Security
By Jake Edge August 29, 2012
Data about us—our habits, associates, purchases, and so on—is collected all the time. That's been true at smaller scales for hundreds or even thousands of years, but today's technology makes it much easier to gather, store, and analyze that data. While some of the results of that analysis may make (some) people's lives better—think tailored search results or Amazon's recommendations—there is a strong temptation to secretly, or at least quietly, use the collected data in other, less benign, ways. Because the data collection and analysis is typically done without any fanfare, it often flies under the radar. So it makes sense to stop and think about what it all means from a privacy perspective.
A recent essay by Alistair Croll does exactly that. He notes that we have reached a time when the constraint of "big, fast, and varied—pick any two" for databases is no longer valid. Because of that, it is common for data to be collected without any particular plan for how it will be used, under the assumption that some use will eventually be found. It doesn't cost that much to do, which leads to the rise of "big data".
There are some eye-opening things that can be done using big data. It is not difficult to determine someone's race, gender, and sexual orientation using just the words in their Twitter or Facebook feeds, for example. Much of that information is completely public, and could be mined fairly easily by banks, insurance companies, prospective employers, and so on. Those attributes that can be derived could then be used to set rates, deny coverage, choose to interview or not, and more.
It is easy to forget that the data collection is even happening. "Loyalty" cards that provide a discount at grocery and other stores gather an enormous amount of information about our habits, for example. Deriving race, gender, family size, and other characteristics from that data should not be very difficult. If that information is used to give discounts on other products one might be likely to buy, it may seem relatively harmless. But if it is being sold to others to help determine voting patterns, foreclosure likelihood, or credit-worthiness, things are definitely amiss. But, as Croll points out, that is exactly what is happening with that data at times.
Croll notes several different examples in his essay, but examples are not hard to come by. Almost every day, it seems, there are new abuses, or worries about abuses of big data. People in Texas are concerned about the kinds of data that would be collected by "smart" electricity meters—to the point of running off the smart meter installers. Mitt Romney's campaign for the US Presidency is using a secretive organization to analyze data to find potential donors—President Obama's campaign is certainly doing much the same.
Another example is the "anonymized" data sets that have been released for various purposes over the past few years. They show that it is quite difficult to truly anonymize data. When trying to derive a signal from the data (movie recommendations for Netflix, for example), surprising correlations can be made. This shows the power of big data even when someone is trying not to reveal our secrets in a data set. A new technique may help by providing a way to release data without compromising privacy.
The real problems may come when these disparate data sets are combined. Truly personally identifiable information correlated from multiple sources is likely to give a distressingly accurate picture of an individual. It could be used by companies and other organizations for a wide range of purposes. Those could be relatively harmless, even helpful, or downright malicious depending on one's perspective and privacy consciousness. One organization that is likely quite interested in this kind of data is the same that some would like to turn to for protection from abuses of big data: government.
There are clearly good uses that such data can be put to. Croll identifies things like detecting and tracking disease outbreaks, improving learning, reducing commute times, etc. But the "Big Brother" overtones are worrisome as well. It's not at all clear how regulations would impact the collection and analysis of big data, and governments' interest in using it (for good or "bad" purposes) makes for an interesting conundrum. Until and unless a solid chunk of people are concerned about the problem—and express that concern to their governments and to other organizations in some visible way—things will continue much as they are. In that, the problem is little different than many other privacy issues; those who truly care are going to have to jealously guard their privacy themselves, as best they can.
Brief items
L. If your community is pressuring you to be more restrictive, that’s when it’s time to educate, not capitulate. Overzealous blocking and filtering has real and significant negative impacts on information access, student learning, pedagogy, ability to address required curricular standards, and educators’ willingness to integrate technology. It also makes it awfully tough to prepare students for a digital era.

[...] V. Don’t abdicate your teaching responsibility. Students do not magically gain the ability at the end of the school day or after graduation to navigate complex, challenging, unfiltered digital information spaces. If you don’t teach them how to navigate the unfiltered Internet appropriately and safely while you have them, who’s going to?

-- Scott McLeod gives "26 Internet safety talking points"
"Security" is now a catch-all excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.

-- Bruce Schneier (Thanks to Paul Wise.)
New vulnerabilities
amsn: denial of service
Package(s): amsn
CVE #(s): CVE-2006-0138
Created: August 27, 2012
Updated: August 29, 2012
Description:
From the CVE entry:
aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).
Alerts:
drupal6-ctools: multiple vulnerabilities
Package(s): drupal6-ctools
CVE #(s):
Created: August 29, 2012
Updated: August 29, 2012
Description:
ctools 6.x-1.9 fixes multiple vulnerabilities. See the ctools advisory for details.
Alerts:
flash-plugin: multiple vulnerabilities
Package(s): flash-plugin
CVE #(s): CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168
Created: August 23, 2012
Updated: August 29, 2012
Description:
From the Red Hat advisory:
This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security pages APSB12-18 and APSB12-19, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167)
A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page. (CVE-2012-4168)
Alerts:
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2012-3520
Created: August 23, 2012
Updated: February 10, 2013
Description:
From the Red Hat bugzilla entry:
A flaw was found in the way Netlink messages without explicitly set SCM_CREDENTIALS were delivered. The kernel passes all-zero SCM_CREDENTIALS ancillary data to the receiver if the sender did not provide such data, instead of including the correct data from the peer (as is the case with AF_UNIX). Programs that set the SO_PASSCRED option on the Netlink socket and rely on SCM_CREDENTIALS for authentication might accept spoofed messages and perform privileged actions on behalf of the unprivileged attacker.
Alerts:
mozilla: multiple vulnerabilities
Package(s): mozilla, firefox, thunderbird, seamonkey, xulrunner
CVE #(s): CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964, CVE-2012-3966, CVE-2012-3967, CVE-2012-3968, CVE-2012-3969, CVE-2012-3970, CVE-2012-3972, CVE-2012-3976, CVE-2012-3978, CVE-2012-3980
Created: August 29, 2012
Updated: January 8, 2013
Description:
From the Red Hat advisory:
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)
A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3969, CVE-2012-3970)
Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3967, CVE-2012-3968)
A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3966)
A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3980)
An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash. (CVE-2012-3972)
It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site. (CVE-2012-3976)
A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded. (CVE-2012-3978)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.7 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Jesse Ruderman, John Schoenick, Vladimir Vukicevic, Daniel Holbert, Abhishek Arya, Frédéric Hoguin, miaubiz, Arthur Gerkis, Nicolas Grégoire, Mark Poticha, moz_bug_r_a4, and Colby Russell as the original reporters of these issues.
Alerts:
mozilla: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2012-1971, CVE-2012-1956, CVE-2012-3965, CVE-2012-3971, CVE-2012-3973, CVE-2012-3974, CVE-2012-3975
Created: August 29, 2012
Updated: October 11, 2012
Description:
From the Mandriva advisory:
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2012-1971).
Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting (XSS) attacks (CVE-2012-1956).
Security researcher Mariusz Mlynski reported that when a page opens a new tab, a subsequent window can then be opened that can be navigated to about:newtab, a chrome privileged page. Once about:newtab is loaded, the special context can potentially be used to escalate privilege, allowing for arbitrary code execution on the local system in a maliciously crafted attack (CVE-2012-3965).
Using the Address Sanitizer tool, Mozilla security researcher Christoph Diehl discovered two memory corruption issues involving the Graphite 2 library used in Mozilla products. Both of these issues can cause a potentially exploitable crash. These problems were fixed in the Graphite 2 library, which has been updated for Mozilla products (CVE-2012-3971).
Mozilla security researcher Mark Goodwin discovered an issue with the Firefox developer tools' debugger. If remote debugging is disabled, but the experimental HTTPMonitor extension has been installed and enabled, a remote user can connect to and use the remote debugging service through the port used by HTTPMonitor. A remote-enabled flag has been added to resolve this problem and close the port unless debugging is explicitly enabled (CVE-2012-3973).
Security researcher Masato Kinugawa reported that if a crafted executable is placed in the root partition on a Windows file system, the Firefox and Thunderbird installer will launch this program after a standard installation instead of Firefox or Thunderbird, running this program with the user's privileges (CVE-2012-3974).
Security researcher vsemozhetbyt reported that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and can potentially be combined with other attacks to become exploitable (CVE-2012-3975).
Alerts:
phpmyadmin: information leak
Package(s): phpMyAdmin
CVE #(s): CVE-2012-4219
Created: August 29, 2012
Updated: August 29, 2012
Description:
From the CVE entry:
show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message, related to lack of inclusion of the common.inc.php library file.
Alerts:
phpmyadmin: cross-site scripting
Package(s): phpmyadmin
CVE #(s):
Created: August 27, 2012
Updated: August 29, 2012
Description:
From the phpmyadmin advisory:
Using a crafted table name, it was possible to produce an XSS:
1) On the Database Structure page, creating a new table with a crafted name
2) On the Database Structure page, using the Empty and Drop links of the crafted table name
3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links
4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup
5) When creating a trigger for a table with a crafted name, with an invalid definition.
Having crafted data in a database table, it was possible to produce an XSS:
6) When visualizing GIS data, having a crafted label name.
Alerts:
roundcubemail: cross-site scripting
Package(s): roundcubemail
CVE #(s): CVE-2012-3507, CVE-2012-3508
Created: August 29, 2012
Updated: October 11, 2012
Description:
From the CVE entries:
Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject. (CVE-2012-3507)
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. (CVE-2012-3508)
Alerts:
rubygem-actionpack: three cross-site scripting vulnerabilities
Package(s): rubygem-actionpack
CVE #(s): CVE-2012-3463, CVE-2012-3464, CVE-2012-3465
Created: August 23, 2012
Updated: March 29, 2013
Description:
From the Red Hat bugzilla entries [1, 2, 3]:
CVE-2012-3463: When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
CVE-2012-3464: The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable; however, all users running an affected release should still upgrade.
CVE-2012-3465: There is an XSS vulnerability in the strip_tags helper in Ruby on Rails; the helper doesn't correctly handle malformed HTML. As a result an attacker can execute arbitrary JavaScript through the use of specially crafted malformed HTML. All users who rely on strip_tags for XSS protection should upgrade or use the workaround immediately.
Alerts:
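The unescaped select prompt (CVE-2012-3463) and the missing single-quote escape (CVE-2012-3464) are easiest to understand side by side. The Ruby below is an added example written for this page, not code from Rails or from the bugzilla entries: it pairs an escaper that, like the affected Rails code, leaves the single quote alone with one that escapes all five significant characters, and a crude attribute-count check shows why the gap only matters once untrusted text lands inside a single-quoted attribute. The helper names, the prompt markup and the sample input are all made up for the illustration.

```ruby
# Added example, not Rails' own code. Helper names are hypothetical.

# Escaper with the gap described in CVE-2012-3464: &, <, > and " are
# escaped, but the single quote passes through unchanged.
def escape_without_single_quote(text)
  text.to_s.gsub(/[&<>"]/,
                 '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;')
end

# Hardened escaper: the single quote becomes &#39;, so untrusted text can
# no longer terminate a single-quoted attribute value.
def escape_html(text)
  text.to_s.gsub(/[&<>"']/,
                 '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                 '"' => '&quot;', "'" => '&#39;')
end

# Stand-in for a select "prompt" option (CVE-2012-3463). Passing no escaper
# reproduces the unescaped behaviour; passing escape_html is the fixed form.
def prompt_option(prompt, escaper = nil)
  body = escaper ? escaper.call(prompt) : prompt.to_s
  "<option value=\"\">#{body}</option>"
end

# Renders one single-quoted attribute with the chosen escaper. Rails' own
# helpers use double quotes, which is why most applications were not exposed.
def single_quoted_attr(name, value, escaper)
  "<span #{name}='#{escaper.call(value)}'>"
end

# Crude check used to show the effect: count the name='value' attributes an
# HTML parser would see in the rendered tag. A value containing a raw single
# quote closes the attribute early and lets a second attribute appear.
def attribute_count(tag)
  tag.scan(/\s[\w-]+='[^']*'/).length
end

if __FILE__ == $PROGRAM_NAME
  # Constructed untrusted input: tries to close the attribute and add another.
  untrusted = "x' data-injected='1"
  puts single_quoted_attr("title", untrusted, method(:escape_without_single_quote))
  puts single_quoted_attr("title", untrusted, method(:escape_html))
  puts prompt_option("<b>Pick one</b>")
  puts prompt_option("<b>Pick one</b>", method(:escape_html))
end
```

Run as a script, the first line printed shows two attributes where one was intended, the second shows the value safely contained, and the last two show the prompt text rendered as markup versus as text. The attribute counter is deliberately naive; it exists only to make the difference between the two escapers observable without a browser.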
Page editor: Jake Edge