Archive for May, 2008

‘Secure’ PayPal page is… you guessed it

May 17, 2008

A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials.

The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green.

But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with. Sintonen’s code simply caused an Internet Explorer alert window to open with the words “Is it safe?” as evidenced by the screenshot below.

Screenshot showing PayPal XSS vulnerability

During an online interview, he demonstrated a page that prompted users for their account credentials and then sent them to an unauthorized server, and he said it would be possible for him to steal user cookies as well. All the while, the address bar would bear the PayPal URL in green. At the time of publication, eBay had not yet removed the buggy code.

A statement from PayPal said the company considers user security a top priority. “As soon as we were informed of this exploit, we began working very quickly to shut it down,” the statement read. “To our knowledge, this exploit was not used in any phishing attacks”. Unauthorized withdrawals or purchases made on PayPal accounts are fully reimbursed.

The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it’s supposed to close a loophole that’s long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we’ve not yet heard of a single attack involving a forged certificate, so we’re tempted to think the measure is more of a gimmick designed to generate revenue for VeriSign and its competitors than anything else.

eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently (PDF alert) that browsers that don’t support the new standard aren’t welcome on the PayPal site.

XSS vulnerabilities have emerged as one of the easier and more common ways to subvert website security measures. They typically use manipulated URLs to smuggle attacker-supplied script into a page served by the vulnerable site, where it runs as if it were the site’s own code, getting around the so-called same-origin policy, which prevents cookies and other types of content set by one domain from being accessed or manipulated by a different address.
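To make that mechanism concrete, here is an added example, not code from the original article or from PayPal: a hypothetical page-rendering function that reflects a query-string parameter, first unescaped and then HTML-escaped, so the same URL either injects live script into the site’s own origin or renders as inert text. The handler, the parameter name and the sample host are assumptions.

```javascript
// Added example: why a reflected URL parameter must be HTML-escaped on output.
// Hypothetical page that greets the user by a name taken from the URL; the
// parameter name "name" and the host are assumed, not taken from PayPal.

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable version: the parameter is concatenated straight into markup.
// Whatever the URL carries is parsed as HTML, and a <script> tag in it runs
// with the page's origin, which is exactly what a green EV bar cannot detect.
function renderVulnerable(url) {
  const name = new URL(url).searchParams.get('name') || 'guest';
  return `<h1>Hello, ${name}</h1>`;
}

// Hardened version: identical except that the value is escaped on output.
function renderSafe(url) {
  const name = new URL(url).searchParams.get('name') || 'guest';
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Crude check used to compare the two outputs: does the rendered page contain
// a real <script> tag? Production code should rely on a templating engine
// that escapes by default rather than on a regex like this.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample URL on a placeholder host; the payload mirrors the
// harmless alert described in the article.
const SAMPLE_URL =
  'https://example.invalid/greet?name=' +
  encodeURIComponent('<script>alert("Is it safe?")</script>');

console.log(renderVulnerable(SAMPLE_URL)); // markup containing a live <script>
console.log(renderSafe(SAMPLE_URL));       // &lt;script&gt; shown as plain text
```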

Despite the proliferation of XSS attacks, McAfee’s ScanAlert, which provides daily audits of ecommerce websites to certify them “Hacker Safe,” gives clients the thumbs up even when XSS vulnerabilities are discovered on their pages. ®

Activist coders aim to deafen Phorm

May 17, 2008

Updated Coding activists have developed an application designed to confound Phorm’s controversial behaviour-tracking software by simulating random web-browsing.

The folks behind AntiPhormLite say this means actual browsing habits are buried in noise. The app, which is available free of charge, is designed to poison the anonymised click stream Phorm collects with meaningless junk, thereby (at least in theory) undermining its business model.

Its developers reckon the chaff AntiPhormLite generates would be indistinguishable from genuine surfing. AntiPhormLite works with any browser a user cares to use and includes customised options so that each installation can be configured differently, making countermeasures Phorm might apply more difficult to develop.

The beta release comes with source code, allowing security experts to verify that it does only what it says on the tin. The app features “natural time delays” and throttling so that computer generated traffic would be difficult to distinguish from the real thing, as explained below:

AntiPhormLite runs independently and silently in the background of your PC. It connects to the web and intelligently simulates natural surfing behavior across thousands of customizable topics. This creates a background noise of false information disguising and inverting your own interests. We believe our technology is indistinguishable from that of a typical user engaging the internet. To support this claim we have introduced a preview mode that works with any of your preferred browsers, and together with a detailed reporting system and a host of custom options each AntiPhormLite will appear unique.

AntiPhormLite is a Windows (Vista and XP) only app. The application does not execute web pages directly inside a browser, minimising the possibility that it might become a conduit for drive-by-download attacks. It ignores bandwidth-heavy images, flash and video files in a bid to make sure that it doesn’t eat through a user’s bandwidth and thereby slow regular web surfing.

The application needs DirectX 9.0C or later installed. Future versions based on a screen saver are in development.

Phorm has signed deals with BT, Virgin Media and TalkTalk to deliver targeted ads based on a user’s surfing habits. Other firms including NebuAd and Front Porch are attempting to exploit the same emerging market. The technology has provoked a huge privacy debate spurring an anonymous group of “artists, programmers and designers” to develop AntiPhormLite. Whether AntiPhormLite works against technology from NebuAd and Front Porch is unclear.

Particularly when left in default mode (the settings most users apply), it may not be too difficult for Phorm to filter out traffic generated by AntiPhormLite. Phorm’s developers, whatever else you might think of them, have shown themselves to be tenacious and technically skilled. Many people would have to use AntiPhormLite to skew results, and the biggest disadvantage is that those users would have to consent to using Phorm’s behavior tracking software in the first place.

Data pimping fight-back

AntiPhormLite does however represent another front against Phorm, which is under close scrutiny from anti-malware firms, many of which consider its technology to be on the borderline of adware classification.

The UK Information Commissioner has called on ISPs to apply Phorm’s technology on an opt-in basis, something Phorm itself has resisted but Talk Talk has agreed to. Security watchers, most notably Richard Clayton of Cambridge University and the Foundation for Information Policy Research, have questioned the legality of Phorm’s approach, particularly in relation to UK data interception law.

Meanwhile internet activists have created a site, BadPhorm, highlighting concerns about Phorm’s behaviour tracking technology and the company’s background as adware firm 121Media.

More on AntiPhormLite can be found here. ®

Update

The app went live on Thursday afternoon. There is no physical address or phone number on the AntiPhorm site, prompting a bit of concern about the provenance of the app in a thread on the BadPhorm forum. One poster complained that it generated multiple tabs in a browser window.

Commenters elsewhere suggest switching to a Phorm-free ISP is a better approach than applying an as-yet-unproven application.

New Batman Trailer

May 14, 2008

Have a watch – it looks awesome. 🙂

UFO-files now for public release

May 14, 2008

The UK Ministry of Defence (MoD) has begun releasing its voluminous files regarding unidentified flying objects, aerial phenomena, possible alien visitations etc. The documents will all become available to the public via the National Archives over the next three years.

UFOs of various kinds have been sighted and reported to the MoD and its predecessors for at least a hundred years. In general, the number and nature of sightings is much more affected by things such as movie releases or war scares than by any other apparent factor, all the way back to the “Phantom airships” widely reported in the UK before and during World War One – when panic about German zeppelins was at its height.

Many of the MoD’s UFO files – including, probably, most of the good stuff – have already been revealed under Freedom of Information Act requests. In particular, the splendid conspiracy fodder surrounding the Rendlesham Forest incident of 1980 (“Britain’s Roswell”) has long been available, full of mysterious lights, strange marks left in the ground and traces of radiation. Even better, the cameras recording the British air-defence radar picture were switched off at the time, indicating an almost certain government conspiracy.

Anyway, the previously unseen bumf is all coming out from the National Archives here. The files will be free for a month after each one is released, after which there will be a fee for access, so enthusiasts should keep checking back and downloading the stuff as it comes out. (Be warned though, the MoD says upfront that it has never found any solid evidence of aliens, secret American hypersonic stealth spyplanes or anything else good.)

After three years, if you keep it up, you’ll be the proud owner of a complete uk.gov UFO archive.

Or, depending on your viewpoint, <tinfoil>you’ll be the owner of the biggest and most comprehensive cover-up ever compiled</tinfoil>. ®

ITV fined millions for phone fraud

May 8, 2008

ITV must pay £5.67m in fines for misleading viewers using its premium rate phonelines – the largest fine regulator Ofcom has ever imposed.

The broadcaster will also pay out £7.8m in viewer compensation and to charity.

The bulk of the fine was earned by Ant & Dec’s Saturday Night Takeaway, which must pay £3m for misleading viewers in relation to three different competitions. The Geordie twosome’s show Ant & Dec’s Gameshow Marathon was fined a further £1.2m.

ITV has received 2,652 completed claim forms and has paid out £9,718. It is still processing a further 80 forms potentially worth £356. The unclaimed millions will go to more than 50 UK charities.

Ofcom is conducting a separate investigation into the 2005 British Comedy Awards. ITV asked law firm Olswang to investigate the show.

Home Secretary goes crazy on drugs… policy

May 8, 2008

Comment As an example of the brain-gobbling stupidity that affects those who dabble with drugs, you really cannot beat Home Secretary Jacqui Smith’s announcement that cannabis is going to be upgraded again, from a Class C drug to a Class B one. This is the sort of drivelling idiocy more normally associated with decades on peyote rather than the few spliffs she has herself admitted to.

The switch moves the maximum sentence up to five years in jail for simple possession: given the three million regular tokers (to say nothing of the larger number of occasional) this is therefore a threat of an extra seven million or so man years of jail time. Insane willy-waving that ‘something is being done’, you might think, when the jails are so full that police cells are being used to hold convicts.

And to what purpose? What will actually be achieved by this?

LSD Discoverer Albert Hoffman Dead At 102

May 6, 2008

Hoffman

Albert Hoffman, the chemist who discovered Lysergic Acid Diethylamide in 1938, died of a heart attack on April 29, 2008, at 9AM at his home in Switzerland. Hoffman actually re-discovered his invention in 1943, after the original idea seemed like a useless accident. As he wrote in his diary on April 19: