Category: Computer Security

Posted on
by

IE7On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. Continue reading

Posted on
by

Forklift Driver Klaus (a.k.a. Staplerfahrer Klaus)- a parody of work safety films in which a forklift driver blunders through his first day on the job, maiming fellow employees left and right. German with English subtitles. (via TV Tropes: Scare Em Straight)

And, on a more serious note, the Internet Storm Center is reporting on people finding malware pre-installed on digital picture frames, memory cards, etc. Something to watch out for with portable devices that can connect to your computer.

Posted on
by

The Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.

Posted on
by

ISC is reporting a new type of vulnerability in web browsers that the discoverer has termed as “Reverse Cross-Site Request,” or RCSR.

Basically, on a site with user-generated content—like a hosted blog—it’s possible to add a form that looks like the site’s login form. If the victim has an account on the same site, and has asked their browser to save their password, it will auto-fill the form. If the attacker can somehow trick the visitor into submitting the form—say, with an invisible image submit button (ever clicked randomly? Or to get back to the page after looking at another window?)—the attacker gets the visitor’s password.

What’s new about this is that all it requires is plain HTML, not scripting, which most blog hosts and similar sites already block.

Chapin Information Services discovered the bug in Firefox 2, and reported it to Mozilla. It turns out that Internet Explorer 6 and 7 are also vulnerable, but only if it’s on the same page as the real login form. Mozilla is currently trying to determine the best way of resolving the problem without breaking all the passwords people have already saved. The ISC article links to the bug report, so you can follow the discussion. Microsoft has only said that they’re “aware of the issue.”

At the moment, I’m glad I don’t let web browsers save my passwords.

Posted on
by

Received the replacement battery for the PowerBook yesterday. It was shipped out via DHL, with a prepaid return label for shipping the old battery back via regular mail.

Last night I drained the old battery, plugged the new one in, and packaged up the recalled one in the box. At lunch today I went to the post office to send it off.

As I was walking up the steps, I remembered the “Does this package contain anything liquid, explosive, or otherwise hazardous?” question that postal clerks are required to ask. If you’re mailing a defective battery that could theoretically burst into flames, how exactly are you supposed to answer?

I figured it would be best not to joke about it.

As it was, I just said it was a laptop battery straight out, so the question didn’t come up.

Posted on
by

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.

Posted on
by

Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”

It turns out that the DDOS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.

Classy move, guys.

I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.

Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”

(via Spamroll)

Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.

Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.

*Sigh* Must remember to collect all facts before engaging in righteous anger.

Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)

ยปAll pages site-wide with this tag