Whom To Believe: Google Or McAfee?

Posted in Internet Security by Dragan Pleskonjic @ Apr 2, 2009

I use the McAfee suite on one of my computers. It includes McAfee SiteAdvisor, which is supposed to help you know which Web sites are safe and which are risky or dangerous. Today (April 2, 2009) I was surprised when McAfee warned me, as I tried to access some of Google’s services, with a red mark and this message:

74.125.77.132 may try to steal your information.

Why were you redirected to this page? When we visited this site, we found it may be designed to trick you into submitting your financial or personal information to online scammers. This is a serious security threat which could lead to identity theft, financial losses or other dissemination of personal information.

[Screenshot: McAfee SiteAdvisor warning page for 74.125.77.132]

I checked and found that this IP address belongs to Google.

[Screenshot: whois lookup for 74.125.77.132]

Whom to believe, Google or McAfee? An interesting question, isn’t it?


What Adware Can Do?

Read this interview and you will probably be scared. It is an interview with Matt Knox, in which he talks about his early days designing and writing adware for Direct Revenue.

He says:

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.

and:

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

The question is: who owns “your” computer?

Thanks to Aleck for pointing me to this scary interview.


Tricked by Wrong PDFCreator Publisher

Posted in Internet Security, Software Security by Dragan Pleskonjic @ Jan 23, 2009

You probably need to print your files to PDF format sometimes. You can use Adobe Acrobat for this purpose, but it costs a significant amount of money. If your requirements are not too demanding, you can use the free open source tool named PDFCreator instead.

PDFCreator is a free tool to create PDF files from nearly any Windows application. The real PDFCreator Web site is: http://www.pdfforge.org/products/pdfcreator. I have been using it for quite some time (on a trusted friend’s recommendation) and it is a really good tool. Easy to use and pretty fast, it satisfies most of my needs regarding creating PDF files, i.e. printing to PDF from the various programs I use.

But there are some impostors on the Internet. The Wikipedia article about PDFCreator says:

PDFCreator’s popularity, achieved through word of mouth advertising, has motivated other commercial software vendors to try to fool people who are looking for the free software PDFCreator to purchase their own commercial software version instead, by using a similarly spelled name to “PDFCreator”.

Such attempts include Capsoft’s USD$57.95 PDF Creator and WCCL’s USD$24.95 PDF-Creator.

I will not put those links here, as I don’t want to give them any additional PR, but the domain names are carefully chosen so that you can easily be mistaken. Actually, this may be considered a kind of scam and phishing: not phishing by the classic definition, but it uses some of the same principles.

I was tricked by CapSoft recently. It’s funny how it happened. A new computer required many things to be installed and set up. As I didn’t have the appropriate PDFCreator version saved on my disk, I did brief research on the Internet, found it (I thought it was the appropriate one), and downloaded it, and… Previously, I had spent a lot of time installing, transferring data from the old machine and setting things up, and I was pretty tired. In those circumstances, I failed to check whether that version and the PDF Web site, which I easily googled, were the appropriate ones. I noticed that the Web site looked a bit strange, but I thought they had changed it since the previous time I downloaded PDFCreator. They required an e-mail address to send the download link, which was the first bad sign. The link I received by e-mail led to the download.com Web site, using a redirection over some aweber.com domain. Unfortunately, I wasn’t too careful: I downloaded and installed that PDF Creator and started to use it. Soon, I got an e-mail from them. Erhm… I can’t remember that for the “old version” (actually the right one) I was ever asked for my e-mail address, nor did I ever receive any mails from them. And I received more mails, almost one new mail every 2-3 days. Needless to say, the user interface is different and the behavior is slightly different, but I persuaded myself that it was because of the newer version.

Suddenly, 14 days after installation, it stopped working as the trial period had passed, and the tool offered “Buy now” in a message. I hit it and fortunately that button somehow didn’t work. Then I carefully inspected the information on CapSoft and their version of PDF Creator and found many complaints on the net and also the Wikipedia article which I cited above. McAfee SiteAdvisor also has a discussion about this. After this I inspected my machine for viruses, spyware and rootkits. I still have to check more thoroughly whether there is any malicious code that I might have got by installing the wrong PDF Creator (with a space between PDF and Creator, unlike PDFCreator without that space). Just to note also that their wrong Web site has www-pdfcreator in its domain name, which is intentionally chosen to trick people. There is no “About us” section on their Web site, nor any phone you can call, nor a physical address apart from a PO Box. Etc., etc. It looks like a very suspicious company.

My advice is to be careful, very careful, when downloading open source software, as many impostors use well-known names and variations of them to trick people and then take their money. Check that the download really comes from the project’s own site (for PDFCreator, pdfforge.org) rather than from a third-party link sent to you by e-mail.
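As an added illustration (this is not code from the original post, nor from the PDFCreator project), here is a small Python check that applies the two tricks described above mechanically: it flattens product and host names so that “PDF Creator”, “PDF-Creator” and “www-pdfcreator” all compare equal to the brand, and it classifies a download by every hop of the redirect chain the e-mail link went through. The only official host, pdfforge.org, is taken from the page; every other host and the redirect chain are constructed examples.

```python
# Added example, not code from the original post or from the PDFCreator
# project: classify a download by whether its hosts imitate the product
# name in the ways the post describes (a space or hyphen in "PDF Creator",
# "www-pdfcreator" built into a domain). The official host pdfforge.org is
# taken from the page; every other host below is a constructed example.
import re
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"pdfforge.org"}
BRANDS = ("pdfcreator", "pdfforge")


def flatten(name):
    """Lower-case and drop separators: 'PDF-Creator' -> 'pdfcreator'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def registrable(host):
    """Last two labels of a host ('www.pdfforge.org' -> 'pdfforge.org').
    Deliberately ignores multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like_brand(product_name):
    """True when a product name equals a brand once separators are ignored."""
    return flatten(product_name) in BRANDS


def classify_host(host):
    """'official' for the project's own site, 'lookalike' when a brand
    name is embedded in an unofficial host, otherwise 'unrelated'."""
    if registrable(host) in OFFICIAL_HOSTS:
        return "official"
    flat = flatten(host)
    if any(brand in flat for brand in BRANDS):
        return "lookalike"
    return "unrelated"


def classify_download(chain):
    """Classify a download by every hop of the redirect chain the link went
    through. One lookalike hop taints the whole download; a chain that ends
    anywhere but the official site is at best 'unverified'."""
    verdicts = [classify_host(urlsplit(u).hostname or "") for u in chain]
    if "lookalike" in verdicts:
        return "lookalike"
    if verdicts and verdicts[-1] == "official":
        return "official"
    return "unverified"


if __name__ == "__main__":
    # Constructed chain shaped like the one in the post: a mailing-list
    # tracker redirect, then a third-party download site, never the
    # project's own site.
    chain = ["http://tracker.example.net/click?id=1",
             "http://download.example.com/pdf-creator-setup.exe"]
    print(classify_download(chain))
```

The point of `classify_download` taking the whole chain is that the dangerous hop is often not the final one: a tracker redirect followed by a big download portal looks harmless at the end, and only the fact that the official site never appears gives it away.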



Victoria Secret Competition Gets Hacked

Posted in Internet Security, Polls, Security by Dragan Pleskonjic @ Dec 3, 2008

In this article I tried to explain why we should not believe Internet polls and described some ways to cheat them. Here is one more proof: a Victoria’s Secret competition got hacked.

How?

In the early hours of Oct. 21, Plunkett and his friend created a Perl script that could log 1,500 votes per second on the Victoria’s Secret Web site. Twelve hours later, Drexel had gone from 9,000 to 5.2 million votes.

The script took Plunkett all of three minutes and 30 computers to run.

It’s interesting to read.


Edgios, or will the new Google come from Serbia!?

Posted in General, Internet Security, Privacy, Security, Security Research, Software Security by Dragan Pleskonjic @ Oct 20, 2008

It might happen even in the middle of the world financial crisis. We should wait and see. Or not just wait: you can actually contribute to the new search engine. To contribute, you just install free software and use it. The name is Edgios and the software is in Alpha stage.

Edgios has already got a lot of publicity on Web sites and discussion forums. It is a large-scale distributed search ‘cloud’ that, according to the company, offers higher-quality search results. Users participate in the cloud by downloading the Edgios personal search software and connecting it to the net.

A recent discussion on one of the most important developers’ forums in Serbia raised many questions about Edgios. Some participants questioned the idea and the concept, and many raised privacy and security concerns as well. Also, it seems that many people are scared of Google and Yahoo and have no courage to question their solutions and to start something that may compete with the big ones. It may be successful or not, but it is worth a try at least, especially if you have famous Venture Capital backing your ideas. If it is the one that backed Skype, then it is even more serious.

Some of the questions raised in the discussion are: is it secure? Is it safe? The authors say:

Yes! That’s exactly the point. By having the Edgios personal search client on your computer, you’re in control of what you share and what you keep private. Traditional search engines keep much more information than you might expect, and they hang onto it for a long time. With Edgios, you’re in control.

I would add: do you know what Google or other search engines already know about you? Have you asked yourself that question?

Here are some facts grabbed from the Edgios Web site about the company:

Edgios is a US company, based in Palo Alto, CA. The company is backed by Draper Fisher Jurvetson (DFJ), a premier Venture Capital firm based in Menlo Park, CA. DFJ shares with Edgios a passion for distributed computing, having backed Skype, the most successful P2P startup to date. Edgios has additional offices in Portland, OR, and in Serbia.

About founder:

The company has very strong connections with Serbia, having been founded by Dr. Borislav Agapiev, who grew up in Belgrade before moving to the US in 1985. The technology that makes Edgios possible has been developed entirely in Serbia, by a team of extremely talented and bright young developers. The entire team is proud of demonstrating that world-class search technology can be developed in Serbia, relying on the deep talent pool of local developers.

Edgios is Dr. Agapiev’s second search startup. He was also the founder of Vast.com, a San Francisco-based search engine for online classifieds. Vast.com is a leader in the online classifieds market, reaching millions of customers in the US and worldwide, having as partners and customers several large US companies. From its start, Vast.com has also been relying on Serbian engineers for technology development and innovation.

About search mechanism:

Edgios does not use a centralized search index of the Web, located in a massive data center, fed by an algorithmic ‘crawler’. Instead, it has an index that’s built by users, for users, and it employs a fully distributed index residing in memory and on the disks of computers that are part of the search cloud. The power of a fully decentralized, distributed search system is dependent on the number of its users. We believe that with just a few hundred thousand users that the Edgios search cloud is capable of surpassing conventional search engines, in terms of freshness, depth, and quality of search results.

It will be interesting to watch the progress of this story, and to be part of it. Why not?


CfP ECRA Social Networks and Web 2.0

Posted in Books, Magazines and Journals, Internet Security, Security Research by Dragan Pleskonjic @ Jan 25, 2008

There is an interesting call for papers for an Elsevier special issue of Electronic Commerce Research and Applications on Social Networks and Web 2.0. You can submit your manuscripts online. Papers will be reviewed and published depending on the reviewers’ decisions.

It will cover many relevant topics in this hot and fast-evolving area. I’m particularly interested in the privacy and protection issues of social networks and Web 2.0.

Important dates are:

  • Optional abstracts: April 15, 2008
  • Initial submission: June 15, 2008
  • First round reviews: August 15, 2008
  • Resubmission by: October 15, 2008
  • Final acceptance: December 15, 2008

StumbleUpon Privacy Risks

Posted in Internet Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 8, 2008

Be careful, be very careful when using social networking sites! Some social networking sites, and some sites that pretend to be social networking sites but are actually marketing profiling sites, may pose a huge privacy risk. I will talk here about the very popular StumbleUpon, which shouldn’t pose such a risk but actually does.

When you sign up for StumbleUpon, you have the possibility to e-mail everyone on your mailing lists, including MSN/Hotmail, Yahoo Mail, Gmail, AOL, Facebook, Outlook, Outlook Express etc., and invite them to join your friends list. It is offered through a very simple user interface in the browser.

[Screenshot: StumbleUpon “Import Your Contacts” dialog]

If you choose to use this possibility you will need to provide your user name and password for MSN/Hotmail, Yahoo Mail or Gmail! Seems like a password scam, doesn’t it?

Much worse, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbleUpon Contact Import. I hope you have a proper security level set in Internet Explorer; otherwise you will hand them a list of all your Outlook contacts with just one (even accidental) click.

[Screenshot: StumbleUpon Contact Import add-on prompt]

If you click on the above image, you’ll see a larger version and can read the message which says “Don’t worry, it’s safe :)”. The message ends with a smile, yes… Funny! Reading the terms and privacy policy of StumbleUpon, you probably will not find many details about this. It looks like the usual benign privacy policy, without mentioning the high privacy risks that you are exposed to by using this social networking site.

After sending a question to support using the Web-based contact form, an automated response arrived, which I answered with an additional e-mail question stating the urgency of a response. There is no answer to these questions yet.

There are also other privacy risks of this social networking site, including the list of friends visible to everyone, visited (stumbled) Web sites, contacts, preferences, messages etc. StumbleUpon offers its toolbar, which is considered spyware by some antispyware scanners.

There is also a post on Steve Riley’s blog that talks about something called FanBox. When you sign up for FanBox, they ask for your permission to e-mail everyone in your address book (FanBox knows how to talk to most webmail systems).

My recommendation is to avoid clicking on anything suspicious, especially something that will talk to your mail clients, your Web-based mail and your contacts there. Or, to say it more strongly: never, ever click on anything like this!

There is also an earlier post on this blog, “The Privacy Risks of Social Networking Sites”.

Note: StumbleUpon sent many visitors to my blog and it seems that some stumblers like this blog; thanks to all of them. But I have to be honest: StumbleUpon poses a privacy risk.


Should We Believe Internet Polls?

Posted in Internet Security by Dragan Pleskonjic @ Nov 23, 2007

I think we should not. They are easy to cheat. If you want to know how, read below.

You are aware of the many Internet polls on various Web sites. I can remember the days when having a poll on your Web site was one of the pillars of increasing the number of visitors. The other pillars were: frequent updates or content changes, news, links from other sites and, of course most important, a good ranking in search engines.

Polls are very interesting. How can we know whether their results are honest and accurate? Honest voting means that one unique visitor has the right to one vote. That is the minimal criterion. But what is one visitor? Is it one person, one IP address, one computer, one Web browser, or one user with a user name and password?

What are the usual methods polls use to log voters in order to provide honest voting? Some polls don’t log voters at all. But, basically, most polls log voters by:

  • Cookie
  • IP address
  • Cookie & IP address
  • User name

A cookie seems an honest way at first sight. It means one user from one machine and one browser gets one vote. But if you have two or three browsers installed, you can vote 2, 3 or more times. Or you can simply delete the cookie and vote as many times as you wish.

How to delete a cookie? Not a big deal. In Firefox it is very easy: choose Tools -> Clear Private Data.

[Screenshot: Firefox “Clear Private Data” menu item]

And then check the Cookies box.

[Screenshot: Firefox “Clear Private Data” dialog with Cookies checked]

And also in Internet Explorer: go to Tools -> Internet Options, General tab, and choose Delete in the Browsing history section.

[Screenshot: Internet Explorer “Delete Browsing History” dialog]

What about IP address logging? It is not an honest voting system either, because many networks share one public IP address, so the poll allows one vote per address. Very often, behind one single public IP address there is a network or organization with many people, yet only one of them can vote. Conversely, one single IP address doesn’t guarantee that you can vote only once. What if you wish to vote more times? You can just use tools that maintain your anonymity on the Internet, for example Tor. With Tor you can vote almost as many times as you want; the number of votes is limited only by the number of Tor exit relays around the globe. Just click on “Use a New Identity” and voilà.

[Screenshot: Vidalia control panel with “Use a New Identity”]

You should keep in mind that Tor only protects Internet applications that are configured to send their traffic through Tor; it doesn’t magically anonymize all your traffic just because you install it. It is recommended that you use Firefox with the Torbutton extension.

If a poll system uses a combination of cookie & IP address, you can combine deletion of cookies with Tor and its features. Together they let you vote dishonestly.

A system with user name and password is a pretty honest voting system. Its problems are the same as the problems and pitfalls of user-name/password based security systems in general, and unless registration costs something, nothing stops one person from registering many accounts.

If a poll doesn’t log votes at all, it is not worth considering. You simply shouldn’t believe its results. You can only consider it a way for site owners to show that they have a poll and lots of visitors who vote. The results are of no value.

And what can we conclude about Internet polls? In most cases these systems are pretty worthless. If somebody is interested in jeopardizing the voting, he can do it with a little knowledge. The only voting of value is based on a user name/password scheme. But it attracts very few voters. People generally don’t want to be bothered with registering and logging in to your Web site just to vote.
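To make the comparison above concrete, here is an added example (my own toy code, not anything from the original post or from any real poll software): a poll tallier that dedupes votes by each of the logging schemes listed above, a simulated ballot stuffer who can clear cookies and rotate exit addresses (the effect of Tor’s “Use a New Identity”), and two honest colleagues sitting behind one NAT address. All votes, cookies and addresses are constructed; nothing is sent to any real poll.

```python
# Added example, not code from the original post: a toy poll that dedupes
# votes by each scheme listed above, plus a simulated ballot stuffer who
# clears cookies and rotates exit IPs (what Tor's "Use a New Identity"
# gives an attacker). All votes and addresses are constructed; nothing is
# sent to any real poll.

class Poll:
    """Tally votes, rejecting duplicates according to the logging scheme:
    'none', 'cookie', 'ip', 'cookie+ip' (reject if either was seen before)
    or 'username'."""

    def __init__(self, scheme):
        self.scheme = scheme
        self.seen = set()
        self.tally = {}

    def identifiers(self, vote):
        """Which identifiers this scheme remembers for a vote."""
        if self.scheme == "none":
            return set()
        ids = {
            "cookie": {("cookie", vote["cookie"])},
            "ip": {("ip", vote["ip"])},
            "username": {("user", vote["user"])},
        }
        ids["cookie+ip"] = ids["cookie"] | ids["ip"]
        return ids[self.scheme]

    def cast(self, vote):
        """Record the vote; return False if the scheme treats it as a repeat."""
        ids = self.identifiers(vote)
        if ids & self.seen:
            return False
        self.seen |= ids
        self.tally[vote["choice"]] = self.tally.get(vote["choice"], 0) + 1
        return True


def ballot_stuffer(choice, n, clear_cookie=False, new_identity=False):
    """n votes from one person. clear_cookie: a fresh cookie on every vote.
    new_identity: a different (constructed 10.0.0.x) exit address every vote."""
    for i in range(n):
        yield {
            "choice": choice,
            "cookie": f"c-{i}" if clear_cookie else "c-fixed",
            "ip": f"10.0.0.{i % 250 + 1}" if new_identity else "203.0.113.7",
            "user": "alice",
        }


def accepted(scheme, n=50, **tricks):
    """How many of n stuffed votes a poll using `scheme` counts."""
    poll = Poll(scheme)
    return sum(poll.cast(v) for v in ballot_stuffer("A", n, **tricks))


def shared_office(scheme):
    """Two honest colleagues behind one NAT address: how many votes count."""
    poll = Poll(scheme)
    votes = [
        {"choice": "A", "cookie": "c-bob", "ip": "198.51.100.9", "user": "bob"},
        {"choice": "B", "cookie": "c-eve", "ip": "198.51.100.9", "user": "eve"},
    ]
    return sum(poll.cast(v) for v in votes)


if __name__ == "__main__":
    print("scheme      plain cookie-clear new-identity both office")
    for scheme in ("none", "cookie", "ip", "cookie+ip", "username"):
        print(f"{scheme:11} {accepted(scheme):5} "
              f"{accepted(scheme, clear_cookie=True):12} "
              f"{accepted(scheme, new_identity=True):12} "
              f"{accepted(scheme, clear_cookie=True, new_identity=True):4} "
              f"{shared_office(scheme):6}")
```

Running it prints one row per scheme. The cookie scheme lets all 50 stuffed votes through as soon as the cookie is cleared each time; the IP scheme lets them all through with a new exit address each time, while counting the two honest colleagues as one voter; cookie & IP needs both tricks combined before it gives way; only the user-name scheme keeps the stuffer at one vote, which is exactly the ordering the text argues for.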

I hope that the Google AdSense program has a good way of handling these issues. Otherwise it is easy to fake clicks on somebody else’s AdSense ads and get their AdSense account closed by Google because of fake clicks. There is a post about it on this blog.

And a couple of words about Tor. What is Tor?

Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the Internet’s TCP protocol.

You can download the Tor & Privoxy & Vidalia & Torbutton bundle for free here and use it. But remember:

…then please don’t just install it and go on. You need to change some of your habits, and reconfigure your software! Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for…

Enjoy polls, including the ones on my blog. And be careful with their results.


Why Worry About Infected Routers?

Posted in Fun, Internet Security by Dragan Pleskonjic @ Oct 18, 2007

“If your router is infected, it can take you anywhere… independently of what you type in the address bar, and you will think that you got to where you wanted to go.”

See the funny but educational cartoon about pharming and its consequences on SecurityCartoon.com. There are some five slides with a good explanation of pharming. There are many interesting cartoons there, and also a geek dictionary.

Enjoy and learn something at the same time!


Browsers as Nests for Malware

Posted in Internet Security, Privacy, Security by Dragan Pleskonjic @ Oct 17, 2007

Hackers target browsers as possible nests for attacks on user systems. Having in mind average Internet users and surfers and their (our) lack of caution while surfing and visiting various Web sites, there are very good chances for various exploits.

An interesting article about an Adobe Reader issue, which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7, appeared on a ZDNet blog. Petko D. Petkov wrote a very interesting article about browser rootkits at GNUCITIZEN. Joanna Rutkowska also wrote an article about this problem on her blog. Joanna’s article was inspired by Petkov’s.

I will quote here some of Petko D. Petkov’s ideas.

The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:

  • Obscure browser extensions – the most common place a rootkit may exploit. The extension will be visible to the system and the user but at the same time will remain hidden by tricking the user into believing that it is an important browser component.
  • Hidden browser extensions – rootkit masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be made hidden by supplying a special field with the value of true in the install manifest file.
  • Backdoored install base – the rootkit can simply infect common browser components that are already in place. Firefox, for example, is shipped with browser.jar located in the application folder. This JAR archive contains the default Firefox GUI interface and all basic components, all written in XUL and JavaScript. Rootkit masters can simply smuggle their own JavaScript into browser.xul part of browser.jar and as such root the default GUI.
  • 3rd-party rootkits – browsers are complicated pieces of software which interact with many 3rd-party components such as Adobe PDF and Flash. These technologies can be easily rooted as well. In terms of Adobe Reader and Acrobat, the rootkit master can simply copy a simple JavaScript file inside the PDF script auto run folder. Every time the victim opens a PDF, the rootkit will execute which, as a result, will grant control to the attacker. In terms of Adobe Flash, the rootkit master can weaken the Flash settings to allow certain external sites to perform restricted operations circumventing the plugin security policies. Let’s not forget that rootkit masters can simply register additional browser plugins which will hook on important browser hooks.
  • Extension of an extension rootkits – these types of rootkits take a form of an extension for a browser extension (i.e. userscripts for Greasemonkey). They can be trivially installed and can hook on external XSS proxies from where they can be controlled. 

Joanna says:

Petko in his post gives several ideas of how browser-based malware could be created and I’m sure that we will see more and more such malware in the near future (I would actually be surprised if it didn’t exist already). His main argument for creating “Browser Rootkits” is that they would be “closer to the data”, which is, of course, undisputable.

The other argument is the complexity of a typical browser like e.g. Firefox or Internet Explorer. It seems like we have a very similar situation here to what we have with “classic” operating systems like e.g. Windows. Windows is so complex that nobody (including Microsoft) can really spot all the sensitive places in the kernel where a rootkit might “hook” – thus it’s not possible to effectively monitor all those places. We have a similar problem with Firefox and IE because of their extensible architecture (think about all those plugins, add-ons, etc) – although we could examine the whole memory of firefox.exe process, we still would not be able to decide whether something bad is there or not.

Nice reading for those interested in Internet security and privacy. It is likely that much more is to come on this topic very soon.
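One of Petkov’s points above, the Firefox extension made invisible by a flag in its install manifest, is something you can actually audit on your own profile. Here is an added example of such a check (my own code, not from the original post nor from either of the cited articles): it parses Firefox install manifests (install.rdf, the extension manifest format of Firefox 2 and 3) and lists the extensions the Add-ons dialog would not show. The field name em:hidden is my assumption from that manifest format; the three manifests are constructed samples, not real extensions.

```python
# Added example, not code from the original post or from the cited
# articles: scan Firefox install manifests (install.rdf, the extension
# manifest format of Firefox 2 and 3) for the "hidden" flag the quoted
# passage refers to. The field name em:hidden is assumed from that
# manifest format; the manifests below are constructed samples, not real
# extensions.
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
FIELDS = ("id", "name", "version", "hidden")


def parse_install_manifest(xml_text):
    """Return the em:* fields of the manifest's install Description, whether
    they are written as child elements or as attributes of that node."""
    root = ET.fromstring(xml_text)
    descs = list(root.iter(RDF + "Description"))
    if not descs:
        raise ValueError("no rdf:Description in manifest")
    # Prefer the node explicitly marked as the install manifest.
    desc = next((d for d in descs
                 if (d.get("about") or d.get(RDF + "about"))
                 == "urn:mozilla:install-manifest"), descs[0])
    info = {}
    for field in FIELDS:
        el = desc.find(EM + field)
        if el is not None and el.text is not None:
            info[field] = el.text.strip()
        elif EM + field in desc.attrib:
            info[field] = desc.attrib[EM + field].strip()
    return info


def is_hidden(info):
    """The Add-ons list suppresses an extension whose hidden flag is true."""
    return info.get("hidden", "false").lower() == "true"


def audit_extensions(manifests):
    """manifests maps an extension directory name to its install.rdf text.
    Returns, sorted, the ids (directory name when there is no id) of the
    extensions the Add-ons dialog would not display."""
    hidden = []
    for dirname, text in manifests.items():
        info = parse_install_manifest(text)
        if is_hidden(info):
            hidden.append(info.get("id", dirname))
    return sorted(hidden)


# Constructed samples: one ordinary extension, one hidden via a child
# element, one hidden via an attribute on the Description node.
SAMPLE_MANIFESTS = {
    "ext1": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>good@example.invalid</em:id>
    <em:name>Harmless Toolbar</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>""",
    "ext2": """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>quiet@example.invalid</em:id>
    <em:name>Browser Core Services</em:name>
    <em:version>2.3</em:version>
    <em:hidden>true</em:hidden>
  </Description>
</RDF>""",
    "ext3": """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:install-manifest"
                   em:id="stealth@example.invalid"
                   em:name="Update Helper"
                   em:version="0.9"
                   em:hidden="true"/>
</RDF:RDF>""",
}

if __name__ == "__main__":
    for ext_id in audit_extensions(SAMPLE_MANIFESTS):
        print("hidden extension:", ext_id)
```

To use it on a real profile you would read each `extensions/*/install.rdf` into the dictionary in place of the samples. Note the two sample hidden extensions carry names like “Browser Core Services” and “Update Helper”, which is the other trick Petkov lists: even when an extension is not hidden, its name is chosen to look like an essential component, so a flag audit should be read together with the names it reports.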
