Tuesday, 25 January 2011

Security Digest #16

A Time Of Contrasts

The first story from January's Security and Privacy archives is reminiscent of a certain Wikileaks / Facebook platitude, recently memed via Saturday Night Live's Bill Hader, speaking in the persona of Julian Assange (emphasis mine):
I give you private information about corporations.
For free.
And I'm a villain.
Mark Zuckerberg gives your private information to corporations.
For money.
And he's Man of the Year.

Honour Among Hackers

All of which leads us to consider these several and various attitudes towards device jail breaking, as recently exhibited by Apple, Sony, and Microsoft.

Apple tried first in 2009 to have the jail breaking of the iPhone ruled illegal under America's Digital Millennium Copyright Act (DMCA). The land of the free disagreed, and in July 2010 went further by declaring there was "no basis for copyright law to assist Apple in protecting its restrictive business model." The iPhone was of course first hacked by George Hotz...

Next up came Sony, in the wake of the 27th Annual Chaos Communication Congress and the comprehensive obliteration of its PS3 security system, at the hands firstly of the fail0verflow group, and the subsequent samurai sword strike from the hand of... George Hotz. Sony's response, described by the Electronic Frontier Foundation as "sending a dangerous message to researchers and gamers", was to sue everyone involved. Not only with the DMCA hammer, but also with a highly creative slew of Computer Fraud and Abuse claims.

Finally, having already leaked details of their upcoming fix for the ChevronWP7 hack, Microsoft - predictably enough - reacted to a post by who-else-but George Hotz, threatening next to break Windows Phone 7 "in a way they won't like". The reaction of this particular giant multinational corporation was...

...to offer the hackers free T-shirts. And a free phone. Also, to offer a meeting, for the purpose of discussing how Microsoft might in future support “homebrew” apps, in a way that benefits all parties.

This just might turn out to be a very shrewd way to start building a much needed, fiercely loyal, customer base.

Photo source: istartedsomething.

The Hack List 2010

PCWorld Magazine's Business Center carries Tim Greene's report on the Top 10 Web Hacking Techniques of 2010, as voted by a panel of experts and open voting:
  1. Padding Oracle Crypto Attack
  2. Evercookie
  3. Hacking Autocomplete
  4. Cache Injection HTTPS Attack
  5. CSRF Bypass via ClickJacking / HTTP Parameter Pollution
  6. IE8's Universal XSS
  8. JavaSnoop
  9. Firefox CSS History Grab
  10. Java Applet DNS Rebinding
#1 was covered previously in my Twenty Questions post. For useful details on the rest, see Tim's article. The list was sponsored by Black Hat, OWASP and White Hat Security, and will be the subject of a presentation at the IT-Defense 2011 conference in Germany next month.

M'learned colleague Scale This! draws attention to the ITProPortal story, Microsoft Suffers Cloud Data Breach, with the comment that it's really about web app security. Backtrack to PCWorld, where we find Microsoft Cloud Data Breach Heralds Things to Come.

The issue, it emerges, has nothing to do with hacking, legal or otherwise. It's been a simple matter of misconfiguration of BPOS. Nothing uniquely cloudy about that, aside from the prevailing weather conditions above the head of some poor IT guy somewhere.

It may indeed be a herald of things to come. Maybe in today's computer journalism, "The Cloud" is already interchangeable with "The Server"?

That's January's wrap.
