Malicious URLs Pose Mobile Hijacking Risk

The security of mobile devices may be at risk from Web-borne attacks because of loose policies for processing URLs (Uniform Resource Locators), according to a report by security researcher Nitesh Dhanjani.

New FireSheep-Style Tool Hijacks Twitter Sessions

Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed “Idiocy,” that does the same for insecure Twitter sessions.

In a variety of ways, experts at this weekend’s ToorCon Conference warned that the tidal wave of new devices and Web-based services is straining an already aging Internet infrastructure, with privacy and security as the first victims.

Call it the ‘schizophrenia of now’: a tidal wave of new applications and mobile devices promise to connect us and enable us in ways technologists only dreamed of a decade ago. At the same time, the Internet itself strains under the demands of hundreds of millions of new users, and aging protocols that offer only the barest security and privacy protections.
That was the picture that emerged from two days of sessions at the ToorCon Conference in San Diego. ToorCon is an eclectic event, and its discussions ran the gamut – from social engineering, to the moral and ethical implications of zero-day vulnerabilities, to the evolutionary impact of technology. But in talk after talk, top security experts returned to a common theme: the fast evolution of new applications and platforms, and the glacial pace of change for the decades-old protocols and infrastructure that support them.
That was the message beneath the keynote address on Saturday, in which security expert Dan Kaminsky lamented the lack of progress in securing e-mail communications and verifying the identities of legitimate senders – an endeavor now in its second decade. With the vast majority of e-mail communications still “in the clear” and without the benefit of encryption or other data security, Kaminsky extolled the virtues of Domain Key Infrastructure (DKI) technology for proving the identity and authenticity of e-mail communications.
Existing, user-driven options like S/MIME, which require individual management of public keys and accompanying certificates for message authentication and non-repudiation, have proven too complicated for all but the most technical users to manage, Kaminsky said.
“We’ve created a self licking ice cream cone,” Kaminsky said of current, user-driven e-mail security options. “There’s too much technical detail in certificates and users can parse all that information. We’ve got to do better.”
That was the message from security researchers Ian Gallagher of Security Innovation and Eric Butler, an independent security consultant. The researchers talked about the threat to privacy posed by modern social networking applications like Twitter and Facebook, as well as Web e-mail, which run on unencrypted HTTP, leaving users susceptible to various forms of session hijacking that could allow malicious hackers to view their personal details. The fix, according to the two, is for more Web 2.0 providers to deploy end-to-end encryption using SSL, but concerns about the cost and impact on performance have kept that needed change from happening. In an effort to turn up the heat around vulnerable Web apps, the two used ToorCon to release a Firefox browser plugin, FireSheep, that allows users to canvass and then hijack Web 2.0 sessions from users on the same wireless network.
If decades-old tools like the Web and e-mail are problems, the situation is no better – and possibly worse – in the burgeoning world of mobile devices, as numerous ToorCon presentations illustrated.
Researcher David Kane Parry used his talk to discuss the security implications of popular location-based services such as FourSquare and Facebook Places, which allow mobile users to report their location to their followers. Such services have an obvious appeal and utility, but too little time has been spent discussing the security implications, while developers have few tools to secure such transmissions or to allow granular application of GPS data, Kane Parry said. Geocoding APIs, he noted, don’t yet use SSL encryption, while GPS data can easily be spoofed on mobile devices, complicating repudiation.
Eric Monti, a Senior Security Researcher with TrustWave’s Spider Labs, raised similar concerns about the security of applications for mobile devices like iPhone and Android. Monti developed a stripped-down rootkit for iPhones, leveraging work done by the Jailbreakme team over the summer. Modern mobile devices are “just as complicated as desktops and laptops or servers,” Monti warned. And, rather than being a special case, the operating systems that manage these devices are variants of modern operating systems – OS X, Linux and Windows – about which much is known, he said. That’s a problem, as third parties rush to design all manner of applications for these platforms, including those handling sensitive data, such as credit card processing and SCADA control tools, he said.
And, without proper protections, even seemingly innocuous devices can potentially be put to uses well afield of those for which they were designed. Researchers Travis Goodspeed and Michael Ossmann proved this with the IM-Me wireless text messaging toy from Girl Tech – a little-recognized mobile device that has suddenly become very popular amongst hardware hackers for its flexibility, powerful radio (and cute, pink case). The two showed how, with a modicum of effort, the IM-Me could be transformed into a spectrum analyzer, garage door opener, keyless entry device or TV remote.
Experts and speakers at the show were generally pessimistic about the ability of the industry to avoid the painful mistakes made in earlier generations, when the lure of cool functionality and the growth of the global Internet led to convulsive waves of virus and worm attacks and, ultimately, organized cyber crime and state-sponsored hacking.

New Tool, FireSheep, Lays Open Web 2.0 Insecurity

The Browser Plug-In Offers One-Click Session Hijacking for Popular Social Networking Apps. Creators call for better session security.

It’s no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What’s less clear is how much information is floating out there in the ether, especially with the rise of “Web 2.0” and rich social networking applications and other Web-based sharing tools. But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: it allows users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature. Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP. The researchers, Ian Gallagher of Security Innovation in Seattle, Washington, and Eric Butler, an independent security consultant, also of Seattle, demonstrated Firesheep before an audience at ToorCon on Sunday: surveying and then hijacking audience members’ Facebook and iGoogle sessions. They warned that, without wider use of secure transaction tools for end-to-end Web encryption like SSL, more users were likely to fall victim to such attacks. The problem isn’t new, Butler said, but has been the “elephant in the room” since the birth of the Web and the HTTP protocol that is its lingua franca.
Technologies like virtual private networking tools (VPN) can help deter snooping, but they don’t provide end-to-end encryption of Web sessions and, thus, just “move the problem around,” Butler said. Concerns about the ability to scale session encryption to the level needed to support traffic on massive social networks like Facebook are a likely obstacle, but both Gallagher and Butler argued that security and scalability can both be achieved. Search giant Google implemented SSL for its Gmail Web-based e-mail service without any noticeable change in service and without having to deploy massive new infrastructure to support it, the two noted. Other Web mail and software-as-a-service vendors should do the same. The two posted a version of the Firesheep tool for Mac OS X and Windows for download ( and encouraged others to download and try it out. The tool is also extensible, allowing users to add additional Web services to those detected by Firesheep with a few lines of Javascript.
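The weakness Firesheep relies on is a session cookie that a site sets without the Secure attribute, so the browser will also send it over plain HTTP where anyone on the same wireless network can read it. The audit below is an added example, not code from Firesheep or from the article; it parses constructed Set-Cookie headers (the cookie names and domain are made up) and reports session-looking cookies that lack Secure or HttpOnly, showing the weak header beside its hardened form.

```python
"""Audit Set-Cookie headers for the exposure Firesheep demonstrates:
a session cookie without the Secure attribute travels in the clear over HTTP."""

# Name fragments that usually mark a session or authentication cookie (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Return (cookie name, finding) pairs for session-like cookies that are exposed."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # preference cookies are not worth hijacking
        if "secure" not in attrs:
            findings.append((name, "missing Secure: sent over plain HTTP, readable on shared wifi"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by page scripts"))
    return findings


# Constructed sample responses; example.test is not a real service.
WEAK_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test",
    "lang=en; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cookies(headers) or "no findings")
```

Secure keeps the cookie off HTTP connections entirely; the site must also serve every page over SSL, or the browser will still be sent to an unencrypted page where a fresh session can be set.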

Companies that make supervisory control and data acquisition (SCADA) and industrial control software are still dangerously lax when it comes to application security and remain vulnerable to attack, according to a researcher from security firm Tenable Inc., who warned that the use of hard-coded administrative “backdoor” passwords of the type used by the Stuxnet worm isn’t uncommon.
