Security Advisor

Microsoft Voices Concern About Competing Browsers Running WebGL

The company says the 3D Web standard is a security risk. Plus: Hackers breach Sega's database, resulting in the loss of customer data; Symantec warns of a Trojan that steals online currency; attackers take to the phones to get you to install malware.

Microsoft's high-profile "diss" last week (as in disapproval not disrespect) of graphics standards used by the Mozilla Firefox and Google Chrome browsers is what those in the Windows IT security community are buzzing about to begin the week.

At issue is what's called WebGL (Web Graphics Library), an application programming interface (API) that lets a Web page render 3D graphics inside a supported browser session -- in this case Firefox and Chrome, with support in development for Safari and Opera (all direct competitors of Internet Explorer).

WebGL allows 3D graphics to run without the need for plug-ins, and Microsoft has labeled that architecture a security risk. Microsoft's objections are that WebGL directly exposes graphics hardware (and the graphics driver stack beneath it) to untrusted Web content, that it relies too heavily on third parties such as driver vendors to keep that exposure safe, and that it opens up what Microsoft called "problematic denial of service (DoS) scenarios."

On its face, pointing out a flaw in competitors' products might seem to be the motivation, but both Microsoft and US-CERT (the United States Computer Emergency Readiness Team) have pointed to studies from Context Information Security that were critical of WebGL. Whatever the impetus for the WebGL bashing, the two reports, WebGL -- A New Dimension for Browser Exploitation and WebGL -- More WebGL Security Flaws, make a compelling case for further research on the issue.

For its part, Mozilla, the open source organization behind Firefox, responded through Mike Shaver, its VP of technical strategy, who said Microsoft's concerns "were reasonable" and part of continued discussions, but that the same trepidations and concerns could also be leveled at "whatever hardening (Microsoft) applied to the low-level D3D API wrapped by Silverlight 3D," which Shaver said points to the same issues in a "Microsoft WebGL implementation as well."

Who is right is, at this point, guesswork and somewhat beside the point. But when it comes to graphics standards and user safety, an impartial third party to monitor and amend the standard as needed might not be such a bad idea.

No Longer Playing Games
It's game on for hackers, but video game and media companies don't think a recent slew of hack attempts and incursions into databases are anything to play with. Joining Sony, which recently took millions in special charges related to a large-scale hack, is Sega. As the week began, accounts from Reuters and other news outlets reported that hackers grabbed sensitive information on 1.3 million customers from Sega's database. Other reports say the Sega customer data is, at the very least, compromised. Sega finally responded in a widely released statement saying Sega Pass members' names, e-mail addresses, dates of birth and encrypted passwords were "obtained," but that no financial information was part of those data sets.

This latest digital smash and grab will certainly add more fodder to the conversation about cyber security in the public and private sector alike.

Symantec: Online "Currency" Vulnerable to Attack
In theory, cashless payments are more convenient and safer. Conventional wisdom dictates that if you lose 50 bucks in cash, it's gone until you can earn it back. But if it's stolen from a payment card or online account, you can bargain with your financial institution to recover it. Well, what about other forms of payment such as Bitcoins, which amount to digital credits or a peer-to-peer currency used for online gaming, virtual trading and (ahem) on Silk Road, the anonymous online marketplace named after the old Central Asian trade route, where drugs and other contraband are sold for Bitcoins.

Get this: Bitcoins are currently trading at about $19.20 to the U.S. dollar, which puts the value of the currency in circulation at roughly $120 million, according to a CBS report.

This is yet another example of hackers following the money into the virtual world, and something that may affect the future of online payments, according to Symantec Security Response, which has identified the Trojan Infostealer.Coinbit. The security group says the Trojan has one motive: "to locate your Bitcoin wallet.dat file and e-mail it to the attacker." That is all it needs to do: the reference Bitcoin client of that era kept the wallet's private keys in wallet.dat in the clear, so whoever holds a copy of the file can spend the coins without cracking anything.

You know it's a brave new world when hackers are already taking money that isn't even in wide circulation yet. Talk about following the money. Sheesh.

Hackers, reaching out and touching people
If you think the network, e-mail and application-level vectors are the only avenues to a compromised computer and the loss of personally identifiable information (PII), think again. As a matter of fact, there's a call for you on line one.

Microsoft's Trustworthy Computing Group has released the results of a survey, conducted in the spring of 2011, of 7,000 computer users in the U.K., United States, Ireland and Canada. The study found that phone scamming -- that's a regular old call on a landline or mobile phone -- is an increasingly common tool in the cybercriminal's bag of tricks and treats. According to Redmond, 15 percent of more than 1,000 users surveyed had been contacted by a phone scammer.

Particular challenges arise when high-tech criminals use low-tech means, and the only defense is common sense and vigilance. In the case of the phone scam, the callers pretend to be "Microsoft" or "Windows tech support" making "courtesy calls." If the scammer is slick enough, they can talk you into visiting a Web site and installing malware or handing over remote access to your machine. Some of the more sophisticated talkers will first walk you through a survey or invoke the names of actual Microsoft units or security employees. Unfortunately, the product invoked in these scams is most often Windows, simply because of Redmond's ubiquity on PCs. The simplest check is that Microsoft does not cold-call customers to fix their computers, so an unsolicited "tech support" call is the scam, whatever names the caller drops.

"The security of software is improving all the time," said Richard Saunders, Director of International Public & Analyst Affairs at Trustworthy Computing, in a statement about the report. "But at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them. Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
