Week in Security: Toorcon and SecTor Wrap-up, Bugs and Stuxnet Stances

Autumn conferences grabbed the headlines this week as presentations at the Toorcon Conference in San Diego and SecTor in Toronto wrapped up October, with revelations about the vulnerability of social networking sessions and critical infrastructure headlining. 

Autumn conferences grabbed the headlines this week as presentations at the Toorcon Conference in San Diego and SecTor in Toronto wrapped up October, with revelations about the vulnerability of social networking sessions and critical infrastructure headlining. 

In San Diego, talks at Toorcon came with one common thread:
The Internet is getting older. A host of new Web-based services and Internet enabled mobile devices are combining to make it more and more difficult for
the Internet – built on 30 year old technology – to keep up.
A tool as basic as e-mail which has been around
for decades still lacks proper security while mobile phones are causing
headaches of their own.

Social networking looked especially vulnerable this week as Firesheep,
an extension for Firefox, showed it could easily hijack users.
 Unveiled
at Toorcon by Ian Gallagher of Security Innovation and independent security
consultant Eric Butler, the attack exploits unencrypted wireless connections to
spy on users on Facebook, Flickr and iGoogle.

Firesheep was followed, later in the week, by a
tool named Idiocy that could hijack unsecured Twitter
sessions.
Unlike Firesheep however, when hacked it merely warns users of
their unsafe browsing, tweeting: “I browsed twitter insecurely on a public
network and all I got was this lousy tweet.”

In Toronto, a
talk at SecTour taught us that attacks don’t always have to be directed at users

but can be more successful by targeting benign websites and then their users.
By generating a specific session cookie, hackers can glean additional
information to better own their victims, according to researcher/Evercookie
creator
Samy Kamkar.

Kamkar
highlighted these techniques in depth with Dennis on Wednesday
and also discussed
a new exploit that uses cross-site scripting and Google geolocation
information.

The sanctity of user generated information was also the subject of a series of class action lawsuits filed in Federal district court in California in recent days, Threatpost reported. The suits, which target social networking giant Facebook, social gaming firm Zynga and Google claim the companies are violating the terms of their own user agreements and federal and state laws by leaking sensitive information via http referrer – those long, complicated URLs that are generated as you fill out forms online or surf from one Web site to the next. 

The topic of critical infrastructure security was back in the headlines
this week. At Toorcon, Jeremy Brown of security firm Tenable warned that many
supervisory control and data acquisition (SCADA)
companies need to step up their security game
.

Stuxnet, which wormed its
way through SCADA security in July, was also the focus of a talk at SecTor. On
the other side of the coin, security consultant James Arlen reasoned that much
of Stuxnet’s hype has been overblown
and in the end, encouraged
professionals to just “take a deep breath.”

The week wouldn’t be complete without a few vulnerabilities
to report. On Wednesday Mozilla
confirmed a bug in their Firefox browser
and claimed they were working to
patch it. This particular bug, originally found on the Nobel Peace Prize
website, was planting malware on user’s computers.

Adobe’s security woes continued. The company disclosed yet another zero-day bug in their Flash platform on Thursday. Already exploited in attacks
against Reader on Android and Reader for Windows and Mac, the bug won’t be
addressed until a patch is released on Nov. 9.

What piqued your interest this week? Andrew
Storms talked Firesheep
and easy pwnage while we took a look into Bredolab,
the latest botnet crackdown
.

Suggested articles