pskl.us

Security

Facebook HTTPS setting is borked

by on Feb.07, 2011, under Reviews, Security, Whining

We are all so busy applauding Facebook for adding an “always use HTTPS” setting (thanks for finally responding to Firesheep, folks) that maybe we should look a little more closely at it before telling the moms of the world to set it and forget it. The stupid thing turns itself off (and doesn’t turn itself back on) as soon as you visit a non-HTTPS Facebook page.

In case you haven’t seen it described on 50,000 websites by now, here’s the deal with the new “feature”:

Click on “Account” at the upper right of your Facebook page and choose “Account Settings”. You’ll get something like this:

facebook-01

Click on “Account Security” and you’ll be able to check the new HTTPS box, illustrated here:

facebook-02b

Note that it says “whenever possible”. This implies that some parts of the Facebook site cannot be served over HTTPS. I have no idea why that is still the case, but it clearly is. The wording also implies that once you check this box you get an HTTPS connection whenever possible and an HTTP connection only when HTTPS is not possible. What it DOESN’T say is that the first time you view a non-HTTPS page, the box simply unchecks itself, and the next time you go to an HTTPS-capable page you’ll be back in vanilla HTTP mode.

So what are these non-HTTPS-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are Facebook applications. The only Facebook app I use is Scrabble. After checking the HTTPS box, I tried to open Scrabble and got this page first:

facebook-04

Excellent, right? It warns me that I’m leaving the safe-and-cozy HTTPS zone. What the warning SHOULD say is: “if you hit ‘Continue,’ you are permanently turning off the HTTPS option.”

Yes, that’s right: once I’m done playing my turn in the HTTP-only danger zone of the Scrabble application and go back to the Facebook home page, I’m back on HTTP.

facebook-05

I went back to check my account settings and I see this:

facebook-02

Well, that’s just fantastic. What’s the point of saying “whenever possible” when it means “until impossible”? This has to be a mistake, and I hope they fix it. Until then we can all tell our moms to go and re-check the box, since it has probably been turned off when they went to play FarmVille or whatever other pages are non-HTTPS.
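Why the silent fallback matters is the Firesheep scenario: once the browser is back on http://, any session cookie that was set without the Secure attribute goes out in the clear on every later request, and anyone on the same wireless network can read it. The following is an added example, not code from the original post: it audits a raw HTTP response for exactly the things that make an http:// fallback dangerous (cookies lacking Secure and HttpOnly, no redirect to https://, no Strict-Transport-Security on the https:// side). The three responses are constructed samples with placeholder cookie names, not captures from facebook.com.

```python
"""
Added example, not part of the original post. Looks at a raw HTTP response
the way a browser would after the HTTPS setting has silently flipped back to
http://, and reports what that fallback exposes. The responses at the bottom
are constructed samples (placeholder host and cookie names), not captures
from facebook.com.
"""

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Return (status_code, [(header_name_lowercase, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lowercase: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(raw):
    """Summarise what an http:// fallback would leak for this response."""
    status, headers = parse_response(raw)
    findings = {
        "redirects_to_https": False,
        "hsts": False,                   # browsers only honour HSTS on https:// responses
        "cookies_without_secure": [],    # sent in the clear on the next http:// request
        "cookies_without_httponly": [],  # readable by page script, e.g. via XSS
    }
    for name, value in headers:
        if name == "location" and status in REDIRECT_STATUSES:
            findings["redirects_to_https"] = value.lower().startswith("https://")
        elif name == "strict-transport-security":
            findings["hsts"] = True
        elif name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings["cookies_without_secure"].append(cookie)
            if "httponly" not in attrs:
                findings["cookies_without_httponly"].append(cookie)
    return findings


# Constructed sample 1: the "vanilla HTTP mode" case. The page is served
# over http:// and re-sets the session cookie with no Secure flag.
PLAIN_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Domain=.example.com\r\n"
    "Set-Cookie: prefs=compact; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample 2: what the http:// leg should look like instead.
HARDENED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "\r\n"
)

# Constructed sample 3: the https:// response after that redirect.
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, sample in (("plain http", PLAIN_HTTP),
                          ("hardened http", HARDENED_HTTP),
                          ("hardened https", HARDENED_HTTPS)):
        print(label, audit(sample))
```

Run against a real site, the interesting case is the first sample: a 200 over http:// that re-issues the session cookie without Secure is precisely the state the Scrabble detour leaves you in.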


Update:
This was discussed on Tech News Today (first 5 minutes)



The TSA and Your Privates

by on Nov.17, 2010, under Security, Whining

I’ve had a lot of thoughts lately on the TSA’s new practices for protecting us from terrorist shenanigans during air travel. My privacy-minded friends and I pass links back and forth each day with horror stories from people who have felt violated by the TSA. All of this came to a head this morning when Jeff Jarvis said this on Twitter:

I may stand alone, but I’d rather be groped than blown up in an airplane with a murderer who had not been groped.

This is clearly an oversimplification of the argument (it isn’t an “A or B” situation; a lot of people on Twitter were shouting “False Dichotomy!”) and is beneath Jeff, in my opinion. For those who don’t know Jeff, you can find out about him here: http://www.buzzmachine.com/about-me/

Generally speaking, I’m a big fan of his work and of his opinions. Just about every time I hear him speak or read his blog, I feel like he “gets it.” Not so much today, though. Jeff kept spouting fallacious arguments in favor of the TSA’s policies, and many people responded unfavorably to what he was saying (Jeff has about 55,000 followers, FYI). I think he’d agree that most of his Twitter feedback was negative. I jumped in and sent a few replies, but I was frustrated, as usual, by the 140-character limit. Jeff replied to a few of my tweets in a very civil manner, as one would expect, except for the fact that he called me a drama queen. Oh, and he joked that people who are against the TSA procedures must have small penises. Once again, this is beneath you, Jeff.

I won’t recap the entire conversation here (you can see it on Twitter if you want to), but Jeff agreed to read my argument if I posted it in blog form, so here we are. I’ll try to keep this as brief as possible, Jeff; I know you’re a busy guy.

“Enhanced” Security Screenings Are Merely Security Theater And Will Not Keep Us Safe

To many people, this is not news. Many years ago (pre-9/11), George Carlin put it brilliantly when he spoke of the illusion of safety. More recently, Bruce Schneier coined the term “security theater.” I don’t know why I’m even writing this post, since so many others have already made the point so much better than I ever could (Noah Shachtman in this piece from the WSJ, for instance), but I’ll do it anyway because I have a few bits I’d like to add.

Fallacy #1: If we had had these measures 10 years ago, they would have prevented 9/11

My opinion:

The only thing preventing 9/11 from happening again is 9/11 itself. Today’s terrorists know they can’t pull off another 9/11-style hijack-and-crash-into-specific-targets attack because the passengers won’t stand for it. On September 10th, 2001, we were all told that we should comply and be quiet if we were on a hijacked plane. The September 11th attacks depended upon that and, for the most part, it worked. Evidence has shown that this is no longer the case. Passengers who get goofy on a flight get a first-class ass-kicking courtesy of their fellow passengers.

So if we had today’s security and September 10th’s mindset, could they have pulled it off? Of course they could have. They possibly wouldn’t have had their boxcutters, but there are plenty of other ways to intimidate Sept-10th-mindset passengers with equipment you can still get on a plane. Don’t make me list specifics; I don’t want a visit from the FBI. Use your imagination. That’s what the terrorists do. Even using something as simple (and previously thought of as harmless) as boxcutters was fairly inventive on their part: they made use of something they were pretty sure they could get through security. When all you have to do is sit around, day after day, thinking of ways to beat a system, you will find a way. As long as the TSA procedures are made public and their limitations are detailed, which has to be the case, the enemy will think of a method to abuse those limitations. Remember, we cannot project our perception of acceptable behavior onto them: they will use children or other extreme measures that will make us sick to our very cores if it will help them accomplish their goals.

Fallacy #2: Today’s security would have caught the underwear bomber.

My opinion:

This one comes straight from one of Jeff’s tweets. While it is essentially true, it misses the point entirely. We started taking our shoes off because of the “shoe bomber,” and now we get groped because of the “underwear bomber.” Do you see the pattern? There was never another shoe bomber, and there will probably never be another underwear bomber (I’d also like to point out that neither of these dingbats boarded a plane in the US; they both went through European security). Both of them sat around their (no doubt) smelly apartments for weeks formulating a plan based on the limitations of the security they would have to pass through. I really, really hate to say it, but there are probably more dingbats sitting in smelly apartments thinking about the same stuff right now.

We keep reacting to previous threats and the bad guys keep evolving. That is the very crux of security theater: make it look like we’re “doing something about the problem.” Would there have been another underwear bomber if we hadn’t started the new procedures? Possibly, but he probably would have been just as successful as the first one. My understanding of the underwear bomber is that he was a nervous mess. He would have been denied access to a plane in Israel simply because one of their well-trained security people talked to him. They probably would have snagged the shoe bomber, too.

Fallacy #3: The logical conclusion is that we’ll all end up flying naked. THEN we’ll be safe for sure.

My opinion:

This may not come as a surprise, but the goal of a terrorist attack is not “blow up planes” or “hijack planes”; it is to kill or injure a very large group of people. Airlines were, for a long time, an ideal target for this kind of action. Some planes carry over 200 people, and none of them can get away from the bad guys. Security was really lousy up until the hijack-happy ’80s, when people suddenly became afraid to fly. Security was beefed up and hijackings went way down (especially on flights coming out of the US). As a result of this heightened security, pulling off the September 11th attacks took a great deal of planning, organization, and luck.

After September 11th, airlines in the US ceased to be a viable target for serious terrorists. I say “serious” terrorists because the terrorists who have tried to walk through security since then have been crackpots and utter failures. The combination of heightened security efforts (pre-gropefest) and passengers who will not be cowed into compliance makes the chances of success drop lower and lower. I’m not saying that there will never be another airplane-based terror attack, just that the chances are extremely slim at this point. The recent bombs-disguised-as-toner plot showed that airplanes can still work for terrorists on SOME level, but it also shows that they are not willing to try their luck at security checkpoints any more.

If you look at it from the viewpoint of a terrorist who hates America (I know it makes you feel dirty, but you have to understand the enemy if you ever wish to defeat them), I’ll bet you can think of a LOT better targets than airplanes for accomplishing your goals. Once again, I’m not going to name specifics, but I’ve only thought about this for a few minutes and I can already think of a few horrific ideas. Now imagine that you are a terrorist and this is ALL you think about.

I’m not saying all this so that you live your life in fear. We simply can’t allow that to happen. The truth is that you have a much better chance of being struck by lightning than of being injured in a terrorist attack. This doesn’t mean we should not be diligent, but there are limits to what is APPROPRIATE diligence, and I feel strongly that the new TSA procedures cross that line. There are better ways to accomplish the overall goal, and it is the job of the TSA to find them. Replace security theater with actual security.

I don’t know who said it first this morning, but somebody on Twitter brought up the following Ben Franklin quote:

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety

Couldn’t be more apt.

Some other reading you might be interested in:

Bruce Schneier talking specifically about new TSA procedures
Bruce Schneier – Beyond Security
Jason Alexander’s take on the situation
TSA confiscates heavily-armed soldiers’ nail-clippers
Former FBI Agent shares his feelings about the TSA


How Windows Boxes Become Infected

by on Oct.27, 2010, under Security

This is a quick screencast showing how easy it is for a Windows system to become infected with malware. In this example, a fully patched Windows 7 system is infected with a fake anti-virus product. The website visited in this video is still actively serving malware, so surf to it at your own risk.

Video: “How Windows Boxes Become Infected” from Layer Two on Vimeo.


500mW USB Adapter goodness!

by on Oct.26, 2010, under Hardware, Security, Tutorials

The Alfa 500mW AWUS036H USB wireless adapter (802.11b/g network radio card) is a win in BackTrack 4!

I picked up an Alfa USB wireless adapter about a month or so ago, and it’s definitely a good card for BackTrack 4.

For some reason I’m one of the few who had to switch the Realtek driver for it; once I did, every wireless utility I tried in BT4 worked great. (I’m using BT4 RC1 on a Lenovo X201.)

So to get the good love, follow these simple steps in BT4:

vi /etc/modprobe.d/blacklist

Find the line “blacklist r8187” (if you don’t know how to use vi or vim, I weep for you). Comment it out with the hash / pound / number sign / whatever you call it in your world (“#”), and add this line:

blacklist rtl8187

Save the file and reboot. (I’m too used to dealing with Windows; you could probably skip the reboot and just rmmod rtl8187, then load r8187.)
After that the card should be using the r8187 kernel module instead of rtl8187.

Boom: kismet and all the other good stuff should work in BT4 with this card.
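The same driver swap as a repeatable script, as an added example that is not part of the original post. It edits a modprobe blacklist file so that rtl8187 is blacklisted and r8187 is not, gives you a check to run before rebooting, and reads lsmod output to tell you which of the two modules is actually loaded. The file path is an argument (/etc/modprobe.d/blacklist is the BT4 location named above); the sample file contents in the demo are constructed, not copied from a real BT4 install.

```sh
#!/bin/sh
# Added example, not from the original post: make the rtl8187 -> r8187
# driver swap described above repeatable and checkable.

# Comment out an active "blacklist r8187" line and make sure exactly one
# active "blacklist rtl8187" line exists. Safe to run more than once.
swap_rtl8187_blacklist() {
    file="$1"
    tmp="$(mktemp)" || return 1
    sed -e 's/^[[:space:]]*blacklist[[:space:]][[:space:]]*r8187[[:space:]]*$/# blacklist r8187/' \
        -e '/^[[:space:]]*blacklist[[:space:]][[:space:]]*rtl8187[[:space:]]*$/d' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'blacklist rtl8187\n' >> "$tmp"
    cat "$tmp" > "$file"      # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# Succeeds only when rtl8187 is blacklisted and r8187 is not.
blacklist_is_swapped() {
    grep -q '^[[:space:]]*blacklist[[:space:]][[:space:]]*rtl8187[[:space:]]*$' "$1" &&
    ! grep -q '^[[:space:]]*blacklist[[:space:]][[:space:]]*r8187[[:space:]]*$' "$1"
}

# Prints which of the two modules is loaded, from lsmod output on stdin
# (so it also works on a saved listing):   lsmod | loaded_8187_driver
loaded_8187_driver() {
    awk '$1 == "r8187" || $1 == "rtl8187" { print $1 }'
}

# Demo on a constructed copy of a blacklist file. The real run is
#   swap_rtl8187_blacklist /etc/modprobe.d/blacklist     (as root)
demo_file="$(mktemp)"
printf '# constructed sample, not a real BT4 file\nblacklist r8187\nblacklist eth1394\n' > "$demo_file"
swap_rtl8187_blacklist "$demo_file"
if blacklist_is_swapped "$demo_file"; then
    echo "swapped: rtl8187 blacklisted, r8187 allowed"
fi
cat "$demo_file"
rm -f "$demo_file"
```

After editing the real file, `lsmod | loaded_8187_driver` should print `r8187` once the module has been reloaded (or after the reboot); if it still prints `rtl8187`, the blacklist edit did not take.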

A side note: if you’ve never used wepbuster to show someone how bad WEP is, *do it*.
Eric and I wrote some scripts for DEFCON a few years ago to automatically crack WEP with the tools that were around then. wepbuster does something just like that, but seems to run through all the different attack vectors you could use. Basically, start it and let it go. Very handy!


iPhone Privacy: What about the SSL Apps?

by on Oct.05, 2010, under Presentations, Security

Following up on our story from last week, we looked more closely at applications that use SSL to encrypt communications between iPhones and remote servers, to determine whether they were transmitting the iPhones’ unique device identifiers (UDIDs).

We performed SSL man-in-the-middle (MITM) attacks against several of these applications to obtain the messages in the clear.

While this study is not yet complete, so far the findings show that many of these applications are using SSL to transmit UDIDs to a remote host. For example, the “Mirror Free” application (http://itunes.apple.com/us/app/id379516970?mt=8), which emulates a mirror using the iPhone’s front-facing camera, was decrypted and shown to be transmitting UDIDs to a remote host. Here is the plaintext of a portion of the SSL conversation; the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b” (most of it is blanked out in the dump below).

00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
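The dump is more structured than it looks. Reading the bytes after the four-byte length word 00 00 00 98, the layout is consistent with the protocol buffers wire format (a key byte giving field number and wire type, then a varint or a length-prefixed value); that is my reading of the capture, not something the post states, and the field numbers below come from the key bytes, not from any schema. The following is an added example, not code from the original post or from the app: it transcribes the hex above (ASCII column dropped), walks that message field by field, and flags the one field shaped like a UDID (40 hex characters). Zero bytes are tolerated inside the candidate only because the post blanked most of the test phone’s UDID.

```python
"""
Added example, not part of the original post. Walks the length-delimited
message in the captured plaintext above and pulls out the field shaped like
an iPhone UDID. Assumption (my reading of the bytes, not stated in the
post): the message after the 00 00 00 98 length word is laid out like a
protocol buffers wire-format message. CAPTURE_HEX is transcribed from the
post's dump with the ASCII column dropped; the 0x00 run inside the first
field is the post's redaction of the UDID.
"""

CAPTURE_HEX = """
00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00
"""

# Offset of the 4-byte big-endian length word (00 00 00 98) in this capture.
LENGTH_OFFSET = 28
HEX_DIGITS = frozenset(b"0123456789abcdef")


def parse_hexdump(text):
    """Turn whitespace-separated hex pairs into bytes."""
    return bytes.fromhex(" ".join(text.split()))


def extract_message(raw, length_offset=LENGTH_OFFSET):
    """Return the message that follows the big-endian length word."""
    length = int.from_bytes(raw[length_offset:length_offset + 4], "big")
    start = length_offset + 4
    return raw[start:start + length]


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def decode_message(buf):
    """Split buf into (field_number, wire_type, value) triples."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                    # 64-bit
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 5:                    # 32-bit
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d at offset %d" % (wire_type, pos))
        fields.append((number, wire_type, value))
    return fields


def looks_like_udid(value):
    """A UDID is 40 lowercase hex characters; 0x00 is only allowed here
    because the post blanked most of the test phone's UDID in the dump."""
    return len(value) == 40 and all(b in HEX_DIGITS or b == 0 for b in value)


def udid_candidates(fields):
    return [(number, value) for number, wire_type, value in fields
            if wire_type == 2 and looks_like_udid(value)]


if __name__ == "__main__":
    message = extract_message(parse_hexdump(CAPTURE_HEX))
    for number, wire_type, value in decode_message(message):
        print("field %2d  wire %d  %r" % (number, wire_type, value))
    print("UDID-shaped fields:", udid_candidates(decode_message(message)))
```

Besides the UDID in field 1 and the bundle id com.appcubby.mirror in field 2, the walk surfaces the device model string iPhone3,1, the repeated 310/410 strings, the locale en_US, and the varints 320 and 480, all readable without any schema; that is the point of running a generic decoder over a MITM capture before deciding what an app is sending home.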

We studied the following applications from our paper and confirmed that they transmit UDIDs via SSL:

  • Bed Intruder Soundboard
  • Color Fill
  • Galaxy on Fire
  • I Bomber 2
  • Mirror Free
  • Mr. Runner
  • Pimple Popper

In most of the cases where SSL was used, the communication terminated on the qwapi.com network. The SSL certificate used on the servers in this domain indicates that the company’s name is Quattro Wireless.

qwapi-certificate

Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system. Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content. In 2008 they boasted the following capabilities:

Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:

Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network

Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.

Sound familiar?
