Privacy feature in IE8 leaks private data

HAARLEM, NETHERLANDS - A privacy feature built into the second beta version of Microsoft's Internet Explorer 8 browser isn't as private as advertised.The InPrivate Browsing feature in Microsoft's latest browser is designed to delete a user's browsing history and other personal data that is gathered and stored during regular browsing sessions. The feature is commonly referred to as 'porn mode' for its ability to hide which websites have been visited from nosy spouses or employers.Forensic experts however found it trivial to retrieve the history, according to a test by Webwereld, an IDG affiliate in the Netherlands, and Fox IT, a Dutch firm specializing in IT security and forensic research."The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts," said Christian Prickaerts, forensic IT expert with Fox IT.To prevent login details, online orders and other sensitive information from leaking out, the privacy feature prevents Internet Explorer 8 beta 2 from storing any cookies. The browser furthermore refrains from storing the browsing history in the Windows registry.But researchers were able to retrieve data displaying general information about the browser's behavior. Although URLs (Uniform Resource Locators) aren't stored, Prickaerts was still able to restore the browsing history. "The remaining records in the history file still enable me to deduce which websites have been visited," said Prickaerts.Even more data is stored in the browser's cache, a feature designed to speed up performance of websites by storing a copy of recently accessed information on a user's hard disk. InPrivate Browsing failed to disable this feature. Users seeking a higher level of privacy could manually delete the cache, but it can later easily be retrieved through commonly available forensic tools.The shortcomings in InPrivate Browsing put the level of privacy protection in Internet Explorer 8 on a par with Firefox 2 and 3. The open source browser allows users to delete all private data, but does that by merely deleting files. Those too can easily be retrieved. Developers have crafted plugins for Firefox which mitigate the risk of information leaks.Microsoft's main goal with InPrivate Browsing is to prevent other users of the same computer to gain access to the browsing history, the company said in an e-mail response. The feature isn't designed to protect a user's privacy from security experts and forensic researchers, the company said.

Original Post Here

Mobile Network Operators face unique security challenges

Mobile Network Operators face some particularly unique challenges. They have all the normal concerns of a business dependent on IT, plus the added requirement that they must secure the network while making it widely available to their customers and the customers of other operators without compromising the infrastructure, their peers, or the end users and their personal data.

These challenges are set in an environment of changing technology, business models, and industry structure. Couple this with the fact that of outages cost big money, and mobile communications are often highly personal, the stakes are very high for MNOs.

To assist fellow security professionals working in the Mobile sector, 360is have come up with our list of the most common mistakes made by MNOs.

Mistake 1. Over Integration / Under Segregation

One of the tenets of good information security is the separation of networks of differing levels of trust. Unfortunately this practice is easily eroded or rendered ineffective by over-integration of different functions onto a single hardware platform or software infrastructure. Over integration amplifies the effects of any individual security failing .

One sure sign of over integration is that you have difficulty in drawing up truly separate network diagrams for subscriber, management, and telemetry functions. Conversely, if you can easily move data and conduct interactive sessions between those 3 networks without a defined intermediate gateway or bastion stage in the process, this is also a bad sign.

Mistake 2. Misplaced Faith In Encryption

The second mistake and the first are often found together. Software and Hardware vendors have tended to treat encryption as a sort of magical security whitewash, to be sprayed liberally over everything, disguising unsightly flaws or cracks in the architecture. Encryption (implemented properly) is a great way to ensure confidentiality of communications on a shared network but historically it has suffered from poor implementation; weak random number generation, flawed protocols, and endpoint vulnerability.

In practice attackers rarely focus on the encrypted tunnel itself when there are far easier pickings to be had among the authentication system, the tunnel endpoints, and intermediate proxies.

Mistake 3. Not Considering Atypical Behavior

Once handsets were dumb. They had no user-settings, no expansion, and no ability to run code other than their Firmware. Users could make voice calls and send SMS, life was simple for the MNO. Today a "handset" can be a phone, a smart phone, a laptop, even a server. Services extend to voice, SMS, Internet, Corporate VPN, i-mode style portals, and hosted applications like BlackBerry.

MNO's expend huge amounts of time and money testing all these handsets with all these services to ensure a positive experience for their subscribers, but somehow in the testing... security gets ignored. Just because handsets are normally allocated addresses by DHCP and browsers are configured to use your proxy, doesn't mean an attacker with a laptop will follow "regular user behavior". Does your security testing take this into account? Claiming "You can't do that with our (handset/registration process/portal)" is not a very effective defense for your network.

Mistake 4. Incorrect Trust Models

Crashing these mistakes into one-another is becoming a theme. Following on from atypical behavior we come to the problem of trust among network elements, users, and their traffic. The reason why behavior is such a problem is that mobile networks often have their trust models wrong.

A trust model that relies on the handset to behave itself is as bad as those that rely on the user to behave himself. MNO security staff should be very wary of trusting source addresses, the interface traffic appears on, or any credentials passed by systems they do not exclusively control. If somebody says "It's a walled garden, we don't need to worry" you are probably already making mistake 4.

Mistake 5. No consideration of Modes Of Failure

Not planning for the inevitable failure of one or more parts of your security architecture is foolish. Sooner or later a configuration slip-up, a careless/malicious insider, or a new bug in your systems will cause one of your security mechanisms not to work. Does it fail-safe? Are you pro-active in checking all the careful steps you took to avoid mistakes 1-4? What is the extent of your exposure if any one of these mishaps occurs? Vendors hate to answer the question "what about when it doesn't work?" but you as security architects for your MNO must accept such eventualities as inevitable and plan for the worst.

Conclusions

The challenges faced by MNOs are similar to those faced by SCADA users a few years ago. They stem from the increasing pervasiveness of IP, the evolution of handsets from "dumb" single purpose devices to more flexible, complex systems, and the increased variety of services offered to subscribers. In an industry where "air gaps" are a myth, we have found many MNOs making the same mistakes as their cousins in the utility sector.

Equipment vendors must shoulder part of the blame for vulnerability in mobile networks, many of their systems are based on unhardened main-stream Operating Systems. However, MNOs themselves do not escape criticism.

It is common for entire networks to be sourced from a single vendor, radio-side and fixed-side, but this is no excuse for abdicating responsibility for operational security. That burden rests squarely with the operator.

http://www.securitypark.co.uk/security_article261518.html