Tabjacking
It is pretty common through the course of using the Internet and e-mail to run across phishing scams and fake web pages attempting to fool you into giving away your user name and passwords. Some are done better than others, and even the most careful users can fall into the trap.
There is a new type of vulnerability I want to help spread the word about. I feel that being educated on these types of phishing tactics is the only real way to prevent them from affecting you. And, while this type of scam is still not heavily exploited... the way in which it operates is ingenious, and could potentially cause massive amounts of trouble for PC users.
This new type of phishing tactic is being referred to as Tabjacking. With the newest generations of browsers (IE 8, Firefox, Opera, Chrome) the new tab button is being used heavily as an easy alternative to opening new windows and increasing multitasking capabilities. By having so many open tabs this exploit is banking on the fact that a user may not remember that they have opened, for example, their bank account in another tab.
The site hosting the exploit has the ability to change the 'favicon' (the little picture by the site's name that helps users identify it, like a Bank of America logo), the site's title (to something like "Bank of America | Home | Personal"), and the site's contents... to look almost identical to a Bank of America log on page. While this would be one hard to pull off phishing attempt (considering the amount of security, and visual pass-phrases banks including BoA use to protect their clients) there are other examples that would cause just as much trouble for users.
Let's look at this example to see how nasty this variant of phishing could be:
Imagine logging into your web based e-mail account. Over the course of 10 minutes it is possible you may have opened 5 separate tabs for individual messages, or links you've encountered in an email from a friend. Unfortunately, one of the pages you went to while checking your email contains code that will attempt to fool you. When you're not looking, and busy with another tab, the page will instantly transform without notice to look like your e-mail's log on screen. You were already in your email... so it is realistic that perhaps your session was timed out, and you do in fact need to re-log in. It is this feeling of security between tabs that makes this attack so dangerous.
There is a proof of concept located at: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
This page will transform after you look away from it into a picture of the Gmail log in screen (to help show how the attack works, not to try to solicit information).
While this attack mode is still in its infancy, it is good to recognize that it could cause problems in the future, and you should be on the lookout for it.
-Steve, for TTC
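As an added illustration of the tab swap described in the post above (not part of the original post or the linked proof of concept), this JavaScript example shows a defensive check: record the page's title, favicon and forms when the tab is hidden, then compare when it becomes visible again. The function names, the sample snapshots and the example.test hosts are assumptions constructed for the example.

```javascript
'use strict';
// Added example, not from the original post; names and sample values are constructed.
// Capture the cues the post lists: title, favicon, and login-form content.
function snapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
    formOrigins: [...doc.forms].map(
      (f) => new URL(f.getAttribute('action') || '', doc.baseURI).origin),
  };
}

// Compare the snapshot taken when the tab was hidden with the current one.
function diffWhileHidden(before, after, pageOrigin) {
  const findings = [];
  if (before.title !== after.title) findings.push('title-changed');
  if (before.favicon !== after.favicon) findings.push('favicon-changed');
  if (after.passwordFields > before.passwordFields) findings.push('password-field-appeared');
  const isNewForeign = (o) => o !== pageOrigin && !before.formOrigins.includes(o);
  if (after.formOrigins.some(isNewForeign)) findings.push('new-cross-origin-form');
  return findings;
}

// A title change alone is common (unread counters), so only warn when the
// page swapped title and favicon AND a password field appeared.
function verdict(findings) {
  const has = (name) => findings.includes(name);
  if (has('title-changed') && has('favicon-changed') && has('password-field-appeared')) return 'warn';
  return findings.length ? 'note' : 'ok';
}

// Constructed snapshots for an offline run (example.test hosts are placeholders).
const ORIGIN = 'https://news.example.test';
const BEFORE = { title: 'Daily News', favicon: ORIGIN + '/favicon.ico', passwordFields: 0, formOrigins: [] };
const SWAPPED = { title: 'Mail: Sign in', favicon: ORIGIN + '/mail.ico', passwordFields: 1,
  formOrigins: ['https://collect.example.test'] };
const BENIGN = { ...BEFORE, title: '(3) Daily News' };

// Browser wiring via the Page Visibility API; skipped when run under Node.
if (typeof document !== 'undefined') {
  let hiddenSnap = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { hiddenSnap = snapshot(document); return; }
    const f = hiddenSnap ? diffWhileHidden(hiddenSnap, snapshot(document), location.origin) : [];
    if (verdict(f) === 'warn') console.warn('Tab changed identity while hidden:', f);
  });
}
```

The `note` verdict exists because legitimate pages also retitle themselves in the background, so a title change by itself is recorded but not treated as a swap.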
Street View = Wireless View? Oh boy
Umm. Hi. Google? WHAT THE HELL ARE YOU DOING?
Man, I wish I could end my post right there. It sums everything up so beautifully. Allow me to explain.
Back on Friday, May 14th, Google announced on its blog that it has been inadvertently collecting data from unsecured wireless networks as its Street View cars have roamed the streets of the world for the past 4 years. At first Google said the only things they were actually collecting were SSIDs (the names of the wireless networks) and MAC addresses of the wireless routers. Well...they lied. Apparently they also managed to collect some 600 gigabytes of transmitted data in more than 30 countries. By today's standards, 600 GB isn't an astronomical amount of data, but it's about 600 GB more than I would like them to be collecting. And for some reason I don't think I'm alone in thinking that. Thankfully I secured my wireless network. But did you?
Google says that it has not used any of the data for anything, nor will it show up in their search engine, or elsewhere. Can we believe that, though? Once Google was aware of what was happening, it segregated the collected data onto another network, which was then "disconnected to make it inaccessible." Inaccessible to who? My goldfish? Call me crazy, but I feel like if something can be disconnected, it can probably be reconnected. Especially by the same people who disconnected it. I don't know. That's just a hunch.
The obvious question, of course, is how did this even happen in the first place? Turns out there was a slight "oversight". I can't possibly explain it any better than Google did themselves, so here you go:
"In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data."
Okay. More questions for you, Google: Why did you want to collect SSID and MAC info to begin with? I think my favorite line is "code that sampled all categories of publicly broadcast WiFi data." What purpose could this possibly serve other than to collect payload data from the unsecured networks? And how do you not know what your code is really doing? Either you suck at testing your own products, or you suck at lying. Pick one, and explain yourself.
Now, Google is (at least in theory) working to get rid of the data it has collected. Data from Ireland has apparently been deleted, with confirmation from a third-party. Again, here is the link to Google's blog, and you will see at the top there is an update regarding this matter. Woah. 1 country has been taken care of in 10 days, and counting. Let's do the simple math here. There are over 30 countries involved, so at a minimum of 10 days per country, we'll still be dealing with this next year. Not exactly a blistering pace. That should give them plenty of time to fabricate a nice little story for us while they exploit the data as much as possible. Way to hustle, Google.
WHAT THE HELL ARE YOU DOING?
-Mike
Think your Mac is secure? Think again
Most people seem to think that Macs are inherently more secure than PCs. And why wouldn't they? It's not often that you hear of someone having a virus or a security breach on a Mac OS, while these are huge concerns for people in the wonderful world of Windows. But this doesn't necessarily mean that Windows machines are any less secure than, say, a MacBook Pro running Snow Leopard. In fact, in reality it is the Mac that is technically less secure in many ways. PCs have numerous anti-exploitation technologies built-in that Macs do not, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Together, ASLR and DEP make it much more difficult for attackers to carry out a successful attack or exploit. It should be noted that Apple is working towards fully implementing ASLR in the future, but they have only made slight progress so far. Microsoft works extremely hard to make sure its operating systems are absolutely as secure as they can possibly be, while Apple seems to be a little more lax about it. I also found a quote from a security researcher that I found very interesting:
"If you look at the number of published vulnerabilities in software and the number of users and compare Windows versus Mac OS you will discover that Mac OS has far more published vulnerabilities per user than Windows does so I think the data pretty much speaks for itself."
Application usage also largely dictates security, particularly when it comes to web browsers. Firefox and Internet Explorer are the two major browsers on Windows systems, and Safari is Mac's main browser. Care to guess which one has the most security flaws and vulnerabilities? Yupp...Safari. Everyone knocks IE, but especially with IE 7 and 8, there have been great improvements and experts agree that it is much safer than using Safari. For an interesting little comparison of the three browsers, click here.
So, given all of this, it seems like a minor miracle that Macs aren't plagued with more viruses, trojans, and intrusions than PCs. But let's not confuse "secure" with "safe" here. It all boils down to one thing: market share. Although Macs are gaining in popularity, Microsoft still has an incredible stranglehold on the market, meaning that it is far more productive for attackers to gear their work towards PCs because it will impact more users. Eventually I think Macs will reach a point where enough people will own them to make it worth the attackers' time to exploit more of the vulnerabilities, at which point Apple will have to be ready to defend itself. Otherwise, what is seen today as a safe OS will no longer be so. It should be interesting to see if they will be more proactive than in the past when it comes to security, or if they will take the "wait and see what happens first" approach.
The truth is, when it comes to OS security, the new Windows and Mac OSs can be as good as they can be bad; it's all in how you use them. If you don't use anti-virus software and you click on every link that looks enticing, download every file that you receive in an e-mail, download music/movies/pictures from who-knows-where, run Flash, Javascript, and ActiveX by default, and don't update your operating system or your software, I promise you will be infected very quickly, regardless of your operating system. But if you take proper measures, your Windows Vista or 7 (and dare I say XP) PC can be just as safe and secure as a Mac running Snow Leopard, and vice versa. So for all you Mac users out there, you're "safe(r)" for now, but not necessarily as secure. As for people who are shopping for a new computer, for now I'd suggest getting a Mac if you're either too lazy or not computer savvy enough to configure security on a PC. You can do a lot more roaming around the Web with an out-of-the-box Mac before you get infected than you could with a PC.
Here are two great articles if you want to know more (and I promise the links aren't infected, so you can click on them regardless of your OS and browser)
PCWorld and CNET
-Mike