OK Internet, it's time we had a talk. Not every controversy has to end in the word "gate". Seriously, it's getting so annoying.
Firstly, not every little piece of news that is a tad controversial (which is practically all of them) deserves its own name. Learn to tone it down.
Secondly, the only scandal that ends in "gate" is The Watergate Scandal. Everything else can be and should be named after something else. It is named thus as the scandal revolved around a robbery of the Democratic Party Headquarters in the Watergate Complex.
Everything else that doesn't have a "gate"-ending object central to it should be named something else. Bigotgate, Chicanegate, Digggate, Cablegate, Whitewatergate, etc. need to stop now.
!!!!!WARNING: This blog may cause your brain to explode, implode or melt!!!!! What is IMHO the side of the story the media didn't cover, if at all. My "expert" gleanings on the current state of digital security. Also, the occasional mildly to non-related tirade. Enjoy :D Feel free to contact me with feedback or if you would like more details/clarification on anything :)
Sunday, 12 December 2010
Wikileaks
So, I've been away for a while. Between having minimal to no Internet and having no electricity, I have been less than connected to the Internet. That and I am fairly lazy, but still TIA. Now on to business.
I'm sure you have all heard of Wikileaks, the purported whistle blower website. It provides people with anonymous "drop boxes", where they can submit documents detailing any wrongdoing. The site then goes on to state "our accredited journalists assess the submission. If it meets the criteria, our journalists then write or produce a news piece based on the document." It goes on further to describe ways of ensuring your anonymity when sending it via post and so forth. In theory this has provided whistle blowers with a way to expose wrongdoings. In theory.
I say purported as I do not believe it is a whistle blower site. Firstly, let us examine the concept of whistle blowing. It derives from the practice of policemen blowing a whistle to alert people around of the commission of a crime. It refers to a person who highlights something wrong that is happening, mostly in an organisation. Now, when I say wrong I mean illegal, but some people consider it to include immoral wrongdoings. So the site first came to prominence when it published the Iraq/Afghanistan War Diaries. These gave details of operations and on-the-ground realities of the wars. They did bring to light some, for lack of a better term, disconcerting revelations. These could be considered whistle blowing, but there are many grey areas, which we overlook for the sake of argument and say this is valid whistle blowing. That, my friends, is where it all ends.
The next major publication was swiftly dubbed Cablegate (hate that name, cf. this post for the explanation). This was the leak of several secret diplomatic cables between Washington DC and diplomatic missions in several countries. Here's where we go from the legally ambiguous to outright illegal and the legitimacy of these leaks as whistle blowing is a little more than questionable.
To explain, let us detail the job of a diplomatic mission to another country. Most of us are familiar with the consular services, that is issuing visas, passports, etc, but that is only their public facing role. Diplomatic envoys are representatives of their sovereign government in a, presumably, friendly nation. It is their duty to not only represent their country, but also provide their country with information about the people, mainly politicians, of that country. As part of this duty, they send back profiles, if you will, on politicians to their government. These are sent in cables, which are private communications.
Notice the emphasis on private. Not only are these communiques private, but some of them are even classified. Granted, they may not be highly classified, but classified all the same. Only a limited number of people have access to these cables and presumably such access comes with a "do not tell anybody about this" clause. This is where the illegality comes in.
Whomsoever gave these cables to Wikileaks is guilty of a few crimes, depending on which way you spin it. These range from the banal mail fraud to my personal favourite, espionage. It's not even debatable if what these people did is wrong, it just is. Most of these cables do not expose any sort of wrongdoing at all.
As stated before, diplomatic envoys report on local politicians. Although I would like to believe that these people are trained for and/or good at judging people, most of what they report is still personal opinion and conjecture. It is just inherent in this type of data. This is essentially office gossip at an international level. I'm pretty sure that someone somewhere has called their new Head of PR a "mistake-prone control freak" (my personal favourite quote out of all of the cables) and that is considered to be normal. Hence, no wrongdoing and thus no whistle blowing.
Furthermore, some of the "data" sent in the cables is nothing more than well crafted misinformation (this is completely ignoring the false cables that were released). Governments are aware that diplomats report back to their capital, as they have their own diplomats doing the same. So they may choose to feed a diplomat false information in the hope that their parent country will believe it and thus be manipulated into behaving a certain way. I will swiftly avoid any ethical or political debate by saying that all of that falls outside my purview.
Yes, I agree that there may be some cables whose leaking may have proved beneficial, but they are a minority. There is a saying in the security industry: "Even if you secure 99% of the system, you have still failed." The cables that potentially have a detrimental effect, though small in number, will have the greatest impact. Barring these, most of the cables' leakage and then release lead to nothing more than embarrassment for the governments involved.
And thus we see that the recent Cablegate (*shudder*) was basically neither legal nor legitimate whistle blowing. Effectively, Wikileaks are just fences for stolen digital data. Now this leaves us with the question of where the blame/responsibility lies. For that, I will put up another post, as it is quite a lengthy matter. That and you are probably really bored of reading this by now.
***SIDENOTE***
Just found this. No real relevance, but it's funny!
Tuesday, 10 August 2010
P vs. NP solved?
Again, I have been away for a while. I have been engulfed in my Master's Thesis (will possibly post that up as soon as it's finished), which is taking up all my time. Despite that I had to come here and write a quick post about this (it will not be to my usual standard because it is rushed). Apparently we have a solution to a Millennium Problem. Just for those who are unaware, the Clay Institute of Mathematics set up the Millennium Problems, which are 7 open questions in Mathematics. These are not just any questions, but problems that have remained unsolved for hundreds of years. These are the hardest problems in Mathematics.
Previously, a proof of the Poincaré conjecture has been presented by Grigori Perelman, a Russian Mathematician. He did in fact refuse the $1M prize that goes with the Fields Medal, but the point remains, he was the first to solve a Millennium Prize Problem.
Of the 6 remaining, a proof has now emerged to the P vs. NP problem. Vinay Deolalikar of HP Labs has presented a proof that P != (read: not equal) NP. This proof, if correct, will have a massive effect on several areas of mathematics, but especially computer science and indeed cryptography. The proof is said to be 100 pages, but I cannot confirm nor deny this. I have not yet read it, but it is bound to be long. It is currently undergoing peer review, i.e. being checked and rechecked from every angle and being torn to bits by other Mathematicians.
I will try and keep you apprised of the developments and post more details about the problem and solution when I have time. Promise.
*EDIT*
So, if you follow the link below in the comment posted by Jack, you will see some of the potential flaws in the proof. These may or may not hold and are being raised and addressed to check that the proof is robust. It may also be that there is a problem with the proof and it does not hold in its current form, but may hold with some modifications. As said before, time will tell.
Saturday, 17 July 2010
Password Storage
As you may or may not know, I have previously had a few not so pleasant words for people's activities on Facebook (cf. this post). I'm sure most people will agree that some people post unbelievable things on Facebook. Granted, some of it is user error, some of it is the interesting phenomenon called "Facebook rape" or simply "frape", but most of it is intentional. This has led to the development of two very similar sites, lamebook and failbook. The content is not all about people posting inexplicable things, but that is the gist of it. These sites have provided me with many hours of entertainment.
Now, you may be wondering what this has to do with password storage. This post is the link. So Ally stored all her passwords in a file, which I will for the sake of argument call pwd.doc. Now at this point that's a really bad idea. But then Ally thought about securing this file so she password protected it. Of course the most brilliant part is putting the password into the file itself, which as stated in the comments is like locking a copy of the key into a treasure chest. The pointlessness of that aside, Ally has now forgotten the password for pwd.doc, which is a bad thing.
What Ally has done is essentially a quick and easy password locker. The security of it is debatable as Word document passwords can be relatively easily cracked. That aside, it is an excellent solution for what is just a bad situation. A recent study has shown that people have about 25 accounts requiring passwords and an average of 8 passwords. Each of these accounts has varying specifications for length, characters used, frequency of change and so on. This leads to sheer overload for the human brain.
The instant response is for people to write down all these passwords (as shown in the comments on the posts), which then creates a security threat. So the natural solution to that is a password locker. Instead of writing it all down on a piece of paper, you store it digitally and encrypt it. Which is a password locker. There are several of these available on the net, ranging from free to £15 to any amount somebody thinks they can get away with. There are several issues to consider when creating a password locker, but that is for a later post. So Ally has essentially got a DIY password locker, which is now locked.
However, this was posted on Facebook, so that means that either:
a) Ally's Facebook password is stored in the browser,
b) Ally has the "Remember me" option ticked,
c) Ally remembers the password.
Going through each option one at a time, first up we have browser storage. Most people use their browser's password storage system, which stores passwords and then fills them in automatically to forms in web pages. This is an issue because a browser exploit could find all your passwords and we all know where that leads to. So door 1 has a goat behind it (for those of you unfamiliar with that reference, cf. The Monty Hall Problem).
Let's look at the next option, "Remember me", which was covered in a previous post, in the 6th paragraph. So another goat.
Finally, we assume Ally remembers the password. Well then, we can safely say it is more memorable than the password for pwd.doc. If we assume both passwords are equally memorable, then we can rule out this option. So we have a car, sort of. Let's say a goat-pulled car.
I could go on and on at length about passwords and their implications, but let's be honest, you'd rather hear it from someone. Bruce Schneier has several posts about passwords on his blog. Have a read through there if you are interested.
---NOTE: I will still post something about password lockers---
Wednesday, 7 July 2010
Another side-note
Well, I have previously pointed out how TV tries to use cryptography as a plot point and fails massively, but I found a counter-example. I have recently started watching Numb3rs, and by recently I mean I'm only on Season 1 Episode 5. Which is the exact episode I want to talk about, well not really talk about in as much as I want to mention that they pretty much got the details of how cryptography works right. There was a slight lack of finesse in it, but overall the general idea was conveyed. Needless to say this made me happy. Apart from that, as far as I can tell most of the math they do/show/explain on the show is fairly accurate. Looks like I have a new TV show to watch.
*EDIT*
Season 1 Episode 6, same as above.
Sunday, 6 June 2010
Really, Google? Really?
So it has recently come to light that Google will, according to this article, phase out Microsoft Windows in favour of Mac OS X or Linux on the company machines. They are claiming that this is a security measure, citing the attacks on Google's Chinese operations recently. At this point in time I really have to wonder, what in the name of the seven deep dark pits of Hell are you not thinking, Google? You could not be more wrong if you tried (yes, this annoys me so greatly my grammar is out the window.)
If you will allow me to explain for a moment. A few months ago, Google, amongst other large tech companies, was attacked by what became known as the Aurora Attack. An employee in Google China clicked on a link he received in an e-mail. I will assume it claimed to be an amazing picture of the Aurora Borealis or something of that nature. By clicking this link, he then infected his system and this spread throughout Google's network.
Now if we focus on the attack itself. Aurora is a Windows-based IE6-specific buffer overflow attack. This gives us 3 things that are needed for this attack to work:
- Windows
- IE6
- Buffer overflow attack
Next point is IE6, the all too famous Internet Explorer 6. The bane of all web developers and the love of all its users. As with XP, it does not have any real security features built into it. In IE7 and IE8, there are some security features added in, but I am not sure what they are as I have not done a proper study, nor have I looked for any details. The point remains both IE7 & 8 were available at the time, as were Mozilla Firefox, Opera and of course Google's own Chrome browser. So not only were they using an unpatched OS, they were using an old outdated internet browser, despite having a browser of their own, which they will smugly tell you is more secure. It is undoubtedly more secure, so why it was not used escapes me totally.
Then we move on to buffer overflow attacks, which are well explained by my colleague in his blog post. I would also recommend his post on ASLR/DEP.
There is also the matter of the Chinese activists getting their GMail accounts hacked. Well, what happened there is simple. Ever wonder how websites "remember you" and all your details? Simple, when you check the "Remember me" or "Keep me logged in" box, what the website does is store a small text file, called a cookie, with all your details on your computer. When you next visit the website, the browser loads up the cookie, passes on your details to the site and thus in a manner of speaking does the log in for you. Until recently GMail was based on HTTP and not HTTPS, meaning all cookies were passed around in the clear, as were all other communications. Given this situation it is fairly easy to intercept the packets going between GMail and your target and thus hack into their accounts.
Now, if we look at the choices of OS the employees have, we see Mac OS X and Linux. Google seems to think these are more secure. Well, here's news for you Google, THEY'RE NOT!!! Honestly! As much as Apple advertisements would like to convince you that there are absolutely no viruses/malware for Mac, there are, just not as numerous as for Windows. "Why?" you ask me? Well, it's simple: 80% of OSs out there are Windows, so it's a numbers game, more targets means a larger chance of succeeding. It's pure and simple statistics. The same applies for Linux. Linux, on the other hand, has a more unique problem. Since all the code is open source and freely available, someone could use the code to find a really nasty vulnerability. Granted that the code is a gajillion pages long, but the possibility still exists.
So, all in all, it really doesn't matter what Operating System Google uses, they all have vulnerabilities. Furthermore, if they don't keep up to date with the software patches and use secure versions of software, well then in my opinion they deserve to be attacked. Repeatedly. Citing "security reasons" for changing from Windows is the worst possible excuse Google could have come up with. Really, Google? GROW UP!
Tuesday, 1 June 2010
Yes, I know I've been gone for a while, but I was busy. My apologies. Now that I am back, I will update more frequently. Now down to the matter at hand.
I'm sure most, if not all of you use or are aware of Facebook. Just as a brief recap, Facebook is a social networking site that allows you to add friends, communicate with them, play games, blah, blah, blah. To explain the problem at hand, we need to discuss some features of Facebook. The first one is Groups. Now a Group is basically a group of people brought together by some common theme, such as this group about potatoes. What people soon did was make groups for celebrities, fictional characters, TV shows, movies and so on and so forth. Facebook thought "Well, this can't be right!" Thus were born fan pages. It's essentially a group with limited functionality, such as no messaging to all members.
Now, when a friend becomes a fan of something you get a message in your newsfeed saying "Friend is now a fan of Something." With your friend's name as a hyperlink to their profile page and similarly the name of the page links to the page itself. Of course Facebook changed "Become a Fan" to "Like", thus making it "Friend now likes Something."
However Facebook did not stop there. No, that would be easy and the sensible thing to do. They then went and did possibly the worst thing possible. They allowed the fan page hyperlink to direct you to an external website!!! So now you can click on a page and you would be whisked off Facebook and taken to some other website.
Now where's the problem you ask? Surely Facebook checks all of these sites and ensures that they are safe and all that jazz. Sadly not. A large number of sites exist where simply visiting the site makes you Like it on Facebook and publishes that to your friends' newsfeeds, who then click on the link, and so a worm is born. This has a non-destructive payload, but it is definitely proof of concept.
What's even worse, in a reaction to exceptionally long page names, somebody posted a page on how to remove them from your newsfeed. This led to a site, which then issued a pop-up saying "I don't know either!" Really funny right? Yes, because these sites can actually execute arbitrary code and do essentially anything. The main concerns here are Clickjacking and Cross-Site Scripting. These can be used to do, well, potentially anything to your system.
Ironically as I am writing this post, I have come across this blog post from Sophos' Graham Cluley. This shows that it is possible and it has been done. I will leave you to read that, as, well, his post is probably better than mine will ever be.
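As an added example (not the blog's own code), here is a small Python audit of an HTTP response head for the two header-level weaknesses this page touches on: a "Remember me" cookie set without the Secure attribute, which a browser will send over plain HTTP where it can be read off the wire (the GMail situation in the Google post above), and a page with no X-Frame-Options or CSP frame-ancestors protection, which is what a clickjacking "Like" page relies on. The two sample responses are constructed, and the cookie name is an assumption.

```python
"""Audit an HTTP response head for two header-level weaknesses:

1. Cookies set without Secure (sent over plain HTTP, readable on the wire)
   or without HttpOnly (readable by script injected via XSS).
2. No framing protection (no X-Frame-Options, no CSP frame-ancestors),
   which is what clickjacking / "likejacking" pages rely on.

Added example; the sample responses below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Header = Tuple[str, str]


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


def parse_head(raw: str) -> List[Header]:
    """Split a raw response head into (lowercased name, value) pairs.

    Repeated headers such as Set-Cookie are kept as separate pairs; a dict
    keyed on the name would silently drop all but one of them.
    """
    lines = raw.strip().splitlines()
    pairs: List[Header] = []
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():            # a blank line ends the head
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute lowercased: value}) for one Set-Cookie.
    Flag attributes such as Secure and HttpOnly appear with an empty value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(pairs: List[Header]) -> List[Finding]:
    findings: List[Finding] = []
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cname, attrs = cookie_attributes(value)
        # A "Remember me" cookie is persistent (Expires/Max-Age); leaking a
        # long-lived login token on the wire is worse than a session one.
        persistent = "expires" in attrs or "max-age" in attrs
        if "secure" not in attrs:
            findings.append(Finding(
                "high" if persistent else "medium",
                f"cookie {cname!r} lacks Secure: the browser will send it over plain HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding(
                "medium", f"cookie {cname!r} lacks HttpOnly: readable by injected script"))
    return findings


def audit_framing(pairs: List[Header]) -> List[Finding]:
    xfo = [v.strip().upper() for n, v in pairs if n == "x-frame-options"]
    csp = " ".join(v for n, v in pairs if n == "content-security-policy")
    has_frame_ancestors = "frame-ancestors" in csp.lower()
    if has_frame_ancestors or any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return []
    if xfo:
        return [Finding("medium", f"X-Frame-Options {xfo[0]!r} is neither DENY nor SAMEORIGIN")]
    return [Finding("high", "no X-Frame-Options or CSP frame-ancestors: "
                            "any site can frame this page (clickjacking)")]


def audit_response(raw: str) -> List[Finding]:
    pairs = parse_head(raw)
    return audit_cookies(pairs) + audit_framing(pairs)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: remember_me=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: remember_me=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; Secure; HttpOnly
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The weak response yields three findings (missing Secure, missing HttpOnly, no framing protection) and the hardened one yields none; the same check can be run over the head of any captured response.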
Right, so having been a bit scared, what do we do? Simple:
DO NOT LIKE RANDOM PAGES!!!
DON'T DO IT!!!
DON'T DO IT!!!
Seriously, don't!