Tuesday, July 31, 2007

Want Internet Anonymity? Be Creative!

When it comes to Internet anonymity, most people try to leak absolutely no information. This isn't always possible, and it definitely makes them look suspicious. What I propose is to be a little more creative: create an imaginary character who will represent you online. The character must seem real enough that you give out no real information of your own yet still put together a complete, everyday person.

First, choose a name. Next, come up with a birth date. Then decide where he lives (country, town, street and zip code). Write them down. These details are pretty much all you need to open an online account, and they must be the same in every account you use under that name. The character will need at least an e-mail address, so create one. That's it! You can "play" this character and "become" him whenever you need to mask your actual identity.

Want to join a forum without giving your real name? Avoid a nickname like "superman123". Use your character's name instead.

Now that the personal-information issue is solved, we want to make sure no digital trail leads back to the real you. Use Tor along with Torbutton (if you have Firefox) to surf the Internet anonymously. I'd suggest a separate Firefox profile, or even a portable build like PortableFirefox, to keep your real cookies and passwords apart from the character's; otherwise someone may be able to link the two.
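The profile separation above, as an added example that is not part of the original post: the script below creates a throw-away Firefox profile directory with a `user.js` that forces every request through a SOCKS5 proxy and, just as importantly, resolves DNS through the proxy too. It assumes Tor is listening on its default 127.0.0.1:9050 (a local assumption, not something the post states) and relies on the long-standing `-no-remote` and `-profile` Firefox flags. The `socks_remote_dns` preference is the check a practitioner wants: without it, the page loads go through Tor but the name lookups go straight to your ISP's resolver and list every host the character visits.

```python
"""Added example: build a separate Firefox profile whose only way out is Tor.

Assumptions (not from the original post): Tor listens on 127.0.0.1:9050 and
Firefox accepts -no-remote and -profile <dir> (both long-standing flags).
"""
import os
import tempfile

TOR_SOCKS_HOST = "127.0.0.1"   # assumed local Tor SOCKS listener
TOR_SOCKS_PORT = 9050          # Tor's default SocksPort


def tor_prefs(host=TOR_SOCKS_HOST, port=TOR_SOCKS_PORT):
    """Firefox preferences forcing all traffic, including DNS, through SOCKS5."""
    return {
        "network.proxy.type": 1,                 # 1 = manual proxy configuration
        "network.proxy.socks": host,
        "network.proxy.socks_port": port,
        "network.proxy.socks_version": 5,
        # Without this Firefox resolves names locally, so your ISP's resolver
        # sees every host the "character" visits even though HTTP goes via Tor.
        "network.proxy.socks_remote_dns": True,
        # Empty HTTP/SSL proxy entries so nothing is routed around the SOCKS proxy.
        "network.proxy.http": "",
        "network.proxy.ssl": "",
    }


def render_user_js(prefs):
    """Serialize prefs as user.js lines: user_pref("name", value);"""
    lines = []
    for key, value in sorted(prefs.items()):
        if isinstance(value, bool):          # check bool before int (bool is an int)
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = '"%s"' % value
        lines.append('user_pref("%s", %s);' % (key, literal))
    return "\n".join(lines) + "\n"


def create_profile(profile_dir, prefs=None):
    """Write user.js into profile_dir (created if missing); return its path."""
    os.makedirs(profile_dir, exist_ok=True)
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w") as fh:
        fh.write(render_user_js(tor_prefs() if prefs is None else prefs))
    return path


def profile_is_ready(profile_dir):
    """True when the profile will proxy DNS as well as page traffic."""
    path = os.path.join(profile_dir, "user.js")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        text = fh.read()
    return ('user_pref("network.proxy.socks_remote_dns", true);' in text
            and 'user_pref("network.proxy.type", 1);' in text)


def create_temp_profile():
    """Fresh profile in a temp dir; returns (profile_dir, user.js path)."""
    profile_dir = tempfile.mkdtemp(prefix="character-profile-")
    return profile_dir, create_profile(profile_dir)


def launch_command(profile_dir):
    """-no-remote stops the new instance from handing URLs to your real
    running Firefox; -profile points it at the character's directory."""
    return ["firefox", "-no-remote", "-profile", profile_dir]


if __name__ == "__main__":
    d, _ = create_temp_profile()
    print(" ".join(launch_command(d)))
```

Run it once per character and launch Firefox with the printed command; because the profile directory is separate, the character's cookies, history and saved passwords never touch your real profile.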

That's about it. The key is NOT to hide your information but to present false yet valid-looking information to anyone who asks for it. Even if some of your real data leaks in the process, nobody will be able to tell which is fake and which is not, so the "noise" produced by the imaginary character still covers your tracks. Finally, remember that the character is a role you need to play. He should look like a normal person going online, with habits (maybe subscribe to a couple of mailing lists), hobbies and activities. Keep the roles strictly apart, though: the same writing style, the same hours online or the same browser profile is enough to link two identities even when none of the stated details match.

Sunday, July 15, 2007

Botnet Movie

There's a nice introductory movie about botnets over at GOVCERT.NL (the Computer Emergency Response Team for the Dutch government).

Friday, July 06, 2007

Data Ticking Time Bomb

There's an interesting article over at BBC Technology News about the compatibility of current and future computer systems with old file formats.

From the article:
"Unless more work is done to ensure legacy file formats can be read and edited in the future, we face a digital dark hole." [...] "If you stored something on a floppy disc just three or four years ago, you'd have a hard time finding a modern computer capable of opening it." [...] "We cannot afford to let digital assets being created today disappear. We need to make information created in the digital age to be as resilient as paper."

This really is an emerging problem as we move to a more computerized world. Today's technology lets us digitize large parts of our lives: computers and electronic services are replacing traditional concepts such as paper documents and records and physical transactions.

Nowadays hardly anybody uses floppy disks, and most new computers don't even have a floppy drive. What about people who kept an archive on such disks in the past? They probably can't read it from their current computer, and what about in a year or so? Also, a lot of electronic documents are stored in formats that have either evolved or been completely abandoned. So is that information lost? That should never be the case for unique, irreplaceable data!

The idea of open document (format) standards is steadily gaining ground. These are standards for text, audio, video, picture files and so on. As long as they are carefully designed and most vendors follow them, we shouldn't have a problem. Things get complicated when closed-source software such as Microsoft Office establishes and follows product-specific, non-standard formats which may even be incompatible between versions of the same product!

When it comes to storage media (like floppy disks) the problem remains, since technology evolves rapidly and doesn't let ties to the past slow it down. So yes, it's quite possible that the CD you use today to back up your files will be useless five years from now because your new computer won't have a CD-ROM drive. Besides, recordable CDs have a limited shelf life: the dye layer degrades, so a burned disc shouldn't be trusted for more than a few years. At this point the growth of computer networks and the Internet might provide the answer: it's so easy to upload and manage large amounts of data that many people already do their backups online.

Anyway, it's an interesting article to read and a lovely topic to ponder on.

Friday, June 22, 2007

"Change Your Password!" or Not?

Today I came across an article at the "Daily Cup of Tech" blog where the author urges you to change your password(s) frequently (every month or two). At first this may seem like a really good idea, but I'll have to disagree. First let me point out some other password-related security guidelines.

One should never use the same password for all of one's accounts; should one of them be compromised, all of them are. For example, your password to a forum should never be the same as the password for the e-mail address you gave when registering there, since whoever runs (or breaks into) the forum then also has your mailbox. Most people have two or three passwords: one for their "most secure" accounts, a second for e-mail and a third for every other "low security" case. I'm not necessarily saying that's the best one can do. Also, passwords should be hard to guess (and therefore hard to remember), so a totally random combination of letters, numbers and symbols, 8 characters or longer, is a good choice.

Back to the article. Having at least three totally random passwords like "C9U6h#*U" or "swa!Es7u" is already hard. Changing them every month or so, and memorizing the new ones each time, is nearly impossible for the average user. Too much effort pushes people into writing the password down or storing it somewhere like their cell phone, which is far worse than keeping the same password for a long time.
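To put numbers on "totally random, 8 characters or longer", here is an added example (mine, not from the post or the blog it discusses). It generates passwords from a CSPRNG, computes the entropy of a password from the character classes it uses, and estimates the expected time to exhaust the keyspace at two assumed guess rates: 1,000 guesses per second, roughly what an online login form permits, and a billion per second, the kind of rate an attacker reaches once a leaked password hash can be attacked offline. The 94-symbol alphabet and both rates are assumptions for illustration. The example also scores "janedoe47", the kind of password that turns up later on this page, so the two cases can be compared.

```python
"""Added example: what "totally random, 8+ characters" buys you, in numbers.

Assumptions (not from the post): a 94-symbol printable ASCII alphabet and
two illustrative guess rates, 1,000/s (online, rate-limited service) and
1,000,000,000/s (offline attack on a leaked password hash).
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ONLINE_RATE = 1_000           # assumed guesses/second against a live login form
OFFLINE_RATE = 1_000_000_000  # assumed guesses/second against a stolen hash


def generate_password(length=8, alphabet=ALPHABET):
    """Uniform random choice from a CSPRNG; random.choice() is not suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password):
    """Size of the union of character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(password):
    """Bits of entropy if each character were drawn uniformly from that class union."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_crack_seconds(password, guesses_per_second):
    """Expected time to hit the password by exhaustive search: half the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second


def meets_policy(password, min_length=8, min_bits=48.0):
    """The post's rule (random, mixed classes, >= 8 chars) expressed as an entropy floor."""
    return len(password) >= min_length and entropy_bits(password) >= min_bits


def report(password):
    """Summary dict used by the demo below and by the tests."""
    day = 60 * 60 * 24
    return {
        "bits": round(entropy_bits(password), 1),
        "online_years": round(expected_crack_seconds(password, ONLINE_RATE) / (365 * day)),
        "offline_days": round(expected_crack_seconds(password, OFFLINE_RATE) / day, 1),
        "ok": meets_policy(password),
    }


if __name__ == "__main__":
    for pw in ("C9U6h#*U", "swa!Es7u", "janedoe47", generate_password(12)):
        print(pw, report(pw))
```

For "C9U6h#*U" the model gives about 52 bits: roughly 96,000 years of online guessing, but only about 35 days at the assumed offline rate. "janedoe47" uses only lowercase letters and digits, so nine characters come to about 46.5 bits and it fails the policy floor.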

In my opinion, a secure-enough password is not in any danger from contemporary password-guessing techniques. The only way it can be compromised is if it is transmitted over an insecure medium, like a non-SSL HTTP session.

Friday, May 18, 2007

Schneier: Airline Security Cartoon

Found it at Bruce Schneier's blog. It really is a hilarious example of Cover Your Ass (CYA) security.

Saturday, May 12, 2007

Schneier: Is Big Brother a Big Deal?

Is Big Brother a Big Deal?

From the article:

Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.

Wednesday, May 09, 2007

When you think you know what you don't know...

I was attending a lecture on legal issues in e-commerce yesterday and was amazed by the audience's superficial knowledge of security matters. Being totally ignorant is something I understand, since they may never have had the chance to learn about it, but believing you know about it when you don't is absolutely disappointing.

So we were talking about digital signatures on e-mails and online transactions in general, and a guy claimed that when you apply for an e-mail address and give your name and address, it is the provider's obligation to verify that info, and therefore when you get a mail from someone you really should trust its source (yep, the "From:" field). Can you believe it?

OK, maybe he has never heard of spoofing an e-mail address or taking over someone's account, but how can he be so sure of the facts as to argue that an electronic message coming through a "known and well-respected" provider's network is something you can trust?

Anyhow, here are some Wikipedia links on digital signatures, electronic signatures (a totally different thing) and public-key certificates.

Wednesday, April 04, 2007

Schneier: The Failure of Two-Factor Authentication

The Failure of Two-Factor Authentication (March 15, 2005)

From the article:
Two-factor authentication [...] works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet.

Monday, April 02, 2007

Software Leftovers

Don't you just hate it when, after you've uninstalled a game or application from your Windows PC, you find all kinds of leftovers? Usually it's the installation directory, now empty. It may also be a registry key that's no longer necessary. And the question is why.

Why do these people write such lousy uninstallation routines that leave annoying garbage behind? One would think I'm talking about some third-rate piece of software, but no: I'm talking about very popular games and applications from well-known, well-respected companies.

Maybe it's the whole "Windows attitude": spread files here and there, register a couple of components and forget half of them at the end. Maybe they just think nobody will ever want to remove their program (because it's "so cool").

Being a programmer myself, I find it really irritating when others fail to do their job. Over time you end up with a PC that is slower, because a large number of redundant file system and registry entries still have to be parsed by the OS. And of course there's the aesthetic part, which calls for a nice "clean" system.

I want to look at my hard disk and find my currently installed software and files, NOT a history of my activities over the last two years. Is that too much to ask?

Wednesday, February 21, 2007

Auditing Wi-Fi Areas.

I've always been curious about the kind of security applied at "hot spots" or "Wi-Fi areas", places where you can access the Internet on pre-paid time. I'm not even going to talk about securing the client's activities and data or providing any kind of anonymity. I was keen to find out what such providers have deployed to make sure nobody unauthorized (i.e. people who haven't paid for their time) gets access. Today was my lucky day: while waiting for a flight at Athens International Airport I had the chance to test their wireless Internet access service.

Apparently they don't use any kind of encryption on their access points. That means anyone can associate and receive an IP address through DHCP (Dynamic Host Configuration Protocol). That's good, right? These guys want even the least tech-savvy user to be their client. As soon as you try to access your first web site (I'm guessing they offer HTTP only), you are redirected (through a transparent proxy) to a login screen and asked for a PIN, which can be found on the back of the pre-paid cards. When you enter a valid PIN, (I'm guessing) your IP and/or MAC address are recorded and their firewall lets you out (or their proxy fetches things for you, or something like that). So that's how it works.

Let's say I am a bad guy, well not a bad guy, just a guy who doesn't want to pay. I'd sit next to someone who is already surfing and sniff the unencrypted air to discover the legit user's IP and MAC addresses. (Of course I could also sniff sensitive information such as his passwords or e-mails, but that's another story.) After that I'd configure my own wireless card to use the exact same addresses (masquerading as the legit user) and I'm in! That's it. I wouldn't even have to look for holes in their firewall, crack their infrastructure or brute-force PINs. Pretty easy, huh? Well, it is: the gateway's only notion of "who has paid" is a pair of addresses that every station within radio range can read and set.
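The mechanism above, as an added example (mine, not the airport's software, which the post can only guess at): a minimal Ethernet II + IPv4 parser that pulls the source MAC and IP out of a raw frame, which is all a sniffer on an open network needs, and a model of the captive-portal gateway that, as the post describes, records the (MAC, IP) pair that typed a valid PIN and lets only that pair out. The frames are constructed inline for the demo; nothing is captured or sent. The gateway MAC and the PIN format are assumptions. The point the model makes plain is that any credential the gateway checks that is also visible on the air can be replayed; only something the freeloader cannot observe, such as per-client link-layer keys, changes that.

```python
"""Added example: why an open hotspot that authorizes by (MAC, IP) is clonable.

Not the airport's code; the gateway logic is a model of what the post guesses
happens (PIN -> record MAC/IP -> let that pair out). Frames are constructed
inline for the demo; nothing is sniffed or transmitted.
"""
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Return (src_mac, src_ip) from an Ethernet II + IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:                  # IP version nibble
        return None
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(ip) < ihl:
        return None
    return mac_str(src), ip_str(ip[12:16])


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed test frame: Ethernet II header + minimal IPv4 header (TCP, no checksum)."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                       0, 0x4000, 64, 6, 0,          # id, DF flag, TTL, proto=TCP, checksum
                       ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ipv4 + payload


class CaptivePortal:
    """Model of the hotspot gateway: a PIN authorizes whichever (MAC, IP) typed it."""

    def __init__(self, valid_pins):
        self.unused_pins = set(valid_pins)
        self.authorized = set()

    def login(self, mac, ip, pin):
        if pin not in self.unused_pins:
            return False
        self.unused_pins.discard(pin)    # a prepaid card works once
        self.authorized.add((mac, ip))
        return True

    def allows(self, frame):
        """Firewall decision for an outbound frame: only a recorded pair gets out."""
        ident = parse_frame(frame)
        return ident is not None and ident in self.authorized


GATEWAY_MAC = "00:aa:bb:cc:dd:ee"   # assumed address of the hotspot's router


def demo():
    """Returns (legit allowed, clone allowed, clone's own PIN attempt)."""
    portal = CaptivePortal(valid_pins={"1234-5678"})
    legit_mac, legit_ip = "00:11:22:33:44:55", "10.0.0.23"
    portal.login(legit_mac, legit_ip, "1234-5678")

    legit_frame = build_frame(legit_mac, GATEWAY_MAC, legit_ip, "192.0.2.10")
    # The freeloader's station sees this frame in the clear and copies the pair.
    seen_mac, seen_ip = parse_frame(legit_frame)
    cloned_frame = build_frame(seen_mac, GATEWAY_MAC, seen_ip, "198.51.100.7")

    return (portal.allows(legit_frame),
            portal.allows(cloned_frame),
            portal.login(seen_mac, seen_ip, "0000-0000"))   # no valid PIN needed anyway


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

`demo()` returns `(True, True, False)`: the paying user's frame passes, the cloned frame passes just the same, and the clone never needed a PIN of its own.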

Then I tried to understand it. Their administrator has applied no access control to the access point because that would mean a significant trade-off: every user would have to know how to configure his wireless device for whatever mechanism was chosen (MAC filtering, hidden ESSID, WEP, WPA). (The first two aren't real security anyway, and WEP is broken, so only WPA would actually help.) That could scare away potential customers who don't get along with computers very well, and the CEOs don't want that. So no "frustrating" security measures.

OK, so a lot of people can get it for free. We know it and they know it. Although a bandwidth piggyback may at first seem cool and let you surf for free, it actually works in their favor. How?

First, the piggybackers make more people appear to be using the Wi-Fi areas, and, as we all know, people imitate other people's behavior. If you have a wireless-capable device and see others using the service, you'll feel the urge to use it too. There you have it: indirect advertising. Moreover, people able to pull off such a stunt will be so proud of themselves that they'll tell their friends. When the friends try it themselves they may fail, but they were expecting Internet access on the spot, so it's very likely they'll pay for the service after all. Taking it further, there will come a time when the original hacker can't find a victim to piggyback on, but going online from the airport may already have become a habit or something he relies on, so even he may buy credits. Also, if you think about it, the providers aren't losing that much: most users (even unauthorized ones) are there to catch a flight, so under normal circumstances a session won't last more than a couple of hours. It's not like anyone is stealing bandwidth for days.

To sum up, what is advertised and offered is Internet access to counter those long waiting hours, or to let one urgent e-mail be sent or a short chat be held. In other words it addresses the need for communication, something people are always willing to pay (a lot) for. The details, who pays for it, who doesn't, how secure and reliable it is, are not considered important (although they should be) by either the provider or the majority of users, so everyone is happy at the end of the day.

Tuesday, January 30, 2007

Imbalanced (IMBA) Corporate Security.

It seems that both corporate networks and their physical installations can be compromised because of an irresponsible security officer.

When we talk about security (at a corporate level) we imagine an area (or several areas) where only certain people are allowed in. Once they are in, they are divided into groups depending on what they are meant to do there. The area may be a physical location (office/building): only the company's employees are granted entry, each one works in his own cubicle and only senior employees wander around checking on everybody else. It is the same for an electronic network: you have different areas (subnet A, subnet B, etc.) and different kinds of permissions (server 1 access, server 2 access, etc.).

Security officers are mostly concerned about letting people in. When a new guy is hired they screen him and watch him for a while before granting him the appropriate permissions. The problem is that administrators are selfish creatures: once they say you are "OK", that's it. They never check up on you or re-evaluate their decision.

This is bad enough, but the real problem starts when they forget about you even after you leave the company for good. As a result, active accounts of ex-employees remain in the system, giving them access at any time. This is huge! It only takes an unhappy ex-employee with the appropriate privileges, and maybe a little hacking, to steal or destroy information or damage the infrastructure itself.

It's been over a year since Bob left the company he was working at. A few days ago he realized that his network access had NOT been revoked (and, I bet, neither had his physical privileges, alarm codes etc.). He was able to remotely access specific systems on the company network and gain administrative privileges. He could install backdoors on those systems to ensure future access. He could use those systems to attack others, sniff the inside of the company's network (firewalls are of no use in this case) and basically do a lot of nasty things. He could also take advantage of small security vulnerabilities he knew about (like the fact that they used the same local admin password on every PC) to cover his tracks and hide his identity. Taking it a bit further, and assuming nobody bothered to cancel his alarm code (they did take his key, though), it would be possible to enter the premises at night, disarm the alarm with his code (or any ex-colleague's code he knows, which is another big issue) and steal or damage anything he wanted.

As Bob told me, it took 3 months from the day he started working there to get a key to the front door and remote access privileges. Apparently the security officer wanted to make sure he was not some malicious person. What worries me, though, is that he took all that time to verify Bob (making his life harder meanwhile, since he was an employee without sufficient means/privileges to do his job), yet twelve months after his last day at work Bob's clearance still hasn't been revoked. It's safe to assume this is not a one-time event. Unfortunately it is my belief that there are a lot of "orphan" accounts in that system.

This raises a couple more risks. Let's assume Jane is also an ex-employee but isn't as cunning as Bob: she has never thought of doing any of the stuff I've just talked about. Jane's account is still active, though, and is protected by a very easy password. When the sysadmin enforces a new (better?) password policy he won't look at Jane's account, because Jane doesn't work there any more. Right? Wrong! Maybe all 999 current employees have updated their accounts with hard-to-guess, complex passwords. It takes a single account, Jane's, with a dumb password like "janedoe47", for an attacker to get into the network, and from there the attacker has exactly the foothold Bob has.

Loose privileges are a liability!

To sum up, securing a physical area or a network means analyzing every possible scenario and providing general cover and failsafes, not just guarding the "front door", because that is not where an attacker will try to get in. He will hit abandoned accounts with weak passwords, forgotten remote-access privileges and protocols that should have been revoked.
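The check that would have caught both Bob and Jane, as an added example (mine, not anything the company in the story runs): reconcile the account directory against the HR roster and flag every enabled account whose owner has left, whose owner cannot be found at all (service accounts with nobody responsible for them), or that nobody has used in 90 days. A login dated after the owner's termination date, Bob's case exactly, is reported separately because it is no longer a hygiene problem but an incident. The CSV columns, group names and dates are constructed sample data, not from any real system.

```python
"""Added example: reconcile directory accounts against the HR roster.

Constructed sample data (not any real company). Assumes two CSV exports:
the HR roster and the account directory with last-login dates.
"""
import csv
import io
from datetime import date, timedelta

HR_ROSTER = """\
employee_id,name,status,termination_date
e100,Alice,active,
e101,Bob,terminated,2006-01-15
e102,Jane,terminated,2006-08-30
e103,Carol,active,
"""

ACCOUNTS = """\
username,employee_id,enabled,last_login,groups
alice,e100,yes,2007-01-28,staff
bob,e101,yes,2007-01-20,staff;vpn;domain-admins
jane,e102,yes,2006-04-02,staff;vpn
carol,e103,yes,2006-06-01,staff
svc_backup,,yes,2007-01-29,backup
old_dave,e999,no,2005-03-03,staff
"""

PRIVILEGED_GROUPS = {"domain-admins", "vpn"}   # assumed group names
SEVERITY = {"used-after-exit": 0, "orphan": 1, "no-owner": 2, "stale": 3}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(text):
    return date.fromisoformat(text) if text else None


def audit_accounts(roster_text, accounts_text, today="2007-01-30", stale_after_days=90):
    """Return [(username, finding, privileged)] sorted by severity, privileged first."""
    today = date.fromisoformat(today)
    roster = {r["employee_id"]: r for r in load_csv(roster_text)}
    cutoff = today - timedelta(days=stale_after_days)
    findings = []
    for acct in load_csv(accounts_text):
        if acct["enabled"] != "yes":
            continue                      # disabled accounts are not an exposure
        owner = roster.get(acct["employee_id"])
        groups = set(filter(None, acct["groups"].split(";")))
        privileged = bool(groups & PRIVILEGED_GROUPS)
        last_login = parse_date(acct["last_login"])
        if owner is None:
            kind = "no-owner"             # service or unknown account; needs a named owner
        elif owner["status"] != "active":
            left = parse_date(owner["termination_date"])
            # Bob's case: a login after the termination date is already an incident.
            kind = "used-after-exit" if (last_login and left and last_login > left) else "orphan"
        elif last_login is None or last_login < cutoff:
            kind = "stale"                # still employed, but nobody has used it lately
        else:
            continue
        findings.append((acct["username"], kind, privileged))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], not f[2]))


if __name__ == "__main__":
    for username, kind, privileged in audit_accounts(HR_ROSTER, ACCOUNTS):
        print("%-12s %-16s %s" % (username, kind, "PRIVILEGED" if privileged else ""))
```

On the sample data the report lists bob (used after exit, privileged), jane (orphan, privileged), svc_backup (no owner) and carol (stale), in that order; alice is fine and old_dave is already disabled. Run it on every export, not once, since the whole problem the post describes is that nobody re-checks.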

Sunday, January 28, 2007

Dogbert's Password Recovery Service for Morons.

Check it out here and here :)

Putting jokes aside, some "secure" services work that way :P

Wednesday, January 17, 2007

When Google turns against you...

Google began as a research project in January 1996 by two students at Stanford University, California. Larry Page and Sergey Brin (the two students) believed they had a better idea for searching the Internet than the existing engines, which ranked web sites by the number of times a search term appeared on each page (so the more keywords you stuffed into your home page, the higher you ranked: obviously inaccurate and exploitable). The Google search engine instead analyzed the relationships between web sites (how, and how many, sites linked to another site). It went public in 1997.

Today the year is 2007. Almost ten years have passed and Google is estimated to hold 70-78% of the search market. It has become a synonym for web search and is even, unofficially, a verb ("Google this to learn more"). It's one big, central point (hence "point of failure") which searches and indexes the entire World Wide Web. Some call it the "front page of the Internet". People would kill for their sites to appear among the very first results for a keyword, and on the other hand, "if your site is unreachable by Google then it doesn't exist". This really changed the Internet over the last decade, but what about now? The truth is that various problems are coming up.

Google can be fooled or (worse) manipulated.

A couple of days ago I read an interesting article on Javalobby about how their forums got spammed and how Google flagged them and removed them from its results. The person who posted the story on Slashdot titled it "When Your Site Ceases to Exist". But let's take things from the top. Javalobby maintains a forum, parts of which let unregistered (and anonymous?) users post. That's a BIG mistake, and a very naive one (I'll expand on this another time). Spammers exploited it and filled the forum with about 50,000 messages advertising pills, porn and gambling. Very soon Google's filters picked that up, considered the site yet another "bad apple" and buried it. How did that affect the site? According to the article's author, they lost about 10,000 visits a day that used to come from search results. That's a tragedy for someone who has invested time and money so that users can find his site when looking for certain things. Of course he didn't have a contract or any other agreement with Google. He just trusted it to do the job right.

Yesterday I read another interesting story on GNUCITIZEN. According to it, their site was down for a couple of days due to technical difficulties, displaying an automated error page (the WordPress default error). It's the same error page any site running the same software would show. The author discovered that Google had correlated his site with others showing the same error, because it thought they displayed the same content. Technically they did: it was the same HTML page, so by purely deterministic logic they belonged in the same group. The problem is they don't, and worse, even after the problem was fixed and the normal home page was back, Google kept grouping the site with irrelevant ones. The author takes this further from a security point of view. He says that if an attacker sets up a couple of web sites (at minimal cost) displaying the same error page, plus some pay-per-click advertisements, Google will "work" for him, grouping them with legitimate sites which may rank very high for certain keywords. So if an average user types those keywords he'll get a list of results containing the legitimate sites, followed by the attacker's. With little time and money the attacker will have hijacked those keywords and got malicious content onto the first page of results. Imagine porn advertisements on the same results page as the link to "www.ibm.com" when someone searches for "IBM". And Google will have been his accomplice.

So, what do we have here? It has been clearly demonstrated that Google is a single point (of failure) that can be fooled and manipulated. Nowadays if Google can't find you, you don't really exist. Does it have to be that way?

The answer is NO and it comes from the world of peer-to-peer (P2P) systems.

A lot of people know and use digg. It's a website with no content of its own: any user can post a link to another website with a short description. Other users who find the link interesting vote the post up (the vote is on the post, not on the user); if they don't, they vote it down. When a third user visits digg he is presented with a portal containing the latest of everything on the Internet (and links to it). There's a threshold (customizable per user) on what you see: you get the posts that collected a large number of positive votes and miss all the others. You can also vote on one or more posts, shaping their ranking. The result is that you read what's interesting to most people and skip the rest.

And what about del.icio.us? It's a website with no content of its own (like digg) where users keep their personal bookmarks. It works this way: you come across a site you want to bookmark, you add it to del.icio.us and tag it (that is, characterize it with keywords). Then you, or anybody else, can select a tag and find all listings under it. For example, you find a funny link about computer games. You post it and tag it "funny", "computer" and "games". A month later you may select "funny" to see all the links you considered funny, and so can everybody else.

Isn't that searching the Internet? The difference is that the users do the job and not some dumb bot. This isn't P2P at the system level but at the human one: it's not computers searching and exchanging results and listings, it's humans. If I see something worth looking at, I post it so that my (Internet) friends can see it. Then each of them promotes it (by voting on it or tagging it) so that his (Internet) friends can see it, and so on. Nobody waits for a single source of information.

In both cases crowdsourcing is applied: digg and del.icio.us are empty vessels filled with user activity from all over the globe. Pages are commented on and ranked by democratic vote. If someone posts something bad, it collects negative votes and is buried under the good posts. If someone leaves a bad comment on a good post, the comment itself is buried by negative votes on the comment, not on the post. It's all very amazing.

OK, it's not yet at the level of "I want to know about Company ABC", but only not YET. Imagine a similar site as big as Google where people registered and tagged everything. Then there would be an "ABC" tag, and not just that: there would be comments on the company, its products, its site, etc. How about that?

Isn't that a couple of generations ahead of looking at a huge list with nothing but a bunch of URLs (Google style)?

Now that we're talking about it, there is another, more obvious, P2P model for searching: a distributed search engine. Each user's browser contains a small "agent" which looks at a small piece of the Internet, indexing sites. Then it communicates with its (network) neighbors (other browsers), informing them of its findings, and they do the same. So when the user (human) types something into that search engine (whose interface resides on his computer), it knows where to find it or, at least, whom to ask. Then it gets multiple results, and even mirrors of the source, along with ranks and tags like the ones I've just talked about.

When you're looking for something, wouldn't you prefer an option some guy you trust has recommended? Well, that's what I'm talking about. I'm talking about the future.

No more "Google can't find me, therefore I don't exist". We won't have to care about that. If you exist you will be found. Or maybe the saying will become: "I'm not interesting enough, therefore I don't exist". Ha, we are talking about the ultimate democracy. Which government or agency would be able to suppress such a system?

When you are trying to censor or manipulate content that the entire planet reviews and comments on, the battle is lost before it even begins.

Of course there are a lot of security issues here. Will someone be able to poison such a system by deploying thousands or millions of user-imitating bots? Will someone be able to run a DDoS attack by manipulating the system (the Slashdot effect or Digg effect)? Will phenomena like crowd psychology or gossip take over? These (and many more) are factors we should really take into account, but decentralizing information databases and adopting a more open model for content management and distribution is certainly the way of the future. I'll get back to the security portion of this some time.

To sum up, the Google algorithm in its current form may not be able to handle the Internet of today well and certainly won't be able to do so in the future. Just as two students from California revised the way we searched the Internet in 1997, maybe it's time again to take the next step forward into something as radical and advanced as Google was for its time.