abwaters 2.0 » security

Bruce Schneier leaves his wireless network unprotected!

digg — Sun, 13 Jan 2008 05:59:21 +0000

Bruce Schneier, author of Applied Cryptography and other books and articles on security and privacy, leaves his wireless network unprotected. My first reaction was probably the same as yours. What an idiot! He then goes on to make a few points that made me regret my first reaction. Bruce highlights the many other ways we take security for granted including leaving doors unlocked, drive in the rain while on a cellphone (whew!) and make other security sacrifices for the sake of convenience.

He explains that while it leaves your computers more vulnerable to leave your wifi open, you are exposed when you use your laptop in a public location anyway so you had better learn to secure your computer.

While I agree with nearly all of Bruce’s comments, I think i’ll keep my wifi secure. Oh yeah…i’m going to start locking the back door when I leave the house now as well!

Bluetooth not secure! Surprised?

digg — Wed, 02 Jan 2008 01:12:35 +0000

I remember when the hoopla was about radio scanners eavesdropping on analog cordless phones. Every new technology seems to introduce a new way to violate our privacy. This little gem seems to allow capturing or recording audio while a bluetooth device is not actually in a call. This would mean that you can eavesdrop from room-to-room or with a laptop, from car-to-car at a stoplight even when someone is not using their bluetooth headset.

Here is a link to a useful collection of bluetooth hacking tools.

http://www.security-hacks.com/2007/05/25/essential-bluetooth-hacking-tools

Here is a link to a video demonstrating the bluetooth hack.

http://www.hackszine.com/blog/archive/2007/12/eavesdropping_on_bluetooth_hea.html

Gaping holes exposed in fully-patched IE 7, Firefox

digg — Wed, 06 Jun 2007 02:39:45 +0000

Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0…

I don’t know what to say…this is huge! This is a very large, easy to exploit vulnerability that exposes a site’s cookies to any malicious web site on the net.

A harmless proof-of-concept exploit can be found here.

http://lcamtuf.coredump.cx/ierace/

Wait…i’m getting a vision…yes, it’s coming clearer…a Microsoft Security Patch is in your future.

OS X Security

Bryan Waters — Thu, 23 Nov 2006 19:36:58 +0000

Another vulnerability has been found in OS X related to their disk image format. This is on an operating system that openly thumbs its nose at Windows for being insecure. There is even a commercial poking fun at the viruses that plague so many Windows users but seem to ignore the Mac.But the irony is that Windows is a victim of its success. Regardless of whether you like Windows or not, the fact of the matter is that it is the dominant operating system. According to the MarketShare service by Net Applications, the market share for Windows was 94% compared to 5% for the Mac for general usage.

The same way that software developers tend to develop for platforms that allow them to reach the largest possible audience, hackers and virus writers target systems for maximum return. It is simply human nature. People do not expend effort to receive minimal returns. For this reason, IE and Windows have both been heavily targeted where for the time being, the Mac is simply a curiousity for malware authors.

Please understand that i’m not making a statement about whether one operating system is more or less secure than the other. I make my living developing software for both platforms and enjoy the unique features of each. I’ve enjoyed the rivalry between the two companies and believe that the users have thoroughly benefited from the constant one-upmanship. What I am saying is that the state of security for each is not relevant. As long as humans use computers, there will be a way to exploit systems and take advantage of their users.

Currently, there are hundreds of viruses with thousands of variants for Windows operating systems. For the Mac, every single individual vulnerability makes the news partly because there are so few and partly because the Mac is marketed as a much more secure operating system.

I predict that the number of viruses, exploits, spyware and other security problems experienced by the Mac will be directly correlated to its market share.

Customer Support and Email Worms

Bryan Waters — Mon, 20 Nov 2006 18:38:29 +0000

This morning, I received a spam email with a worm attached that actually made it past my spam filters and I have to admit, it is pretty clever. In fact, the thing that impresses me is the amount of social engineering and creativity that goes into these attacks.

The one I received this morning has the subject line: “Mail server report.” Here is the text of the email.

Mail server report.Our firewall determined the e-mails containing worm copies are being sent from your computer.Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

This email was accompanied by an attachment named: Update-KB984-x86.zip. This was infected with…well, an email worm. They actually told me what it was in their own email…by claiming to protect me from the thing they were sending me in the email.

Turns out the attachment was a ‘Worm.Stration’ variant. Evidently, the Stration Worm (also know as the Warezov worm) is fairly new although it does the same old thing that worms have been doing for years. The difference is that these new guys are able to survive in a world with multilayered spam filters and triple-decker anti-virus, anti-spyware, firewalled systems.

According to a Microsoft blog, McAfee, Symantec and Microsoft’s own antivirus didn’t detect this one. As malware goes, this one doesn’t do much but it is spreading extremely rapidly due to its ability to avoid detection and the use of social engineering.

Browzar – A False Sense of Security

Bryan Waters — Mon, 13 Nov 2006 01:16:08 +0000

When I first read about Browzar, I was impressed by the hype. After further investigation, I found the product to be easy to use…no installation required and with the simplest and most straightforward of interfaces. A perfect browser for most people…just so long as you don’t expect to actually protect your privacy. After downloading Browzar, I went to a couple of websites trying to exercise their browser in various areas likejavascript compatibility, css support and so on. Browzar worked flawlessly but there was something bothering me. Up till this point, it had not occurred to me that they were just hosting the IE web browser ActiveX control. I guess I should have realized this fact from the size of the download. Once I realized they were just using Internet Explorer, I knew that it couldn’t possibly be as safe as they were claiming. So I started digging deeper…

Browzar claims that it doesn’t keep a browsing history, stored files, cookies and avoids the auto-complete feature built-in to IE. It turns out that it that they were right about the stored files, cookies and auto-complete history.

But it does keep a browsing history. It seems that since they are using an embedded copy of IE, they can get around almost everything else, but the index.dat file created by the IE object and its libraries still exists and keeps a record of your entire browsing history. After looking at the FAQ on the Browzar site, they even acknowledge this fact but they add the disclaimer that the index.dat file is a system file that under normal use cannot be seen or read and that only someone with a relatively sophisticated knowledge of computers could access this file. It turns out that there are freeware, shareware and even open-source utilities available that allow access to this file.Â The same sort of utilities that may be easily obtained by someone only slightly skilled at using Google.

Just to prove the point, instead of downloading one of these tools, I wanted to find the simplest mechanism possible to view the browsing history from the index.dat file just to see what it would take. It turns out that Sysinternals (now owned by Microsoft) provides a free utility that extracts strings from binary files. Note:this is essentially a Windows version of the *nix command-line tool of the same name. You can download “Strings” from the following location:

Â http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx

After downloading Strings, I deleted my index.dat files (not all that easy by the way) and proceeded to run Strings on the freshly created index.dat both before and after a short browsing session with Browzar. Here are the results.

Before Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3

Notice that other than a few hash directories for storing content, the index.dat file is completely empty.

After Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3
HASH
REDR
ehttp://www.browzar.com/start?v=1201
LEAK
http://www.browzar.com/start/?v=1201
start[1].htm
HTTP/1.1 200 OK
Content-Length: 5370
Content-Type: text/html
Content-Location: http://www.browzar.com/start/index.html
ETag: “dec1a412f3c71:66d”
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
~U:root
LEAK
`Sta
http://abwaters.com/
abwaters[1].htm
HTTP/1.1 200 OK
X-Powered-By: PHP/4.4.4
X-Pingback: http://abwaters.com/xmlrpc.php
Status: 200 OK
Keep-Alive: timeout=10, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
~U:root
LEAK
http://pagead2.googlesyndication.com/pagead/ads?client=…
…
http://pagead2.googlesyndication.com/pagead/show_ads.js
…
http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addtomyyahoo.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/img/side.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/meta/google.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/meta/bloglines_sm2.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmymsn.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmyfeedster.gif
…
http://abwaters.com/wp-content/themes/2cDarkGrey/img/cats.png
…
http://abwaters.com/content/images/vista_screen2_th.jpg
…
http://pagead2.googlesyndication.com/pagead/ads?client=…
…
Note: The “after” session dump was edited for space and privacy reasons.

The “after browzar” session has an entry for every piece of content requested by the Browzar session. Sure looks like Browzar history to me.

There are dozens of tools for getting at this same information and anyone wanting to get at this information bad enough will likely be able to access it regardless of technical ability. The fact is, its there!

Browzar’s main claim is that it erases your browsing history to protect your privacy. Something that is obviously not true.

The other problem with Browzar’s claim of privacy protection is that it completely avoids the issue of external privacy violations of your browsing session. There is no use of tunneling, anonymizers, proxies or any other mechanism which means that all your network traffic is exposed to any external sniffing, caching or logging. Since inexpensive home firewalls now routinely come with built-in logging features, this is not as unlikely as it may sound.

It seems that Browzar provides only the simplest protection against privacy violations which, based on the testimonials on their site, are most useful against your family members or friends who share your computer.

By the way, it turns out that both their business model and their privacy weakness were listed in their FAQ on their site. They make money from the searches that users initiate with the “Browzar Search” box in the toolbar and they point out that they don’t address the index.dat issue. If I had only read this a little closer, I could have saved myself a lot of time.

On their website they claim that a Mac and Linux version is coming soon. I suppose they will have to use the Mozilla source to build that. For example, a no-install version of Firefox bundled with Tor would be outstanding!

On the positive side, Browzar is very visually appealing! Now if they could only get that privacy thing addressed they might have something…