SPLASH'11 Compilation - Proceedings of OOPSLA'11, Onward! 2011, GPCE'11, DLS'11, and SPLASH'11 Companion | Year: 2011
News Article | March 15, 2016
A large number of the internet’s major websites still don’t use encryption, or haven’t implemented it correctly, potentially exposing their users to hackers and spies.
Despite a widespread movement toward more encryption on the web, which is commonly referred to as HTTPS and signalled with a green padlock on your browser’s address bar, only 25 of the world’s top 100 websites use it by default, according to a new survey published by Google on Tuesday.
The internet giant published data on other websites, as well as its own services, in an effort to encourage—and perhaps even shame—more site owners and webmasters to adopt better practices to protect users’ privacy and security.
“As more people spend more of their time on the web, [encryption] is an increasingly essential element of online security,” Google employees Rutledge Chin Feman and Tim Willis wrote in a blog post.
Among the sites that still don’t use any encryption, or don’t implement it with all modern protections and by default, there are major news sites, such as those of the BBC, The New York Times, and CNN, as well as most major porn websites and retailers like eBay or Amazon.
While another kind of encryption, that protecting data on people’s phones, is on everyone’s minds, web encryption is also important for regular people’s lives. Without that extra “S,” which signals the use of the encryption standard Transport Layer Security (TLS), everything you do on a site isn’t fully private or secure, allowing anyone that has access to data flowing through the internet to not just see it, but also intercept and manipulate it.
Not using an encrypted connection means a hacker using the same Wi-Fi at your favorite coffee shop could steal your passwords or banking information, and that your internet service provider can better track your online activity and sell your private data to advertisers.
But it also means that a repressive government can know exactly what articles or sites you’re visiting, and could even censor only certain pages within a website. Government spies could also take advantage of the lack of encryption to infect your computer with malware or spyware, or use your connection as part of a cyberattack on somebody else.
“HTTPS provides confidentiality (traffic is unintelligible to those without [encryption] keys) and integrity (traffic is verified when it arrives at its destination as being the same traffic that was sent),” Joseph Hall, the chief technologist with the Center for Democracy and Technology, told Motherboard in an online chat. “Integrity is increasingly the value the entire Crypto War is missing, ensuring that any middleman between the browser and the destination cannot add, subtract, or modify content in transit.”
That’s why privacy and security advocates have been pushing for the whole internet to be encrypted, and not just login portals or pages containing users’ private data.
“This planet is going to need a secure medium of communication, and that’s going to have to be a secure version of the web,” Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, told Motherboard.
Google has been one of the big companies and organizations pushing for more encryption, but others, such as Apple, Mozilla, and the EFF, have all been part of the movement.
There have been several challenges that have been slowing down a fully encrypted web. First of all, getting a TLS or SSL security certificate for a website was expensive and involved considerable bureaucracy. But that’s not the reality anymore, thanks to recent initiatives such as Let’s Encrypt, and CloudFlare’s Universal SSL, which make it easy and free to implement encryption on websites. Last week, the Let’s Encrypt project announced that in just three months since its public launch, it has already provided HTTPS certificates for 2.5 million web domains.
However, for websites with a complex infrastructure, and content served by third parties, such as ads, moving to HTTPS isn’t like just flipping a switch. That’s why websites, especially news ones, can only be encrypted if the ads they are serving are also encrypted.
In the past, Google has called for more encryption across the internet (including emails) and recently hinted that it wanted to shame all websites that didn’t use it. But even Google itself hasn’t achieved the dream of going full HTTPS.
Across Google services, 75 percent of user requests now travel over encrypted connections, up from 52 percent at the end of 2013, according to the company's own data, published in a new section of its transparency report.
But that’s excluding YouTube, which obviously represents a huge amount of traffic to Google servers. Google for now isn’t releasing statistics on the video site, only saying they’re working on it. (A company spokesperson declined to comment.) It’s unclear what this means exactly, but it’s possible that some parts of YouTube still aren’t fully encrypted, or that Google is still surveying the video site’s infrastructure. Google reportedly implemented some HTTPS encryption on YouTube back in 2014, when a researcher revealed that governments using tools from surveillance companies such as FinFisher and Hacking Team were taking advantage of unencrypted YouTube video streams to infect targets with spyware.
One thing is clear: while it may be slow, the movement toward a more encrypted web seems unstoppable. “In 2016 every website needs to be HTTPS, whether it’s a new website coming online, or an old one,” Eckersley said.
News Article | September 7, 2016
Soon, Google Chrome will phase out full support for Flash, meaning that, on most sites, users will have to manually activate the aging software if necessary. The move is largely for security reasons: Researchers regularly find dangerous vulnerabilities in Flash.
On Tuesday, porn site Pornhub said it would be ditching all Flash content from its site, opting instead for HTML5, the most recent version of the web language that offers more support for multimedia content. Since hackers have had a number of successes at compromising porn sites, it’s notable that one of the largest is taking this step, albeit when Flash is already on its last legs.
“It was just a matter of time until we switched, as HTML5 is becoming the standard across platforms. Now makes the most sense as Google and Firefox are slowly pushing Flash support out of their browsers. Plus HTML5 has improved security, better power consumption and it’s faster to load,” Corey Price, vice president of Pornhub, told Motherboard in an email. “All adult sites should make the transition to HTML5. Flash is nearly dead,” he added.
In January, hackers took advantage of two Flash vulnerabilities to deploy malware on Windows machines, which, according to the Guardian, led Mozilla to disable Flash in its Firefox browser until users had updated to a current version. That same month, YouTube announced it would stop serving its videos via Flash for anyone using a modern browser.
The attacks keep coming. In June, Adobe patched a critical vulnerability in Flash that was being exploited in the wild, after fixing other issues in March, April and May of this year as well. In July, Adobe fixed a staggering 52 vulnerabilities in Flash.
At the time of writing, other porn sites including YouPorn, xHamster, and RedTube are all serving their content over Flash in a fully up-to-date Google Chrome browser. RedTube, which is an affiliate of Pornhub, is expected to make the switch in a few weeks, according to a company spokesperson.
YouPorn and xHamster did not respond to a request for comment.
“Support for new technologies is critical to stay ahead of the competition but also to keep up with new performance and security standards imposed by web browsers,” Jérôme Segura, lead malware intelligence analyst at cybersecurity company Malwarebytes, told Motherboard in a Twitter message. “The Flash Player is very much like Windows XP in that its lifespan was extended way past its prime.”
“Contrary to some beliefs, these top adult sites are very concerned about their security and spend considerable resources to keep malicious ads (malvertising) out and also invest in proactive research to secure their infrastructure,” he added.
Pornhub was only serving Flash to a minority of its visitors. According to Pornhub spokesperson Chris Jackson, 70 percent of the company's traffic comes from mobile. However, Price said that, “This transition will affect close to 20 million daily visitors”—so still a relatively large number of users.
“We expect the transition to be seamless for our users. Our new player has been tested for several months on numerous browsers and platforms,” he said.
News Article | April 13, 2016
In February, the FBI was ordered to provide the full malware code used to hack visitors of a dark web child pornography site to the defense in an affected case. Then the Department of Justice pushed back, and asked the judge to reconsider the decision.
But experts feel the FBI may be sitting on something much worse than a tool used to just catch suspected criminals: a vulnerability in the Firefox browser, a piece of software used by hundreds of millions of people all over the world.
“The Tor Browser is simply Firefox running in a hardened mode,” Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, wrote on the Lawfare blog last week. Because the site the FBI took over was on the dark web, visitors typically had to use the Tor Browser to access it.
“While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too,” Weaver added.
In February 2015, the FBI seized child pornography site Playpen, and for 13 days ran it from a government facility in Virginia. During this time, the agency deployed what it calls a network investigative technique (NIT), or in other words, a hacking tool.
According to testimony provided by FBI Special Agent Daniel Alfin, “The NIT was deployed against users who accessed posts in the 'Preteen Videos—Girls Hardcore' forum because users accessing posts in that forum were attempting to access or distribute or advertise child pornography.”
In a more recent affidavit, in response to claims from a technical expert held by the defense, Alfin wrote that, “As used here, a computer 'exploit' consists of lines of code that are able to take advantage of a software vulnerability,” and added that “an 'exploit' allowed the FBI to deliver a set of instructions—the NIT—to Michaud's computer.”
Michaud is one of at least 137 people charged with child pornography offenses in the US as part of the investigation into Playpen, codenamed "Operation Pacifier."
The specifics behind NITs have been disclosed in the past: in a 2012 investigation also targeting suspected child pornography visitors on the dark web, the FBI used a Flash applet from the popular hacking suite Metasploit. But this case is seemingly different, with the Department of Justice fighting to keep details of the technique used on Playpen under wraps, even though the code would only be provided to the defense and under a protective order.
“The FBI's strenuous efforts to shield their exploit from disclosure to me suggests that it likely still works,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call. (Soghoian has been called as an expert by the defense in an affected case.)
If the vulnerability used to hack visitors of Playpen does affect Firefox as well as the Tor Browser, and it has yet to be plugged, “The government is essentially choosing to keep hundreds of millions of people vulnerable in case a few of them turn out to be criminals later,” he said.
Indeed, software vulnerabilities can be discovered by other parties, such as researchers, foreign governments, or criminals.
In an NSA presentation published by The Guardian in 2013, the presenter indicated that the agency needed a “native Firefox exploit” to target Tor Browser users, because of the add-ons bundled with the software, and the general security advice given to users.
But it's important to stress that it is not totally clear whether the FBI did use a zero-day vulnerability. There is the chance that the Department of Justice is trying to avoid revealing extra information about an already public issue or technique, although it's not immediately clear why that would be the case.
Using its NIT, the FBI obtained over a thousand IP addresses for US-based users of Playpen, according to a plea agreement in an affected case. A Europol presentation uncovered by Motherboard claims the agency has generated 3,229 cases as part of Operation Pacifier, including 34 in Denmark. Motherboard also found cases in Chile, Greece and the UK, and potentially related arrests in Turkey and Colombia. An average of 11,000 unique visitors accessed Playpen each week, according to court documents.
“We are in discussions with Mozilla to find solutions to the problem,” Kate Krauss, spokesperson for the Tor Project, told Motherboard in an email.
A spokesperson from Mozilla said, “We are always looking for potential vulnerabilities in Firefox but, without more information, we cannot investigate whether the FBI used a specific vulnerability. When we become aware of vulnerabilities, we aim to fix them in a timely fashion.”
“The Tor Browser is based on Firefox but also has some Tor-specific code. As said, without more information, we have no way of knowing whether a specific issue in the Tor Browser also affects Firefox,” the spokesperson added.
Mozilla said it has never received a vulnerability disclosure from the FBI, and the Tor Project said it has not received a disclosure from any US agency since March 2015, when the Playpen operation ended.
“I cannot comment at all on potential vulnerabilities,” Christopher Allen, a spokesperson for the FBI, told Motherboard in an email.
News Article | January 24, 2016