Force-TLS does not force TLS

Robert Graham from Errata Security tested Force-TLS and found that it does not protect against Firesheep.

First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured * (the domain and all subdomains), and the URL “” still appeared in the address bar.

In addition, Firesheep’s ability to successfully sniff traffic depends on your network adapter.

FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).

Rob provides extensive details and screenshots on his test methods.

Forcing HTTPS with NoScript

It looks like those of you already using the NoScript Firefox add-on do not need another add-on to enable or force SSL when it’s available.

Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However, your online banking and the aforementioned are probably great candidates to be added to NoScript’s “force HTTPS” list right now.

Security alert: New Trojan Horse apps said to attack the Mac


Some security mavens have long theorized that as the Mac becomes more popular, we’d start to see malware that would start targeting the platform. Sure enough, this morning’s crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users.

Two Mac-oriented security companies, SecureMac and Intego, are reporting attacks targeting Mac users. Both reports seem to be legitimate.

Easy fix for Firesheep creates a problem for enterprises

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well-understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs WiFi network traffic to capture your user name and the established session ID for any of 26 sites, including Facebook, Twitter, Amazon, and the NYTimes. This lets the Firesheep user access any of these sites as you: it not only reveals your personal information to the Firesheep user but lets him or her impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than encrypting only the exchange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL-encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry-leading Next Generation Firewall.
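The Firesheep problem described in this post and in the Force-TLS post above comes down to one question a site owner can answer from response headers alone: will the browser ever send the session cookie over plain HTTP? Two server-side settings decide that, the cookie’s Secure attribute and a Strict-Transport-Security (HSTS) header, which is what the “force HTTPS” add-ons emulate on the client side. The following audit script is an added example, not code from any of the articles or tools quoted here; the two header sets it checks are constructed, and the list of session-like cookie names is an assumption.

```python
"""Audit HTTP response headers for the weakness Firesheep exploits: a
session cookie that the browser will also send over plain HTTP, where
anyone on the same WiFi network can capture it.

Two defences matter:
  * the cookie's Secure attribute (never sent on http:// requests), and
  * an HSTS header (the browser upgrades every later request to https://).

Added example; the header sets below are constructed, not captured."""
from http.cookies import SimpleCookie

# Substrings that usually mark a login-session cookie (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the
    mandatory max-age directive is missing or malformed."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_response(headers):
    """headers: list of (name, value) pairs from one HTTPS response.

    Returns a dict describing how exposed the session is to passive
    sniffing of the kind Firesheep performs."""
    exposed = []    # session-like cookies the browser would send over http://
    protected = []  # session-like cookies carrying the Secure attribute
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                if not any(hint in cname.lower() for hint in SESSION_HINTS):
                    continue
                # Morsel flag attributes are True when present, "" when absent.
                if morsel["secure"]:
                    protected.append(cname)
                else:
                    exposed.append(cname)
        elif lname == "strict-transport-security":
            hsts = parse_hsts(value)
    # With HSTS cached, the browser makes no http:// requests to the site,
    # so a passive sniffer never sees the cookie after the first visit.
    # Without HSTS, a single http:// link or typed URL leaks an insecure cookie.
    sidejackable = bool(exposed) and hsts is None
    return {
        "exposed_cookies": exposed,
        "protected_cookies": protected,
        "hsts_max_age": None if hsts is None else hsts[0],
        "hsts_include_subdomains": False if hsts is None else hsts[1],
        "sidejackable": sidejackable,
    }


# Constructed response headers: the 2010-style site Firesheep targets ...
VULNERABLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=7f3a9c; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# ... and the same site with the two defences applied.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=7f3a9c; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS),
                        ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs))
```

The `lang` cookie is deliberately left non-Secure in both sets: a preference cookie carries no session, so the audit ignores it and reports only on cookies that could authenticate a sidejacker. The same check is what the force-HTTPS add-ons above compensate for when a site has not set these headers itself.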

Burning question: How can VM sprawl be prevented?


VM sprawl, or virtual machine sprawl, is just what it sounds like: too many VMs sprawled across a virtual infrastructure, taking up processing power and storage space even if they are rarely used. Since spinning up a new VM can be done in a matter of minutes, users come to expect a new machine, on-demand, whenever they want it.

The issue is not necessarily to prevent VM sprawl, assuming all these VMs are serving valid business purposes. The issue is managing them and providing security. We recommend the following solutions:

  • Management – AccelOps automatically discovers new VM instances and new VMWare hosts. It then continues to monitor availability and performance and to collect the appropriate logs and flows they generate.
  • Network and Server Security – Altor Networks provides a VMSafe-certified firewall/IPS which is embedded in the VMWare hypervisor. It protects the hypervisor itself, controls and protects all communication into and out of the associated VMs, and monitors the services running in each VM.
  • Database Security – Specifically for virtualized database servers, we recommend Sentrigo. It runs in the database VM to (1) protect the database from targeted database attacks like SQL Injection and (2) provide complete user access monitoring and control, including activity generated by privileged users, stored procedures and triggers.

Facebook Insecurity as a Microcosm of All The World’s Security Problems


Gartner’s John Pescatore weighs in on the latest chapter in the ongoing Facebook privacy controversy.

Basically, what you see is Facebook taking several steps to protect its customers – advertisers. If they were trying to protect Facebook users, they would have taken very different steps. Because what you don’t see is any real attention to actually addressing the real vulnerabilities.

So, the key takeaway: make sure that you are the actual customer when you trust your data or your customers’ data to a social network or cloud service provider, or any other 3rd party for that matter. A cloud provider can claim they are better at running a data center than you are, but if they are focusing on protecting their advertising revenue, not your data, that claim is meaningless.

SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security


Brian Krebs today is providing an update on banking Trojan activity. While ZeuS has been in the public eye, another banking Trojan SpyEye seems to be ascending.

In the last several years, it is estimated that the ZeuS Trojan enabled the theft of more than $70 million from nearly 400 organizations.

Facebook Advertisers Can Glean Private Data

Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, reports the NYTimes. The Times describes two research papers which discuss how unethical advertisers can game social networks to determine people’s private profile information, such as sexual orientation.

Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing encrypting user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”

Mashable weighs in with the obvious question, “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”

If you are looking for a clearer technical explanation of what the fuss is all about and of the limited step Facebook is proposing, read Ars Technica’s Facebook touts encryption as solution to security flaw.

Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security


Microsoft is confirming a huge increase in attacks against Java vulnerabilities. Why is this important? Java is installed on the majority of the world’s desktop computers. In fact, the attack volume on Java dwarfs that of Adobe, which is saying something. Java may not be quite as ubiquitous as Adobe, but it’s close. For example, Java is required for Webex and GoToMeeting, the two most popular web meeting applications. To get an idea of the Java to Adobe proportion, see the graph below, courtesy of Microsoft via Krebs on Security.

According to Microsoft, the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions.”

Krebs claims the reason for this spike is the inclusion of Java exploits in the commercial crimeware kits sold in the hacker underground.

Java surely falls into that set of PC applications which must be kept up-to-date.

Study: Electronic theft surpasses physical theft | Security – CNET News


Kroll just released its fourth annual worldwide fraud survey. For the first time, “Information theft, loss, or attack” surpasses “Theft of physical assets or stock,” 27.3% to 27.2% respectively. In addition, overall fraud increased by 20%.

What accounts for this dramatic increase?

The fast pace at which technology changes poses a huge challenge in combating electronic theft: 28 percent of the companies polled said this is the one factor that raises their vulnerability to fraud. But still, only 48 percent said they plan to spend more money on IT security over the next year, down from 51 percent last year.
Here is the link to the complete Kroll Global Fraud Report.