There were two unrelated things today that prompted this post:
- Firefox 2.0 Password Manager Exploit
- A great post on how to recover forgotten (but still stored) passwords.
Firefox Password Exploit
As I understand the poorly written vulnerability summary: you can have all of your passwords stolen if you visit a trusted site (trusted = you have a password saved there). This can be done without your knowledge. The places to be cautious are forums, blogs, myspace, etc. where users can affect the web page.
Recovering Lost Passwords:
Last time my dad forgot his Comcast email password, the Comcast rep convinced him that he needed a new account. They did re-setup Outlook Express for him, but in doing so they deleted his email store.
The tool, Cain and Abel, is a fairly sophisticated program that can help dig passwords (and plenty of other things) out of network traffic. It is worth noting that it only works with Ethernet adapters (no wireless), so you’ll need to convince Dad to plug in to make any use of this. I found it very easy to set up and run and was able to test sniff an FTP password in under five minutes.
And how many people are searching for ways to steal passwords?
I frequently test search volume for keywords when I stumble upon something that I hadn’t thought about in the context of SEO. I find it gives me a good perspective about the general interest level in the topic. Check out the keyword discovery stats for the top 20 ‘password’ terms:
To put this in perspective, the same number of people that searched for “password crackers” also searched for “hp computer”. It’s a hostile world beyond the firewall…
Although this action has been expected for some time, this is the first time that cyberspace has been raised to command-level visibility in the military (and in the US government for that matter). Richard Bejtlich has good coverage of the evolution of the new command, and a good take on why it makes sense to centralize this skillset within one of the services.
Our nation’s warfighting capabilities are incredibly dependent on networks, and despite all sorts of training with alternatives, there is not doubt that those capabilities would be degraded significantly without them. The creation of this command is an indication that the government is finally beginning to acknowledge that we are woefully unprepared for asymmetric warfare on the net.
One of the more interesting debates within national security circles revolves around the legal definition of many cyberspace activities. Is hacking considered an offensive activity? How about viruses and worms? How about DOS of an attacking machine? When are offensive activities interpreted as acts of war? Under what legal authority can the US take ‘offensive’ actions? Important doctrine involving things like “Rules of Engagement” are just beginning to be developed. This will be a fun arena to watch.
Comments Off on Air Force launches new cyberspace command
Phishing is a favorite topic of mine (1, 2). Great article on the efficacy of the user toolbar to flag phishing sites:
http://www.linuxsecurity.com/content/view/122761?rdf
The highlights:
- 52% of untrained users gave up their login info to a red light site
- 28% of trained toolbar users gave up their login info
As much as I love the idea of educating users about the dangers online, users cannot be relied upon to
protect themselves from online fraud. The ultimate responsibility needs to fall on the financial institutions. On a related note,
41st Parameter, an anti-fraud/phishing company, recently raised an $11.2M B round from Kleiner and Norwest.
Comments Off on Users are the weakest link
Done by an organization with an SSL certificate issued to mountain-america (different from mountain america credit union).
http://isc.sans.org/diary.php?storyid=1118
Tons of issues that the industry hasn’t even begun to address. When will banks and credit card companies realize that users will always be duped.
Authentication is the bank’s responsibility, and needs to be done at the bank login. They must start with the expectation that every user has given their password away. Several interesting companies helping banks fight this:
http://www.guardiananalytics.com
http://www.41stparameter.com
I’ve been following the anti-phishing market recently (there are few good solutions), and was forwarded an article on a new pop-up exploit that enables a malicious site to take advantage of any ‘friendly’ popups on a bank’s website.
Check out this demonstration of the exploit on Citibank’s website:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
There will always be either technical (keyloggers, browser expoits, etc) or social engineered solutions to nab people’s login information. You can’t stop phishing by protecting users from themselves, you need to stop it at the bank’s website.
