Monday, September 25, 2006

Leaking your info on the net...

It's been 8 years since I purchased Windows 98. At that time I felt really good about my self buying an "advanced Operating System". Of course later I realised I had payed for something that didn't work well most of the time. Anyway, I was living the dream. I was the proud of owner of Windows so I had no second thoughts entering my personal information during the Installation.

Not long after that I found out in horror that web pages could read that information and store/forward them. How did they get that? Well, I started finding cookies in my hard disk titled "firstname.lastname@domain". That's right. It was courtesy of Microsoft :/

Every time someone asked for my details, Windows kindly provided them! At no time did I receive such notification or warning. My name, address, phone number etc where transmitted transparenty to the web.

I remember immediately formatting my hard disk (which does not wipe out sensitive data but at least renders them inaccessible to Windows) and installing the OS under a fake name. I, the legal owner of an overpriced OS, had to forge my identity to ensure some, partial anonymity.

Since then, I developed a fear against entering my name anywhere. Privacy statements go right out the window for me. Whether it is a well-known web site (companies, service providers) or a no-name one, it's one and the same. I simply do NOT trust them. I am not ashamed to state so. I am not fealing paranoid. I just feal you are NOT good enough to protect my privacy. Goodbye now.

Wednesday, September 20, 2006

How friendly are "User-Friendly" applications?

Not too many years ago, computer software was just green text on a blank screen with a bleeping cursor. As soon as PCs became popular the term "user-friendly" was born and carried out by the marketing departments of software vendors. What they were trying to do is make a computer and its software more appealing to the average person: colors, icons, tooltips and helpboxes were deployed. In the same spirit, they enforced to the companies' development department an abstraction policy which kept "technical stuff" hidden so that the software users were not confused.

So far everything seems ok and the intension itself is pretty right (make PCs accessible to everyone) but something went wrong on the way. Software that keeps its technical part hidden should operate perfectly (aka bug-free) at the same time. Otherwise when you face trouble, you can't trace it back to its source and fix it/find more about it.

Today's example is Windows Live Messenger but this goes for all software that tend to be "user-friendly". I had this problem: if I chose for the program to remember my password, I was logged in but my contact list was not updated correctly. All my contacts were located under "Other Contacts" and my custom-made categories remained emtpy. I checked with my Hotmail account to make sure that my address book was in order but for some reason the Messenger could not synchronize. Then I tried removing the "remember-me" option so I had to type-in my password every time and, guess what, the synchronization was done perfectly! I mean... omg!

This behavior would stumble the average user who would just say "Windows Sucks". On the other hand, I quickly suspected that in the first case, some local caching was done (save my password, maybe some profile info and stuff) while in the second, all information was downloaded from the server. Yet I had no way of fixing this (clear the cache). At least not from within the Messenger. How friendly is that?

The programmers, in an attempt to keep me away from "technical stuff", have hidden (in fact scattered) all program files. As far as I can tell there's "Program Files", "Documents and Settings\MyUsername\Application Data" and "Documents and Settings\MyUsername\Local Settings\Application Data". Of course these folders are marked hidden so, in normal circumstances, they are invisible to you.

I had to use Tools > Folder Options to View All Hidden Files and Folders, then search my way through Application Data and find a folder titled "Windows Live Contacts". Still I wasn't sure it was the solution to my problem. Anyway, I deleted it and restarted Messenger. WoW! It seemed I'd hit jackpot! The synchronization was done therefore I had just deleted the problematic cached files. Does anything from the above seem "user-friendly" to you?

To sum up, hidding debug options and program structure from the user means you are absolutely sure about your software's well-behavior. Otherwise at least give us a chance in fixing your stupid mistakes ourselves!

Danger! DOT GR XSS Detected!

It has come to my attention that a major website, here in Greece, is vulnerable against XSS attacks. I would expect something better from these guys. That site, which I do not intend to reveal for obvious reasons, is actively present in the IT market and one would think it employeed trained professionals. Yet, right there in the front page a huge exploit relies. I haven't done any serious digging but I expect to find more oversights.

As I've written before, XSS (aka Cross Site Scripting) is happening right now while not only programmers but security experts haven't even heard of it. Eventually they'll get to know it the hard way I guess.

Monday, September 18, 2006

Gimme the address & keys to your house!

Today I received an e-mail from a friend of mine asking me to take a poll about her self ("Do you think I'm smart or do you think I'm sweet?" - Like there's no way she can be both). Anyway, I did answer (don't ask) by following a link to the poll-hosting website. After that, I thought it would be a good idea to set up a similar poll about me and send it to a few people.

It was then that the website asked me to enter my hotmail login and password!!!

The idea was good I guess: they wanted access to my hotmail address book so that the poll I had just created would be forwarded to all of my contacts! Let's say for a moment that spamming my entire address book is ok.

But asking me for my password? What assurances do I get that they will not keep it in some database? I mean giving away my password is a pretty stupid thing to do. The official hotmail services will NEVER ask for it. It may seem convenient to automatically get the e-mail addresses but at what cost?

Anyway, let's say that I am not the least bit suspicious about this and believe they will not store or use my password against my will. Here comes insanity number 2!

The session was not encrypted! No SSL! No nothing! Do you know what that means? The password is transmitted to the server in plain text! That's right, your hotmail password (along with the username) is transmitted from your PC, over a dozen Internet hops and to the server. Anyone may read it in any step of the way with absolutely no effort.

So let's recap: A noname website, in order to conduct a survey among your contacts, asks for your hotmail username and password. That password grants it full access to your messages, contacts and configuration - not just to the address book. Also, that password is transmitted in plain text on its way to their server so any malicious user can read it.

To provide solid proof for this I conducted a little experiment. For the purposes of this, my e-mail will be "testing4this4out" and my password "mypassword". I filled that info in while having a packet sniffer running in the background. The result? As soon as I clicked the submit button I got the following screen in the sniffer...

(If it's too small for you to read, click on it and you'll get the larger version)
As you can see, my e-mail and password appear before you. If this was real life, I would be totally compromised. End of Story.

To conclude, I find it preposterous being asked for my password by a third-party. Moreover when that party does nothing to protect such sensitive information. It seems that we have to look out for ourselves and be constantly on our toes to avoid, the least, an unpleasant situation.

Saturday, September 16, 2006

Wireless Security Revised

There have been talks and talks about Wireless Security but what does the average user know and, more importantly, what does he apply?

Last night I logged in a popular technology forum. It's one of those places where users talks with users and help each other.

A while ago there was a talk (in another forum) I participated in which examined whether forums are the new generation of information or just Unreliable Gossip 2.0. From one point of view, forums allow and promote freedom of speech. Anyone from anywhere may say what he/she has to say. No borders, no boundaries and no censorship. On the other hand, that uncontrollable model of information is susceptible to the "psychology of the group". This means that rumors can easily spread, facts can be twisted and ultimately have dozens or hunders or thousands of people misinformed (I might say deceived) just because "everybody else thinks so". That's the problem right there.

When it comes to critical user-to-user advice, how sure can one be he's getting the right info?

Now, let's get back to the popular technology forum and yet another Thread on Wireless Security. A lot of people in there consider WEP secure, some suggest disabling DHCP and applying a hidden SSID setting and the majority considers MAC Filtering as an effective action. Of course the above will only keep out of a Wi-Fi Network users with the same intellectual level as the ones proposing them. Then again such users don't attack other networks. If they are lucky, when they turn on the computer, it will automatically associate to a network and get an IP through DHCP. Determined attackers on the other hand may penetrate these protective measures in no time.

That's why I consider these tips more dangerous and harmful than any malicious hacker.

The reason is they provide a false blanket of security. Most of these people think "if user1 and user2 suggest them, it's ok". Then, these people, when asked by others to contribute, will replay the same false information as if it was their own, completing an endless loop. Finally a more literate user mentioned WPA/WPA2. That's pretty good unless you use a common dictionary word or name as your Pre-Shared Key.

To sum up, it has been my intention to illustrate the present situation among "user communities" on (wireless) security issues. I would never trust (or at least accept "as-it-is") information from Bob235 or PurpleBeast (the names are fictional), why would you?

Friday, September 15, 2006

Detecting Tor

Talking about Tor with RSnake has produced some interesting points:

First of all, the use of Tor can be detected. In detail, Privoxy - a proxy working with Tor to provide web surfing anonymity - tends to block certain website elements that may blow a user's "cover". Such behavior can be monitored by a website to determine whether a visitor is under a cloak of invisibility or not.

Also, as pointed out, Tor network uses the domain extension .onion (like .com). Of course that is inaccessible outside the network so there you have it, another detection way. If such page gets a hit, the user is using Tor. Of course the user's anonymity is not compromised in any way since one can never be sure about the given IP. Yet this method is a potential tool for content providers who aim in restricting access to identifiable users.

Tor still remains one of the best ways of operating in insecure networks.