simple security

Paul Kedrosky received an phishing email that asked him to click through and unsubscribe from a magazine's mailing list.

In this age of RSS feeds, why cant the banks and similar institutions starting generating RSS feeds and have people subscribe to it. There is no sign-up or sign-out process. The very act of subscribing to a feed becomes the sign-up process. For any update or marketing material they want to send out (what else do they send out in their mailing lists anyway), they put it in the feed. If you dont like their feed, you just hit delete remove it from your feed aggregator or reader. No "you will be removed in 48-76 hours from this list" messages. Its a win-win situation for everyone.

Every email that you receive contains some header data along with the viewable message. Most of the email clients, whether they be the online clients like Yahoo or desktop ones like Outlook, hide this header information. They usually make little sense for the average Joe. But, if you are interested and want to dig deeper, the headers reveal some nice nuggets of information.

First, lets talk about how to view an email header information using various clients:
Yahoo: Open an email. There is an option on the right side that says "Full Headers".

Hotmail: Goto Options -> Mail Display Settings -> Message Headers. Then select "Advanced". Now you will start seeing the headers along with each email.

Here are some of the interesting headers:

• Message-ID: It is a unique ID that is assigned, usually, by the first mail server. Looks something like this: 26371062.1119955958999.JavaMail.root@fac501 Infact, having a JavaMail in this field, indicates that the backend used to send out emails is Java. This can be useful information for hackers/crackers.
• Return-Path: This is usually an email address that receives an "bounced message" if the delivery fails. This is part of the trace field group.
  
• Received: Every relay MTA (Mail Transfer Agent) will add its own "Received" header to the message. This field is also used by SMTP gateways to detect message looping. Going through all the Received headers can give you a trace of how the message was passed around before reaching you. Also, this field usually contains an IP address and/or domain name. You can easily find out information about the various MTA's by doing an IPWHOIS search on the IP address. (check out my Find who what where from IP Address post).
  
• From: This field contains the email of the sender. This field can easily be forged.
  
• Reply-To: This field contains an email address that will be used when you hit the reply button on your email client. Usually this field has the same value as the From field.
  
• X-Mailer: Usually this field indicates what kind of application/client was used to send out the email. If someone sent you an email using Outlook the X-Mailer would look like: Microsoft Outlook, Build 10.0.6626. This is an optional field, but if present it can reveal the environment of the guy sending you the email. So dont reply to spam emails. You might end up giving information about your environment.
• X-Headers: Basically any header field starting with an X- is a custom field and is used by many applications/services for proprietory reasons. These fields also reveal some nice inner details/workings of the application/client/service that sent out the email. X-Mailer (above) is an example of an X-Header.

For those of you who want to explore further, here is the SMTP RFC 2821 and Internet Message Format RFC 2822

If have access to your webserver log files, you might find various IP addresses listed in there. These are the people who visit your sites. How do you find out who these IP addresses belong to? What geographic location they are coming from? Well, there is an easy way. Check out this site: http://www.dnsstuff.com/

The dnsstuff site has a lot of tools that can assist in finding out more about your visitors through their IP addresses. You can do a IPWHOIS lookup, which besides showing you the owner of the IP address block, will also show you the city from which this IP address originates.

Some of the tools that I use regularly from that site are:

• IPWHOIS
• City From IP
• Reverse DNS Lookup
• Tracert
• URL Deobfuscator (this is a nice one - it breaks/decodes complex URLs into an easy to read format)

Yesterday evening I went to Costco for some shopping. As usual, I do go around the computer/electronics aisle just to check out what things they are selling. I saw this Microsoft Fingerprinting device that they were selling for under 40 bucks. Now that is pretty affordable, considering the amount of security you are going to get. It might not appeal to desktop users, but I'd recommend this device for guys who go around traveling places and carry their notebooks around with them.

The Microsoft site also lists a Keyboard and a Mouse with a built-in fingerprint reader. Check out one of my earlier posts, in which I wondered why dont hardware manufacturers build fingerprinting hardware into keywords and mouse. Now only if websites start accepting fingerprints as a login mechanism, it would solve the too many passwords problem to an extent.

I've been very busy working on an update to the FooBar Search Alerts (FSA) service. Finally, this past weekend, I released an update to the service. Now FSA supports monitoring of RSS/Atom feeds.

You can create an alert for a feed that you want to monitor for certain keywords. Whenever your keywords apppear in the feed, you will receive an email containing the link to the new postings.

So, lets say you want to monitor craigslist for new postings containing the word "iPod" or "Shuffle". Start monitoring "www.craigslist.org/ele/" and FSA will automatically detect the feed for that particular web page. Once some new posting(s) appear that contain the word "iPod" or "Shuffle" you will receive an email with links to the actual postings on craigslist. Not only craigslist, you can monitor any site out there which publishes a feed for its content. Popular sites like NPR, CNN, Slashdot and almost all of the blogs publish a feed these days.

Neat feature, eh? Create your alert here

FSA currently supports RSS (0.90, 0.91 Netscape, 0.91 Userland, 0.92, 0.93, 0.94, 1.0 and 2.0)and Atom 0.3 feeds.

FSA can also be used to monitor sites that dont publish a feed, but you will not receive content update links in your notification email.

Ever felt the need to export your contacts information from various web services like:
* Microsoft Office Outlook
* Outlook Express
* MSN Hotmail
* Google gmail
* Yahoo
* .Mac Mail

Check out this page, it lists down the steps through which you can export your "contacts" from all the services listed above.

Black hat hackers:
Black hat is a skilled hacker who uses his or her ability to pursue their interest illegally. They are often economically motivated, or may be representing a political cause. The term comes from old Western movies where heroes typically wore white or light-colored hats and outfits, and the villains wore black outfits with black hats.

Grey hat hackers:
Grey hat is a skilled hacker who sometimes acts legally and in good will and sometimes not. They are a hybrid between white and black hat hackers. They hack for no personal gain and do not have malicious intentions, but commit crimes.

White hat hackers:
White hat is a hacker who is ethically opposed to the abuse of Computer systems. S/he generally focuses on securing IT Systems

Also, a hacker as described by Wikipedia:
Hacker is a term used to describe different types of computer experts. Currently, "hacker" is used in two main ways, one pejorative and one complimentary: in popular usage and in the media, it generally describes computer intruders or criminals; in the computing community, it describes a particularly brilliant programmer or technical expert (for example: "Linus Torvalds, the creator of Linux, is a genius hacker.").

There is a whitepaper out on Watchfire that descrbies what HTTP Request smuggling is:

Here is the executive summary from their whitepaper:

HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks – web cache poisoning, session hijacking, cross-site scripting and most importantly, the ability to bypass web application firewall protection. It sends multiple specially crafted HTTP requests that cause the two attacked entities to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. In the web cache poisoning attack, this smuggled request will trick the cache server into unintentionally associating a URL to another URL’s page (content), and caching this content for the URL. In the web application firewall attack, the smuggled request can be a worm (like Nimda or Code Red) or buffer overflow attack targeting the web server. Finally, because HTTP Request Smuggling enables the attacker to insert or sneak a request into the flow, it allows the attacker to manipulate the web server’s request/response sequencing which can allow for credential hijacking and other malicious outcomes.

Here is a screencast video presentation that shows how to break a WEP key in 10 minutes using Whoppix. Need more proof that WEP is insecure?

What is Whoppix?

Whoppix is a stand alone penetration testing live cd based on Knoppix. With the latest tools and exploits, it is a must for every penetration tester and security auditor. Whoppix includes Several exploit archives, such as Securityfocus, Packetstorm, SecurityForest and Milw0rm, as well as a wide variety of updated security tools. The new custom kernel also allows for better WIFI support, for tools such as Aireplay.

Incase you are the hacker type and want to create your own distribution, this article from IBM's website provides a good starting point. Here is another nice primer titled Linux from Scratch: A Tour. Here is a Linux from Scratch FAQ.

David Lazaurus (SFGate) writes on how Web tours are a boon for burglars.

Virtual tours are commonplace at most real estate Web sites, allowing prospective buyers to closely inspect a property from the privacy of their PCs.

Try it yourself. Go to Realtor.com, the leading real estate Web site, and plug in a ZIP code. (I experimented with 94121 for San Francisco's tony Sea Cliff neighborhood and 94109 for Nob Hill.) Click where it asks whether it should display properties with virtual tours first. Then click "show properties."

In houses selling for millions of dollars, I saw a wide variety of art objects and attractive furnishings. I saw the places in people's bedrooms where jewelry or other valuables likely would be kept. And I saw front entrances that clearly didn't have alarm panels. Side windows that could be opened easily by breaking a single pane. Kitchen doors that didn't look very formidable.

As far as virtual tours go, be aware that they're as convenient for bad guys as they are for buyers.

For folks who are on the road most of the time or even if use your local Starbucks to surf thru their WiFi network, you can use OpenVPN.

OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls (articles) (examples) (security overview) (non-english languages).

OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN runs on Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. It can be run as a daemon, service, or from the command line, it is also possible to control OpenVPN through a GUI.

MMS streams are multimedia broadcast streams that you can usally play in your Windows Media Player or even in WinAmp. There is was no easy way to download and save them to play back later. Here are two utilities that you can use to save MMS streams. Have fun!

gmms is a simple MMS-stream downloader based on mmsclient that works on both Windows® and Linux. MMS-streams are multimedia streams broadcasted on the Internet, following the MMS-protocol. The simple explanation is that with gmms, you can save every kind of stream having mms:// at the start of the download URL to your hard-disk. The stream can be and audio or video stream, as long as it's URL starts with mms://.
Download gmms: http://gmms.sourceforge.net/

MiMMS, a maintained version of "mmsclient", is a simple client to download streaming audio and/or video media from the internet using the MMS protocol (i.e. from mms:// type URLs, generally found in asx files). Downloaded streams can then be replayed offline at your leisure, using any compatible media player of your choice.
Download MiMMS: http://savannah.nongnu.org/download/mimms/

Om Malik writes about an Harris Interactive poll:

Of the 2,800 regular Internet users quizzed by Harris, a significant number (49 percent) did not believe that browser choice is a key factor in protecting their computers from malicious software attacks: 17 percent thought it had no effect and 32 percent admitted they don't know whether the choice of browser makes a difference. Most participants said security would prompt them to change browser, however, with 66 percent confirming they would consider using another browser for improved security.

Interestingly, this article states that there is no safe browser out there. What can an average Joe do? As I have said in the past, users shouldnt have to keep up with security vulnerabilities and issues. It should be taken care by people who write software and people who provide services.

Here is an article on ZDNet by George Ou stating the six dumbest ways to protect your WiFi network.

MAC filtering.
SSID hiding.
LEAP authentication.
Disabling DHCP.
Interior antenna placement and low power.
Limiting your use to 802.11a or Bluetooth.

Obviously using WEP to secure your Wifi doesnt even make it to his list. As I had mentioned earlier, it takes just minutes to break a WEP key. Check out this article that walks you through using WPA2 to secure your Wifi network.

So throw away your old 802.11b or 802.11a adapters/routers and get the new ones that have WPA2 support. The price point has also come down in the affordability range of $25 - $50.

I was visiting family and friends in California during the long weekend and so had a lull in the postings here. Now that I am back, I am going to resume my posting with full force. Woot!