Posts Tagged ‘Security’
Adobe on Tuesday patched security flaws in its Acrobat and Reader applications. The updates repair bug CVE-2009-1492, which concerns Adobe’s implementation of JavaScript in Reader and Acrobat. That flaw could allow a hacker to create a malicious PDF file that could execute other arbitrary code.
A second vulnerability, restricted to Reader for Unix, has also been fixed.
Adobe promised last week to fix the problems with its PDF software. The company recommends users of Acrobat or Reader versions 7, 8, or 9 update to the latest versions.
When we think of phishing attacks, in which scammers try to lure sensitive information out of Internet users, we think of fake official-looking e-mails and Web sites.
But you don’t even need to be online to get phished. A phishing attack making the rounds tries to dupe cell phone users into revealing their personal data over the phone. It uses SMS.
It all starts with a spam text message purporting to be from a financial institution. In this case
, it’s from a source identified as KeyPoint Credit Union, warning that an account has been locked and providing an 888 phone number to “verify” the account, said a CNET News reader who received one of the spam text messages on his Sprint phone.
When the phone number is called, an automated message prompts for SocialSsecurity number, credit card number, and driver’s license number, he said.
“Every carrier has seen it,” Matt Sullivan, a Sprint spokesman, said on Tuesday. “We have filtering technology that we are constantly updating to try to weed out some of this.”
Asked how spammers get hold of the phone numbers, Sullivan speculated that they are using a random auto-dialer. Even if only 1 percent of the people called expose their information, the SMiShers are successful, he said.
Customers can block specific numbers that keep calling, but for most spammers that isn’t effective, as they usually take one shot at the phone number and then move on, Sullivan said.
Most websites use an encrypted connection to transfer sensitive information, including usernames, passwords, and credit-card numbers, over the Internet.
In a presentation given this week at Black Hat DC, a computer-security conference in Washington, DC, an independent security researcher who goes by the name Moxie Marlinspike unveiled a tool that can hijack secure connections and trick users into sending sensitive information in the clear.
The attack relies on the fact that most communication over the Internet takes place insecurely. Connections become secure when needed, using the Secure Socket Layer (SSL) protocol.
The beginning of the URL shown in a Web browser’s address bar reveals what kind of connection has been established. If the address starts with “http,” the connection is standard and unencrypted. If it starts with “https,” then the connection between the user and the website is encrypted.
“S” Is for Security in Https
But most users do not bother to type in “https” to establish a secure link. Instead, they rely on a website redirecting them to a secure connection when needed.
“People only tend to access the secure protocols through the insecure protocols,” Marlinspike says.
Marlinspike has developed a software tool called sslstrip that interferes with a website’s attempt to direct the user toward that secure communications channel. Sslstrip can be used once an attacker has infiltrated a network to watch passing traffic for anything that might redirect the user to a secure connection — for example, a login button that links to an “https” URL.
When the tool sees that information, it strips out the link to the secure page and replaces it with an insecure one. The tool then sits between the user and the website’s server, passing information back and forth.
But before passing on information to the server, it encrypts it, so that the Web server has no idea that anything is wrong.
Users Think Many Sites Are Secure When They’re Not
Marlinspike admits that some users might notice that something is wrong because browsers often show that a connection is encrypted by placing a lock in the corner, and that would be absent. However, he says that many sites feature confusing design elements that could easily make users think that a connection is secure when it isn’t.
For instance, some sites show the lock icon in the login window, informing the user that the link is supposed to lead to an encrypted page. Certain banking websites also provide no indication that they are about to switch to an encrypted connection, meaning the user may not realize that anything has gone awry.
Marlinspike even showed several ways that the attack could be made more covert, by creating an encrypted link with the user.
Internet Security Problems Aren’t Going Away
Marlinspike tested sslstrip by collecting data from Tor, an openly accessible network for anonymizing Web traffic. Over 24 hours, he collected login details for 117 e-mail accounts, 16 credit-card numbers, 7 PayPal logins, and 300 other postings that were intended to be secure.
He monitored to see if anyone would balk at using an insecure connection; no one did.
Dan Kaminsky, a well-known security researcher and director of penetration testing for the Seattle-based security company IOActive, says that Marlinspike has expertly exploited several problems that have been known about for years.
“It’s not like [those problems are] going away,” Kaminsky says, “and that matters.”
Kaminsky adds that the problem does not lie with Web browsers, website owners, or users. “What we’re doing isn’t working,” he says. “I think we’re missing critical pieces of infrastructure that we need to secure the Internet.”
One way to add another layer of security to the Internet, Kaminsky argues, would be to introduce a new secure protocol called DNSSEC, for linking Web servers to domain names.
He believes that DNSSEC could be configured to instruct browsers to connect to certain sites using only an “https” connection.
Marlinspike is skeptical that such a major overhaul of the Web’s existing structure would work. He also says that owners of websites could introduce design changes to help make the difference between a secure connection and an insecure one clearer.
Ultimately, however, he believes that a proper solution will be elusive so long as most traffic is sent over the Internet in an insecure fashion.