Friday, January 6th, 2012

Why Aren’t Chromebooks Saving Password Changes?


There’s something weird going on with Chromebooks – the Google-branded laptop computers powered by the company’s web-based operating system Chrome OS. They’re not saving the password changes you make to your Google account. Basically, if you change your password, shut down your machine, then reboot, the Chromebook will ask you for your old password instead of the new one.

The problem has to do with Google’s sessions being persistent (that is, they don’t log you out), and it leads to a relatively minor security threat: anyone wanting to take advantage of it would need physical access to your Chromebook. In the grand scheme of things, that puts this threat on the low end of the risk spectrum. However, because Chromebooks are pitched as low-cost, secure, easy-to-use alternatives to traditional laptops for businesses and educational institutions, it’s important to highlight issues such as this to make the community aware.

Also, I just think it’s annoying.

Having experienced the problem myself after a tip from my former colleague Audrey Watters who covers the edu-tech space at Hack Education, I reached out to security professionals to determine its severity.

Roel Schouwenberg, the Senior Researcher at Kaspersky Lab, who will also be speaking on the topic of Chrome OS security at the upcoming RSA Conference 2012, looked into the problem. He found that this occurs because your Google password is used for local authentication, too.

“This is why you can log onto your Chromebook even when it has no Internet connection,” he explains. But when you change your Google password, that change is not immediately communicated back to the Chromebook, even though the new password is active for all your online services.

This is the case even if you change your Google Account password on another device. The old password is stored in the Chromebook’s local authentication, so the computer will ask for the old one. To work around this issue, you have to sign out of your Chromebook session on the device while you’re online, then sign back in to force the sync of the new password that’s already active elsewhere.
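To make the stale-cache window concrete, here is an added toy model in Go of the behaviour just described; it is not Chrome OS code and not from the original post, and the account, device, salted hash and sample passwords are all constructed assumptions:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Hypothetical model of the behaviour described above, not Chrome OS code:
// the device keeps a salted hash of the account password so that sign-in
// works offline, and refreshes it only on an explicit online sign-in.
type Account struct{ password string } // stands in for the Google account
type Device struct {
	salt [16]byte
	hash [32]byte
}

func (d *Device) store(pw string) {
	if _, err := rand.Read(d.salt[:]); err != nil {
		panic(err)
	}
	d.hash = sha256.Sum256(append(d.salt[:], pw...))
}

// Unlock is the check at the login screen after a reboot: it consults only
// the local cache, whether or not the device happens to be online.
func (d *Device) Unlock(pw string) bool {
	h := sha256.Sum256(append(d.salt[:], pw...))
	return subtle.ConstantTimeCompare(h[:], d.hash[:]) == 1
}

// SignInOnline is the workaround from the post (sign out, sign back in while
// online): the account checks the password and the local cache is refreshed.
func (d *Device) SignInOnline(a *Account, pw string) bool {
	if subtle.ConstantTimeCompare([]byte(a.password), []byte(pw)) != 1 {
		return false
	}
	d.store(pw)
	return true
}

// Scenario replays the post's sequence and reports, in order: old password
// still unlocks after the remote change, new password is rejected, then after
// the online re-sync the old password is rejected and the new one unlocks.
func Scenario() [4]bool {
	acct, dev := &Account{password: "old-secret"}, &Device{}
	dev.SignInOnline(acct, "old-secret") // first sign-in while online
	acct.password = "new-secret"         // changed on another device
	var r [4]bool
	r[0], r[1] = dev.Unlock("old-secret"), dev.Unlock("new-secret")
	dev.SignInOnline(acct, "new-secret") // the forced re-sync
	r[2], r[3] = dev.Unlock("old-secret"), dev.Unlock("new-secret")
	return r
}

func main() { fmt.Println(Scenario()) } // [true false false true]
```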

But security-wise, an attacker would have to know your old password and have physical access to your Chromebook in order to be a threat. And even then, there isn’t much of a threat: you still have to re-authenticate with any Google service before getting connected to, say, your Gmail or Google Docs.

So while you could call this a security issue, it’s really more of an annoyance. From an I.T. support standpoint, however, I could see this being a hassle for Google Apps admins who have to help users who can’t figure out why their new password doesn’t work. (One thing I learned from my handful of years in I.T.: no one is immune from experiencing password reset issues. Having passwords that don’t immediately update even when you’re online would only compound the problem.)

In online discussions of the issue, folks who didn’t force the refresh on their own (you know, normal people), reported seeing sync delays of 24 hours even up to four days or a week. That seems high, though, and it’s hard to know how long these delays are normally without further investigation (underway now).

For what it’s worth, much of this behavior (using the password for local authentication, for example) is by design. That’s why Chromebooks work offline. And a lot of the confusion here could be minimized simply by having a better UI (user interface) and flow for walking you through the password change process.

But really, if you change your Google password, and your Chromebook requires your Google password, then the end user’s expectation is to use their current Google password.

It’s kind of one of those non-issue issues, but something that’s indicative of how far Chrome OS still has to go to be a competitive alternative to traditional operating systems: they’re still working on the login, folks. The login!

Wednesday, January 4th, 2012

DNSSEC gains traction – Q&A about why you should care

Swedish hosting provider Binero has announced that it has DNSSEC-signed all of its customers’ .se domains. This brings the total number of signed .se domains to more than 100,000, up from the previous total of 5,000.

“Nearly one in ten Swedish domains are now validated against attacks with manipulated dns-information, like phishing,” Binero’s press release said.

It’s hard to find any worldwide numbers to compare to but ICANN reported yesterday that 88 TLDs (Top-Level Domains) are DNSSEC signed.

But what is DNSSEC (Domain Name System Security Extensions) and why should you care whether your domains are signed with it or not?

DNS was created in an era when the Internet was a bit friendlier

We spoke to the guys at Atomia, a Swedish company providing a high-performance hosting and server automation platform, about exactly those issues.

Pingdom: What is DNSSEC?

Atomia: DNSSEC stems from some of the problems that DNS has had for many years. It’s a good catalogue service for relatively small amounts of data – things like IP addresses – but DNS was created in an era when the Internet was a bit friendlier.

There’s not much security built into the DNS system we have been using, so it’s open – it’s not encrypted and there’s nothing to certify where data comes from, who the sender of a piece of information is. If you’re connecting to www.pingdom.com there’s no way of verifying that the DNS data you get back, which your computer needs to be able to connect to your site, is the true data and that it hasn’t been compromised.

Normally when you browse to a site, your computer sends a question to a DNS resolver, which checks the public catalogues that are DNS for the domain. If it’s pingdom.com you browse to, the resolver then checks with the DNS root server that handles .com domains, and then the one that handles pingdom.com specifically. Eventually it gets an IP address that is then sent back to your computer and the browser connects.

In that scenario it’s then quite possible that someone in the middle captures the request from your computer and returns a fake IP. It could possibly even look like the site you wanted to connect to but it’s not the real thing. This is usually referred to as DNS cache poisoning.

And that’s the problem that DNSSEC tries to address.

Pingdom: Sounds like it works the same way as if we were to digitally sign an email before sending it.

Atomia: Exactly the same, except DNSSEC only deals with signing the information, whereas solutions for securing email often also support encryption.
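As an added illustration of the signing-and-validation step Atomia describes (this is not code from Pingdom, Atomia or any DNSSEC implementation), the following Go model signs an RRset with Ed25519 and shows a validating resolver rejecting the kind of poisoned answer mentioned above; the record names, IP addresses and key are constructed, and the canonical form is a simplified stand-in for the RFC 4034 wire format:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Simplified model of DNSSEC signing, not the RFC 4034 wire format: the zone
// owner signs a canonical form of an RRset, and a validating resolver checks
// the signature with the zone's public key before trusting the answer.
type RR struct {
	Name  string // owner name, e.g. "www.pingdom.com."
	Type  string // "A", "AAAA", "MX", ...
	TTL   uint32
	Rdata string
}

// canonical renders the RRset in a fixed, lower-cased form so that signer and
// validator hash exactly the same bytes; records are assumed already sorted.
func canonical(rrset []RR) []byte {
	var b strings.Builder
	for _, rr := range rrset {
		fmt.Fprintf(&b, "%s %d IN %s %s\n", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Rdata)
	}
	return []byte(b.String())
}

// Sign plays the zone's RRSIG step using Ed25519 (DNSSEC algorithm 15).
func Sign(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// Validate is the validating resolver's step: the answer is trusted only if
// the signature verifies under the key already trusted for the zone.
func Validate(pub ed25519.PublicKey, rrset []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrset), sig)
}

// Demo reports whether the genuine answer validates and whether a forged
// answer (a cache-poisoning attempt substituting another IP) is rejected.
func Demo() (genuineOK, forgedRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []RR{{"www.pingdom.com.", "A", 300, "192.0.2.10"}} // constructed sample
	sig := Sign(priv, genuine)
	forged := []RR{{"www.pingdom.com.", "A", 300, "198.51.100.66"}} // spoofed reply
	return Validate(pub, genuine, sig), !Validate(pub, forged, sig)
}

func main() { g, f := Demo(); fmt.Println("genuine validates:", g, "forged rejected:", f) }
```

A real resolver additionally walks the chain of trust (DS and DNSKEY records) from the root down to the zone before it accepts the zone key used here as already trusted.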

Pingdom: It seems like DNSSEC was first discussed and developed in the mid to late 1990s. Why has it taken so long to be put into actual use?

Atomia: Well, first of all DNS is a rather critical infrastructure so we’ve been very careful not to upset anything that works. It’s also a bit like the chicken or the egg: for there to be any use for DNSSEC we need a number of zones to be certified and that the Internet operators’ resolvers validate the domain data. Alternatively, the Internet client applications, like web, email, chat, etc. could validate the data. So it’s like everybody has been waiting for everybody else to do something, passing the buck, if you like.

Then some have said that the root, the bottom of the DNS tree, which is handled by a U.S. organization, has not been signed so why should we worry about it? [The first gTLD signed was .org in 2009] Other top-level domains like .com and .net came later and now it’s all starting to roll.

In Sweden we’ve had a head start since .SE [the organization responsible for the .se domain] and the Swedish Internet operators have been involved and almost all operators now validate the signing of domains.

But it’s still been quite few domains that have been signed, at least until now, when Binero has signed all domains it hosts.

Pingdom: So this is something that is rolling out across the world now?

Atomia: Yes, it is, but ever so slowly. The big top-level domains have DNSSEC now and many country domains as well. There are still many who don’t support it yet, mostly for country-specific domains.

Pingdom: As a typical SME with a domain and a website, is this something you should care about?

Atomia: The slow rollout shows that it’s tough to get people to care about this, it’s not something they immediately think about and put time into, especially when they see that not many others are doing it.

Then it’s hard to see the value.

But anyone that has a domain should check with their registrar and provider to see if they support DNSSEC. A bit of push from customers will probably make providers move a bit faster.

Pingdom: What is the natural extension of DNSSEC, what will come next?

Atomia: So we have this system, DNS that has worked well for 30 years or more and DNSSEC is rolling out over the world. If you could add to that system that you can trust the system in the same way we trust SSL sites, then you can start looking at adding more information. We trust SSL for trade in billions per day and if we can trust DNS in the same way things can get interesting.

If you can say “this certificate is valid for my website” you can tell customers who want to connect to www.pingdom.com, which certificate they should trust. Basically you won’t need a third party other than the DNS root.

Today browsers have lists of Certificate Authorities and that responsibility can be transferred to individual administrators. So the result would be increased flexibility and less cost, and that’s something we see happening now, since about a year or so.

DNSSEC is coming – get ready

We’d like to say a big thank you to Atomia for setting us straight with regards to DNSSEC.

Although it may not be a topic you’ve had to deal with before, get ready, because sooner or later DNSSEC will come your way. Even if the registrar and Internet provider you currently use don’t currently offer DNSSEC signing of domains, you should get in touch with them and see if it’s in their plans.

It seems to us that spreading awareness of DNSSEC and increasing the adoption of this technology can only benefit us all.

After all, better security on the Internet is a good thing, right?

Photo by Ralph Aichinger.

This was a post from the guys at Pingdom, a site monitoring service that makes sure you're the first to know when your site is down. Check it out for free.

Friday, December 30th, 2011

Security in 2011 by the numbers

As 2011 draws to a close we wanted to take a look at computer and information security in the twelve months that have passed.

What will probably stick in most people’s minds is the Sony PlayStation Network and Qriocity hack, which resulted in an outage lasting 23 days. In other developments, hacktivist groups like Anonymous and LulzSec took to social media to further their causes, and mobile malware got more attention than ever before.

All in all, there’s no doubt that 2011 was a very busy year for IT security professionals.

Malware

  • 76.76% – Trojans accounted for this share of new malware samples.
  • 49.97% – The top 10 most prevalent malware specimens accounted for almost half of all infections.
  • 26% – This much more malware was created in the first month of 2011 compared to the same month the year before.
  • 150,000 – The number of new malware samples per day.
  • 73,000 – The average number of new threats created and released every day.
  • 62.6% – China had the highest rate of infections of any country around the world.
  • 4 million – The number of machines spread over 100 countries that the malware DNSChanger was estimated to have infected.
  • 41,000 – The number of computers in the Kelihos botnet, taken down by Microsoft in September.
  • 3.8% – The percentage of emails in which malicious files were found in June.
  • 44.7% – The share of all malware that was hosted in the U.S.
  • 38.03% – The share of .txt, the most common malware file extension, out of all malware in January.
  • 87% – This percentage of websites used to spread malicious programs were concentrated in just 10 countries.
  • 25% – The percentage of malware-infected websites that used video and multimedia as bait.
  • 89% – The percentage of users who would recommend that friends and family using Macs install antivirus software.

Social networking

  • 72% – Percentage of companies that restrict access to social networking for employees.
  • 23% – The percentage of phishing out of all attacks in social media.
  • 97% – The share of respondents on Facebook and Twitter that said they clicked on links without checking for malware.

Hacks and breaches

  • 9,651 – The number of active credit card details stolen when Anonymous hacked Stratfor, which affected 50,000 people.
  • 1.3 million – Sega had this many customer accounts exposed in June.
  • $2.4 billion – The estimated cost of the Sony PSN hack.
  • 77 million – Number of user accounts being compromised in the Sony PSN hack.
  • 17 – This many Sony websites may have been hacked during 2011.
  • 37,608 – The number of SonyPictures.com passwords released by LulzSec.
  • 2/3 – Two thirds of the passwords from SonyPictures.com were found to have been used on at least one other site as well.
  • 1.8 million – The number of video gamers affected after hackers penetrated Square Enix servers.
  • 32% – The increase in healthcare breaches.
  • $6.5 billion – The estimated cost of healthcare breaches.
  • $3,000-$4,000 – The going rate for a botnet-based attack toolkit on the black market.
  • 531 – The number of rogue certificates generated when DigiNotar’s certificate authority servers were hacked.
  • 210,000 – The number of Citigroup customers (about 1% of the total customer base) who had account information compromised in June.

Mobile

  • 40% – The share of mobile malware targeting Android.
  • 10,000-14,000 – The estimated number of downloads of 22 SMS malware apps published to Android Market and later pulled by Google.
  • 85% – The share of smartphone threats during August 2011 that targeted Android.
  • 34% – At least this much of Android malware was stealing users’ personal data.
  • 472% – The increase in Android mobile malware from July to November.
  • 273% – The increase in mobile malware in the first half of 2011.
  • 55% – Spyware was the main mobile malware threat.
  • 2.5 million – The estimated number of mobile malware strains in 2011.

Spam

  • 79.55% – The percentage of spam among all messages in January.
  • 20x – The increase of fraudulent spam.
  • 50% – The share of spam traffic originating in the top five source countries in October 2011.
  • 70% – The level to which spam dropped, from 90% in 2009.
  • 47% – Percentage of attempted submissions to prominent social bookmarking sites that were spam.
  • 14.8% – Percentage of spam that originated in India during the third quarter, the highest of any country in the world.
  • 8 million – The number of people mistakenly spammed by the New York Times.
  • 12.5 million – The number of spam messages needed to sell $100 worth of Viagra.
  • 20% – The market share of the most common spambot type.
  • 53.6% – The most common spam category was pharmaceuticals.

Phishing

  • 146 – This is how many new phishing sites hosted on government domains around the world that Netcraft found in July.
  • 43% – The percentage of employees that received a simulated phishing email with fake Facebook or Twitter updates from a reputable and trusted server that clicked on a link in the email.
  • 2,500 – McAfee found this many new phishing sites per day in the first quarter of the year.
  • 48.77% – Percentage of phishing attacks in January that abused the .com TLD.

Vulnerabilities and exploits of software

  • 80% – This percentage of WordPress vulnerabilities involved plugins.
  • 95% – This percentage of Drupal and Joomla vulnerabilities involved plugins.
  • 2 – For the first time ever, the top 10 rating of vulnerabilities included products from just two companies: Adobe and Oracle.
  • 7 – Adobe Flash Player’s share of the top 10 vulnerabilities.
  • 99 – The number of Microsoft patches during the year (down from 106 in 2010).
  • 30% – The percentage of Microsoft’s security patches during 2011 that were critical (compared to 70% in 2006).

DDoS attacks

  • 250,000 – The number of computers taking part in a DDoS attack on an unnamed Asian e-commerce company, producing 45 Gbps of traffic.
  • 5% – U.S. and Indonesia each accounted for this percentage of DDoS attacks.
  • 88.9% – The percentage of HTTP flood out of all DDoS attacks.

Miscellaneous

  • $7.7 billion – The price Intel paid for McAfee (the deal was announced in 2010 but completed in 2011).
  • 91% – Share of companies that experienced at least one IT security threat from an external source in the last 12 months.
  • 30% – Share of companies that felt they were being specifically targeted by cyber-attacks.
  • 64.21% – The top intrusion mechanism detected in the second quarter was generic SQL injection.
  • 56 MB – The size of the compressed file released by LulzSec, supposedly containing the source code for the Sony Computer Entertainment Developer Network.
  • 82% – Symantec found that security is the top concern for participants in its State of Cloud Survey 2011 [PDF].

Let’s hope for a better 2012

That just about wraps up our summary of the state of security in 2011.

Trying to encompass a complete year in one post like this is certainly not easy. Did we miss any significant security-related numbers for 2011? Tell us in the comments below.