Security Watch
Numerous Critical Flaws Fixed in Latest Firefox Update
Firefox security update fixes five critical vulnerabilities, a hacker is arrested for cracking VoIP networks, Circuit City's Web site is hacked, and more.
Twelve security vulnerabilities were patched in the latest Firefox security update, v1.5.0.4. Five of the patched vulnerabilities were deemed "critical," including those that would allow an attacker to take control of the victim's system.
Firefox has been frequently touted as a secure alternative to Internet Explorer, but without getting into a discussion of how many more vulnerabilities one has versus the other, remember that all products have vulnerabilities.
Hacker cracked Net phone networks for gain, feds say: U.S. federal authorities
arrested Edwin Pena on charges he fraudulently
forwarded Voice over IP traffic from his customers through others to
avoid having to pay the charges required to fulfill the connections. One VoIP
completion provider completed 500,000 calls from Pena's customers, it's
claimed.
It's difficult to determine from the story whether the attack exploited
a weakness in VoIP itself, or in the servers used to route VoIP calls to completion
providers (companies that link the VoIP traffic to the Public Switched Telephone
Network).
According to reports, Pena "modified" the identifier used in VoIP
packets to tell VoIP completion providers whom to bill for the call. However,
the story also refers to Pena compromising the VoIP servers of a New York company
and using that server to re-route his calls.
It would seem to us that this is not a compromise of VoIP as a protocol, but
instead a compromise of a VoIP server implementation. In fact, it could be likened
to leaving your SMTP server open as a mail relay. If you are allowing VoIP clients
to use your server to route calls to completion providers, you must ensure adequate
steps have been taken to prevent any client other than your own trusted clients
from connecting to your server.
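The open-relay analogy suggests a concrete check a VoIP operator can run over its own call records. The example below is added here and is not code from the column or from any VoIP product; it assumes a hypothetical call-detail record layout (source address, billing identifier, callee, completion provider) and a constructed table of trusted client addresses. It flags the two conditions the story describes: calls relayed to a completion provider from a source that is not one of your trusted clients, and calls whose billing identifier does not match the account bound to the source that placed them.

```python
from dataclasses import dataclass

# Hypothetical call-detail record: the fields a relaying VoIP server would log
# for each call it hands to a completion provider. Constructed for this example.
@dataclass(frozen=True)
class CallRecord:
    src_ip: str     # address the call was accepted from
    bill_to: str    # identifier the completion provider will bill
    callee: str     # dialled number
    routed_via: str # completion provider the call was forwarded to

# Constructed allowlist: the only addresses allowed to relay through this
# server, each bound to the one account it is permitted to bill.
TRUSTED_CLIENTS = {
    "10.0.5.10": "ACCT-001",
    "10.0.5.11": "ACCT-002",
}

UNTRUSTED_SOURCE = "open relay: untrusted source relayed to completion provider"
BILLING_MISMATCH = "billing identifier does not match account bound to source"

# Constructed sample records (not real traffic).
SAMPLE_CDRS = [
    CallRecord("10.0.5.10", "ACCT-001", "+14155550100", "provider-a"),
    CallRecord("203.0.113.7", "ACCT-001", "+442079460001", "provider-a"),  # outsider billing our account
    CallRecord("10.0.5.11", "ACCT-001", "+33170000001", "provider-b"),     # trusted client, wrong account
    CallRecord("10.0.5.11", "ACCT-002", "+33170000002", "provider-b"),
]


def audit(records, trusted=TRUSTED_CLIENTS):
    """Return (record, reason) pairs for calls that should not have been relayed."""
    findings = []
    for rec in records:
        expected_account = trusted.get(rec.src_ip)
        if expected_account is None:
            # Anyone on the network could relay through us: the VoIP equivalent
            # of an open SMTP relay.
            findings.append((rec, UNTRUSTED_SOURCE))
        elif expected_account != rec.bill_to:
            # A known client, but the call is tagged so that someone else pays.
            findings.append((rec, BILLING_MISMATCH))
    return findings


def calls_billed_per_account(records):
    """Count relayed calls by billing identifier; a sudden jump is worth a look."""
    counts = {}
    for rec in records:
        counts[rec.bill_to] = counts.get(rec.bill_to, 0) + 1
    return counts


if __name__ == "__main__":
    for rec, reason in audit(SAMPLE_CDRS):
        print(f"{rec.src_ip:>14} bill_to={rec.bill_to} via={rec.routed_via}: {reason}")
    print(calls_billed_per_account(SAMPLE_CDRS))
```

The same two tests belong at the point where the server accepts a call, not only in an after-the-fact audit: refuse the connection unless the source is a trusted client, and set the billing identifier from the authenticated client rather than trusting whatever the client placed in the packet.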
Circuit City warns of online forum attack: Part of the Circuit City
Web site was hacked and used in an attempt to install malicious code on PCs
of unwitting visitors, the electronics retailer said Thursday.
We at Cybertrust Inc. have cited PHP as a problem vector numerous times in
the past. In general, we do not believe our customers are using PHP widely on
their own Web sites. In this case, Circuit City itself was not using PHP, but
the third party that provided it with the forum site did use PHP. More importantly,
that company used PHP insecurely on behalf of Circuit City. Remember that when
you use third parties to host your brand, you must perform a reasonable audit
of their security practices, or your brand may end up associated with a security
story like this one.
Millions in danger from chip and pin fraudsters: According to experts
in the United Kingdom, chip and pin bank cards in the U.K. have been deployed
using Static Data Authentication. SDA reuses authentication information to sign
transactions, as opposed to Dynamic Data Authentication (DDA), which provides
a unique signature for each transaction. This fact, coupled with the fact that
shop terminals have a 1 in 5 chance of not actually connecting with the issuing
bank during the transaction, means that cloned SDA cards could go unnoticed.
This column was originally published in our weekly Security Watch newsletter.
Well, the story would certainly seem to be reaching for a point. Given that
criminals will have no way of knowing whether their use of a cloned card will
or won't trigger a fraud alert (in other words, whether it is one of the 4 out of 5 times
a fraud alert would be generated for a cloned card), we can hardly imagine that
millions of card holders are going to be subjected to cloning crime. Yes, theoretically
the experts are right; however, in practice, would you take the risk? Unmanned
terminals are the only places where such a risk could be deemed reasonable, but
one might assume such terminals will be backed up with cameras adequate to get
some other form of identification of the fraudster.
All that said, the only justifiable reason to opt for SDA instead
of DDA is if a terminal had to handle such a high volume of transactions that
the delay of having to repeat an authorization attempt could not be tolerated.
We're hard pressed to think of a good example of such a terminal.
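To make the SDA versus DDA distinction concrete, here is an added example that models both offline checks; it is not code from the column and is not an EMV implementation. It uses textbook RSA with tiny primes as a stand-in for the issuer and card keys (insecure, for illustration only), SHA-256 in place of the EMV hash, and constructed card data. Under SDA the terminal only verifies a static issuer signature over data that a clone can copy, so the clone passes; under DDA the terminal sends a fresh challenge that must be signed by a private key that lives in the chip, which a copy of the card's readable data does not contain. This is the offline path a terminal takes when it does not connect to the issuing bank.

```python
import hashlib
import secrets


# Toy textbook RSA with tiny primes: a stand-in for the issuer and card RSA keys
# in EMV, used only to make the SDA/DDA difference visible. Not secure.
def make_keypair(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


# Constructed issuer key; the terminal holds only ISSUER_PUB.
ISSUER_PUB, ISSUER_PRIV = make_keypair(61, 53, 17)


def issue_sda_card(pan: str) -> dict:
    """SDA: the issuer signs the card's static data once, at personalisation."""
    static = f"PAN={pan};EXP=0609".encode()  # constructed card data
    return {"static": static, "issuer_sig": sign(ISSUER_PRIV, static), "_card_priv": None}


def terminal_check_sda(card: dict) -> bool:
    """Offline SDA check: the same static signature is accepted every time."""
    return verify(ISSUER_PUB, card["static"], card["issuer_sig"])


def _cert_body(card: dict) -> bytes:
    return card["static"] + f";CARDPUB={card['card_pub']}".encode()


def issue_dda_card(pan: str) -> dict:
    """DDA: the card gets its own keypair; the issuer certifies the public half."""
    card_pub, card_priv = make_keypair(101, 103, 7)
    card = {"static": f"PAN={pan};EXP=0609".encode(), "card_pub": card_pub, "_card_priv": card_priv}
    card["issuer_sig"] = sign(ISSUER_PRIV, _cert_body(card))
    return card


def card_sign_challenge(card: dict, challenge: bytes):
    """What the chip does with the terminal's unpredictable number."""
    if card["_card_priv"] is None:
        return None  # a clone has the readable data but not the private key
    return sign(card["_card_priv"], challenge)


def terminal_check_dda(card: dict, rng=secrets.token_bytes) -> bool:
    """Offline DDA check: verify the card certificate, then a fresh challenge."""
    if not verify(ISSUER_PUB, _cert_body(card), card["issuer_sig"]):
        return False
    challenge = rng(4)  # unique per transaction, so a replay is useless
    sig = card_sign_challenge(card, challenge)
    return sig is not None and verify(card["card_pub"], challenge, sig)


def clone(card: dict) -> dict:
    """Copy everything a reader can pull off the card; the private key never leaves the chip."""
    copy = dict(card)
    copy["_card_priv"] = None
    return copy


def demo() -> dict:
    sda, dda = issue_sda_card("4000000000000002"), issue_dda_card("4000000000000002")
    return {
        "sda_genuine": terminal_check_sda(sda),
        "sda_clone": terminal_check_sda(clone(sda)),
        "dda_genuine": terminal_check_dda(dda),
        "dda_clone": terminal_check_dda(clone(dda)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:12s} accepted={accepted}")
```

The `sda_clone` result is the whole point of the news story: an offline terminal cannot tell a copied SDA card from the original, and only the online authorization (the 4-in-5 case) gives the issuer a chance to notice. DDA costs the card one signature per transaction, which is the delay the column refers to.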
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.