CfP ECRA Social Networks and Web 2.0

Posted in Books, Magazines and Journals, Internet Security, Security Research by Dragan Pleskonjic @ Jan 25, 2008

There is an interesting call for papers for an Elsevier special issue of Electronic Commerce Research and Applications on Social Networks and Web 2.0. You can submit your manuscripts online. Papers will be reviewed and published depending on the reviewers’ decisions.

It will cover many relevant topics in this hot and fast-evolving area. I’m particularly interested in the privacy and protection issues of social networks and Web 2.0.

Important dates are:

  • Optional abstracts: April 15, 2008
  • Initial submission: June 15, 2008
  • First round reviews: August 15, 2008
  • Resubmission by: October 15, 2008
  • Final acceptance: December 15, 2008

StumbleUpon Privacy Risks

Posted in Internet Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 8, 2008

Be careful, be very careful when using social networking sites! Some social networking sites, and some sites that pretend to be social networking sites but are really marketing profiling sites, may pose a huge privacy risk. I will talk here about the very popular StumbleUpon, which shouldn’t pose such a risk but actually does.

When you sign up for StumbleUpon, you are offered the possibility to e-mail everyone on your mailing lists (MSN/Hotmail, Yahoo Mail, Gmail, AOL, Facebook, Outlook, Outlook Express etc.) and invite them to join your friends list. It is offered through a very simple user interface in the browser.

Stumble Upon Import Your Contacts

If you choose to use this possibility, you will need to provide your user name and password for MSN/Hotmail, Yahoo Mail or Gmail! Seems like a password scam, doesn’t it?

Worse still, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbleUpon Contact Import. I hope that you have a proper security level set in your Internet Explorer; otherwise you will hand them the list of all your Outlook contacts with just one (even accidental) click.

Stumble Upon Contact Import Add-On

If you click on the above image, you’ll see a larger version and can read the message which says “Don’t worry, it’s safe :)”. The message ends with a smiley, yes… Funny! Reading the terms and privacy policy of StumbleUpon, you probably will not find many details about this. It looks like the usual benign privacy policy, without mentioning the high privacy risks that you are exposed to by using this social networking site.

After sending a question to support using the Web-based contact form, an automated response arrived, which I answered with an additional e-mail question stating the urgency of a response. There is no answer to these questions yet.

There are also other privacy risks on this social networking site, including the list of friends being visible to everyone, as well as visited (stumbled) Web sites, contacts, preferences, messages etc. StumbleUpon offers its toolbar, which is considered spyware by some antispyware scanners.

There is also a post on Steve Riley’s blog that talks about FanBox. When you sign up for FanBox, they ask for your permission to e-mail everyone in your address book (FanBox knows how to talk to most webmail systems).

My recommendation is to avoid clicking on anything suspicious, especially something which will talk to your mail clients, your Web-based mail and the contacts stored there. Or, to say it more strongly: never, ever click on anything like this!

There is also an earlier post on this blog, “The Privacy Risks of Social Networking Sites”.

Note: StumbleUpon sent many visitors to my blog and it seems that some stumblers like this blog; thanks to all of them. But I have to be honest: StumbleUpon poses a privacy risk.

Should We Believe Internet Polls?

Posted in Internet Security by Dragan Pleskonjic @ Nov 23, 2007

I think we should not. It is easy to cheat. If you want to know how, read below.

You are aware of the many Internet polls on various Web sites. I can remember the days when having a poll on your Web site was one of the pillars for increasing the number of visitors. The other pillars were frequent updates or content changes, news, links from other sites and, of course, most importantly, a good ranking at search engines.

Polls are very interesting. How can we know if their results are honest and accurate? Honest voting means that one unique visitor has the right to one vote. That is the minimal criterion. But what is one visitor? Is it one person, one IP address, one computer, one Web browser, or one user with a user name and password?

What are the usual poll logging methods for ensuring honest voting? Some polls don’t log voters at all. But, basically, most polls log by:

  • Cookie
  • IP address
  • Cookie & IP address
  • User name

A cookie seems like an honest way at first sight. It means one user from one machine and one browser gets one vote. If you have two or three browsers installed, you can vote 2, 3 or more times. Or you can simply delete the cookie and vote as many times as you wish.

How do you delete a cookie? Not a big deal. You can do it very easily in Firefox: choose Tools -> Clear Private Data.

Firefox Clear Privacy Data

Then tick the Cookies box.

Firefox Clear Cookies

And also in Internet Explorer: go to Tools -> Internet Options, General tab, and choose Delete in the Browsing history section.

IExplorer Delete Browsing History

What about IP address logging? It is not an honest voting system either, because many networks share one public IP address. Such a poll allows one vote per address, but behind a single public IP address there is very often a network or organization with many people, and only one of them can vote. Conversely, a single IP address does not mean that you can vote only once. If you wish to vote more times, you can use tools that maintain your anonymity on the Internet, for example Tor. With Tor you can vote almost as many times as you want; the number of votes is limited by the number of Tor servers around the globe. Just click on Use a New Identity and voila.

Vidalia Control Panel

You should have in mind that Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn’t magically anonymize all your traffic just because you install it. It is recommended you use Firefox with the Torbutton extension. 

If a poll system uses the combination of cookie & IP address, cookie deletion combined with Tor and its features will do. This is enough to vote dishonestly.

A system with user name and password is a pretty honest voting system. Its problems are the same as the problems and pitfalls of user-name / password based security systems in general.

If a poll doesn’t log votes, it is not worth considering. You simply shouldn’t believe its results. You can only regard it as a way for site owners to show that they have a poll and lots of visitors who vote. The results are of no value.

So what can we conclude about Internet polls? In most cases these systems are of very little value. Anybody who wants to jeopardize the voting can do it with a little knowledge. The only voting of value is based on a user name / password scheme, but it attracts very few voters: people generally don’t want to be bothered with registering and logging in to your Web site just to vote.
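To make the comparison of the four logging methods concrete, here is an added example (not code from the original post) that models a poll ledger under each policy and replays a constructed ballot sequence: a first vote, a plain repeat, a repeat after the cookie was cleared, a repeat from a different exit address, and a hand-made cookie. The signing key, the addresses and the user name are constructed for the demo; the HMAC-signed cookie and the per-address review function go a little beyond the post, showing what a poll operator can still check after the fact.

```python
import hashlib, hmac, secrets
from collections import defaultdict

SECRET = b"constructed-demo-secret"  # assumption: server-side signing key, not from the post

def issue_cookie():
    """Random voter id plus an HMAC tag, so a hand-made cookie fails verification."""
    vid = secrets.token_hex(8)
    tag = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{vid}.{tag}"

def cookie_valid(cookie):
    vid, _, tag = cookie.partition(".")
    expected = hmac.new(SECRET, vid.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)

class PollLedger:
    """One ballot per key, where the key follows one of the four logging policies."""
    def __init__(self, policy):
        self.policy, self.seen = policy, set()
        self.cookies_per_ip = defaultdict(set)  # kept for after-the-fact review

    def vote(self, cookie, ip, user):
        if "cookie" in self.policy and not cookie_valid(cookie):
            return False  # a missing or forged cookie is rejected outright
        if cookie_valid(cookie):
            self.cookies_per_ip[ip].add(cookie)
        key = {"cookie": cookie, "ip": ip, "cookie+ip": (cookie, ip), "user": user}[self.policy]
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

    def suspicious_ips(self, limit):
        """Addresses that presented more distinct valid cookies than `limit`."""
        return sorted(ip for ip, cs in self.cookies_per_ip.items() if len(cs) > limit)

def run_scenario(policy):
    """Constructed ballots; returns (accepted count, addresses worth a second look)."""
    ledger = PollLedger(policy)
    first = issue_cookie()
    accepted = [
        ledger.vote(first, "203.0.113.7", "alice"),           # first, honest vote
        ledger.vote(first, "203.0.113.7", "alice"),           # plain repeat
        ledger.vote(issue_cookie(), "203.0.113.7", "alice"),  # cookie cleared, same address
        ledger.vote(issue_cookie(), "198.51.100.9", "alice"), # different exit address
        ledger.vote("deadbeef.forged", "203.0.113.7", "alice"),  # hand-made cookie
    ]
    return sum(accepted), ledger.suspicious_ips(limit=1)
```

Only the user-name policy accepts a single ballot from this sequence; the cookie and cookie+IP policies accept three, and the address review still singles out the address that rotated cookies.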

I hope that the Google AdSense program has a good way of handling these issues. Otherwise it is easy to fake somebody else’s AdSense clicks and get their AdSense account closed by Google because of fake clicks. There is a post about it on this blog.

And a couple of words about Tor. What is Tor?

Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the Internet’s TCP protocol.

You can download the Tor & Privoxy & Vidalia & Torbutton bundle for free here and use it. But remember:

…then please don’t just install it and go on. You need to change some of your habits, and reconfigure your software! Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for…

Enjoy polls, including the ones on my blog. And be careful with their results.

Why Worry About Infected Routers?

Posted in Fun, Internet Security by Dragan Pleskonjic @ Oct 18, 2007

“If your router is infected, it can take you anywhere… independently of what you type in the address bar, and you will think that you got to where you wanted to go.”

See the funny but educational cartoon about pharming and its consequences on SecurityCartoon.com. There are some five slides with a good explanation of pharming. There are many other interesting cartoons there, and also a geek dictionary.

Enjoy and learn something at the same time!

Browsers as Nests for Malware

Posted in Internet Security, Privacy, Security by Dragan Pleskonjic @ Oct 17, 2007

Attackers target browsers as possible nests for attacks on user systems. Given the average Internet user and surfer, and their (our) lack of caution while surfing and visiting various Web sites, there are very good chances for various exploits.

An interesting article appeared on the ZDNet blog about an Adobe Reader issue affecting Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Petko D. Petkov wrote a very interesting article about browser rootkits at GNUCITIZEN. Joanna Rutkowska also wrote an article about this problem on her blog. Joanna’s article was inspired by Petkov’s.

I will quote here some of Petko D. Petkov’s ideas.

The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:

  • Obscure browser extensions - the most common place a rootkit may exploit. The extension will be visible to the system and the user but at the same time will remain hidden by tricking the user into believing that it is an important browser component.
  • Hidden browser extensions - rootkit masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be made hidden by supplying a special field with the value of true in the Install manifest file.
  • Backdoored install base - the rootkit can simply infect common browser components that are already in place. Firefox, for example, is shipped with browser.jar located in the application folder. This JAR archive contains the default Firefox GUI interface and all basic components, all written in XUL and JavaScript. Rootkit masters can simply smuggle their own JavaScript into browser.xul part of browser.jar and as such root the default GUI.
  • 3rd-party rootkits - browsers are a complicated piece of software which interacts with many 3rd-party components such as Adobe PDF and Flash. These technologies can be easily rooted as well. In terms of Adobe Reader and Acrobat, the rootkit master can simply copy a simple JavaScript file inside the PDF script auto run folder. Every time the victim opens a PDF, the rootkit will execute which, as a result, will grant control to the attacker. In terms of Adobe Flash, the rootkit master can weaken the Flash settings to allow certain external sites to perform restricted operations circumventing the plugin security policies. Let’s not forget that rootkit masters can simply register additional browser plugins which will hook on important browser hooks.
  • Extension of an extension rootkits - these types of rootkits take a form of an extension for a browser extension (i.e. userscripts for Greasemonkey). They can be trivially installed and can hook on external XSS proxies from where they can be controlled.

Joanna says:

Petko in his post gives several ideas of how browser-based malware could be created and I’m sure that we will see more and more such malware in the near future (I would actually be surprised if it didn’t exist already). His main argument for creating “Browser Rootkits” is that they would be “closer to the data”, which is, of course, undisputable.

The other argument is the complexity of a typical browser like e.g. Firefox or Internet Explorer. It seems like we have a very similar situation here to what we have with “classic” operating systems like e.g. Windows. Windows is so complex that nobody (including Microsoft) can really spot all the sensitive places in the kernel where a rootkit might “hook” – thus it’s not possible to effectively monitor all those places. We have a similar problem with Firefox and IE because of their extensible architecture (think about all those plugins, add-ons, etc) – although we could examine the whole memory of firefox.exe process, we still would not be able to decide whether something bad is there or not.
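Joanna’s point that inspecting a browser’s memory does not tell you whether something bad is in there suggests the one check that is still cheap: comparing the shipped components against a known-good baseline. The following is an added example, not code from either post or from Mozilla, for Petkov’s “backdoored install base” case: it hashes every member of a JAR (a JAR is a plain zip archive) and reports what differs from a baseline taken from a trusted installation. The two archives are constructed in memory as a stand-in for browser.jar, which in reality has many more members.

```python
import hashlib, io, zipfile

def jar_digests(jar_bytes):
    """SHA-256 of every member of a JAR, keyed by member path."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}

def compare_to_baseline(baseline, current):
    """Members whose content changed, members that appeared and members that vanished."""
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "missing": missing}

def build_jar(members):
    """Build an in-memory JAR from {path: text}; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, text in members.items():
            z.writestr(path, text)
    return buf.getvalue()

# Constructed stand-in for a pristine browser.jar recorded right after installation.
CLEAN = build_jar({
    "content/browser/browser.xul": "<window id='main-window'/>",
    "content/browser/browser.js": "function startup() {}",
})
# The same archive after the tampering Petkov describes: extra script referenced from browser.xul.
TAMPERED = build_jar({
    "content/browser/browser.xul": "<window id='main-window'><script src='x.js'/></window>",
    "content/browser/browser.js": "function startup() {}",
    "content/browser/x.js": "// injected",
})

def audit():
    """Run the comparison; in practice the baseline digests would be stored read-only elsewhere."""
    return compare_to_baseline(jar_digests(CLEAN), jar_digests(TAMPERED))
```

The baseline must be recorded before the installation is ever exposed and kept where the browser cannot write to it; a baseline computed on an already rooted profile proves nothing.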

Nice reading for those interested in Internet security and privacy. It is likely that much more is to come on this topic very soon.

Google Search Privacy

Posted in Internet Security, Privacy, Security by Dragan Pleskonjic @ Oct 7, 2007

A plain and simple video about Google search privacy is on YouTube (here), together with Google’s privacy policy.

Mozilla Thunderbird vs. Microsoft Outlook

Posted in Internet Security by Dragan Pleskonjic @ Oct 7, 2007

Kenneth van Wyk, a 20-year veteran of IT security and the principal consultant for KRvW Associates LLC, analyzed mail clients in Datamation. Here is his article: Mozilla Thunderbird vs. Microsoft Outlook. Kenneth is also co-author of two security-related books; he has worked at CERT, as well as at the U.S. Department of Defense. One month ago he wrote the article Mozilla Firefox vs. Internet Explorer: Which is Safer?

What They Know About You

Posted in Internet Security, Privacy by Dragan Pleskonjic @ Sep 23, 2007

Ordinary users of search engines, bank portals and e-commerce sites usually don’t care about all the various data that these sites keep about their visitors in order to learn more about their behavior, habits and preferences.

The article Barclays Manipulates Online Sales gives one explanation of how they collect and use data about visitors. It also has a couple of words about what Google does when you install the Google toolbar.

It is also well known that other site owners collect information about site visitors. Sometimes users are told clearly, sometimes less clearly, and sometimes not at all. The advice is: be careful.

Google Mistakes Own Blog for Spam, Deletes It

Posted in Fun, Internet Security, Security by Dragan Pleskonjic @ Aug 13, 2007

This looks like a true story, but might be part of the Google - Yahoo battle. Anyway, it is nice to read a story about Google at Yahoo: Google mistakes own blog for spam, deletes it - Yahoo! News. It says:

Readers of Google’s Custom Search Blog were handed a bit of a surprise Tuesday when the Web site was temporarily removed from the blogosphere and hijacked by someone unaffiliated with the company.
 
The problem? Google had mistakenly identified its own blog as a spammer’s site and handed it over to another person.

The change was first noticed by the Google Blogoscoped Web site, which noticed that posts on the Custom Search Blog had been deleted and replaced by a strange comment from someone identifying himself as Srikanth.

[...]

WordPress 2.2.2 and 2.0.11

On August 5, 2007 the WordPress team announced two security-related releases, available for users of both its main 2.2 branch and the legacy 2.0 branch. See: WordPress › Blog » WordPress 2.2.2 and 2.0.11.

I’ve upgraded my blog to 2.2.2 today and started thinking about how to fully automate the process of upgrading a WordPress blog. Any ideas?