
Security beyond Obscurity

Another Bambi Blog

Coders' Rights Project

Coders' Rights Project - EFF.org

EFF's Coders' Rights Project protects programmers and developers engaged in cutting-edge exploration of technology in our world. Security and encryption researchers help build a safer future for all of us using digital technologies, yet too many legitimate researchers face serious legal challenges that prevent or inhibit their work. These challenges come from the Digital Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act and state computer crime laws, among others. The Coders Rights Project builds on EFF's longstanding work protecting researchers through education, legal defense, amicus briefs and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers on the digital frontier.



Much more at the site link including a link to:

"Unintended Consequences: Seven Years under the DMCA."

What a great idea, EFF! Two thumbs up!

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation

Black Hat USA 2008 is this week in Las Vegas and I wish I could be there to listen to ALL the presentations.

All of the Talks that will take place at the Black Hat USA 2008 are very important (quite impressive list!!).

I wouldn't want to say one talk is more important than another, or would have more effect on people's use of the Internet than another, but the substance of the talk entitled "The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation" is pretty impressive, and the possible exposure to users is very far reaching and not fixable from a central location or central set of locations, and thereby not easily fixed.

The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host… by design?

Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws... after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. Combined with a rapidly increasing corporate interest in "outsourcing" applications to the browser, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it's about issues and vulnerability classes that have not been discussed anywhere else. ...



The concerns about these vulnerabilities have spurred the following articles:

A photo that can steal your Facebook account (Computerworld):

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR but omit a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file. However, a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. The browser then treats this malicious applet as though it were written by the Web site's developers.



Black Hat Sneak Preview (ZDNET):

There are numerous web applications out there that allow you to upload images, but very few that allow you to upload Java class files. This is for the obvious reason that an attacker-created applet uploaded onto a legitimate web application will allow the execution of arbitrary applet code in the victim’s browser under the context of the web application it was loaded from. Of course, this all goes out the door if you can convince the application that what you have is a valid file for its purposes, yet still deliver the Java applet to the server.



A photo that can steal your online credentials (InfoWorld):

By placing a new type of hybrid file on Web sites that let users upload their own images, researchers can circumvent security systems and take over Web surfers' accounts



It's only the tip of the iceberg, and the Internet sure seems to be beginning to look an awful lot like the Titanic ... will it hit this iceberg head on and sink, graze it and hope for the best while it tries to patch its gushing innards, or will it go around the iceberg?

I don't think it's possible to miss it entirely, but even a grazing can't be avoided without a concerted effort by an awful lot of developers.

Also from the InfoWorld article:

But researchers say that while a Java fix may disable this one attack vector, the problem of malicious content being placed on legitimate Web applications is a much larger and thornier issue. "There will be other ways to do this, with other technologies," said GIFAR developer Nathan McFeters, a researcher with Ernst & Young's Advanced Security Center.

"In the long term, Web applications are going to have to take control of the content," McFeters said. "It's a Web application issue. The Java attack that we're currently using is just one vector."
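Taking "control of the content" on the server side is where the defence lives. The following is an added example, not code from the articles or the researchers quoted above: a Python upload check that looks for the trailing ZIP structure a JAR reader would honour inside a file whose leading bytes claim to be an image. It generalises beyond GIF to PNG and JPEG, and the sample blobs are constructed here (a bare end-of-archive record, not a working JAR).

```python
import struct
# Leading magic bytes of the image formats an upload form typically accepts.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
# ZIP "end of central directory" (EOCD) record: 4-byte signature, 18 fixed
# bytes, then a comment of at most 65535 bytes. ZIP/JAR readers locate the
# archive by scanning backwards from the END of the file, so an archive can
# trail a valid image that image parsers read from the FRONT.
EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22
MAX_TAIL = EOCD_LEN + 0xFFFF

def image_type(data: bytes):
    """Image format suggested by the leading bytes, or None."""
    for name, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None

def find_eocd(data: bytes) -> int:
    """Offset of an EOCD record that ends exactly at EOF, or -1 if none."""
    lo = max(0, len(data) - MAX_TAIL)
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len == len(data):
                return pos  # signature with a consistent comment length
        pos = data.rfind(EOCD_SIG, lo, pos)  # skip stray bytes in pixel data
    return -1

def check_upload(data: bytes) -> dict:
    """Policy verdict for an upload that claims to be an image."""
    kind = image_type(data)
    eocd = find_eocd(data)
    return {"image": kind, "zip_trailer": eocd >= 0,
            "reject": kind is None or eocd >= 0}

# Constructed samples: a tiny GIF89a, and the same bytes with an empty
# archive record appended (only the EOCD layout of a hybrid, not a JAR).
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SAMPLE_HYBRID = SAMPLE_GIF + EOCD_SIG + b"\x00" * 18

if __name__ == "__main__":
    for name, blob in (("gif", SAMPLE_GIF), ("hybrid", SAMPLE_HYBRID)):
        print(name, check_upload(blob))
```

Rejecting is the cheap part; re-encoding every accepted image through a trusted image library, so that only pixel data survives the upload, is the stronger version of the same policy.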



I am sure that there will be more discussion and concern after the full, well nearly full impact has been discussed at the Black Hat USA 2008 conference.

Filesharing deal will drive swapping underground


Cory Doctorow has again hit the proverbial nail on the head in his Guardian article entitled "Illegal filesharing: A suicide note from the music industry" -- "The deal between record companies and ISPs will drive music-swapping underground and erode their profits still further."

Under the new scheme, the rule of law is replaced by a cosy inter-industry deal. Whereas before, anyone who wanted your ISP to spy on your internet connection would have had to show evidence to a judge and get a court order, now any joker who claims to be an aggrieved copyright holder can do so.



I'm a science fiction writer by trade, but even I am impressed by the incredible inventiveness on display in the figures used by the record industry to justify this measure: they add up all the kids who've downloaded a song this week, multiply by the highest retail price, add 30% to account for the wear and tear on their faces from tugging at their beards in dismay, and announce a billion quid "piracy loss" that government and ISPs have to step up and do something about right now, please and thanks, and forget about all that tedious law business.



The original Napster had a fine proposition: they would charge their users for signing onto their network and write a cheque for as-many-billions-as-you-like to the record industry every quarter. After all, they had the fastest-growing technology in the history of the world at their disposal, 70 million internet users in 18 months, and they'd found that the average American user was willing to spend $15 a month for the service. The record industry sued them into a smoking hole instead, and out of the ashes of Napster arose dozens of new networking technologies. Each one was more hardened against monitoring and disconnection than the last.



And that's just the highlights!! Great article. Great thoughts. I hope the RIAA is reading it.

Control is not what music is all about ... if that's what they wanted, they should have gotten into a totally different venue of products. Music is to help people feel free! They are stifling that and their own products!

Cory has written so many great articles for The Guardian as well as other places on the web.

Cory Doctorow's articles on The Guardian

Also check out his May 20, 2008 article entitled, "The odds are stacked against us."

It's time for Apple to wake up and smell the coffee, errr, Java!


This makes no sense at all. I know Apple has been busy, but come on!

We Mac users have been waiting a long time for the Java 6, update 2! By the time they get it done, Java 6, update 3 will be available for the other OSes fixing yet more vulnerabilities!

Oh, wait ... too late for that, right? This one's been out since July 2007: FastSilicon.com - Newly Discovered Java Security Flaw Affects *ALL* Platforms.

I have had Java turned off in my browser since October 2006!! As Ryan Naraine stated in his ZDNET blog, Mac users waiting months for ‘critical’ Java runtime update, "One big problem. It’s August 2007 and Apple’s Java runtime has not yet been updated, meaning that millions of Mac OS X users are at risk of remote code execution attacks."

It's no wonder my Jim refuses to even install SUN Java at all!

First SUN was slow on getting it fixed in the first place (for all OSes), and now, even though it's been fixed for all OTHER OSes, we Mac users are still waiting for the update to be pushed out by Apple. What's the hold up? Apple has had the code since May 2007, when Java 6 update 2 came out for the other OSes, so what gives?

And while we are talking about third party addons, what about Flash? When will that be updated for the Mac?

Apple, if you are not going to keep up with critical updates to the third party addons, unbundle the addons, and give the third parties the information they need to make a Mac version when they do it for all the other OSes.

I love the Mac! So don't get me wrong here, but Apple's Mac is at least as popular as Linux. I use them both -- Java is fixed for Linux and still not for the Mac?! I sure hope they will be putting it out soon.

Welcome to my Other Blog!


Howdy and welcome to my other blog. My main blog is at BambisMusings.com but I wanted to try out Opera's offerings and I do enjoy the Opera browser quite a bit. I also enjoy Mozilla's Firefox browser as well.

I figured, with all the hoopla about Vista coming out, Mac OS X Leopard on the horizon as well, and many great Linux distros out there, why not discuss Security beyond Obscurity?

I have always enjoyed Windows despite the philosophy of Security by Obscurity, until this latest thing, Vista, which I am not going to use. I have recently received a Mac, which is more open in that respect due to its Darwin/BSD roots, albeit not when it comes to Aqua or certain other elements. And of course I also use things like Fedora Core and Ubuntu, which are basically Open Architecture or Security through Knowledge ... in other words the ability to see what's under the hood, change it if you want or need to, or create your own if you are capable in the programming realm, because it's an open architecture.

Well, I will try to post on my new other blog :wink: as often as I can. But it might not be as often as I'd like since we are very busy folks! But please check back often as I hope to talk more about this in the coming days, weeks, months, years even! LOL!

Thanks for taking time to visit and come back soon, ya hear! :smile: