What a timely reminder to steer the topic back to security. It embarrasses me to admit it, but in all likelihood, my Windows Live Messenger account was hacked. The damage: my contact list was spammed with some acai berry diet pill offer. The spam wasn’t particularly convincing, as anyone who knows me wouldn’t consider me losing 21 pounds being a good thing. In fact, I’m on a weight gain diet but that’s a whole other story. Nonetheless, it got me to review my security practices. There is definitely rooom for improvement. No, that is spelt correctly.
To those affected, my sincerest apology. I’m in no way implying that you need to lose weight. While I hope the messenger spam is the only chaos caused, there is always the possibility that they could have made away with the email addresses of my contacts. I personally could think of better things to do with that information than to send spam but evidently there are people that would fall for it.
Within minutes of the spam being sent, a mate of mine txt’d me to let me know what had happened. Now, I’ve come across this before. In all the previous cases, I was the one being spammed. Unfortunately, this time, the table is turned. From past experiences, changing the Windows Live Messenger password seems to help; and that is just what I did. So far, things are looking alright. Fingers crossed. While it may seem an obvious response, I’m not entirely convinced that it is always the smartest thing to do.
As the saying goes, ‘Fool me once, shame on you; fool me twice, shame on me’. I’m now extremely motivated to get to the bottom of this. I have done a bit of research into this already but there doesn’t seem to be a lot of information on it. I’m going to start a new page on my blog to present my findings. I’ve learned some interesting things already. I do need to run some tests to confirm my theories.
On the positive side, it resurrected some of my old contacts. People I haven’t talked to in ages suddenly started contacting me. It also prompted me to trim off any dead contacts. This way, should it somehow happen again, the damage will be minimised.
As promised, here is a fairly up-to-date post on a piece of security news. Monster.com, a popular job site, was breached last Friday. The intruder made off with names, phone numbers, email addresses, and passwords of job seekers. Apparently, this is their second major breach.
I vaguely remember registering an account with them before. I’m not sure, but I’m not particularly bothered anyway as I’ve changed my email address and password since. It did get me thinking though.
Let’s face it. All sites will be breached at one point or another. It’s simply a matter of minimizing the damage. One feature that I wish for, but rarely see, is the ability to delete or disable an account. I appreciate that it may not always be practical to delete an account for various reasons. However, users should at least be able to disable an account and remove any sensitive information that is no longer required. In a day and age where identity theft is a common occurrence, developers really should take more responsibility in safeguarding user data.
I haven’t been to Monster.com for yonks, so I’m not sure if they have any such measures in place. Details on the breach are scarce at the moment. I suppose the forensic investigation is underway. In the meantime, check out “Monster.com warns job seekers of breach” for a more detailed story.
You may have learned about a form of web attack known as clickjacking. If not, now is a good time. If you own a website, you should seriously consider adding frame busting code to prevent your site from being loaded in a frame.
Frame busting can be easily achieved with some simple Javascript:
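<script type="text/javascript">
  // If this page is not the top-level window, it has been framed:
  // point the top-level window at this page instead.
  if (top != self)
    top.location.replace(document.location);
</script>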
Just add the code above between the <head> and </head> tags of your webpages.
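The script above only helps if JavaScript runs in the framed page; the `X-Frame-Options` and CSP `frame-ancestors` response headers have the browser enforce the same policy itself. The following is an added example, not code from the original post: a small checker that classifies a response's anti-framing headers. The function name and the sample header sets are assumptions made for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// The sample header sets in SAMPLES are constructed for illustration.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Where a frame-ancestors directive is present, browsers apply it
  // instead of X-Frame-Options, so check CSP first.
  const csp = h["content-security-policy"] || "";
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== "frame-ancestors") continue;
    if (sources.length === 0) return "deny"; // empty list matches nothing
    if (sources.length === 1 && sources[0] === "'none'") return "deny";
    if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
    if (sources.includes("*")) return "unprotected";
    return "allow-list";
  }

  // ALLOW-FROM is obsolete and ignored by current browsers, so only
  // DENY and SAMEORIGIN count as protection here.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "unprotected";
}

// Headers that tell the browser never to render the page in a frame.
const RECOMMENDED_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

const SAMPLES = [
  { name: "no headers", headers: {} },
  { name: "recommended", headers: RECOMMENDED_HEADERS },
  { name: "obsolete ALLOW-FROM", headers: { "X-Frame-Options": "ALLOW-FROM https://a.example" } },
];
for (const s of SAMPLES) console.log(s.name, "->", framingPolicy(s.headers));
```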
As a user, there is something you can do as well to protect yourself. Run NoScript. Don’t confuse this with the HTML <noscript> tag. NoScript is a Firefox extension that enables you to control which Javascripts are allowed to execute. It has a ClearClick feature that can detect potential clickjacking attempts. You will probably find NoScript to be really annoying to start with but it can protect you from a lot more than clickjacking.
If you’re security conscious like me and have secured your wireless network with a 64 character WPA2 hex key, you may well know that Ubuntu won’t accept it. The Network Manager applet will happily accept the first 63 characters but the moment you enter the 64th character, you won’t be able to save it. This is because the Network Manager is expecting a passphrase rather than a hex key. I can’t confirm it at this point but I think Ubuntu 8.10 will now accept hex keys.
However, this is Linux and you can always take matters into your own hands. What you need to do is to manually edit the configuration file. The network configurations are stored in /etc/network/interfaces. This is what mine looks like:
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet dhcp
    wpa-driver wext
    wpa-key-mgmt WPA-PSK
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-ssid <network ssid>
    wpa-psk <64 char hex key>
    wpa-ap-scan 2
This is not the first time I came across this problem. It is currently preventing me from configuring my Asus ExpressGate. I have encountered similar situations with some Windows applications as well. It might be a good idea, the next time you set up a wireless network, to generate a random 63 character passphrase instead. You then have the flexibility of converting it to its hex equivalent when necessary.
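The passphrase-to-hex conversion mentioned above, as an added example that is not part of the original post: WPA2-Personal derives the 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names and the passphrase alphabet are assumptions made for illustration; the code runs under Node.js.

```javascript
const nodeCrypto = require("crypto");

// Distinguish the two ways a WPA2-Personal secret can be entered:
// 64 hex digits is the raw 256-bit key, 8 to 63 printable ASCII
// characters is a passphrase. A field that only accepts passphrases
// rejects the 64th character, which is the behaviour described above.
function classifyWpaSecret(secret) {
  if (/^[0-9a-fA-F]{64}$/.test(secret)) return "hex-psk";
  if (/^[\x20-\x7e]{8,63}$/.test(secret)) return "passphrase";
  return "invalid";
}

// Passphrase to key mapping from IEEE 802.11i:
// PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes).
// The result depends on the SSID, so renaming the network changes the key.
function passphraseToHexPsk(passphrase, ssid) {
  if (classifyWpaSecret(passphrase) !== "passphrase") {
    throw new Error("passphrase must be 8-63 printable ASCII characters");
  }
  return nodeCrypto
    .pbkdf2Sync(passphrase, ssid, 4096, 32, "sha1")
    .toString("hex");
}

// Random passphrase drawn from a CSPRNG. The alphabet is an
// illustrative choice that avoids characters some input fields mangle.
function randomPassphrase(length = 63) {
  const alphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  let out = "";
  for (let i = 0; i < length; i++) {
    out += alphabet[nodeCrypto.randomInt(alphabet.length)];
  }
  return out;
}

// Constructed usage: "home-net" is a placeholder SSID.
const passphrase = randomPassphrase();
console.log("passphrase:", passphrase);
console.log("hex key   :", passphraseToHexPsk(passphrase, "home-net"));
```

The hex output is what goes on the wpa-psk line of /etc/network/interfaces, while the passphrase itself can be typed into tools that refuse a 64 character key.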
On a side note, the command for restarting the networking service is:
sudo /etc/init.d/networking restart
I was up in Wellington last weekend for Kiwicon II and I must say the 50 bucks was well worth it. Over the course of two days, I learned that:
- video conferencing systems are insecure, hackers may be watching you
- I have a lot more to learn about heap overflows
- locks do not prevent access, they simply slow you down
- fancy locks are fancy but not as secure as you may think
- you can be knocked off Google
- your Bluetooth devices may be giving away your whereabouts
- the range on wireless devices is greater than you think
- Paul Craig owns all the Internet kiosks out there, check out iKAT
- Windows makes life easy for malware creators, it’s a feature not a bug
- Google is a hacking tool… well, I already knew that
There were other interesting topics including biometrics, Citrix, and drive-by-downloads.
Tokemon was awesome. It was 3 hours of hacking and drinking @ Shooters. All legal of course. I couldn’t be bothered lugging my laptop up to Welly as I was trying to travel lite, so I didn’t get my hands dirty this year. Plus I don’t feel like having it pwned. I did learn quite a bit from watching the pros at work.
Hopefully, there will be a Kiwicon 2009. I will definitely be back.
HackThisSite.org is a fun site if you like hacking. It is a free, safe, and legal training ground for hackers to test and expand their hacking skills.
I vaguely remember some of the challenges from a site I visited a few years ago. It could have been HackThisSite but I can’t be certain. Anyway, I’m working my way through the challenges at the moment. I have completed most of the easy missions without much difficulty but there is a lot for me to learn before I can tackle some of the more advanced challenges. I enjoy the wide range of topics covered by the challenges, which includes web security, application security, programming, Javascript, and steganography.
HackThisSite can be quite addictive. Once I get started on a mission, it’s hard to stop. That’s partly the reason why I haven’t been blogging much recently. All the late nights have also taken their toll as I almost missed work this morning. By the time I woke up, I should have already been at my desk, sipping hot chocolate like I usually do. Luckily, my manager was away today.
Are you sure? There is currently a DNS flaw out in the open waiting to be exploited. The scary thing about this flaw is that you may be completely oblivious to it. You will type a web address into your browser, hit Enter, and arrive at the page you expect. Problem is, are you really at the real site? All the signs seem to suggest you are. And yet, you may be about to send your password to a phishing site halfway across the world.
Patches are available, but has your DNS server been patched? For most users, this responsibility lies with your ISP. Fortunately, there is something you can do. DoxPara Research is providing a DNS Checker that will enable you to test whether the DNS server you’re using is vulnerable to this particular flaw. If the DNS server is found to be vulnerable, consider using OpenDNS instead.
Full details on the vulnerability are currently hard to come by as everyone is hush-hush about it in order to allow more time for people to patch up their DNS servers.
I was reading through some security articles today when I came across a mention of the Quantico Circuit. The name sounds intriguing so I searched it up.
The telecom company’s people told Pasdar, who they’d brought in for the project, that the unusual backdoor conduit was called the “Quantico Circuit” and “should not be firewalled”. Pasdar was concerned that the channel, code named for the FBI academy in Northern Virginia, was an open door to his client’s “core network,” giving unrestricted access to the cellular phone company’s “billing system, text messaging, and fraud detection”. The conduit made it possible, for example, “to tap into any conversation on any mobile phone supported by the carrier at any point”.
Are you thinking what I’m thinking? This is like something out of Digital Fortress. What a coincidence.
Though I haven’t verified the source, I wouldn’t be surprised if it’s true. Especially after the recent amendments to the Foreign Intelligence Surveillance Act (FISA).
Comodo Firewall Pro is a free personal software firewall. While I appreciate the fact that it’s free, I must say that it has been driving me mad. I wouldn’t recommend it to anyone at this stage just yet, but I wouldn’t stop you from trying it either.
This whole thing started a few weeks ago when I rebuilt my system. A scan revealed that the pirated firewall I had been using for the last few years came with malware. Now, this is not the first time I discovered malware-infested pirated software. In fact, I once installed a pirated antivirus which was itself infected with a virus. What an irony. You would think me being the security conscious person that I am would have learnt my lesson but obviously that wasn’t enough. But after discovering the malware in the seemingly clean pirated firewall I had trusted for ages, I finally learned that you can’t trust any pirated software, especially pirated security products. What easier system to infect than one without security protection?
Now, I’m not about to reveal the full security setup of my machines. Even though I have a bunch of security measures in place, the reality is that all software has bugs. I should know as I’m a software developer. Revealing my machine setup would make them much more susceptible to attack. Since I’m reviewing the Comodo firewall, you now know I have that running on my system. Or do I still?
I quite like Comodo firewall because it is highly configurable. It supports five different levels of protection ranging from Disabled to Paranoid Mode. I’m not paranoid about security so instead I run it in the Train with Safe Mode. What I soon found out is that when you put the firewall into training mode, it in turn puts you in training mode. It is not particularly user friendly and a lot of the tasks require you to navigate through numerous menu items. There are a few quirky behaviours as well, and until you learn them, life would be hell.
All in all, I would say the training mode is overly annoying. That is a really bad thing as it requires the user to be constantly alert. A moment of lapsed concentration could cause the user to make a bad call. While it has a rather rich feature set already, I believe Comodo still has some way to go yet to make the firewall a truly usable product.
I don’t like Internet Explorer. The main reason being that it’s really difficult to clear all the user data. Even when you think you’ve got it all, some crap will always remain. That is why I use Firefox. Which consequently explains why this site looks better in Firefox than IE.
I have always been wary of the AutoComplete Password feature in browsers. This nifty little utility, IE PassView, will show you why. IE PassView is able to list all the passwords that IE saved for you when you answer Yes to that oh so helpful and insecure feature. More importantly, this tool allows me to verify that I don’t have any passwords stored in IE. And if I do, the tool enables me to easily remove them.
IE does actually allow you to remove these auto-complete passwords. However, it won’t show you what it has saved. To clear out all your IE passwords, go to Tools > Internet Options > Content > Personal Information > AutoComplete and click on Clear Passwords. While you’re at it, uncheck the Use AutoComplete for user names and passwords on forms option to prevent IE from ever saving another password for you.
I should probably also point out that Firefox with a default configuration also suffers from the same problem. It does however provide a solution to the problem by supporting the use of a Master Password. The Master Password is used to encrypt all your other passwords saved by Firefox. When Firefox attempts to auto-complete a password, you will be prompted for the Master Password. This only happens once per session. To enable the Master Password feature, go to Tools > Options > Security and check the Use a master password checkbox.
I personally avoid using the AutoComplete Password feature in either browser. Apart from the fact that they are insecure, you run the risk of forgetting your passwords. This becomes a real problem when you have to access a site from a different computer. Or, if you should be unlucky enough to lose your computer.