Saturday, September 06, 2008

But are voting machines really dangerous in practice? 

Spokesmen for the voting machine manufacturers like to say that the reported vulnerabilities are unrealistic in the context of an actual election, with all its tests and security procedures.

This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.

Are they right?

Princeton researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.


View your online banking records without your password 

This is a good example of how a simple feature change can create a security issue, and why security features that seem unnecessary can be important in practice.

Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.

OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.

If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which turns off storing pages into your history. This is a good idea for any security-sensitive activity.

Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.


Friday, September 05, 2008

Alarming security bug in Google Chrome 

Some security experts, whose names I can't find offhand, have discovered a bug in Google's new "Chrome" browser that could sidestep all of Chrome's security measures and take over your computer.

The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.

What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options when they translate the program from a human-readable computer language into an executable program.

Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.


Thursday, September 04, 2008

More thoughts about Google Chrome 

Chrome will save passwords for you, but unlike Firefox it doesn't let you define a master password that protects all your stored website passwords.

This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.

I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.

My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run Javascript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster Javascript engine.

This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.


Wednesday, September 03, 2008

Latest word about Google's "Chrome" browser 

Someone's already found the first security bug! It was a researcher named Aviv Raff, and it's not a biggy, but it sure is embarrassing. It's a bug in code that Google reused for their browser, that had already gotten fixed elsewhere. It allows a bad site to fill up your desktop with icons for potentially unwanted software.

Chrome will be both good and bad for your privacy. It has a mode where it stops logging your history on your local machine. On the other hand, and Google is commendably up-front about this, in order to generate suggested sites and searches, it's constantly sending information about every place you visit to Google. You can turn this off, but how many people will?


Monday, September 01, 2008

What you're up against 

A software developer's blog has an example of a malicious web page displaying fake buttons and controls that look like part of Windows to trick you into downloading what they claim is an antivirus program.

It all started from a legitimate web site, too, which apparently got taken over somehow by scammers.

I'm not completely happy with the suggestions the blogger and the people in the comments had to offer. They suggest changing the way your real Windows interface looks so that imitations will look strange. Instead I'd suggest NoScript, which would have halted the example attack in its tracks, and one other thing. The point of all the deception was to trick you into downloading an executable file. You get a real warning at that point, which asks if you really want to save and run a file from the Internet. Say "no" to those unless you set out to download something that you have some reason to trust.


First reaction to Google's browser announcement 

Google accidentally pre-announced a Google-brand web browser. It's not available to try out yet.

It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).

Popups will be tied to the tab they came from and can't cover up other tabs.

There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.

"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.

Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.


How to recognize an attack 

I ran into a suspicious web page the other day.

It opened from an unrelated search result. That's not a sign of a legitimate web page. What really gave it away was that it claimed to offer an antivirus product. Legitimate companies do legitimate advertising. If you see something unexpected suddenly offering you security software, be suspicious: it's like someone walking into your store off the street and offering you "protection".

A really good scam would have shown a web page that looked like a real business. This one didn't even have that much, not that there was any way to trust it at that point.

I looked at the page's inner workings briefly. It looked like it was set up to display all kinds of scary warnings and trick me into downloading a program from them. I didn't even see the scary fake warnings, because I'm running the NoScript extension to Firefox.


This page is powered by Blogger. Isn't yours?