Google Chrome Will Block Out-of-Date Plugins in Future

Google has introduced automatic updates in its latest Chrome browser, but that does not seem to be enough for Google. It has gone a step further and is adding a mechanism that blocks out-of-date plugins in Google Chrome, forcing users to upgrade them if they wish to keep using those plugins.

Google has not announced an official release date for this feature, but it is expected sometime in the next few months. Alongside it, the browser will also warn users before running infrequently used plugins.

Google Chrome already supports Adobe PDF and Flash out of the box. Now Google has taken a step towards security by delivering updates for them automatically, which makes Chrome a safer browser. There are other security features in store for Google Chrome, about which Google says,

There are more ways we are attacking the problem:

• Integrated, sandboxed PDF viewing: We have announced an integrated PDF viewer plug-in running inside Google Chrome’s sandbox. This will make it harder for PDF-based vulnerabilities to result in the persistent installation of malware.
• Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update).
• Warning before running infrequently used plug-ins: Some plug-ins are widely installed but typically not required for today’s Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition.
• A next generation plug-in API: Pepper makes it easier to sandbox plug-ins.

Currently, this level of security is offered only by Firefox, which shows update notifications and will auto-update plugins in future.


Adobe Does What it is Best at: Fixing More Security Holes in Adobe Reader

This Tuesday, Adobe released a slew of updates to fix 17 security holes, all of them rated critical. One of these was being widely used to take control of computers through social engineering and malicious PDF documents. The same vulnerability was present in Flash and was fixed there on June 10.


This clearly indicates that Adobe reuses code across multiple products, and given the kind of security vulnerabilities that code carries, a hole in one Adobe product can easily be present in others as well. Thankfully, these holes were found by researchers: Didier Stevens and a researcher at NitroSecurity each demonstrated them independently as a proof of concept.

Adobe made a statement on this saying,

We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.

To counter its vulnerable code and to improve the security of users, Adobe rolled out a new update system in April this year. It seems to be effective, but we all know that patchwork is not the best practice in software development. Adobe should try making its products more secure at the core.


Is it the Information Highway to Hell?

As many of you know, the Internet is sometimes called the Information Superhighway. What most of you have not heard is that the destination of this superhighway may not be what you had hoped. Where is it leading us?

What do you consider as threats to our privacy today?

• Cookie tracking
• Shopping data
• Search data
• Personal info from registrations
• Business info from credit agencies
• Medical data
• Government data
• Comments, Forums, Social sites
• GPS location tracking
• Cameras in Streets and Stoplights
• Cameras in Stores
• Cameras in Public Areas
• Nanny Cameras
• Home Security Cameras
• Satellite tracking cameras
• and more …


Doesn’t it make sense that someday these will all be linked into the net and someone or something will be tracking your every movement? Who’s going to be watching? Governments are the obvious answer. For an example of this idea, watch “Enemy of the State”.

Another group to consider is the hacker community. They’ve discovered the profit in stealing your personal data.

If the governments and the hackers aren’t enough for you, let’s add more for you to worry about.

Your personal information is already a valuable commodity to businesses wanting to sell you products. What’s going to happen as those companies get access to ever-increasing amounts of data about you, where you are and what you are doing? Stephen Saunders at InformationWeek thinks the Internet will become:

… a sophisticated targeting system for companies to sell “stuff” to consumers, for governments to keep track of citizens, and for law enforcement to track illicit activity. In commercial terms, it will be an Internet where the user becomes the used.

I think Stephen may not be paranoid enough. After all, many are predicting the introduction of true machine intelligence by 2025. What could super-intelligent computers do with all that information about us? I’m not afraid that Skynet will nuke us, but how long can we retain any illusion of freedom when our machines know everything about us and they’re smarter than we are? Watch the movie Eagle Eye for a hint.

Bill Joy, co-founder of Sun Microsystems, expressed the same concerns ten years ago in his essay “Why the Future Doesn’t Need Us”. I remember his question:

Can we doubt that knowledge has become a weapon we wield against ourselves?

Now you might understand why I’m a little paranoid about the future. I think we’ll have a choice to become “one with the machine”, like the Borg, or become useless slaves to our technology. The governments, corporations and hackers will be the least of our worries. Welcome to the machine.

Comodo Successfully Demonstrates VeriSign SSL Exploit, VeriSign Denies in Response

VeriSign, as we all know, is one of the most popular certificate authorities for secure pages. Its SSL certificates are relied upon by thousands of businesses and it is extremely popular with banking services worldwide.

The renowned firewall manufacturer Comodo announced today that it has discovered an exploit in VeriSign’s SSL certification process and has informed VeriSign of it, but apparently its words fell on deaf ears. VeriSign has flatly denied the presence of any such exploit and replied to Comodo saying,

We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways. The pages you have accessed are merely public portals for our customers’ authenticated work to be performed.

One reason VeriSign responded in this odd manner might be that it is part of VeriSign’s strategy. First, make the news seem unimportant and avert panic among customers. Next, probably roll out a fix quietly. Given the top-notch businesses VeriSign has as its clients, this move can either put it in jeopardy or save it from a lot of trouble.

Another reason VeriSign is shying away from this is that Comodo is VeriSign’s competitor in the digital certificate business. Accepting the presence of this exploit would raise questions about VeriSign’s position as the unchallenged certification authority.

Comodo has successfully demonstrated the exploit to Ms. Smith from Networkworld. Read more at this exclusive report.

Dangerous Bug in Windows XP Turns Windows Help into Windows Hell

If you haven’t already, you need to fix your Windows XP or Windows Server 2003 machines to protect yourself against a recently discovered flaw. It’s called the HCP flaw.


Is it dangerous? Yes. All you have to do is view a specially crafted page on the net, and control over your PC can be stolen right out from under you.

Here’s what the problem is. A flaw in the Windows Help and Support Center (helpctr.exe) was discovered recently, and shortly after that, the information telling people how to take advantage of it was also published. It’s good when Windows flaws are reported, but it’s very bad when the information on how to use those flaws is also broadcast. You can bet that there are some black hats out there already infecting PCs with this new flaw.

There is a fix out from Microsoft. Go to this page and click on the Fix button to download the fix (KB2219475).


This fix isn’t a real solution. It disables the Help and Support Center in Windows, but if you are like me, you never use it anyway. Some time after Microsoft offers a real update to solve this problem, I’ll go back and re-enable the help center.

People running Windows 7, Vista, 2000 or Server 2008 are safe from this bug. The affected operating systems are:

Microsoft Windows Server 2003 Service Pack 2, when used with:
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows XP Service Pack 2, when used with:
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
Microsoft Windows XP Service Pack 3, when used with:
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

Here’s a good place to find more information on the HCP Flaw if you need it.

Many thanks to Terry’s Computer Tips for this tip.

Reddit Comes to Rescue in Car Theft Case

The Internet is a wonderful place, as it has something for everyone out there. We have seen the Internet help people in their real lives as well. We have seen Facebook reunite parents with lost kids and Twitter updates submitted as evidence in court cases, but this case I found is the best so far.


A Reddit user, maltokyo, has lost his car and is harnessing the uber-geek mind of Reddit to get it back. All he has in hand is a series of surveillance videos of the thief entering the parking area in his own car and then driving away in the victim’s car. Maltokyo wants the folks at Reddit to zoom in on the video, enhance it Jack Bauer style, and get him a match for the number plate on the thief’s car.

He has gone to these lengths after he was sent away by the police for lack of evidence. This data, if collected successfully, will be his evidence in the case. The incident has already made him something of a local hero and has featured in the local newspaper.

The guys at Reddit are trying all sorts of filters on the videos and have narrowed the search down to a few number plates in a single day. You can follow the investigation at this thread.

Facebook Uses Potentially Insecure Encryption for Email

It seems like everyone in every nook and corner of the world is after Facebook. From the privacy controversy to the recent death warrant against Zuckerberg, Facebook is having a tough time. And to add to these woes, we have John Graham-Cumming, who has written a post showing how vulnerable Facebook’s mail signing is.


Facebook emails are signed using DKIM.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

John Graham-Cumming took the DKIM header of a mail from Facebook and from it located the signing domain’s RSA public key. Passing that key to openssl, he found that it is only 512 bits long. A key that short makes the scheme, and the emails sent from Facebook, easy to tamper with, re-sign and send back to the user. Not only that, an attacker could send an email signed with that key, making it appear to come from Facebook.
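The check described above, as an added example rather than anything from the original post or from Graham-Cumming: the DKIM public key lives in a DNS TXT record as a base64 `p=` tag holding a DER-encoded SubjectPublicKeyInfo, so measuring the key means decoding that record and reading the modulus length. The two embedded records are constructed for illustration and are not real keys (the modulus is an arbitrary 512-bit or 2048-bit integer, which is all the length check looks at). The 1024-bit floor is the one RFC 8301 later made mandatory for verifiers.

```python
"""Measure the RSA key size advertised by a DKIM DNS TXT record (added example)."""
import base64
import re

# RFC 8301 requires verifiers to reject RSA keys shorter than 1024 bits;
# RFC 6376 originally only required support for 512..2048-bit keys.
MIN_RSA_BITS = 1024


def der_read(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER modulus."""
    tag, spki, _ = der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, _alg, pos = der_read(spki, 0)      # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsapub, _ = der_read(bitstr, 1)    # skip the unused-bits octet
    tag, modulus, _ = der_read(rsapub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """'v=DKIM1; k=rsa; p=MIIB...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': 'MIIB...'}."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folded TXT strings add whitespace
    return tags


def assess_dkim_record(txt: str):
    """Return (bits, acceptable) for an RSA DKIM record."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key revoked")
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, bits >= MIN_RSA_BITS


# --- constructed test data (NOT real keys: the modulus is an arbitrary integer) ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                     # keep the INTEGER positive
    return _der(0x02, b)


def build_dkim_record(modulus: int) -> str:
    """Wrap a modulus in an rsaEncryption SPKI and a DKIM1 TXT record."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
    rsapub = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, rsa_oid + b"\x05\x00") + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


WEAK_RECORD = build_dkim_record((1 << 511) | 1)      # 512-bit modulus, like the one found
STRONG_RECORD = build_dkim_record((1 << 2047) | 1)   # 2048-bit modulus

if __name__ == "__main__":
    for name, rec in ("weak", WEAK_RECORD), ("strong", STRONG_RECORD):
        bits, ok = assess_dkim_record(rec)
        print(f"{name}: {bits}-bit RSA, {'OK' if ok else 'TOO SHORT'}")
```

To run it against a real domain, fetch the TXT record at `<selector>._domainkey.<domain>` (the `s=` and `d=` tags of the DKIM-Signature header name them) and pass the string to `assess_dkim_record`; the hand-rolled DER walker avoids any dependency beyond the standard library.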

Facebook has been informed of this and it is expected that they will make some changes to prevent this exploit.

We have kept Facebook really busy over the last few months! The good old saying “with great power comes great responsibility” rings very true here.

Linux Version Of Unreal IRC Servers Contained Trojans Since 2009

In a startling revelation, the administrators of UnrealIRCd, one of the most popular IRC servers, revealed that the Linux version of UnrealIRCd contained a backdoor. The backdoor could be triggered by any user, regardless of their privileges on the server. To rub salt in the wound, the file was replaced on certain mirrors way back in November 2009 and went unnoticed until yesterday.

The backdoor works by examining and parsing incoming packets, looking specifically for the string “AB”. Any Linux command accompanied by the string “AB” would be parsed and executed via the system() function call, making it a very dangerous combination in the hands of a malicious user.

The administrators state that the following versions of UnrealIRCD are safe:

  • Official precompiled Windows (SSL and non-SSL) binaries
  • CVS versions
  • 3.2.8 and any earlier versions are not affected
  • Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe

Verifying that the version you have is not the backdoored version:

There are a couple of ways to verify that you have a legitimate version:

  • Calculate the MD5 sum

Running ‘md5sum Unreal3.2.8.1.tar.gz’ will print the file’s MD5 sum. The official version has an MD5 of 7b741e94e867c0a7370553fd01506c66, while the backdoored version has an MD5 of 752e46f2d873c1679fa99de3f52a274d.

  • Examine struct.h

Running grep DEBUG3_DOLOG_SYSTEM include/struct.h will search the header for that string. If it outputs two lines, you’re running the backdoored/trojanized version. If it outputs nothing, the version is clean.
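The two checks above, scripted, as an added example that is not the UnrealIRCd project’s own tooling. The MD5 values are the ones the advisory published and are quoted on this page; the `struct.h` fragments and file bytes used to exercise the functions are constructed for illustration and are not the real header.

```python
"""Release-integrity checks for a downloaded UnrealIRCd 3.2.8.1 (added example)."""
import hashlib
import hmac
import os

# Published checksums for the 3.2.8.1 release artefacts (from the advisory).
KNOWN_GOOD_MD5 = {
    "Unreal3.2.8.1.tar.gz": "7b741e94e867c0a7370553fd01506c66",
    "Unreal3.2.8.1.exe": "5a6941385cd04f19d9f4241e5c912d18",
    "Unreal3.2.8.1-SSL.exe": "a54eafa6861b6219f4f28451450cdbd3",
}
# MD5 of the trojanized tarball that was served from some mirrors.
BACKDOORED_TARBALL_MD5 = "752e46f2d873c1679fa99de3f52a274d"

# Identifier the advisory says appears on two lines of include/struct.h in the bad tree.
BACKDOOR_MARKER = "DEBUG3_DOLOG_SYSTEM"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_artifact(filename: str, data: bytes) -> str:
    """Return 'verified', 'backdoored', 'mismatch' or 'unknown-artifact'."""
    expected = KNOWN_GOOD_MD5.get(filename)
    if expected is None:
        return "unknown-artifact"
    actual = md5_hex(data)
    # compare_digest is habit for digest comparisons; the values are public, so
    # timing is not a concern here, but it costs nothing.
    if hmac.compare_digest(actual, expected):
        return "verified"
    if filename == "Unreal3.2.8.1.tar.gz" and hmac.compare_digest(actual, BACKDOORED_TARBALL_MD5):
        return "backdoored"
    return "mismatch"


def verify_download(path: str) -> str:
    """Classify a file on disk by its basename and contents."""
    with open(path, "rb") as fh:
        return classify_artifact(os.path.basename(path), fh.read())


def struct_h_verdict(struct_h_text: str) -> str:
    """Mirror the advisory's grep test: two matching lines => trojanized, none => clean."""
    hits = [line for line in struct_h_text.splitlines() if BACKDOOR_MARKER in line]
    if not hits:
        return "clean"
    if len(hits) == 2:
        return "backdoored"
    return f"unexpected ({len(hits)} matching lines, inspect manually)"


# Constructed fragments standing in for include/struct.h (not the real header).
CLEAN_STRUCT_H = "#define DEBUG_LEVEL 3\nstruct Client { int fd; };\n"
TROJANIZED_STRUCT_H = CLEAN_STRUCT_H + "#define DEBUG3_DOLOG_SYSTEM\n#ifdef DEBUG3_DOLOG_SYSTEM\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(f"{path}: {verify_download(path)}")
    print("constructed clean header:", struct_h_verdict(CLEAN_STRUCT_H))
    print("constructed trojanized header:", struct_h_verdict(TROJANIZED_STRUCT_H))
```

Run it as `python check_unreal.py Unreal3.2.8.1.tar.gz` after unpacking nothing; the checksum test only tells you whether the mirror swapped the file while the project’s published hash stayed intact, which is exactly what happened here. A tampered hash page, or a newer collision-based attack on MD5, would not be caught by it, which is why the signed releases the team has promised matter more than any checksum.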

What to do if you’re running the backdoored version?

If the above steps indicate you have a backdoored version, then the following steps must be taken:

Verified md5sums

Below are the verified md5 checksums:

  • 7b741e94e867c0a7370553fd01506c66 for Unreal3.2.8.1.tar.gz
  • 5a6941385cd04f19d9f4241e5c912d18 for Unreal3.2.8.1.exe
  • a54eafa6861b6219f4f28451450cdbd3 for Unreal3.2.8.1-SSL.exe

Could anything have been done to prevent this?

Perhaps. The fact that the md5sum was published on the site, and yet nothing was done, indicates that nobody bothered to verify it. You might argue that MD5 checksums could be altered too, but that would only be the case if the web server itself had been broken into; here the source files on the mirrors were altered, so the md5sum difference would have shown up.

The files could have been signed using PGP, but again, it is not clear how many people would be bothered to verify the signatures.

Response from UnrealIRCD team

The UnrealIRCd admins have come out with a full disclosure, and they should be applauded for doing that rather than covering up the matter. They have released an advisory, so keep an eye on it for any updates. They have also stated that they will start PGP/GPG signing of releases.

Learnings from the incident

Most of these have been said ad nauseam, yet they need to be repeated:

  • Never download files from unverified sources.
  • Always rely on files packaged by your distribution’s package manager.
  • If you’re downloading sources, ensure that you’ve verified their authenticity. Most projects publish MD5/SHA1 checksums; if there’s any deviation, inform the site admins.

AT&T and Apple Security Lapse Exposes iPad Users and Their Data

The year so far has proven to be ruthless for Apple. It is suffering a series of setbacks. First it loses an iPhone, then it goes on to upset Adobe, next a Wi-Fi mishap at WWDC, and finally it has resorted to what it does best: making false claims and boasting about its #fail browser Safari. Recently, Apple added one more to this list by exposing the user data of all iPad users.

Well, in reality, Apple did not expose the data, but it surely did not care enough to hide it properly. A hacking group which calls itself Goatse Security has claimed that it has access to a list of all iPad users and their data. This includes top figures from multiple sectors such as the armed forces, the music and movie industries, politics and others.

The hacker group claims access to over 114,000 accounts, obtained from an AT&T network. This gave them a list of authentication IDs and email addresses. It was achieved simply by changing the user agent to that of an iPad, and the group already has a PHP script pulling user data out of AT&T. This is clearly more of an AT&T fault than Apple’s.

This exposure is being viewed from different perspectives. Although it may not cause immediate harm, these email addresses can be targeted by phishing scams and fall prey to spammers. That is just as annoying, and AT&T has a lot of top officials at various agencies to answer to. AT&T should act responsibly in this matter if it wants to evade the heat.


iPhone Hardware Data Encryption is #fail

Apple has more than once boasted about the hardware data encryption used on its flagship iPhone. The hardware encryption uses 256-bit AES and is an in-your-face feature, as it cannot be disabled by users even if they want to.

An iPhone can be connected to a PC just like any other device, though the connection requires the standard authentication steps of a passcode and an initial pairing. Further, connecting a locked iPhone to a computer is not supposed to be possible at all.

However, all this falls within common and conventional bounds. Bernd Marienfeldt, a security officer at the UK internet exchange LINX, has discovered something interesting beyond those bounds. He saw that if he connected his iPhone to his Ubuntu-based system and rebooted the phone, he gained full read/write access to all internal files and folders, since Ubuntu auto-mounts the file system. This process does not even require the iPhone to be paired with that computer.

Although Apple has been informed of the matter, it is not certain whether they will release a fix. Apple has started investigating and is working on the assumption that this is caused by a race condition between the iPhone turning on and its file system being identified over USB.

It is funny to see how Apple has always shunned Linux, and now a basic Linux feature like auto-mounting makes its state-of-the-art defense mechanisms look completely stupid.