SERIES: Security Now!
DATE: January 9, 2013
TITLE: Disconnect WidgetJacking
SPEAKERS: Steve Gibson & Leo Laporte
SOURCE FILE: http://media.GRC.com/sn/SN-386.mp3
FILE ARCHIVE: http://www.GRC.com/securitynow.htm
DESCRIPTION: After catching up with a very busy week of interesting security news and events, Steve and Leo examine the growing privacy and security problems created by the ever more pervasive social widgets - Facebook's LIKE button, Google's +1, Twitter's Tweet!, and others - and they offer an easy-to-use free solution!
SHOW TEASE: It's time for Security Now!. Did you know, did you know that those Facebook Like widgets, the other social share widgets, are actually revealing your identity to anybody who's on the same network? This is a problem, but Steve explains how to fix it in a very simple explanation, coming up, along with all the security news, next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 386, recorded January 9th, 2013: Disconnect WidgetJacking.
It's time for Security Now!, the show that does its best to protect you online. It's a never-ending struggle. Fortunately the Explainer in Chief is here, Steve Gibson, the man behind Security Now!. I met so many people at the New Media Expo and at CES, Steve, who said, “Tell Steve hi. We listen religiously.” And it's usually the high-end geeks. They want to know more. You can never get too much security or too much geekness or too much good information. And they love how geeky we get on this show.
STEVE GIBSON: Well, we've got more today. There's a whole bunch of interesting stuff that happened this week we will catch everyone up on. And something happened in November with an interesting project that I've had my eye on which achieved critical mass. And so I'm going to discuss it later, but first talk about the problem that has been growing known as WidgetJacking…
STEVE: Which people have not been talking about. This is essentially, it's related to the so-called “sidejacking,” which is what Firesheep was doing. Then this involves leveraging the lack of security of social widgets. There's a privacy aspect, but there's a serious security aspect to it. And the good news is - so anyway, we're going to explore it, and explain it, and everyone will understand it. And the good news is there's a solution for it.
STEVE: Yeah. But before we go, you need to type that first URL into your machine.
LEO: Okay. You don't want to say it out loud because obviously we're afraid it will bring the site down, as you are wont to do.
STEVE: Correct, although I tweeted it last night, and I've never had so many responses I think to anything. It is beyond cool. Now watch it. And it took me a while to get what it was doing. I created a memorizable bit.ly shortcut, bit.ly/factorizer. So again, that's http://bit.ly/factorizer. It is just - it is spectacular.
LEO: So it just looks like things are doubling here.
STEVE: Well, no. Look in the upper left. It's incrementing.
LEO: Oh, okay, it's incrementing. Okay.
STEVE: So it's incrementing one by one.
LEO: It's dots on a dice, kind of, sort of.
STEVE: Well, but keep watching because you'll begin to sense what it's doing. Primes that cannot be factored show as…
LEO: Oh, as a circle, I see.
STEVE: …as a circle.
LEO: I see.
STEVE: Because there's no way to subdivide them.
LEO: So what you're doing is you're going through the numbers one by one of dots and factoring them into their factors - fours, twos, threes.
STEVE: Yes. And also then threes of fours of sevens, and sevens of, I mean, so all of the - it basically does a complete factorization of each number and animates it. And I have…
LEO: I'm going to speed it up because I've got it on slow play. There's a fast-forward that's a little bit faster. Maybe we'll just keep that running for a while. How far does it go?
STEVE: Somebody said it goes to 10,000.
LEO: It's very cool.
STEVE: It's just mesmerizing. I thought it was, you know, of course it applies to what we're doing, too.
LEO: And I do like it that it's HTML5. And I'm sure you like that.
STEVE: Yes. It's code running in the browser. And, in fact, Firefox 18, which was released yesterday and which we'll be talking about, runs at 25 percent faster.
LEO: Oh, well, I'll have to download it. We have to give that a try. How funny. This is the fastest I can do it on Safari. Let's see how fast Firefox will do it. All right. How fun.
STEVE: Yeah, it's beautiful. So the big security goof is one of those that is really painful because it is incredibly widespread, incredibly old, that is to say, six years old, which is in this timescale it's infinitely old. A six-year-old flaw was just found in all versions of Ruby on Rails from version 2.0 on.
LEO: Oh, no.
STEVE: So, and this is bad. A security-focused Rails contributor, Aaron Patterson, posted in a Google Groups thread: “The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML” - that's Y-A-M-L, and that's one of those recursive acronyms, “YAML Ain't Markup Language.” Anyway, continuing, he says, “These unsuitable conversions can be used by an attacker to compromise a Rails application.”
LEO: So, as always, sanitize your inputs, baby.
STEVE: Yeah. Well, and the problem is this. Because this use of user-provided data wasn't expected, you were probably not sanitizing for it because you wouldn't think there was any problem. He said: “XML Parsing Flaw, which was first introduced in version 2.0 six years ago” - that is, the GitHub commit for that is six years ago - “allows an attacker to bypass authentication systems, inject arbitrary SQL code, inject and execute arbitrary code, or perform a DoS attack on a Rails application.”
So in the RubyonRails.org weblog for 1/8/2013, which was yesterday, the updates were announced. The guy posted, “Hi, everybody. I'd like to announce that” - and then the current version numbers like 3.2.11, 3.1.10, 3.0.19, and 2.3.15. So those are the latest versions of the various sub-versions - 3.2, 3.1, 3.0, and 2.3 - have been released. “These releases contain two extremely critical security fixes, so please update IMMEDIATELY,” he had in all caps. And Patterson suggested, if for whatever reason, for any reason you cannot update, disable XML parsing completely or remove support within the parser for Symbols and YAML because those are the two weaknesses that he found.
So I wanted to immediately let, I mean, presumably anybody, hopefully, who's maintaining Rails-based systems will be on a mailing list and will already know this. But this is fresh. And of course the hackers, the malicious guys are going to be on this fast because, I mean, so many sites, as we've discussed many times in the past, are now running on Ruby on Rails.
LEO: Yeah. I love Ruby on Rails. And Ruby is wonderful. So it's Ruby, though, not Ruby on Rails that has the problem.
STEVE: Well, he's a Rails contributor. So I don't know where you divide this.
LEO: Oh, well, Rails is a framework. Ruby is the language.
STEVE: He's calling it a Rails application, yeah.
LEO: Okay. So it's a Rails issue, then. That's actually better than if it were a Ruby issue because Ruby's a…
STEVE: Oh, it's not language intrinsic.
LEO: Got it. It's in the framework.
STEVE: It's packages on top, yeah.
LEO: And we've seen, actually we've seen problems with the framework before. So that's okay. Okay, good.
STEVE: So also in the news…
LEO: By the way, let's just check in real quickly. We're up to 1,305. That's Safari. This is Firefox. Catching up. It is appreciably faster.
STEVE: Oh, and you got Firefox 18?
LEO: Yeah, this is 18. So Safari, Firefox. Yeah. I would say, I mean, 25 percent is not as huge as it might sound.
STEVE: No, it's not two times or anything. There was a bunch of news also, actually this was late, this was just after our podcast last week that Chrome detected a phony Google certificate in the wild. And that really upset everybody because here we're back to a trusted, in the root, certificate authority. This was Turktrust, a Turkish CA, which when they started doing the research - this was not malicious. This was not a break-in or a compromise of their system. But it's also a little disturbing because two years ago they inadvertently issued one of their customers a pair of intermediate certificates rather than an end SSL cert.
So what that means is, of course, an endpoint SSL cert is signed by the CA, and all you can do is assert your own identity with it. If you ever get an intermediate certificate authority, you are a certificate authority that has been signed by the root certificate authority. So for two years this entity that inadvertently received these two intermediate CAs - and of course we're having to take all this on trust, that this wasn't some secret dark entity of the Turkish government that got an intermediate CA from Turktrust and so forth. So if we take this on face, what we do know is that for two years there has been an intermediate CA that could issue trusted certificates for any domain it chose.
LEO: That's wild.
STEVE: I know.
LEO: Two years.
STEVE: Yeah. So this is the, as we've discussed, the Achilles heel of our entire SSL trust system. Somewhere in any system there has to be an anchor of trust. And so that's where you're going to be weakest. And our long-time listeners will probably well remember that podcast [SN-104]. It was maybe, what, five or six years ago, where I had happened to check in, to look at the block of trusted CAs in whatever browser it was, I don't remember, because I'm old school. And once upon a time there were five. There was VeriSign and Equifax and, I mean, it was like a handful. I looked at it, and it was 800. And of course that's where the famous Hong Kong Post Office came from. It was like, wait a minute, what are they doing signing certificates that I trust?
But anyway, so immediately Google updated Chrome to remove trust from that one certificate that was known to be a problem, immediately informed Turktrust that something was wrong, and please find out what, and informed the other browser vendors that there was a malicious intermediate CA in the wild. And so now - we're okay now. That intermediate CA and anything it might have ever signed that has also been trusted but never warranted our trust, they're dead now. So none of our browsers will use them, and this happened last week. But that's the story behind that, for people who sent me notes and tweets saying, uh-oh, what does this mean? So we're okay. But again it's like, oops, a little glitch in the system.
Also, yesterday was Microsoft's Patch Tuesday. And it's another important set of patches. Unfortunately, and we'll remember that last week we wondered whether Microsoft would have time to fix the zero-day flaw which had just been, I think it was the prior weekend, found in the wild. Remember it was being used for targeted attacks on IE6. But it's also known to affect 7 and 8, not 9 and 10. So if you need to use IE first - because it's funny, whenever I tweet anything about IE, I get back the predictable, well, who's using IE? It's like, yeah, I know, I know. But I also get lots of people saying, hey, I have no choice. My company makes me, my bank makes me, my whatever it is makes me. So there are - and, I mean, I have it because - for Windows Update, and there are some things where it still has to be around. And it's around by default, of course, in a Windows environment. So it was not fixed yesterday.
So, and Brian Krebs reported that it has, as we also predicted last week, now been added to the Metasploit Framework. So it is trivial for script kiddie level malicious hackers to go starting to exploit this. So we can expect to see its use expanding in the wild because now the hackers think, well, we may have a month before the next Patch Tuesday. Of course if it goes really crazy, Microsoft may be induced to issue an out-of-cycle patch.
Now, Part 2 of this is that, almost immediately after Microsoft's Fixit tool was put out, and we talked about it last week, it was discovered that there was a way around it. So even Microsoft's Fixit tool is only partially effective against this exploit. So really the only advice I have is, more than you might have already been avoiding the use of IE 6, 7, and 8, if 6, 7, and 8 are what you're using, try to minimize your use of it. Or I would say go to really trustworthy sites.
The problem is it's not the sites that are going to be malicious. But in the attacks we've seen, remember we were describing them as “watering hole sites” because the way these attacks were working is that not secure, not sufficiently secure sites were being modified to attack their visitors. And so it was a sort of a - the idea was being that the actual targets of the attack, the companies that the attackers wanted to get into, would go to this so-called watering hole site, get themselves infected there, give the attackers the access they want, and be compromised as a result.
So we don't have any fix for this, not one that apparently works. And having been dropped into the Metasploit Framework means that it's completely understood. The hackers know how to exploit it. It's now in the open source mode where anyone can get at it, and we have no fix for it. So it's about as bad as it gets. And it's, of course, being actively exploited in the wild.
Aside from that unhappy news, Microsoft this Tuesday issued seven patches, two of which were critical and addressed, like, 12 or 13 security problems. One of those only affects Windows 7 and Server 2008 Release 2 only. So rather narrow. But the other one is another XML Core Services problem. We've seen those before. This affects everything Microsoft has ever touched, even something I've never heard of. I was looking down through the list of stuff. And I thought, what is the Groove Server 2007? Does anyone even know?
LEO: That sounds like a Microsoft code name.
STEVE: No, it's the official name. It's, like, in their list.
LEO: No, it would be, yeah. But, I mean, it would be what they called it. Maybe not what…
STEVE: Yeah. Oh, I see, and they decided not to change the name when they put it out.
LEO: Microsoft, doesn't it sound like Microsoft Groove? Groove products, let me see, I don't see anything. What is Microsoft Groove?
STEVE: Groove Server 2007.
LEO: Yes. It's something Ray Ozzie did. It's part of Office. And a number of our people in the chatroom use it.
STEVE: Well, folks, update your XML Core Services immediately.
LEO: Microsoft Office Groove 2007 creates dynamic workspaces to hold all digital information related to any task. So it's like, you know, Ray Ozzie did it. It's a collaboration space.
STEVE: Just drop the data in the groove, I guess.
LEO: Yeah, yeah.
STEVE: They already used Suitcase. They can't use that again.
LEO: It does sound like a Microsoft name. An old Microsoft name.
STEVE: Oh, god. And the other thing was an important update to the .NET framework and a few other things. So anyway, update your Windows, and don't use IE.
LEO: They call it - I think they just call it SharePoint now.
STEVE: Oh, okay.
LEO: Well, it was part of SharePoint. I went to the Groove page, and it brought me to the SharePoint page, so I don't…
STEVE: Because SharePoint is strictly cloud-based; right?
LEO: Yes, yes. As would Groove be.
STEVE: Oh, I see. You went to Groove, and it bounced you to SharePoint.
STEVE: Ah, okay. But back in 2007 we still called it Groove.
LEO: We had Groove, and it was groovy.
STEVE: So speaking of same old, same old, we have Adobe, who simultaneously issued security fixes for all of their things also - Acrobat Reader and the Flash Player plugin. And in my notes here I just put “blah blah blah.” Which is to say, just go update yourself.
LEO: Ditto. Ditto ditto ditto.
STEVE: Yeah. And big news. Yahoo! Mail finally gets HTTPS.
LEO: Oh, finally.
STEVE: Yes. And they've continued to have break-in problems. I've seen some notes about people getting spam from Yahoo! Mail people, and I got some myself yesterday.
LEO: Yeah, it's notorious, yeah.
STEVE: Yeah, from like a week ago, I mean, from years ago, somebody who had an old email address of mine that I kind of monitor sort of for this purpose. And it's like, oh, look at that, something coming in here. Oh. Anyway, so what that means is that if you sign into Yahoo! Mail with your ID and password, hover over the Settings icon, and from the dropdown menu which you'll get select Mail Options. Scroll down to the bottom of that page. And then, under Advanced Settings, select the checkbox opposite to Turn on SSL. Then a dialogue will be shown, and a refresh is required to change the setting. Click Okay, and then click on the Save button.
So they're a long way away from on by default, but at least they do allow you to maintain persistent security. And, boy, in this day and age, it's amazing that this is so late in coming, when we know now that, if you only are secure during logon, and then you're in Starbucks or any other open WiFi hotspot, an airport or anything, then all of your non-secure transactions, which is everything subsequent, will be in the clear. Which means the cookie which you were given in order to establish your session at logon is there, and you can be hijacked.
So it's not surprising Yahoo! is having these problems. This is how hijacking happens. Exactly like this. So lord knows why it took them so long to make it happen. And they really need, unfortunately, it being buried like that, who's going to find it? So our listeners will. And if you get email from anybody who's got Yahoo!, listeners, drop them a note and say go find out - go to Advanced Settings and turn on SSL. It's not going to break anything anywhere because we know how, we can all do SSL now.
LEO: I remember when you discovered Firesheep [SN-272], which was a hack that allowed you to do this kind of thing at an open WiFi access spot. And you celebrated it because, as you said, this will force everybody - how many years ago was this, two or three years? - this will force everybody to do HTTPS all the time. And it's taken this long.
STEVE: Yeah. The responsible people did.
LEO: Facebook and Gmail.
STEVE: Yes, exactly.
LEO: Well, now Yahoo!. Join the club.
LEO: It's powerful.
STEVE: I mean, this is - it's really clear that the browser is the platform, the application platform of the future. Speaking of which, one of the things also newly supported at the preliminary level is something called WebRTC. This is in Firefox 18. RTC stands for Real Time Communications. The WebRTC is a forthcoming HTML5 generation W3C and IETF standard to support real-time Internet communications: phone calls, video chatting, sharing, peer-to-peer file sharing. So again, here's another example of, due to the standards moving forward and the power that we're developing in our browsers, we're talking about moving what is currently standalone apps or plugins into the HTML, into the web standard. So our browsers won't need Skype to be downloaded and installed, or Google Talk, or anything. They'll have it natively, in the same way, for example, that they now can play video without needing a Flash plugin or anything else in order to play video because the browsers are able to do that on the fly. And speaking of which, Google has donated their VP8 video codec to the WebRTC effort. This is the one that they got from…
STEVE: …On2, that's right, and are claiming that it is unique in that it is license free. There are some people who aren't quite sure that that's the case.
LEO: Yeah, including the H.264 Consortium, who doesn't want it to be license free.
STEVE: Exactly. And in fact there is pressure for H.264 support in this same standard, in this WebRTC standard. But the resistance, of course, from people like the Mozilla Foundation, is they don't want to put license-encumbered technologies in the browser. They're just fundamentally against that. So I think we'll probably always be in a position where there are a couple different video standards, in the same way that we have JPG, PNG, and GIF image files. I mean, those are established. They're not going to go away. So there isn't just one way to show a picture. There's a few ways. And there won't be one way to play a video, there'll be a couple, depending upon what platform you're on.
Also with Firefox 18 we have full retina display support on the new Macs with the retina screen, which prior Firefoxes did not support. So that's here for, like, super-crisp retina font-rendering and so forth. And over on the Android side, Firefox 18 adds support for on-the-fly search suggestions in their so-called Awesome Bar. And those search suggestions are transacted over secure channel, even if you're not, so that no one can see what's going on. And there is a malicious site warning system built in for Android, which is certainly handy to have.
And I promised that I would take a look a couple weeks ago at what “Extended Security” meant for Universal Plug & Play. Remember that I saw, I think it was a couple tweets, said, hey, well, what about the extended security? Well, it's completely useless.
LEO: Oh, dear.
STEVE: First of all, it's not widely available. I could only see really that Thompson was using it in some of their routers. And all it does is lock down some ridiculously wrong things that Universal Plug & Play should have never been allowed to do in the first place. But it provides virtually no security. So no malware would be at all slowed down if you had extended security turned on. And I didn't even write down and bother enumerating it because I just thought I would tell everyone, eh, you know, don't…
LEO: Or don't worry about it.
STEVE: Yeah, don't worry, it's not going to help.
LEO: Plenty of holes left.
STEVE: And apparently it even does mess things up.
LEO: Oh, no.
STEVE: I mean, despite doing nothing for you, I ran across a lot of advice saying, oh, if you have that turned on, turn that off because that's the problem. So, you know. Now, also in the “I'm not going to go into it in detail,” I wanted to just say to Jungle Disk users, maybe there's hope, because there have been so many unhappy people with Jungle Disk. They got bought by Rackspace, which is why Rackspace is the cloud service of choice for Jungle Disk, although it still works with Amazon and so forth. But the support's been really lousy. They recently changed their philosophy where it's no longer essentially free, the way it used to be, which really upset people. People used to use it, for example, to create a private network to an unattended server, for example, so they would be able to get to that server.
Well, Jungle Disk, or rather Rackspace as parent, in the quest for more revenue, decided that they would only allow the nonpaid versions to interoperate between logged-on people. So you can use it, for example, as it is used often, to set up a private little gaming network, in which case everybody would be logged onto their machines that are connected into this little Jungle Disk subnet across the Internet. But you can no longer use it in its free version, the way you have always been able to use it, to hook to an unattended machine where you don't have somebody actively logged on and using the system.
Now, the ray of hope is that, at blog.jungledisk.com, for any holdout users of Jungle Disk, they had a “What the new year holds for Jungle Disk” entry. There's a new CTO. And apparently they sent out questionnaires to some subset of their users, and the questionnaires came back polarized. There were people who were completely happy and wanted nothing more. And on the other side there were people who probably feel about Jungle Disk the way we feel about PayPal. I mean, they're only using it because they have to, because there's absolutely nothing else that they've found that does what they want. So this was apparently a bit of a wakeup call, and they're promising that they're going to fix these problems. They're going to be better with support, they're going to communicate more, and they're going to fix things. So for what it's worth, people who are using Jungle Disk, it might get better. And anyone who's interested can check out blog.jungledisk.com for the details.
And in my backlog of stuff to get to is a rather sobering analysis that an R&D company did of the silicon of a chip used in networking products where they discovered a hardware backdoor in the design. We've talked about this. We've touched on it a few times. It is a worry. Because there's obviously tension between, for example, the U.S. and China of various sorts. And we're getting a lot of fabrication being done there. And how do you know what's in the chip? The chip's got legs, but it's got a lid on it, and it's incredibly complicated. And you just can't look at it and know what the design is. It takes a huge amount of effort to reverse engineer the design of a chip from looking at it.
Now, in the old days, microprocessors were reverse-engineered. “Popping the lid” was something that was jargon in the industry, and it was the way designs got stolen. But with this insane ramping up of complexity that we've had, it's just - that's vastly more difficult. Yet the Los Alamos National Laboratory here in the United States just removed all of its Chinese network switches. A Congressional Report found that Huawei, H-u-a-w-e-i…
LEO: I think it's Huawei. I think you pronounce it Huawei. By the way, they had a massive booth at CES.
STEVE: Were they waving American flags?
LEO: Well, they dispute this. Yeah, this is a while ago that the Commerce Department came out with this. And it's reasonable. But Huawei disputes it.
STEVE: Yes. So what the Congressional Report said was that the company had ties to the Chinese military and intelligence services. They deny any connection to the military and say that their products are completely safe to use. So who knows. I will, as soon as I get to it, take us through the details of reverse-engineering the hardware, which did find a backdoor, so they are known to exist. We don't know that this is an instance of it. But it is something that we need to keep in mind.
LEO: Yeah. And if I were running Los Alamos Labs, where they make atomic weapons, I might be prudent. I might act in terms of prudence. It's the router that they're worried about, right, because who knows what code's in there. Not just the chips.
STEVE: Yeah. Or they said switches. And “switches” is sort of a generic term.
LEO: They make phones, too, and I don't know, I mean, this was a pretty broad report.
STEVE: So I did ask for the tweeter who tweeted me a week ago or two weeks ago that he had come up with a cool synopsis page of my Twitter stream related to Security Now! podcasts. So that when I say, oh, I just tweeted this link, for anyone who's listening, the observation was made in our last Q&A, it was like, well, Steve, that might have been a year ago, that I'm listening to Episode 206. So that's a problem. Anyway, so I created a shortcut. It's bit.ly/sggrc, all lowercase, because bit.ly is deliberately case-sensitive so that it's able to encode more links in a short string. So it's bit.ly/sggrc. And it was Simon Paarlberg in Copenhagen who…
LEO: It's amazing.
STEVE: Yeah, isn't that great?
LEO: Thank god for Scandinavian winters, that's all I can say [apps.simonpaarlberg.com/x/sn_twitter.html].
STEVE: He called it a “hack,” so I think he must have a bot which is just pulling the stream in. I did see that it's always up to date. So it has my latest tweets from yesterday in it at the top. It is in reverse chronological order. And so what I think he does is he, like, inserts a place marker for every Security Now! podcast and nicely formats it. So anybody who is listening to a podcast, and I mention a tweet that has a link, you can go to bit.ly/sggrc, which I came up with that because that's the same as my Twitter handle, and scroll back and find it.
LEO: Boy, if this is code, this is impressive.
STEVE: That's very cool, Simon. Thank you.
LEO: It can't be code. This is somebody - unless he's…
STEVE: No, it's code because…
LEO: How's he getting the time codes?
STEVE: I'm sure that's all in the Twitter stream.
LEO: Oh, I see. I see what he's doing. It's not the timecode into the podcast. This is the tweet.
STEVE: Right, right, right.
LEO: I get it. So he's just saying - oh, yeah. I can see how he'd do this. So he'd say, well, the week of January 1st through 8th, these are the tweets.
LEO: Yeah, that had links on them.
STEVE: And by the way, Elaine also replied, listening to the podcast as she is forced to do every week, that she has been putting - she's been expanding and putting the links in the show notes all along in her transcripts. So they're also in the transcripts, for anyone who is looking.
And you're going to like this one, Leo. Go to that next link before I mention it, although I also tweeted it, so you can find it right there in my Twitter stream. Mark Thompson turned me on to this, and I thought it was really interesting. If you dig down, you can see the chart of - okay. I should, for people who aren't seeing the feed right there - but click on some of those languages, Leo, like click on Java, No. 2.
LEO: So this is from TIOBE.com.