Defcon Talk Exposes Disclosure Divide

A court order put a stop to a planned presentation at the Defcon hackers convention by three MIT students who found security flaws in the electronic ticketing system used by the mass transit authority in Boston. But the ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed.
Critics of the temporary restraining order issued last Saturday by a federal judge in Boston have labeled it an infringement of the students' First Amendment rights and an example of "prior restraint" on free speech. Many said such actions leave vulnerable systems open to attackers and put a chill on security research, driving legitimate researchers underground.
Others, though, see the case involving the students and the Massachusetts Bay Transportation Authority (MBTA) as another example of publicity-hungry security researchers driven more by ego and the desire for fame than by any sincere interest in improving security.
The always-simmering disclosure debate boiled over again after the MBTA obtained the 10-day gag order barring the MIT undergrads - Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa - from publicly disclosing information about the flaws in its e-ticketing system. The order was handed down the day before a scheduled Defcon session in which the students planned to detail the holes, which they say they found during independent penetration testing.
In an affidavit, the MBTA claimed that the students didn't give it sufficient information about the vulnerabilities beforehand. The transit authority added that it wasn't trying to permanently gag the students and that it just wanted some time to determine the validity and seriousness of the flaws and a course of action for addressing them.
But the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the three students in court, contended that the gag order was unconstitutional and wholly unnecessary. Some of the material that the students planned to present had been previously published elsewhere, the EFF noted. And, it said, the students hadtold the MBTA that they wouldn't release technical details that hackers could use to take advantage of the flaws.
Bruce Schneier, chief security technology officer at BT Group PLC, joined 10 computer science professors and researchers in signing a letter opposing the restraining order that the EFF included as part of a motion to reconsider the decision (download PDF). Schneier said this week that publicly disclosing vulnerabilities is often the only way to prod businesses to address them.
"Companies won't make [their systems] better by themselves," Schneier said। MBTA officials, he claimed, "are counting on the legal system to protect their shoddy work" on IT security।


Forewarned Is Forearmed
Schneier agreed that it's good practice in general to give organizations some advance notice before publicly disclosing flaws in their systems. But, he said, it's often hard to determine exactly what might be construed as "reasonable disclosure" and what might not be.
Steven Bellovin, a computer science professor at Columbia University who also signed the letter, said it's a fallacy to assume that a security problem goes away or remains hidden from view "simply because you don't talk about it" in public.
"I'm not saying the first thing you do when you find a vulnerability is to post it on your blog," Bellovin said. "But getting injunctions against people is like saying [to them], 'If you didn't find it, this problem wouldn't exist.'"
As long as the students didn't plan to use what they had discovered for malicious purposes, they had every right to talk about it, asserted Jim Kirby, a senior network engineer at DataWare Services, an IT services firm in Sioux Falls, S.D. "Anyone who says otherwise is invited to read the Constitution," Kirby said, adding that the restraining order was an effort "to enforce security by obscurity."
Other critics pointed out that much of the information has already become public anyway, since the students' slides were included on a CD given to Defcon attendees. In fact, the MBTA this week asked the court to modify the gag order so it covered only "nonpublic" information. A hearing on that motion, and one by the EFF seeking a reconsideration of the restraining order, was held on Thursday by a different judge in U.S. District Court in Boston. But he declined to take any action on the motions.
On the other side of the disclosure debate, David Jordan, chief information security officer for Virginia's Arlington County, said the reasonable course of action would have been for the students to help the MBTA address the flaws before disclosing them publicly.
"When you discover major flaws in a system that society relies on, you go to the people who own the system and work with them," Jordan said "You don't stand up on a podium and say, 'Look how clever I am.'"
He added that in such cases, the goal of security researchers often seems to be to further their own agendas instead of helping others fix problems. "It's all about improving one's own self-absorbed ego," Jordan said.
The students did meet with an MBTA police officer and an FBI agent on Aug. 4 and then delivered a short report on their findings to the MBTA prior to Defcon, according to a court document filed by the EFF (download PDF).
But Gartner Inc. analyst John Pescatore said the MBTA wasn't given a reasonable amount of time before the scheduled Defcon presentation to fix the problems or develop work-arounds for them.
The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."
In doing so, they didn't follow well-understood principles of responsible disclosure, according to Pescatore। "Responsible vulnerability disclosure really does clean up the software equivalent of dead wood," he said. "But releasing vulnerability info for sport or publicity does not."

Reference : http://www.pcworld.com/article/149860/2008/08/.html?tk=rss_news

Hackers mull physical attacks on a networked world

LAS VEGAS - Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections।
How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.
Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.
Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks. It's an area once defined by Dumpster diving and crude social-engineering ruses, like phony phone calls, that are probably easier to detect or avoid.
As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it's enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics.
Consider Apple Inc.'s iPhone, a gadget whose processing horsepower and cellular and wireless Internet connections make it an ideal double agent.
Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.
Graham and Maynor programmed the phone to check in with their computers over the cellular network. Once inside the target company and connected, a program they had written scanned the wireless network for security holes.
They didn't find any, but the exercise demonstrated an inexpensive way to perform penetration testing and the danger of unexpected devices being used in attacks. If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.
To keep the phone running, the researchers latched on an extended-life battery that lasts days on end. But they only really need a few minutes inside a building to test the network's security.
"It's like saying, once you get into Willy Wonka's Chocolate Factory, and you're in the garden where everything's edible, you have it all," Graham said in an interview.
The attack won't work, of course, if a company's wireless network is properly secured. In that case, Graham and Maynor said there's likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them so they could try it again elsewhere.
Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.
Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.
For example, Schmiedl said even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.
If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.
"We're burning the candle at both ends," he said। "The technology is becoming easier and cheaper and anybody can do it. And at the same time there's more incentive now to do it. These are two trains on a collision course. The question is when they're going to collide."
Reference : http://news.yahoo.com/s/ap/20080808/ap_on_hi_te/tec_hacking_facilities

Open Typed URLs in New Tabs

Everyone is probably aware of how to open links in new tabs in your favorite browser--just Command-click the link, and it will open in a new tab, instead of replacing your current window's contents. (This is a great way, for example, to browse the Macworld news page and open all the stories you'd like to read without losing the news page.)
But what if you're typing a URL, and you'd like it to open in a new tab? If you're using Safari, Camino, or OmniWeb, all you need to do is hold down the Command key prior to pressing Return after typing the URL. All three browsers will open the typed URL in a new tab, and will respect your preferences settings relative to new tab behavior--if you've got the preferences set to open new tabs in the background, then that's what will happen, and vice versa. (You can use this same trick in the Google search box, too.)
Firefox, however, is different. Instead of using Command-Return, you'll need to hold down Option and then press Return. This will force the URL to open in a new tab. Unfortunately, that new tab will open in the foreground, regardless of your preference settings. As I much prefer new tabs to open in the background (so I can continue reading the foreground tab), I went looking for a solution. I found that solution in a Firefox add-on called Tab Mix Plus. Unfortunately, that linked version won't work in Firefox 3, so I had to do further digging. Over in the Tab Mix Plus forums, this thread contains links to developer builds that work with Firefox 3.
As of today, the top post in that forum links to Tab Mix Plus Dev Build 0.3.7pre.080721, which works fine on my Firefox 3.0.1 installation. To install it, just click the Dev-Build link in that first forum post. Firefox will display a message stating that installation has been blocked. Click Allow to go ahead and install the extension, then restart Firefox.
Once Firefox restarts, open its preferences and select the Tabs tab. Click the Tab Mix Plus Options button, then click on the Tab Focus tab in the new window that opens. In the section labeled 'Focus/Select tabs that open from,' remove the checkmark next to Address Bar. If you'd like to use this same trick in the Google search box, also remove the checkmark next to Search Bar. When done, click OK and close Firefox's preferences panel.
From now on, when you press Option-Return after typing in the URL bar (or search box), Firefox will open the resulting web page (or search results) in a new background tab।
Reference : http://www.pcworld.com/article/148870/2008/07/.html?tk=rss_news

Hands On: 12 Quick Hacks for Firefox 3

Think you've seen all there is to see of Firefox 3's new features? Wait, there's more -- check out these cool and useful hacks FireFox ३.० has been out for two weeks now, so get with the program: It's time to hack it. The newest version of Mozilla's browser has plenty of new features, including the site identification button, the Bookmarks Library and what has become known as the "Awesome Bar" -- and I'll show you how to hack them all.
You can also force the browser to use Gmail for mailto: links, discover a hidden "Easter egg" and more. So fire up your browser and get ready to teach it some new tricks.
A note before we begin: One of the best ways to hack Firefox 3 is via about:config, which lets you change a wide variety of Firefox settings and preferences. Many of the hacks in this story make use of this nifty and practical utility.
To use about:config, you'll always repeat a few basic steps:
1. In the address bar, type about:config and press Enter.
2. A message will appear reading "This might void your warranty!" Ignore that nonsensical warning and click "I'll be careful, I promise!"
3. In the filter box, type the name of the setting you want to adjust. You'll see that entry appear in the area below. (If the name of the setting is very long, typing the first part of it will generate a list; you can then pick the setting you want.)
4. Make changes to the setting as instructed.
1. Klaatu Barada Nikto!
You may not know it, but Firefox has a mascot -- a robot that you can find in a hidden Easter egg in Firefox 3. In the address bar, type about:robots and you'll see the cheerful metal guy. The robot-related quotes displayed are from books and movies in which robots play a significant role, such as Blade Runner and The Hitchhiker's Guide to the Galaxy .
If you look at the title for the page, you'll find what at first glance may seem to be gibberish: Gort! Klaatu barada nikto! In fact, that's the phrase used by Helen Benson in the science fiction classic The Day the Earth Stood Still , ordering the robot Gort not to destroy the Earth।

2। Tell Firefox 3 to Have Yahoo Mail Handle mailto: Links
Until Firefox 3, if you used a Web-based e-mail account such as Yahoo Mail or Gmail, you were left out in the cold when you clicked a mailto: link. Mailto: links automatically begin an e-mail message to a specific sender, using your default e-mail handler. But with previous versions of Firefox, those links worked only with client-based e-mail software, and not with any Web-based e-mail programs.
With Firefox 3, that changes. The browser includes built-in integration with Yahoo Mail -- if you know where to look. And although it doesn't have the same integration with Gmail, there's a way to hack it to make it do so.
1. Select Tools -- Options and click the Applications icon at the top of the page.
2. Click mailto, and select Use Yahoo! Mail.
3. Click OK.
From now on, when you click a mailto: link, you'll be sent to your Yahoo! Mail account and a new e-mail will be created, to be sent to where the mailto: link directed it। (If you're not already logged into Yahoo Mail, you'll have to type in your username and password first.)

3. Tell Firefox 3 to Have Gmail Handle mailto: Links
Gmail, surprisingly, doesn't show up in the Firefox list of mailto: handlers. But you can add it. Just follow these steps:
1. In the address bar, type about:config and press Enter. Ignore the warranty warning.
2. In the filter box, type gecko.handlerservice.
3. From the entries that appear, double-click gecko.handlerServiceAllowRegisterFromDifferentHost. This will change its value from false to true.
4. In the address bar, copy this code, exactly as you see it, then press Enter:
javascript:window.navigator.registerProtocolHandler("mailto","https://mail.google.com/mail/?extsrc=mailto&url=%s","GMail")
5. Below the address bar, you'll get a message asking if you want to add Gmail as the application for mailto: links. Click the Add Application button.
6. Next time you click a mailto: link, a screen will appear that lets you choose an appropriate application. Select Gmail, check the box next to "Remember my choice for mailto: links," then click OK.
From now on, Gmail will handle the links. As with Yahoo Mail, if you're not currently logged in, you'll first have to type in your e-mail and password, and then Gmail will create the e-mail.

4. Use the Site Identification Button to Download All Graphics and Media
One of Firefox 3's niftiest new features is the site identification button, the button just to the left of the Address Bar that displays an icon representing the site that you're currently visiting. The button is far more than mere decoration -- it can tell you a great deal of information about the site you're visiting and lets you do some nice tricks as well.
If you click the button, then click More Information from the dialog box that appears; you'll come to a Page Info screen with multiple buttons on the top. Once you get there, there are plenty of tricks you can try. Here are two of them:
Before Firefox 3, one of the most popular extensions was DownloadThemAll, which, among other things, let you download all of a Web page's graphics and media simultaneously. With Firefox 3, you can throw that extension away, because a similar capability is built right into the browser.
Just click the Media button on the Page Info screen for a list of the page's various elements. You can scroll to any graphic to see a preview, then click Save As to save it. Download multiple files by holding down the Ctrl key and selecting them, and then clicking Save As. To download them all, press Ctrl-A, which will highlight all the files, and click Save As.
If for some reason you want to block images from a site from being displayed in Firefox, check the Block Images box, and the site won't display images।

5. Get Web Page Details
If you're in the Web business, there's plenty of information you may want to know about a given Web page. What metatags are your competitors using, for example? How "heavy" are the pages you create -- in other words, how large are they in kilobytes?
The General tab of the Page Info screen tells you that and more। Click the General tab, and you'll see page size, the date the page was modified, metatags and more.

6. Shrink the Back Button
Firefox 3's Back button looks like an arrow on steroids। If that bothers you, you can shrink it down to normal size. Right-click an empty spot on the toolbar, select Customize, and check the box next to Use Small Icons. Click Done. The Back button will now be smaller -- and the same size as the forward button. Keep in mind, though, that all the other icons on the toolbar will be smaller as well.

7. Find All Your Passwords
If you're like most people, you have plenty of passwords associated with Web sites. And most likely, you've forgotten most or all of them. Firefox remembers your passwords, so you'll be logged into your sites automatically. But what if you need to log into the sites on another PC? Or what if you'd like to keep a record of your passwords, in case they get wiped out?
Firefox 3 gives you an easy way to find all your passwords and user names associated with Web sites:
1. Select Tools -- Options and click the Security icon.
2. In the Passwords section, click Saved Passwords. A screen appears with a list of Web sites and usernames associated with each site.
3। Click Show Passwords. A warning screen will appear, asking if you want to show your passwords. Click Yes. You'll now see all your passwords, along with site URLs and usernames. Write them down or take a screen capture to print out, and put them in a safe place.

8. Change the Maximum Number of Awesome Bar Results
The address bar in Firefox has gotten such a makeover and has been given so many new capabilities that many people now refer to it as the Awesome Bar. (Mozilla refers to it as the Smart Location Bar.) No matter what you call it, though, it's eminently hackable.
First, a little background about the Awesome Bar's new features. In earlier versions of Firefox, when you typed text into the address bar, it showed you a drop-down list of URLs you'd recently visited and narrowed down the list as you typed in more text. So, for example, if you typed the letter "c" by itself, you'd get a long list of sites you'd recently visited that start with "c," and then as you typed additional letters, the list would shorten. You could scroll to any URL on the list and press Enter to visit there.
The Awesome Bar adds some oomph to that. First off, it not only lists recently visited sites as you type, but it grabs URLs from your bookmarks as well. And it doesn't just look for URLs that match the first letter -- it also looks at page titles and tags. What's more, it uses an algorithm to figure out what are the most likely sites you want to visit and puts those first on the list. And it shows you not just a list of URLs, but much more for each URL, including the site's favicon, its full title and whether you've bookmarked the page.
By default, the Awesome Bar returns a list with a maximum of 12 entries. You can change that maximum to another number:
1. Type about:config into the address bar and click "I'll be careful, I promise!" when you get the security warning.
2. Type (or paste) this text into the filter box: browser.urlbar.maxRichResults. You can also just type browser.urlbar and pick out browser.urlbar.maxRichResults from the resulting list.
3. Double-click the browser.urlbar.maxRichResults entry. In the "Enter integer value" pop-up, type the maximum number of results you want to appear and click OK. From now on, that will be the maximum number.
Note that even after you do this, you will only see the default six results as you type। To see more, scroll through the list.

9. Ban Bookmarks from the Awesome Bar
If for some reason you don't want bookmarks to appear in the Awesome Bar, there's an easy way to ban them. Download the Hide Unvisited 3 add-on, and only recently visited pages will appear. Keep in mind that if you've recently visited a page that you've bookmarked, that page will appear in the Awesome Bar. It will only keep off bookmarks that you haven't recently visited.
If you'd prefer to do the same thing by yourself rather than relying on an add-on, here's what to do:
1. Type about:config into the address bar.
2. Type this text into the filter box: browser.urlbar.matchOnlyTyped (or type . browser.urlbar and choose from the list).
3. Double-click the browser.urlbar.matchOnlyTyped entry so that the value changes from false to true.
4. Clear your history list.
From now on, only sites you've visited recently will show up; bookmarks won't।

10. Kill the Awesome Bar ... Sort Of
If you're a retro kind of person, you can kill the Awesome Bar, and make it look and work somewhat like the old reliable address bar in earlier versions of Firefox. The oldbar add-on will make the Awesome Bar look like the Firefox 2 location bar। But the changes are only skin deep -- even when you use this add-on, the Awesome Bar will still use its algorithms to determine what sites it shows. It just won't show all the details.

11. Force Old Extensions to Work in Firefox 3
When you install Firefox 3, it checks to see if your old extensions have been updated for the new version of the browser. If it finds they haven't, it disables them.
If you like living on the edge, you can change a couple of settings to force Firefox to use your old extensions. Be forewarned, though, that doing this can cause compatibility problems and other woes.
Go to the following settings in about:config, and change both to false by double-clicking them:
extensions.checkCompatibility
extensions.checkUpdateSecurity
If you don't want to muck around with about:config but still want to force old extensions to work in Firefox 3, download and use the Nightly Tester Tools extension. For instructions on how to use it, check out my blog entry about some of my favorite Firefox 3 add-ons।

12. Hack Firefox's New Zoom Feature
Firefox 3 adds some very nice capabilities to Zoom, which now magnifies images as well as text. But if it doesn't do everything you want it to, or you don't like some of the features, they can be hacked. Here's how to do it with about:config.
You can zoom in and out of pages with Firefox using the Ctrl + and Ctrl - combinations, or by selecting View -- Zoom. When you zoom pages in a Web domain (such as computerworld.com), the next time you visit any page in that domain, Firefox 3 will remember your zoom level and display it at that level.
You may, however, prefer that Firefox always display a page at a normal zoom, no matter how you displayed it the last time you visited। If so, you can change the following setting from true to false by double-clicking it in about:config: browser.zoom.siteSpecific.
Reference : http://www.pcworld.com/article/id,147823-pg,1/article.html