It’s even more dangerous if you’re not making secured connections to the websites themselves. Sites that use a secure, encrypted connection have https in their Web address – rather than just http – and show a lock icon in most browsers.

In the past, you could take some comfort in the fact that it requires some skill to launch one of these attacks. Most people are honest, and even more people are clueless as to the hackery needed to access someone else’s online accounts.

From the San Francisco Gate article: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Firesheep changes all that. It’s a Firefox extension that makes it ridiculously easy to log into certain sites as another user. It’s as simple as this:

1. Launch the Firesheep extension in a Firefox sidebar.
2. Click the Start Capture button.
3. See who’s connected to which sites.
4. Double click on one of those connections.
5. You’re logged in as someone else on that site.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access.

Read the rest of the article at the link: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Find suggestions for use at:
Firesheep, A Day Later
or the forum at:
Firesheep | Google Groups

Other links:
http://brakertech.com/firesheep-wifi-hacking-facebook-twitter-google-flickr/
http://github.com/codebutler/firesheep/downloads
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html 

[Addendum] At this moment, it seems that Firesheep is unavailable for download. The author seems to have made his point though. Free, open access WiFi hotspots are bait shops for predators. 

---

 

There are tools to help prevent this type of invasion. Large corporations will have a VPN that places all data through an immediately made and constantly used pipe through their servers. Private access by non-corporate users can be made through companies like proXPN and simple extensions like Hotspot Shield.

Encrypt the Web with the HTTPS Everywhere Firefox Extension – An EFF and Tor Project

 

 

Read the entire ITPro article at:
Infected USB caused biggest US military breach ever | IT PRO
By Tom Brewster, 26 Aug 2010 at 14:57

An infected USB drive was at the heart of the most serious breach of US military networks ever in 2008, a senior US Government figure has confirmed.

US Deputy Defense Secretary William Lynn explained how the provenance of the infection stemmed back to a drive being inserted into a laptop at a US base in the Middle East.

“The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the US Central Command,” Lynn noted in an article on theForeign Affairs website.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”

This incident led to the creation of Operation Buckshot Yankee, a Pentagon initiative designed to help counter the cyber threat facing the US.

Lynn admitted even since Operation Buckshot Yankee was set up, foreign enemies have managed to acquire thousands of files from US networks and from allies’ systems, including weapons blueprints, operational plans and surveillance data.

“When an organisation, such as the US military holds sensitive information, it is important that they ensure the security of all devices entering the network,” Ash Patel, country manager for UK and Ireland at Stonesoft, told IT PRO.

Patel stressed the importance, especially for bodies such as the US military, to completely lock down USB ports.

“Never leave a USB lying about unattended, this can lead to a quick win for a hacker but leave devastating consequences for an organisation. Never insert a USB stick into a company machine unless you know exactly what it contains and where it has come from,” he added.

Earlier this year, McAfee reported spreading malware on USBs was a technique being used heavily by cyber criminals, even though many would have been forgiven for thinking it was a dying art.

Users of Internet Information Services (IIS) < 6.0 in default mode are not affected by potential man-in-the-middle attack…kinda…must use workarounds…Microsoft advises not to use their workarounds though. In fairness to MS, this is old SSL exploit news that they are acknowledging affects all their current OSs. 

Read the ars technica report…and read a newspaper instead of using wifi at the coffeeshop, or at your clients…or on the trian.

Microsoft warns of TLS/SSL flaw in Windows

By Emil Protalinski | Last updated February 9, 2010 4:12 PM

Microsoft has issued Security Advisory (977377) to address a publicly disclosed vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The TLS and SSL protocols are implemented in several Microsoft products, both client and server. Currently Microsoft has concluded that it affects all supported versions of Windows: Windows 2000 SP4, Windows XP (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows 7 (32-bit and 64-bit), and Windows Server 2008 R2. Microsoft says it will update the advisory as the investigation progresses.

This is from the H-Online Article:
NIST-certified USB Flash drives with hardware encryption cracked
Yes; DCI specifies that the euqipment meets FIPs Level 3, not level 2. But 3 huge companies making the same mistake? Hmmm. Plus, this is not just a DCinema issue, this affect everyone who tries to keep their personal or work computer safe, trusting devices and technology of this type. My guess is that there was an Application Note that specified how to make a particular chipset work (which all the manufacturers used.) It was the Application Note that everyone followed and which had the implementation flaw. Just a guess.

The article continues, excepted below. There is also some fine commentary about this issue at: Schnieier on Security.

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. … the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. … the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations…

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool … The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a “potential vulnerability in the access control application” and provided a software update.

Security and Privacy are parallel tracks. Letting someone into your computer for purposes that you are not allowed to control, or even know about, is fraught with potential points of failure down the line. Do I, or you, need to know how or why right now? Is there always someone who is trying to exploit was to find hidden files to do something nefarious? Just allowing someone, anyone, to put 100k (the standard setting, not a limit) of info on your computer without asking, without allowing you to see what it actually does or says, is wrong.

CCleaner, FlashCookiesView and Flash Cookie Cleaner get good reviews. If you are using Firefox, you can use Foxit and flashblock, but remember, these files are ubiquitous – they are shared by all browsers on your system.

Here is the link for the settings manager at Adobe — feels like fox in the henhouse, and is not easy to use…

[Update: I just used a nice program from MacHacks named Flush.app – Flash Cookie Removal Tool For OS X. Quick to download and simple to use, for Mac users it seems a nice way to go.]

Read ArsTechnica; 768-bit RSA cracked, 1024-bit safe (for now)—768-bit RSA cracked, 1024-bit safe (for now)

Researchers have posted a preprint that describes their method for factoring a number used for RSA 768-bit encryption. By John Timmer | Last updated January 7, 2010 5:20 PM

With the increasing computing power available to even casual users, the security-conscious have had to move on to increasingly robust encryption, lest they find their information vulnerable to brute-force attacks. The latest milestone to fall is 768-bit RSA; in a paper posted on a cryptography preprint server, academic researchers have now announced that they factored one of these keys in early December.

Most modern cryptography relies on single large numbers that are the product of two primes. If you know the numbers, it’s relatively easy to encrypt and decrypt data; if you don’t, finding the numbers by brute force is a big computational challenge. But this challenge gets easier every year as processor speed and efficiency increase, making “secure” a bit of a moving target. The paper describes how the process was done with commodity hardware, albeit lots of it. 

Their first step involved sieving, or identifying appropriate integers; that took the equivalent of 1,500 years on one core of a 2.2GHz Opteron; the results occupied about 5TB. Those were then uniqued and processed into a matrix; because of all the previous work, actually using the matrix to factor the RSA value only took a cluster less than half a day. Although most people aren’t going to have access to these sorts of clusters, they represent a trivial amount of computing power for many organizations. As a result, the authors conclude, “The overall effort is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended.” 1024-bit values should be good for a few years still.

Given that these developments are somewhat inevitable, even the authors sound a bit bored by their report. “There is nothing new to be reported for the square root step, except for the resulting factorization of RSA-768” they write. “Nevertheless, and for the record, we present some of the details.” Still, they manage to have a little fun, in one place referencing a YouTube clip of a Tarantino film following their use of the term “bingo.”

[Another good article at: New Record in the Area of Prime Number Decomposition of Cryptographically Important Numbers – not that the article gives more, but the Related Stories are interesting.]

[Editor’s Note: At first glance, this story looks a lot like last September’s and last August’s stories of SSL vulnerabilities. In fact, this is far worse. It is not our purpose to make your life harder by forcing you to know how often SSL encryption is used in your life. Suffice to say, this is not going to get handled by a simple patch a week later Firefox or Apple. And now, even worse, is that it is in the open…the bad guys know where to attack.

How does it affect you as the above average user? First off: Everything that you learned about trusting the little lock on the browser window is no longer valid.

1. Make certain that your employees are extra vigilant with all computers, and with all USB sticks. We don’t know how the BlackHats are going to exploit this yet.
2. Don’t download anything that doesn’t come directly from someone that you know.
3. Don’t trust any email that says that “We are helping you, just click here.”
4. Don’t trust any email with a link where the link isn’t showing and where the section of the address immediately before any slashes isn’t .com or .org or .co.uk. For example, http://www.ebay.com.hacker.ru shouldn’t make you feel comfortable that it came from ebay.com – the end of the URL (Uniform Resourse Locator) just before the / is the controlling item.
5. And, of course, right now —

• a) make certaint that your back up system is working, and it makes several iterations of the back-up, and
• b) make certain that your virus software is up to date, and
• c) make certain that all wifi signals are using WPA2 security with a password that doesn’t have any dictionary word, and
• d) systematically reformat the USB sticks that are being used to take keys to your Digital Cinema Servers.

My suggestion:

• If you have a computer network in your office, hire a security expert to come and train your employees on security for an hour or two, in addition to checking our your network for vulnerabilities and un-updated software (including Flash/Shockwave, Reader, Firefox and all virus software. They’ve all been updated recently for multiple security reasons.)
• Wait one week, then have the expert return and answer any questions that the employees now have since they learned what to look for.

For the ultra techs, here is the links for the basic research on this:
MITM attack on delayed TLS-client auth through renegotiation
Renegotiating TLS

End Editor Note]

For the original article, please read:
Major SSL encryption flaw hits the web | IT PRO
By Asavin Wattanajantra, 6 Nov 2009 at 15:53

Researchers Marsh Ray and Steve Dispensa are believed to have shown the flaw to a working group of affected vendors, which included Microsoft, Intel, Nokia, IBM, Cisco and Juniper.

In a statement, PhoneFactor said: “[We] volunteered to delay disclosure on the vulnerability until early 2010 to allow time for vendors to make the necessary patches available.”

“However, an independent researcher discovered the vulnerability and posted it to Internet Engineering Task Force (IETF) mailing list on November 4th… News of the vulnerability quickly spread through the IT security community,” it added.

PhoneFactor added that this was a protocol vulnerability rather than an implementation flaw, so the impact was far reaching.

“All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products,” the firm said.

“Most users will eventually need to update any software that uses SSL.”

Andrew Clarke, senior vice president for Lumension, said in a statement that the SSL flaw was likely to bring a large number of patches in the near term from vulnerable vendors.

See the full article at: Adobe fixes five critical Shockwave flaws | IT PRO
By Asavin Wattanajantra, 4 Nov 2009 at 15:51

Nicolas Joly of VUPEN security was credited for reporting the four issues and working with Adobe to protect customers.

The update also solves a boundary condition issue that could have lead to Denial of Service (DoS).

Shockwave Player is described as the ‘web standard for powerful multimedia playback’ by Adobe, and allows users who download it to see interactive web content such as business presentations, advertisements, entertainment and games.

The flaws can be patched by downloading the latest Shockwave update.

The latest upgrade to Firefox, dated 27 October, in particular for the Mac 3.5.4, has 6 “Critical Vulnerabilitioes” listed sine the September 3.5.3 update – See: Security Advisories for Firefox 3.5 – This rounds out to 25 Critical fixes since the June release of 3.5

Should you update? No question. Just look at the definition of Critical – Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

There will be confusion by those who have heard that there is a new release that is a beta. Do not be confused. A beta of 3.6 is iminent – it was expected on the 28th, but has been delayed.

=-=-=

Reader Update: 2 weeks ago Adobe Reader was upgraded to 9.2 – This release of Reader is mandatory as well. 9.1 was plagued with vulnerabilities and required many updates to stay current and secure. It is best that you and that everyone you know is upgraded.

Spread the word.