Security

August 9, 2010 3:20 PM PDT

Google now offers an extension for Chrome that automates the process of adding the secure Google search site as a search engine to the Chrome 6.x branch. Google SSL Web Search is an extension, still in beta, that works with Chrome 6.0.419.0 and later on Windows and Linux computers.

Google SSL Web Search adds encrypted Google search to Chrome's list of search engines.

(Credit: Screenshot by Seth Rosenblatt/CNET)

First released in June 2010, the extension, once installed, opens a configuration window with a single button that brings up Chrome's "add search engine" window. Here, you can set a keyword to speed up your use of Google SSL Web Search. There are also instructions on how to set the SSL Web search as your default search engine, which is a simple procedure: right-click on the Omnibox (Google's name for its location bar), choose Edit search engines, find Google SSL Web Search, and set it as your default engine.

Google notes on the extension's install page that it doesn't work on Macs because "the Mac UI of Chrome for handling OSDD entries is not yet implemented."

The extension is a simple way to streamline a task that's not particularly complicated to begin with--that of adding a search engine and making it your default. It would be more worthwhile if it did automatically make Google SSL your default search engine, yet it doesn't. The real utility of the extension is to highlight the fact that you can now search Google securely, something that you've been able to do since May 2010.

Related:
Google rolls out encrypted search option
How to create keyword-based site-specific searches

Originally posted at The Download Blog
August 7, 2010 6:00 AM PDT

The private browsing options provided by the four major Web browser publishers aren't as anonymous and secure as most users might think, researchers at Stanford University's Computer Science Security Lab said in a new paper (PDF) to be published next week at the Usenix Security Symposium.

In tests comparing the anonymity and security of the private browsing modes in Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, the paper concludes that "current private browsing implementations provide privacy against some local and Web attackers, but can be defeated by determined attackers."

Firefox's private browsing mode, taken from a "Minefield" nightly build.

(Credit: Screenshot by Seth Rosenblatt/CNET)

When activated, private mode is designed to keep the browser from retaining browsing tracks: visited-site history, cookies, search history, download history, Web form data, and temporary files. It is colloquially known as "porn mode" because, as the researchers measured for the first time what many have long suspected, people most often use private browsing to visit pornographic sites. Despite its most common use, though, the implementation of private browsing has not been standardized and varies from browser to browser.

The report also examined the risk that add-ons running under private browsing modes pose to anonymity, and concluded that, as with the implementation of private browsing itself, the risk of add-ons writing to the hard drive or retaining browsing tracks from private browsing sessions varies depending on the add-on.

In Firefox, for example, 16 of the top 32 JavaScript-only extensions wrote to the disk in ways that an attacker with access to the machine could later uncover. The study actually looked at the top 40 Firefox add-ons and treated any binary extensions as unsafe in private browsing mode because of what it called the inherent difficulty of analyzing their arbitrary read-write behavior.

In Chrome, the study determined that 71 of the top 100 extensions use the localStorage API, implying that they might pose a risk to Incognito (Google's name for its private browsing feature). The study did not address how extensions for the other browsers affect their private browsing modes.

"Incognito mode helps you limit the information that is saved on your computer when you browse the Web. It does not remove all records, as we make clear in our Help Center and whenever a user opens a new Incognito mode window," said a Google representative. Google does allow users to select, extension by extension, which ones run in Incognito.

The researchers determined that an add-on designed to disable extensions automatically in private mode could mitigate the risks posed by add-ons that write to the disk during private browsing, although they stated that "we need to restart Firefox to make sure that appropriate extensions are completely enabled or disabled." The Adobe Flash plug-in used to pose a tracking risk, but it has since been updated, "to be consistent with the browser's privacy mode," the researchers said.

The study did not address the Opera browser, No. 5 on the most popular browser list, which offers a private browsing mode but doesn't have extensions. The browser does have widgets, which Opera spokesman Thomas Ford said are "completely sandboxed" from the rest of the browser.

Originally posted at The Download Blog
August 6, 2010 10:15 AM PDT

Blink! detects your face at your Windows log-in screen.

(Credit: Luxand)
It is now harder to blank on computer security with the newest version of Luxand's facial-recognition log-in program, Blink!. The newest version supports Windows Vista and Windows 7 64-bit, in addition to the original 32-bit version. On Luxand's Web site, the company promises "more stability, more reliability, and thus more security."

This free application uses biometric identification, letting users log into their computers simply by looking into a Webcam. Blink cleared numerous tests, including ones in which the user wore sunglasses. The program has multiple security functions, such as support for multiple users and the capability to keep a log of those who access the computer. It is aimed at people who have trouble remembering passwords, as well as those who want an added layer of log-in security.

The lack of support for Web site log-ins is an obvious deficiency, but maybe that is coming next to the handy app.

Originally posted at The Download Blog
August 5, 2010 6:21 PM PDT

The new browser security flaw in iPhones, iPods, and iPads could be more dangerous than initially suspected.

The vulnerability came to light through the jailbreak software released on Sunday, which exploits it through the mobile Safari browser instead of requiring that the device be connected to a computer. Jailbreaking the phone allows it to run apps not approved by Apple. But the same flaw could be used to launch an attack if the user were to surf to a Web site hosting a malicious PDF, giving the attacker unrestricted access to the device.

"The same PDF exploit used to jailbreak the device could also be used to install something malicious," security expert Mike Kershaw told CNET on Thursday.

Apple said Wednesday it is working on a fix for the problem. But until then all iOS devices are at risk.

Now researchers are coming up with different ways to get an iOS device user to visit a Web page hosting the exploit, which is vital for an attack to succeed and not necessarily easy to do if trying to attack a stranger.

Kershaw, who wrote the open-source Kismet Wi-Fi sniffer, has envisioned several attack methods, which I will attempt to describe below. They are theoretical at this point--at least he hasn't heard of anyone attempting them--but that doesn't mean someone hasn't tried or won't.

"If I had an iPhone I would be very worried about using it out in public," he said. The attacks might sound far-fetched, but "I wouldn't want to trust my company's security" to the devices as they stand, Kershaw said. "One way to mitigate (these threats) is to turn off Wi-Fi," he added.

The attacks, which he wrote about on his Kismet Wireless blog, go something like this.

Scenario 1:
An attacker could spoof a wireless access point by pretending to be a legitimate one, and redirect the iOS device user to a Web page hosting the exploit.

Scenario 2:
An attacker could use a tool dubbed Metasploit Airpwn to hijack unencrypted Web traffic and pretend to be a Web server that an iOS device user is attempting to visit.

Scenario 3:
An attacker armed with so-called "IMSI-catcher" equipment, used to snoop on GSM (Global System for Mobile Communications) phone calls, could pretend to be a cell tower. Because the fake tower's radio software doesn't support data, the phone is forced into voice-only mode and switches to Wi-Fi for data automatically. The attacker could then send the user a text message, appearing to come from the carrier, that directs the user to a Web page hosting the exploit, or at that point fall back to either method one or two.

Kershaw got the idea of using an IMSI catcher from security researcher Nick DePetrillo who saw it demonstrated by fellow researcher Chris Paget using a homemade device in a demo at Defcon last week.

These attacks "are concrete examples of how this iPhone exploit isn't just a jailbreak," DePetrillo said in an interview on Thursday. "It's a serious issue, and people need to pay attention."

Originally posted at InSecurity Complex
August 5, 2010 12:49 PM PDT

(Credit: Adobe)

Adobe said Thursday that it will release an emergency fix the week of August 16 for a critical hole in Reader that was publicly disclosed at the Black Hat conference last week.

The flaw, which could be exploited to take control of a computer, is related to the way Adobe's PDF (portable document format) reader software handles fonts, said Charlie Miller, principal analyst at Independent Security Evaluators. He disclosed the hole in his presentation on a tool that can be used to figure out the underlying bugs behind software crashes, he said.

"I don't give the exploit, but you could take what I provide and turn it into an exploit," he told CNET.

Asked if three weeks was a reasonable time for Adobe to release a patch, Miller said: "I'm kind of surprised how fast they're fixing it."

The vulnerability is an "integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, (that) allows remote attackers to execute arbitrary code via a TrueType font," according to the description in the National Vulnerability Database.
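The vulnerability class named in that description, a 32-bit length computation that wraps around, can be shown on a TrueType table directory. The following is an added illustration, not Adobe's CoolType code and not a claim about the specific bug Miller found: it parses the public sfnt layout (a 12-byte offset table followed by 16-byte table records of tag, checksum, offset and length) and compares a naive bounds check, "offset + length <= size", with one that cannot overflow. The sample font bytes are constructed in the block.

```c
/* Added example: integer-overflow bounds check on a TrueType table directory.
 * Not Adobe's code; the sfnt layout is the public format, the font is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SFNT_HEADER 12   /* sfnt version(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2) */
#define RECORD_SIZE 16   /* tag(4) checksum(4) offset(4) length(4) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Returns how many table records pass the bounds check, or -1 if the directory
 * itself does not fit in the buffer. 'hardened' selects the overflow-safe check. */
static int count_valid_tables(const uint8_t *font, size_t size, int hardened) {
    if (size < SFNT_HEADER) return -1;
    uint16_t num_tables = be16(font + 4);
    /* the directory must fit: divide rather than multiply so nothing can wrap */
    if ((size - SFNT_HEADER) / RECORD_SIZE < num_tables) return -1;
    int accepted = 0;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + SFNT_HEADER + (size_t)i * RECORD_SIZE;
        uint32_t offset = be32(rec + 8);
        uint32_t length = be32(rec + 12);
        int ok;
        if (hardened) {
            /* subtract instead of add: no intermediate value can wrap */
            ok = offset <= size && length <= size - offset;
        } else {
            /* VULNERABLE: offset + length is 32-bit arithmetic and wraps around */
            ok = (uint32_t)(offset + length) <= size;
        }
        if (ok) accepted++;
    }
    return accepted;
}

#define SAMPLE_SIZE 64
/* Constructed sample: a 64-byte "font" with two table records. The second
 * carries a length chosen so that offset + length wraps to a small value. */
static size_t build_sample_font(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_SIZE) return 0;
    memset(buf, 0, SAMPLE_SIZE);
    put32(buf, 0x00010000u);                       /* sfnt version 1.0 */
    put16(buf + 4, 2);                             /* numTables */
    uint8_t *r0 = buf + SFNT_HEADER;
    memcpy(r0, "cmap", 4); put32(r0 + 8, 44); put32(r0 + 12, 16);           /* 44+16 = 60, fits */
    uint8_t *r1 = r0 + RECORD_SIZE;
    memcpy(r1, "glyf", 4); put32(r1 + 8, 48); put32(r1 + 12, 0xFFFFFFF0u);  /* 48+0xFFFFFFF0 wraps to 32 */
    return SAMPLE_SIZE;
}

/* Runs one of the two checks over the constructed sample. */
static int sample_accepted(int hardened) {
    uint8_t font[SAMPLE_SIZE];
    size_t n = build_sample_font(font, sizeof font);
    return count_valid_tables(font, n, hardened);
}

int main(void) {
    printf("naive check accepts %d of 2 tables, hardened check accepts %d\n",
           sample_accepted(0), sample_accepted(1));
    return 0;
}
```

The naive parser accepts the second record because 48 + 0xFFFFFFF0 wraps to 32, which is well inside the 64-byte buffer; any later read of "length" bytes from that offset runs far past the end of the font. The hardened form rewrites the same condition as a subtraction, which is the general pattern for bounds checks on attacker-supplied offset/length pairs.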

Adobe's security update, which will come ahead of the company's quarterly security releases scheduled for October 12, will resolve an undisclosed number of critical issues in Reader 9.3.3 for Windows, Mac, and Unix; Acrobat 9.3.3 for Windows and Mac; and Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac, according to Adobe's advisory.

"We are not aware of any exploits in the wild around any of the vulnerabilities that will be fixed in this out-of-band update," an Adobe spokeswoman said in a statement.

Originally posted at InSecurity Complex
August 5, 2010 11:50 AM PDT

(Credit: Microsoft)

Microsoft will issue 14 security bulletins on Tuesday to plug 34 holes, including eight that are critical, in Windows, Office, Internet Explorer, SQL and Silverlight, the company said on Thursday.

"This will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions," Angela Gunn, security response communications manager at Microsoft, wrote in a blog post. "However, in total CVE [common vulnerabilities and exposures] count, this release ties with June 2010, so there's no new record there."

Affected software includes: Windows 7; Windows XP; Vista; Windows Server 2003 and 2008; Windows Server 2008 release 2; IE 6, 7 and 8; Office XP Service Pack 3; Office 2003 Service Pack 3; 2007 Microsoft Office System Service Pack 2; Office 2004 and 2008 for Mac; Office Word Viewer; Office Compatibility Pack for Word, Excel and PowerPoint; 2007 File Formats Service Pack 2; Microsoft Works 9; and Silverlight 2 and 3.

The IE, Office, and Silverlight updates fix an increasingly used type of flaw "where attackers and malware go through the installed applications rather than through the core operating system," said Qualys CTO Wolfgang Kandek.

"Windows XP SP2 users do not have any patches supplied to them, even though the five critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well," he said. "Windows XP SP2 users should upgrade to SP3 as quickly as possible."

Earlier this week, Microsoft released an emergency patch for a critical Windows vulnerability that was being exploited by a fast-spreading virus and other malware. The so-called "shortcut" vulnerability could be used by attackers to take control of a computer.

Originally posted at InSecurity Complex
August 5, 2010 9:41 AM PDT

If the United States wants to defend itself against cyberattacks, it needs to focus on four key areas, according to United States Cyber Command head and NSA Director Army Gen. Keith Alexander.

U.S. Cyber Command head General Keith Alexander

(Credit: National Security Agency)

Speaking Tuesday on the first day of the Armed Forces Communications and Electronics Association's LandWarNet conference in Tampa, Fla., Alexander discussed the dangers to the country's military networks and what the U.S. must do to safeguard them.

The general said the threat of cyberattack affects more than 7 million different computers on more than 1,500 individual networks maintained by the Defense Department.

"On any given day, our networks are probed over 250,000 times an hour," said Alexander. That figure adds up to 6 million probes per day, and the probes come from, among others, more than 140 foreign spy organizations trying to infiltrate U.S. networks.

Attacks on the network have also grown from exploitative to disruptive to more destructive. And it's the destructive threats that worry the general.

"It's only a small step to go from disrupting to destroying parts of the network," he said. "If you think about our nation, our financial systems, our power grids--all of that resides on the network. Our government, our defense department, our intelligence community, all reside on the network. All of them are vulnerable to an attack like that. Shutting down that network would cripple our financial system."

To combat the growing threat of cyberattacks, the first priority is to have the right tools to hunt down the malware itself. That will require the DOD to protect its network the same way the Army protects an area of land, according to the general. "Give the system administrators, our network operators, weapons to hunt inside our networks for malicious software and malicious actors to destroy them," said Alexander.

Protecting network borders is another key goal. At points where users interact with the data, real-time notification of malware must be sent to the administrators in charge of protecting the network as well as foreign intelligence officials and law enforcement on the outside, Alexander said.

The government must also establish strong partnerships with key stakeholders, including allies as well as other federal agencies. "We have to, with our allies, be able to see what is going on with the global network so we can provide real-time indications and warning to our defensive capabilities," said Alexander.

Finally, those who protect the network must know what they can and can't do, both offensively and defensively, without having to seek approval for every action they take, according to Alexander.

"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us," the general said. "You need autonomous decision logic that's based on the rule of law, the legal framework, to let network defenders know what they are allowed to do in the network's defense."

But that last point has been a key area of controversy as the U.S. has been struggling to determine what's okay and what's off limits when responding to foreign sources of cyberattacks. Are denial of service attacks acceptable in cyberwarfare? Are banks and electrical grids valid targets?

During a congressional committee hearing over Alexander's nomination to head U.S. CyberCom, the general was asked a series of questions (PDF) on how he might respond in cyberwarfare. But saying such information was classified, Alexander declined to answer those questions publicly.

About 9,000 soldiers and IT experts from the corporate sector are attending the three-day LandWarNet conference.

Originally posted at Military Tech
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
August 5, 2010 4:00 AM PDT

Hacker Kevin Mitnick is conscientiously working on his image.

Kevin Mitnick was eager to participate in a social-engineering contest at the Defcon hacker conference in Las Vegas last weekend and was told he would target Microsoft in the event.

He figured it would be fun to show off his schmoozing skills, which he so easily used to trick employees at tech companies in the 1990s into handing over passwords and other sensitive information, ultimately landing him in jail.

But when he called his attorney to run it past him, the response was "Are you crazy?!"

Mitnick's lawyer, who declined to be interviewed, advised his most famous client that wire fraud statutes can be broadly interpreted such that any interstate commerce (phone calls) conducted to defraud someone, even if it is part of a contest, could be construed as a violation, according to Mitnick.

Mitnick was able to get source code and other sensitive data from companies using social engineering, a hacking technique that involves simply tricking people into offering up sensitive information rather than using technical means. He was arrested in 1995 and pleaded guilty to wire and computer fraud charges. He was released from prison in 2000 and finished supervised release in January 2003.

Given Mitnick's high-profile status and his guilty plea to four counts of wire fraud for misrepresenting his identity to gain information from Novell, Motorola, Nokia and Fujitsu, his attorney suggested that it was probably better to sit this one out.

"When my lawyer says I might be committing wire fraud I get worried," Mitnick told CNET in the corridors of Defcon on Saturday. He said he was "bummed and disappointed" about not getting to compete in the event but was asked to give a talk as part of the event instead.

Attorneys for the Electronic Frontier Foundation (EFF) advised the social-engineering contest organizers on legalities and since no confidential information was being sought the event passed muster. "We would never advise anyone to break the law," Jennifer Granick, EFF civil liberties director, said in an e-mail exchange this week.

CNET asked David Schindler, a former federal attorney who prosecuted Mitnick, for an opinion on the legalities of the social-engineering contest. A prosecutor would look at what information was being obtained from the companies, whether the purpose of the contest was to defraud or harm the company, and what was done with the information obtained, he said.

There doesn't seem to be anything "inherently illegal, but it depends on the context," said Schindler, chairman of the white collar and government investigations practice group at the law firm of Latham & Watkins. "What was the intent and what was the potential for harm?"

"To some people I'll always be the bad guy."
--Kevin Mitnick
And what would Schindler's advice to Mitnick have been?

"It would have been a prudent piece of advice not to have your client extracting information through deception, even if you're doing it for purely educational purposes," Schindler said, adding that there's also no guarantee that someone in the audience won't misuse the information.

The situation illustrates the fine line Mitnick has to walk to avoid potential legal problems and to steer clear of anything that might make him look like he's doing something improper.

In a phone interview with CNET on Wednesday, Mitnick said he is wary of doing anything that might interfere with the consulting and public speaking business he has built up during the past decade. He's also written several books, including one on social engineering called "The Art of Deception" and has another book due out next year. Tentatively titled "Ghost in the Wires: The Adventures of the World's Most Wanted Hacker," it will be a memoir.

"Not only could I get arrested, but it would ruin my career. Everything I worked so hard to do could be gone overnight. And I don't want to commit any crime," he said. While most Defcon attendees wouldn't register on Microsoft's radar, the company could conceivably try to send a message if Mitnick were to publicly shame it over perceived lax security practices.

"I have done a lot to rehabilitate my reputation," Mitnick said. "I wanted to participate to show how social engineering works, but the benefits weren't worth the risks of the legal issues and issues with companies that might decide 'hey, he's up to his old tricks.'"

One of Kevin Mitnick's business cards doubles as a lock picking kit.

(Credit: Josh Miller/CNET)

Asked for his thought on Mitnick now, Schindler said, "In the end, I am always hopeful that someone I prosecuted will manage to turn his life around and do something productive with his talents."

Even though he's been on the straight and narrow path for 10 years, Mitnick has had a couple of close calls or misunderstandings related to his background.

In 2008, CNET got the scoop on his being detained at the Atlanta airport after a visit to Colombia. It's unclear why he was treated to such intense scrutiny, but the FBI cleared him of any wrongdoing and he was allowed to go. Despite the fact that he had done nothing wrong, an executive at a company whose advisory board he sits on called him up "frantically," worried that he would make the company look bad.

Mitnick declined to identify the company, except to say that it was an identity theft protection firm. However, the Web site for LifeLock shows that Mitnick is on that company's fraud advisory board.

Ironically, LifeLock doesn't need any help in damaging its reputation. Earlier this year, the company agreed to pay $12 million to settle charges that it failed to protect customers against identity fraud as advertised and instead put customer data at risk. And in 2007, Chief Executive Todd Davis brazenly published his Social Security number in ads touting LifeLock's services, but later found himself victimized by someone using his identity to take out a loan.

Just having the name "Kevin Mitnick" is enough to scare off some potential clients. One large antivirus firm keeps toying with the idea of hiring Mitnick as a speaker, but the executives keep backing down, he said. And a law firm wanted to hire him to be an expert witness in a computer and cell phone forensics case but withdrew the offer after learning of his past.

"That was very disappointing, but I thought it best to be up front," he said. "Usually companies hire me and they know full well who I am and that's one of the reasons they want to hire me."

Government officials don't seem to be shunning him, though. He was recently hired to give a speech at an event hosted by an intelligence agency on the East Coast, he said. After a speech at General Dynamics earlier this year, he was bombarded with requests from the audience, including FBI agents, to have their photos taken with him.

"That was surreal," he said. "I was running from these people (before) and now they are wanting autographs."

Mitnick goes to extreme measures to avoid any problems when he does penetration tests at companies that hire him to test their security defenses. For example, his contracts allow very broad discretion in conducting security assessments so that nothing he does "can be construed as illegal," he said. "I can physically go in their facility and hack any system, con any employee and they are giving me explicit written authorization."

He is careful to learn the laws of each state and country he speaks in so that when he does things like demonstrations of caller ID spoofing, a technique that obscures the real identity of a caller, he isn't breaking the law, he said.

However, Mitnick carries a business card that could be risky. It is metal and contains a set of small lock picking tools that can be dislodged. In certain states, lock-picking tools are illegal, he said.

"It's more of a novelty. I'm willing to take that chance," he said. "I'm not using them or giving them out to people who I know are doing bad."

Asked if he can ever truly repair the damage done to his reputation from his illegal hacking past, Mitnick said: "To some people I'll always be the bad guy."

Originally posted at InSecurity Complex
August 4, 2010 2:22 PM PDT

Apple says that it has a fix for the browser security flaw discovered earlier this week on its iOS-powered devices.

After the iPhone Dev Team released the latest jailbreak software hack for the iPhone over the weekend, it became apparent from the way the jailbreak worked, via an iPhone's mobile Safari browser, that the phone has a security vulnerability in the way it loads PDF files from the Web.

On Wednesday an Apple spokeswoman said in a statement, "We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."

Apple declined to say when the update would be pushed out.

There are two distinct vulnerabilities in the iPhone uncovered with the jailbreak software's release, principal analyst Charlie Miller of Independent Security Evaluators told CNET Tuesday. One flaw is in the way the browser parses PDF files, allowing attacker code to run inside the browser's protective sandbox, and the other hole allows that code to break out of the sandbox and get root, or control, privileges on the device.

The security flaw is so serious that the German government issued an official warning to citizens about it on Wednesday and said it was investigating.

Apple declined to comment on Germany's Federal Office for Information Security's statement.

Originally posted at Circuit Breaker
August 4, 2010 4:00 AM PDT

TippingPoint sponsors the Pwn2Own contest at CanSecWest every year, providing cash prizes to researchers for successful exploits. Dino Dai Zovi (left) won the contest two years ago. He helped out during the contest this year and is shown here consulting with TippingPoint security researcher Aaron Portnoy during a mobile-phone hack attempt.

(Credit: Elinor Mills/CNET)

In October 2006, security researcher H.D. Moore discovered a serious problem with the way applications running on Windows display rich text content.

He reported the vulnerability to Microsoft and nearly four years later it's still not fixed, despite the fact that it could be exploited to run malicious code on a PC and take control of it.

Unfortunately, this is not an isolated incident. According to the Zero Day Initiative, which serves as a broker between security researchers who find flaws and software companies who need to fix them, there are 122 outstanding vulnerabilities that have been reported to vendors and which have not been patched yet. The oldest on the list was reported to IBM in May 2007 and more than 30 of the outstanding vulnerabilities are older than a year.

But a new policy announced Wednesday by TippingPoint, which runs the Zero Day Initiative, is expected to change this situation and push software vendors to move more quickly in fixing the flaws.

Vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves.

"There is a large quantity of bugs that have gone unpatched for a long time," said Aaron Portnoy, manager of security research at TippingPoint, which is owned by Hewlett-Packard.

Retroactive deadline
The deadline will apply retroactively so all currently outstanding vulnerabilities--regardless of when they were submitted--will have to be patched by February, a TippingPoint spokeswoman said.

"That's awesome," security researcher Dino Dai Zovi said when told about the Zero Day Initiative deadline news.

"A number of high-profile attacks in the past year have used exploits that had been known by the vendors and had been in the queue to be fixed," he said. "Decreasing the amount of time from when the vulnerability is discovered to when it is patched will shrink the window when other people may discover the vulnerability and take advantage of it."

Vendors can request an extension and it will be granted on a case-by-case basis, Portnoy said. The group will share e-mails TippingPoint and vendors exchange when an extension is requested so the community can see why the vendor needs more time, he said.

"We understand some vulnerabilities will take longer to patch," he said. "We're hoping for a quicker turnaround time."

The lack of a deadline fostered a vulnerability-disclosure environment that was ripe for abuse. Security experts accuse vendors of dragging their feet on fixes. That leaves computer users at risk for attack by unscrupulous hackers who may have discovered the hole on their own and are able to exploit it without anyone knowing, security researchers say.

Giving burglars the keys?
Vendors complain that releasing information to the public on vulnerabilities before a patch is available is akin to giving a burglar the keys to the house. But if computer users know about the risk then they can protect themselves with workarounds and other fixes, researchers argue.

"I think vendors were stretching things out quite a bit," said Chris Wysopal, chief technology officer at Veracode. "We reported a bug to a vendor, a simple cross-site scripting bug, and now it's been four months and we're still waiting for them to fix it. I think vendors sometimes take liberties if there is no pressure put on them."

The debate came to a head recently when a researcher at Google publicly disclosed a Windows XP-related flaw and released code to exploit it five days after reporting it to Microsoft. Within days of the disclosure, there were attacks discovered that exploited the hole. Microsoft has since fixed the hole.

"I would like to point out that if I had reported (the issue) without a working exploit, I would have been ignored," Tavis Ormandy wrote in his post to the Full Disclosure e-mail list in June, adding that he was acting as an independent agent and not as a Google employee.

Microsoft and a few other researchers criticized Ormandy for being hasty in his disclosure, but his move was praised by numerous other researchers tired of waiting for patches that seem to take forever to come.

Google, which distanced itself from Ormandy's actions and the debate at the time, released a blog post addressing the disclosure issue a few weeks ago that was signed by Ormandy and others on the security team. The post suggested that 60 days is a reasonable time frame for vendors to fix critical holes.

"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," the Google post said. "Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet."

Microsoft responded with a blog post of its own that did not suggest a timeframe for fixes.

Asked for his thoughts on Google's proposed 60-day deadline, Mike Reavey, director of the Microsoft Security Response Center, said "I don't think there is a one size (fits all) for deadlines for fixing vulnerabilities in products."

Magic number
Dai Zovi and other researchers contacted by CNET said six months is plenty of time for vendors to fix most issues, and it provides more time than the U.S.-CERT (Computer Emergency Response Team) deadline of 45 days.

"It's hard to say what the magic number is," said Charlie Miller, principal analyst at Independent Security Evaluators. "Tavis reported a bug to Microsoft and wanted them to agree to patch within 60 days and they refused so he released it. So, if everyone can agree on a timeline (the industry) will benefit."

A Google spokesman said the company had no comment beyond the earlier blog post, and Ormandy was not available to comment.

Dave Forstrom, director of Microsoft's Trustworthy Computing Group, provided this statement from Microsoft: "Many vulnerability coordinators have established timelines for disclosure and as always, we'll continue to work with them in a way that minimizes customer risk. Microsoft advocates for coordinated vulnerability disclosure, where vendors and finders work together closely toward a resolution. Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible."

When asked about the Zero Day Initiative deadline for patches, Moore, the researcher who has been waiting nearly four years for Microsoft to patch a hole he discovered, said: "It's about time."

"For too many years, vendors have been pressuring researchers and research organizations to withhold vulnerability information until the patch is released," said Moore, who is chief security architect at Rapid7 and founder of the open-source Metasploit exploit framework, which is used for penetration testing of software, networks, and Web sites.

"Personally, I'd like to see a shorter deadline," he said, "but this is a good compromise."

Originally posted at InSecurity Complex