Security Quest #2: PayPal Security Key & Weekly Update

PayPal is piloting a new feature that more financial institutions should consider and every PayPal client should use: it is making Verisign security key fobs available to PayPal users for a nominal $5 each, shipping included.

The key fob displays a new six-digit code every thirty seconds. You enter this code, along with your password, when signing on to PayPal. Even if someone gets your password they cannot access the account without the key fob (well, there is an exception, covered below).
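To make the mechanism concrete, here is an added example (not PayPal's or Verisign's code; the post does not say which algorithm the fob uses) of the standard HMAC-based, time-stepped one-time-password construction (RFC 4226 HOTP driven by a 30-second time counter, as in RFC 6238) that produces exactly this kind of six-digit code, together with the server-side check that tolerates a little clock drift. The shared secret and the timestamps are constructed test inputs (the RFC 6238 SHA-1 test vector), not a real token seed.

```python
"""Added example, not code from PayPal or Verisign: a time-based one-time password
(HOTP per RFC 4226, stepped by time per RFC 6238). The fob and the server share a
secret; both derive the same six-digit code from the current 30-second step, so a
stolen static password alone is not enough to log in."""
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 6238 SHA-1 test vector, NOT a real token seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the fob displays: HOTP with counter = number of whole steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side to
    tolerate fob/server clock drift, and compares in constant time so a code cannot be
    guessed digit by digit from timing."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = int(at_time) // step
    ok = False
    for counter in range(current - window, current + window + 1):
        # no early exit: evaluate every candidate so timing does not leak which one matched
        ok |= hmac.compare_digest(hotp(secret, counter), code)
    return ok


if __name__ == "__main__":
    now = time.time()
    shown = totp(DEMO_SECRET, now)
    print("fob shows:", shown)
    print("server accepts:", verify_totp(DEMO_SECRET, shown, now))
    # A code captured and replayed later is rejected once it is outside the drift window.
    print("same code two minutes later:", verify_totp(DEMO_SECRET, shown, now + 120))
```

The window is the practical trade-off: a window of one step means a captured code stays valid for up to about ninety seconds, so a real deployment also records the last accepted counter and refuses anything at or below it, which stops replay inside the window too.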

PayPal’s Security Key FAQ sums up its benefits:

Because it gives you an extra layer of security when you log in to your PayPal or eBay account. Most websites keep your online account safe by only asking for your user name and password to verify your identity. The PayPal Security Key gives you an additional security code that only you know about. That makes your account more resistant to intrusion. Plus, the Security Key’s easy to use.

PayPal does allow access if you lose the key or it breaks. The FAQ states that they’ll ask you to confirm account ownership: after entering your password you’ll be asked to verify account information (by providing the full account numbers) or to answer your security questions. This method can be used to access your account when you don’t have your security key, or to deactivate the key if it’s lost or broken. That fallback is the exception mentioned above: anyone who has your password and also knows your bank or card numbers, or the answers to your security questions, gets in without the key, so the key raises the bar against password-only compromise rather than eliminating it.

Since PayPal is owned by eBay it’s no surprise that the key can also be used with eBay. While key fobs are a great security idea, one key fob per account isn’t feasible. The key fob is issued by Verisign and can also be used with Verisign’s Personal Identity Provider (PIP) service, which is in beta. PIP is an OpenID provider, so the same key can be used to log in at any OpenID-enabled site.

For information about the PayPal security key, log on to your PayPal account and go to http://www.paypal.com/securitykey.

Security Updates

Firefox 2.0.0.7 has been released. The only change in the update is a fix for a critical security vulnerability in the handling of QuickTime media files. The vulnerability bulletin only mentions Windows as an affected OS, but the update is for all platforms. The update is being delivered through Firefox’s automatic update and is available for direct download.

Security Software

AVG Antivirus Free Edition has been upgraded to version 7.5.487.

Security News, Information & Discussion

The Unofficial Apple Weblog has a good article on using the OS X keychain application to store and locate passwords.

Ars Technica, among others, is reporting that spammers seem to be turning their botnets against anti-spam sites. The speculation is that the attacks come from those controlling the Storm worm botnet, although they may be launched on behalf of customers paying for the attacks.

The Washington Post Security Fix blog is reporting that the RightMedia ad network was serving banner ads that delivered trojans. RightMedia has banned the ads, which appeared on Photobucket, MySpace and other sites. RightMedia was recently purchased by Yahoo.

The Spyware Guide has an update on spammers using Skype for a rogue anti-spyware scam.

There were a couple of recent articles about managing spam comments in WordPress blogs:

  • Internet Duct Tape talks about using Akismet Auntie Spam, a Greasemonkey script for Firefox, to manage spam in WordPress.

TD Ameritrade issued a press release concerning an internal audit of their systems. They were investigating stock-related spam and found “unauthorized code” in their systems, which has now been removed. They say only contact information was stolen. Ameritrade customers might want to think about new email addresses – and a new broker.

Media Defender, an anti-P2P company, made news recently after over 700MB of their emails were made public. The emails directly contradicted the company’s public statements about the questionable tactics it was accused of using. Media Defender employee Jay Mars forwarded all his company email to a Gmail account, and that account was the conduit through which the emails leaked. The lesson here is that no matter how secure a company tries to make its systems, employee actions remain the weakest link.

Security Quest #1b: Microsoft Patch Tuesday

Another month, another Microsoft Patch Tuesday, so there’s another set of patches from Microsoft. This month is relatively mild. The only OS security update is for the old Windows 2000 SP4; there is nothing for Windows XP or Vista. The Visual Studio and MSN Messenger updates are only rated “important”. These should still be installed: in Microsoft’s rating scheme “important” still means an exploit could compromise your data or system. It just means the flaw can’t be used to spread malware without user action, which is what separates it from “critical”.

None of these updates apply to my Windows PCs or VMs so all I got was the malicious software removal tool which doesn’t require a reboot.

MS07-051 is a “critical” update for Windows 2000 SP4.

MS07-052 is an “important” update for Visual Studio .NET 2002, 2003, and 2005, including those versions updated with SP1.

MS07-053 is an “important” update that applies to various versions of Windows Services for UNIX. If you run Windows Services for UNIX, check the bulletin; you probably need to update.

MS07-054 is an “important” update for MSN Messenger 6.2, 7.0, 7.5 and 8.

Security Quest #1a: Introduction and Catching Up

I’ve been running another site called the Spam Chronicles, which was last updated after Patch Tuesday in August. I’ve accepted that I don’t have time to keep both sites up to date. So, long story short: I’ll stop even thinking about updating the Spam Chronicles and will instead incorporate the new content here when it’s appropriate. The current Spam Chronicles will stay up; there’s no reason to pull it down. When winter sets in I may find time to do a redesign.

A new feature here will be the Security Quest postings. I plan to do these every Wednesday (or so), since that gives me one easy topic each month: Microsoft Patch Tuesday. Today’s Patch Tuesday information is in Security Quest #1b, which will follow shortly. This one will serve as a round-up of news and information.

Software Updates

WordPress 2.2.3 is a security and bug fix release.

iTunes 7.4 (now 7.4.1) contained a security update that wasn’t mentioned in the download notification. If you get music files from unknown sources you should apply the update. If you only rip commercial CDs or download from iTunes you can hold off.

Lavasoft recently updated Ad-Aware to work with Windows Vista. This includes the free version.

BitDefender recently updated the free version of their anti-virus software to version 10.

Security Information, News and Discussion

Skype is reporting that a worm is being spread through Skype for Windows. The worm spreads through the chat feature. (via Wired Compiler Blog)

Ars Technica has the story of a Swedish security researcher who used Tor (The Onion Router) to collect passwords belonging to embassy employees. Tor is used for anonymous Internet communication. He ran a sniffer on some Tor exit nodes operated by his company. Unfortunately Tor users probably didn’t realize their traffic was exposed to exit-node operators: Tor hides who is talking to whom, but anything the application sends in the clear leaves the exit node in the clear. A little encryption (HTTPS, or SSL/TLS for mail) would help.

Ars Technica is also reporting an increase in botnet attacks on eBay users with the goal of stealing their eBay identity.

Mac OS X Hints tells us how to secure our wireless connection at Starbucks. (Haven’t tried this myself, not being a T-Mobile user.) via Lifehacker.

Tech.Blorg.com has the story of the Quechup social network using questionable techniques to get users. They want to make YOU the spammer. They ask for your email address and password (for common email systems like Gmail) and then send invites to every member of your address book, under your name. First, never give anyone your password. Second, avoid Quechup. Hopefully the company will fail.

It’s legal to call spyware “spyware”. Techdirt has an article about a lawsuit against anti-spyware vendors being dismissed.

Slashdot has a discussion of Ophcrack, the open-source Windows password cracker that uses rainbow tables to recover passwords from their LM and NTLM hashes.

Microsoft Patch Tuesday news will be in the next post.

MacLockPick: Mac Hack Tool (not such a hack)

I first read about the MacLockPick a little over a week ago. It was described as a USB thumb drive that can be plugged into a Mac to extract passwords from the keychain along with other system information. The keychain is the OS X component that holds passwords so a user doesn’t have to enter them all the time. While encrypted and password protected, the keychain is normally unlocked automatically when the user logs in, although this behavior can be changed. The MacLockPick is sold by SubRosaSoft.

SubRosaSoft makes a big deal on their website of the fact that they’ll only sell it to licensed investigators and law enforcement officers. It sells for $500, with a 10% discount for law enforcement. This just didn’t seem right, and if it was right it was eventually going to be a big problem, since it would only be a matter of time before the technique fell into the wrong hands. It’s a USB key, so physical access is needed. But there must be more to it.

The SubRosaSoft website has this information:

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.

and it adds:

Recovers files from sleeping computers – Once awakened a Mac will return its keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.

and the usage instructions begin:

  • Insert the MacLockPick flash drive into your suspect’s computer
  • Double Click on the MacLockPick Application

So if we break this down:

Yes, the default state of the Apple keychain is unlocked. For real security this can be changed so that it locks after 30 minutes of non-use, or even locks after each access. Those settings can be annoying, so it’s likely that the default of “unlocked” is in use unless the person is truly security conscious. And yes, if you have physical access to the computer you can read various log files and the unemptied Trash. OS X does have a Secure Empty Trash option that overwrites deleted files; it doesn’t seem that MacLockPick deals with that. It’s also unclear whether the software actually reads the physical sectors of the hard disk to recover file contents. It sounds like it just reads the history of files used and deleted, and all that gives you is the file names.

But then we hit the real weakness of the product. All you need to do to stop anyone from using it is enable the option to require a password when the Mac wakes from sleep or the screen saver (in the Security preference pane):

[Screenshot: the “require password” option]

or enable the two keychain lock options, “lock when sleeping” and “lock after N minutes of inactivity” (Keychain Access, Edit menu, “Change Settings for Keychain”):

[Screenshot: keychain options]

Any of these will require a password before giving access to the Mac, so at that point there’s no way to double-click that icon until a password is entered. Oh wait, one more way to thwart the MacLockPick: turn off the Mac. Unless auto-login is enabled the tool can’t be used. (And if auto-login is enabled the tool isn’t needed.)
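As an added example (not from the post and not SubRosaSoft’s code), here is how the two keychain lock options can be checked and set from the command line with the macOS `security` tool instead of clicking through Keychain Access, so the check can be scripted across a fleet. The keychain path, the 300-second idle limit and the format of the `security show-keychain-info` line it parses are assumptions noted in the code; the settings lines in the test are constructed samples.

```python
"""Added example, not the post's or SubRosaSoft's code: inspect and harden the auto-lock
settings of the macOS login keychain with the `security` command-line tool.
Assumptions: the keychain path below, a 300-second idle limit, and that
`security show-keychain-info` reports one line such as
    Keychain "/Users/me/Library/Keychains/login.keychain" lock-on-sleep timeout=300s
(or `... no-timeout` when idle locking is off)."""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

LOGIN_KEYCHAIN = Path.home() / "Library" / "Keychains" / "login.keychain"   # assumed path
MAX_IDLE_SECONDS = 300                                                      # assumed policy

_INFO_LINE = re.compile(r'^Keychain "(?P<path>[^"]*)"(?P<flags>.*)$')


@dataclass
class KeychainSettings:
    lock_on_sleep: bool
    idle_timeout: Optional[int]   # seconds; None means it never locks on inactivity


def parse_keychain_info(line: str) -> KeychainSettings:
    """Parse one `security show-keychain-info` output line (format assumed above)."""
    m = _INFO_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show-keychain-info line: {line!r}")
    flags = m.group("flags")
    t = re.search(r"timeout=(\d+)s", flags)
    return KeychainSettings(lock_on_sleep="lock-on-sleep" in flags,
                            idle_timeout=int(t.group(1)) if t else None)


def is_hardened(s: KeychainSettings, max_idle: int = MAX_IDLE_SECONDS) -> bool:
    """The MacLockPick approach needs a keychain that is still unlocked when the
    attacker gets the machine; closing that window needs BOTH lock-on-sleep
    (laptops travel asleep) and a bounded inactivity timeout."""
    return s.lock_on_sleep and s.idle_timeout is not None and s.idle_timeout <= max_idle


def hardening_commands(keychain=LOGIN_KEYCHAIN, idle: int = MAX_IDLE_SECONDS) -> List[List[str]]:
    """The weak default is no lock on sleep and no idle timeout; these two
    invocations turn on both (-l lock on sleep, -u/-t lock after idle seconds)
    and then lock every keychain right now."""
    return [
        ["security", "set-keychain-settings", "-l", "-u", "-t", str(idle), str(keychain)],
        ["security", "lock-keychain", "-a"],
    ]


def current_settings(keychain=LOGIN_KEYCHAIN) -> KeychainSettings:
    """Run `security show-keychain-info`; it may print to stdout or stderr, so read both."""
    r = subprocess.run(["security", "show-keychain-info", str(keychain)],
                       capture_output=True, text=True, check=True)
    for line in (r.stdout + r.stderr).splitlines():
        if line.startswith("Keychain "):
            return parse_keychain_info(line)
    raise RuntimeError("no keychain info line in output")


if __name__ == "__main__":
    if shutil.which("security") is None:
        sys.exit("security(1) not found: this runs on macOS only")
    before = current_settings()
    print("before:", before, "hardened:", is_hardened(before))
    if not is_hardened(before):
        for argv in hardening_commands():
            subprocess.run(argv, check=True)
        after = current_settings()
        print("after: ", after, "hardened:", is_hardened(after))
```

Run it as the user whose keychain is being checked; `set-keychain-settings` will prompt for the keychain password. The two settings map to the two checkboxes in Keychain Access, and `lock-keychain -a` closes the window immediately instead of waiting for the next sleep or idle period.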

The program does the usual forensic things, like not writing to the hard disk while it does its work. It also does everything automatically, so no OS X knowledge is needed. But is that worth $500? What they really seem to be promoting is a way to bypass security; just look at the name. They aren’t cracking any passwords or doing any magic. A non-security professional can get the same information under the same conditions; they just need to know how to start the Keychain Access app and where the files are located. Sure, they automate it, but $500?

Sure, if the “suspect” isn’t security conscious at all you’ll be able to collect the information, but enabling any of these options makes the Mac more secure than the door you have to break through to get to it secretly. Oh wait, maybe the door key is under the mat. I’m heading back to their website to see if they sell a tool to crack a doormat.