Enabling Secure Business Operations

Mozilla’s Firefox 3 New SSL Policy - Is This The Right Way?

Many people have been praising Mozilla’s Firefox 3 ever since pre-beta. I myself can easily throw myself onto that bandwagon. But there is one feature that has been causing a little commotion, and I again can easily agree with the commotion.

Firefox 3 (FF3) limits usable encrypted (SSL) web sites to those that have an approved digital certificate from an authorized vendor of Mozilla’s choosing, making it so you have to pay to be recognized. What’s the big deal?

When you visit an encrypted site in FF3, and that site uses a self-signed, or simply unapproved certificate, FF3 doesn’t immediately show the page. Instead you are greeted with what, at first glance, would seem to be an error page.

FF3’s self-signed cert error page

In order to move beyond this page and actually continue to the site as intended, you need to go through 4 clicks to add that site as an “exception”.

The use of a certificate is for SSL, which has two main purposes: it allows connections to be encrypted so they can’t be snooped, and it allows sites to be authenticated so they can’t be impersonated. Advocates of Mozilla’s policy seem to focus only on the latter, stating that a self-signed certificate has no value for authenticating a web site. The real concern is that snooping is a much more easily attainable threat than impersonation. So it is much more valuable to have a self-signed certificate than nothing at all. But doing so puts you at an inconvenience for FF3 users.

This to me sounds like it is blatantly going against the notions of Net Neutrality, something that has been fought to keep open for ages. Something like this completely discriminates against those not willing to purchase an “approved” certificate.

Apple is last major provider to fix the DNS bug

I really like my Mac. It usually is pretty secure. However, Apple just patched their copy of BIND yesterday. I just got the software update request today. This is almost a month since Kaminsky’s coordinated release of the DNS patch. I wonder why Apple was the recalcitrant one that waited so long? Could it be because the exploit was finally in the wild and was no longer just proof of concept? Could it be that the patch was more critical on servers rather than desktops, and desktops are Apple’s mainstay?


Whatever the reason for Apple’s late release, it has made me think about Apple’s security practices. As far as I know, Apple doesn’t have a “patch Tuesday”, and the DNS patch release coincided with Microsoft’s patch Tuesday. Perhaps Apple is moving in that direction, and their patches just happen to come at the end of the month? Will this affect Apple’s security? Probably not, unless you have a release as huge as the DNS flaw, because vulnerabilities that affect Microsoft don’t necessarily affect Apple, so there is no issue with the delay between Microsoft’s release and Apple’s.


Apple has known about this flaw for as long as everyone else has, and since they run BIND, they’ve even had the patch, so their delay in patching their systems is a little concerning. What else have they delayed so long on that we don’t know about?

Today’s State of Security: “We’re Screwed” or “Relax, It’s Okay” (part 2)

In my last article [link] I outlined a few of the hardships we are facing with the constant uprising of technology and how it’s affecting our privacy and security. Hopefully I can shed some light on it, and reassure you that not all hope is lost.

Previously I talked a lot about how technology is making it easier for us to obtain information. This really only applies when the proper measures aren’t taken to protect that data. I mentioned how it’s only a matter of time before cryptographic keys can be broken. Well, the real question isn’t how secure you want your data to be, but how secure you need it to be, and for what length of time. With RSA 1024 you’re still looking at a good 5-10 years before even the simplest of keys can be brute forced, and even longer before it’s a mainstream breakthrough. Nothing is ever going to be 100% secure, this is a fact, but usually we only really ever need to secure things for an extended amount of time.

Then there are those areas where human error comes into play. We are starting to build an arsenal of tools and methodologies to help us automate and reduce the risk of mistakes, whether it be a coding framework or stricter policies, with harsh penalties for those who don’t adhere to them. We really are trying, and I think we are making a good stand. The goal isn’t to lock down everything, but simply to protect it long enough that those who are trying to get it give up.

When it comes to personal privacy, it really comes down to training the users/individuals. It’s a new world. You wouldn’t go leaving your wallet full of cash lying around anywhere, would you? You keep it protected. The same goes for protecting your identity or credit information. Clean up after yourself if you use public computers. Secure your wireless. Don’t give out personal information. Be smart about it, and you’ll continue to stay on top.

We have a fighting chance, no one said it would be easy, but don’t go getting paranoid either. There are people looking out for you too.

Advertisers and ISPs don’t care about privacy (surprise!)

I hate being advertised to. I can’t watch cable TV (which I already pay for), listen to the radio (even subscription satellite radio has ads now), goof off on the internet, play a video game, drive in my car, read a magazine, buy groceries, or check my e-mail/snail mail/answering machine without being bombarded by coupons, billboards, commercials, in-game ads, Google AdWords, spam, telemarketing, and third class junk mail. The sad fact is, advertising is everywhere.

Opinions and research vary widely on the question of how many advertisements Americans see during a typical day, with estimates ranging from a few hundred to a few thousand. (via Google Answers) So, it’s no surprise that the advertisement industry is always trying to come up with new and innovative ways to get you to see or listen to their pitch.

One new approach in the internet arena is behavior tracking – a system in which the advertisers work with your ISP to analyze your online behavior to target ads at you (Read about the debate in Congress here). I understand the need of ISPs to maintain logs for legal reasons, but sharing this type of information with anyone, least of all for the purpose of more ads is extremely distasteful to me.

The security problems surrounding spam (another annoying, ubiquitous form of advertising) are difficult enough to deal with. Now I have to deal with (more) privacy implications of ISPs tracking browsing behavior and sharing this with third parties? I wonder how much more degraded the state of security and privacy on the internet has to get before I have to scale back my activities to the essentials, like e-mail and online banking.

And now, for some Futurama:
Leela: “Didn’t you have ads in the 21st century?”
Fry: “Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games… and on buses and milk cartons and t-shirts, and bananas and written on the sky. But not in dreams, no sirree.”

Today’s State of Security: “We’re Screwed” or “Relax, It’s Okay” (part 1)

The following will be a two-part post on the current state of security. It will mostly be a self-opinionated rant, but I’ll try to make some insightful comments. If you’ve followed the media for any amount of time lately, you’ve heard countless stories about data leaks, data breaches, identity theft, all those uber scary things that keep you up at night.

It almost seems like the very technology we are creating and utilizing is only making it easier for thefts to take place. Fifty years ago, if you wanted to try and purchase something in someone else’s name, you needed a physical ID and a check. That check could be counterfeited or altered through check washing or whatever, but in order to use it, you still had to make a physical appearance. There was a personal touch to it. In order for a company to lose one million records of customer information, it would have required a truck to haul off boxes and boxes of paper records. Today these same tasks can take place with as little as a five-second transaction online, or as simply as losing a laptop or even a USB thumb drive.

With more and more people holding onto almost endless amounts of data, the responsibility for it has skyrocketed. And many people just can’t keep up. That’s why it takes teams of individuals to manage this data. It’s no longer boxes of paper records, but terabytes of data. It’s becoming more common for threats to come from inside companies than from actual attacks or network breaches. Finding the right people to handle this data, and having the right amount of protections, is almost as key. But can we really trust anyone?

Even those that are saying “my data is encrypted, it’s secure” – well, how secure is it really? Computers are getting faster, and more numerous. It’s only a matter of time before encryption keys are broken. That’s assuming the code implementing them is correct (as we’ve discovered in a recent OpenSSL flaw [LINK]).

Software itself isn’t even reliable anymore. How many patches have you applied to your computer this month alone? No code is 100% secure. Back doors are found, limitations are reached, unexpected data is loaded. As great as technology can be, it still comes down to the one common source, human error. We will always make mistakes, and there will always be someone to find them.

So as I see it, we are a society built around laziness. We are slowly building up to our own demise; the gifts we continue to give ourselves, we also use to hurt each other. In the end, we are screwed… or are we?

Stay tuned for my counter-rant, as I shed some light on all the dark little monsters that keep you up at night.

Musings on Web Application Security

I “grew up” surrounded by web application security – from a time when Achilles was the only useful proxy and everything was done by hand, to the current state of affairs, where automated tools and proxies are used on a regular basis. OWASP and WASC have been formed, and web application security is taken seriously. However, there are still many web applications that existed before this explosion in security awareness, and they’re still out “in the wild”.

Unlike the thick client area, where the majority of “major” applications are controlled by larger development firms (Windows, Oracle, etc.) with security departments, web applications are written by everyone and their brother Joe. There are some large development houses writing web apps, but a good majority are developed “in-house” by developers that may not have any kind of security training. I suspect that this will start to change as it did with thick client development as well. Until then, at least security is on people’s radar, and most development groups have at least one person who is familiar with security, or they hire companies that are familiar with it to help them with the development.

The landscape has certainly changed as I’ve “grown” along with it.

World of Warcraft offers One Time Passwords

Blizzard offers a One Time Password device for its European customers, but not for North American or Asia Pacific customers? Blizzard is using a One Time Password device (it appears to be event based) to allow for strong authentication to its EU servers. There’s no indication of what manufacturer they’re using, or if it’s OATH compliant, but it is still “real” two factor authentication, as users will need to have their device with them to log into the account management web pages or to the game servers.

It’s optional, and available for 6 euros to EU customers.

There are three things that make this interesting:
1) real two factor authentication is available in a game before it’s available in some banks
2) Someone at Blizzard feels that users will appreciate the extra authentication (for a game!)
3) It’s not available in North America

I’d get one just to play with it – not that I think my WoW account needs that kind of protection – but it’d be fun to see what it’s like and how they implemented it. Unfortunately, I have a North American account (although, I can play on EU servers, so maybe?). The EU is a smaller market than North America, so perhaps this is a “pilot” program that may eventually make it to the US?

What I still find incredible is that banks and financial companies (which do have information I’d like to protect with strong authentication) are using a fake two factor login while a video game is using real two factor authentication. The contents of a WoW account are (arguably) worth less than my bank account – it depends on your feelings about the game – my account is certainly worth a lot less to me than my bank account.

UPDATE 7-1-08: Blizzard seems to be offering them for NA servers as well (at least they claim that it can only be shipped to the US).

Security by obscurity?

One of the most annoying websites you find when searching for a solution to a problem on Google is http://www.experts-exchange.com. Somehow someone has already asked the same exact question you have. But unfortunately, when you go to the page you get something like “Experts Comments are for Premium Members Only”. You know they have the answer, but is it worth paying? Well, they are using an absurd security by obscurity method to ensure you will pay for their services. Any regular Internet user that sees the “For Premium Members Only” sign will immediately hit the back button, frustrated, and continue on googling. But if you had a bit of curiosity you may find yourself with the answer you were looking for. What is the secret? SCROLL. If you scroll down past all the warnings and announcements you will find yourself in front of the answers you were seeking. Use it while you can, because I am sure after this post hits the web they will promptly close their “Security Hole”.

New House, New Key(s)

I just closed on a new home last week. One of the first things I had to do was change out all the locks. Mainly because I didn’t have keys to any of the deadbolts nor the utility room on the back of the house, which stores the furnace, hot water heater, all that good stuff.

So I went to my local hardware store. At first I was very tempted to get something like this Kwikset SmartScan but I decided at $100 a pop I could hold off. After looking through the selection one thing became very apparent to me. Because I was going to need 3 complete sets (knobs / deadbolts), I wanted them to share the same keys. To do this you need to match up the codes on the packages that way you can get the same sets. Upon picking out a design, style, and type I quickly looked through all the sets only to realize that every package on the shelf had the exact same key code. This meant that the key in any package would work in any of the other locks.

So what are the chances that someone else would come in right behind me, purchase the same set, and now they’d have a key that would work in my house as well. Now I know with such a densely populated area here in DC that the actual chances of someone stumbling upon my house and knowing they have a key that fits is completely low. But someone could just as easily prey on someone who was in the exact same scenario as myself (notice their selection, follow them home, and later wreak some havoc) – maybe a far stretch, but hey, IT COULD HAPPEN.

My solution was somewhat simple, the lock sets I decided to buy feature a smart key system, where I could change the actual key pattern at anytime. So I simply went over to the key cutter, had 3 keys made up of the same style but at a completely random pattern. That way the chances of my new key pattern matching anything that is provided from the factory is very slim.

Let’s just hope my new locks can withstand some degree of key bumping.

When is no news good news?

Maybe it’s just me, maybe I’ve just been busy with work, and not taking the time to scour over all the many news blogs, maybe there’s something there, and I’m just not picking up on it. But it seems lately, at least over the past couple weeks, it’s been pretty slow in the InfoSec news departments all around the net.

Some could even look at this as a good thing, as no news about bugs, exploits, vulnerabilities, and viruses, could be interpreted as good, meaning we’ve been doing our jobs and all is safe in the world.

I generally try to stay on top of everything, mostly for personal interest, but also for the self education process that usually comes with learning anything else about one’s field of profession. And in InfoSec, staying on top can be a job in itself. With vulnerabilities being discovered everyday, new viruses being created (we’ve topped 1 million now), and ensuring all customers/clients are protected from all of this, one can stay pretty busy.

So in all this, it’s hard to keep track of everything, on a good given week, I could literally spend all day learning about what’s been exploited, what’s been patched, who’s done what to help whom here and there. But learning is nothing if you never take time to implement what you’ve learned.