SSL Hole Cracks Open Secured Web Traffic
Nov 5, 2009 - A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands.
Taking advantage of the flaw requires accessing the specific network traffic between a client, such as a Web browser, and a Web or other server. That means most home users probably wouldn't be specifically targeted by one of these potential man-in-the-middle attacks, according to discoverer Marsh Ray, a security researcher at PhoneFactor, which provides phone-based two-factor authentication solutions.
However, businesses and organizations are likely targets. Per Ray, any SSL-protected traffic could potentially be vulnerable, whether it's for an https site, secured database communications, or a secured e-mail connection. The problem doesn't allow for decrypting and stealing SSL-encrypted data outright, but instead allows for inserting any command into the communications stream.
That would be bad enough for https traffic, where a victim Web browser could be made to post data to an attacker-controlled site. And it could prove devastating for a database server.
Ray says PhoneFactor originally found the flaw in August while performing internal security testing and kept it quiet while affected vendors and software groups worked on a fix. But in the meantime, an independent researcher also found the flaw and the news broke.
Patches are underway but not yet available. The currently proposed fix will require patching all client and server applications, including Web browsers, e-mail programs and any other programs using SSL libraries, according to Ray.
PhoneFactor's post on the problem is up on the company's site, and a security researcher named Chris Paget has posted his thoughts on the subject (scroll down to the comments to see some back-and-forth between Ray and Paget). The IDG news service also has a good story up on the topic.
Advertisers face resistance to on-line tracking
Nov 7, 2009 - MADRID (AFP) - Campaigners are stepping up efforts to curb online tracking of Internet use by firms that deliver adverts tailored to the specific interests of consumers, as polls reveal widespread unease with the practice.
Corporations have always collected personal data on the people who buy their products but in the past this information came from sources such as magazine subscriptions and warranty cards, experts at a three-day privacy conference that wrapped up Friday in Madrid said.
Now it is flowing at breakneck speed into databases from multiple online sources, from dating services to newspaper websites, giving companies the unprecedented power to create detailed profiles of their customers, in many cases without their being aware of it, they added.
"There are so many grey areas in advertising that if the end user knew about it all, it would make their hair grey," said Jorg Polakiewicz, the head of the law reform department at the Council of Europe, a European rights watchdog.
The body is working on a new legal instrument on consumer profiling that it hopes will assist its 47 member states to better protect individuals from abuses, he added. So far only a few member states have legislation in place.
In the United States, Rick Boucher, the Democratic chairman of the House of Representatives' Energy and Commerce Subcommittee on Communications, Technology and the Internet, announced in September that he planned to introduce privacy legislation to regulate this so-called behavioral targeting of consumers.
The move towards greater regulation comes as surveys in the United States and Europe show that a majority of consumers on both sides of the Atlantic are against corporations monitoring their Internet use for marketing purposes.
Two-thirds of Americans object to targeted online ads, according to one of the first independent surveys to examine the issue, carried out by the University of California and University of Pennsylvania and published last month.
In the European Union 60 percent of people are concerned about the commercial use of data, according to a European Commission survey carried out in April, said Willemien Bax, the deputy director general of European Consumers' Organization BEUC which is pushing for tougher restrictions.
"It is very important that consumers are firmly in control of their personal data. I think it is unacceptable that our profiles are built up and we cannot see what they are," she said.
Some major corporations have reacted to the concerns by imposing their own limits on the use of online tracking of consumers.
Visitors to Web pages belonging to Procter & Gamble, the world's largest household products maker, "must opt in to have an online relationship" with the company, according to the firm's global privacy executive, Sandra R. Hughes.
The company also has set up a privacy education Web page and it provides consumers with examples of what kind of adverts and discounts they will receive if they agree to provide personal details.
But Jeffrey Chester, the executive director and founder of the Center for Digital Democracy, a US consumer watchdog group, said such efforts to self-regulate are largely a failure and stricter legal safeguards are needed.
"Self-regulatory schemes are inadequate, they fail to address the key issues," he said.
Internet, Cell Phones Don't Increase Isolation, Study Says
Nov 8, 2009 - If you're worried that your employees or children are disengaging from the world by using the Internet and cell phones, relax. A new study from the Pew Internet and American Life Project found that these technologies have not increased social isolation in the U.S.
The Personal Networks and Community Survey is the first to examine this issue. It found that the amount of "severe isolation" has hardly changed since a previous study, which was conducted in 1985 before these technologies emerged. About six percent of adults, roughly the same as in 1985, report they have no one in their life that they consider "especially significant" and with whom they can discuss important issues in their lives.
Larger Discussion Networks
The study found that Internet-based activities and cell-phone ownership led to "larger and more diverse" discussion networks. And the use of social media is more likely to lead to discussion networks among people from different backgrounds, such as those of another race or a member of another political party. Facebook and blog writing were specifically cited as helping a person have a more diverse social network.
In spite of worries that using a global Internet would tend to limit people's local activities, the study found little or no such impact. Internet users, for instance, are as likely to visit neighbors as non-Internet users, and cell-phone users, people who use the Internet often at work, and bloggers are more likely to belong to a youth group, a charitable organization, and the like.
Some kinds of social networking, such as MySpace or Facebook, have become a kind of neighborhood involvement, according to Pew. Any frequent Facebook user, for instance, can describe using the service to keep up with friends, even if they live nearby. In fact, the Internet is used as much for contact with people in one's local community as with people far away.
'Expand People's Social Sphere'
Pew also said the Internet doesn't discourage people from going to public places, like parks, cafes and restaurants, where a more diverse social network can be found. In fact, many public places, such as libraries and some coffee shops, now offer Internet access.
Next to in-person contact, contact by mobile phone is already the second most popular way of staying in touch with friends and family. In order of average frequency of contact with one's core network, in-person contact is 210 days annually, contact over mobile phones is 195 days, and landline is 125. Other means, in descending order, are text messaging, e-mail, instant messaging, contact through social-networking sites, and cards or letters.
Michael Gartenberg, a vice president at industry research firm Interpret Research, wasn't surprised by the survey's results. Internet-based social media, he pointed out, are intended to "expand people's social sphere," and they often end up helping users to "reconnect to people with whom they might have lost touch."
At this point in history, he noted, "we have an unprecedented ability to communicate with people in real time, anywhere on the planet, from any place we are," and we have tremendous capabilities to extend our social presence beyond the physical. Gartenberg said the bottom line is that "we're in uncharted territory."
The Pew study was based on telephone interviews of a nationally representative sample of 2,512 adults in the continental U.S., using a combination of landline and cellular random dialing.