Bad Timing

A method of cracking passwords called a "timing attack" may be much easier to pull off than most security experts believe, according to an article Computerworld ran July 15.

A timing attack works by judging the amount of time it takes for a website to reject an incorrect password. By repeatedly trying to log in, using different configurations of characters and measuring how long it takes the computer to respond, hackers can eventually arrive at the correct password. Since some systems check passwords one character at a time, a password that's wrong from its first letter will be rejected faster than one that only begins to be incorrect at its fourth letter.

"Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network" because of how precisely the password rejections must be timed, the article said. "The researchers aim to show that's not the case."

Such attacks work when the hacker has physical access to the computer being cracked but are thought to be more difficult over a network because the network itself can slow website responses, making the interval at which a password is rejected hard to measure.

Nate Lawson, the founder of the security consultancy Root Labs and one of the researchers who discovered this vulnerability, said the concern about network timing is based on a false assumption. Algorithms can be used to avert the delays attributable to the network, he wrote.

Part of the reason timing attacks can work is that many Web applications are written in interpreted languages that are slower to respond to queries, Lawson wrote in the article.

The fix for this problem is easy, he said: Add six lines of code that instruct the website to return failed login notices after the same interval regardless of which character in the password proved false.

Stinky Sniffer

An add-on for the Web browser Firefox called "Mozilla Sniffer" may have stolen the passwords of 2,000 people.

Mozilla Foundation, the nonprofit that makes the popular Firefox browser, said the Sniffer slipped through its screening for add-ons that Mozilla makes available for users to download, Computerworld reported July 14.

The add-on has since been removed from Mozilla's servers, and the Firefox browser should automatically disable the Sniffer without user intervention.

Mozilla typically scans add-ons for known malware, the article said, and is developing a way to take a deeper look at any add-ons it receives to prevent sneakier programs like Sniffer from being distributed.

Sniffer was already categorized as an "experimental" program, which meant users were required to view an extra warning before installing it.

Mozilla is also advising anyone who installed Sniffer to change any of the passwords the program might have observed.

Another add-on, CoolPreviews, was discovered to have a vulnerability that attackers could use to take over computers running it, Computerworld said. The current version of CoolPreviews, which displays a preview of a Web page when users hover the mouse cursor over a link, does not have this flaw; Mozilla has disabled the earlier versions of CoolPreviews that did.

Malicious Shortcut

USB drives are becoming an even more perilous virus carrier.

The devices are already commonly used to spread malicious code because Windows computers can "autorun" any program on a USB device. In response, many security-minded computer users disable the Windows autorun feature. However, a new way has been discovered to launch malicious code without launching a program in the conventional way, Brian Krebs reported July 15 at "Krebs On Security."

Hackers have found a way to launch malicious code by hiding it in — but not actually running — a Windows "shortcut," file, which is normally just a link to a file stored elsewhere.

"Ideally, a shortcut doesn't do anything until a user clicks on its icon," Krebs wrote. "But VirusBlokAda," an antivirus company in Belarus, "found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer," the file navigation system built into Microsoft Corp.'s Windows operating system.

Though this method has not yet been observed in use to steal bank passwords, "it could soon become a popular method for spreading malware," Krebs wrote. "But … this threat seems fairly targeted."

An independent security researcher, Frank Boldewin, said the malware samples he examined seem to target computers used to run manufacturing and power plants.

"Looks like this malware was made for espionage," Boldewin told Krebs.

Droid Control

Motorola Inc. says a security feature of its new Droid X phone is being misinterpreted as a way to exert excessive control over how its customers can use the phone.

The Droid X phone, which runs Google Inc.'s Android mobile operating system, includes a technology called eFuse that prevents the phone from running if it detects any flavor of Android that Motorola has not yet approved — such as the most recent version, nicknamed Froyo — the tech news blog Engadget reported July 16.

"It amounts to a really, really hard slap on the wrist for anyone trying to hack … Froyo onto it," Engadget wrote.

Motorola defended its use of eFuse as a security precaution. "Checking for a valid software configuration is a common practice within the industry to protect the user against potential malicious software threats," Motorola told Engadget.

It stressed that the phone would work again if the user restored its original software.

"So in other words, yes, eFuse will shut down a phone with an unapproved" operating system, Engadget wrote, "but it won't brick the phone."

The blog stressed that this may be only a temporary setback for anyone hoping to tinker on the Droid X handset.

"Knowing the wealth of talent in the Android development community, we're still really hopeful this nonsense is going to get circumvented," Engadget wrote.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.