June 30, 2009

Inside Security News
insecnews
is about »
» Masked man or masked password?

I was reading this article [1] on theregister.co.uk about the usability of masked (i.e., hidden) password fields on GUI forms and web pages. It is just crazy to even think that showing the password in the clear is a good thing compared to the current practice of masking password fields with dots or asterisks.
My arguments:

  1. Attackers will be fine with screenshots taken when you log in to web pages, instead of keyloggers.
  2. What about remote screen sharing, when you have to log in to a service or web page?
  3. What if I have a colleague looking at my screen and I need to log in somewhere? "Sorry, can you please leave until I log in, because you can see my password..." Everyone can see it really (even the person across the street with a telescope, not that you should).

There are probably more, but I cannot think of any right now. I think you get the point. It is just a bad idea. Maybe they should make the field UV so that no one can see it unless they are wearing special glasses (a slightly better solution, I think).

Link Used:
[1] theregister.co.uk (reported by out-law.com) - "Masked passwords must go" - http://www.theregister.co.uk/2009/06/30/masked_passwords_usability/

October 7, 2008

» Google Chrome is here! ..any tips?!

Google Chrome, another Internet browser, has arrived to provide another alternative for surfing the web. We think it is great to have different options and new technologies introduced in this field. Making the project open source will surely help drive it into different areas in the future, but for now it is in beta. Let us look at some disadvantages associated with the browser's functionality. A valuable and helpful feature in the Google Chrome options is "Restore the pages that were last opened".

However, Google Chrome does not let you get rid of the last tab just before you exit the browser. In other words, hitting the close button in the tab area will exit the browser without actually closing that tab, which means the tab will open again when the browser is restarted. This is the behaviour you would expect when hitting the close button on the browser window, not the one on the tab.

Furthermore, the "Clear Browsing Data" option clears the browsing and download history, empties the cache, discards cookies and clears saved passwords, but still does not get rid of that last tab left in your browser.

So the only option you are left with, if you want to be on the safe side and keep "Restore the pages that were last opened" enabled, is to navigate manually to some other, neutral web page (e.g., google.com), then do a "Clear Browsing Data", and finally close Chrome. From a more technical point of view, the browser has a behaviour that could be taken advantage of in order to confuse a user.

By creating a script that removes the files starting with the letter f from userprofile\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache, any web sites you have visited in the past and try to access again will start coming up in a weird format (i.e., cached images are missing) and may be completely inaccessible. The only way to solve this is to go to the browser and perform a "Clear Browsing Data". That fixes the browsing problem, but it also gets rid of cache data you did not actually want to delete.

Closing and re-opening the browser will not solve the problem either, as the caching mechanism does not check whether the cache files still exist.

*Thanks go to K.Xynos for his feedback on the article and for lightly editing it.
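The cache-deletion scenario above can be checked for rather than discovered by broken pages. The following is an added example, not code from the post: it snapshots a Chrome blockfile cache directory (the `index`, `data_0`..`data_3` block files and the separate `f_XXXXXX` entry files), then reports which `f_` entry files have vanished while the index and block files are still there, which is exactly the state in which Chrome keeps serving stale entries without noticing. Chrome's index format is not parsed; the check is a directory-listing diff, and the demo builds a constructed layout in a temporary directory (not real Chrome data) and runs the same "delete everything starting with f" step the post describes against it.

```python
"""Detect 'f_' entry files removed from a Chrome blockfile cache directory.

Added example. The file names (index, data_0..data_3, f_XXXXXX) are the ones
Chrome's disk cache writes; the snapshot/diff logic and the demo layout are
assumptions made here, not Chrome's own checks.
"""
import tempfile
from pathlib import Path


def snapshot(cache_dir):
    """Map every regular file in the cache directory to its size in bytes."""
    root = Path(cache_dir)
    return {p.name: p.stat().st_size for p in root.iterdir() if p.is_file()}


def missing_entries(before, after):
    """Names of 'f_' entry files present in `before` but absent in `after`."""
    return sorted(n for n in before if n.startswith("f_") and n not in after)


def block_files_intact(before, after):
    """True if the index and data_N block files survived with unchanged sizes.

    Together with a non-empty missing_entries() result this is the tell-tale
    state: the index still references entries whose backing files are gone.
    """
    core = [n for n in before if n == "index" or n.startswith("data_")]
    return all(n in after and after[n] == before[n] for n in core)


def build_demo_cache(root):
    """Create a constructed cache layout (zero-filled files, not real data)."""
    root = Path(root)
    layout = [("index", 256), ("data_0", 8192), ("data_1", 8192),
              ("data_2", 8192), ("data_3", 8192),
              ("f_000001", 1200), ("f_000002", 3400)]
    for name, size in layout:
        (root / name).write_bytes(b"\0" * size)
    return root


def simulate_f_removal(root):
    """What the script in the post does: delete every file starting with 'f'."""
    for p in Path(root).iterdir():
        if p.is_file() and p.name.startswith("f"):
            p.unlink()


def demo():
    """Run the whole scenario in a temp dir; returns (missing f_ files, block files intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_cache(tmp)
        before = snapshot(root)
        simulate_f_removal(root)
        after = snapshot(root)
        return missing_entries(before, after), block_files_intact(before, after)


if __name__ == "__main__":
    missing, intact = demo()
    print("missing entry files:", missing)
    print("index/block files intact:", intact)
```

Against a real profile, take the first snapshot of the `Cache` directory while Chrome is closed and the second one later; a non-empty list of missing `f_` files with the block files intact means "Clear Browsing Data" is the only way back to a consistent cache, as the post notes.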

August 1, 2008

» Is your DNS secure? Not much you can do anyway!

With the patch for the DNS exploit (US-CERT Vulnerability Note VU#800113 [3]) being rolled out, The Register reports [1] users being redirected to fake Google sites. At the end of the article there are two test sites. I tried both tests and both had good news: the Uni.'s domains check out as having GREAT (in green) source port randomness and GREAT transaction ID randomness.

[Screenshots of the two test results: 1. tested, 2. tested]

At least I won't be getting any dodgy ad-based obscene material in my searches for journal articles and conference papers.

Don't forget to test your ISP [2]: https://www.dns-oarc.net/oarc/services/dnsentropy . Keep an eye on whether they are vulnerable and tell us the results.

Update: Sure, you could change your DNS entry and have your requests directed to OpenDNS. That is up to you and how paranoid you are.
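What the "source port randomness" and "transaction ID randomness" verdicts above actually measure can be reproduced locally. The following is an added example, not code from the post or from DNS-OARC: it parses the outgoing queries of a resolver as captured with `tcpdump -n udp dst port 53` on its upstream interface, and scores the 16-bit source port and transaction ID fields for distinct values, sequential stepping, entropy and spread. The GREAT/GOOD/POOR thresholds are my own assumption and not DNS-OARC's published method; the three capture samples (an unpatched resolver on a fixed port with incrementing IDs, a patched one, and one picking ports from a narrow range) are constructed inside the script so it runs offline.

```python
"""Score source-port and TXID randomness of outgoing DNS queries.

Added example. Input shape is tcpdump's "IP src.SPORT > dst.53: TXID+ A? ..."
line (assumption: only that shape is parsed); rating thresholds are mine.
"""
import math
import random
import re
from collections import Counter

LINE_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.53: (\d+)\+? ")


def parse_tcpdump(lines):
    """Return (source_ports, txids) from tcpdump-style lines of outgoing queries."""
    ports, txids = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
            txids.append(int(m.group(2)))
    return ports, txids


def shannon_entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive samples that step by exactly +1 (mod 2**16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def rate(values, field_bits=16):
    """GREAT / GOOD / POOR for a list of 16-bit samples (thresholds are assumptions).

    POOR: a single fixed value or mostly sequential stepping (Kaminsky-friendly).
    GREAT: entropy near the best n samples can show and values spread over at
    least a quarter of the field. Anything else is GOOD.
    """
    if not values:
        return "POOR"
    if len(set(values)) == 1 or sequential_fraction(values) > 0.5:
        return "POOR"
    ceiling = min(field_bits, math.log2(len(values)))
    spread = max(values) - min(values)
    if shannon_entropy_bits(values) >= 0.9 * ceiling and spread >= 2 ** (field_bits - 2):
        return "GREAT"
    return "GOOD"


def assess(lines):
    """Rate both fields for one capture."""
    ports, txids = parse_tcpdump(lines)
    return {"source_port": rate(ports), "txid": rate(txids)}


def make_lines(ports, txids):
    """Constructed tcpdump-style lines (addresses from the documentation ranges)."""
    return [f"12:00:00.{i:06d} IP 192.0.2.10.{p} > 198.51.100.1.53: "
            f"{t}+ A? host{i}.example.com. (40)"
            for i, (p, t) in enumerate(zip(ports, txids))]


def sample_captures(n=200, seed=1):
    """Three constructed captures: unpatched, patched, and narrow-port resolvers."""
    rng = random.Random(seed)
    unpatched = make_lines([53] * n, [(1000 + i) % 65536 for i in range(n)])
    patched = make_lines([rng.randrange(1024, 65536) for _ in range(n)],
                         [rng.randrange(65536) for _ in range(n)])
    narrow = make_lines([rng.randrange(32768, 32800) for _ in range(n)],
                        [rng.randrange(65536) for _ in range(n)])
    return {"unpatched": unpatched, "patched": patched, "narrow": narrow}


def assess_all():
    """Rate every constructed capture; keys are the capture names."""
    return {name: assess(lines) for name, lines in sample_captures().items()}


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name:10s} {verdict}")
```

A fixed source port with incrementing IDs rates POOR on both counts, which is the pre-patch state the vulnerability note describes; the narrow-range resolver shows why "not the same port every time" is not enough on its own, since 32 ports add only five bits for an attacker to guess.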

Links Used:
[1] theregister.co.uk - "Black hats attack gaping DNS hole" - http://www.theregister.co.uk/2008/07/31/dns_cache_poisoning_goes_wild/

[2] DNS-OARC - Web-based DNS Randomness Test - https://www.dns-oarc.net/oarc/services/dnsentropy

[3] US-CERT's Vulnerability Note VU#800113 - http://www.kb.cert.org/vuls/id/800113

December 5, 2007

» There are malicious websites in my soup(ed) up results.

As reported [1], the security companies Sunbelt Software and Trend Micro have singled out web pages with malicious content (in most cases targeting MS Internet Explorer vulnerabilities) that were trying to raise their ranking on most search engines. Google has made efforts to remove the sites, yet sponsored links can sometimes be misleading. The MSN search engine has a history of serving websites with malicious content; be aware!

Yes, that innocent-looking site you use to find a lost, unknown, recommended, much-needed, etc. website is being taken advantage of in order to assist in the spread of malicious content. This content is then used to extract much-needed information from the surfing users, which finally helps organised crime to defraud people and banks of money.

This is the globalized world we live in, where everyone and everything is connected to the Internet and, whether we like it or not, we have to become more aware of the security implications of using online software to conduct and manage private/sensitive personal information.

One must be sure not to get too anxious about using these technologies, or they may end up with security anxiety [2], and no one wants that!

Links Used:

[1] 'Hackers hijack web search results', Mark Ward (BBC) - http://news.bbc.co.uk/1/hi/technology/7118452.stm

[2] 'Gartner: Web security fears cause $2 billion online commerce loss in 2006', Ericka Chickowski (SC Magazine) - http://www.scmagazine.com/uk/news/article/606686/gartner-web-security-fears-cause-2-billion-online-commerce-loss-2006/