• Welcome to BellGab.com Archive.
 

The Secutity Thread

Started by Kate the Bionic Uterus, February 12, 2014, 07:37:01 PM

Quote from: Mind Flayer Monk on February 23, 2014, 11:07:15 PM
We are three years ahead in the future here at Bellgab Labs:

3) I8U: Logs advertisers that show you images and places them on a blacklist. It allows you to automatically generate posts about how disappointed you are with the advertiser, and includes quickly generated memes showing the product being used by distasteful people (think Obamaphone).

If you want to learn more about the content covered in that frontline show, this researcher has some good stuff
http://www.isi.edu/integration/people/lerman/publications.php

Wow that gal has some resume eh? lol

Has anybody heard about this? http://www.theverge.com/2014/2/24/5442576/inside-apples-epic-security-flaw I have an iphone and an ipad but I have not yet updated the OS. I hesitated because mine are older models and I am happy I did. The new OS is good for the new iphone 5 models but if you have an iphone 4 like me and an older generation ipad then the old OS works better.

Anyway, this security flaw is scary...

wr250

Quote from: Kate the Bionic Uterus on February 25, 2014, 02:20:25 PM
Wow that gal has some resume eh? lol

Has anybody heard about this? http://www.theverge.com/2014/2/24/5442576/inside-apples-epic-security-flaw I have an iphone and an ipad but I have not yet updated the OS. I hesitated because mine are older models and I am happy I did. The new OS is good for the new iphone 5 models but if you have an iphone 4 like me and an older generation ipad then the old OS works better.

Anyway, this security flaw is scary...

here is a security flaw for you. an "image" file can run javascript
the gif is 1 pixel in size
hexedit code goes something like :
gif89=1/*....<whatever>*/*<javascript code>*/

it works, tested it here locally using javascript's alert box. could be used to execute any javascript. also works with jpeg headers and png headers. headers being the 1st line of the file that's supposed to define what the file is.
i created the file in a hex editor.
created a html file to "display" the picture
get the javascript alert .

Quote from: wr250 on February 25, 2014, 02:44:46 PM
here is a security flaw for you. an "image" file can run javascript
the gif is 1 pixel in size
hexedit code goes something like :
gif89=1/*....<whatever>*/*<javascript code>*/

it works, tested it here locally using javascript's alert box. could be used to execute any javascript. also works with jpeg headers and png headers. headers being the 1st line of the file that's supposed to define what the file is.
i created the file in a hex editor.
created a html file to "display" the picture
get the javascript alert .

I do recall hearing about stuff like that earlier this year. Is that possible? I am not a coder but that does sound amazing even if it is also very scary. I am going to ask my brother about it. Luckily for me he is not that far... he works in the office next to me XD

Copied from the TOR thread...

Quote from: eeieeyeoh on February 09, 2014, 04:58:09 PM
Hey Kate, do you know if there is an operating system for PC that can input signal from hardwire ISP and output ISP internet bidirectionally to normal PC that only monitors and records where signal came from and mine going to?

The vid you posted on 1/22/14 08:39 AM was a bit over my head on initial look in speed of delivery of details, not sure if designed to cause fear, certainly info Americans should know about, but I think the threats to the American Constitution need to be dealt with more directly by identifying the source on pulpits in churches, synagogues, and mosques to train the herds. At least I've never heard of any local place of worship of the US Constitution where latest technology trying to overthrow it is discussed.

I got a reply from the Ubuntu forums. Have you ever heard of TAILS? Tails is an acronym for “The Amnesic Incognito Live System”. Maybe this can help you out. https://tails.boum.org/

More info about it here; https://en.wikipedia.org/wiki/The_Amnesic_Incognito_Live_System

wr250

Quote from: Kate the Bionic Uterus on February 25, 2014, 04:03:24 PM
I do recall hearing about stuff like that earlier this year. Is that possible? I am not a coder but that does sound amazing even if it is also very scary. I am going to ask my brother about it. Luckily for me he is not that far... he works in the office next to me XD


as i said, it's not only possible, i did it. it is not a "real" image file, rather a fake file to hold the javascript. all attempts to insert image data and the javascript was not run. however if you ran the fake file in <img src="fake.gif"> tags it would load and not throw an error. it would run the javascript instead. this is tested as a means of hiding javascript in a html file so as to make it "invisible" (you can't see the code when you click "view source code" in a browser).

/*edit*/
you may need to load the gif under <src script> tags and not image tags. i can't remember and can't find the test files i did a while back.
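
A defender-side check for the fake image described in the post above, as an added example that is not part of the thread or any poster's code: it walks the GIF block structure and rejects a file that carries only the signature. The function name `gif_problems` and both sample byte strings are constructed for illustration.

```python
import struct

# Constructed sample: a complete 1x1 GIF (35 bytes).
REAL_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "ffffff000000"
    "2c000000000100010000" "02024401003b"
)
# Constructed sample: a GIF signature followed by text instead of GIF blocks.
FAKE_GIF = b"GIF89a" + b"PLACEHOLDER TEXT, NOT IMAGE DATA"


def _skip_sub_blocks(data, pos):
    """Skip length-prefixed sub-blocks; return the offset after the 0 terminator."""
    while data[pos] != 0:              # IndexError here means the chain is cut short
        pos += 1 + data[pos]
    return pos + 1


def gif_problems(data):
    """Return reasons `data` is not a well-formed GIF; an empty list means it parsed."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["bad signature"]
    if len(data) < 13:
        return ["truncated screen descriptor"]
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                  # global colour table follows
        pos += 3 * (2 << (packed & 0x07))
    images = 0
    try:
        while True:
            kind = data[pos]
            if kind == 0x3B:           # trailer: end of the GIF stream
                pos += 1
                break
            if kind == 0x21:           # extension: introducer, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:         # image descriptor
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:       # local colour table
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW code size
                images += 1
            else:
                return [f"unknown block 0x{kind:02x} at offset {pos}"]
    except IndexError:
        return ["truncated before trailer"]
    problems = []
    if width == 0 or height == 0:
        problems.append("zero width or height")
    if images == 0:
        problems.append("no image data")
    if pos < len(data):
        problems.append(f"{len(data) - pos} trailing bytes after trailer")
    return problems
```

The structural check catches the signature-only file the post describes, but passing it is not proof that a file is harmless. Uploaded images should also be served with a matching `Content-Type` and `X-Content-Type-Options: nosniff`, so a browser will not execute an image response that a page requests as a script.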

Quote from: wr250 on February 25, 2014, 04:13:21 PM
as i said, it's not only possible, i did it. it is not a "real" image file, rather a fake file to hold the javascript. all attempts to insert image data and the javascript was not run. however if you ran the fake file in <img src="fake.gif"> tags it would load and not throw an error. it would run the javascript instead. this is tested as a means of hiding javascript in a html file so as to make it "invisible" (you can't see the code when you click "view source code" in a browser).

/*edit*/
you may need to load the gif under <src script> tags and not image tags. i can't remember and can't find the test files i did a while back.

lol no silly ;)- I understand you have done it. What I meant to ask; Is it possible that I may have read about a similar technique in WIRED or another magazine like that?

Your idea is very ingenious in a Doctor Evil sort of way *cue pinky in mouth* muhuhahaha

wr250

Quote from: Kate the Bionic Uterus on March 06, 2014, 04:20:02 PM
lol no silly ;)- I understand you have done it. What I meant to ask; Is it possible that I may have read about a similar technique in WIRED or another magazine like that?

Your idea is very ingenious in a Doctor Evil sort of way *cue pinky in mouth* muhuhahaha

it wasn't my idea, and the article seems to have vanished from teh intertubes. i'll dig around some more

this is similar

Tails is the secure system that protected Edward Snowden and is now considered the safest operating system in the world. I have previously mentioned Tails on another thread and ever since I have been researching the Project. This is the perfect time to try it because just a couple days ago it was updated to Tails 1.0 https://tails.boum.org/download/index.en.html

Tails is based on the Debian distribution of Linux and so it has the feel of a Linux based OS. However the set up is not as user friendly as Ubuntu for instance. Essentially you can just burn the OS onto a disk BUT not all computers (brands) can run it and forget about running it on Win8. Also not all flash drives will run the OS. All that information is found on the Tails website linked above. Of course it uses the TOR browser.

Here is a recent article that covers the main points of the project http://www.theverge.com/2014/4/29/5664884/this-is-the-most-secure-computer-you-ll-ever-own

Jackstar

I found this article about hilarious bugs and glitches that developers have found, http://www.gamasutra.com/view/news/216897/Whats_the_weirdest_bug_youve_ever_encountered.php, and it made me realize...

This belongs in the Secutitty Thread!

Quote
Flash bug: Was missing a / on the path to a shared font in a SWF. Caused actual game logic to break inconsistently until fixed
Peals of laughter, I really can't help it. My actual game logic is inconsistently braken.

wr250

For years, the US government loudly warned the world that Chinese routers and other internet devices pose a "threat" because they are built with backdoor surveillance functionality that gives the Chinese government the ability to spy on anyone using them. Yet what the NSA's documents show is that Americans have been engaged in precisely the activity that the US accused the Chinese of doing.

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

Jackstar

Background: https://en.wikipedia.org/wiki/Opium_Wars

Important context, imho. Consider: how many more people know more about The Clone Wars, than they do about The Opium Wars?

Jackstar

The TuneIn android app asks me to update it. The new permissions it asks for? It wants to read my contact list.

:rolleyes:

albrecht

Quote from: wr250 on May 12, 2014, 03:40:38 PM
For years, the US government loudly warned the world that Chinese routers and other internet devices pose a "threat" because they are built with backdoor surveillance functionality that gives the Chinese government the ability to spy on anyone using them. Yet what the NSA's documents show is that Americans have been engaged in precisely the activity that the US accused the Chinese of doing.

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

I've heard that routers by certain brands have had this bug in them from almost the beginning of the popular internet. 20yrs ago I had an engineer claim NSA had a backdoor in I think CISCO routers. At the time I just sorta said "ok" because not really into tech and wouldn't know from looking at it one way or the other.

WOTR

Quote from: Kate the Bionic Uterus on May 01, 2014, 09:50:19 PM
Tails is the secure system that protected Edward Snowden and is now considered the safest operating system in the world. I have previously mentioned Tails on another thread and ever since I have been researching the Project...

Another little bit for me to investigate coming up.  Finally decided on a VPN (almost went with that useless "hide my ass" last year.)  After reading how useful they were to the Anonymous hacker I think I am glad I waited.   Not that I am doing anything that requires it (no hacking, no bomb threats, no child porn, no terrorism...)  I just think it should be fun to make the bastards at CSIS and the NSA work a little to track me around the net.  (I had downloaded TOR and visited the silk road a few times for the same reasons...)

My next project is patching the holes in the router that Telus had so kindly supplied to me with back doors.  I am thinking openwrt at this point... but I still need a little longer.

After that perhaps it is time to upgrade my OS.

Yes, I also know that I have allowed cookies and passwords to sit undisturbed on my computer for far too long now.  I am ashamed to admit that it is just easier and I have been lazy as of late.

Why should it be that all of these steps are necessary to prevent large corporations and my own government (paid for with my taxes) from spying on me?

wr250

so are you going to upgrade to OpenBSD ?

WOTR

I will look at openBSD.  Years ago I had a Linux based system... I do not know about Unix...  It really does seem to be a can of worms.  Again, I ask why I pay Microsoft hundreds of dollars for their software when they cannot be bothered to fix their security with the millions in profits.  (Yes, I know I use it because it is easy... but why don't they bother making a secure system?)

I will be looking into that over the next month or so.  Do you use openBSD... What is it like?

wr250

Quote from: wotr1 on May 27, 2014, 12:16:22 AM
I will look at openBSD.  Years ago I had a Linux based system... I do not know about Unix...  It really does seem to be a can of worms.  Again, I ask why I pay Microsoft hundreds of dollars for their software when they cannot be bothered to fix their security with the millions in profits.  (Yes, I know I use it because it is easy... but why don't they bother making a secure system?)

I will be looking into that over the next month or so.  Do you use openBSD... What is it like?

no i use linux, debian testing to be precise.
openbsd is the most secure OS available to the public , and has been for a long time. it requires considerable command line savvy, and the gui is not installed by default. as for recommends i would recommend some flavor of linux such as:

1. debian stable: rock solid, never crashes and well tested. downside, all the software is usually 1-3 versions behind current.
2. opensuse: stable software is more current than debian, but not quite as stable
3. linux mint: same as opensuse, is based on ubuntu, but uses its own gui and not the unity/gnome3 standard desktops

other flavors you may consider, but i chose these as easy to install, have lots of drivers included, and are well supported. you also have many options with desktop environments, i use KDE , although gnome is the other popular one. xfce,lxde and many others are supported as desktop environments as well.

Juan

I keep saying, look at PC-BSD - based on FreeBSD, made for i386 machines and now supports 64-bit. Comes with WINE and packages of software. Easy to install from a CD or USB stick.  Various GUIs installed by default.  It even spots and uses my Focusrite USB audio interface.
http://pcbsd.org

wr250

Quote from: Juan on May 27, 2014, 07:00:19 AM
I keep saying, look at PC-BSD - based on FreeBSD, made for i386 machines and now supports 64-bit. Comes with WINE and packages of software. Easy to install from a CD or USB stick.  Various GUIs installed by default.  It even spots and uses my Focusrite USB audio interface.
http://pcbsd.org

yes thats another good choice.


WOTR

Quote from: wr250 on May 27, 2014, 06:20:22 AM
no i use linux, debian testing to be precise.
openbsd is the most secure OS available to the public , and has been for a long time. it requires considerable command line savvy, and the gui is not installed by default.

Yikes!  No gui by default?  When I had installed a Linux system I recall having to piss around with some commands and it was not too bad (certainly nowhere near as bad as I had thought it would be.)  However, it sounds like openbsd may be a little too much for me to handle.  I would have to have one computer running windows placed squarely beside the one running openbsd just to surf the net and figure out what I needed to do next and what to type...

I will look into your recommendations as well as that pc bsd.  First is securing my router (maybe a weekend project when I have a little more time?)  Next I have to look more into some of the features of airvpn (yes, I would sooner trust a company that advertises itself as run by activists and hacktivists than my ISP, government and the US government.)  There appears to be a way to download necessary files in order to allow the firewall to stop DNS leaks.  (Sure enough... a test confirms that my boat is taking on water and my DNS is leaking.)

I really am quite new to all of this and hope that the terminology was correct and what I typed makes some sense... I really hate looking stupid, but I do admit that I am new to taking an active role in the security of my computer and connection.  Until very recently I had believed that so long as I downloaded avast and cleaned the spyware and cleared cookies I was secure enough.  Thanks in large part to Snowden (and now bill C-13 in Canada) I realize that I was very wrong...

DNS leaks, back-doors in routers, poorly designed (yet expensive) software and paying my ISP $60/ month to spy on me for my government and businesses?

wr250

Quote from: wotr1 on May 28, 2014, 02:52:32 AM
Yikes!  No gui by default?  When I had installed a Linux system I recall having to piss around with some commands and it was not too bad (certainly nowhere near as bad as I had thought it would be.)  However, it sounds like openbsd may be a little too much for me to handle.  I would have to have one computer running windows placed squarely beside the one running openbsd just to surf the net and figure out what I needed to do next and what to type...

its a server os, installs barebones (but secure) and you must configure it yourself

Quote
I will look into your recommendations as well as that pc bsd.  First is securing my router (maybe a weekend project when I have a little more time?)  Next I have to look more into some of the features of airvpn (yes, I would sooner trust a company that advertises itself as run by activists and hacktivists than my ISP, government and the US government.)  There appears to be a way to download necessary files in order to allow the firewall to stop DNS leaks.  (Sure enough... a test confirms that my boat is taking on water and my DNS is leaking.)

if possible you could run ddwrt open source firmware based on linux: http://www.dd-wrt.com/site/support/router-database

Quote
I really am quite new to all of this and hope that the terminology was correct and what I typed makes some sense... I really hate looking stupid, but I do admit that I am new to taking an active role in the security of my computer and connection.  Until very recently I had believed that so long as I downloaded avast and cleaned the spyware and cleared cookies I was secure enough.  Thanks in large part to Snowden (and now bill C-13 in Canada) I realize that I was very wrong...

DNS leaks, back-doors in routers, poorly designed (yet expensive) software and paying my ISP $60/ month to spy on me for my government and businesses?

i suggest trying some of these operating systems out in a virtual machine (www.virtualbox.org ) before going on an installfest. (after install on the 1st run virtualbox should ask you to download an extension pack. i highly recommend doing so)

VirusTotal is a free service that analyses suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.

This is a MUST USE SERVICE if you download things off of the internet but it still won't help for "key logging viruses". Still I use it for everything.

https://www.virustotal.com/

Desmond

Very informative thread, lots of good information here.  Thank you for sharing these ideas.


I have an Android problem. I don't download many apps, mainly use my phone for mobile radio listening on the road, (Tune In), and I have a twin phone I use at work and home on wifi, no cell service on this device.


Sometimes I will pick up my idle phone, and something is scrolling thru my pictures, the camcorder may be activated, and last week I awoke in the night to the sound of me coming home from work.... my Dropcam app was activated and playing back a video clip of me unlocking my house and coming home from work!


I have the free version of Lookout installed, but no other security programs.  I'm about ready to go back to basic simple no frills cell phone, but love the wifi devices for listening to radio.


Any suggestions what I can do to improve my Android security?  Is there an app to monitor and tell me what apps are looking thru my pics, activating my camera, and accessing my Dropcam files?


Thanks for any help.
