Category Archives: Internet

Cory Doctorow on the future of the privacy wars

Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

Doctorow is worried about this, and so am I.

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.

Test your browser’s security

A new, free, web-based service from cyscon GmbH tests your web browser and reports any security issues it finds.

Check-and-secure starts by checking your computer for open ports, then compares your IP address against a list of addresses associated with botnet activity.

Next, you have the option of checking your browser version and looking for out of date plugins like Java, Flash, and Silverlight. This is arguably the most useful part of the service, and you can get to it directly, which is handy.

The remainder of the service consists of offers to install various local security software packages. I haven’t yet tried the Cyscon Vaccination software, so can’t comment on its efficacy.

February security roundup

In February, a security researcher discovered that a Silverlight exploit – patched by Microsoft in January – is now being distributed through the Angler hacking kit. The researcher also found web sites using the exploit to infect site visitors who have not yet installed the Silverlight patch.

Comodo Internet Security, a highly-rated security package, was found to include features that actually make the host computer less secure. Most notably, that included a VNC server running without a password. VNC is a remote desktop application. The problems were resolved in subsequent updates from Comodo.

Brian Krebs wrote about serious security issues found in some Internet-connected Trane thermostats, and warns buyers to use caution when purchasing ‘smart’ devices.

IPv6 addresses are confusing

ZeroTier has an interesting and amusing look at IPv6 addresses.

At one time, there were a lot of dire predictions about running out of Internet addresses. It seemed clear that given the number of addresses available with the IPv4 scheme, they would soon all be in use. The increasing use of Network Address Translation (NAT) provided relief, as each single address was then able to provide Internet access to multiple devices behind a router.

However, NAT only delayed the inevitable for IPv4, and IPv6 was planned as its replacement. While there are only four billion IPv4 addresses, IPv6 allows for up to 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses. Which should be plenty, even once the Internet expands to other planets.

Acceptance and deployment of IPv6 has been steady, but there are a few hurdles to overcome. One of those is the IPv6 numbering scheme itself.

I’m sure you’re familiar with the IPv4 scheme, in which any device on the Internet is identified by a sequence of four numbers, like this: 123.456.789.123. A full IPv6 address looks like this: adde:efbe:0000:0000:0000:0000:0000:0001. That’s a lot of digits to remember.

Luckily, the IPv6 developers invented ways to abbreviate IPv6 addresses, so that they typically look more like these:

  • adde:efbe::1
  • 2607:f2f8:a368::2
  • fe80::3cee:cdff:fe30:c27
  • fe80::1
  • 2607:f8b0:4007:809::200e

But while those abbreviated numbers are shorter, they are difficult to understand. The ZeroTier post explains why.

NetworkWorld has a fun and informative infographic that compares IPv4 and IPv6.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Google clamps down on misleading ‘download’ buttons

We’ve all run into this: you’re trying to find some software, and when you finally get to a download page, you’re faced with multiple DOWNLOAD buttons. It’s like a really bad game, in which clicking the right button gets you the software, and clicking the wrong one infects your computer with malware.

Google is aware of this problem, and in keeping with its goal of using its vast resources to help protect users, will now detect these misleading buttons and warn users. Increasingly, when you navigate to a page with these deceptive buttons, Google will warn you: ‘Deceptive Content Ahead’. A welcome improvement.

Latest Ouch! newsletters from SANS

It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.

The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.

Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.

Many new top-level domains used for malicious activity

Blue Coat, a company that develops network security software, recently published a report on the amount of shady activity associated with top-level domains (TLDs) on the Internet. Examples of TLDs are .com, .net, and country-specific domains like .ca and .us.

A few years ago, a new batch of TLDs was introduced, including .zip, .review and .country. At the time, ICANN said the changes would “unleash the global human imagination.” Well, as was widely predicted, many of those new TLDs are apparently being used almost exclusively in connection with all kinds of malicious activity. Apparently it was mostly the imagination of criminals that was unleashed.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.