IE6 ‘More Secure’ than Chrome/Opera … Really? – comverse tech
April 29, 2021
The Register had an interesting article the other day noting that Chase will no longer support Chrome and Opera because “creaking Internet Explorer 6 is more secure and popular than either Google’s Chrome or Opera.” Of course various versions of Firefox and Safari will be supported, but the point I can’t move past is that IE 6 is supposedly “more secure” than any version of Chrome or Opera. Did they miss the whole Google-China thing? Even Microsoft agrees…
“Microsoft’s Australian business unit recently equated using IE 6 to being as risky as drinking – or maybe, eating – a carton of nine-year-old milk as it lacked up-to-date cross-site scripting and anti-malware protection among other defenses.”
Determining which of anything is “more secure” is a very difficult task. For years people have said Macs are more secure, but the common counter-argument is that they are simply less targeted. The same was said of Firefox in its early days. The newer browsers, by contrast, offer a range of built-in protections against many of the threats users face on the web today.
I don’t know how they determined “more secure” in this case, but common sense says an old, “creaking” browser is NOT more secure than the state of the art from Google or Opera.
Cookie Use … How Agencies Should Set Example for Broader Industry – comverse tech
I came across an article yesterday discussing the Office of Management and Budget’s (OMB) recent guidance allowing federal agencies to use “persistent cookies.” For over a decade they had not been permitted to use such technologies to track users’ website visits. The new guidance, M-10-22, permits the use of “web measurement and customization technologies, including cookies – small pieces of browser software that track and authenticate web viewing activities by users.”
One of the more interesting points in the article is the decision to leave the choice between an “opt-in” and an “opt-out” model up to the individual agencies. I wish OMB had set an example here and made an across-the-board statement that users MUST opt in. Instead they danced around the subject and passed the decision on to the individual agencies, for better or for worse.
As a website operator I know how “neat” these statistics can be; however, the most important ones (e.g., total hits or page views) can often be collected from the server’s own logs without tracking cookies or similar techniques. We are all tired of commercial companies taking advantage of these technologies at the expense of our privacy. Each agency needs to take a stand and choose the “opt-in” model as a small step toward showing the commercial world how it should be done.
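To back up the claim that the headline numbers do not need a cookie, here is an added example (not code from the original post or from any agency) that computes total hits, page views per path and distinct visitors per day from a web server's own access log. The log lines, the secret key and the asset-suffix list are constructed for the demo; "visitors" are counted with a keyed, day-scoped hash of IP and User-Agent, so nothing persistent is stored and no visitor can be linked from one day to the next.

```python
"""Cookie-free site statistics from a web-server access log.

Added example, not code from the original post or from any agency: it shows
that headline numbers (total hits, page views per path, distinct visitors per
day) can be computed from the server's own access log without setting a
cookie. The log lines below are constructed for this example. Visitors are
counted with a keyed hash of (day, IP, User-Agent) under a secret that stays
server-side and is rotated, so no persistent identifier is stored and no
visitor can be linked across days.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2010:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.5 - - [12/Jul/2010:10:01:03 -0400] "GET /style.css HTTP/1.1" 200 812 "http://example.gov/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.5 - - [12/Jul/2010:10:01:03 -0400] "GET /logo.png HTTP/1.1" 200 2048 "http://example.gov/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [12/Jul/2010:10:05:44 -0400] "GET /forms/1040.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0 (Macintosh) Safari/533"
198.51.100.7 - - [12/Jul/2010:10:06:10 -0400] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh) Safari/533"
192.0.2.9 - - [13/Jul/2010:08:15:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.19.7"
192.0.2.9 - - [13/Jul/2010:08:15:01 -0400] "GET /missing HTTP/1.1" 404 210 "-" "curl/7.19.7"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Sub-resources fetched as part of a page: they count as hits, not page views.
ASSET_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".ico")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_page_view(rec):
    """GET of a non-asset path that the server served (200) or revalidated (304)."""
    return (rec["method"] == "GET"
            and rec["status"] in ("200", "304")
            and not rec["path"].lower().endswith(ASSET_SUFFIXES))


def visitor_token(rec, secret):
    """Keyed, day-scoped hash: same browser + address on the same day -> same token.

    The secret never leaves the server and the day is mixed in, so the token
    cannot be used to follow a visitor across days (unlike a persistent cookie).
    """
    material = "|".join((rec["day"], rec["ip"], rec["ua"])).encode()
    return hashlib.blake2b(material, key=secret, digest_size=8).hexdigest()


def summarize(log_text, secret):
    """Compute hits, page views, views per path and distinct visitors per day."""
    hits = 0
    views_by_path = Counter()
    visitors_by_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line: skip, do not guess
        hits += 1
        if is_page_view(rec):
            views_by_path[rec["path"]] += 1
            visitors_by_day[rec["day"]].add(visitor_token(rec, secret))
    return {
        "hits": hits,
        "page_views": sum(views_by_path.values()),
        "views_by_path": dict(views_by_path),
        "visitors_by_day": {day: len(t) for day, t in visitors_by_day.items()},
    }


if __name__ == "__main__":
    # Constructed secret for the demo; a real deployment would rotate it daily.
    print(summarize(SAMPLE_LOG, secret=b"rotate-me-daily"))
```

On the sample above this yields 7 hits, 4 page views (the CSS and PNG fetches and the 404 are excluded), and two distinct visitors on 12/Jul and one on 13/Jul. The visitor figure is an approximation (shared addresses behind NAT collapse into one token), which is exactly the trade-off: a slightly less precise count in exchange for never planting an identifier in the visitor's browser.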
I know this opinion may not be popular in some circles … but in the end, it’s just the right thing to do!
Recent Vulnerabilities in Adobe Reader Due to Scripting – comverse tech
Somewhere, the creators of Adobe Reader are weeping.
And if they’re not, it won’t be long until they do: with all of the recent vulnerabilities swirling around Adobe Reader, things are going from bad to worse.
But just how bad is bad?
According to CNET, at the RSA security conference earlier this month, F-Secure Chief Research Officer Mikko Hypponen said that users should go so far as to switch their .PDF readers altogether due to the security issues with Adobe Reader. (You can check out a list of alternate .PDF readers here.)
While swearing off Adobe Reader altogether might seem a bit extreme, it has gotten to the point where avoiding it might be the best thing to do. Since the beginning of this year, more than 47 percent of attacks have exploited holes in Acrobat Reader, and six vulnerabilities have targeted Adobe Reader specifically (CNET).
The question many people are asking is, “how did it get this bad?” We risk beating a dead horse in answering it, since a lot of the problems with Adobe Reader trace back to an issue we’ve talked about frequently over the past few months: scripting enabled by default. We constantly advocate disabling scripting by default, and the recent Adobe Reader vulnerabilities offer yet another reason why going no-script is a good idea.
While the obvious answer to the “getAnnots()” problem is to disable scripting, we accept (albeit reluctantly) that scripting disabled by default might never happen. The alternative is a white list: scripting stays off unless the document comes from a source the user has explicitly approved. A white list is not only more effective than a black list, since anything not yet listed is blocked by default rather than allowed, but also less time-consuming to maintain. Giving users the ability to add entries to the white list in their own profile would afford them the flexibility to view non-mainstream sites like NovaInfosecPortal.
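To make the white-list idea concrete, here is an added example (not code from the original post, from Adobe, or from any PDF reader) in the spirit of pdfid-style triage: it finds the PDF names that introduce script or auto-run behaviour, decodes the #xx name escapes attackers use to hide them, inflates FlateDecode streams so a script tucked inside an object stream is still seen, and then applies a default-deny policy in which scripts run only for documents from an allow-listed source. The three sample documents are constructed minimal fragments, and ALLOW_LIST is a hypothetical per-user trusted-source list.

```python
"""Find active content in a PDF and apply an allow-list scripting policy.

Added example, not code from the original post, from Adobe, or from any
Reader product. It looks for the names that introduce script and auto-run
behaviour (/JavaScript, /JS, /OpenAction, /AA, /Launch), undoes #xx name
escapes, and inflates FlateDecode streams so a script hidden in an object
stream is still found. The documents below are constructed fragments for the
demo; ALLOW_LIST is a hypothetical per-user list of trusted sources.
"""
import re
import zlib

# Names that introduce script or auto-run actions in a PDF (ISO 32000-1).
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name runs from '/' to the next delimiter or whitespace (ISO 32000-1, 7.3.5).
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw):
    """Undo #xx escapes: b'J#61vaScript' -> 'JavaScript'."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data):
    """Yield the inflated body of every stream that is valid zlib; skip the rest."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # image data, other filters, or corrupt: not our concern here


def scan_pdf(data, inflate=True):
    """Return the set of active-content names present anywhere in the document."""
    found = {decode_name(n) for n in NAME_RE.findall(data)}
    if inflate:
        for body in inflate_streams(data):
            found |= {decode_name(n) for n in NAME_RE.findall(body)}
    return found & ACTIVE_NAMES


def decide(source, data, allow_list):
    """Default deny: scripts run only for documents from an allow-listed source."""
    if not scan_pdf(data):
        return "open"                     # nothing to run, nothing to decide
    if source in allow_list:
        return "open-scripts-enabled"     # explicitly trusted by the user
    return "open-scripts-disabled"        # unknown source: view it, don't run it


# --- constructed sample documents (minimal fragments, not valid for rendering) ---
PLAIN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Runs a script as soon as the document opens (the getAnnots() call is illustrative).
JS_PDF = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
          b"4 0 obj << /S /JavaScript /JS (this.getAnnots();) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Same thing with the tell-tale names hidden behind #xx escapes.
OBFUSCATED_PDF = (JS_PDF.replace(b"/JavaScript", b"/J#61vaScr#69pt")
                        .replace(b"/OpenAction", b"/Open#41ction"))


def build_objstm_pdf():
    """The script object compressed inside an /ObjStm, invisible to a plain grep."""
    inner = b"4 0 << /S /JavaScript /JS (this.getAnnots();) >>"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


ALLOW_LIST = {"forms.example.gov"}  # hypothetical per-user trusted sources

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_PDF), ("js", JS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("objstm", build_objstm_pdf())):
        print(label, sorted(scan_pdf(doc)), decide("novainfosecportal.com", doc, ALLOW_LIST))
```

Two caveats a practitioner should keep in mind: the scanner is a triage tool, not a parser, so a document that is malformed on purpose (or that uses filters other than FlateDecode) can still slip past it, and the policy only decides whether scripts run, which is the whole point of the default-deny argument above: an unknown source gets a viewable document with scripting off, and nothing more until the user adds that source to the list.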
But this is one of those topics where we really want to put a call out to all of you about what can be done to help fix the current problems associated with scripting, and how some of these problems can be avoided in the future. What are you currently working on (whether at work or at home) to make sure that you, your family, and your workplace isn’t taken advantage of due to scripting? Leave a comment or send us a tweet @grecs.
If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy list of books that might do the trick.
Psyb0t Worming its Way into Home Routers – comverse tech
Well, it’s finally arrived: malware that hacks into consumer routers and DSL modems. Called “psyb0t,” the worm is the first (documented) piece of malware to focus on attacking home networking gear.
According to DroneBL (a real-time monitor of abusable internet addresses), attackers have used psyb0t to carry out DDoS attacks on approximately 100,000 hosts. In addition to the DDoS attacks, DroneBL says that the psyb0t worm has also been used to collect usernames and passwords.
Needless to say, psyb0t is extremely dangerous, and extremely effective, because it targets general consumers who have limited knowledge of internet technology.
Companies make router set-up seem so easy: you set up the router, get it to work, and *boom*, you have internet access. What people don’t realize is that unless you manually change the settings, you’re leaving your router’s password and configuration at the factory defaults. And let’s face it: default passwords usually aren’t very creative, which makes it fairly easy for an attacker using psyb0t to get into routers still running those defaults.
So what can an attacker do with something like psyb0t?
Create malware sites, of course. For example: if your mom set up her router and psyb0t successfully infiltrates it, it wouldn’t be hard for an attacker to stand up a look-alike site for something like her bank and steer her to it through the compromised router. Assuming the attacker wants her financial information, the next time she goes to check her bank balance, the attacker can get her username, password, and account information in one relatively simple swoop.
While some manufacturers have recently started requiring consumers to choose a password other than the default when setting up their router, many people choose easy passwords, defeating the purpose of the requirement. And for the most part, the most frequently purchased routers on the market don’t require users to change the default password at all. In short, both scenarios take us back to step one, with users susceptible to the psyb0t worm.
So is there a solution? Yes and no. There are hypothetical solutions, but many of them require compromises that companies aren’t willing to make. One proposal is a randomly generated, per-device default password of a specified length for newly purchased routers, but that presents problems for non-technical users. It would also present a ‘problem’ for companies that don’t want to shell out additional money to hire people to help with router set-up.
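The two failure modes described above (the factory default left in place, and the “change the default” requirement satisfied with something like Password1) and the proposed fix (a random per-device default) are illustrated by this added example, which is not code from the original post or from any router vendor. The default-credential and common-password tables are small constructed samples standing in for a full vendor list; check_password is what a setup wizard or a home-network audit script could run before accepting a password, and generate_default mints the sticker-style random default, with look-alike characters dropped so it can be read off the label.

```python
"""Router credential hygiene: refuse factory defaults and weak picks, and mint
a random per-device default instead.

Added example, not code from the original post or from any router vendor.
FACTORY_DEFAULTS and COMMON_PASSWORDS are small constructed samples (a real
audit would use a full vendor list). check_password is the check a setup
wizard or a home-network audit could run before accepting a password;
generate_default is the randomly generated default the post describes.
"""
import math
import secrets
import string

# Constructed sample of (username, password) factory defaults; illustrative only.
FACTORY_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}
# Constructed sample of what people type when merely told to "change the default".
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "admin123", "welcome",
}
# Characters easily confused when read off a sticker: 0/O and 1/l/I are dropped.
STICKER_ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def entropy_bits(password):
    """Generous upper bound: log2(alphabet size) per character, with the alphabet
    inferred from the character classes present. Guessing attacks do far better
    than this against human-chosen passwords, which is why defaults and common
    picks are rejected outright before this estimate is consulted."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(username, password, min_bits=40):
    """Return (accepted, reason). Rejections are ordered from worst to least bad."""
    if (username.lower(), password) in FACTORY_DEFAULTS:
        return False, "factory default credential"
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    bits = entropy_bits(password)
    if bits < min_bits:
        return False, "too weak (%.0f bits, need %d)" % (bits, min_bits)
    return True, "ok"


def generate_default(length=14):
    """Per-device random default: about 5.8 bits per character from 57 symbols.

    Even in the worst case for the class-based estimate above (all digits),
    14 characters clear the 40-bit bar, so a freshly minted default always
    passes check_password.
    """
    return "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for user, pw in (("admin", "admin"), ("admin", "Password1"), ("admin", "admin2010"),
                     ("admin", "abcdefgh"), ("admin", "Tr0ub4dor&3"), ("admin", generate_default())):
        print(repr(pw), check_password(user, pw))
```

Note the ordering: the factory-default and common-password checks come before any strength estimate, because a password that appears in an attacker's list is guessed on the first few tries no matter how many bits a class-count formula awards it. The per-device default is what the post says vendors resist: it costs a sticker and a support call, and buys a router that is not in anyone's default-credential table.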
Sadly, this is a classic case of companies choosing usability over security, which is, without a doubt, one of the most common issues in the security field. Using the ever-popular Microsoft as an example, it’s easy to see the cost of choosing usability over security.
While Microsoft programs are arguably some of the most usable on the market, most users need only 10% of the features their Microsoft operating system provides. The other 90% is still installed and running, which leaves non-technical users wide open to attack whenever a vulnerability turns up in the code behind a feature they never use.
There’s a well-known (but little practiced) principle in security that says you should run only the features and programs you actually need and get rid of everything else. This means that if you never print at home, you shouldn’t leave printing enabled on your computer, because it adds attack surface: even though you never use the printer, an attacker can still exploit the printing components on your computer.
It’s a lot like a target: the bigger it is, the easier it is to hit. Users who keep 100% of their computer’s features enabled when they only need 10% create a large “target” for attackers.
While you can’t keep every non-technical user from making this mistake, be conscious of it yourself and in those you know when it comes to choosing usability over security. Just because we know a lot about security doesn’t mean we’re immune (as shown in the “Gentleman’s Agreement Talk” at this year’s ShmooCon).
If you’d like to read more about the psyb0t worm, click here.