Can the WebRTC standard rid users of browser security concerns?
June 25, 2013
There's a new kid on the block and not too many people have heard of him yet, except some people in the internet security segment of the industry.
It's called 'WebRTC' and it may very well sound like yet another Internet acronym, but what it promises to bring to web browsers could simply be the death knell for those eternal plugins. And WebRTC is now available with the latest version of Mozilla's Firefox.
WebRTC is a new protocol and it stands for Web Real-Time Communications. Following the recent introduction of the protocol to Google's Chrome browser, today's update to Firefox makes it the second browser to support the plugin-free protocol.
Ask just about any internet security expert and he or she will tell you that browser plugins are some of the most abused pieces of software when it comes to internet security issues.
The debut of WebRTC in Firefox version 22 is quite a big deal, and some have been waiting for it for many months already.
"Browser plugins are the single largest source of internet security problems and of various stability issues that we see," said Johnathan Nightingale, Mozilla's vice-president of engineering for Firefox.
WebRTC is planned for Firefox for Android, which also updated today, but it has yet to be added to the mobile browser.
On its surface, WebRTC sounds a bit like Skype. It lets you conduct voice and video calls from one browser to another via its PeerConnection component, but it also lets you transfer data directly between two browsers, thanks to a component called DataChannels. Both were added in today's new stable version of Firefox.
"Actually, how is it different from Skype misses the point of it," said Nightingale, who nearly bounced with enthusiasm in his seat while talking about WebRTC. "It's a lot bigger than that. It's eight million developers who have access to the Web camera, or one of those audio remix tools, online."
"ASM.js plus is fast," said Nightingale. So fast, he explained, that developers at the gaming company Epic were "jumping up and down."
During a quick demonstration of ASM.js last month, we saw the code powering a first-person shooter that appeared to render in Firefox nearly as smoothly as native code on a console.
Other changes in Firefox for desktops include better WebGL performance thanks to asynchronous canvas updates, which means that your browser will use your hardware's graphics chip more efficiently. There's also better memory management when loading images.
There's also support for the Web Notifications API, which will let Web updates appear in browser tabs. And, last but not least is adding a download progress indicator to the Dock icon on Macs.
Firefox for Android v. 22 doesn't yet have WebRTC or ASM.js support, although eventually both will come to the mobile browser, Nightingale added.
Tuesday's update to Android Firefox does include the WebGL improvements, the Web Notifications API, and smaller Android tablets will now see the tablet version of the interface, as opposed to the phone version.
For now, it's still not clear how, or even if, the browser differentiates between phones and tablets, though.
In other internet security news
Edward Snowden, the NSA whistleblower against the U.S. government, left Hong Kong for Moscow this morning, challenging several attempts by the United States to extradite him back to the U.S. under espionage charges.
According to a few unconfirmed reports, Snowden left Hong Kong yesterday, flew to Russia, stayed there for a few hours and is now on his way to Cuba. There's no question that he's on the run, but there are still conflicting reports that he might still be in Russia as of this morning.
In a statement issued this morning, the Hong Kong government confirmed that Snowden had left the country on "his own volition for a third country through a lawful and normal channel".
According to the statement, Hong Kong had no legal basis to stop him from leaving the country, as "documents provided by the U.S. government didn't fully comply with Hong Kong's laws".
And to complicate matters even more, Hong Kong has formally requested clarification on "earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies."
"The Hong Kong government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong," the message read.
On Friday June 21st, the U.S. Department of Justice (DoJ) formally charged Snowden with spying against the United States government.
Snowden, a former security contractor, leaked the existence of The PRISM Project to The Guardian Newspaper and The Washington Post, which published several details of this NSA secret surveillance program two weeks ago.
The U.S. government had also asked Hong Kong to issue a provisional arrest warrant for Snowden, the Hong Kong Special Administrative Region said in a statement. But HKSAR officials said there were issues with the request.
Hong Kong's lack of intervention came after Snowden told the South China Morning Post that U.S. intelligence agents have been hacking computer networks in Hong Kong and mainland China for years.
Hong Kong said it wanted to have some words with the United States about that. "The HKSAR government has formally written to the U.S. government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies," Hong Kong officials said in the same statement.
U.S. federal prosecutors have charged Snowden with theft of government property, unauthorized communication of national defense information, and willful communication of classified communications intelligence to an unauthorized person or group of people.
The latter two allegations amount to espionage under the federal Espionage Act. News of Snowden's departure followed a day of intense speculation over whether Hong Kong would extradite him back to the United States.
Hong Kong Executive Council member Regina Ip said authorities could arrest Snowden if his actions qualify as criminal under Hong Kong law, China's state-run Xinhua news agency reported earlier Sunday. The executive council decides on policy matters for Hong Kong, a special administrative region of China.
But if the charges against him were deemed to be political in nature, the 30-year-old would not be extradited, Ip told the Xinhua News Agency.
Snowden has admitted in several interviews that he was the source behind the leaking of classified U.S. government documents about the NSA's surveillance programs. Those leaks were the basis of reports in Britain's Guardian newspaper and The Washington Post two weeks ago. The Guardian revealed Snowden's identity at his request.
The documents revealed the existence of programs that collect records of domestic telephone calls in the United States and monitor the Internet activity of overseas residents.
The revelation of the leaks rocked the White House and U.S. intelligence community, raising questions about secret operations of the NSA and whether the agency was infringing on American civil liberties or not.
President Obama, top legislators and U.S. national security officials defend the surveillance programs as necessary to combat global terrorism and argue that some privacy must be sacrificed in a balanced approach.
Last week, Snowden threw a curve at GCHQ, the U.K.'s counterpart to the NSA, when he exposed massive data leaks by the security agency.
In other internet security news
A nasty IT oversight released hundreds of photos of suspected criminals on the web. But it got a lot worse when the details of the British citizens who reported them over the internet got published as well.
The Facewatch website, which allows police and businesses in Britain to upload and share evidence of alleged petty crimes, was left wide open thanks to a nasty web server misconfiguration.
The error allowed anyone to easily access a huge trove of CCTV footage, including images and information about companies that sign up to the service.
We were able to look through about 4,250 records containing photos and videos of suspects dating back to March 2011.
We saw shoplifters stealing various merchandise from department stores, a man waving a long stick inside a check cashing service outlet, and people looking rather suspicious in some packed pubs presumably just before a crime took place.
Some of the images even had names on them, which would be legally problematic for the site's owner(s) if those pictured turned out to be innocent.
We also saw long lists of stores around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any criminal wishing to intimidate a witness or take revenge on the person who reported them to the police.
Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of various betting offices.
Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court. Publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or it could simply ruin their reputation for a very long time.
Blighty's privacy watchdog, the Information Commissioner's Office (ICO), told us it was beginning inquiries that could lead to a formal investigation.
A spokesman said: "We have recently been made aware of a possible data breach which appears to involve the Facewatch website. We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken."
The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.
But now with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.
Worse: you didn't have to be a small-time thief or an expert hacker to get into the sensitive files. All that was required was changing "http" to "https" in the website's address and all the information was there to be accessed.
Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of directories on the web server rather than serving the intended web pages. Visiting http://facewatch.co.uk/ redirects to http://facewatch.co.uk/cms/, but this didn't happen on the HTTPS site, which instead revealed an index of the server's root directory. That index could be browsed to find a lot of website code, databases of users and various folders packed with hundreds of images.
We were told about the security flaw by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, we found https://facewatch.co.uk/ and it gave us full read-only access to Facewatch's file tree.
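The misconfiguration described above, reconstructed as an added nginx example (this is not Facewatch's actual configuration; the document roots, certificate paths and the exact server layout are assumptions): the weak HTTPS server block beside a corrected one in which both ports share one document root, the same redirect, and no directory listings.

```nginx
# Weak configuration (constructed illustration of the flaw described above).
# Only the HTTP block redirects / to /cms/; the HTTPS block has its own root,
# set one level too high, with directory listings switched on.
server {
    listen 80;
    server_name facewatch.co.uk;
    root /var/www/site/public;                       # assumed path
    location = / { return 301 http://facewatch.co.uk/cms/; }
}
server {
    listen 443 ssl;
    server_name facewatch.co.uk;
    ssl_certificate     /etc/ssl/placeholder.crt;    # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;    # placeholder
    root /var/www;          # whole server tree (code, databases, uploads) is under here
    autoindex on;           # any path without an index file gets a directory listing
    # no redirect for /, so https://facewatch.co.uk/ shows "Index of /"
}

# Corrected configuration: one server block for both ports, so the redirect
# and the document root cannot drift apart; listings disabled; anything that
# is not a public file is denied outright.
server {
    listen 80;
    listen 443 ssl;
    server_name facewatch.co.uk;
    ssl_certificate     /etc/ssl/placeholder.crt;    # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;    # placeholder
    root /var/www/site/public;                       # assumed: only public files live here
    autoindex off;                                   # the default, stated explicitly
    location = / { return 301 /cms/; }               # same behaviour on http and https
    location ~ /\.  { deny all; }                    # dotfiles, e.g. .git, .env
    location ~* \.(sql|db|bak|old|zip|tar|gz)$ { deny all; }  # assumed sensitive types
    location / { try_files $uri $uri/ =404; }         # a directory without index.html is a 404
}
```

As a check on your own host, `curl -sI https://HOST/` should return the same 301 as the plain-HTTP site, never a 200 whose body begins with "Index of /".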
We reported the security flaw to Facewatch, which closed the hole immediately. The organization's chairman told us the "accessible code was related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crimes to contact those who reported a crime on their behalf."
The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety".
He continued: "We have undertaken some strong penetration testing to ensure that the data stored in the Facewatch systems is very secure and we can confirm that all personal data is secure and that our systems are safe. The URL to which you referred us has been closed as this is no longer in use."
No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.
The chairman added that some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times. Besides letting officers and authorized people upload files, Facewatch lets British citizens use their mobile phones to view CCTV still shots and other images of people wanted for questioning by the police.
Facewatch's chairman, Gordon, claimed that some of the images we found on the server were part of that public mug-shot gallery.
"Some residual photos of individuals that the police would like to contact in relation to certain reported crimes were in fact available. Those images had been made available to see if members of the public would be able to help with their identification," Gordon added.
In other internet security news
According to a new study from the University of Erlangen in Germany, Apple's iPhone devices being used as Wi-Fi hotspots are open to attack because of weaknesses in the automatic password generation system Apple has in place.
Called "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots," the paper reveals that the seemingly random password iOS generates for hotspots is easy to crack.
It consists of only four to six characters followed by a four-digit number string. As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password every time, although the team points out it isn't suggesting Apple used the same dictionary.
Using an AMD Radeon HD 6990 GPU, the average time to crack was just 59 minutes. The team then reverse-engineered the iOS word list used for password generation, using "static and dynamic analysis," tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks.
They discovered that Apple uses English-language words of between four and six letters from a dictionary made by Lernout & Hauspie Speech Products.
"Only 1,842 different entries of that dictionary are taken into consideration," the paper states. "Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96 percent and thus increased the overall cracking speed significantly."
Additionally, the selection of words picked for passwords was skewed. For example, the word "suave" was used 0.08 percent of the time, while "subbed" cropped up 0.76 percent of the time and "head" 0.53 percent, ten times the frequency they should have had under a random selection.
By frontloading these selections into any attack code, the chances of cracking the system quickly are greatly increased.
The team also decided to upgrade their hardware to bring down search times and built a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. Users should set their own password instead, the team recommends.
As a test case, the security team built an iOS application dubbed "Hotspot Cracker" which could be used to try out an attack against a target phone. This was limited by the processing power of the smartphone, but can be used in conjunction with a cloud password cracking service.
Once the password has been compromised, the operator can piggyback on the hotspot's bandwidth, stage a man-in-the-middle attack for eavesdropping, and then get access to files stored on the device.
Jailbroken iPhones are extra risky since they could even allow access to the basic iPhone system services code. While the researchers concentrated on Apple, they noted that other mobile operating systems could also be affected.
To be sure, Microsoft's Windows Phone 8 uses a similar password system that doesn't even use words, relying instead on eight-digit number strings alone.
Android is somewhat better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the University says.
"The results of our analysis have demonstrated that the mobile hotspot feature of smart devices increases the attack footprint in several ways," the team concludes.
"As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future," the report added.