ISDPodcast Episode 242 for October 25, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Karthik Rangarajan.
Announcements:
MyHardDriveDied.com Data Recovery Class:
http://www.myharddrivedied.com
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Use the Discount Code: isdpod15 for a 15% discount.
SANS Cyber Defense Initiative 2010
Washington, DC, Marriott Wardman Park
Dec 10-17, 2010
http://washingtontechnology.com/calendar/2010/12/sans-cyber-defense-initiative-2010.aspx
BSidesDelaware:
When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Eventbrite: http://bsidesde-Wiki.eventbrite.com
Schedule – CFP is open
Stories of Interest:
http://codebutler.github.com/firesheep
http://blogs.wsj.com/digits/2010/10/25/firesheep-highlights-web-privacy-problem
A new add-on program for the popular Firefox Web browser is stirring up longstanding concerns over how many websites electronically identify their users.
It’s a problem associated with the use of wireless networks. The add-on program, Firesheep, is designed to make it easy to intercept browser “cookies” used by popular Web sites like Facebook, Twitter and others to identify their users, thereby allowing Firesheep users to log in to those Web sites posing as others.
To work, a user of Firesheep must have the program running on an ordinary computer on a shared wireless network where it can grab cookies after other users on the network log into popular Web sites, according to a post by Eric Butler, the developer of the program. Butler in his post suggests Firesheep works on “open” wireless networks, but doesn’t specify whether that includes networks where many strangers share a common password to access it, as in a café or convention center.
[Karthik: The big deal over this extension baffles me. The web wasn't created to be secure; the web was created as a means of sharing information (remember, open web?). Even then, the extension says your information is unsafe on open wireless. (Wow! I didn't know that!) You can't expect every single web page to have an HTTPS configuration. That said, if you really want an HTTPS configuration, most sites let you do it. It will mean slower pages, but if you are on open wireless and like your private information, you might want to do it. There are loads of extensions that let you do it; this article (http://techcrunch.com/2010/10/25/firesheep/) talks about one. There's also the extension HTTPS Everywhere, which we've tried and tested and works pretty well. Hell, use a VPN, that works too.]
It seems like every time Facebook amends its privacy policy, the web is up in arms. The truth is, Facebook’s well publicized privacy fight is nothing compared to the vulnerability of all unsecured HTTP sites — that includes Facebook, Twitter and many of the web’s most popular destinations. Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies. As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.
It’s not hard to comprehend the far-reaching ramifications of this tool. Anytime you’re using an open Wi-Fi connection, anyone can swiftly access some of your most private, personal information and correspondence (i.e. direct messages, Facebook mail/chat) at the click of a button. And you will have no idea. This is how it works. If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user. Apparently many social network sites are not secured; beyond the big two, Foursquare and Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting: anyone can write their own plugins, according to the post.
According to Butler’s post, he created this seemingly diabolical tool to expose the severe lack of security on the web. We spend so much time quibbling over the minutiae in privacy policies, we lose sight of the forest, or in this case, gaping security holes. “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.
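As an added example (not code from the podcast, the quoted articles, or the Firesheep project), the following Python audits a server's Set-Cookie headers for the Secure and HttpOnly attributes; a session cookie without Secure is exactly what a browser will attach to plain HTTP requests on an open network. The session-name heuristic and the sample headers are constructed for the example.

```python
# Added example (not code from the podcast or from Firesheep): audit Set-Cookie
# headers for the two attributes that decide whether a session cookie can be
# captured on an open network or read by page scripts.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")  # assumed heuristic

# Constructed sample headers, as a web server might emit them.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly",
    "Set-Cookie: login=u42; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie line into (cookie name, {attribute: value})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def sent_in_clear(attrs):
    """A browser attaches a cookie without Secure to plain http:// requests,
    which is exactly the traffic a sniffer on open Wi-Fi can read."""
    return "secure" not in attrs


def audit_cookies(headers):
    """Return (name, issue) pairs for cookies that look like session
    identifiers and are missing Secure or HttpOnly."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preference cookies are not the hijacking target
        if sent_in_clear(attrs):
            findings.append((name, "missing-secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing-httponly"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: {issue}")
```

Running it against the constructed headers flags sessionid and login; auth_token passes because it carries both attributes, and prefs is skipped as a non-session cookie.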
News: http://news.techworld.com/security/3245158/mac-users-warned-of-growing-virus-threat/
Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection.
Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000 ‘strains’ of malware that target the Mac and the company says it is seeing 500 new Mac-specific samples appearing every month.
In 2009, 34 vulnerabilities were detected in Apple’s OS X, which had risen to 175 so far for 2010, with a 20-year total of 170,000 macro ‘viruses’ affecting the platform.
To be clear, such security threats relate only to Apple desktop and laptop computers and not iPads or iPhones, which are only vulnerable if they have been ‘jailbroken’ or if, somehow, a rogue app breaks through the approval process.