Chad's News

You don’t have to be a hard-core geek to know how some websites use cookies to identify your computer and track your internet browsing habits. But it’s just too easy to disable and/or delete browser cookies, so the organizations involved have been looking for better methods. The goal is to save information across page visits and browser sessions, and there are quite a few ways to accomplish this. Flash cookies use the local storage capabilities of the Adobe Flash Player. These have given rise to zombie cookies, where a deleted browser cookie is recreated from the Flash cookie. HTML 5 has a client-side database storage capability that makes me wonder just what they were thinking when they developed the standard. And finally there’s the Evercookie, which uses every trick in the book and is quite hard to remove. My favorite is how it encodes the cookie data as an image file, which is stored in the browser’s cache to be later read back and decoded.

Update: Ars Technica tells us that it’s technically possible to kill the Evercookie.

Microsoft released a record-breaking number of security updates on Tuesday, and it sounds like it’s a good idea to run Windows Update if you haven’t already done so.

Link #1: http://www.google.com/…
(via Kim Komando)

Link #2: http://blogs.techrepublic.com.com/…

Given the massive parallel processing power available in today’s video cards, a 7-character password is “hopelessly inadequate,” and even an 8-character password can be cracked in a couple hours. This is regardless of the the mix of letters, numbers, symbols, upper/lower case, etc. So the recommended minimum length for passwords is now 12 characters. But don’t think you’re completely safe with a longer password—you also need to make sure it’s not susceptible to a dictionary attack.

Link #1: http://www.gtri.gatech.edu/…

Link #2: http://www.theregister.co.uk/…
(via engadget)

Link #3: http://dailycaller.com/…

A far-reaching Windows application exploit has been making the news recently, and I’m here to tell you that it’s no big deal if you’re careful.

The core issue is this: when opening an application, Windows has a list of locations that it searches for the various executable library files needed to run the program. For versions of Windows prior to XP SP2, the very first location it searches is the “current” working directory. For XP SP2 and later, the current directory is searched last.

The exploit is simple: a hacker provides a document and, in the same directory as the document, places a malicious library with the same name as a library used by the application that will open the file. When the user double-clicks on the document, Windows will load and execute the malicious library instead of the correct one—because it comes first in the search list. Thus the hacker gets you to run malicious code of his choosing, which is the holy grail of hacking. Obviously this is more difficult in post-XP SP2 versions of Windows, because the current directory is searched last, but the exploit is still possible.

An example of how this could occur would be if you found a flash drive on the ground and plugged it into your computer. Another would be if you downloaded a directory with some movies from the Internet and double-clicked on one to watch it. A third possibility is opening a document over a network, where the other computer has already been hacked. With knowledge of this issue, however, and if you are careful about what files you download and open, this vulnerability becomes manageable.

Unfortunately this is not a Windows bug that can be fixed. It’s a design decision from the early days of PC operating systems, and it’s so deeply embedded in the architecture that it won’t be changed. Doing so would break a great many applications. Microsoft has done what it can to make things safer. They modified the search order, so that the current directory is searched last instead of first. Applications can specify that the current directory not be searched at all. There are hundreds of popular programs that don’t do this, and it’s up to each individual program to enable that setting.

That being said, Microsoft has released a patch that enables you to change how code libraries are loaded on your computer.

Link #1: http://www.infoworld.com/…
(via Kim Komando)

Link #2: http://arstechnica.com/…

Here at Chad’s News, we’ve previously written about the lack of internet privacy and wireless security. Now we can extend that realm to include cell phones, especially ones that use GSM. At last month’s DEF CON convention, security researcher Chris Paget demonstrated a home-brewed cell phone tower setup that was able to easily intercept calls from members of the audience. The total cost of the hardware was about $1500.

This type of equipment, known as an IMSI catcher, has been available to law enforcement for years, but at the cost of hundreds of thousands of dollars.

Link: http://www.wired.com/…
(via engadget)

There’s a new security vulnerability in Windows, where your machine can be taken over by simply viewing a shortcut icon. So be very careful about untrusted USB drives, shared files, and anything you’re asked to download (files with “.lnk” and “.pif” extensions are highly suspect). Microsoft has a temporary workaround which changes all the icon images to be identical, but this may be a cure that’s worse than the problem.

Link: http://www.computerworld.com/…
(via Kim Komando)

Many photocopiers use hard drives to store scanned images of the originals. And many people don’t think about wiping that hard drive before selling, trading, or ending the lease on the copier. Which leaves a gold mine of personal and intellectual property information for those who do think about these things.

Link: http://arstechnica.com/…

We’ve all heard the advertisements for LifeLock, where CEO Todd Davis freely gives out his Social Security number because he’s so confident that LifeLock’s service will protect him. Kudos to whoever came up with the idea for such an innovative marketing campaign, but the reality is that Davis’ identity has been successfully stolen 13 times since the ads began airing.

Link: http://www.wired.com/…
(via Kim Komando)

Adobe has released Flash Player 10.1, which includes critical security updates. Adobe products are well known for their susceptibility to malicious hackers, in part because of their ubiquity. Note that you’ll need to install two copies of Flash Player, one for Internet Explorer and one for all other browsers. No, seriously.

Link #1: http://get.adobe.com/…

Link #2: http://news.bbc.co.uk/…
(via Kim Komando)

It’s normal to think of hackers as highly-talented individuals working from a basement in some foreign country. The reality, as indicated in the linked article, can be much different. Innovative Marketing Ukraine was a business—with a human resources department, holiday parties, and call center—that created malicious programs for use by hackers. The majority of the software was scareware, where it infects your computer, disables your anti-virus software, makes it almost impossible to use the internet or run programs, tells you that you have a virus, and offers to remove the virus for a fee. But it gets worse. For the people who actually pay, there’s a good chance that someone will sell the credit card information.

Thanks to Josh for this topic.

Link: http://www.reuters.com/…

Every so often a business or government entity will attempt to release “anonymized” data only to find that the anonymization process fails miserably (AOL, Netflix). The problem is not so much with the actual data itself, but is in how it can be combined with other data sources to identify specific individuals. A researcher has shown that 87 percent of Americans can be uniquely identified with just their ZIP code, birthdate, and gender.

Link: http://arstechnica.com/…

Security researcher Christopher Tarnovsky has managed to hack Infineon’s SLE66 CL PE chip, which the company had claimed was unhackable. Despite this, we shouldn’t be overly concerned. Tarnovsky used acid to reveal the chip’s circuitry, and he also required an electron microscope—not something that your average person has sitting around the house. Once he reverse-engineered the chip’s logic, he modified the circuitry to bypass its (formidable) defenses. Tarnovsky then used tiny probes to view the chip’s internal data signals, allowing him to read its stored memory. This just goes to show that unlimited physical access can break almost any security scheme.

Link #1: http://www.darkreading.com/…

Link #2: http://localtechwire.com/…