Beware of this new Chrome “font wasn’t found” hack!

Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts. This one relies on using JavaScript to change the text rendering, causing it to resemble mis-encoded text with symbols and rubbish in place of the content, then prompts the user to update “Chrome’s language pack” to fix the problem.

Continue reading

SecureStore: a .NET secrets manager

SecureStore is our open-source (MIT-licensed) solution to secrets management for .NET developers. It’s intended to be dead simple and boldly embraces the KISS principle. We’ve been using it in production for a while now (years, actually!), but hadn’t gotten around to officially releasing it despite its public availability on our GitHub page.

Continue reading

PSA: PayPal.com rejecting connections from Internet Explorer 10 and below!

PayPalThis is just a small public service announcement for any web developers or eCommerce website owners using PayPal Express Checkout to accept payments on their websites: don’t redirect your users to paypal.com, make sure you use www.paypal.com instead!

The reason is quite simple (and stupid): PayPal uses different SSL security configurations for the vanilla paypal.com domain and the www.paypal.com subdomain – and the former is incompatible with a lot of older PCs and operating systems, meaning your users will get an error message instead of being presented with the checkout options!

Continue reading

Answers to password reset questions are passwords too — so why aren’t we treating them that way?

identity-theftIf you’re a developer working on or maintaining a website catering to the general public, chances are you’ve implemented some form of password reset via security question-and-answer into your site. How are you storing the answers to these questions in your database? Are you encrypting them? Storing the (hopefully cryptographic, salted) hashes? Or are you storing them plain text?

I can’t answer for you, but I can tell you that I’ve never used a system that didn’t leave tell-tale signs of storing these answers in plaintext. Here’s the thing – if it’s possible to use these answers to reset a password, then these answers, by extension, are passwords too.

In some ways, answers to password reset questions are more important than the password itself. With the password, an attacker can compromise and gain control of a user’s account. With the answers to security questions, an attacker can compromise a user’s entire online and offline security, steal their identity, and quite-literally ruin their lives. Think about it, these same questions (mother’s maiden name, childhood best friend, street you grew up on, where you were on New Year’s Eve of 2000) are the same questions every site asks you to confirm your identity and reset your password. They’re the questions your telephone banker asks before divulging account info or letting you wire money to an international account. They’re the questions that you’ll be asked when applying for a credit card to prove you’re who you claim to be.

Continue reading

Life in a post-database world: using crypto to avoid DB writes

CryptoPossibly one of the biggest hurdles that stands in the way of fostering innovation and discovering newer and better techniques of doing old things is the ease with which developers and designers today can quickly research and find so-called “best practices.” While a quick Google search for “user table structure” or “best way to design password reset” can reduce (but never extinguish!) outlandish practices and horrific mistakes, it does nothing to encourage developers to think outside the box, and results in the perpetuation of less-than-optimal approaches.

To that end, there’s one thing in particular that virtually all documented approaches get wrong, and that’s writing to the database when you should be using modern cryptography instead. It might sound like a bit of a non-sequitur — after all, what does storing information have to do with cryptography when one usually exists only to supplement the other? Which is exactly right. Too often, you’ll find software writing to the database not because it needs to store something, but because it needs to guarantee something. Which is what cryptography is for.

Continue reading

Apple finally locks down the USB port in iOS 7

One of the basic principles of computer security is that if someone has physical access to a machine, compromising it is simply a matter of time (yes, even technologies like whole-disk encryption via GPG/PGP, BitLocker, or TrueCrypt are often still susceptible to “Evil Maid” attacks). But while all devices are vulnerable to hands-on attacks, some devices are more vulnerable than others.

Innocuous-looking USB accessories for both PCs and smartphones have long been a preferred for attacks aiming to gain unauthorized access to a machine. Devices that look like USB sticks can easily direct a computer they’re plugged into to dump data to an external device or online file storage by mimicking a keyboard/mouse, an attack no antivirus or antimalware software can prevent. Smartphones have been susceptible to similar attacks, even from something as seemingly-innocent as a regular phone charger. These hardware-based attacks have been well-documented, and while a passcode on the device can mitigate such attempts, it’s no cure-all.

Continue reading

Malware Warning

It’s our unfortunate duty to inform our readers and users that for a period of several hours some resources on the neosmart.net domain were compromised by one or more attackers unknown. By means of a vulnerability that we were not able to track in one of the scripts on our site, attackers were able to inject malicious JavaScript into resources on our site, leading to visitors to our domain being redirected to a webpage elsewhere online that instructed them to download and install a malicious plugin.

The malware has been purged from our site and resources and there is no longer any threat to our visitors. We’re still working on getting more information, but the malware in question is labeled as JS/BlacoleRef.J and JS/Blacole.A by Microsoft Security Essentials. It’s important to note that visitors to our site could not be infected without their knowledge. The malicious JavaScript in question triggered the browser to display a “do you want to install this plugin” dialog (the exact text differs by web browser make and model), and some browsers were not susceptible to the redirect attack. Users with antivirus software should also not have been at risk, as the malware in question has been blacklisted by the various companies for several weeks now.

Continue reading

Verified Accounts: Twitter’s Next Attempt at Making Money?

How much would you pay for people to know you’re really you? That the updates coming in every 2 minutes on that twitter page come from yours truly and not someone else… someone else pretending to be you?

If you’re like most people, the answer is not much. But there are people out there that really care, and with good reason. If you’re the FBI, Oprah Winfrey, or one of the million other celebrities currently on Twitter, you probably don’t want someone out there passing themselves off as yourself while posting fake updates to an account literally millions are watching.

Some people to whom money is not an issue already pay thousands of dollars for meaningless SSL certificates – something tucked away in the corner of your browser window that no one pays much attention to. But imagine if Twitter were to start offering “verified accounts” that have been authenticated as belonging to a particular person or institute… how many of these celebrity accounts would suddenly turn into cash cows for Twitter?

Continue reading

Google Abandons Standards, Forks OpenID

A couple of hours ago, the Google Security Team posted an article claiming that Google’s made the switch to OpenID, joining Yahoo! and Microsoft in the ranks OpenID providers.

But it looks like someone may have been a bit to hasty to pull that switch (perhaps itching to get some of the limelight Microsoft has been receiving for adding OpenID to all Live ID accounts just the day before yesterday)… because whatever it is that Google has released support for, it sure as hell isn’t OpenID, as they even so kindly point out in their OpenID developer documentation (that media outlets certainly won’t be reading):

  1. The web application asks the end user to log in by offering a set of log-in options, including Google.
  2. The user selects the "Sign in with Google" option.
  3. The web application sends a "discovery" request to Google to get information on the Google authentication endpoint. This is a departure from the process outlined in OpenID 1.0. [Emphasis added]
  4. Google returns an XRDS document, which contains endpoint address.
  5. The web application sends a login authentication request to the Google endpoint address.
  6. This action redirects the user to a Google Federated Login page.

As Google points out, this isn’t OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID since that’s what people want to see – and that’s what Microsoft announced just the day before.

It’s not just a “departure” from OpenID, it’s a whole new standard.

Continue reading