Showing posts with label Security vulnerabilities.

Tuesday, June 08, 2010

Claims–based Identity and Access Control

Imagine a world where you don't have to worry about authentication. Imagine instead that all requests to your application already include the information you need to make access control decisions and to personalize the application for the user.
In this world, your applications can trust another system component to securely provide user information, such as the user's name or e-mail address, a manager's e-mail address, or even a purchasing authorization limit. The user's information always arrives in the same simple format, regardless of the authentication mechanism, whether it's Microsoft® Windows® integrated authentication, forms-based authentication in a Web browser, an X.509 client certificate, or something more exotic. Even if someone in charge of your company's security policy changes how users authenticate, you still get the information, and it's always in the same format.
This is the utopia of claims-based identity that A Guide to Claims-Based Identity and Access Control describes. As you'll see, claims provide an innovative approach for building applications that authenticate and authorize users.

Tuesday, June 01, 2010

Facebook Clickjacking Attack Spreading Through ‘Likes’

A new clickjacking worm is spreading through Facebook via the ‘Like’ feature. The attack, which is said to have hit hundreds of thousands of users, uses a combination of social engineering and a clickjacking exploit to make it appear as if a user has “liked” a link.
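What makes a Like button clickjackable is that the page hosting it can be loaded in a transparent iframe on an attacker's page, so the victim's click on a decoy lands on the real button. The following is an added example, not code from the article or from Facebook: the shape of such an attacker page, the response headers a framed site should send to stop it, and a small checker that classifies a response's framing policy from its headers. The target URL and decoy text are placeholders.

```javascript
// Added example (not from the article): the shape of a Like-button
// clickjacking page, and the response headers that stop it. The target URL
// and decoy text are placeholders; no real Facebook endpoint is used.

// Attacker's page: a decoy button the victim wants to click, with the target
// page loaded in a transparent iframe positioned so the real Like button
// sits exactly over the decoy. The browser delivers the click to the frame.
function clickjackPageHtml(targetUrl) {
  return [
    '<!doctype html><html><body>',
    '<div style="position:absolute;top:120px;left:80px">',
    '<button>Click here to watch the video</button>',
    '</div>',
    '<iframe src="' + targetUrl + '" scrolling="no"',
    '  style="position:absolute;top:100px;left:40px;width:500px;height:250px;',
    '         opacity:0;z-index:2;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Headers the framed site should send. X-Frame-Options is for browsers that
// predate CSP; when both are present, browsers that understand
// frame-ancestors use it and ignore X-Frame-Options.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Classify the framing policy a response advertises. Header names are
// matched case-insensitively. Returns one of:
//   'deny'        nobody may frame the page
//   'sameorigin'  only same-origin pages may
//   'restricted'  only the listed origins may
//   'open'        anyone may (the clickjackable case)
function framingPolicy(headers) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = String(headers[name]);

  const csp = h['content-security-policy'] || '';
  const m = /(?:^|;)\s*frame-ancestors\b([^;]*)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/).filter(Boolean).map(s => s.toLowerCase());
    // An empty source list and 'none' both match nothing.
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'deny';
    // '*' or a bare scheme matches every host, so the list protects nothing.
    if (sources.some(s => s === '*' || s === 'http:' || s === 'https:')) return 'open';
    if (sources.length === 1 && sources[0] === "'self'") return 'sameorigin';
    return 'restricted';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  if (xfo.startsWith('ALLOW-FROM ')) return 'restricted';   // obsolete; ignored by modern browsers
  return 'open';
}

console.log(framingPolicy(antiFramingHeaders()), framingPolicy({}));
```

Script-based frame busting (`if (top !== self) top.location = self.location`) is not a substitute for the headers: it can be defeated, for example by loading the page in a sandboxed iframe that cannot run script, which is why the headers are the control worth checking for.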

Wednesday, November 04, 2009

IE8: Ad blocking with the InPrivate Filter

There's an interesting article up on Neowin about how one can implement an effective ad blocker in IE 8 using the browser's InPrivate Filtering. Turns out it's not hard at all. Because it's built-in.

IE8 actually contains a great Ad blocking feature built-in, it's called "InPrivate Filtering". The InPrivate Filter (enabled by pressing CTRL+SHIFT+F) is intended to block content that may potentially share your information; thankfully advertisements are one such example of said content.
The InPrivate Filter is 'smart' in the sense that it can and will (if enabled) automatically detect content which appears with a high frequency on websites that you visit. In this regard, the Filter learns as you use the web and can detect what is an advertisement or of similar content, and take action accordingly. By entering the 'Manage Addons' window, you can select how many websites a piece of content must show up on before it is flagged, at which point you can then determine whether you want to block or allow such content.
Given the functionality of the InPrivate Filter, it seems that all that is required is a "Subscription List" containing the locations of advertisements for the filter to function as other Adblock applications. This is similar to a "Block List" in Adblock Pro and equivalent software. With such a list, it should be possible to simply block certain locations outright without relying on IE to learn from your browsing habits.
With regard to a subscription list that will block advertisements outright without having to 'learn' your browsing habits, I am in the process of searching for one. I have stumbled across this link where someone has compiled an XML file of the blocked URLs from Adblock Plus.

In order to import these URLs into the InPrivate Filter, you must open the "Manage Addons" window, accessible via Tools > Manage Addons. Click the InPrivate Filtering button, followed by Import, and then locate the XML file. The result should be IE8 blocking content from said providers outright, without the need to learn from your browsing habits. Doing so has blocked about 99% of the advertisements I see while browsing with IE8.

To make it automatically enabled whenever you open the browser, set this registry value:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE]
"StartMode"=dword:00000001

Possible values for StartMode:
0 - off
1 - auto
2 - manual

Thanks to Manos P. and Mitchel T. for the tip.

http://www.dslreports.com/forum/r22124619-IE8-InPrivate-filter-from-adblock-plus-list

Edit:

If you’re using Internet Explorer 9, which is in Beta as of this writing, create/rename the DWORD value named FilteringMode (instead of StartMode) and set its data to 1. Thanks, slinky333.



Tuesday, August 25, 2009

Facebook disables 6 rogue phishing apps, but 5 more appear

Facebook on Thursday said it had disabled six rogue apps that were stealing Facebook users' log-in credentials and spamming people, and within hours more appeared.

Five more of the apps appeared on Thursday, called "Friends," "Friends Gifts," "Matching," "Pok," and "Your Photos," according to an updated blog post by Trend Micro researcher Rik Ferguson.

By that night those new ones were disabled too. Facebook "will continue to ensure that all applications on Facebook Platform comply with Facebook policies," a spokeswoman for the company said.

According to Ferguson's post: "The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters' advertising returns."

He had discovered six rogue apps earlier in the week. One of those was disabled as of Wednesday, and later the other five from the first batch were disabled.

Before the apps were removed, victims had been receiving notifications that someone had commented on a post of theirs. The notifications contained links to a phishing site where users were prompted to provide their Facebook log-in credentials and then prompted to install one of the rogue apps, according to Ferguson. Once the app was installed, the victim's friends were spammed.

Updated at 10:44 p.m. PDT with Facebook disabling the five new apps and at 12:43 p.m. with discovery of five new rogue apps.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Saturday, August 15, 2009

Security updates available for Adobe Flash Player, Adobe Reader and Acrobat

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2. Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.3 and Acrobat 9.1.3.
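Turning an advisory like this into an inventory check is mostly a matter of comparing version strings correctly per branch. The following is an added example, not part of Adobe's advisory: it encodes the fixed builds named above and reports which hosts in a constructed inventory still run an older build. Product keys, the inventory lines and the host names are this example's own; the version numbers are the advisory's.

```javascript
// Added example (not part of the advisory): an inventory check that reports
// whether an installed Adobe build is older than the fixed version named
// above. Product keys and the table are this example's own; the version
// numbers are the advisory's.
const FIXED_VERSIONS = {
  'flash-player': { 9: '9.0.246.0', 10: '10.0.32.18' },
  'air':          { 1: '1.5.2' },
  'reader':       { 9: '9.1.3' },
  'acrobat':      { 9: '9.1.3' },
};

// "9.0.246.0" -> [9, 0, 246, 0]; rejects anything that is not dotted integers.
function parseVersion(s) {
  const parts = String(s).trim().split('.');
  if (parts.length === 0 || !parts.every(p => /^\d+$/.test(p))) {
    throw new Error('bad version string: ' + s);
  }
  return parts.map(Number);
}

// Field-by-field numeric comparison. A plain string comparison gets this
// wrong: "10.0.22.87" sorts before "9.0.159.0" lexically, and multi-digit
// fields like 246 vs 32 are compared by their first character.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns { vulnerable, fixedIn }. A branch the advisory lists as fixed is
// compared against its own fixed build; an older branch ("and earlier
// versions") has no fix on that branch, so it is vulnerable and fixedIn is
// the lowest patched branch. A branch newer than the advisory covers is out
// of scope and reported as vulnerable: null.
function checkAdobeVersion(product, installed) {
  const branches = FIXED_VERSIONS[product];
  if (!branches) throw new Error('unknown product: ' + product);
  const majors = Object.keys(branches).map(Number).sort((a, b) => a - b);
  const major = parseVersion(installed)[0];
  if (major > majors[majors.length - 1]) return { vulnerable: null, fixedIn: null };
  if (branches[major] === undefined) return { vulnerable: true, fixedIn: branches[majors[0]] };
  return { vulnerable: compareVersions(installed, branches[major]) < 0, fixedIn: branches[major] };
}

// Constructed inventory lines: "host product version".
const SAMPLE_INVENTORY = [
  'ws01 flash-player 10.0.22.87',
  'ws02 flash-player 9.0.159.0',
  'ws03 flash-player 10.0.32.18',
  'ws04 reader 9.1.2',
  'ws05 acrobat 9.1.3',
  'ws06 air 1.5.1',
];

// One line per host that still needs the update, with the build to move to.
function hostsNeedingUpdate(lines) {
  const out = [];
  for (const line of lines) {
    const [host, product, version] = line.trim().split(/\s+/);
    const r = checkAdobeVersion(product, version);
    if (r.vulnerable) out.push(host + ' ' + product + ' ' + version + ' -> ' + r.fixedIn);
  }
  return out;
}

console.log(hostsNeedingUpdate(SAMPLE_INVENTORY).join('\n'));
```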

Note: As a result of this out-of-cycle Adobe Reader and Acrobat update, Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, October 13.

Read the whole story and solution
