Saturday, May 28, 2011

Security researcher finds 'cookiejacking' risk in IE

A security researcher has developed a method that compromises the cookies needed to access accounts on Facebook and other websites by exploiting a flaw in Microsoft's Internet Explorer (IE) browser, The Register reported.

Referring to the exploit as cookiejacking, Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.
Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledged that exploiting the hole requires some social engineering, because the victim must drag and drop an object on the page before the cookie can be stolen.
But Valotta said he was able to devise a suitable challenge on a Facebook page: a game in which people undressed an onscreen photo of a woman by dragging and dropping, Reuters noted, which allowed him to capture their Facebook session cookies and, with them, access to their accounts.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said, according to Reuters. "And I've only got 150 friends."
By hijacking site cookies from IE7, IE8 and even IE9, attackers would be able to access victims' Web email, Facebook and Twitter accounts, or impersonate them on sites that encrypt traffic, such as online banks and retailers.

Jeremiah Grossman, founder and CTO of WhiteHat Security, called Valotta's attack "clever" and said he could see hackers taking to it as a fallback to clickjacking, which he and Robert Hansen uncovered and publicized in 2008. "In the event they can't find a cross-site scripting or clickjacking vulnerability, this would be a nice fallback plan for [attackers]," Grossman said.

But Microsoft didn't think cookiejacking was much to worry about.

"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). "In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into."

Valotta said the technique primarily targets cookies set by Facebook, Twitter and Google Mail, but it can be used against almost any website and affects all versions of Windows.
He added that by embedding an iframe, the attacker can bypass IE's cross-zone protections and force the browser to expose the cookie files stored on the user's computer. However, the attacker must first know where the cookies are stored on disk, which differs between Windows versions and includes the user's Windows username, before the technique can be carried out.
Valotta said that before he carried out his experiment he alerted Microsoft's security team in January, and that the company plans to ship updates to fix the problem in June and August.
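A server-side counterpart, added here as an illustration and not part of the article or of Valotta's research: once a session cookie has been copied out of the victim's browser, the site cannot tell the copy from the original by its value alone, but it can notice the same session id being presented by two different clients within a short window. The log format, the session ids and the client addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log format for this example: timestamp, client IP,
# quoted User-Agent, and the session cookie value the request presented.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$')

# Constructed sample log. Session a1b2c3 is first used by an IE8 client and a
# few minutes later replayed from a different address by a different client;
# session zz9 is only ever used by one client.
SAMPLE_LOG = """\
2011-05-28T10:00:01 203.0.113.5 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" sid=a1b2c3
2011-05-28T10:00:09 203.0.113.5 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" sid=a1b2c3
2011-05-28T10:03:40 198.51.100.77 "curl/7.21.0" sid=a1b2c3
2011-05-28T10:04:02 192.0.2.9 "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0" sid=zz9
2011-05-28T10:04:05 192.0.2.9 "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0" sid=zz9
"""


def parse_log(text):
    """Turn log text into a list of request dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ip": m["ip"], "ua": m["ua"], "sid": m["sid"]})
    return events


def find_replayed_sessions(events, window_seconds=1800):
    """Return {sid: [(earlier_client, later_client, gap_seconds), ...]}.

    A client is the (ip, user_agent) pair. The signal is one session id
    presented by two different clients within window_seconds; the same
    client reappearing from a new address after a long gap is not flagged.
    """
    by_sid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_sid[ev["sid"]].append(ev)

    alerts = {}
    for sid, evs in by_sid.items():
        last_seen = {}  # client -> timestamp of its most recent request
        for ev in evs:
            client = (ev["ip"], ev["ua"])
            for other, ts in last_seen.items():
                gap = (ev["ts"] - ts).total_seconds()
                if other != client and gap <= window_seconds:
                    alerts.setdefault(sid, []).append((other, client, int(gap)))
            last_seen[client] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        for earlier, later, gap in hits:
            print(f"session {sid}: {earlier} then {later} after {gap}s")
```

Two caveats a practitioner would raise: the check produces false positives for users whose address changes mid-session (mobile networks, NAT pools), and an attacker who replays the cookie from a browser with the same User-Agent string only differs by address. It is a detection aid; short session lifetimes and re-authentication before sensitive actions remain the stronger controls against a stolen cookie.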

Presidential pardon relieves local ex-drug smuggler

SEATTLE  — President Barack Obama has pardoned a Seattle man 35 years after he was locked up for his role in a drug smuggling ring that brought hashish from The Netherlands.
Randy Dyer, 63, spent three years in prison and three decades after his release ministering to Washington inmates. He said Jesus forgave him for his crimes decades ago, but he still choked up when he learned Obama had pardoned him as well, The Seattle Times reported Friday.
When Dyer was 15, he was arrested by the FBI for stealing a car and driving it to Idaho. He had three federal felonies on his record by the time he got out of high school, and in his early 20s he began bringing kilos of marijuana from Nogales, Mexico, to Seattle, authorities said.
A drug dealer in Mexico, who had a connection in Amsterdam, approached Dyer about a plan to smuggle hashish.
Dyer was convicted in May 1975 of conspiracy to import marijuana (hashish), conspiracy to remove baggage from the custody and control of the U.S. Customs Service, and conveying false information concerning an attempt to damage a civil aircraft.
"The president represents the United States of America and millions of people and he is saying, 'We see what you've done with your life and we feel you are worthy of being forgiven,'" Dyer said. "The president of the United States has acknowledged my life is not just chatter."

While the president's pardon does not erase Dyer's criminal record, it recognizes that Dyer has taken responsibility and atoned for his crimes and has demonstrated that he has led a responsible, productive life over the past three decades.

The White House does not comment on pardons or explain why they are granted or denied.

The fact Dyer was in Ballard when he heard news of his pardon could be considered divinely fitting: Long before he started preaching to inmates in jails and prisons across the state, Dyer was "a wannabe gangster" roaming the rough and tumble streets of blue-collar Ballard in the 1960s.

Years ago, Dyer petitioned the state and regained his right to vote. Sometime in the 1990s, he said, his wife Karla broached the subject of a presidential pardon.
The couple began compiling the paperwork needed to apply, "but we were so embarrassed by (President) Clinton that we decided not to send in the paperwork," Karla said, referring to Clinton's decision to pardon 140 people the day before he left office in January 2001, including his half-brother, Roger Clinton.
Then in 2004, they decided to file for the pardon.
More than 100 people signed affidavits on Dyer's behalf, attesting to his character. The FBI interviewed the couple, along with relatives, friends and work associates.
In August 2008, the couple received a letter from the U.S. Attorney's Office in Seattle saying their petition had been approved locally and was being sent to Washington, D.C. They heard back on May 20.
"I think because I'm involved in prison ministry, it will mean something to other people that God has given me this gift from the president of the United States," Dyer said. "Not everybody gets a pardon from the president. He'll be glad he signed it. I'll make him proud."

Cannabis cafes set to become private clubs, no entry for tourists

The Dutch government said Friday that it will ban tourists from buying marijuana at the Netherlands' famed "coffee shops."

Under the new rules spearheaded by far-right political leaders, only Dutch citizens will be able to enter the stores, and they too will face tougher restrictions.

Resident patrons will be required to sign up for a one-year membership, and each shop will have a maximum of 1,500 members, according to a justice ministry spokesman.

Critics argue the move, which is expected to take effect by the end of the year, could devastate tourism.

The Netherlands, particularly Amsterdam, which is home to 220 coffee shops, is known for having one of Europe's most lenient soft-drug policies. The country's cannabis cafes have become popular attractions.

There are also fears that the move will result in a black market for the drugs.

Ministers say they expect the closure of coffee shops to tourists will lead to a reduction in drugs-related tourism. Nevertheless, ‘adequate measures’ will be taken by police and officials to make sure the move does not lead to an increase in street dealing.

Amsterdam city council continues to oppose the introduction of the membership card. ‘We are concerned about the problems that will arise from large-scale street dealing,’ said a spokesman for mayor Eberhard van der Laan.

‘There are also health concerns, because with street dealing we cannot monitor the quality of the soft drugs or the age of the buyers.’

The illegal growing industry is thought to be worth some €2bn a year. According to the Telegraaf, some 40,000 people are involved in marijuana cultivation and some 5,000 plantations are busted every year.

The crack-down on coffee shops follows the recommendations of a government commission in 2009 which said hashish and marijuana contain far more active ingredients than they did when the policy of turning a blind eye to their use was introduced in the 1970s.

At the same time, the bigger the coffee shops get, the more likely they are to be in the hands of organised crime. To that end, the commission recommended cafes become smaller and should only sell to locals.

Maastricht has already closed its coffee shops to tourists because of the nuisance while the border towns of Roosendaal and Bergen op Zoom have got rid of coffee shops altogether.

The concept of coffee shops was introduced in the 1970s to separate hard and soft drugs. The country’s 500 or so coffee shops are permitted to stock up to 500 grams of soft drugs, while users can have up to five grams for personal use.

Last July, a senior European legal official said the Netherlands was within its rights to ban tourists from coffee shops.

Advocate general Yves Bot said he considers the move necessary to protect public order and reduce the nuisance caused by drugs tourism. In addition, the ban would contribute to European efforts to combat the illegal drugs trade, Bot said.

The Netherlands' highest court, the Council of State, has asked the European court to determine whether the Maastricht ban conflicts with EU law.

The Dutch court is currently hearing an appeal by a local cafe owner who was forced to close in 2006 after two non-Dutch nationals were found on his premises.