Wednesday, August 27, 2008

The iPhone NDA

So last night I pre-ordered a copy of Erica Sadun's "iPhone Developer's Cookbook" from Amazon. The expected ship date is sometime late in October, but I'll be surprised if that's even vaguely accurate considering the ongoing problems with the NDA. Developers are now resorting to paying each other US$1 so they can be a sub-contractor, and presumably have some sort of legal protection against Apple's legal team and the NDA, before sharing information about developing against the official iPhone SDK.

So I doubt Erica's publisher will let her release the book until the NDA is lifted, and she isn't alone in having that problem, there are no doubt a bunch of books, tutorials and other such things waiting in the wings, waiting for Apple to lift the NDA.

However it currently seems to be the case that it's not when the NDA is lifted, but if it's going to be lifted at all. In what is now being called the fourth age of software distribution, might yet more companies adopt this bullying approach? That's a faintly scary prospect for independent developers like me...

Border Gateway Protocol

Close on the heels of the publicity surrounding cookie hijacking there is now another potentially much more serious problem, this time with the Border Gateway Protocol, the core routing protocol underlying the Internet...

Wednesday, August 20, 2008

Cookie Hijacking

Things are looking a bit grim on the security side. Close on the heels of the DNS cache poisoning flaw discovered by Dan Kaminsky last month, there is now a new bogeyman, automated HTTPS cookie hijacking...


Time progression showing vulnerable DNS servers: Red dots represent unpatched servers, yellow dots patched servers with NAT problems, green dots are patched servers.

The problem has gotten a lot of attention with respect to unencrypted GMail sessions, in fact there is now a widely available automated tool which allows you to steal session cookies on HTTP and HTTPS sites that do not set the cookie secure flag.


Surf Jacking Gmail demonstration from Sandro Gauci on Vimeo

However the problem is more widespread than just GMail, although there are still problems even there, and potentially affects a much broader range of sites.

Since so many sites are likely vulnerable, the actual reporting process is probably going to fall on the shoulders of users. To check your sites under Firefox, go to the Privacy tab in the Preferences window, and click on "Show Cookies". For a given site, inspect the individual cookies, and if any have "Send For: Encrypted connections only", delete them. Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer. - Mike Perry
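The site-owner's counterpart of the browser check above, as an added example that is not part of the original post: it parses a response's Set-Cookie headers and lists the cookies that lack the Secure attribute, which are the ones a browser will also send over plain HTTP. The header values, cookie names and the example.test domain are constructed samples.

```python
# Added example: audit Set-Cookie headers for the missing Secure flag.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, attributes).

    Attribute names are matched case-insensitively; the cookie's own
    name=value pair is always the first segment and is never an attribute.
    """
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_sent_in_cleartext(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies a browser would also attach to http:// requests.

    A cookie is limited to encrypted connections only if it carries the
    Secure attribute; everything else is returned here.
    """
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name and "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample: headers as an HTTPS login response might send them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                  # no Secure flag
    "auth=tok789; Path=/; Secure; HttpOnly",             # correctly flagged
    "prefs=secure; Path=/secure",                        # "secure" is only data
    "login=xyz; Domain=.example.test; path=/; SECURE",   # flag in upper case
]

if __name__ == "__main__":
    for cookie in cookies_sent_in_cleartext(SAMPLE_HEADERS):
        print(f"{cookie}: missing Secure, sent over plain HTTP too")
```

Any session or authentication cookie this reports should be reissued with the Secure attribute.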

Of course we can't all go hide in a darkened room and realistically, unless you're a high profile target, your chance of getting caught by this vulnerability is fairly low. However potentially at least, this is serious. Your email, merchant account, banking and other personal information are potentially at risk. Right now it's not clear how widespread this problem actually is, so be careful out there...

Tuesday, August 12, 2008

Poor indexing?

Nick Carr passes on James Evans' argument in a recent issue of Science that the chief advantage of print media is "poor indexing". How bizarre...

Ironically, my research suggests that one of the chief values of print library research is its poor indexing. Poor indexing—indexing by titles and authors, primarily within journals—likely had the unintended consequence of actually helping the integration of science and scholarship. - James Evans in the Britannica Blog

Friday, August 08, 2008

Paper Phishing

So we're all used to identifying and avoiding phishing attempts via email, but what about when it happens on paper? Today I received an actual paper letter, purporting to be from one of my banks, advising me that they had contacted me some time ago and hadn't had a reply, and that due to a change in the law they needed to update the information about my extra card holder.

The letter looked genuine and included an 'Extra Cardholder Information Form' and a prepaid envelope to provide the details, and a freephone number that I could alternatively call to provide them. It went on to advise me that if I still needed my extra cardholder I must provide the information within 28 days or they would remove the extra card from my account.

So it looked genuine, except it sort of didn't. My finely tuned spider sense was tingling, if this was an email it wouldn't have even made it past my spam filter.

Despite the fact the letter had my account number on it, and was sent to my address, I was suspicious. So I called the fraud division of the bank in question, they had no record on my account of sending out such a letter, and the freephone number didn't, as far as they knew, belong to them. I'd just been the (almost) victim of a paper-based phishing attack.

Both of us were surprised, this is the first example of a paper-based phishing attack that I, and perhaps more worryingly the bank, had come across. If you get a letter that doesn't look quite right from your bank and is asking for personal information that, as far as you know, they should already have, call your bank on a number you know is genuine to confirm that it was actually from them.

It looks like the bad guys just raised the stakes, and we're now playing a new game entirely. It also looks likely that there has been some sort of major compromise with this specific bank, there were too many details in the letter to have come from a retail source. So this is your warning, keep your guard up...