News

02-04-2010 13:16
More unintended consequences of browser leakage

Joerg Resch at Kuppinger Cole points us to new research showing how social networks can be used in conjunction with browser leakage to provide accurate identification of users who think they are browsing anonymously.

Joerg writes:

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is just exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network.

The Practical Attack to De-Anonymize Social Network Users begins with what is known as “history stealing”.  

Browsers don’t allow web sites to access the user’s “history” of visited sites. But we all know that browsers render links to sites we have visited in a different color than links to sites we have not. This is available programmatically through JavaScript by examining the a:visited style. So malicious sites can play a list of URLs and examine the a:visited style to determine if they have been visited, and can do this without the user being aware of it.

This attack has been known for some time, but what is novel is its use.  The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”.  This brings us to the core of this new work.  The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is.
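The group-membership model can be illustrated with a short added example (not from the original post or the researchers' code): it measures, over a constructed group directory, how each additional known group shrinks the set of members a visitor could be. The group names, member ids and function names are assumptions made for the illustration.

```python
# Added illustration: how a set of group memberships shrinks the anonymity set.
# All group names and member ids below are constructed sample data.
from functools import reduce

# Constructed public group directory: group name -> set of member ids.
GROUPS = {
    "identity-mgmt": {"u01", "u02", "u03", "u04", "u05", "u06"},
    "cloud-security": {"u02", "u03", "u07", "u08"},
    "munich-alumni": {"u03", "u05", "u09"},
    "sailing": {"u03", "u10", "u11", "u12"},
    "java-devs": {"u01", "u07", "u10", "u13", "u14"},
}


def anonymity_set(observed, groups=GROUPS):
    """Members consistent with every observed group (set intersection).

    Unknown group names are ignored; with no known group nothing is
    narrowed, so every member of the directory remains a candidate.
    """
    known = [groups[g] for g in observed if g in groups]
    if not known:
        return set().union(*groups.values())
    return reduce(set.intersection, known)


def narrowing(observed, groups=GROUPS):
    """Anonymity-set size after each successive observed group."""
    return [len(anonymity_set(observed[: i + 1], groups))
            for i in range(len(observed))]


def uniquely_identifiable(groups=GROUPS):
    """Members whose own combination of groups matches nobody else."""
    memberships = {}
    for name, members in groups.items():
        for member in members:
            memberships.setdefault(member, set()).add(name)
    return sorted(m for m, gs in memberships.items()
                  if anonymity_set(sorted(gs), groups) == {m})


if __name__ == "__main__":
    print(narrowing(["identity-mgmt", "cloud-security", "munich-alumni"]))
    print(uniquely_identifiable())
```

In this sample directory, members of a single group stay hidden among that group's other members, while members with two or more memberships are mostly singled out, which is the property a site operator would want to measure before exposing group membership through public URLs.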

The researchers have created a demonstration site that works with the European social network Xing.  Joerg tried it out and, as you can see from the table at left, it identified him uniquely – although he had done nothing to authenticate himself.  He says,

“Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!”

Since I’m not a user of Xing I can’t explore this first hand.

Joerg goes on to ask whether history-stealing is a crime. If it’s not, how mainstream is this kind of analysis going to become? What is the right legal framework for considering these issues? One thing is for sure: this kind of demonstration, as it becomes widely understood, risks profoundly changing the way people look at the Internet.

To return to the idea of minimal disclosure for the browser, why do sites we visit need to be able to read the a:visited attribute?  This should again be thought of as “fingerprinting”, and before a site is able to retrieve the fingerprint, the user must be made aware that it opens the possibility of being uniquely identified without authentication.






Related posts:


03-12-2010 11:02
More Adobe Exploits in the Wild

Researchers from Microsoft recently unearthed exploits targeting the CVE-2010-0188 vulnerability.

On February 16, Adobe released a security advisory describing a vulnerability in Adobe Reader and Acrobat 8.X and 9.X. Once the vulnerability is exploited, attackers gain the capability to perform denial-of-service (DoS) attacks on affected systems. Doing so can cause applications and even systems to crash. Attackers can also execute arbitrary code on affected systems.

Trend Micro detects the exploit binary as TROJ_PIDIEF.EXP, a specially crafted .PDF file. It belongs to a family of known exploits that target Adobe Acrobat and Reader vulnerabilities. This family is also capable of dropping other malicious files such as spyware and backdoors onto affected systems.

Users are advised to update to the latest versions of the aforementioned Adobe products to secure their systems from attacks related to this vulnerability.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and executing the malicious file via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

trendmicro

03-05-2010 18:17
All browsers are (not) created equal

My friends often ask me about steps they can take to keep their systems at work and home free from malware. Apart from the usual recommendation to use an alternative, less targeted and therefore slightly more secure operating system like Linux or OSX (OpenBSD would also be an interesting alternative), I used to mention that a change of web browser would also be very helpful.

Internet Explorer is still the most commonly used browser, with a little above 60% market share, but its market share has been in steady decline over the last couple of years. I am fairly sure that one of the main reasons people move to Firefox or Chrome is a perceived lack of security. Internet Explorer is the most common target for malware and various exploit packs, although the latest versions have proved to be much more resilient to various attacks. With most users finally making the switch away from IE6, we hope that the exploits will be even less successful in the future. This of course means that attackers are changing their focus to other products like Adobe Reader or Flash, the most commonly used internet applications after browsers. Exploiting Flash or Adobe Reader allows the attacker to abstract the browser version and often the browser itself. Adobe’s attitude to security also does not help.

It is going to be very interesting to follow the browser race now that Microsoft has had to offer alternative web browsers through Windows Update and on new Windows installations. So, are we going to see other browsers equally used and equally targeted by malware writers? Could we expect a flood of newly discovered vulnerabilities when vulnerability researchers change their focus?

One of the browsers that could benefit from the new browser equality is Opera, whose download numbers allegedly tripled since the beginning of the new regime. It is well known that attacks come with platform popularity, and perhaps this is why a new Opera vulnerability with accompanying proof-of-concept code was disclosed the day before yesterday.

The vulnerability is a classic integer overflow in opera.dll which can be triggered if the attacker changes the value of the Content-Length header of the HTTP response. The integer overflow eventually causes an access protection exception due to an attempted write to a non-allocated memory page. I had a quick look at the proof-of-concept exploit, which only causes the browser to crash, to find out whether the bug is easily exploitable. Since I could not find anything obvious with my 101-level exploit development skills, I decided to leave it to exploit development experts and go back to analysing malware and protecting Sophos users.

 
Sophos

03-01-2010 6:18
Microsoft will drop support for Vista (without any Service Packs) on April 13 and support for XP SP2 ends July 13 (i.e. no more security updates). If you are still running these, it is time to update. (Mon, Mar 1st)
 
ISC

02-24-2010 4:39
No More and 1=1 v0.3 - repository of SQLi/XSS
In order to minimize the time required to type malicious syntax and have a handy repository of it M, this small tool that we hence call No more and 1=1.
The tool comes in two flavours (so far): the standalone version (a Java app) and the WebScarab proxy attached version; we may bundle the tool with more proxies in the near future. The tool is simple; its great value comes from the definitions file, which is totally customizable.
Standalone Version
Requirements
A Java Runtime Machine is (...) - Security Tools / Local auditing, Exploitation, Attack, No More and 1=1  
security-database




