30 Aug 2008, 2:40pm
whatever

Mozilla-Fu: Firefox Add-ons

The web is not what it used to be. Aside from being much richer and more useful, it is also much more annoying and dangerous. From seizure-inducing banner ads that distract attention away from actual content, to not being able to find any useful information amidst the onslaught of advertisements, there are many annoyances out there.

With more refined and effective client-side attacks emerging, it is difficult to trust any website. From old-school Cross-Site Scripting, to the slightly newer Cross-Site Request Forgery (I will be posting a how-to on XSRF attacks soon, so be sure to subscribe to my RSS feed), to emerging threats like GIFAR (great video here on how it works), any site visited may be an attack vector–even sites that you may consider trustworthy.

The intent here isn’t to sound all gloom and doom, really. There are some things that can be done about it. No, there isn’t a cure-all available, but alongside the threats and annoyances some cool tools have been developed to help combat the constant spew of vile coming from the web :)

There are two Firefox add-ons that I cannot live without; seriously, I get really annoyed trying to surf without them:

NoScript is great; it does a couple of things that are noteworthy. First, it helps prevent XSS and XSRF attacks. It doesn’t prevent every type of attack, but it helps immensely. Second, it stops Flash, Java, and Silverlight from running automatically–the applets can still be started manually, so it doesn’t rule out watching the latest viral video, but one noticeable advantage is how quiet the web suddenly becomes once these applets have been stopped from executing automatically.

Adblock Plus does what it sounds like. It works quite well–I wouldn’t even consider visiting a social-networking site without these two tools!

28 Aug 2008, 2:30am
Security

The Illusion of Security: Denver Police Radio Systems

As part of the security procedures for the DNC in Denver, the police department changed their radio system (at what I am guessing was great expense) to use ESK (EDACS System Key). This is a “security” measure that adds encryption to the digital control channel of EDACS systems. It is supposed to prevent eavesdropping and interference. The audio transmissions are still in the clear–all this does is make older trunking scanners less useful; newer models work fine, and how it prevents someone from jamming the data channel, or even breaking into a transmission once it has started, is a mystery to me!

You can still listen in at scanamerica, since they have a newer ESK-capable scanner (I just donated to them–if you use it, you should too). Alternatively, Uniden is releasing an update to their BCD396T scanner that understands ESK. Of course you can still use your old-school scanner to listen too, but it sounds a bit messy, you no longer get the calling station identifier, and it is a lot less likely that you will be able to follow a full conversation if there is more than one happening at once.

Update:

It was late last night when I wrote this post, and I have had some time to think. So, suppose there was a credible threat that someone might want to get on the EDACS system and use misinformation to redirect the police. The timing for greatest negative impact would have to be during a large, internationally covered event such as the DNC. The only protection that changing to ESK buys is a little bit of time. If an attacker is prepared, has researched the system and planned an attack, he or she would be thwarted for a few days by an unexpected change to ESK. It takes time to get updated hardware–maybe a couple of days for an informed and funded attacker; longer for the less informed and funded. This change successfully stops the teenager who found a police radio at a garage sale, but is that who we are really worried about?

After thinking about it, the move, while pretty weak as a long-term tactic, is quite smart, because by timing it correctly it maximizes the strategic value of a weak protection when the impact of an event is highest. It is really easy for many security professionals to get caught up in the black-and-white thinking that pervades the academic side of security. But in the real world, sometimes you have to settle–this is a good example of how the value of a weak security control can be maximized. I am not advocating the use of weak controls! I am just saying that sometimes you have to make do with what you have.

25 Aug 2008, 10:40pm
Politics

Homeland Securi-tee

A shirt (from Alterni-T) that even Bruce would appreciate:

20 Aug 2008, 4:48pm
Politics

Call the police, I have been spammed!

Colorado passed HB 08-1178, aka the “Spam Reduction Act of 2008”, which makes it illegal to send spam to a Colorado citizen. It gives the state Attorney General the right to prosecute email abuse.

According to a Colorado Democrats statement, HB 1178 increases the odds of catching email spammers by providing state enforcement authority similar to federal authority against unwanted e-mails. Colorado consumers can now take complaints to local authorities. (Rep. Morgan Carroll, D-Aurora; Sen. Bob Hagedorn, D-Arapahoe County)

What would you like to bet that the Attorney General doesn’t have the resources to start investigating spam complaints, and that if someone did call the police to file a spam complaint they would get laughed at? Did I mention that I get about 100 spam messages a day? That’s what happens when your email address is over 10 years old–seriously, should I call the 5-0?

19 Aug 2008, 11:38am
mynmap

Announcing MyNmap

I have posted the code for a project I started back in 2003.

MyNmap screenshot: query results in grid layout

I needed the ability to manage port scan data from thousands of systems and to sort through it quickly. The result was a mish-mash of LAMP plus a Perl script that takes Nmap’s XML output and inserts it into a database, allowing some basic reporting. The installation instructions are a little sparse right now, but I hope to straighten that out soon. Check the README file in the tarball for instructions–I wouldn’t suggest trying it if you aren’t familiar with LAMP applications.
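The Nmap-XML-to-database idea behind MyNmap, as an added example in Python rather than the project's own Perl script: it parses a constructed Nmap XML sample, loads hosts and ports into SQLite, and runs one of the basic reports the tool exists for. The schema, function names and sample addresses are assumptions of this example, not MyNmap's.

```python
import sqlite3
import xml.etree.ElementTree as ET
# Constructed sample in Nmap's XML output format, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port></ports></host>
</nmaprun>"""

SCHEMA = ("CREATE TABLE host (id INTEGER PRIMARY KEY, addr TEXT UNIQUE);"
          "CREATE TABLE port (host_id INTEGER, proto TEXT, portid INTEGER, "
          "state TEXT, service TEXT);")

def load_nmap_xml(conn, xml_text):
    """Insert every host that has an IPv4 address, plus its ports; returns hosts loaded."""
    loaded = 0
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        conn.execute("INSERT OR IGNORE INTO host(addr) VALUES (?)", (addr.get("addr"),))
        host_id = conn.execute("SELECT id FROM host WHERE addr = ?",
                               (addr.get("addr"),)).fetchone()[0]
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            conn.execute("INSERT INTO port VALUES (?, ?, ?, ?, ?)",
                         (host_id, port.get("protocol"), int(port.get("portid")),
                          None if state is None else state.get("state"),
                          None if svc is None else svc.get("name")))
        loaded += 1
    conn.commit()
    return loaded

def hosts_with_open_port(conn, portid, proto="tcp"):
    """Report: addresses with the port open. Parameterised, so scan output never lands in SQL."""
    rows = conn.execute("SELECT h.addr FROM host h JOIN port p ON p.host_id = h.id "
                        "WHERE p.proto = ? AND p.portid = ? AND p.state = 'open' "
                        "ORDER BY h.addr", (proto, portid)).fetchall()
    return [r[0] for r in rows]

def build_db(xml_text=SAMPLE_XML):
    conn = sqlite3.connect(":memory:")   # MyNmap used MySQL; SQLite keeps this self-contained
    conn.executescript(SCHEMA)
    load_nmap_xml(conn, xml_text)
    return conn
```

Service names and banners come from scanned hosts, so a scan-data loader is a classic place for SQL injection into your own reporting database; the parameterised queries above are the point of the example.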

I have found the program to be immensely useful, and I hope you do too!

You can download the source here.

17 Aug 2008, 8:12pm
Security

The Rise of the “Traveltop”

A paranoid guide to traveling with a laptop computer.

I don’t travel much for work, but I do get around for vacation or conferences. I have traveled internationally a couple of times in the last year, and around the U.S. several times. This is how I approach laptop security when I am traveling.

A big concern to many people is what you keep on your laptop. My personal laptop has information that I don’t want shared, and my work laptop has information my employer doesn’t want shared. A few concerns when traveling are laptop theft, search and seizure by a friendly three-letter government agency (who, rest assured, have your best interests in mind), evil-twin hotspots, and traffic interception.

There are a few ways to deal with each problem, which are helpful for travelers. The first rule is to anticipate that the worst will happen: your laptop will be stolen, searched, attacked, or sniffed at some point.

The best protection is to use what I like to call a “traveltop”, which is a laptop configured solely for traveling. The key is that you should be willing to walk away from the laptop and not give it a second thought. There are plenty of laptops available for less than $500. I am not talking about something like an Eee PC or a watered-down laptop; I picked up a Toshiba Satellite for roughly $450, which has a 64-bit dual-core AMD processor and is sufficiently fast for almost everything I could want to do outside of gaming. My MacBook Pro cost me more than five times as much. Think of it as cheap insurance.

The key to making this strategy effective is to limit what information you put on the laptop. Don’t use it for creating and editing documents, don’t store email on it, don’t even put your web bookmarks on it. Here are some of the methods I use to keep my traveltop clean, likely to resist attack, and likely to divulge the minimum of information to someone who gets their hands on it:

  1. Buy a throwaway. If you are traveling with any frequency it is likely that you make enough money to afford a $450 laptop. If you can’t afford that, maybe you should reconsider taking a computer at all–if you can’t afford to lose your laptop, leave it at home and use a phone for checking email.
  2. Use Firefox. Don’t use Internet Explorer. Configure Firefox to delete all cookies, history files–everything–when you close it. You can do this by clicking on Tools -> Options -> Privacy, and checking the checkbox that says “Always clear my private data when I close Firefox.” I realize this doesn’t protect you from a full forensic analysis, but it does help limit your exposure. For example, the TSA will check your Internet history when looking at a suspect laptop.
  3. Install Google Toolbar. I know, it sounds counter-intuitive, but the only thing I use from the Google Toolbar is the feature that allows you to share bookmarks across different systems. Not only is it convenient, it is safer, because your bookmarks are stored online and require authentication to access. Don’t get a false sense of security though, because Google will leak your session cookie unencrypted, which allows anyone sniffing the network you are on to log in as you while the cookie is valid–this is easily dealt with, and is covered later.
  4. Use webmail. Google is good, Hushmail is safer–whichever one you choose, don’t store your messages on your traveltop, don’t even print them from the traveltop–in fact I highly suggest not even configuring a printer on the system.
  5. Encrypt the entire hard drive. TrueCrypt is free, faster than most commercial alternatives, easy to install, and runs on most popular operating systems (Windows, Mac, and Linux). I suggest using a really long password–actually, don’t use a password, use a sentence instead; it will be easier to remember, and will stand up a lot better to automated key guessing. A couple of thoughts about dealing with government agencies (foreign or domestic). If a border agent demands your password, or requests that you type it–comply. There is no reason to go to jail, and unless you are well funded and plan on taking on the courts (and it would require an incredibly large effort) you will lose. Although TrueCrypt has the ability to have “hidden” partitions with entire operating systems inside of them–with so-called “plausible deniability”–this is in my opinion a bad idea. First, some research has shown that it is possible to detect (under certain circumstances) that this is being used. Second, if you get caught deceiving police, border agents, whoever, you can get into a lot more trouble–it may establish mens rea. But IANAL–don’t trust me for legal advice :)
  6. Don’t save documents locally. If you must carry documents, use an encrypted thumb drive to store them. Send the thumb drive to yourself at your destination using registered mail. Better yet, if you can use a web-based solution such as WebDAV or Google Documents, use that. Another good solution is to use something like a Remote Desktop or Citrix session to access your files–which almost completely eliminates the likelihood that you will inadvertently place something secret on your traveltop.
  7. Use an encrypting proxy for Internet traffic. If someone is going to watch your network traffic it will most likely happen at a wireless hotspot. Many times programs leak information that an attacker can use even if the login is encrypted; a good example of this is Google Mail, which allows cookie theft. One method of dealing with this is to use an encrypted tunnel to a trusted (or more trusted) network. There are free and commercial products for doing this. If you don’t have any technical expertise, one option is Anonymizer, a commercial web service that helps Windows users. More technical users may want to use an SSH tunnel or set up a proxy server such as Squid or Apache using SSL and authentication. By verifying the SSL certificate (or SSH host key) you can be sure that no one has performed a man-in-the-middle attack or is injecting data, as is common in evil-twin attacks.
  8. Clean house frequently. You should use a program that cleans up the tracks of web surfing, temporary files, and other day-to-day activities. Webroot Software makes Window Washer, which works reasonably well but is a little flaky under UAC on Vista. Anonymizer makes a competing product that is bundled with their web surfing tool, but it has problems with Firefox 3. A desirable feature is the ability to “wipe” files and not just delete them (if you can turn this on permanently for your Recycle Bin, so much the better). Wiping the file with random data before renaming it and then removing it makes it effectively impossible for the deleted file to be recovered, even partially.
  9. Use a firewall, anti-virus and anti-spyware software. This is a no-brainer. I am, however, skeptical about expensive programs. Use the free stuff like Avira, and the free Windows anti-spyware stuff. Don’t open strange attachments, don’t run as the administrator user, and don’t use your traveltop to surf pr0n! I know a lot of people say that Vista is not ready for prime time, but for most users it provides protection that XP lacks.
  10. Update your software. Yes, I know, this is another no-brainer. A day or two before you leave for your trip you should use Windows Update to get current. Stay on the latest version of your web browser too. Why does this matter? Many evil twins will attempt to exploit your system by attacking known security weaknesses that have already been fixed. For an example of such a program, check out Hotspotter–it is particularly devious, and having the latest system updates installed really helps protect your system.
  11. Buy a laptop lock, and use it when you leave your laptop alone. Sure, a few blows with a hammer will break most laptop locks, and many are easy to pick. What you are trying to stop is crimes of opportunity. If someone is targeting you for theft they are more likely to be successful, but most thefts aren’t planned and most lock-picking enthusiasts aren’t thieves. So buy a lock and use it.
  12. Use an anonymous recovery service. I put little stickers on all my expensive electronics that offer a reward through Track it Back, a service that offers a reward to people who find your belongings and arranges to have a courier pick them up and mail them back to you. There are other services out there too. Basically it assumes that many people are honest and will return something of value that they find. The allure of a reward may be more tempting for a thief who discovers that your laptop won’t boot without a password.
  13. Make your laptop less attractive. I put stickers all over my traveltop–it makes it distinct, harder to claim “Oh, it looks just like mine, sorry”, and destroys the resale value for a thief.
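Item 8 describes wiping a file with random data before renaming and removing it. The following is an added example, not code from the post or from the products it names: a Python implementation of that wipe-rename-remove sequence, with a demo helper that runs it on a constructed file in a temp directory. It assumes a filesystem that overwrites blocks in place; on SSDs and on journaling or copy-on-write filesystems the original data can survive in blocks the overwrite never touches, which is one more reason to pair this with the full-disk encryption of item 5.

```python
import os
import secrets
import tempfile

def overwrite_random(path, passes=1, chunk=64 * 1024):
    """Overwrite every byte of the file in place with random data, `passes` times.
    Opened r+b so the file is never truncated first (truncating would release the
    blocks before they are overwritten). Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the random data past the page cache to the disk
    return written

def wipe_file(path, passes=1):
    """The sequence item 8 describes: wipe, rename, remove. Renaming to a random name
    replaces the directory entry so the original filename is not left behind either.
    Returns the name the file had when it was unlinked."""
    overwrite_random(path, passes)
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return anonymous

def demo(tmp_dir=None):
    """Wipe a constructed secret file in a temp directory and report each step's outcome."""
    d = tmp_dir or tempfile.mkdtemp()
    path = os.path.join(d, "itinerary.txt")
    secret = b"constructed secret " * 50
    with open(path, "wb") as f:
        f.write(secret)
    written = overwrite_random(path, passes=2)
    with open(path, "rb") as f:
        still_original = f.read() == secret   # should be False after the overwrite
    gone = wipe_file(path)
    return {"bytes_written": written, "still_original": still_original,
            "source_exists": os.path.exists(path), "renamed_exists": os.path.exists(gone),
            "renamed_in_same_dir": os.path.dirname(gone) == d}
```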

The most important concept is that by not placing valuable information on your laptop you don’t put it at risk. I know it seems obvious, because it is, but how many big corporations have you heard about this year alone that lost something of value?

17 Aug 2008, 3:46pm
whatever

I Hack Charities.

Here is a cool group I came across at DC16:

Most of the current projects are in support of a school in Uganda, but I suspect that as a project it will take off and expand. They take donations of computer hardware, volunteer time, money and conference swag. All those notebooks, tote bags and pens/pencils that get picked up at conferences could make a real difference for a kid.

16 Aug 2008, 12:46pm
Security

DC16

Defcon 16 Badge

I just made it home after going to the annual freakshow that is Black Hat and Defcon. I haven’t been to Defcon since, I believe, DC9, so it has been 7 years. Overall the conference was pretty much the same: the best part wasn’t the talks but the people you meet. However, the SensePost talk was really cool–every time I come across those guys they really scare me (I first met a few of them back in ’98 at a class). The part that caught my eye was a tool they released for tunneling TCP over HTTP. Pretty cool stuff for pen testing, and they have JSP, PHP, and ASP versions of the program.

We weren’t able to see Kaminsky’s talk–there is a moral about hackers and crowd control somewhere in that story, but basically they didn’t have room for all the people who wanted to watch his presentation (whatever, I’ll download the torrent).

We met some really cool folks while we were out there; if you have never been, you should really go! If you don’t know anyone and you plan on going next year, give me a shout and we will meet up.