Security Now 305

From The Official TWiT Wiki

Security Now 305: Ghostery

Security Updates

Errata regarding SD Cards: Obvious in retrospect - they operate EXACTLY like floppy disks! TEST your USB-to-SD adapter. Or use a USB with a r/o switch -- and test it!

Microsoft's Patch Tuesday: 16 updates fixing 34 security vulnerabilities (11 reported bugs in IE). More than half are "Critical", meaning that they are "wormable" and require little or no user action. The rest are information disclosure, etc.

Java Updated to close 17 remote code execution vulnerabilities
  • Wednesday, June 8, Oracle / Java SE Java 6 / Update 26
  • All 17 vulnerabilities could be exploited to execute code remotely without authentication.
  • Nine of the vulnerabilities were given a 10 out of 10 security risk.
  • The update is available for Windows, Linux and Solaris; Apple users will not have a fix until Apple issues an update to address the flaws.
  • STILL TRYING to stick me with the Yahoo Toolbar! :(
  • Windows: Start / Control Panel / Java
  • Check Version
  • Enable auto updates / change to more frequent than monthly!

Security News

World IPv6 Day: Mostly went okay.
  • Little implementation glitches here and there, mostly related to switching over and back.
  • "www" redirected to "m" and the mobile sites were IPv4 only.
  • Filtering ICMPv6 for MTU Path Discovery
  • IPv6 traffic WAY up, but only relative to regular IPv6 traffic
  • HIGH amount of tunneled IPv6
  • Facebook had a million visitors over IPv6.
  • A few participants, such as, are keeping their IPv6 addresses in DNS.
  • Bookmarklets for IE, Firefox & Chrome

iPhone & Android Security Concerns: LinkedIn, Foursquare & Netflix -- storing passwords in plaintext text files. Foursquare has since updated their Android application. (Same username and password for Netflix as elsewhere?)

IE and Firefox both losing marketshare to Chrome and Safari (Safari gaining due to Mac's increasing marketshare.)
  • With the new IE9 and FF4 ... Firefox users are upgrading, IE users are not
  • 10% of IE is STILL IE6!
  • IE is now at 54.27% / FF is at 21.71% / Chrome up to 12.52% / Safari 7.28% / Opera dropped a bit to 2.03%
  • Chrome is the ONLY browser now seeing consistent month-to-month gains.
  • Firefox to release FF5 in late June with four releases per year.

Nissan's new LEAF EV leaks its location...
  • Leaf includes a GSM cellular connection to the Internet for providing voluntary telemetry information to Nissan, the location of new charging stations, competitive driver rankings, and RSS feeds. Called: "CARWINGS"
  • BUT!! The RSS "GET" query contains a TON of information sent to anyone you pull an RSS feed from:
  • lat & lon, speed == current position and speed
  • car_dir == compass direction of the car
  • lat_dst & lon_dst == your destination configured into the Nav system
  • There is NO WAY to prevent the data from being sent, nor any warning that this data is being sent.
  • Cookies are NOT accepted & NO obvious identifying information
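Added example (not from the show notes or from Nissan): what an RSS feed operator would find in a single GET request carrying the parameters listed above, and how the operator could drop them before the URL is logged. The parameter names come from the notes; the host, path, the "feed" parameter and all values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names as listed in the show notes; descriptions paraphrase them.
LEAKED_PARAMS = {
    "lat": "current latitude",
    "lon": "current longitude",
    "speed": "current speed",
    "car_dir": "compass direction of the car",
    "lat_dst": "destination latitude (from the nav system)",
    "lon_dst": "destination longitude (from the nav system)",
}


def audit_feed_request(url):
    """Split one feed request URL into (leaked telemetry, scrubbed URL).

    leaked   -- dict of the telemetry parameters present in the query string
    scrubbed -- the same URL with those parameters removed, safe to log
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = {k.lower(): v for k, v in pairs if k.lower() in LEAKED_PARAMS}
    kept = [(k, v) for k, v in pairs if k.lower() not in LEAKED_PARAMS]
    scrubbed = urlunsplit(parts._replace(query=urlencode(kept)))
    return leaked, scrubbed


# Constructed sample request: hypothetical host/path, made-up coordinates.
SAMPLE = (
    "http://feeds.example.com/news.rss?feed=top"
    "&lat=47.6101&lon=-122.2015&speed=31&car_dir=270"
    "&lat_dst=47.6205&lon_dst=-122.3493"
)

if __name__ == "__main__":
    leaked, scrubbed = audit_feed_request(SAMPLE)
    for name, value in leaked.items():
        print(f"{name:8} = {value:10} ({LEAKED_PARAMS[name]})")
    print("logged as:", scrubbed)
```

Even with no cookie and no account identifier, the query string alone gives the feed server the car's position, heading, speed and destination on every fetch.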

Attacks & Breaches

IMF (International Monetary Fund): Little is known. But attackers were reportedly able to place software on a computer within the IMF network which enabled them to have some level of external access. It may have been planted through a targeted spear phishing campaign. Bloomberg reports that the attack appears to have been mounted by a foreign government, though no specific country was named. Bloomberg's unnamed source also stated that the IMF lost "a large quantity" of data. Much of the IMF's data is extremely sensitive, dealing with the internal financial state of economies and the state of negotiations.

Citi Breached
  • 210,000 Customer names, email addresses and account numbers and contact details lost.
  • But PINs, card security codes (CVVs) and other data are held on different systems which were reportedly not breached.
  • Reports indicated that browser URLs contained account numbers.

US server breached
  • Compromised server only held content for public consumption
  • Same group (Lulzsec) as claimed responsibility for Sony, Nintendo & PBS

Commercial Bank Fraud Liability: SANS and Brian Krebs both reported: May 2009 in Sanford, Maine, Patco Construction Co. filed suit against Ocean Bank. Patco used online banking primarily for weekly payroll. Patco alleged that cyber thieves used the ZeuS Trojan to steal its online banking credentials and then transferred $588,000 in batches of fraudulent ACH (automated clearing house) transactions over a period of seven days. In the weeks following, Ocean Bank was able to recover $243,406 of the fraudulent transfers, leaving Patco with a final loss of $345,445. Patco sued the bank to recover its losses, arguing that Ocean Bank had failed to honor the terms of its contract by allowing customers to log in to accounts with a user name and password. Late last month a magistrate recommended that the court make Patco the loser by denying Patco's motion for summary judgement and granting the bank's motion. It is believed unlikely that the judge in the case will overturn the magistrate's findings.
  • "Reasonable Security" does not mean "Bullet Proof Security."
  • Threshold for asking a challenge question ... lowered from $100,000 to $1. These questions were always asked, and the Trojan was able to acquire them.
  • Judge said virtually ZERO case law. But not anymore.


Most Common iPhone Passcodes (via @SimonZerafa) [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998]

Bitcoin
  • Largest Bitcoin holder has 297,000 bitcoins. At $31, that's $9.2 million.
  • charges 0.65% for its brokerage. A few months ago that was only pennies a day of income, but last Wednesday it was making more than $40,000/day!
  • - trouble?
  • BLACK FRIDAY! -- 1st Bitcoin Depression
  • Opening Bell: $28.919 USD
  • By midday: $20.01, a drop of 30.8%
  • In ONE day: $2 million in Bitcoins traded in 5,871 transactions

Topic: Ghostery

IE, Firefox, Safari, Chrome - Capabilities vary with capabilities allowed to platform extensions

"7 Trackers found on this page, 7 blocked"
  • DoubleClick
  • DoubleClick Spotlight
  • Insight Express
  • Microsoft Atlas
  • MSN Ads
  • Omniture
  • Pulse360

Initial Config: Everything is Opt-In ~ info gathering

Optionally enable GhostRank: Enabling GhostRank will allow you to anonymously participate in an information-gathering panel designed to improve Ghostery performance and create a census of advertisements, tracking beacons, and other page scripts across the web. The data collected is used only in aggregate, contains no personally identifiable information, and will never be used to target advertising.

When you encounter a script (and have GhostRank enabled), Ghostery sends a record that includes the following:

  • Page element(s) identified by Ghostery
  • Element(s) blocked by Ghostery
  • Number of times the element has been identified
  • Domains identified as serving elements
  • Advertisements served at particular domains, including companies associated with each ad
  • Information about the type of notice associated with each ad
  • The browser in which Ghostery has been installed
  • Ghostery version information

GhostRank is an opt-in feature. You can opt-in to GhostRank now, or any time in the future via the Ghostery options menu.

Enable Alert Bubble: When Ghostery detects companies with page elements present on the site you are browsing, it notifies you by listing those company names in a bubble. By default, this bubble appears at the top right corner of your browser window. You can customize its appearance below: (that doesn't appear to be on the page yet.)

Bug list autoupdates: Ghostery routinely adds to and refines our list of companies that operate trackers, ad servers, analytics services, page widgets, and other page elements. You can update this list manually from the Ghostery options menu, or you can enable Ghostery's auto-update service, which periodically checks for new additions to Ghostery's library and includes them automatically.

Blocking: Ghostery can prevent the page elements it detects from running in your browser. Page elements that are blocked will appear crossed out in the notification bubble.

Ghostery can also prevent domains in our library from creating browser cookies. If you have blocking enabled, these domains will be identified in the notification bubble as “ (cookie)”.

  • Click here to enable Blocking (and block all known trackers)
  • Click here to enable Cookie Protection [experimental]
  • Initially 518 bug & 345 cookies
  • Updated Bug list from 523 to 557

Sometimes a site's scripts are responsible for loading 3rd-party trackers

Comprehensive and even-handed guide to what these things are doing
  • Ghostery's Blogging Service: Facebook Social Plugins
  • Tool menu: "What is Facebook Social Plugins?"
  • About Facebook: Facebook operates: Facebook Beacon, Facebook Connect, Facebook Social Plugins
  • Privacy and Data Collection Information
  • Data Collected: Anonymous (browser type, location, page views), Pseudonymous (IP address, "actions taken")
  • Data Sharing: Data is shared with third parties.
  • Data Retention: Data is deleted from backup storage after 90 days.
  • New Relic
  • Twitter Button

Answering the question: Does Ghostery stop the tracking process? It's an option, but most of our users like to allow some page elements and disallow others. The free content on the Internet is paid for largely by advertising, and data collection is a part of that. We don't want to deprive publications or advertisers of their revenue (that would be bad for content on the web) but we do want our users to know who is collecting their data and control it wherever possible. How much data collection a person will tolerate is their own, subjective decision and we would never try and make that for you guys!

  • Domains can be whitelisted
  • Individual tracker bugs and cookies can be whitelisted



