Evil Plug-ins

I love plug-ins! I love them on Firefox, WordPress, Dreamweaver and now on Chrome. It has crossed my mind that some of these plug-ins could be created and distributed by very smart people with criminal or mischievous intent. But the reality of bad plug-ins didn’t hit me until I noticed a link on digg.com about Stealing Logins using Google Chrome Extensions. I am no programmer but understand enough to see how clever it is.

Basically, someone creates an innocent-looking extension or plug-in, they distribute it, and the innocent-looking plug-in/extension sends your personal information wherever they want.

How can a person avoid this?! I guess the safest way would be to not use ANY plug-ins and extensions, but that is overkill.
I know that I am pretty paranoid about WordPress extensions/plug-ins, but the open source community is pretty good about peer reviewing and testing some of the more popular plug-ins. When it comes to software I depend heavily on reviews of others who have used the product. If there are no reviews (even on forums or dev/plug-in sites), I usually consider the app too risky.

Sometimes what I do is try the app/extension/plug-in on a site/blog I don’t care as much about. In the case of browser plug-ins, I use a single trusted browser with minimal plug-ins to do important sensitive/personal transactions. Most of the stuff I do on the web does not require so much scrutiny.

Unfortunately, there is always a risk with plug-ins, apps, and extensions. All we can really do is manage the risk, by being careful and suspicious.

Thanks Mr. Grech for the knowledge.

More GMAIL Problems

This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that Google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while Gmail is open:

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at MakeUseOf.com

The Google Fix

GMail Security Hole Allowed Malicious Hacker to Invade the Life of a Blogger

Mr. David Airey, a blogger and designer from the UK, had his site hacked by some useless bastard. This Gmail hacker set up a malicious site that exploited a security flaw in Gmail to set up an email filter that auto-forwarded all of David’s emails to another malicious email account. Although Google has apparently fixed the problem, if you have been affected by one of these malicious webpages the filter may still be in your Gmail account. David explains how to find it and get rid of it:

IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.

Here’s what to do:

When logged into GMail, click on the ’settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections.

Get more information from David Airey.

Right now David is fighting to get his domain back legally after refusing to be manipulated by the gmail hacker.

To David,
Good on you, man! And as bad as it is, I’ve been emailed by a couple of people who have lost thousands to hackers. I’ve been on the receiving end of these desperate criminals too… and like you I choose to use my blog like a gun.


Encrypt ALL gmail traffic

Another great post from dmiessler:
Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like any other legitimate service provider, encrypts login traffic, but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

http://dmiessler.com/blogarchive/why-you-should-encrypt-all-of-your-google-activities-poc

Google Space

Google has an unorthodox style of business that continues to astound me. For one thing, they started giving out 2 gigs of free space while Yahoo/MSN and others were still giving 250M and closing out accounts after 30 days of no activity. They also give 1 gig of space for pictures with Picasa. Now they give 6 gigs of hard drive space for a measly $20/year.

There were some rumors about them doing something called “gdrive”, which would be an application that would use a bit of space on personal computers around the world. Genius! It can be quite secure too. I saw some technology built into the Sidewinder Firewall that effectively separated every service into its own area of the hard drive, so that if that service was compromised it would not do damage to the rest of the system.

Point and click Gmail hacking at Black Hat

This hack uses sniffing on a network:
The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion – with a home-grown tool called Hamster.

The counter to this is to NEVER log in on open networks (particularly at Black Hat, and for the love of all things holy and good, NEVER log in without encryption at DEFCON).

TG Daily – Gmail hack @ Black Hat
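The Ferret/Hamster attack quoted above and the earlier dmiessler point about Google sending content in the clear after login are two sides of the same thing, so here is one added example (JavaScript, Node) covering both. It is not Ferret or Hamster code and the traffic in it is constructed sample data, not a real Gmail capture: a small parser pulls Cookie headers out of plaintext HTTP requests the way a sniffer on open Wi-Fi would, builds the per-host cookie jar a Hamster-style tool would offer for replay, and shows that encrypted frames yield nothing. A second function audits a Set-Cookie header for the Secure attribute, which is what keeps a browser from ever sending the session cookie over plain HTTP in the first place. The hostnames and cookie names are made up.

```javascript
// Added illustration (not Ferret or Hamster code, and not a real Gmail
// capture): what a cookie sniffer can pull out of plaintext HTTP on an
// open network, and the Set-Cookie attribute that would have stopped it.
// All traffic below is constructed sample data with made-up hostnames.

// A handful of "sniffed" frames. TLS traffic shows up only as ciphertext,
// so it carries no header text to parse.
const captured = [
  { proto: 'http',  text: 'GET /mail/ HTTP/1.1\r\nHost: mail.example\r\nCookie: SID=a1b2c3; GX=xyz\r\n\r\n' },
  { proto: 'http',  text: 'GET /search?q=x HTTP/1.1\r\nHost: www.example\r\nCookie: PREF=ID=42\r\n\r\n' },
  { proto: 'https', text: null },   // encrypted; nothing readable
  { proto: 'http',  text: 'GET /img/logo.png HTTP/1.1\r\nHost: static.example\r\n\r\n' },
];

// Parse one plaintext request into { host, cookies }. Returns null when
// there is nothing usable (ciphertext, or no Cookie header).
function extractCookies(frame) {
  if (frame.proto !== 'http' || !frame.text) return null;
  const lines = frame.text.split('\r\n');
  let host = null;
  const cookies = {};
  for (const line of lines.slice(1)) {          // skip the request line
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name === 'host') host = value;
    if (name === 'cookie') {
      for (const pair of value.split(';')) {
        const eq = pair.indexOf('=');
        if (eq < 0) continue;
        // Only the first '=' separates name from value; values may contain '='.
        cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
      }
    }
  }
  if (!host || Object.keys(cookies).length === 0) return null;
  return { host, cookies };
}

// Build the per-host cookie jar a Hamster-style tool would offer for
// point-and-click replay: clone these into a browser and you are the victim.
function buildJar(frames) {
  const jar = {};
  for (const f of frames) {
    const r = extractCookies(f);
    if (!r) continue;
    jar[r.host] = Object.assign(jar[r.host] || {}, r.cookies);
  }
  return jar;
}

// Server-side check: a session cookie set without the Secure attribute will
// be sent by the browser over plain http as well, which is exactly what the
// sniffer relies on. HttpOnly is reported too, but it does nothing against
// sniffing; only Secure (and serving everything over TLS) does.
function cookieExposure(setCookieHeader) {
  const parts = setCookieHeader.split(';').map(s => s.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map(a => a.split('=')[0].toLowerCase()));
  return {
    name,
    secure: attrs.has('secure'),
    httpOnly: attrs.has('httponly'),
    sentInClear: !attrs.has('secure'),
  };
}
```

Run buildJar(captured) and you get one jar for mail.example (SID and GX) and one for www.example; the https frame and the cookie-less image request contribute nothing. cookieExposure('SID=a1b2c3; Path=/; HttpOnly') reports sentInClear as true, which is the setting the dmiessler post is complaining about; add Secure and it flips to false.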

Internet blows CIA Agents' Cover

Google, LexisNexis, and other online search databases can be used to find information about CIA agents and operations. Pretty amazing that you can find this stuff so easily.

It amazes me that people and government agencies are still in the dark on how powerful these Internet databases are. Google hacking will enlighten you on just how much can be exposed on the Internet without your knowledge.


6 Dumbest Ideas in Computer Security – Revisited

Marcus Ranum’s popular “6 Dumbest Ideas in Computer Security” is apparently accepted by many. I agree with a couple of his points, but have serious issues with the others.

Here is what Marcus had to say in a nutshell:

1) Default Permit –

Allow everything except bad processes and/or users.

I Agree.

There is a lot of this going around and it is dumb. And I say it’s dumb in total humility; we all do dumb things from time to time. Windows XP Service Pack 2, which basically put a firewall on top of the OS, is not perfect, but I believe that more people are beginning to see the importance of DENY ALL.

2) Enumerating Badness

Listing and concentrating on the thousands of pieces of malware as opposed to accounting for the legitimate software and getting rid of the rest. It’s a ploy by the man to keep security corporations afloat.

I Agree and Disagree with this.

I agree that it is important to have accountability for what is going on on your system and what is running as it should. You should know and maintain your “known good” baseline configuration. But it is like protecting your home. Shouldn’t you know what recent rash of crimes is going on in your neighborhood?

Shouldn’t you keep note of those crimes and have a method or practice of protecting yourself? Although it is impractical to seek out every possible type of attack a criminal will use against your home, you should at least have protection against the MOST LIKELY methods that might be used against it. I believe that being aware of some of the most likely known threats to your system and taking action is like personal insurance.

3) Penetrate and Patch –

Systems should be designed better so they don’t have to be patched.

WTF (What the f*#@!!)

Of course systems should be designed better… and humans should be designed so that we don’t go to war! And there shouldn’t be hunger anywhere on planet earth. Could have, should have, would have. In a perfect world, IE WOULD HAVE been ABORTED. But Internet Explorer was released to all and controlled 95% of the browser market for years. Marcus, there are systems that need patches. Security isn’t just proactive, it’s reactive too. I understand and agree with what you are saying, but in the real world millions of people buy millions of badly designed and even hazardous products.

4) Hacking is Cool

Marcus insists that saying “hacking is cool” or having popular series of “hack” books (i.e. Google Hacks, Mind Hacks) is glorifying criminals.

I Strongly Disagree.

This is yet another example of someone ignorant of what hacking actually is.

I’ve had numerous arguments about this. I don’t care what you say Marcus (or anyone else), hacking is and always will be cool. NO!… I don’t believe CRIME is cool. Hackers are not always criminals. You would have to go to DEFCON to realize this. But Marcus seems like the type that would look down his nose at DEFCON and everyone there. Many of the vulnerabilities that are discovered before criminals exploit them are discovered by gray hats, hackers who actively or accidentally discover security holes. Many times these gray hats actually warn the companies and are told to sit down and shut up.

Even if you did believe that every hacker is a criminal and ALL hacking is a crime, would it not make sense to know your enemy and what he/she does? Criminal Profilers must not only know the tactics of criminals they have to UNDERSTAND them. I was a cop for five years. In my experience, the best cops & investigators understood not only how and why people commit crimes but also how they try and get out of it.

Marcus calls hacking a “social problem.”

Even TLC (The Learning Channel) does not take this stance on hacking. Check out their list of famous & infamous hackers.

Hackers included on the TLC page:

Steve Wozniak (co-founder of Apple)

Richard Stallman (creator of GNU)

Dennis Ritchie/Ken Thompson (created UNIX)

Tsutomu Shimomura (caught Kevin Mitnick)

Linus Torvalds (creator of Linux)


This is a good definition of what a hacker is:

http://en.wikipedia.org/wiki/Hacker#History

Most Information Security professionals (or those claiming to be) either completely understand what “hacking” is or do not understand it at all.

5) Educating Users

Users should be kept dumb.

I disagree.

Social Engineering is the best example of what happens when your users are blind. The biggest threat to any system is the people using it. Kevin Mitnick said, “There is no patch for stupidity.” Really funny, but I disagree: the patch is Security Awareness. Check out what the folks at the Security Awareness for Ma, Pa and the Corporate Clueless blog had to say.

6) Action is Better Than Inaction

It really is easier to not do something dumb than it is to do something smart.

I agree. Very well put.


I would also add a seventh, brought up by Kris Buytaert at x-tend.be:

7) Security Can be sold in a Box

Everyone wants a push-button solution to all their security issues. The truth is that it does not exist. The only way to beat the game is to stay ahead of it. That is not to say everyone should be a security geek, but they should have some understanding of spyware, malware and other filth (that is, if they value their accounts, privacy and data).


Overall, I feel the article has a lot to give to the computer security community. It’s great that there are professionals who put that much thought into what they feel is right.


Become Ungoogleable

Site to hide your text online, or chat, or bypass company sniffers… pretty handy. I think this makes for a decent Anti-Google Hack.

This site is pretty cool. It hides text by turning it into a picture file. Pretty creative! You see, search engines can usually find what you type in forums, websites, blogs and even some chat sessions. But what if you didn’t want your text to be found on the Internet? There are some plugin tools you could use, or you could encrypt the text, but here is another way called Hidetext.net.

This site turns your text into a picture with a randomly generated name like LYe776e.jpg so that it isn’t picked up by Google Images.

Hidetext.net also hosts it on their server: http://www.hidetext.net/hide/1RCet5KbrQ.jpg

Although I’m not sure for how long, the site gives you the option of deleting the message permanently.

This could be great for privacy if you’re trying to get an online message to a select group of people. On the negative side, this would work really well for Al Qaeda, but so would encryption.
