Apple pulls iForgot password recovery system over security bug

Giving customers their own online accounts, secured with a user id and password, can get tricky, especially if you have to rely on third party vendor software to do the management.

At the school I work at, we instituted a new Online Application for potential students. We also created a new Online Reenrollment form that parents can fill out to update information that may have changed since last year.

Applicants have to create their own username and password just to be able to create an Online Application. They SEND their information TO us to be imported into our database.

For the Reenrollment site, on the other hand, we email parents their username and password – they don’t get to create their login credentials because we are giving them access to data that is already in our database and which they will be able to update.

In both cases, we ALWAYS have parents or applicants who have trouble logging into the respective websites. I’d say at least 15% of our users experience some kind of issue. In many cases, they type a lower case “L” instead of an upper case “i”, or type the number “0” instead of the letter “O”. In other cases, they’ve forgotten their username or password. And in some cases, I’ve forgotten to initialize parent accounts before sending them an email with their login information.

In short, online account management gets complicated, and I’m not sure how we can make the experience easier for applicants and parents without making their information more vulnerable.

DDOS Suspect used ‘attack van’ as mobile HQ

According to theverge.com, the Spanish Interior Ministry has charged a 35-year-old Dutch national with the Cyberbunker Distributed Denial of Service (DDOS) attacks against Spamhaus last month. This attack is reported to have been one of the largest DDOS attacks ever, generating 300 gigabits of traffic per second, and may have had a negative impact on Internet traffic in Europe.

According to the story, “the suspect used a van ‘equipped with various antennas to scan frequencies’ as a mobile command center, which reportedly enabled him to hack into networks from virtually anywhere in the country.”

Toshiba USB portable hard drive is also online file server

According to an article on Wired.com, today’s super-fast processors, used in places like Apple’s and Facebook’s data centers, have begun to outstrip hard drives and main memory capacity. The hard disk is too slow, and memory is too small.

The company Fusion-io has built a card which slots into servers and blurs the line between the storage world and the memory world. It’s packed with hundreds of gigabytes of flash memory, and can act like a standard hard drive. However, the same card can also act like a beefed-up version of a server’s main memory subsystem.

This means data can be delivered faster, and uses less energy doing so.

Bitcoin Company Hacked

Farhad Manjoo has a good article on Slate about the Bitcoin bubble we just recently witnessed. He originally purchased 7 bitcoins for $138 each.

Within days of the purchase, the value of bitcoins had risen to $200.00 each, then to $262.00 each.

However, shortly after that, their value began to plummet. To make a long story short, he pulled out of the bitcoin market and made about 15% profit.

The huge price drop was in large part due to the fact that the companies offering to buy and sell bitcoins for people had trouble meeting demand, and were unable to process their transactions. Oh yeah, I think one of those companies had been hacked.

Today’s Most In-Demand Certifications

I have mixed feelings about certifications.

On the one hand, they show an individual’s willingness to learn something and take a test about it. In some cases that individual spent thousands of dollars on classes aimed at the certification test. I’m not saying they are capable of doing what the certification says they can do, but at least they took the initiative and put some effort into it.

That being said, I don’t have any certifications at all. Most of the jobs I have gotten have been because I had skills I taught myself “on the job” at previous jobs. The times I have been in a position to interview candidates, and had input into the job hiring process, I was far more interested in what candidates could do skill wise, what they had done at their previous job or in school, than whether they had a certification or not.

Does anyone reading this feel that their certifications led to higher paying jobs?

Java Renaissance Begins?

An article on Darkreading.com discusses Oracle’s change in its strategy towards Java.

Oracle has decided to focus its efforts on making the current version of Java more secure, at the cost of delaying the rollout of the new version of Java, Version 8.0, until 2014.

Security experts believe this is a good first step for Oracle, considering that 2012 and 2013 were not good to Java. A number of zero-day attacks and vulnerability disclosures tarnished Java’s reputation, and led to many organizations disabling Java on their client computers. Apple removed its Java plug-in from Safari.

Rik Ferguson, vice president of security research for Trend Micro said, “This definitely won’t be the last zero-day vulnerability in Java and it won’t be the end of the vast attack surface that it currently offers to criminals.”

Oracle’s chief architect of the Java Platform Group, Mark Reinhold, said in his blog post, “We’ve also upgraded our development processes to increase the level of scrutiny applied to new code, so that new code doesn’t introduce new vulnerabilities.”

However, the biggest challenge for securing Java is that it runs on multiple operating systems. Oracle wants the Java Virtual Machine to run across all platforms in a consistent manner. Unfortunately, this makes it harder to secure.

Time to set up that Honeypot?

According to an article by John H. Sawyer at Darkreading.com, many companies are securing the outer perimeter of their networks, but they’re neglecting the interior, and have no idea what’s going on inside the internal networks.

This leads to the problem that many companies don’t know if they’ve been breached until days, weeks, or months after the attack.

The article states that companies need to develop better detection measures using a combination of Network Security Monitoring (NSM), active defense tools and honeypots, which have seen recent advancements.

Honeypots are designed to be attacked. They come in different flavors: HTTP, SMTP, SSH, FTP, etc. Because they exist only to be attacked, any traffic they receive is suspect, and the person responsible for the honeypot can better understand what the attackers are doing. Honeypots become early warning systems that can identify attacks that other systems may have missed.

There is an increased interest in honeypots, and as a result, there are several products on the market. One product is Artillery from TrustedSec. It can be deployed on a server, or a standalone system. It listens to network ports that are commonly attacked, and will report once it detects an attack.

Project Nova is another honeypot. It is based on honeyd, which is no longer developed. It makes it easy to deploy many honeypots at one time from the same host. It also has a learning algorithm that helps determine whether a system is hostile or benign.

The author of the article also mentions the Active Defense Harbinger Distribution (ADHD) project, which is a Linux-based Live CD distribution. ADHD contains the two honeypots mentioned above, as well as active defense tools designed to slow down attackers, or annoy attackers to the point they make mistakes and get caught. The author cautions that this could lead to an angry attacker maliciously attacking your system and causing massive system failure and data loss.

Overall, honeypots look like a good addition to your security toolset that should be considered when upgrading the security of your networks.

SSH File Transfer Protocol

I discussed the File Transfer Protocol in an earlier post. As convenient as FTP is, it is an insecure form of communication. Data is transmitted in the clear, unencrypted. Anyone with a packet sniffer can discover the credentials used to connect to the FTP Server.

There are alternatives to FTP. One is the SSH File Transfer Protocol (SFTP). Unlike the FTP protocol, SFTP encrypts the command and data channels. Indiana University’s IT Services has a nice web page dedicated to SFTP located here.

Be aware that FTP Clients do not necessarily support SFTP, and SFTP clients don’t have to support FTP. Although FTP and SFTP sound very similar, the technologies used by both are fundamentally different.

I personally like Filezilla. It’s got a nice, simple GUI, and it supports the FTP and SFTP protocols. It’s also free. You can download it from filezilla-project.org.

FTP Explained

I found a good article that discusses how the FTP protocol works.

The File Transfer Protocol is typically used to transfer files between a client and a server. You should also understand that FTP is not a secure protocol because data is transmitted unencrypted. Anyone using a packet sniffer could find the username and password used to connect to an FTP server.

FTP actually utilizes two ports: a command port and a data port. The command port transmits commands and replies to those commands, while the data port transfers data.

FTP can be used in active mode or passive mode. Active mode is the older method, and was introduced when security was not a priority for most organizations. The client sends the PORT command, telling the server which port to connect to on the client side. Here’s a simplified version of how it works:

[Image: What is FTP (active mode). Image courtesy John V. from Jscape.com]

  1. The client connects from a random port on the client side to port 21 (the command port) on the server. The client sends the PORT command to specify which client-side port the server should connect to for data.
  2. The server connects from its port 20 (the data port) to the client port that was designated as the data channel. Data transfers are made through these ports.

In passive mode, the client still initiates contact with the command port. However, the client sends the PASV command, which basically asks the server which port it can connect to on the server side to transfer data. The FTP server replies, indicating which port the client should connect to for data transfer. Here’s a simplified version of how it works:

[Image: FTP (passive mode). Image courtesy John V. from Jscape.com]

  1. The client connects from a random port on the client side to port 21 (the command port) on the server. The client sends the PASV command. The server replies, indicating which port it has opened on itself for data transfer.
  2. The client connects from another random port to the port specified in the server’s response. Once the connection is established, data transfers are made through these client and server ports.

One of the biggest problems with the File Transfer Protocol is that the entire transmission is sent in plain text between the client and the server. Anyone with a packet sniffer can intercept every detail needed to log into the FTP server.

FTP is a convenient way of transferring files; however, it is an insecure form of communication.
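To make the two modes concrete, here is an added example (not from the article or from Jscape) that encodes the client endpoint for a PORT command, decodes the h1,h2,h3,h4,p1,p2 tuple the server returns in a 227 PASV reply, and then walks a constructed command-channel capture to show exactly what a passive sniffer would learn: the cleartext credentials, the mode in use, and every data-channel endpoint. The capture, hosts and credentials are all made up.

```python
import re

# Constructed sample of an FTP command-channel capture (C: client, S: server); values are made up.
SAMPLE_CAPTURE = """\
C: USER alice
S: 331 Password required
C: PASS s3cret
C: PORT 192,168,1,25,200,17
C: LIST
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,80)
C: RETR report.pdf
C: QUIT
"""

def build_port_command(ip, port):
    """Active mode: the client advertises its data endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def parse_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both the PORT command and the 227 PASV reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(v > 255 for v in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def summarize_session(capture):
    """Report what a passive sniffer learns: cleartext credentials, mode used, and each data endpoint."""
    report = {"user": None, "password": None, "data_connections": []}
    for line in capture.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C" and msg.startswith("USER "):
            report["user"] = msg[5:]
        elif who == "C" and msg.startswith("PASS "):
            report["password"] = msg[5:]
        elif who == "C" and msg.startswith("PORT "):
            # active mode: the server will connect from port 20 to this client endpoint
            report["data_connections"].append(("active", parse_endpoint(msg)))
        elif who == "S" and msg.startswith("227 "):
            # passive mode: the client will connect to this server endpoint
            report["data_connections"].append(("passive", parse_endpoint(msg)))
    return report
```

Running summarize_session over the sample shows both the login and every data-channel endpoint recovered from the command channel alone, which is why SFTP encrypting that channel matters.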

Pro-CISPA groups Outspend and Outlobby Anti-CISPA groups

I found this article about Pro-CISPA companies outspending and out-lobbying Anti-CISPA companies. The Pro-CISPA companies have already spent $605 million to lobby for the bill’s passage, according to a watchdog group.

The main reason there is so much more money and support for CISPA than there was for SOPA is that a number of large technology firms (including Microsoft and Facebook) have switched sides and are endorsing it.

Supporters of CISPA argue that legal immunity is necessary to encourage companies to freely share data with the government.

However, the American Civil Liberties Union and internet privacy groups like the Electronic Frontier Foundation fear that customer and client data will be vulnerable during the data exchange, exposing private data.