September 27th, 2007
As of 27th September 2007 – yes!
A malicious hacker can misuse Cross-site request forgery (CSRF) to redirect a copy of all your incoming emails to his account! CSRF is also referred to as “one click attack” or “session riding”.
[Before you read any further please understand gmail filters by logging into your gmail account and going to Settings – Filters.]
CSRF is an attack in which unauthorized commands are transmitted to a website from a user that the website trusts. Let's take a simple example to understand this:
- Pooja is checking her email on a very safe computer (totally patched, fire-walled, with the latest updated antivirus etc etc) using a very safe browser.
- Because she is logged in to gmail, the gmail authentication cookie is present on her machine.
- She receives an email from Priyanka containing a really funny joke. The email contains a link to a site which promises her lots more funny stuff. She clicks on the link and is very happy with the site that opens up.
- What she does not realize is that this joke site has forged a POST request to the gmail “Create Filter” wizard. This creates a filter that forwards a copy of all emails coming into Pooja’s account to Priyanka!
- Gmail accepts the request to create the filter because the genuine gmail account holder (Pooja) is authenticated and logged in at the moment and her session cookie is passed along with the forged request.
- This new gmail filter will keep stealing Pooja’s emails till she manually checks her filters and realizes that there is an unauthorized one.
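The server-side check whose absence makes the scenario above possible, shown as an added example (it is not from the original post and is not Gmail's code): a handler that trusts the session cookie alone, beside one that also requires a session-bound token. The request dictionaries, session store and token scheme are assumptions; `cf2_email` is the parameter name reported later in this post.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSIONS = {"sess-pooja": "pooja"}     # constructed session store: cookie -> user
FILTERS = []                           # (user, forward_to) pairs created so far


def csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded only in pages the site itself serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_filter_cookie_only(request: dict) -> int:
    """'Before': the session cookie alone authorizes the state change."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401
    FILTERS.append((user, request["params"]["cf2_email"]))
    return 200


def create_filter_with_token(request: dict) -> int:
    """'After': the request must also carry the session-bound token."""
    session_id = request["cookies"].get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    supplied = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return 403  # the cookie rode along, but the sender never saw the token
    FILTERS.append((user, request["params"]["cf2_email"]))
    return 200


def demo() -> dict:
    # Constructed requests. The cross-site one carries the cookie (the browser
    # attaches it automatically) but not the token, which only the site's own pages hold.
    cross_site = {"cookies": {"session": "sess-pooja"},
                  "params": {"cf2_email": "other@example.test"}}
    same_site = {"cookies": {"session": "sess-pooja"},
                 "params": {"cf2_email": "backup@example.test",
                            "csrf_token": csrf_token("sess-pooja")}}
    return {"cookie_only": create_filter_cookie_only(cross_site),
            "token_cross_site": create_filter_with_token(cross_site),
            "token_same_site": create_filter_with_token(same_site)}
```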
I carried out a small experiment wherein I requested a filter to forward all emails to a particular account. On analyzing the data transfer between my browser and gmail (using Tamper Data extension for Firefox) I found that the relevant GET parameter is cf2_email.
See the following for more information on this -


Many thanks to Giorgio Maone for his post on this issue. As Giorgio says – this exploit is “Very clever and very dangerous.”
September 20th, 2007
There was a nice article about me in Citadel some time back. It can be downloaded from:
http://www.rohasnagpal.com/school-of-thought.jpg
September 15th, 2007
I recently tried out DriveSentry, a personal data firewall that works on a PC as well as a removable drive.
According to DriveSentry.com: “DriveSentry complements your existing anti-virus tool by detecting threats to your system using a patent-pending technology. DriveSentry is an intelligent firewall for your drives that works by allowing only applications that you authorize to write to your files. An example is that you can grant access to Microsoft Word to write to a document, but a virus attempting to do the same would trigger a warning”.
The most interesting claim made by the company is that DriveSentry can be used to “enhance your conventional anti-virus software by protecting against zero day attacks”. If DriveSentry can actually achieve this, then it would solve a lot of security issues.
Test on WinXP machine
I performed a simple test to try out DriveSentry on my local machine. This test was performed on a Win XP SP2 machine running an updated AVG antivirus.
1. First I wrote a simple js code that can modify the hosts file of a Windows machine.
2. When I ran this js file, the AVG antivirus did not give any alert. The code changed my hosts file!
3. I then installed DriveSentry on my machine and configured it to protect the c:\windows\system32\drivers\etc\ folder.
4. I then again ran the js code. DriveSentry blocked it and showed a medium risk level.

5. However the “online advice” option recommended that I “ALLOW write access“.
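A complementary check for the kind of change made in step 2, as an added example that is not part of the original post or of DriveSentry: it parses a hosts file and reports mappings that fall outside an approved baseline. The sample file, hostnames and finding labels are constructed.

```python
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or incomplete line
        for name in fields[1:]:                # one IP may map several names
            yield no, fields[0], name.lower()


def audit_hosts(text, baseline=frozenset()):
    """Return (line_no, hostname, ip, reason) for entries not in the baseline."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if (ip, name) in baseline:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, name, ip, "malformed address"))
            continue
        if name in LOOPBACK_NAMES:
            if not addr.is_loopback:
                findings.append((no, name, ip, "localhost remapped"))
        elif addr.is_loopback or addr.is_unspecified:
            # e.g. an update or security site silently blocked
            findings.append((no, name, ip, "name sinkholed"))
        else:
            findings.append((no, name, ip, "name redirected"))
    return findings


# Constructed sample hosts file.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.7 bank.example.test   # unexpected redirect
127.0.0.1   update.av.example.test
"""
```

On a Windows machine the input would be the contents of the hosts file in the folder named in step 3, with the baseline holding any entries the administrator added deliberately.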
Conclusion: DriveSentry seems to have a lot of potential. The product is still in beta so there are lots of improvements expected. The “online advice” system will grow with the user base. The database of user “advice” is currently too small to trust.
September 8th, 2007
A major security concern for users of online banking / share trading is keylogging.
Simply put, a keylogger installed on your computer could pass on your login credentials (credit card information etc etc) to a cyber criminal. What the criminal could do with this information is anybody’s guess and your worst nightmare.
A recent BBC investigation revealed how a six-year-old British girl hacked into the highly sensitive computer system at the House of Commons using keyloggers. Click here for the detailed story.
The issue is compounded if you use a public computer (e.g. at a cyber cafe, airport lounge, library, hotel etc) to log into your email / banking account.
There are some simple methods that can be used to beat a keylogger (no guarantees !!):
1. Carry a portable version of Firefox with the KeyScrambler Personal add-on. (KeyScrambler Personal “encrypts your keystrokes at the kernel driver level to protect your login information from keyloggers”). You can carry this on a USB drive. Whenever you need to use a public computer, connect your USB stick and use your private secure Firefox browser.
2. Carry your passwords in a randomized manner on a USB stick. e.g. if your password is Priyanka_$_chopRA, all you have to do is carry a text file with the words Priya, ankarra, chop and RAM somewhere in a whole lot of meaningful text. While logging in, copy and paste the said words onto the password input box. A little tedious, but very effective against text keyloggers… WARNING!! – may fail against screen shot capturing keyloggers.
3. Carry a portable antivirus on your USB stick and run it on the public computer. Note: Not very effective and not very easy to do.
September 6th, 2007
Times of India has profiled me as part of their “Lead India” initiative coverage.
“Pune has had its fair share of applicants for the Lead India initiative which gives ordinary citizens with extraordinary leadership qualities a chance to change the political and social situation around them. One such person is Rohas Nagpal, cyber crime specialist.”
Click here for the scanned version of this article.
Some other Times of India articles featuring my comments / interviews:
Chain emails have netizens in a bind
Cyber crime not just about credit cards
Hi-tech voyeurism not covered under IT Act!
Look who’s watching!
Clicking porn and viewing it no legal offence
Cyber criminals are just too smart
Confusion prevails over tackling cyber crime
Cyber crime fighters seek Indian expertise
The new phony crime: SMS spoofing
September 4th, 2007
Way back in 2002, I had proposed an Internet Draft “Biometric based Digital Signature scheme”. It did not make it to the status of an RFC, but I hope someone somewhere can build on the concept.
Abstract:
Digital Signatures are fast emerging as a viable information security
solution, satiating the objectives of data integrity, entity
authentication, privacy, non-repudiation and certification.
The technique, as it stands today, faces the problem of the
maintenance of the secrecy of the private key. This document provides
a conceptual framework for the establishment of a biometric-based key
generation scheme.
In this scheme, the private key is generated each
time a document or record requires to be signed. Such generation is
based upon a combination of biometric traits.
View the complete document
August 6th, 2007
Although this citrus fruit has a major hand in some of the world’s most delicious foods, why, one asks, is the lemon associated with lemon laws – American laws relating to predominantly faulty vehicles? One expert guess is that both lemons and problematic vehicles leave a sour taste in the mouth, in one case literally.
In the early 19th century, the term lemon symbolized an unfriendly person – a sour puss. Consequently, a lemon came to describe anything that was faulty or had a defect. This association can be retraced to 1909 when American slang gave it the connotation of a person who can be taken for a ride. British slang also used “to hand someone a lemon” to refer to cheating someone by passing off a low quality product as a good one.
The Ford Edsel, introduced in 1957, also came to be called a lemon due to its failure to keep customers happy. Another reason for this was the horsecollar grill that the car was identified with. Customers believed that the grill made the car look like a Mercedes-Benz sucking on a lemon.
The word may have originated anywhere; however, the lemon is now legally related to faulty or defective vehicles (and in some US states – anything mechanical).
A general rule for identifying a lemon is that it should have been given for the same repairs at least four times or should not function for a total of thirty days out of the period of coverage. Often this period is one year from the delivery of the vehicle or the term of the written warranty, whichever is shorter.
For more visit -
http://www.asianlaws.org/library/general-laws/lemon-laws/index.htm
July 26th, 2007
In today’s hi-tech world, where every T, D and H owns a laptop and more, a fully equipped pen drive still makes a lot of sense.
Top 5 scenarios where a pen drive loaded with the right apps makes great sense are:
1. You regularly work on a set of files on different computers (one at the office, one at home, one on the go blah blah blah…).
2. The “friendly” neighborhood sysadmin has forbidden installation of software on the office machines.
3. You are going on a well deserved vacation (and you obviously don’t want to lug the laptop around) …. but you need to carry important files in case there is an emergency and you need to work from a cyber cafe.
4. You need to backup files (pen drives are smaller than CDs and DVDs).
5. You want to carry some great videos / movies around.
July 19th, 2007
ClubHack is organising India’s first International Hackers’ Convention. It’s a great opportunity to hobnob with the best hacking talent.
There is a lot of misconception about hacking.
As a noun it means “an incredibly good, and perhaps very time-consuming, piece of work that produces exactly what is needed”.
As a verb it means “to interact with a computer in a playful and exploratory rather than goal-directed way”.
I believe that true Hackers are physical and virtual beings who believe that
1. In an ideal world, information (and software) should be free.
2. We do not live in an ideal world, so software piracy and malicious hacking is a crime.
3. A hacker is judged only by his skills, intentions and willingness to share his knowledge.
4. You can create art and beauty on a computer.
5. Computers can change your life for the better.
July 18th, 2007
You may love her or you may hate her … but you can’t ignore her!
No matter where you look, she is there…posing on a huge poster or being interviewed on the idiot box. She is a classic example of how good marketing can sell a bad product.
With virtually no beauty, no finesse and no acting prowess, she has still managed to survive and even grow in Bollywood. Her marketing techniques can be made into a case study for management institutes. Her ability to use innovative marketing tools (mainly controversy) is admirable to say the least.
Her media management skills are exceptional. “Media ne mujhe banaya hai” she said during a recent interview on Aaj Tak. How true.
I have keenly followed her antics for quite some time now (more out of morbid fascination rather than anything else) and am impressed. She is very very street-smart. She knows what the majority wants and she knows how to cater to the masses.
Did you know this? (source – the Rakhi Sawant Fan Club website)
Rakhi Sawant’s father (an ACP with the Mumbai Police) left home in protest after she insisted on continuing her acting career.
Her first break was in an Item Number opposite Govinda in Joru ka Gulam. Three years later, she auditioned four times before winning her breakthrough Item number Mohabbat hai Mirchi in Chura Liya Hai Tumne in 2003.