Think you’re now untrackable? Think again. HTML5 is now tracking you.

July 22nd, 2014 No comments

We have worked long and hard in the Information Security world to keep ourselves anonymous on the internet, for many reasons, and yet here we are, with new revelations that we’re being tracked yet again.

CIA seal (Photo credit: Wikipedia)

We have seen many articles on the use of TOR, its beginnings, and how the CIA, DARPA and others have actually funded it to enable their resources to use the internet with anonymity, and how they have methods available to find the actual end user communicating using the service. (See “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info.)


Tor Logo (Photo credit: Wikipedia)

However, what I’m talking about here is something that I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014, on a topic of great interest to me.  Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5.  I did this to make my browsing more secure; however, the report from the podcast showed me that this comes with a new privacy leak.  “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5 there is:

Information Security Wordle: RFC2196 – Site Security Handbook (Photo credit: purpleslog)

“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”

Basically, as I understand it, the canvas is a feature in HTML5 that allows a website to draw pixels in your browser, meant for drawing objects.  Because of differences in fonts, operating systems, and many other variables, there are now methods to fingerprint the system, and potentially the end user.  One of the primary offenders is the popular blog plugin called “AddThis”.


“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”

The article is very disturbing, and they include a proof of concept URL to test your own browsers. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.


The only method that I can use to prevent this action is to use No-Script in Firefox, however, it makes any HTML5 page useless.

Stay tuned, I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on your canvas in a hidden format.  I’m proposing the name NO-CANVAS, something that works like No-Script, and allows you to whitelist sites and/or objects that request access to the HTML5 canvas.
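A sketch of what such a NO-CANVAS guard could do, added here as an example and not code from the original post or from any existing extension: it wraps the canvas read-back methods (the step where a fingerprinting script turns the hidden drawing into an identifier) and refuses reads from canvases that were never attached to the page or are hidden, unless the site’s origin is on a whitelist. The browser prototype names (HTMLCanvasElement.prototype, toDataURL, getImageData) are the real ones; the stand-in canvas objects at the bottom are constructed so the logic runs outside a browser.

```javascript
// Added example: a minimal "NO-CANVAS" style guard for canvas read-back.
// A fingerprinting script draws to a canvas the user never sees and then reads
// the pixels back (toDataURL / getImageData).  The guard intercepts those calls
// and refuses them for hidden canvases unless the page origin is whitelisted.

// Policy decision for one read-back.  `info` describes the canvas:
// {origin, attached, visible, width, height}.  Returns {action, reason}.
function decideCanvasRead(info, allowlist) {
  if (allowlist.has(info.origin)) {
    return { action: 'allow', reason: 'origin whitelisted' };
  }
  // A canvas that is not in the document, is styled invisible, or has no
  // visible area is the hallmark of a fingerprinting probe.
  if (!info.attached) return { action: 'block', reason: 'canvas not attached to document' };
  if (!info.visible) return { action: 'block', reason: 'canvas hidden from view' };
  if (info.width === 0 || info.height === 0) return { action: 'block', reason: 'zero-sized canvas' };
  return { action: 'allow', reason: 'visible canvas' };
}

// Wrap each read-back method named in `methodNames` on `proto` (in a browser:
// HTMLCanvasElement.prototype with ['toDataURL'], or
// CanvasRenderingContext2D.prototype with ['getImageData']).
// `describe(target)` maps the `this` of a call to an info record and `onEvent`
// receives a log entry per decision.  Returns a function that restores the
// original methods.
function installCanvasGuard(proto, methodNames, describe, allowlist, onEvent) {
  const originals = {};
  for (const name of methodNames) {
    originals[name] = proto[name];
    proto[name] = function guarded(...args) {
      const info = describe(this);
      const decision = decideCanvasRead(info, allowlist);
      onEvent({ method: name, origin: info.origin, ...decision });
      if (decision.action === 'block') {
        // Throw rather than hand back a blank image: a blank but well-formed
        // result would itself be a stable, identifying value.
        throw new Error(`canvas read blocked (${decision.reason})`);
      }
      return originals[name].apply(this, args);
    };
  }
  return () => { for (const name of methodNames) proto[name] = originals[name]; };
}

// Stand-in for HTMLCanvasElement.prototype, constructed so this runs in Node.
function makeFakeCanvasProto() {
  return { toDataURL() { return 'data:image/png;base64,FAKE'; } };
}

// Exercise the guard against two constructed canvases: a hidden probe on a
// tracker origin and a visible drawing surface.  Returns the decision log and
// what each page would have received.
function demo(whitelistedOrigins) {
  const proto = makeFakeCanvasProto();
  const log = [];
  const describe = (c) => ({ origin: c.origin, attached: c.attached,
                             visible: c.visible, width: c.width, height: c.height });
  const restore = installCanvasGuard(proto, ['toDataURL'], describe,
                                     new Set(whitelistedOrigins), (e) => log.push(e));
  const hidden = Object.assign(Object.create(proto),
    { origin: 'https://tracker.example', attached: false, visible: false, width: 300, height: 150 });
  const shown = Object.assign(Object.create(proto),
    { origin: 'https://drawing.example', attached: true, visible: true, width: 300, height: 150 });
  const results = {};
  for (const [label, c] of [['hidden', hidden], ['shown', shown]]) {
    try { results[label] = c.toDataURL(); } catch (e) { results[label] = 'BLOCKED: ' + e.message; }
  }
  restore();
  return { log, results };
}
```

In a real extension the same wrapper would be injected into the page at document start, with the whitelist coming from the user’s settings and the hidden/attached checks done against `document.contains` and the computed style.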


Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and No-Script plugins.


What are your thoughts, is this paranoia, or a significant risk?

Walmart – The *new* fence for credit card thieves

July 16th, 2014 No comments

Walmart Fail

So, I went to Walmart with my fiancé, and while we were checking out, I showed my credit card and ID to the employee at the checkout, and the person said, “I don’t know why people do that, it’s not like we check ID for credit cards.”  The checkout clerk didn’t even want to look at my card, or my ID, nor did he validate that my card was signed.  (Which it’s NOT.)
I tried to explain that when using a credit card, identification is also supposed to be checked, and this person replied, “What if someone gave their card to another person to buy things for them? It’s not like we [Walmart] have a policy against people using other people’s cards, it’s not like we can stop them or anything.” They followed with, “We allow people to use cards that aren’t theirs, we do it all the time.”

Credit Card Fraud


I took a moment to try to explain that this was fraud, but the person behind the register simply said, “Well how can it be illegal, we do it all the time?”

I finally finished with the statement, “Well, now I know how my credit card was used illegally in Lawrenceville Georgia last month at a Walmart.” It seems to be the place to purchase goods with stolen credit cards.


Needless to say, Walmart seems to be the lowest common denominator when it comes to Credit Card Fraud.  Read some of the stories below to learn more…


Do you have a retailer that doesn’t check cards well? Please comment and let us know.

HeartBleed – still lingering

June 12th, 2014 Comments off

Today while going through some of our logs, I was alerted to several instances of systems that are susceptible to a “reverse HeartBleed” attack. As the company I work for is very risk averse, I tried to contact the hosting company (SoftLayer) to discuss this with them.  I reached out to them via their online chat application, and chatted with a nice fellow, presumably named “Jason S.”  The transcript of the conversation appears below, with my name and my company’s information redacted.

Thank you for choosing SoftLayer. A representative will be with you shortly.
You are now chatting with ‘Jason S’
Jason S: Hello, thank you for contacting SoftLayer. How can I help you today?
dc0de: Jason, how can I get in contact with your Information Security Group? We are receiving attempts to break into our systems from one of your hosted IP Addresses
dc0de: Actually, from several.
Jason S: I’m sorry to hear this dc0de
Jason S: May i have your account number?
dc0de: We do not have an account number.
dc0de: I’m with , and I’m a Sr. Information Security Analyst, working for the VP of Information Security.
dc0de: dc0de Information Security Analyst

,<telephone#>,

dc0de: ^^ My information
dc0de: If you could put me in contact with your information security team, I would greatly appreciate it.
Jason S: You will need to email abuse@softlayer.com
Jason S: Put all the information you have in the email and our abuse team will take care of it
dc0de: I would like to speak to someone on the phone or we will have to block your IP ranges from coming to our data centers, thereby potentially impacting your customers.
dc0de: Could you have someone in your Information Security team contact me directly, or provide me with a phone number to call?
Jason S: You can try our support number
Jason S: SUPPORT: 866.403.7638
Jason S: But I’m afraid they are going to tell you the same thing.
dc0de: are you saying that you do not have an information security department?
Jason S: We do take these things seriously and will look in to it
Jason S: That would be our abuse team
dc0de: and they are only available via email? That’s not very approachable.
Jason S: Is there anything else I can assist you with dc0de?
dc0de: Nope.
Jason S: Thank you for choosing SoftLayer.  We value your feedback.  Please click the “Close” button at top right to answer a few questions about your experience with us today.

As you can see, there wasn’t a very simple method to get in touch with their “InfoSec” people, and as such, I’ve gone to Twitter and posted this, to show how poor hosting providers are these days, and how difficult they make doing our jobs in InfoSec.

The worst part? SoftLayer is hosting several systems for a company based out of Nigeria, in their Dallas Data Center that are at the heart of the problem.  Whelp, if you’re a SoftLayer customer and have difficulty communicating with some businesses in North America, don’t blame us, we just blocked the SoftLayer network blocks at our border.

Note to SoftLayer – We tried to get in touch with you, and you made it very inconvenient, if not impossible to work together.  Kthnxbye.


Categories: Opinions Tags:

Keeping your portable devices safe and secure

May 23rd, 2014 Comments off
Cellphone Keyboard (Photo credit: Wikipedia)


Today, many of us have at least one portable device (smart phone/tablet/mobile hotspot/etc) in our households. These devices provide us the ability to do more things when we are in and out of the office. This new era of technology is certainly changing the landscape of how we work, play, and communicate. We would like to explore a scenario that could happen to you, that has already happened to countless others, so that we can explore the risks and pitfalls that also come with this new technology.

What we’re talking about is having your device infected, lost, or stolen. Understanding the risks will help you recover more quickly from these events, and hopefully make you a smarter portable device user. So let’s start out with the basics, the risks of smartphones.

Smartphone Risks

These top risks have one thing in common, data theft or loss. This is a huge area where criminals are eager to gain a larger foothold. Let’s take a minute to think about the data on your device.

First, you have your name, most likely your home address, some contact information for friends and family, and most of the time, you have information about your employer, and perhaps even email, remote access, and other sensitive data. Some people actually do their banking from their devices; send information via SMS/Text Messaging, social networks, and much more.

Most people store this on their phone and save passwords, so that someone gaining access to their phone could potentially gain access to all of the accounts and data that the phone is enabled to connect to.

Thankfully, there are a few simple things that you can do, to make this much more difficult for these actors to get YOUR data and information.

  • Notify your carrier immediately if your device is lost or stolen. This allows your carrier to try to locate and/or wipe your device remotely, reducing the risk of data loss or malicious use of your device.
  • Password Protect and Encrypt your device. These steps can decrease the risk of data loss in the event that your phone is lost or stolen. Install remote detection, remote wipe, and remote photo capturing software applications. If your device can be remotely wiped it will ensure that a lost phone does not turn into a Data Breach.
  • Install only approved applications from approved application sources (Google Play, or the Apple Store). Beware of “free” applications, many applications that appear to be “free” also collect data from your device, WITH YOUR consent.
  • Do NOT automatically connect to Wireless Networks. Many devices are set to connect automatically to wireless networks, however, there are many public places with open wireless, which are not secure and are easily spoofed. How do you know that the wireless network you connected to really is the official “coffee shop” wireless access point(s)? There could be someone sitting in the coffee shop with a fake Wireless device in their backpack, spoofing the same wireless ID of the “coffee shop”. It happens more frequently than many would like to admit, and is a great way to get people’s account information, personal data, and install back doors on mobile devices. Use care when connecting and only connect to wireless networks that you are certain aren’t under malicious control.
  • Disable auto-discovery of your Bluetooth on mobile devices and laptops. Many devices are left in the “broadcast” mode of Bluetooth, allowing other devices to find, and potentially connect to, your device. While some strides have been made to make this a more secure method of communications for short distances, many devices are still broadcasting their Bluetooth IDs blatantly, for the world to see.

Why you need privacy in communications – You can still have it… in IM.

November 6th, 2013 1 comment

Today, more than ever, with the release of the recent NSA Spying scandal, the new version of CALEA going forward in Washington, and ever present movement by governments to read into the private messaging of individuals, we all need to get smarter, and use tools that we may have never touched before, to regain the privacy in interpersonal communications across the internet. There are many tools out there, and there are many different ways to achieve the same goals, however, today, I’m going to talk about a few p̶r̶o̶d̶u̶c̶t̶s tools that I use on a daily basis for Instant Messaging (IM) from my Windows 7 computer.

First and foremost, I use Pidgin for all my IM needs. Pidgin is available, for free, to anyone, simply by going to http://pidgin.im/. For those of you who are reading this with limited experience with Free Open Source Software (FOSS), this will be a revelation, that yes, there are free tools out there that allow you to download, install, and use, with no charge, no catch, no penalties. Pidgin is my main tool for chatting inside, and outside of work. It also allows me to have multiple connections to different IM services, as seen by the list that they have on their website:

AIM, Bonjour, Facebook Chat, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MXit, MySpaceIM, SILC, SIMPLE, Sametime, XMPP, Yahoo!, & Zephyr

I’m only using AIM, Google Talk, IRC, MSN, and Yahoo!, and also use SIPE, which allows connection to my internal Microsoft Communicator, through the use of the rich plugin architecture built into Pidgin.  Pidgin allows developers to build plug-ins, so that you can extend the functionality of the tool, and SIPE is one of those that works very well, allowing me to use one client to “rule them all” so to speak, with regards to my Instant Messaging.  While there isn’t a Pidgin for mobile devices yet (I’m ever so hopeful), this tool does allow me to have all of my IM contacts available in one tool, where I spend the majority of my day, on my computer.  This plugin architecture is critically important for the privacy aspect that I mentioned above, as there is an external plugin that is needed in order to achieve secure Instant Messaging.

Once you have installed Pidgin, and have gone through the setup of the client, you should easily find how to add your accounts into the tool.  Once this is done, and you’ve tested the functionality with your Instant Messaging contacts, it’s time to go private… Now here is the difficult part.  If you want to encrypt your communications end to end, the person you’re Instant Messaging with has to have the same type of encryption.  In this write up, we’re talking about the tool called OTR, or Off-The-Record Messaging.  OTR supports several IM clients; from the https://otr.cypherpunks.ca/ page, I see that OTR can function with the following IM clients: Pidgin, Adium, Miranda, and Kopete, and they also support an AIM proxy.  You can read more and view video tutorials on their page.

Simply put, adding OTR to Pidgin is a trivial Windows install, requiring that you specify the location of the installed Pidgin program (if you changed it from the default when you installed Pidgin), and a restart of the Pidgin application.  Once installed, you simply launch Pidgin, go to the Tools menu, select Plugins (or press CTRL-U), in the plugins list scroll down to Off-the-Record Messaging, put a check in the box to the left of the title, and select the “Configure Plugin” button on the bottom.  Inside the plugin’s configuration dialog box, you’ll find two tabs, Config and Known fingerprints.

Config Tab

The Config tab has the configuration for your default OTR settings, as well as the ability to generate private and public key pairs, for use when communicating securely with someone else.  You will see your defined IM accounts in a drop down list, and you can select each one and generate a key.  You should only need to generate these keys once per computer, and there are methods to back these keys up and take them with you; however, I will not be covering that process here.  There are many sources of how to do this on the internet, and Google is your friend (giyf).  If you’d like to know how to do this, bookmark this post, and come back to it later, as I’ve added a Google search for the instructions here.

Once you have that setup done, now it’s time to find your friends, get them using one of the OTR supported IM clients, and set up some conversations.  I’ve looked through the data that passes through the OTR plugin, and saw that it was completely encrypted, and appears as total garbage to whomever is spying on your communications.  Bear in mind that you are responsible for ensuring that your communications are encrypted, and the OTR plugin adds informational messages into your IM window, showing you the status of your communications.


receiving encrypted IM, when you’re not encrypted


setup of encrypted communications and confirmation of encryption


Note that even though I do not log my OTR conversations, that doesn’t mean whomever I’m communicating with isn’t logging theirs, so it’s no guarantee that your conversations won’t come back to haunt you, but it does encrypt the transport end-to-end to ensure that no one can snoop on the wire.

When you first set up your communications, you’ll receive a notice that your buddy is not “Authenticated”.  This page shows how that authentication can be accomplished.  Please use NON-IM methods of confirming your identity if you are not sure who you are chatting with.  A fuller step-by-step process of how to set up and use Pidgin and OTR can be found here.  (https://securityinabox.org/en/pidgin_securechat – no affiliation)

Once you’ve got everything working, it’s wonderful to know that your communications cannot be intercepted by your employer, your government, your enemies, or anyone else out to remove your privacy from your communications.


If I have time, I’ll follow up on how to setup some other methods to increase your privacy on the internet.  Please stay tuned.

Thank you [adult swim]

June 12th, 2013 Comments off
Categories: Geek Humor, humor, Opinions Tags:

Problem Solving – it’s not just YOUR way

May 10th, 2013 Comments off

Problem Solver


So, a geek friend of mine (we’ll call Joe) has a teenage girl (we’ll call Ana) who started sleeping in late, and skipping her first few classes of school.  “Joe” has a rule for “Ana” about school.  That rule is very simple, “Don’t make me have to talk to the school, ever.”

Well, “Ana’s” behavior was causing the school to contact “Joe” daily, and after discussing the problem with “Ana” for several days, with no real change in her behavior, “Joe” took the problem on as only a geek would do.  He decided that he would wake her up at 0530, to ensure that she could get up, showered, dressed, eat breakfast, and walk to school on time.

At this point of the story, it is important to inform you that “Joe” is a night owl.  He is a very grumpy morning person, if not as bad as me, perhaps a bit worse.

  • He does NOT do mornings.
  • At All.
  • Ever.

So, “Joe” goes down to Harbor Freight, purchases a “100 dB Old Fashioned Sound ‘Ooga’ Air Horn”, couples it with an Arduino on his home network, places it under “Ana’s” dresser in her bedroom, and sets up a cron job to fire off at 0530.  This was all done while “Ana” was in school.

Fast forward to the next morning…

The cron job fires, 100 dB of OOoooga Goodness goes off for 5 seconds, and “Ana” bolts out of her room angry, showers, gets dressed, eats breakfast, and gets to school on time.

That afternoon, when she comes home, she and “Joe” sit down and talk again, and “Joe” asks, “So, you seem to be having a problem with getting up in the morning.  We discussed this problem, and its impact on me, as I don’t want to get calls from the school.  So, your problem became MY problem.  I’m a problem solver.  Are we going to have a problem getting up tomorrow morning? I can set an alarm for you.”

“Ana” replied, “No, we’re not going to have a problem.”

“Joe” is a kindred spirit, we’re problem solvers.  Don’t make YOUR problem MY problem, I WILL solve it.


FYI, “Ana” has been getting up in the morning on time ever since…

Defcon Sexism… in a nutshell

August 17th, 2012 Comments off

“Exactly two things have made sexism lower at DEFCON since DEFCON 8:
An increased number of women in technology attending, and attendees who now know that they may have to step in to help. Everything else … is security theater.”
–dc0de.

DEFCON… Twenty Years…

June 30th, 2012 Comments off

DEFCON 20 Logo


Paying Homage to the Community…

As we begin to prepare to go to DEFCON 20 we need to be humbled that something that Dark Tangent (aka Jeff Moss) started twenty years ago, is not only still going on, but is THRIVING more than ever.  When I went to DEFCON in 2000, (DEFCON #8), I never really expected that I would be able to support the community that makes this convention possible.  Not only was I awestruck by the amount of knowledge and camaraderie that defines DEFCON, but also wanted to help continue to give something back to the community that makes DEFCON possible.  As DEFCON grew, and moved from the venerable Alexis Park to the Riviera Hotel, I was asked by noid (Head of Security Goons) to become a Security Goon.  Not only was I honored, but I had very little knowledge of how much work was involved and how great an organization the Security Goons and DEFCON Goons were.

Now I am a Goon, and this will be my 7th year donating over a week of vacation, personal expense, and compromise to volunteer my time to work at DEFCON.  Some of the maladies that befall a Goon while walking anywhere from 11 to 21 miles per DAY, for at least three days (this year looks like 4 days of work), include:

  • leg cramps
  • sore feet
  • loss of voice
  • “DEFCON Flu”
  • Sharpie on body parts
  • over ingestion of alcohol
  • verbal and physical abuse
These are only the ones that are safe for work, and that I can publicly post.  For those of you who have attended DEFCON in the past, Thank You!! For those of you who are coming for your first time, please read the DEFCON FAQs…
Here are some links for you to look at, and suggested reading…   Enjoy… as I will… celebrating the 20th Year of a great DEFCON Community…

The hackers life – my weekend at Defcon - Lou Lesko - National Geographic

GOONOLOGY 101 - Technorazzi Magazine

Official DEF CON FAQ v0.95

Who are the Goons of DEF CON?


Help find this stolen Motorcycle

November 7th, 2011 Comments off
Red 1977/76 Moto Guzzi 850 t3, stolen between 11/4/11 19:30 and 11/5/11 10:00, in San Pedro, CA

Help find this stolen motorcycle.

A friend of mine had his motorcycle stolen between 11/4/11 19:30 and 11/5/11 10:00 near 25th and Gaffey, San Pedro CA. Please be on the look out for it, it’s a 1977/76 Motoguzzi 850 t3, with the following distinguishing features.

• Clutch lever is original Motoguzzi aluminum (as seen in photo)
• Rear brake lever is newer, black, very diff from clutch lever
• The pipes you see in that picture are specific. They aren’t unique but you probably won’t see another Motoguzzi with them
• The tank has a ‘scar’ on the right side just below the Motoguzzi logo
• Seat is new marine vinyl except for the rear section which still has the original material, with a crack, and the original MotoGuzzi silk screened on it
• Has non-stock, aftermarket spoke wheels
• Front tire has a groove in it, just right of center (as you’re facing it)

If you have any information at all regarding this motorcycle, please contact  flea23b at gmail dot com, or me at mr.dc0de at gmail dot com.  (note that there is a ZERO in my username)

Categories: Friends, Help, Theft Tags:

© 2008-2014 dc0de’s notes... & dc0de.com All Rights Reserved -- Copyright notice by Blog Copyright