Software Security – Tales from the bits
http://talesfromthebits.com
This is a blog about technology, computer science, software engineering and personal notes from these fields
Fri, 17 Jun 2016 16:53:16 +0000

Google Bypassing User Privacy Settings
http://talesfromthebits.com/2012/02/google-bypassing-user-privacy-settings.html
Wed, 22 Feb 2012 08:00:02 +0000

According to Julia Angwin and Jennifer Valentino-Devries, reporters at The Wall Street Journal, Google bypassed user privacy settings for the Safari web browser. In simple words, Google was able to drop tracking cookies even when the user had set Safari to block cookies. Microsoft confirmed that Google was using similar techniques to bypass privacy settings for IE. Google has released a statement on this issue stating that the cookies were not collecting private information. Google also stated that it has stopped using the bypass.

VOIP and P2P privacy flaws
http://talesfromthebits.com/2011/10/voip-and-p2p-privacy-flaws.html
Sun, 30 Oct 2011 16:16:34 +0000

Skype and other Internet-based phone systems have flaws that could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems.

The research was conducted by Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

It is important to mention that blocking callers or connecting from behind a Network Address Translation (NAT) device does not prevent the privacy risk.

By using commercial geo-location mapping services, the researchers found that they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours. In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. “If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors said.

How do we value our privacy?

The researchers have informed Skype and Microsoft of these vulnerabilities.

Details of major DNS flaw
http://talesfromthebits.com/2008/07/details-of-major-dns-flow.html
Thu, 24 Jul 2008 09:53:00 +0000

On July 21, Zynamics.com CEO Thomas Dullien (aka Halvar Flake) made a guess about the bug, admitting that he knew very little about DNS, but his findings were quickly confirmed by Matasano Security, a vendor that had been briefed on the issue. [2] According to Matasano Security, which briefly published the details of the security hole in its blog, an attacker with a fast internet connection would only need 10 seconds to carry out such an attack. The blog entry has since been removed – even from the Google cache. [1]
“The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.” Matasano said in a blog posting that was removed within five minutes. You can find the original post here.
An attacker could use a fast Internet connection to launch what is known as a DNS cache poisoning attack against a Domain Name server and succeed, for example, in redirecting traffic to malicious Web sites within about 10 seconds. [2]

References
[1] http://www.heise.de/english/newsticker/news/113228
[2] Robert McMillan, 2008, Details of major Internet flaw posted by accident. Available at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9110418&taxonomyId=85
