ISPs accused of tampering with web pages

April 16, 2008 – 5:37 AM

About one percent of web pages on the Internet are being changed in transit, sometimes in a harmful way, according to researchers at the University of Washington.

In a paper, set to be delivered Wednesday, the researchers document some troubling practices. In July and August they tested data sent to about 50,000 computers and discovered that a small number of Internet service providers (ISPs) were injecting ads into web pages on their networks.

They also found that some web browsing and ad-blocking software was actually making web surfing more dangerous by introducing security vulnerabilities into pages.

“The Web is a lot more wild than we originally expected,” said Charles Reis, a PhD student at the University of Washington who co-authored the paper.

The paper, which was co-written by a researcher at the International Computer Science Institute, will be delivered at the Usenix Symposium on Networked Systems Design and Implementation in San Francisco.

To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington’s website was viewing HTML that had been altered in transit.

In 16 instances ads were injected into the web page by the visitor’s ISP. “We’re confirming some rumours that had been in the news last summer, that ISPs had been injecting these ads.”

Why Small and Medium Enterprises don’t use 802.1x

April 16, 2008 – 5:00 AM

With JJ blogging about 802.1x, I thought it would be timely to talk about why I think small and medium sized enterprises (SMEs) do not and probably never will deploy 802.1x for wired networks.

I make a point of meeting with customers whenever I can. Amongst the small and medium enterprise customers I’ve met, none have shown an interest in deploying 802.1x. The reason is simple – the problems solved by 802.1x do not justify the time and pain involved to set up and maintain it. Many of these customers would love to require everyone to identify themselves prior to joining the network, and want to keep risky machines off their network. They know this makes their networks healthier and easier to maintain. But I’ve yet to meet the customer willing to endure the complexity of 802.1x to get there.

There are two security functions that 802.1x brings to the table: authentication and access control. Authentication is pretty straightforward. Prior to a device gaining access to the network a user must authenticate. (There is also an option to do device authentication, but I’ll disregard that for this post). Access control is more involved. Generally, when people talk about using 802.1x to do access control they mean assigning a device to a particular VLAN depending on the “health” of the device connecting. In the case of Microsoft NAP, this health information is sent via the 802.1x protocol.

Multiple characteristics of 802.1x make it undesirable for most SME networks. First, setting up all the components for 802.1x is an exercise only for those with time, patience and MacGyver-like IT skills. The second and more significant obstacle to 802.1x is the unfriendly end user experience that results when problems occur.

Researchers uncover undetectable chip hack

April 16, 2008 – 4:53 AM

For years, hackers have focused on finding bugs in computer software that give them unauthorised access to computer systems, but now there’s another way to break in: hack the microprocessor.

Researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.

To launch its attack, the team used a special programmable processor running the Linux operating system. The chip was programmed to inject malicious firmware into the chip’s memory, which then allows an attacker to log into the machine as if he were a legitimate user. To re-program the chip, researchers needed to alter only a tiny fraction of the processor circuits. They changed 1,341 logic gates on a chip that has more than 1 million of these gates in total, said Samuel King, an assistant professor in the university’s computer science department.

“This is like the ultimate back door,” said King. “There were no software bugs exploited.”

King demonstrated the attack on Tuesday at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, a conference for security researchers held in San Francisco.

PayPal Outlines Strategy to Slow Phishing

April 15, 2008 – 4:12 PM

Over the last few years, security researchers have estimated that fake messages from PayPal and its parent company, eBay, make up more than half of all the spam sent over the Internet. So why, you may ask, isn’t PayPal doing something about it?

Last week at the RSA 2008 conference in San Francisco, the popular payment company quietly revealed what it’s doing to stop — or at least slow — the proliferation of phishing attacks. In a paper published without fanfare at the show, PayPal outlined a multi-pronged approach that might make an impact on the huge volume of “phishmail” currently transmitted over the Web.

The paper begins with a practical premise: that phishing will never stop as long as there’s potential profit in it and that there will never be a single tool, technology, or strategy that can completely prevent it.

“We have not identified any one solution that will singlehandedly eradicate phishing; nor do we believe one will ever exist,” the paper says. Instead, PayPal offers a multi-layered strategy: “While no single layer can defeat phishing on its own, in tandem they can make a huge difference, with each layer shaving off some percentage of crime.”

In a nutshell, PayPal proposes a combination of strategies to identify and block phishmail from ever reaching the user while also warning and blocking users from accessing phishing sites. The paper also addresses other strategies such as user education, law enforcement, authentication, and phishing site shutdowns, but its primary proposal is to focus on the first two areas.

RegToy: All-purpose utility for Windows

April 15, 2008 – 2:34 PM

It used to be that you would need four or five different programs to optimize your system, clean the registry, rename files, capture screens, etc…

That was before RegToy.

RegToy is a freeware utility that is basically a collection of utilities. The program sidebar is broken up into three main categories: System, User, and Others.

The System section allows you to perform seriously arcane apothecary, such as enabling a large system cache, forcing Windows to unload DLLs from memory, setting prefetch and MFT settings, tweaking your video card settings, and more.

In the User section, you have a whole screen dedicated to tweaking Windows Explorer, as well as different customization options for your Taskbar and Start Menu, Icon settings, Logon settings, and more.

In fact, if there’s a statement that best personifies RegToy, it has to be “and more.”

We’ll let you search out what else RegToy has to offer, but if you’re looking for a window manager, registry cleaner, file renamer, screen capturer, memory and disk cleaner, and more…then you should give RegToy a shot.

One warning: the home page loads very slowly. But trust us: it’s worth the wait.

Source: Download Squad