600-h/youtube-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R6dWk8M0ZkI/AAAAAAAAAAk/JU_9xrjSgXg/s400/youtube-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5163190690438735426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Well, it &lt;span style="font-style: italic;"&gt;could&lt;/span&gt; be JavaScript, or maybe something else is wrong.  Here's how to get Flash player!  Err, that's almost helpful.  I can see a lot of people reinstalling Flash player and assuming it was broken when JavaScript is the real culprit.&lt;br /&gt;&lt;br /&gt;Also, although it's fairly clear where the error message is when you've got a nice little page fragment like this, it's pretty easy to miss that black text on a page with lots of black text and little images and video responses and so on and so on.   
Especially if you're looking at a video site where really, you're scanning the page for the big video window and mentally blocking out all the text, which you know isn't what you came to the page to see.&lt;br /&gt;&lt;br /&gt;And then there's the not-quite-an-error message route:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R6dYC8M0ZlI/AAAAAAAAAAs/eSTr-q0BEr8/s1600-h/gmail-nojs.tiff.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_Y0ekOZtSGXw/R6dYC8M0ZlI/AAAAAAAAAAs/eSTr-q0BEr8/s400/gmail-nojs.tiff.png" alt="" id="BLOGGER_PHOTO_ID_5163192305346438738" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Okay, so &lt;span style="font-style: italic;"&gt;I&lt;/span&gt; know that the reason gmail is showing in basic HTML is that I don't have JavaScript enabled, because I've been out messing with it.  But if you, say, sat down at my computer and tried to log in to gmail, you'd be asking me why it looks so funny on the mac.  Or at least, that's how the friends who've tried to use my laptop reacted when I left things like this.&lt;br /&gt;&lt;br /&gt;I do love how Google automatically downgrades when possible (and it does this with a lot of services) but sometimes it might be worth letting people know &lt;span style="font-style: italic;"&gt;why&lt;/span&gt; you're seeing the reduced interface.  This is really apparent if you use Google maps, which only gives driving directions (no maps!) if you have JavaScript disabled and search for one address to another instead of a single address.  Very confusing if you're not the one who disabled JavaScript, or you did it because of some unrelated thing and didn't realise it was going to break the web.&lt;br /&gt;&lt;br /&gt;But it's still better than no error message at all combined with pages that just don't work, which seems to be very common.  
Stay tuned for more broken pages!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4236307980167008606?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4236307980167008606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4236307980167008606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4236307980167008606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4236307980167008606'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/what-does-web-look-like-without_01.html' title='What does the web look like without JavaScript? 
Part 1: Error Messages'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Y0ekOZtSGXw/R6dU4cM0ZiI/AAAAAAAAAAU/87y7D5S9gNY/s72-c/ac-nojs.tiff.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8281035461329714656.post-4227809061850086620</id><published>2008-02-01T21:53:00.000-05:00</published><updated>2008-02-01T22:36:55.206-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='can&apos;t make an omelette without breaking some eggs'/><category scheme='http://www.blogger.com/atom/ns#' term='web security'/><title type='text'>Want to be safe from malicious web scripts?</title><content type='html'>Want to be safe from malicious web scripts?  The solution, apparently, is to &lt;a href="http://www.cert.org/tech_tips/malicious_code_FAQ.html"&gt;disable JavaScript&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It's always that last line of the security bulletin, the reminder that if we just didn't run this code, we'd be safe from the latest Facebook abuse, bad mojo in Yahoo, or whatever the (bad) flavour of the week is.  But really, you might as well tell people that the only way to protect their computer is to turn it off, lock it in a dark bunker disconnected from the world, and throw away the key.  Sure, that'll keep it from getting the latest piece of web crud, but the machine won't do you very much good.&lt;br /&gt;&lt;br /&gt;Think I'm exaggerating?  Try turning off JavaScript and see how long you last before you need to turn it back on.  
The first time I tried it, I lasted half a day before I needed to change some configuration on my router and found that the settings pages wouldn't even load properly with JavaScript disabled.&lt;br /&gt;&lt;br /&gt;However, I was raised by scientists.   My parents are the sort of people who, when the stove clock broke, gave it to me and my brother, showed us how to use some screwdrivers and other hand tools, then let us experiment on the remains.  I'd love to claim we somehow fixed it, but no, we just found new ways to break it and put parts of it back together in weird ways.  But my parents are smart people: taking things apart and breaking them does teach you a fair bit about them.  And now that we're older, we can put them back together as well as take them apart.&lt;br /&gt;&lt;br /&gt;So with that thought in mind, I realised that if I was going to build a safer web, I needed to know how to take it apart and put it back together.  In the "breaking things" phase,  I decided I needed a nicer way to turn JavaScript on and off on a whim so I could see what else didn't work.  Thankfully, Firefox has a lovely little add-on called &lt;a href="http://noscript.net/"&gt;NoScript&lt;/a&gt; which lets me disable or enable JavaScript on a per domain basis.  
I wouldn't recommend it to novices, but I'm a trained professional, so I set out to learn some stuff.&lt;br /&gt;&lt;br /&gt;With that tool, I was ready to start breaking my web.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8281035461329714656-4227809061850086620?l=webinsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://webinsecurity.blogspot.com/feeds/4227809061850086620/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8281035461329714656&amp;postID=4227809061850086620' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4227809061850086620'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8281035461329714656/posts/default/4227809061850086620'/><link rel='alternate' type='text/html' href='http://webinsecurity.blogspot.com/2008/02/what-does-web-look-like-without.html' title='Want to be safe from malicious web scripts?'/><author><name>T</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
