Wednesday, December 31, 2008

A Triple-Play of Security Vulnerabilities

Taken individually, these all seem like isolated security holes. But when viewed together, these three separate stories make me question the safety of online data, the state of user privacy, and the immediate future of cloud computing.

Adobe’s Flash and Apple’s Safari Fail a Privacy Test - Bits Blog
In a paper published Tuesday, Ms. McKinley found particular problems with Safari and concluded that none of the four major browsers extends its privacy protections to Adobe’s immensely popular Flash plug-in, which is used to display Web animations and video.

Apple’s Safari fared the worst of the browsers in Ms. McKinley’s tests. When used in “private browsing mode” on a Macintosh running OS X, Safari was “quirky,” Ms. McKinley wrote, accessing some of the cookies previously stored on her computer, but not others. When used on a machine running Windows XP, Safari’s private browsing mode was not private at all — it accessed previously set cookies and did not delete any new ones.

Outdated Security Threatens Web Commerce - Bits Blog
A team of United States and European computer security researchers have used a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet.

The attack is possible because a handful of commercial organizations that provide components of the basic security infrastructure of the Internet are using an older security technology — despite years of warnings that it is now potentially obsolete. The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today’s Web browsers. It could also be used to subvert e-mail communications and other applications that use cryptographic software for authentication and security.

The demonstration underscores that the commercial infrastructure of the Internet, as well as its privacy and security, are based on an advanced branch of mathematics that in the future may become vulnerable to more powerful computing systems and more clever attackers.

Today’s browsers display a tiny image of a padlock when a user has a secure connection to a Web site. This is intended to provide evidence that the Web site is legitimate, as the browser and the site exchange digital certificates provided by a certificate authority — a trusted third party.

Researchers have proved they can create fake certificates that will be accepted by the security system.

Your Google Docs May Be Open to Hijacking
In July of this year, Google finally gave webmail users a way to make sure that Gmail always used SSL - the protocol that encrypts connections to prevent hijacking. Through a flip of a switch in Gmail's settings, users could rest assured that their email was at least less vulnerable, if not totally secure from hackers. However, Gmail is not the only Google-based web application where you may be storing personal data. Your files stored in Google Docs should be protected, too. But are they?

Who Has Secure Docs?

For many users of Google Docs, that answer is "no." According to Google's Help Topic on SSL as well as their Google Apps Edition comparison guide, SSL is a feature only made available to users of Google Apps Premier and Education Editions. However, in some informal testing on our part, it appears that users of Google Apps for Your Domain were given that option as well, despite the fact that their Google Apps edition clearly reads "Standard." For everyone else, though, Google Docs remains an unencrypted HTTP session.
