HTTP Status Code Harvesting

January 26, 2011

An excellent example of using HTTP status codes to determine what other pages a web user is currently logged in to. This would be useful in many environments – say, adding a “Check out our Facebook Page!” link to a corporate home page when determining that the user is currently logged into their own Facebook account.

In-App Purchases on Android

January 26, 2011

Google has announced that they are adding the capability for purchases from inside of an application to the Android operating system. For example, if a video game company wants to sell additional content to players, that will be doable from inside of the game itself rather than some kludgey additional app download.

I can’t wait to see what the scammers come up with to exploit this idea.

Student Intellectual Property

January 26, 2011

It’s a given in the world of research universities that the school is at least a partial owner of new patents or products created by its faculty. But with students creating more and more “apps” for platforms like iOS and Android, and with those apps often being worth big money, policies on university ownership of student creations are getting more attention.

From the article:

Missouri relented in Brown’s case. It also wrote rules explicitly giving student inventors the legal right to their unique ideas developed under specific circumstances. If the invention came from a school contest, extracurricular club or individual initiative, the university keeps its hands off. If the student invention came about under a professor’s supervision, using school resources or grant money, then the university can assert an ownership right – just as it does for faculty researchers.

This is an important trend that needs to be watched – in your organization, are there policies governing what intellectual property rights belong to the company for work performed by employees? If one of your call center workers invents The Next Big Thing while taking a support call, what happens?

If you haven’t thought about this yet, it’s probably time. Writing policies as they are needed is never a good idea.

File Transfer Via DNS Query

January 25, 2011

The always-resourceful Johannes Ullrich has posted an excellent step-by-step tutorial on the Internet Storm Center outlining a method for performing file transfers using DNS queries and tools built into a typical Linux installation (specifically, xxd and dig).

If you start seeing lots of hexadecimal A record queries showing up in your named.log — you might have a problem.
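As an added example (not code from Ullrich's tutorial or from this post), a small detector for exactly that pattern, run over a constructed BIND query-log sample; the log line format, the hex-label length threshold, the per-client query threshold and the zone names are all assumptions:

```python
import re
from collections import Counter

# Constructed BIND query-log sample (not real traffic). 192.0.2.77 pushes
# hex-encoded file chunks as the first label of A queries to t.example.net;
# the other clients make ordinary lookups, one of which happens to be hex-like.
SAMPLE_LOG = """\
26-Jan-2011 09:01:02.001 client 192.0.2.10#40001: query: www.example.com IN A + (192.0.2.1)
26-Jan-2011 09:01:02.501 client 192.0.2.10#40002: query: mail.example.com IN MX + (192.0.2.1)
26-Jan-2011 09:01:03.010 client 192.0.2.77#51001: query: 48656c6c6f2c20776f726c642e0a.t.example.net IN A + (192.0.2.1)
26-Jan-2011 09:01:03.020 client 192.0.2.77#51002: query: 54686973206973206c696e6520320a.t.example.net IN A + (192.0.2.1)
26-Jan-2011 09:01:03.030 client 192.0.2.77#51003: query: 416e64206c696e6520330a.t.example.net IN A + (192.0.2.1)
26-Jan-2011 09:01:04.000 client 192.0.2.20#40003: query: cafe.example.com IN A + (192.0.2.1)
26-Jan-2011 09:01:04.100 client 192.0.2.20#40004: query: deadbeefcafef00d.cdn.example.org IN A + (192.0.2.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def is_hex_label(label, min_len=16):
    """Even-length, all-hex label of at least min_len chars: the shape xxd -p output has."""
    return len(label) >= min_len and len(label) % 2 == 0 and bool(HEX_RE.match(label))

def hex_a_queries(lines, min_len=16):
    """Return (client_ip, zone, hex_label) for every A query whose first label is hex."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype").upper() != "A":
            continue
        labels = m.group("name").rstrip(".").split(".")
        if is_hex_label(labels[0], min_len):
            hits.append((m.group("ip"), ".".join(labels[1:]), labels[0]))
    return hits

def suspicious_sources(lines, min_queries=3, min_len=16):
    """Clients that sent min_queries or more hex A queries to the same zone (one-off hits are ignored)."""
    counts = Counter((ip, zone) for ip, zone, _ in hex_a_queries(lines, min_len))
    return {key: n for key, n in counts.items() if n >= min_queries}

def reassemble(lines, ip, zone, min_len=16):
    """Incident-response helper: recover the bytes one flagged client sent to one zone, in log order."""
    chunks = [lbl for cip, czone, lbl in hex_a_queries(lines, min_len) if (cip, czone) == (ip, zone)]
    return bytes.fromhex("".join(chunks))

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for (ip, zone), n in suspicious_sources(log).items():
        print(f"{ip} sent {n} hex A queries to {zone}: {reassemble(log, ip, zone)!r}")
```

The single hex-looking CDN label from 192.0.2.20 is counted but stays below the per-client threshold, which is the knob to tune against your own baseline of legitimate hex-style hostnames.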

Domain Blocking 2010

January 25, 2011

OpenDNS has released a report [warning: PDF file] on the white- and blacklisting of domains in 2010. Interestingly, Facebook was the single most commonly blocked site – but it was also the second most commonly whitelisted site. This means that networks that disallowed social networking sites in general were still likely to make an exception for Facebook, likely owing to its popularity as a legitimate marketing tool.

Apparently the bad guys were also aware of this. The report indicates that Facebook is the second most commonly spoofed site for phishing attacks, behind only PayPal.

iPhone NFC

January 25, 2011

Apple is planning on introducing NFC, or “Near Field Communications”, in the next generation of iDevices. This means that users will be able to pay for purchases at NFC-compliant kiosks using their smartphone as an authentication token.

It will be interesting to see how Apple secures this functionality; I would hope that there is some sort of PIN or other unlocking required. Otherwise, losing a phone would be equivalent to losing a phone and a credit card. In fact, since NFC payment is generally a direct bank account debit rather than a credit transaction, it would be even worse.

Facebook and Tunisia

January 25, 2011

A fascinating story in The Atlantic about the cat-and-mouse game between the Tunisian government and Facebook during the recent political unrest. Ammar, the governmental security apparatus, strong-armed the ISPs that Tunisian citizens were using into running domain-level keylogging. Essentially, they were stealing an entire country’s worth of passwords.

The Facebook developers responded with an ingenious technical hack to get around the key capture. All password submissions were pushed over an encrypted channel, and also required the user to identify a friend from his or her accounts. Ingenious – the passwords as a single authentication token were rendered useless.

AOL Profits On Ignorance

January 24, 2011

Apparently, something like 60% of AOL’s profits are coming from customer ignorance. About 80% of their income is from subscription fees, and 75% of those subscribers have cable or other broadband connections – meaning, essentially, they’re paying AOL for nothing but an email address and a backup dialup account, presuming their computer has a modem.

That’s an interesting business model. But I don’t think it’s all that unusual – I can’t tell you how many times I’ve heard of things like maintenance or support contracts being paid for years after the specified hardware or software was taken out of service. If you’re in charge of that sort of thing at your business, it might be smart to take an audit of everything that’s still being billed and make sure that it’s still relevant.

Credit Union Breach

January 24, 2011

The Pentagon Federal Credit Union, the third-largest credit union in America, has suffered a security breach exposing the personal data of an unknown number of members. Their explanation is malware brought in on an infected laptop.

There was a time when you could depend on a firewall to protect your network, when data and work would stay in one place and something like this couldn’t happen. There was also a time when a city had a huge wall around it, with one or two gates. Now people have locks on their individual houses, but apparently, the computing world hasn’t caught up yet.

Resume of a Trojan Horse

January 24, 2011

The Internet Crime Complaint Center has a cautionary tale for prospective employers. An email attachment on a response to an online job posting was actually a Trojan Horse program, used to steal the financial credentials of the hiring company and defraud them of over a hundred thousand dollars.

It might be wise to have a dedicated machine or VM for handling untrusted attachments like that; at the very least, make sure that your antivirus software is up-to-date and use it to explicitly scan unknown attachments before opening.