According to Engadget, researchers in Japan have demonstrated that any WPA-protected connection using the TKIP algorithm can be broken into within a minute. The details will apparently be revealed September 25th at a tech conference. If you’re running WPA or a WEP/WPA2 combination maybe it’s time to revisit your wifi setup? More…
It’s not a good day to be using Internet Explorer. As reported today by the BBC, if you’re using the world’s most used web browser you’re being advised to switch to an alternative until a reported serious security flaw has been patched. More…
Some of you may remember that back in May we blogged asking for some volunteers to come and trial a safe surfing system called Aladdin.
We are now several months down the line and it’s time to bring the trial phase to an end. We’ve asked those involved in the trial to give us feedback on how the trial went and how it could be improved as a service.
Performing this trial has helped us identify that this type of service is one which would offer great value to our customers, although there is still plenty of work for us to do on aspects of the product before we are in a position to fully launch it.
We’ll let you know as soon as we have further information about how and when we plan to launch our Parental Control product.
Thanks
Chris Parr
If, like me, you’ve seen a recent increase in spam emails relating to ‘breaking news’ from both CNN and MSNBC, you might be interested to know they are related to a potential flaw in how Firefox displays Flash-based adverts.
If you click the URL in the email, you’ll be taken to a website aiming to exploit this by putting a rogue URL in your clipboard, so next time you paste a link in and click ‘go’ you’ll be taken to a site advertising rogue anti-virus software.
More details available at the Beeb: http://news.bbc.co.uk/1/hi/technology/7567889.stm
After a royal ‘sphericals skyward’ by Matasano the other day, Metasploit have finally released an auxiliary module to their framework which exploits the flaw in the DNS protocol*. This is the same flaw that we rolled a fix for (ok, really a workaround, but fixing an entire protocol isn’t something which can be done in a matter of months, let alone weeks or days) recently, but as you already know we’re not like other companies. We have a very quick turnaround on things of this nature, and for other projects in general. No sooner had the flaw been disclosed (without PoC) than NetOps were all over it like a swarm of bees around a honeypot.
That’s great for us, of course, but what about larger companies? Having had experience of big corporate, red-tape is often a hindrance to security rather than a help. Sure, the guys on the ground would have been chomping at the bit to roll out the fix, but there’s every chance it’s been held in testing/approval. That being said, considering the nature and severity of the flaw and the potential impact to customers – not to mention any possibility of liability should any of their customers fall victim to a live exploit – their Ops might very well have dodged the red-tape and gone straight in with a fix. If there’s one thing red-tape can’t stop, it’s a boulder hurtling toward you at a hundred miles an hour – and this really was a potentially huge boulder.
So, are you safer here than anywhere else? Potentially, yes. Because we’re a transparent ISP, we let you know what we’re doing to fix the problems we have – often before you even realise we have a problem. Because of our fast turnaround on rollouts, fixes and especially security updates, we’re in a somewhat unique position in the ISP market to ensure our customers are as protected as they can be. Sure, we’ve had our problems in the past, but we’ve learned our lessons well, put measures in place to prevent recurrence of past woes, and generally put our house back in order – and then some. We’re in a better place now than we’ve ever been. All in all PlusNet is a really good place to be, and the recent release of the exploit code into the Metasploit framework, for me, reinforces that opinion.
* The exploit is available as an auxiliary module to the Metasploit Framework in the form of a Ruby script. Interesting to note, too, that in one of the change reports they used ‘doxpara.com’ (Dan Kaminsky’s domain, the guy who released the information on the flaw) as a default target, but changed it to ‘example.com’. The change was logged with the comment ‘Be nice to Dan’s server’. See, even hackers have a sense of humour.
Much has been made lately of information security breaches… TJX, HMRC, HSBC to name a few have all come under the media spotlight – and they’re just the ones we get to hear about. Behind every high-profile data loss there are a hundred or more that slip by under the radar, and most of them are people at home, blissfully unaware that their computer has been compromised and their identity stolen. Blissful, that is, until their next credit card or bank statement comes through. By then, it’s too late.
So how do we protect ourselves in the Digital Age? Well, there are a few things we can all do – both to protect our identities on-line, and the more sensitive data we own. First, though, it’s worth a quick review of what your identity is. More…
Each year, we publish what we plan to do over the course of the year. You can see what we set out to do last year in our Plans for 2007 post and what we actually did in our update. We might have bitten off more than we could chew…
Here is a quick review of last year and a view of our plans for the next 12 months. So read on to find out what’s coming up. More…
Clickpass has just launched a new OpenID offering which aims to make single sign-in easy enough for the masses. It takes a rather different approach to OpenID than other sites I have tried. The first obvious difference is that sites must, in addition to supporting OpenID, add a special Clickpass button to their sign-in screen. Behind the scenes it also generates a new, unique OpenID URL for each site you use. This is an interesting extra layer of privacy as it makes you completely unidentifiable to the relying party (i.e. the website you are signing in to). I gave it a whirl with Plaxo but was shocked to find that upon clicking the Clickpass button I was taken to a page on clickpass.com which asked me for my Plaxo username and password!
Carsten Pötter has a more in-depth post on this bizarre behaviour of Clickpass. He ends with this thought:
There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.
A comment on that post from Clickpass boss Peter Nixey goes some way to explaining why they chose to do it that way:
We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server – they are submitted directly to the relying party – but nonetheless it would be better not to ask for them at all.
It’s true that the form goes direct to the server of the relying party (it is used to send them the randomly generated OpenID URL), but how is anyone to know that? Half the point of OpenID is avoiding sharing passwords between sites. Most users probably wouldn’t think twice about entering their private login details into a third-party site (especially when presented as part of a login process), but that is exactly the kind of blind trust that we, as conscientious web developers, should be educating against.
Ultimately though I think Clickpass’s biggest problem will be getting sites to implement their special button. There are few enough sites that accept standard OpenIDs.
Here at Plusnet we're always trying to use clever open source things to make our lives easier. Sometimes we write our own and make other people's lives easier too!
We sell broadband, phone, VoIP and more to homes and businesses in the UK. Winner of 9 out of 11 Categories in the 2008 USwitch survey. Winner of "Best Consumer ISP" at 2008 ISPA awards. Voted number 1 in the Broadband Choices 2008 survey.
© Plusnet plc All Rights Reserved. E&OE