Security roundup for June 2015

What’s in a name?

ICANN is the non-profit organization that governs the basic naming system used on the Internet. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.

ICANN wants to make it impossible for site owners to be anonymous. They insist that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the information associated with domain registration is extremely valuable to them.

Free proxies: use with caution

Brian Krebs reports on recent research in which 443 free, open proxy services were tested, to determine whether they: a) support secure web traffic; b) maintain the privacy of user information; and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load non-securely, which means that the service operator can see all their user traffic in unencrypted form. Sixteen percent of the services actively insert advertising into customer web traffic.

Recommendation: if you’re looking for a free proxy service, try to find one that allows secure (HTTPS) web traffic.

Why We Encrypt

Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.

Failure to encrypt

Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications – downloaded by millions of users – are using encryption incorrectly, or not at all. While some of these apps probably don’t transmit anything sensitive, many do, including several high profile apps from the NBA, Match.com, Safeway, and Pizza Hut.

New method for managing passwords

The free, open source Master Password simplifies the task of securely generating and storing secure, unique passwords. It does this without the need to store or access anything on the Internet; all you need is the app itself and a master password. The catch? You’ll have to generate and set new passwords for all the sites and services you use. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.

Steganography toolkit for malware

Steganography is a technique used to hide information inside otherwise harmless-looking image files. Security researchers have previously detected its use in hiding malware, but now they’ve discovered software that helps malware authors use the technique. Dell SecureWorks researchers recently analyzed StegoLoader’s capabilities. From their report:

Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.

The dangers of using secret questions for account recovery

Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF). The authors recommend using email-based, or – better still – SMS/text-based account recovery methods.

Testing your anti-malware solution

Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method involves a special string of text known as the EICAR test. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.