A browser add-on that opts you out of Google Analytics has been released by Mountain View. The service is currently used by 71% of the top domains.

The plug-in was announced by Google on Tuesday in a post to its Public Policy Blog. The plug-in, currently in beta, was promised back in March.

The post says: "You can download and install an add-on for your desktop browser that will stop data from being sent from your computer when you visit websites that use Google Analytics Javascript to track usage. This means the information from your visit will not be sent to Google Analytics or included in its reports."

A study from Berkeley University, California, shows that 71% of the top domains use Google Analytics; that's about 40,000 as of March 2009. Meanwhile, over 35 per cent of the top domains used Google AdSense, and 26 per cent used Google DoubleClick. If these stats are combined, Google's services were tracking on 92 out of 100 of the web's top sites, and at about 88% of 400,00 others.

There is already an opt-out plug-in for AdSense that stays configured even when you clear out your cookies. Its ad network uses the same cookie to track as DoubleClick, but the data is not being shared between them, according to Google. Google's Analytics Opt-out plug-in is available for IE7 and 8, Chrome 4.x and up, and Firefox 3.5 and up.

The addition of SSL to Google's main search engine will not only protect netizens' networks from being sniffed, it will also prevent 3rd party webmasters from tracking the search terms used to reach their site. It will be great for those who want to lock down their privacy, but it may well make a webmaster's life a hard one.

Founder Daniel Brandt pointed out that when using the SSL search, your browser will stop sending referral data to any non-SSL sites that you visit through Google:

"If you click on a link to some non-SSL page…then when you arrive at that page you will arrive with your referrer stripped. The webmaster on that site won’t know that you came from Google, and won’t know what search terms you used to get there. He won’t even know if you used a search engine (you could have just keyed in the URL in your address bar, which would also cause no referrer)."

Google's help centre article also says that SSL may affect what you see when browsing through Google. "Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information."

A Google spokesperson has pointed out that this behaviour is not specific to Google's SSL feature: "This effect is the result of the way browsers interact with HTTPS generally." That is a good point, but Google controls up to 70% of the US search market according to a lot of the big research firms. Some claim that SSL search will destroy web analytics.

Webmaster firm Clicky announced the death of analytics in a blog post: "Say goodbye to search analytics. Google just announced their new secure search beta…the search term is not passed through the referrer, and hence no analytics tool (not even a good old log analyzer) will have any idea of what a visitor searched for to reach your site."
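What a log analyzer can and cannot recover from the referrer is shown in the sketch below. It is an example added here, not code from Clicky, Google or the original post; the log lines are constructed samples in Apache "combined" format, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 2 and 4 carry no referrer: one could be a click from an HTTPS search
# page, the other a typed URL. The log gives no way to tell them apart.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2010:10:01:02 +0000] "GET /widgets HTTP/1.1" 200 5120 "http://www.google.com/search?q=blue+widgets&hl=en" "Mozilla/5.0"
203.0.113.9 - - [24/May/2010:10:02:10 +0000] "GET /widgets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2010:10:03:44 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.org/links.html" "Mozilla/5.0"
198.51.100.8 - - [24/May/2010:10:04:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(referer):
    """Return (category, search_term_or_None) for one Referer value."""
    if referer in ("", "-"):
        # Typed URL, bookmark, or an HTTPS->HTTP click: indistinguishable here.
        return "no_referrer", None
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if host == "google.com" or host.endswith(".google.com"):
        terms = parse_qs(parts.query).get("q")
        return "google_search", terms[0] if terms else None
    return "other_site", None


def analyze(log_text):
    """Count visits per referrer category and collect recoverable search terms."""
    counts, terms = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        category, term = classify(m.group("referer"))
        counts[category] += 1
        if term:
            terms.append(term)
    return counts, terms


if __name__ == "__main__":
    counts, terms = analyze(SAMPLE_LOG)
    print(dict(counts), terms)
```

Only the first visit yields a search term; both referrer-less visits land in the same bucket, which is the loss of information the webmasters quoted here are describing.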

Google's SSL search is currently in the beta stage, and optional, but they have indicated that they are considering making it the default. Clicky says: "I really hope Google never considers making this the default, because that would be very irritating for web masters – we would have no idea what people were searching for to get to our site, which is arguably the #1 reason to run analytics in the first place. Yes, someone ‘snooping’ your connection won’t be able to tell what you’re searching for, but the sites you click through to will probably have a good idea, based on your landing page – not to mention they can also see their IP address and every page they have ever viewed on my site, ever. And yet somehow, not knowing this visitor’s specific search term is protecting their privacy? Please. The only thing it does is make the life of a web master a much bigger pain in the ass than it was before."

It seems that Google will still have access to these search terms, however, which raises the question of what it will do with them. Will they be offered to webmasters through an analytics service of its own? Google has not made any suggestion that it plans to do so and points out that:

"Analytics is no different from other third party services in terms of not receiving referrer information when users come from HTTPS sites. We have a lot of feedback about our beta feature that we need to gather and interpret before we make any decisions about how next to proceed. As it stands, this referrer effect applies only to users who elect to use the encrypted search offering each time."

The whole thing raises some very poignant questions. You can read more about the feature in one of our earlier articles.

Apple's browser, Safari, is still vulnerable to attacks after more than 2 years. Its vulnerability allows websites to litter a user's HDD with thousands of malicious files.

This vulnerability, named the "carpet bomb", was disclosed to the public in May 2008. At the time Apple's security team dismissed the vulnerability as they didn't feel it posed a security issue. Microsoft then advised its users not to use Safari on Windows systems. In response Apple issued a patch for Windows versions but not for OS X.

The researcher who discovered the vulnerability wrote: "This means that if you use the Safari browser on OSX, a malicious entity can drop any amount of binaries or data files into your ~/Downloads/ folder. This issue is caused because, while most sane web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user – even if hundreds of files are served up by the malicious website simultaneously."

For a machine to be hijacked by this vulnerability the user would have to double click on a downloaded file and enter an admin password, so this is probably why it was dismissed by Apple. But even so, it's not ideal for outsiders to have control over what is downloaded to a user's machine.

Mozilla Firefox and Google Chrome have been updated to protect against this vulnerability since the flaw was disclosed. Apple's security team agreed that user authorisation for downloads was the way to go and said that a fix "could take quite a while, if it ever gets incorporated", which has been the case.

Google has now added SSL encryption to its main search engine.

Google posted a blog a few days ago announcing that it has given users the option of using https when using google.com. The service is available under explicit use only, meaning you have to go to https://google.com. You may not be able to get to it just yet as it is being rolled out gradually. You'll know you're on the SSL search if you see the following logo:

[Image: Google SSL search logo]

"The service includes a modified logo to help indicate that you're searching using SSL and that you may encounter a somewhat different Google search experience, but as always, remember to check the start of the address bar for ‘https’ and your browser lock indicators," says Google.

SSL has not been extended to Google Maps or Google Image, and because of this and the slowness SSL can cause, it's been given the beta tag. Google explained:

"When you search using SSL, you won't see links to offerings like Image Search and Maps that, for the most part, don't support SSL at this time. Also, since SSL connections require additional time to set up the encryption between your browser and the remote web server, your experience with search over SSL might be slightly slower than your regular Google search experience."

Google made a promise of https after the debacle of the Wi-Fi payload capture, saying that: "This [Street View] incident highlights just how publicly accessible open, non-password-protected Wi-Fi networks are today," and went on to say that "Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search."

Google also has SSL for its Calendar, Docs and Site services. It has also recently added it to Google Web History and Google Bookmarks. This was done after a security vulnerability was found in the search personalization service that taps Web History. Google is hoping to add https to other services too. Other search engines are yet to offer SSL so extensively; Yahoo and Bing only use it when logging in. Hotmail has plans to offer always-on SSL, but this will only be available after it is launched in a few months.

A spokesman for Google has indicated plans for SSL as default: "We hope to expand the functionality once we better understand how it affects users’ search experience. We expect that encrypted SSL search will slow down Google searches by a small degree, and we don't like the idea of rolling this out to everyone before we're able to test the performance effects and gather feedback from our users."

Google has now stopped the deletion of data that was collected from open Wi-Fi networks by its Street View cars. This is due to the company having "some uncertainty" about the deletion process.

The Street View cars collected Wi-Fi payload data from 30 different countries over a period of 3 years. Some countries have asked for the data to be deleted, and in some cases Google has complied. Others have asked that the data be stored for the time being.

Google has decided to retain all remaining data after UK-based watchdog Privacy International threatened to go to the police if it didn't stop deleting the data by Monday. A letter from Privacy International to the European privacy commissioners said: "On the instructions of the Irish data protection commissioner, Google destroyed all Wi-Fi data relating to collection in Ireland. This action has the effect of removing any chance of further legal action or investigation. The action could be seen as collusion to destroy evidence."

Google had previously said that it was collecting SSIDs and MAC addresses only, but when German data protection authorities requested an audit, Google discovered it had collected a little more than it anticipated. Google insists the collection of payload data was a mistake, and has brought in a third party to review the software it used and to confirm that the data is deleted appropriately. It also promised it would review "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Google has since released a statement saying that it has deleted data from Ireland, Austria, and Denmark after their request to do so. It will retain data from Belgium, France, Italy, Spain, Germany, Switzerland, and the Czech Republic, after their request to do so. It will also keep all remaining data.

"Given that there is some uncertainty about deletion generally, for example one DPA [data protection authority] changed its instruction from delete to retain in the last 24 hours, we think it makes sense to keep the remaining country data while we work through these issues,"

Google was apparently under pressure from Privacy International and Brussels to stop deleting the data. Germany has already begun its preliminary criminal investigation, while other countries are considering the same. The FTC has been called on to investigate the matter in the US, and may include the Department of Justice. Two American individuals have also filed a class action suit against Google.

Google's blog post on the issue has been updated to include a letter from the independent third party who will be overseeing the matter. The letter was in regards to the deletion of all Irish data. Security company iSec Partners confirmed the deletion:

"Before my arrival, Google staff had consolidated the Wi-Fi packet captures onto four hard drives. This data was organized into folders corresponding to the countries of origin. Upon my acquisition of the drives from Google staff, I noted that the drives had been stored in a secure manner within a secure portion of the facility." The letter was signed by Alex Stamos, who went on to say that all data, with the exception of Ireland's, was copied onto a new set of HDDs and the originals destroyed. Google has confirmed that around 600GB worth of data had been collected globally. You can read more about the matter in one of our previous blogs.

Apologies have been made by IBM after accidentally handing out malware-infected USB sticks to delegates at the IBM AusCERT security conference.

The freebie was handed out to delegates who visited the IBM booth; how many were handed out is not known. The identity of the malware has not been given by IBM; they have simply said that it is widely detected and has been known about for at least two years. It exploits Windows by utilizing auto run to spread. IBM's email apology goes like this:

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files.  It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

This can happen when a batch of USBs has content loaded onto it by a PC that is already infected. It could have happened either at IBM or at its suppliers. But this is apparently not the first time this has happened at AusCERT. Australian telco Telstra also made the same faux pas in 2008, according to Secure Computing's report.

Sergey Brin, Google co-founder, admitted the company screwed up after its Street View cars were found to have spent 3 years capturing personal data from open Wi-Fi networks.

When addressing a room full of reporters Brin announced "Let me just say: We screwed up, I’m not going to make excuses about this." 

Google confirmed in a blog post on Friday that its Street View cars had in fact been capturing payload data from open Wi-Fi networks, contrary to its previous assurances. One month prior to this the company said that the cars were only collecting SSIDs and MAC addresses. But the post said that the mobile team had included payload-capturing code in the cars' software. Google has said that it "did not want, and had no intention of using, payload data". Google has said that it will delete the data and stop using the cars to collect Wi-Fi data.

When asked what safeguards Google has in place to ensure this doesn’t happen again, Brin said: "We do actually have a lot of controls in place, but obviously they didn’t prevent this error from occurring, and therefore, we are putting more controls in place and we’re asking an external third party to work with us on this as well. Trust is very important to us. And we’re going to do everything we can to preserve it."

Google has brought in a third party to review its Wi-Fi data collection software and to confirm that the data it collected was deleted appropriately. The company has also said it will review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future".

The Irish data protection authorities have already requested and had data collected in Ireland deleted. The States have called on the Federal Trade Commission to investigate the incident. The FTC and Department of Justice have been confirmed as "interested" and investigating the matter.

Tuesday brought a warning from Microsoft to users of a vulnerability in Windows 7 64-bit and Windows Server 2008 R2 that could expose users to malware attacks.

The bug, which resides in the Canonical Display driver, is likely to just cause a vulnerable machine to reboot. But it also has the potential to allow the silent installation of malware. In order to utilize this flaw, attackers would have to bypass memory randomisation protections in the OS that prevent code execution attacks.

The vulnerability is due to the Canonical Display Driver’s failure to properly parse information copied from user mode to kernel mode. Attackers could exploit the flaw by tricking a user into viewing a booby-trapped image on a website or in an e-mail. The driver is used to interact with old Windows graphics engines by emulating the XP driver.

Microsoft spokesman Jerry Bryant said a patch is in the works but didn't say when it would be available. Until its release, attacks can be prevented by disabling Aero. To turn it off, choose Start > Control Panel and click on Appearance and Personalization. Then click on Change the Theme. Then select one of the Basic and High Contrast Themes.

The infamous Koobface worm gang have responded to security researcher Danchev's post about their shenanigans with an answer buried in their latest malware version.

Dancho Danchev posted a blog back in Feb called “10 things you didn’t know about the Koobface gang” that detailed their motives and activities. The Koobface worm spreads on social networking sites, and is thought to be one of the most complex strains of malware written. Its nature is to steal information from infected hosts and promote scareware sites.

But this is not so according to the Koobface gang's “Ali Baba”, who posted a response as a message on Koobface-infected hosts, which hid scareware in bogus video codecs. It seems the gang would like to be viewed as elite coders that are not in it for the money but for the kicks. Danchev has said that “What makes an impression is their attempts to distance themselves from major campaigns affecting high profile US based web properties, fraudulent activities such as click fraud, and their attempt to legitimize their malicious activities by emphasizing the fact that they are not involved in crimeware campaigns, and have never stolen any credit card details,”

Danchev goes over his original points in a blog that is well worth reading in full. Danchev is still firm in his belief that the gang are behind the Bahama botnet and the scareware attack on the New York Times, and that they are experimenting with alternative delivery mechanisms like Skype. The Koobface gang do admit, however, that they were responsible for redirecting Facebook's IP space to Danchev’s blog, which is a blog worth reading too.

The response from the Koobface gang is the 2nd directly to Danchev and the 3rd in which he is referenced. It seems a friendship is blossoming between them?

One of the web's most crimeware-friendly networks was taken down on Friday. The plug was pulled on its upstream service provider.

PROXIEZ-NET, a Russian-based ISP, lost its connection to the internet at roughly 11am in the UK. Statistics on Zeus Tracker, a website that monitors the status of ISPs used to control Zeus zombies, show that it hosted 13 known command and control channels before going offline, making it the most Zeus-friendly ISP.

It's not been confirmed why PROXIEZ-NET has gone offline, but it is known that its upstream provider, DIGERNET, has also had its internet connection severed. Classless Inter-Domain Routing records show it was withdrawn from internet routing tables, rendering its downstream node incommunicable.

PROXIEZ-NET has received a lot of criticism for supposedly being a haven for cyber-crime. Tuesday saw the network being added to Spamhaus' real-time block list, and on Thursday DIGERNET was removed from that list.

The disruption this will cause the Zeus crime gangs is yet to be seen. The takedown of 100 Zeus-affiliated servers was a short-lived victory. A couple of days later their ISP found a new upstream provider, putting the servers back online.

In fact, vitamelatonin.biz and a few other dodgy domains are still mapping to IP addresses in PROXIEZ-NET’s netblock, according to lookup searches. These domains might die out over time, but a Zeus Tracker leader feels it is still possible that redundancies built into Zeus botnets would allow them to connect over alternate channels.

PROXIEZ-NET have always billed themselves as a "bulletproof" provider, immune from glitches in service and law-enforcement takedowns. So this is certainly mud in the eye for them.