Archive for category news

Firefox: Prevent tabnapping

There’s a new anti-tabnapping feature in NoScript, the Firefox browser add-on.  It’s not exactly straightforward to enable… (from the Security Now podcast)

I learned via Twitter from Alejandro, whose twit handle is @microtwit32, that NoScript, the favorite script blocker for Firefox, quietly added support for tabnabbing. We talked about tabnabbing last week or the week before. Remember that that’s an interesting exploit where pages that you’re not viewing currently, for example in Firefox, can be changed in a way that, if you went back to the page, it could easily fool you to believe that your eBay session had timed out, or Google Mail session had timed out, or something saying, oh, please, reauthenticate. The idea being that the page changes when it’s not the tab on top, so you’re not viewing the page at the time, don’t notice that it changed from something completely different to something that is spoofing one of the services that you are using.

It turns out that scripting is powerful enough now to allow a probing of the services you do use so that a sufficiently sophisticated script could figure out what it is that, like, what banking site you tend to use, and present something convincing on the tab that you’re not viewing. So when you switch back to that, it’s like, oh, look, my banking site says I need to log in again. So what our NoScript author did at v1.9.9.81 and since – I went back and looked through the update and feature notes. He quietly added a new option which is not – it does not surface to the level of the user interface. So it’s not a button you can click on the UI. But if you go, if you put into the Firefox browser’s URL field “about:config” and hit Enter, that will take you to a huge page of alphabetically sorted security and UI and every kind of option under the sun that basically governs in great granular detail the way Firefox operates.

The item you’re looking for is noscript.forbidBGRefresh, as in background refresh. So again, it’s noscript.forbidBGRefresh. Now, that can have a value of 0, 1, 2, or 3. 0 is no change of behavior at all, no blocking of background page refresh changes. 1, which is the default mine had been set to, blocks refreshes on untrusted, unfocused tabs only. Now, trust and untrust is relative to NoScript, that is, have you said that you trust this page, like Amazon.com, for example, or not. The setting of 2 blocks refreshes on trusted, unfocused tabs. I don’t know why you would choose that because it doesn’t block them on untrusted tabs. But setting 3 blocks them on both trusted and untrusted tabs.

And I changed mine to 3 because I can’t really see a valid reason why, whether I trust a site or not, if I’m not looking at the page, I don’t think it needs to change what I’m not seeing. And in fact I’ve noticed that I’m sometimes distracted when I notice a page that I’m not looking at is changing, is, like, refreshing. Some script timer timed out, and it’s changing the ads on the page, or it’s refreshing the whole page in order to get new content or something. Well, I’d just rather not have it do that behind the scenes. So I like the fact that NoScript now lets us prevent any nonfocused page from changing itself. Seems like a useful thing to do.

System7 WordPress 3.0 upgrade

The System7 website has been updated to WP 3.0.  The automatic upgrade option worked flawlessly.  Now, when will Drupal get their act together and realize they need to improve their upgrade procedure?

You can read about some of the more interesting WP3 features here: http://sixrevisions.com/wordpress/wordpress-3-0-guide/

(Tool) HTTPS Everywhere

There’s a new Firefox add-on, HTTPS Everywhere, jointly developed by Tor and the EFF.  For sites it has rules for that offer SSL, the add-on automatically redirects the user to the page’s https address.  It comes loaded with a default ruleset covering some of the more popular websites such as Google, Twitter, and Wikipedia, and it lets users write their own redirection rules in XML with regular expressions.  There’s another write-up at The H here.
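To show how the XML-plus-regex rules mentioned above actually rewrite a URL, here is an added example (not code from the HTTPS Everywhere project). The ruleset string is constructed, and its element names (target, exclusion, rule with $1 back-references) follow the project’s public format as I understand it, which is an assumption rather than a copy of the add-on’s bundled rules.

```python
"""Added example (not HTTPS Everywhere's own code): a minimal evaluator for the
XML-plus-regex rulesets the post mentions. The ruleset below is constructed; its
element names ($N back-references, target/exclusion/rule) are my assumption."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RULESET_XML = """
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://legacy\\.example\\.com/" />
  <rule from="^http://(www\\.)?example\\.com/" to="https://www.example.com/" />
  <rule from="^http://([^/:@]+)\\.example\\.com/" to="https://$1.example.com/" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Parse one <ruleset>; convert $N in 'to' into Python's backslash-N group syntax."""
    root = ET.fromstring(xml_text.strip())
    return {
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                  for r in root.findall("rule")],
    }

def host_matches(host, target):
    """'*.example.com' covers any subdomain; anything else must match exactly."""
    return host.endswith(target[1:]) if target.startswith("*.") else host == target

def rewrite(url, ruleset):
    """Return the https URL for url, or url unchanged if no target/rule applies."""
    host = urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return url
    if any(x.search(url) for x in ruleset["exclusions"]):  # exclusions always win
        return url
    for pattern, repl in ruleset["rules"]:
        new_url, count = pattern.subn(repl, url)
        if count:
            return new_url
    return url

RULES = load_ruleset(RULESET_XML)

if __name__ == "__main__":
    for u in ("http://example.com/login", "http://cdn.example.com/a.js",
              "http://legacy.example.com/", "http://other.com/"):
        print(u, "->", rewrite(u, RULES))
```

The exclusion check runs before any rule, so a host that is known to break over HTTPS can be carved out of a wildcard target.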


“Who is blocking WHOIS?”

I just read an interesting article Who is blocking Whois.  It turns out that ICANN stipulates all registrars must provide WHOIS database access via port 43.  Garth Bruen, knujon.com, did a full analysis of all registrars testing their WHOIS database uptime — that’s assuming he was able to determine their WHOIS database address.  ICANN assumes in good faith registrars will follow convention and locate their lookup servers at whois.registrar.TLD.  Some registrars don’t even advertise the address (if they are providing access at all).  I hope you’re not supporting any of the guilty registrars on the list….

(Tool) FireShark: Aid for web incident response

The tool of the day is FireShark, a free web analysis tool.  It’s great to have in your toolbox for IR.  FireShark generates a mind map of a given web page: think of it as a graphical version of what NoScript shows you, i.e. the map for Amazon.com would show quantcast.com, google-analytics.com, facebook.com, and twitter.com connected to it because the page loads JavaScript and/or images from those domains.  The tool consists of a Firefox plugin plus some additional Perl scripts.

Now, if the authors would add geolocation to the maps, we could quickly see whether a site is pulling content from a server in Russia or China, which could be an obvious sign of infection….


Ubuntu can bypass iPhone pin to read data?

According to this ZDNet article, when you plug your iPod into an Ubuntu machine the device is mounted without ever being prompted for a PIN code.  This works on non-jailbroken iPhones.  I’m surprised the article only names Ubuntu; surely this must work for other distributions?  Unfortunately I don’t own an iPhone to test firsthand.

On a side note, is Ubuntu taking over the world?  Sometimes you don’t want to make things too easy, otherwise all of the idiots will flock from Mac and Windows and plague all of our favorite distributions with requests for ports of ___ (insert favorite fan boi single-platform software here).


DNS Performance & Security…

I’ve gotten tired of Road Runner’s DNS redirection/hijacking service, which I opted out of, yet it keeps coming back.  I decided to do some DNS benchmarking, comparing my ISP-assigned name servers against public DNS such as Google’s.   The results were very surprising.  It turns out I have less latency and fewer hops reaching some of the public DNS servers than those provided by my ISP (and they actually resolve lookups faster).

Here’s what I did:

  1. Download and run DNS Benchmark (Windows or Wine): http://www.grc.com/dns/benchmark.htm
  2. Add your ISP-assigned DNS servers to the tool for comparison (Windows: ipconfig /all; Linux: cat /etc/resolv.conf)
  3. Load any additional public DNS servers into the tool: publicly provided DNS
  4. If public DNS is faster, configure your machine with hardcoded DNS servers (rather than picking them up from DHCP).

Coincidentally, Symantec has just released its own public DNS service that provides malware filtering.  You can read The H article here.  Symantec’s “secure” DNS servers are 198.153.192.1 and 198.153.194.1.
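If you’d rather script the comparison above than run a GUI tool, here is an added example (my own, not the post’s or GRC’s code) that times an A-record lookup against each resolver with a raw UDP query and also checks for the NXDOMAIN redirection the post complains about. The Symantec address comes from the post; 8.8.8.8 is Google Public DNS; the bogus hostname and www.example.com are constructed test inputs.

```python
"""Added example (not from the post): time A-record lookups against resolvers with
raw UDP queries and flag the NXDOMAIN redirection the post complains about."""
import random
import socket
import struct
import time

def build_query(name, qid):
    """Minimal RFC 1035 query: header with RD set, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(struct.pack("!B", len(l)) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(data, expected_id):
    """Return (rcode, answer_count); reject packets that are not a reply to our ID."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != expected_id or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    return flags & 0x000F, ancount

def looks_hijacked(rcode, ancount):
    """A name that does not exist should yield NXDOMAIN (rcode 3), not an answer."""
    return rcode == 0 and ancount > 0

def lookup(server, name, timeout=2.0):
    """Send one UDP query; return (rtt_ms, rcode, ancount), or None on timeout."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
        rtt_ms = (time.perf_counter() - start) * 1000
    return (rtt_ms,) + parse_header(data, qid)

if __name__ == "__main__":
    # 198.153.192.1 is from the post, 8.8.8.8 is Google Public DNS; add your ISP's.
    servers = {"symantec": "198.153.192.1", "google": "8.8.8.8"}
    bogus = "nx-%08x.example.com" % random.randrange(1 << 32)  # constructed name
    for label, ip in servers.items():
        real, fake = lookup(ip, "www.example.com"), lookup(ip, bogus)
        if real is None or fake is None:
            print(f"{label:9} {ip:15} timeout")
        else:
            print(f"{label:9} {ip:15} {real[0]:7.1f} ms  hijack={looks_hijacked(*fake[1:])}")
```

Run it a few times: a single UDP round trip is noisy, and a resolver that answers the bogus name with an A record is the “hijacking” behaviour you want to steer clear of.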


Forensics on Amazon’s Kindle

I recently stumbled upon two great blog posts regarding Kindle forensics.  Eric Huber’s ‘A Fistful of Dongles’ blog has some interesting initial analysis on imaging the Kindle and the key artifacts to zero in on.

Part 1: A Cursory Look at Kindle Forensics

Part 2: Additional Thoughts on Kindle Forensics

Some interesting data Eric discovered:

  • last book read w/ timestamp
  • position in the book
  • books loaded on device
  • strings user has searched for
  • *Remember with Kindle’s 3G ability you may want to use a Faraday bag


Google betas SSL for web searches

According to this H article, Google is beginning to beta a new feature: SSL for its standard web search service. As one commenter noted, Google still collects the same information from your searches, but this will limit third parties from eavesdropping on your search queries. Remember that SSL doesn’t guarantee absolute privacy: there’s Moxie Marlinspike’s work, the chance of CA intermediaries, and your employer loading its own trusted CAs onto your corporate devices.


Sourcefire’s “What would you do with a pointer and a size?”

The Sourcefire Vulnerability Research Team (VRT) has an interesting project related to (near) real-time detection of malicious data passing through an ingress/egress point.  Specifically, they’re attempting to use this technology to detect malicious PDFs.  Unfortunately, right now you can’t scan the documents in real time without hurting the user experience.  Options would be to queue PDFs until they’re analyzed, or to remediate after the fact any malicious PDFs that have already passed through (recall and purge).  They’ve released their real-time framework and are looking for user snippets that perform detection of malicious data (think gluing some of Didier’s PDF analysis scripts together….)

*In case you’re unaware, Sourcefire is the maker of Snort IDS.