Dragan on Security

Interesting list on Virtual Hosting Blog » The Privacy Toolbox: 100 Guides and Resources for Keeping Your Personal Information Safe, categorized into:

• Articles
• Blogs
• Resources
• Applications
• Organizations
• Tips
• Guides
• Books

This list might be of great help.

In recent post on this blog, I described some of StumbleUpon privacy risks. BBC Technology News now have article about privacy problem related to Facebook, another social networking tool. Under title Facebook faces privacy questions they talk that Facebook is to be quizzed about its data protection policies by the Information Commissioner’s Office. It says:

The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account.

Currently, personal information remains on Facebook’s servers even after a user deactivates an account.

Facebook has said it believes its policy is in “full compliance with UK data protection law”.

We will see how this will be solved. Anyway, social networking come to its dark side because of increasing number of security and privacy problems.

Hackers target browsers as possible nests for attack to user systems. Having in mind average Internet users and surfers and their (our) lack of caution while surfing and visiting various Web sites, there are very good chances and possibility for various exploits.

Interesting article about Adobe Reader which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7 appeared at ZDNet blog. Petko D. Petkov wrote very interesting article browser rootkits at GNUCITIZEN. Joanna Rutkowska also wrote article about this problem on her blog. Joanna’s article has been inspired by Petkov’s.

I will quote here some of Petko D. Petkov’s ideas.

The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:

• Obscure browser extensions - the most common place a rootkit may exploit. The extension will be visible to the system and the user but at the same time will remain hidden by tricking the user into believing that it is an important browser component.
• Hidden browser extensions - rootkits masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be made hidden by suppling a special field with the value of true in the Install manifest file.
• Backdoored install base - the rootkit can simply infect common browser components that are already in place. Firefox, for example, is shipped with browser.jar located in the application folder. This JAR archive contains the default Firefox GUI interface and all basic components, all written in XUL and JavaScript. Rootkit masters can simply smuggle their own JavaScript into browser.xul part of browser.jar and as such root the default GUI.
• 3rd-party rootkits - browsers are complicated piece of software which interacts with many 3td-party components such as Adobe PDF and Flash. These technologies can be easily rooted as well. In terms of Adobe Reader and Acrobat, the rootkit master can simply copy a simple JavaScript file inside the PDF script auto run folder. Every time the victim opens a PDF, the rootkit will execute which, as a result, will grant control to the attacker. In terms of Adobe Flash, the rootkit master can weaken the Flash settings to allow certain external sites to perform restricted operations circumventing the plugin security policies. Let’s not forget that rootkit masters can simply register additional browser plugins which will hook on important browser hooks.
• Extension of an extension rootkits - these types of rootkits take a form of an extension for a browser extension (i.e. userscripts for Greasemonkey). They can be trivially installed and can hook on external XSS proxies from where they can be controlled. 

Joanna says:

Petko in his post gives several ideas of how browser-based malware could be created and I’m sure that we will see more and more such malware in the near future (I would actually be surprised if it didn’t exist already). His main argument for creating “Browser Rootkits” is that they would be “closer to the data”, which is, of course, undisputable.

The other argument is the complexity of a typical browser like e.g. Firefox or Internet Explorer. It seems like we have a very similar situation here to what we have with “classic” operating systems like e.g. Windows. Windows is so complex that nobody (including Microsoft) can really spot all the sensitive places in the kernel where a rootkit might “hook” – thus it’s not possible to effectively monitor all those places. We have a similar problem with Firefox and IE because of their extensible architecture (think about all those plugins, add-ons, etc) – although we could examine the whole memory of firefox.exe process, we still would not be able to decide whether something bad is there or not.

Nice reading for those interesting in Internet security and privacy. It is likely that much more is to come on this topic very soon.

Plain and simple video about Google search privacy at YouTube (here) and Google’s privacy policy.

The second and great article in Economist’s series looks at the new technologies for collecting personal information, and the dangers of abuse: Civil liberties: surveillance and privacy | Learning to live with Big Brother.

Conclusion starts with interesting subtitle and says:

Boiling the frog

If the erosion of individual privacy began long before 2001, it has accelerated enormously since. And by no means always to bad effect: suicide-bombers, by their very nature, may not be deterred by a CCTV camera (even a talking one), but security wonks say many terrorist plots have been foiled, and lives saved, through increased eavesdropping, computer profiling and “sneak and peek” searches. But at what cost to civil liberties?

Privacy is a modern “right”. It is not even mentioned in the 18th-century revolutionaries’ list of demands. Indeed, it was not explicitly enshrined in international human-rights laws and treaties until after the second world war. Few people outside the civil-liberties community seem to be really worried about its loss now.

That may be because electronic surveillance has not yet had a big impact on most people’s lives, other than (usually) making it easier to deal with officialdom. But with the collection and centralisation of such vast amounts of data, the potential for abuse is huge and the safeguards paltry.

Ross Anderson, a professor at Cambridge University in Britain, has compared the present situation to a “boiled frog”—which fails to jump out of the saucepan as the water gradually heats. If liberty is eroded slowly, people will get used to it. He added a caveat: it was possible the invasion of privacy would reach a critical mass and prompt a revolt.

Ordinary users of search engines, bank portals, e-commerce sites usually don’t care about all various data that these keep about Web site visitors in order to learn more about their behavior, habits and preferences.

In article Barclays Manipulates Online Sales there is one explanation how they collects and uses data about visitors. Also, they have couple of words about what Google do when you install Google toolbar.

It is also well known that other site owners are collecting information about site visitors. Sometimes it is told to users clearly, sometimes less clearly and sometimes not. Advice is: be careful.

This sounds unbelievable but document marked as strictly confidential, Ericsson Interception Management System Manual is available for free download from Internet. I don’t know is that obsolete document or valid, but anyway it is very surprising that you can obtain document from Internet. I learned about this through an article in IEEE Spectrum related to Greek telephone tapping scandal.

There is interesting article at SDL blog titled: SDL and the Unconcerned Pragmatic Fundamentalist.

Related to this is the research done by privacy expert Dr. Alan Westin. Westin divided the respondents of performed survey into the following categories:

The Privacy Fundamentalists: Fundamentalists are generally distrustful of organizations that ask for their personal information, worried about the accuracy of computerized information and additional uses made of it, and are in favor of new laws and regulatory actions to spell out privacy rights and provide enforceable remedies. They generally choose privacy controls over consumer-service benefits when these compete with each other. About 25% of the public are privacy Fundamentalists.

The Pragmatic: They weigh the benefits to them of various consumer opportunities and services, protections of public safety or enforcement of personal morality against the degree of intrusiveness of personal information sought and the increase in government power involved. They look to see what practical procedures for accuracy, challenge and correction of errors the business organization or government agency follows when consumer or citizen evaluations are involved. They believe that business organizations or government should “earn” the public’s trust rather than assume automatically that they have it. And, where consumer matters are involved, they want the opportunity to decide whether to opt out of even non-evaluative uses of their personal information as in compilations of mailing lists. About 57% of public fall into this category.

The Unconcerned: The Unconcerned are generally trustful of organizations collecting their personal information, comfortable with existing organizational procedures and uses are ready to forego privacy claims to secure consumer-service benefits or public-order values and not in favor of the enactment of new privacy laws or regulations. About 18% of public fall into this category.

In IEEE Spectrum, July 2007 issue, there is interesting article how some extremely smart hackers pulled off the most audacious cell-network break-in ever. It is still unknown who pulled off the most audacious network hack ever, but here’s (IEEE Spectrum: The Athens Affair) how they did it. This article gives a technical insight.

The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law ­enforcement officials, the Greek EU commissioner, activists, and journalists.

The Wikipedia article http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005 contains additional links to press stories and background material.

Ericsson’s Interception Management System user manual (marked confidential) is available on the Web through a Google search: http://www.google.com/search?q=IMS+ericsson+manual or at http://cryptome.org/ericsson-ims.htm. 

Interesting article on popular topic at IEEE Security & Privacy: What Anyone Can Know: The Privacy Risks of Social Networking Sites.

Conclusion is:

The most frequently identified risk of morphing our social lives and personal communications into the digital era (in addition to the broad and indiscriminate dissemination of our every thought and compromising photo) is that there is no longer an expectation of privacy in the sphere that traditionally has been the core of our self-conceived private lives. If prospective employers or university admission officers want in-depth access to a candidate’s personal activity, they can access these sites (either directly or through college-age staff members), and readily get an uncensored, unflattering, and in many cases largely unrepresentative portrait of that candidate. Not only is this information unfiltered by the selective editing of context (it was not prepared to show a candidate in the best light for a job interview, but rather to impress beer-swilling friends), but it is often deliberately skewed toward the exhibitionist, provocative, and inflammatory, as schoolyard showboating should be. Bonding is not the same social process as applying for a responsible job. We don’t routinely bash chests with future employers. But if the very nature of the forum undermines our claim to privacy protection, the answer might be in PC Magazine’s advice to users of MySpace that “[c]ertain information is best withheld from the public.”5 If not, an entire MySpace generation could realize, when it is much too late to intervene, that the cyber personae they spawned in adolescent efforts to explore identity have taken on permanent lives in the multiple archives of the digital world.