Sourceforge Attack

January 27, 2011

Sourceforge.net, a hosting service for open source projects, has suffered a serious security breach. They are currently working to identify the source of the exploit and ensure the integrity of the remaining data in their environment. Some services, notably CVS, are still down as of this writing.


Facebook HTTPS

January 27, 2011

Facebook is adding HTTPS functionality spanning the entire web site. Previously, only pages that required authentication credentials to be entered were encrypted; this meant that authentication cookies could be captured in plaintext, as with the Firesheep tool. This should put an end to that.

The capability can be activated by end users on the “Account Settings” page.


UNC Breach

January 27, 2011

An excellent writeup on the recent UNC-Chapel Hill security breach at Inside Higher Ed.

Here’s a quick synopsis: Dr. Bonnie Yankaskas, a professor of radiology at the university, was collecting mammography data for a study. The server holding the data, which included medical records and social security numbers, was breached by an unknown attacker and the data is considered to be potentially compromised.

The University wanted to fire her, but settled for demoting her to Assistant Professor and halving her pay.

Dr. Yankaskas’s argument is that she is an academic researcher, not a computer security expert – disciplining her for a security breach is unfair, because this is not her area of expertise or her responsibility. The school’s policy is that she should have appointed a “server caretaker” to monitor the firewall, install patches, etc., and the person she chose is a programmer with no training in security and no experience in server administration. She also ignored his requests for training over the years, and continually graded him as “excellent” in his administration of the server, despite the fact that he did not know what he was doing.

This is a typical tension in higher education – the faculty want to be free of the strictures of security and IT policy, because they feel it unfairly confines their research. IT, on the other hand, wants to be as strict as possible and keep everything in a nice, predictable box.


HTTP Status Code Harvesting

January 26, 2011

An excellent example of using HTTP status codes to determine what other sites a web user is currently logged in to. This would be useful in many environments – say, adding a “Check out our Facebook Page!” link to a corporate home page after determining that the user is currently logged into their own Facebook account.


In-App Purchases on Android

January 26, 2011

Google has announced that they are adding the capability for purchases from inside of an application to the Android operating system. For example, if a video game company wants to sell additional content to players, that will be doable from inside of the game itself rather than some kludgey additional app download.

I can’t wait to see what the scammers come up with to exploit this idea.


Student Intellectual Property

January 26, 2011

It’s a given in the world of research universities that the school is at least a partial owner of new patents or products created by its faculty. But with students creating more and more “apps” for platforms like iOS and Android, and with those apps often being worth big money, policies on university ownership of student creations are getting more attention.

From the article:

Missouri relented in Brown’s case. It also wrote rules explicitly giving student inventors the legal right to their unique ideas developed under specific circumstances. If the invention came from a school contest, extracurricular club or individual initiative, the university keeps its hands off. If the student invention came about under a professor’s supervision, using school resources or grant money, then the university can assert an ownership right – just as it does for faculty researchers.

This is an important trend that needs to be watched – in your organization, are there policies governing what intellectual property rights belong to the company for work performed by employees? If one of your call center workers invents The Next Big Thing while taking a support call, what happens?

If you haven’t thought about this yet, it’s probably time. Writing policies as they are needed is never a good idea.


File Transfer Via DNS Query

January 25, 2011

The always-resourceful Johannes Ullrich has posted an excellent step-by-step tutorial on the Internet Storm Center outlining a method for performing file transfers using DNS queries and tools built into a typical Linux installation (specifically, xxd and dig).

If you start seeing lots of hexadecimal A record queries showing up in your named.log — you might have a problem.
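A small detector for exactly that symptom, added here as an example and not part of the ISC tutorial: it reads BIND-style query-log lines, picks out A queries whose labels are long runs of hex digits, groups them by client, and decodes the chunks so an analyst can see what was carried. The log lines, the client addresses and the `xfer.example.net` zone are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed BIND query-log sample (not real traffic). 192.0.2.10 issues the
# kind of hex-label A queries the xxd+dig transfer produces; 192.0.2.44 is noise.
SAMPLE_LOG = """\
25-Jan-2011 09:12:01.101 client 192.0.2.10#40101: query: 48656c6c6f2c20776f726c64210a.xfer.example.net IN A + (198.51.100.1)
25-Jan-2011 09:12:01.131 client 192.0.2.10#40102: query: 23212f62696e2f73680a6563686f.xfer.example.net IN A + (198.51.100.1)
25-Jan-2011 09:12:01.160 client 192.0.2.10#40103: query: 2048656c6c6f0a.xfer.example.net IN A + (198.51.100.1)
25-Jan-2011 09:12:02.004 client 192.0.2.44#53120: query: www.example.com IN A + (198.51.100.1)
25-Jan-2011 09:12:02.410 client 192.0.2.44#53121: query: mail.example.com IN MX + (198.51.100.1)
25-Jan-2011 09:12:03.222 client 192.0.2.10#40104: query: 0a0a.xfer.example.net IN A + (198.51.100.1)
"""

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a BIND log line.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")


def hex_labels(name, min_len=12):
    """Labels of a query name that look like hex-encoded payload chunks.

    min_len keeps short, legitimately hex-looking labels (e.g. 'dead', 'cafe')
    from triggering; tune it, and allowlist zones such as CDN or anti-spam
    services that legitimately use long hex labels, before deploying.
    """
    return [lbl for lbl in name.rstrip(".").split(".")
            if len(lbl) >= min_len and HEX_LABEL_RE.match(lbl)]


def scan_query_log(text, min_hits=2):
    """Group hex-label A queries by client; return clients over the threshold.

    Value per client is the list of decoded chunks in log order, so the
    analyst can reassemble what left the network.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "A":
            continue
        for label in hex_labels(m.group("name")):
            if len(label) % 2:  # odd length cannot be a whole byte string
                continue
            hits[m.group("ip")].append(bytes.fromhex(label))
    return {ip: chunks for ip, chunks in hits.items() if len(chunks) >= min_hits}


if __name__ == "__main__":
    for ip, chunks in scan_query_log(SAMPLE_LOG).items():
        print(ip, len(chunks), "chunks:", b"".join(chunks))
```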


Domain Blocking 2010

January 25, 2011

OpenDNS has released a report [warning: PDF file] on the white- and blacklisting of domains in 2010. Interestingly, Facebook was the single most commonly blocked site – but it was also the second most commonly whitelisted site. This means that networks that disallowed social networking sites in general were still likely to make an exception for Facebook, likely owing to its popularity as a legitimate marketing tool.

Apparently the bad guys were also aware of this. The report indicates that Facebook is the second most commonly spoofed site for phishing attacks, behind only Paypal.


iPhone NFC

January 25, 2011

Apple is planning on introducing NFC, or “Near Field Communications”, in the next generation of iDevices. This means that users will be able to pay for purchases at NFC-compliant kiosks using their smart phone as an authentication token.

It will be interesting to see how Apple secures this functionality; I would hope that there is some sort of PIN or other unlocking required. Otherwise, losing a phone would be equivalent to losing a phone and a credit card. In fact, since NFC payment is generally a direct bank account debit rather than a credit transaction, it would be even worse.


Facebook and Tunisia

January 25, 2011

A fascinating story in The Atlantic about the cat-and-mouse game between the Tunisian government and Facebook during the recent political unrest. Ammar, the governmental security apparatus, strong-armed the ISPs that Tunisian citizens were using into running domain-level keylogging. Essentially, they were stealing an entire country’s worth of passwords.

The Facebook developers responded with an ingenious technical hack to get around the key capture. All password submissions were pushed over an encrypted channel, and also required the user to identify a friend from his or her accounts. Ingenious – the passwords as a single authentication token were rendered useless.