Network Lighthouse

For a while now, it’s been known that the md5 hashing algorithm is susceptible to collisions, reducing the level of security it provides, although predominately in only a theoretical manner.

Now some enterprising researchers have used this vulnerability (along with 200 ps3’s) to create a fake certificate authority, ensentially allowing them to create certificates for any name that browsers will trust implicitly.

Schneier on Security: Forging SSL Certificates.

There are a couple of factors that mean the internet isn’t ‘broken’ by this:

• By itself it’s not particularly useful to have a certificate for “example.com”, I also need to convince someone that “example.com” is at my ip address. (Some of the recent dns vulnerabilities could be used for this)
• Most CA’s don’t use MD5 anymore, those that do are moving to more secure algorithms.

One comment that Bruce made in his blog (linked above) that I disagree with is about people ignoring SSL warning messages, I have never (and make sure my family and colleagues do the same) ignored SSL warnings,  they are there for a reason and I make sure if I see one I understand why I am seeing it before doing anything I wouldn’t want to be compromised.  I strongly recommend that SSL warnings (like all security messages) seriously.

-Daniel

The latest version of my social networking plugin for Thuderbird has just been released.

Changes for this version:

Internationalization support has been added (translators wanted)

Default cache time increased to 30days

Cache clean up code added, rather than continuously building up, expired entries get cleaned up on launch

Only one feature is planned for the next release (at this stage),   cache flushing for individual entries.  If you have any suggestions please post in the forums or leave a comment.

In order for me to get this published as an ‘official’ Thunderbird plugin I still need more reviews, if you use the plugin and think it’s a good thing, please post to the forum with a short review saying how great you found it.

Update: I probably should upload the new version as well rap4tb-085

-Daniel

Another major organisation bans USB drives,  although this seems to be due to a severe virus outbreak.  The risks associated with USB drives and other removable media are well documented these days, with rarely a week going by with out some news story about data on media being lost or stolen.

The Pentagon Bans USB Flash Drives: Will There Be a Floppy Disk Comeback?.

While outright banning removable media seems like an attractive solution, I wonder if it really is the best option, Encryption and device control options exist that allow a large degree of control and security to be retained while keeping the flexibility of removable storage.

Over the last one or two years, we have seen a fairly major shift in the methods of criminals working on the internet.  In the past viruses that spread rapidly and took down networks were the norm.  Just cast your mind back to Code Red, Nimda (both of 2001) and Sasser (2004), and you’ll get a feel for what I am talking about.  All these worms did massive amounts of damage during their limited life spans, with their primary purpose to disrupt computer systems.

However in the last couple of years there has been a shift to more organised criminal activities, the storm worm (first appeared early 2008) which at its peak some researchers estimated as having infected over 10 million machines provides a great example of this.

The storm botnet, was created in such a manner that parts of it could be leased to others which could then be used for trojan and spam distribution, DDOS attempts and other activities.  While viruses and worms from previous generations of malware where designed to have a single payload, the purpose of storm appeared to be focused on turning a profit.

Another indication of the changes that I have alluded to is the recent release of an out of band patch release, MS08-067, by Microsoft.  In brief this patch closed a flaw in all versions of windows which, for Windows 2008 and XP at least, allowed for remote code to be executed as the local service account.   Several security experts were concerned about the potential of to be used to create a worm of Code Red/Nimda proportions.   This threat never really eventuated, there were a couple of worms that took advantage of this vulnerabilty but nothing really eventuated.

Why did the expect horror worm never eventuate?  It appears (to me at least) that today’s malware authors are not interested in high profile activities, and any worm based on MS08-067 was sure to gain additional publicity, in the interests of generating a name for themselves.  Malware authors today are looking to create more stealthy worms and trojans that go undetected for as long as possible, quietly stealing credit card data,sending spam and replicating themselves.

One example of how stealthy these new threats can be is Rustock.C, discovered in May 2008 it has been identified as been in the wild, as least as far back as October 2007.  It employeed a number of very sophisticated techniques to hide itself and prevent itself from being analysed.  No longer are malware authors working to build a name for themselves, they are looking to develop a product or service that can be sold to make a profit, just like any other software company in the world.

It used to be the case that when your computer was infected with a virus/trojan/etc you would realise eventually, something bad would happen, CIH would destroy your partition table, Blaster caused network flooding and machine instability.  These days you would be lucky to notice your machine was running slow before finding out months later that your credit card details were stolen by a trojan running quietly in the background.

That’s all for this article, stay tuned for part 2, Identity Theft and Credit Card Fraud.

-Daniel

Wikipedia have a great resourse, Timetable of notable Computer Viruses and Worms, from which information was taken for this article (a number of linked articles were also reference).

After installing rap4tb as per a usual plugin there are an extra couple of steps required for it to work.

Go to http://www.rapleaf.com/developer/api_access

• If you haven’t registered with them do so (its free and you get to control what people see about you through their service)
• Copy your API key and paste it into the Rap4TB options window.
• Click OK

If you don’t do this correctly then the plugin wont work. You will get a message in the status bar saying ‘API KEY NOT VALID’

Stiill having problems why not try the forums.

-Daniel

One of my biggest gripes with the internet is that everytime I sign-up to a web site or want to download something I have to enter my personal information.

Yes, I know that web browsers can auto-populate most of these forms, but what happens when I change postal addresses or phone numbers?  I need to remember all the sites that I gave my details (those that I care about anyway), and update my details.

As an example of how important this can be, a few years ago I moved houses and thought I had updated all my banking, insurance, etc details with my new residence.  Two years later, when I was preparing to move to the UK, I called my car insurance provider to cancel my policy only to be told that I didn’t have any as it expired 18 months previously.

Of course I should have used a mail redirection service, but why does it have to be so difficult to keep my details up-to-date accross all my different providers?

Is there a solution to this? None that I am aware of yet, but I do have a plan on how to make life simpler for all.

More details to come.

-Daniel

So you’re about to hire a new team member or maybe your boss left and you want to find out about the new guy. Whatever the cause at some point in time most have us have used Google to try and find out about someone. For those who have not tried this, it is often more difficult than it sounds. For example if you search for my name, even with quotes, returns over 150,000 results not one of the first 100 actually referred to me (I stopped looking after that).

This in mind how do you find out about someone using the web?

Firstly your going to need something a little more unique that a persons name. According to the 1990 US census, almost 3% of males had a first name of James and 1% of the population has the last name of Smith. This means that 1 in around 3000 males (in the US) are called James Smith. Given the current population of the US, around 300 Million, there are about 100 thousand people called James Smith in the US alone.

Of course this is the worst case scenario but it points out why names by themselves are not enough to successfully build a profile. What you need is some other details about the person, things like companies worked for, names of partners, and ideally an email address. If your recruiting the person you’re looking for, then their resume or CV will have previous employers and maybe an email address.

To make this article somewhat interesting, I’ll go through the whole process using myself as an example. Here’s what we (in terms of this article) know about me, my name is Daniel Thomas and I have worked for Virgin Blue airlines. Lets go back to google and search for me with that information with this string ‘”Daniel Thomas” “Virgin Blue”‘. This turns out to be a much better search, only returning 60 results. Going through the results one by one can be painful but fruitful exercise.

Here are the relevant results, I’ve eliminated the results that dont have any relevance:

• LinkedIn (we’ll come back to this one later)
• The Juice
  • A report on a company party, including a photo of the subject (me)
• Alumni Newsletter
  • Here’s one I’d forgotten about, not only confirming where I worked, but also work colleagues and where I went to University.

So now we know now:

• Name: Daniel Thomas
• Employer: Virgin Blue
• School at University: CIT @ Griffith University
• A photo of me from a company party
• And a list of people that I’ve worked with

Lets move on to social networks, one of the great advantages and perils of social networking sites is the amount of personal information that people can put online and share with others.

We’ve already seen LinkedIn, as it came up in the search results. Have a quick look at what it says about me. You will quickly see a full career summary with most of the jobs I’ve ever had, any education that I’ve added.
Unfortunately for this article thats about the end of the paper trail for me, I’ve gone to some efforts over the years to keep my personal details just that, with the exception of what I chose to publish at LinkedIn. Even so there is enough out on the web to buildup something of a profile.

Other social networks can be a great source of personal information, the only problem is identifying which sites a person uses. If you know their email address then this process becomes a lot simpler with RapLeaf. Just plugin their email address and they’ll search all the major social sites and show you which ones have a profile for the address you entered. In some cases they’ll even link straight to the profile you are after.

Going beyond this things get a bit complicated, but here are some other ideas of places that can be useful for finding information about people.

• News Articles LexisNexis
• Court Records
• Phone Books
• ZoomInfo
• If you don’t mind spending some money, you could also use a commercial background checking services

Anytime you find something new about a person, go back to google and search for them again trying the new information as well.

Thats it for this article, hope you found it educational.

-Daniel

While I was researching for my article about developing a persons online profile I stumbled upon an online service called RapLeaf. It allows you to enter an email address and reports back with a persons online ‘reputation’. The reputation scoring is interesting, but not what I thought was the killer feature. The best feature of this website is that it tracks membership to numerous social networking sites, be it LinkedIn, Facebook, Flickr, MySpace or anyone of over a dozen different sites.

My immediate thought was this is cool, but I want to know about people in my inbox not going to the web every time I get an email from someone. And hence RapLeaf4Thunderburd was born. It utilises the API provided by RapLeaf to obtain various information about the sender of the currently selected email in a statubar at the bottom of the window, including the various social network sites that they are members of.

Check out the screenshot, the persons name has been obscured to protect their identity. Each of the icons represents a social network site that the sender is a member of and if clicked opens a browser to the relevant website and if known straight to their profile.

Having not done any serious code for a while, and never attempted XUL development before, and only a rough understanding of JavaScript, it was a steep learning curve. But four days after discovering the RapLeaf we have the first release of the plugin.

Instructions

After downloading (see below) and installing have a look at the instructions to finish off the install.

Please note this is definitely still a BETA plugin use at your own risk.

Privacy Note

This plugin sends the email address of people communicating with you to RapLeaf.

Version Update

Version 0.4 This version addresses a couple of privacy concerns, it now supports hashing the senders email address before sending it to rapleaf, this is now th default behavior.  Additionally there is now an option to use https instead of http to ensure the request and response are encrypted.

Version 0.5 This version adds caching of previously retrieved data making the experience a lot smoother.   Length of cache time is configurable in the options window and can be disabled by setting cache time to 0.

Version 0.8 This version tidies up a lot, the preferences have been moved into the plugin options, where it should be and other miscellaneous fixes.  Now ready for release, just need more people to post feedback in the forum.

Get it here: rap4tb.xpi or from Mozilla Addons