A) Mozilla might add Tor encryption to its Firefox web browser
MOZILLA HAS JOINED the list of technology companies to raise the US National Security Agency’s (NSA) hackles after letting slip that it is considering incorporating Tor encryption technology into its web browser.
The proof of concept for this is already out in The Pirate Browser, a product of The Pirate Bay, which offers a Firefox Tor bundle designed to access banned websites, though not specifically to protect anonymity. Tor’s web browser, too, is a version of the open source Firefox web browser.
The Daily Dot reports that several technology companies are in talks with Tor, with Mozilla said to be exploring the idea of a “private browsing mode” powered by the Tor Project. The description given of one company suggests strongly that it is, indeed, Mozilla that is looking at adding to its existing private browsing facility.
Mozilla declined to confirm or deny this, saying in a statement, “Mozilla and the Tor Project share many of the same values and goals, such as building user trust in the web and giving users more capabilities to navigate the web on their own terms. We have a long-standing relationship with the Tor Project and regularly discuss ways we might collaborate to strengthen the open web and deliver a better browsing experience for Firefox users, but have no specific projects to share at this time.”
Of course, if this does turn out to be true, it will drive the NSA, CIA and other security agencies around the world absolutely barmy, as Tor implementation would make it nigh on impossible to harvest data transmitted over the internet in the clear, as they have been doing with the Prism, Tempora and no doubt other initiatives.
Already, the FBI has spoken out against Apple’s and Google’s decisions to add encryption to their products as a barrier to its ability to solve crimes. The new Apple iPhone 6 is fully encrypted, and Google has said that encryption will protect mobile phones running the upcoming Android L.
So, at present there is nothing concrete to report, but the indication from both Tor and Mozilla is that we might see a Tor button in a future release of Firefox.
B) Why Linux Needs Malware Protection
“This is very embarrassing.” So began a post by the developers of UnrealIRCd server after finding that their software was infected with a Trojan. Another example of why enterprises should consider the safe haven of Linux? Just the opposite: The Trojan infected only the Linux version of the server software, but its Windows counterpart was clean.
Although Linux malware is relatively rare compared to attacks on Windows, it exists, and it’s steadily increasing. In fact, as far back as 2005, the amount of known Linux malware had already doubled over the course of a year to 863 programs. As Linux’s popularity grows among consumers and enterprises, so does its attractiveness to hackers.
In the process, the strategy of security by obscurity becomes less viable. So far, Linux servers appear to be targeted more frequently than Linux PCs, partly because there’s a larger installed base. The risks aren’t limited to servers and desktops, either. One recent example is Backdoor.Linux.Foncy.a, which attacks smartphones running the Linux-based Android operating system. Kaspersky Lab calls Backdoor.Linux.Foncy.a “the most striking example of a malicious program used by cybercriminals to remotely control an infected device by sending a variety of commands.”
In a sense, Linux malware today is like mobile malware circa 2002: Many businesses, consumers and analysts scoffed at warnings simply because attacks were so few and far between. But as the attacks mount, so does the need for a strategy that’s more robust than simply betting that the odds are in your favor.
Developing a Security Strategy
The good news is that many successful strategies from the Windows world are applicable to Linux.
1. Think twice about downloading free software and content even when it, the source or both appear innocuous. Ignoring that advice has facilitated hacks such as screensavers that use Ubuntu PCs for distributed denial-of-service attacks. Backdoor.Linux.Foncy.a passed itself off as the “Madden NFL 12” game.
2. Run a Windows antivirus program. Because Linux PCs are still a minority, there’s a good chance that a file is headed for a Windows machine. Windows antivirus software minimizes the chances that the Linux PC or server will facilitate malware’s spread.
3. Borrow from Ronald Reagan: Trust, but verify. For example, many Linux users trust Ubuntu’s Personal Package Archives. The potential catch is that although there’s a code of conduct, there’s no guarantee that a secretly malicious signatory won’t leverage that trust. Verification could include using only entities that have proven themselves to be trustworthy, or inspecting the files in a package for anything suspicious before installation.
There’s also a growing selection of books and Web tutorials for developing an enterprise Linux security strategy. For example, CyberCiti.biz advises: “Most Linux distros began enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless network configuration requires it, disable IPv6 or configure a Linux IPv6 firewall.”
4. Explore vendors offering Linux security services and products. There’s a good reason why they’re worth paying attention to: They wouldn’t have those lines of business if there weren’t enough threats already out there.
5. Don’t let managers and other supervisors blindly sign off on the wireless portion of expense reports. This advice is as low-tech as it gets, but it’s also highly effective — not just for Android malware, but types that target all other mobile OSs, too. Although a lot of malware is designed to harvest credit card numbers and other personal information, Backdoor.Linux.Foncy.a is an example of the types that send messages to premium-rate text message and other data services. By simply questioning why an expense report has an unusually high wireless bill that month, you could catch an infected smartphone before it has several months or more to incur unnecessary charges. In the case of Backdoor.Linux.Foncy.a, only about 2,000 Android phones were infected, but that was enough for the hackers — later arrested — to run up an estimated 100,000 Euros in unauthorized charges.
Tim Kridel has been covering all things tech and telecom since 1998 for a variety of publications and analyst firms. Based in Columbia, Mo., he still enjoys the childhood hobby that led to a career writing about technology: ham radio.
C) Google, Microsoft, or Facebook: Who Dropped The Ball With Your Online Privacy?
Google, Microsoft, and Facebook are locked in a precarious blame game about who failed with your online privacy. First, Google gets caught bypassing a security feature in Safari that allowed the company to track users despite the no-tracking settings in Safari. Then yesterday, Microsoft charged Google for doing a similar thing with Internet Explorer users. Lots of smoke so far, but is there a fire?
Google responded today to Microsoft’s accusation, saying that the search engine company was not acting unscrupulously by tracking IE users and that, instead, it’s Microsoft’s fault for not addressing a known flaw in its browser. To strengthen its argument, Google cited Facebook’s ubiquitous “Like” button found on websites and said that feature uses the same method to track user info, so this isn’t a Google problem but a Microsoft problem. Facebook basically shrugged at Google’s attempt to drag it into the mix: the social networking site insouciantly confirmed today that it is in fact using the same bypass as Google.
Consider this: Is it okay for companies like Google and Facebook to be aggressively looking for ways to exploit browsers in order to continue raking in browsing information from users as long as it falls into the fuzzy parameters of legality? Or does Microsoft have a responsibility to protect Internet Explorer users by updating their privacy protections to block aggressive info-vampires like Google and Facebook? Have your say below in the comments.
As mentioned above, Microsoft revealed that Google has been sidestepping a privacy setting in Internet Explorer in order to continue tracking users’ browsing habits even after those users selected a feature to block websites from collecting data on them. Basically, the loophole Google found involves P3P, a policy statement through which Internet Explorer checks the intent of websites like Google. While the P3P check should reject cookies from sites that don’t clearly express their purpose, Google intentionally used a vaguely defined policy statement for its cookie in order to bypass the check and still track the browsing habits of Internet Explorer users. Microsoft vilified Google after the revelation and, as you can imagine, Google was quick to defend itself.
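The mechanism in dispute is a browser reading a site’s P3P “compact policy” (the `CP="..."` value of the P3P header) and deciding whether to keep a third-party cookie. The following is an added example written for this page, not Internet Explorer’s code and not anything Google, Facebook or Microsoft published: a small checker for that header that shows the difference between a parser that ignores tokens it does not recognise (fail-open) and one that treats an unparseable policy as no policy at all (fail-closed). The token table is the P3P 1.0 compact-policy vocabulary; the “unsatisfactory” token set and the lenient/strict split are this example’s simplification of the browser rule, and the sample headers are constructed rather than copied from any real site.

```python
"""P3P compact-policy checker, fail-open vs fail-closed (added example; see lead-in)."""
import re

# P3P 1.0 compact-policy vocabulary, grouped as in the spec.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP", "COR", "MON", "LAW"}
NON_IDENT = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
            "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
SUFFIXED = PURPOSE | RECIPIENT        # may carry a/i/o (always / opt-in / opt-out), e.g. ADMa, OTRo
KNOWN = ACCESS | DISPUTES | NON_IDENT | SUFFIXED | RETENTION | CATEGORY | {"TST"}

# Simplified stand-in for a browser's "unsatisfactory policy" rule for third-party cookies:
# identifiable data used for profiling or contact, or handed to other parties.
# This set is this example's assumption, not any browser's actual table.
UNSATISFACTORY = {"IVD", "CON", "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}


def parse_cp(header):
    """Return (known, unknown) base-token sets from a P3P header value, or None if it has no CP attribute."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    if m is None:
        return None
    known, unknown = set(), set()
    for tok in m.group(1).split():
        # strip an a/i/o suffix only where the spec allows one
        base = tok[:-1] if (tok[-1] in "aio" and tok[:-1] in SUFFIXED) else tok
        (known if base in KNOWN else unknown).add(base)
    return known, unknown


def lenient_accepts(header):
    """Fail-open: tokens the parser does not recognise are simply ignored,
    so a header that names no recognised practice at all still passes."""
    parsed = parse_cp(header)
    if parsed is None:
        return False
    known, _unknown = parsed
    return not (known & UNSATISFACTORY)


def strict_accepts(header):
    """Fail-closed: a policy with unknown tokens, or with no known tokens, is treated as no policy."""
    parsed = parse_cp(header)
    if parsed is None:
        return False
    known, unknown = parsed
    return bool(known) and not unknown and not (known & UNSATISFACTORY)


# Constructed sample headers (not what any real site sent).
SAMPLE_HEADERS = {
    "declared":       'CP="NOI DSP COR NID CURa ADMa DEVa OUR NOR NAV"',
    "unsatisfactory": 'CP="NOI DSP COR IVAa IVDa OTPa OTRa BUS NAV"',
    "nonsense":       'CP="This is not a compact policy see our privacy page"',
    "missing":        "",
}


def evaluate(headers=SAMPLE_HEADERS):
    """Map each sample label to (lenient_result, strict_result), True meaning the cookie is accepted."""
    return {label: (lenient_accepts(h), strict_accepts(h)) for label, h in headers.items()}


if __name__ == "__main__":
    for label, (lenient, strict) in evaluate().items():
        verdict = lambda ok: "accept" if ok else "block"
        print(f"{label:<15} lenient={verdict(lenient):<6} strict={verdict(strict)}")
```

The “nonsense” row is the one that matters for the dispute above: a header that declares nothing recognisable is accepted by the lenient checker, because it contains no token the checker objects to, and blocked by the strict one. A privacy control that is meant to withhold data until a site states its practices has to fail closed on input it cannot parse, otherwise the declaration step becomes optional.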
But Google’s defense is basically to point the fault back at Microsoft for using outdated security settings. In a response provided to WebProNews, Google’s Senior Vice President of Communications and Policy, Rachel Whetstone, shared the following:
Microsoft omitted important information from its blog post today.
Microsoft uses a “self-declaration” protocol (known as “P3P”) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known – including by Microsoft – that it is impractical to comply with Microsoft’s request while providing modern web functionality. We have been open about our approach, as have many other websites.
Today the Microsoft policy is widely non-operational. A 2010 research report indicated that over 11,000 websites were not issuing valid P3P policies as requested by Microsoft.
Here is some more information.
Issue has been around since 2002
For many years, Microsoft’s browser has requested every website to “self-declare” its cookies and privacy policies in machine readable form, using particular “P3P” three-letter policies.
Essentially, Microsoft’s Internet Explorer browser requests of websites, “Tell us what sort of functionality your cookies provide, and we’ll decide whether to allow them.” This didn’t have a huge impact in 2002 when P3P was introduced (in fact the Wall Street Journal today states that our DoubleClick ad cookies comply with Microsoft’s request), but newer cookie-based features are broken by the Microsoft implementation in IE. These include things like Facebook “Like” buttons, the ability to sign-in to websites using your Google account, and hundreds more modern web services. It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality.
Today the Microsoft policy is widely non-operational.
In 2010 it was reported:
Browsers like Chrome, Firefox and Safari have simpler security settings. Instead of checking a site’s compact policy, these browsers simply let people choose to block all cookies, block only third-party cookies or allow all cookies…
Thousands of sites don’t use valid P3P policies…
Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure.
A 2010 research paper by Carnegie Mellon found that 11,176 of 33,139 websites were not issuing valid P3P policies as requested by Microsoft.
Microsoft support website
The 2010 research paper “discovered that Microsoft’s support website recommends the use of invalid CPs (codes) as a work-around for a problem in IE.” This recommendation was a major reason that many of the 11,176 websites provided different code to the one requested by Microsoft.
Google’s provided a link that explained our practice.
Microsoft could change this today
As others are noting today, this has been well known for years.
Privacy researcher Lauren Weinstein states: “In any case, Microsoft’s posting today, given what was already long known about IE and P3P deficiencies in these regards, seems disingenuous at best, and certainly is not helping to move the ball usefully forward regarding these complex issues.”
Chris Soghoian, a privacy researcher, points out: “Instead of fixing P3P loophole in IE that FB & Amazon exploited … MS did nothing. Now they complain after Google uses it.”
Even the Wall Street Journal says: “It involves a problem that has been known about for some time by Microsoft and privacy
So here’s one thing I’m still unclear on. That last bit from Chris Soghoian that asserts Facebook and Amazon have previously “exploited” the same P3P loophole and yet Microsoft did nothing to fix it. While I agree with the gist that Microsoft should have fixed the flaw in order to protect Internet Explorer users, that doesn’t make what Google and Facebook have done okay to do.
Facebook’s response is coy but make no mistake: these are companies led and maintained by highly intelligent people that didn’t get to where they are by happenstance. It wasn’t an accident that Facebook and Google just happened to be running loops around Microsoft’s privacy settings.
Consider this: Suppose two of my friends both get away with stealing cars from an auto dealer. My larcenous pals say they took the cars because the dealer left the keys in them. My friends don’t get in trouble, fine, but the auto dealer continues the practice of leaving the keys in the cars. So does that make it okay for me to come around and steal a car just because the dealer didn’t change their policies, and then defend myself by saying, “Well, my friends did it and you didn’t do anything about it”? Who’s at fault in this scenario?
Honestly, it doesn’t matter because all companies are at fault for something in this hot-potato blame game. Google and Facebook definitely knew of the Internet Explorer exploit and, even though they shouldn’t have taken advantage of a possible flaw in IE, they did it anyway. Microsoft also knew of the possible exploit in Internet Explorer and, whether naively or stubbornly, did nothing about it to protect IE users from sites like Google and Facebook.
Regardless of who ends up wearing the blame, it’s the people who use these services that are going to lose. Google and Facebook don’t respect your privacy enough to politely acknowledge you probably don’t want them to become your online shadow; if there’s a way for them to stab their digital proboscis into the vein of your browsing info, they’ll do it. Alternately, Microsoft doesn’t prioritize the protection of Internet Explorer users high enough to update the browser in order to prevent the Facebooks and Googles of the world from stalking people across the Internet.
To paraphrase a quote from a movie I saw recently: It’s all there, black and white, clear as crystal. You lose, internet users.