Tuesday, March 22, 2011

Adobe fans - get ready for the patch


Amplify’d from nakedsecurity.sophos.com

Adobe fans - get ready for the patch but watch out for the scams

Adobe has been in the news this week after alerting Flash, Acrobat and Reader users about a forthcoming out-of-band patch for its products.

By wrapping a Flash file in an Excel spreadsheet, potential attackers have demonstrated a remotely-exploitable vulnerability.

(The attack doesn't seem to be in-the-wild, and the exploit files I've heard of seem to rely on a sequence of already-known and already-detectable malicious operations, so there is no cause for alarm. But do look out for the Flash patches when Adobe publish them next week.)

One of the side-stories to this Flash-in-Excel risk is the suggestion that the creators of the exploit chose Excel as the container, instead of the more common PDF, because the exploit couldn't be made to work on computers running Adobe Reader X.

The good news, says Adobe proudly, is that the new Reader X security sandbox would prevent this attack. On Windows, anyway. Mac and Linux users aren't sandboxed yet.

The bad news is that any broadly-publicised good news about product Y is easily exploited by scammers. If people are positive about Y, and a new version of Y is being talked about in the same breath, then scammers rush to offer you Y, but under false pretences.

And that's just what Naked Security reader Wez reported to us today. He received an email offering him the very latest releases of the amazing Acrobat X:

The email explicitly claimed to come from Adobe in Ontario:

It didn't, of course. This scam is similar to a Fake Anti-Virus (FakeAV) ripoff, except that the hokum product is a program to process PDF files.

Like FakeAV, the site is very thin and shallow, consisting of little more than a home page, a generic "privacy policy" which gives no company information at all, and a range of download options that all lead to the same page:

The next page, of course, is where you pay:

Who knows what you'll get? You certainly don't get a download link if you don't pay, so there's no evaluation period for this product. But if you do pay, you're promised - for two days only - a FREE GIFT!!!

Guess what? The free gift software you're being offered is OpenOffice. It really is free. Always. In fact, you can download it free right now from the openoffice.org website.

It's no big leap to assume, in fact, that the whole deal you are being offered is OpenOffice. After all, OpenOffice itself lets you edit and create PDFs. In that case, you'd be buying OpenOffice and getting it for free at the same time.

Don't pay for free software. You're giving scammers money and undermining the reputation of the free software.




About the author


Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. (Try saying that quickly.)

Email him in the Sydney office or follow him on Twitter at @duckblog.

Read more at nakedsecurity.sophos.com
 

Twitter goes secure


Amplify’d from nakedsecurity.sophos.com

Twitter goes secure - say goodbye to Firesheep with "Always use HTTPS" option

Good news on the social networking security front is that Twitter has finally got its act together to offer an Always use HTTPS option.

If you turn on this option, all of your personalised interaction with Twitter will be encrypted - not only while you are logging in, but also while you are posting tweets.

A lot of people fail to recognise the value of using HTTPS on Twitter. As long as your username and password are sent over HTTPS, so no-one can sniff them out of the ether, who cares if your tweets go over plain HTTP? After all, a tweet is meant to be public.

The problem is that once you have logged in, Twitter sends your browser a session cookie. This is a one-time secret. It is unique to your account and the current session.

Because your browser retransmits this session cookie in all future requests to the Twitter site, Twitter can see that it's you coming back for more. So you don't need to put in your username and password for every single tweet you send. You log in once, and the session cookie identifies you for the rest of the current session.

Unfortunately, if you log in to Twitter over unencrypted WiFi - e.g. at a coffee shop or an airport lounge - then anyone who can sniff your session cookie can pretend to be you. That means they can post tweets as you. And you don't want that. (It happened to Mr Demi Moore, a.k.a. Ashton Kutcher, recently, no doubt to his considerable embarrassment.)

Turning on full-time Twitter HTTPS keeps your session cookie encrypted throughout your login session. This is definitely what you want.

Don't forget that it's not just experienced hackers who can sniff Twitter cookies and use them to impersonate you.

The infamous Firesheep plugin to Firefox automates this cookie-stealing process - known as "sidejacking" - so that anyone who can use a browser can do it.
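The sidejacking exposure described above comes down to one thing: a session cookie that the browser will attach to plain HTTP requests. The following is an added illustration (not code from Naked Security or Twitter) that models the browser's Secure-cookie rule and audits constructed Set-Cookie headers for a session cookie that would travel in the clear; the header values and host names are made up for the example.

```python
"""Model whether a browser would send a session cookie over plain HTTP."""
from urllib.parse import urlsplit

# Constructed sample responses (not real Twitter headers). The weak one sets the
# session cookie without the Secure attribute, so the browser will happily send
# it on any http:// request; the hardened one adds Secure and an HSTS header.
WEAK_RESPONSE = {
    "Set-Cookie": ["_session=abc123; Path=/; HttpOnly"],
}
HARDENED_RESPONSE = {
    "Set-Cookie": ["_session=abc123; Path=/; HttpOnly; Secure"],
    "Strict-Transport-Security": "max-age=31536000",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def browser_sends_cookie(attrs, request_url):
    """RFC 6265 rule: a cookie marked Secure is only sent on https:// requests."""
    scheme = urlsplit(request_url).scheme.lower()
    if attrs.get("secure") and scheme != "https":
        return False
    return True


def audit(response):
    """Return findings for cookies a sniffer on open WiFi could capture."""
    findings = []
    for header in response.get("Set-Cookie", []):
        name, _, attrs = parse_set_cookie(header)
        # Hypothetical plain-HTTP request to the same site after login.
        if browser_sends_cookie(attrs, "http://example.com/home"):
            findings.append(f"{name}: sent over plain HTTP (missing Secure)")
    if "Strict-Transport-Security" not in response:
        findings.append("no HSTS: browser may still issue plain HTTP requests")
    return findings
```

Running `audit(WEAK_RESPONSE)` reports both problems, while `audit(HARDENED_RESPONSE)` returns an empty list; the Secure attribute is what an "Always use HTTPS" setting has to put on the session cookie for the protection to hold.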

To enable this new Twitter option, go to your Settings page.

At the bottom is the new Always use HTTPS option. Turn it on and click [Save], and then [Save changes].

Do it today.

(Note: as a commentator below points out, it's not clear if, or how, non-web-browser Twitter clients will support this new option. If in doubt, please ask the vendor of your Twitter client, or follow the Simplicity Principle and stick to using your browser when tweeting.)




