OpenX Doesn’t Take Security Seriously

Earlier this week it was discovered that the downloads of OpenX 2.8.10 had been modified at some point to include malicious code that allowed remote code execution. OpenX’s blog post about the incident starts with the claim that “OpenX takes security seriously.” This isn’t the first time they have claimed that in a blog post (that previous blog post has the dubious distinction of being the third post named Security Matters on their blog). The claim that they take security seriously is hard to square with what happened in this instance, especially in light of previous events. Unlike the issues mentioned in those previous blog posts, which involved unintentional security vulnerabilities, in this case someone was able to gain access to OpenX’s website and modify files on the website to include malicious code without being detected by them. It only came to light that the files had been modified after the vulnerability added to the download was being actively exploited.

That isn’t something that should happen and it would be a big red flag that security isn’t taken seriously if it had only happened once. But this doesn’t seem to be the first time that OpenX’s website has been breached. It appears that their website was previously breached and used to exploit OpenX ad servers in April of last year. OpenX 2.8.10 wasn’t released until September of last year, so this most recent issue would have come either from a subsequent breach or from them not shutting off access after the first breach was detected.

Their post emphasizes that their other products were not impacted by the vulnerability in the downloads, but considering they were breached and didn’t detect it, it is reasonable to be concerned that the breach may have reached other parts of their systems. Their post gives no indication that they made any check to ensure that is the case.

The claim that they take security seriously is even harder to believe in light of the fact that they fail to take basic security measures with their website even after having their website breached at least twice. This can be seen by their use of an outdated version of WordPress on the very blog where they are claiming to take security seriously:

OpenX Blog is Running WordPress 3.4.1

WordPress 3.4.1 is eleven months out of date and there have been three updates with security fixes released (3.4.2, 3.5.1, and 3.5.2). The announcement for 3.5.2, released on June 21, included this message, which OpenX has ignored:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress is very easy to update, so if they can’t manage to do that it seems likely that they are failing to take other more complicated security measures that need to be taken when a website is being targeted, as theirs has been.

OpenX Ignores Security Issue

Back in July of last year we sent an email to OpenX’s security email address to inform them that there was a vulnerability in the Zend Framework that ships with OpenX. We never heard anything back from them and the vulnerable file has not been updated in OpenX.

No, this isn’t a scene from Minority Report. This trash can is stalking you

A frame from a video promoting smartphone-monitoring trashcans in London.

Thursday, when Ars detailed a distributed DIY Stalking network that spied on mobile Wi-Fi users, several readers—such as this one and this one—said the article overstated the real-world threat. We disagreed then, but we're even more convinced of the potential for abuse following reports of the deployment in London of trash cans that track the unique hardware identifier of every Wi-Fi enabled smartphone that passes by.

Renew, the London-based marketing firm behind the smart trash cans, bills the Wi-Fi tracking as being "like Internet cookies in the real world" (see the promotional video below). In a press release, it boasts of the data-collection prowess of the cans' embedded Renew "ORB" technology, which captures the unique media access control (MAC) address of smartphones that belong to passersby. During a one-week period in June, just 12 cans, or about 10 percent of the company's fleet, tracked more than 4 million devices and allowed company marketers to map the "footfall" of their owners within a 4-minute walking distance to various stores.

Unparalleled insight into past behavior

"The consolidated data of the beta testing highlights the significance of the Renew ORB technology as a powerful tool for corporate clients and retailers," the Renew press release states. "It provides an unparalleled insight into the past behavior of unique devices—entry/exit points, dwell times, places of work, places of interest, and affinity to other devices—and should provide a compelling reach database for predictive analytics (likely places to eat, drink, personal habits, etc.)."



Microsoft Releases August 2013 Security Bulletin

Original release date: August 09, 2013 | Last revised: August 13, 2013

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Server Software as part of the Microsoft Security Bulletin Summary for August 2013. These vulnerabilities could allow remote code execution, elevation of privilege, denial of service, or information disclosure.

US-CERT encourages users and administrators to review the bulletin and follow best practice security policies to determine which updates should be applied.


3D Printing Physical Keys

3D printers are fascinating devices that are becoming affordable and widely available. Many people love to experiment with them, bringing innovation to many different fields. There are so many things that one can do with 3D printing, from controversial ideas like printing weapons to creating copies of security keys. And we’re not just talking about cheap plastic copies. Newer machines can sinter titanium and other materials to create extremely durable objects.

Last week, during the OHM2013 and DEFCON security conferences, two similar presentations on lock picking innovation took place. Both showcased how copies of physical keys could be created using a 3D printer. All that was needed was the key’s ID number or a few good pictures of the original key. It’s worrying to think that’s all that is needed to generate a working 3D model of a security key. Some of the 3D model files used are publicly available and can easily be modified or adapted.

This is not a new concept. 3D models for handcuff keys have been publicly available for over a year. Several years ago a few publications demonstrated how to copy a key from a few photos taken with a high resolution camera.

Of course an attacker with decent skills can use ordinary lock picking tools to open those locks as well. With 3D printers becoming accessible to the masses and the corresponding key files distributed online, it becomes even easier and more accessible for a lot more people.

There are many examples where pictures of keys were shown in newspapers or TV shows which could then lead to people copying them. Firemen’s service keys, which can operate many elevators and emergency exits, or police handcuff keys for example, could make for easy targets for anyone with a suitable printer.

While this is not something most people need to worry about, it is important to note that people should be cautious about what physical property they have photographed. Of course this attack does not work with all key and lock combinations. It is kind of similar to digital crypto keys. Older, simpler implementations with weak keys can be broken and should be replaced with stronger versions, but many implementations out there still use small, weak keys and might be at risk.