Hello and welcome to the CERTStation Podcast for the 21st week of 2010. I am Jay Johnson and these are the headlines:
New phishing attack exploits tabbed browsing (pause)
Google secures their search engine with SSL encryption while
IBM hands out infected USB drives at security conference (pause)
FIFA warns over World Cup ticket scams and finally
A flaw in Facebook lets hackers delete your Facebook friends
And now for this week's newswire details.
Aza Raskin, Creative Lead for Mozilla's Firefox, has demonstrated a new phishing attack which exploits tabbed browsing. In the attack, a normal page, with
the attack script embedded, is loaded and displays as expected. But, when the user selects another tab or window in their browser, the attack script detects
the shift in focus. As the focus changes, it substitutes the favicon and title of the page and then loads a fake login page into the tab. In Raskin's example
with Gmail's icon, title and login page, the user, viewing their tabs, would see a Gmail favicon and title and upon returning to the tab would be faced with
what looks like a Gmail login page. The attacker then hopes that the user will assume they have been logged out and need to log back in again. Raskin
suggests a number of ways the attack could be improved, for example by using CSS history mining to present fake pages and favicons that the user might
regularly visit, detecting if a user is logged into a service or modifying the presented page to suggest that the user has been timed out by a service. The
attack is described by Raskin in a blog posting that includes a safe example of the attack. In the post he suggests that this type of attack could be
mitigated by developments such as Firefox Account Manager where the browser takes a more active role in protecting the user's identity and credentials.
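As an added illustration of the detection side of this story (example code written for this page, not Raskin's demo or Mozilla's code): a small page-identity monitor that records a tab's title, favicon and URL, and reports any of them that changed while the tab was hidden. It uses the Page Visibility API (visibilitychange) rather than the window blur/focus events of the 2010 demo, and in practice would be shipped as a browser extension or userscript, since a hostile page would not include it itself; the comparison logic is pure so it also runs under Node.

```javascript
// Added example (not from the podcast or from Raskin's post): defensive monitor
// for the tabnabbing technique. It snapshots the tab's identity and compares it
// when the tab becomes visible again. detectTabnab() is pure so it runs anywhere.
const WATCHED = ['title', 'favicon', 'url'];

function snapshotPage(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    url: loc.href,
  };
}

// Returns the identity fields that differ between two snapshots.
function detectTabnab(before, after) {
  return WATCHED.filter((k) => before[k] !== after[k]);
}

// One-line warning text, or null when nothing changed while hidden.
function describeChange(before, after) {
  const changed = detectTabnab(before, after);
  if (changed.length === 0) return null;
  return changed.map((k) => `${k}: "${before[k]}" -> "${after[k]}"`).join('; ');
}

// Browser wiring; returns false and does nothing when there is no DOM (e.g. Node).
function installMonitor(doc = globalThis.document, loc = globalThis.location) {
  if (!doc || !loc) return false;
  let lastSeen = snapshotPage(doc, loc);
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      lastSeen = snapshotPage(doc, loc); // what the user saw before switching away
    } else {
      const msg = describeChange(lastSeen, snapshotPage(doc, loc));
      if (msg) console.warn('Page identity changed while tab was hidden: ' + msg);
    }
  });
  return true;
}

installMonitor();
```

Note that the URL does not change in this attack (the page rewrites itself in place), so the title and favicon are the signals worth watching.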
(pause)
Google has announced that it has an alternate homepage that supports SSL encryption to secure the information transmitted from a user's browser to the
company's servers. Users can access the secured search page by simply visiting https://www.google.com, a URL that uses the https scheme name. The standard search
page, however, uses http and will continue to transmit data as clear text. According to a post on the Official Google Blog by Software Engineer Evan Roseman, the
service is currently labeled "beta" for a few reasons, the main reason being that it only covers the company's core web search product. Additionally, links
to several of Google's other offerings, such as Image Search and Maps, will not be shown as they don't currently support SSL. Roseman says that, as SSL
connections require additional time to set up the encryption between your browser and the remote web server, searching over SSL may be slightly slower than
your regular Google search experience. It is also important to note that clicking search results or links to other Google services will take users out of
SSL mode. Unlike its Google Mail email service, which enabled SSL connections by default in January, the Google SSL search beta is an alternate page rather
than a default. The company is also quick to point out that this doesn't mean that it won't be collecting search data, saying that "searching over SSL doesn't
reduce the data sent to Google, it only hides that data from third parties who seek it."
(pause)
At this week's Asia Pacific Information Security Conference in Australia, IBM handed out infected USB Flash drives to attendees. The incident is revealed in
an email sent by IBM to all delegates to the conference which has been published on the Beast Or Buddha blog. The email suggests that all USB drives handed
out from the IBM booth are infected with a piece of malware that was first detected in 2008. The malware is contained in the setup.exe file and, unless
detected and blocked by anti-virus software, runs automatically when connected to a Windows workstation or server. In case of infection, the email includes
instructions for disinfecting systems. IBM says that it regrets any inconvenience that may have been caused. The company has not revealed how the malware
came to be on the USB drives and has not responded to speculation that it wanted to test the security measures employed by visitors to the conference.
(pause)
World football body FIFA has underlined stern warnings to anyone buying last minute tickets for the forthcoming World Cup tournament in South Africa: buy
from a non-authorized source and you stand a good chance of being scammed. Ticket scams are now a major headache for almost any event with music and
sporting events the commonest targets, but that hasn't stemmed the tide of willing victims for one of the simplest crimes going. Specifically, FIFA draws
people's attention to a recurrent email which claims users have won tickets in a prize draw and which requires upfront payment. Other scams include bogus
websites, fraudulent travel package firms, and individual touts trying to offload tickets they almost certainly do not possess. According to FIFA, tickets
other than those sold through packages can only be bought from the organization's website, fifa.com, or in South Africa from the national football
association. An official list is available on the organization's website, though unhelpfully the supplied link led to a 404 when Techworld tested it. A list
of authorized tour operators for each country is available online. Alternatively, if in doubt, the organization can be emailed at enquiries@2010fwctc.com.
Buying from eBay sellers is something users should do only at their peril.
(pause)
The Facebook security gaffes keep coming, with the latest being a bug that allows hackers to delete all of a user's friends on the site without permission, according
to IDG News. The flaw was reported Wednesday by college student Steven Abbagnaro, but some 48 hours later it could still be exploited to delete an IDG
reporter's Facebook friends. Abbagnaro has written proof-of-concept code that uses publicly available data from Facebook to systematically delete all of a
user's friends. The CSRF, or cross-site request forgery, bug that makes all this possible is the same one reported earlier this week that exposed user
birthdays and other sensitive data even when they were designated as private. Facebook representatives had said company engineers had closed the hole, but
that pronouncement was premature. The flaw could still be exploited to control the site's "like" feature, a button users click to endorse ads and other types
of content.
If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.