Security Paranoia

With the click of a mouse on one computer, the screen of the laptop a few feet away flashes wildly as a flood of data flies silently across a private network cable connecting the two machines. Within a minute the laptop’s file sharing password is compromised.

“The computer is having a bad day,” says a reporter as he watches the effect of the attack on his machine. “Packets are coming at it so fast, the firewall doesn’t know what to do.”

Some hackers claim they can teach a monkey how to hack in a couple of hours. We asked two hackers, Syke and Optyx (at their request, we are using their hacking pseudonyms rather than their real names), to give us non-simian reporters a demonstration.

What we got was a sometimes-frightening view of how easily nearly anyone’s computer–at home or at work, protected or not–can be cracked by a determined hacker. But we also found out that computer users can make a hacker’s job much harder by avoiding a few common mistakes.

Syke, a 23-year-old white-hat hacker, and Optyx, a 19-year-old self-proclaimed black hat, both work in computer security (Syke, until recently, for a well-known security software vendor; Optyx for an application service provider).

They launch their attack on our notebook from desktop computers located in the windowless basement that is New Hack City, a sort of hacker research-and-development lab (and part-time party lounge).

The lab’s rooms are filled with over a dozen Sun SPARC servers, assorted network hubs and mountains of ethernet cable, an arcade-size Ms. Pac Man game, and a DJ tower stocked with music-mixing equipment for all-night hacker jams.

This article was dervied from http://www.pcworld.com/article/id,45726-page,1/art…

Quick answer is NO.

I have been looking into web 2.0 and AJAX lately. AJAX is great. No doubt about that. Everyone loves it and it does provide killer experience for users. But there is cost of it. AJAX and other web 2.0 technologies allows use of cross-site scripting and XMLHttpRequests, which can open up yet another door for vulnerabilities.

Cross-site scripting vulnerabilities are now far more attractive targets than more notorious bugs such as buffer overflows, according to new figures from Mitre, a U.S. government-funded research organization.

Buffer overflows have long been one of the most common types of bugs attacked by malware, with Intel and Advanced Micro Devices (AMD) even building in hardware support for an anti-buffer overflow technology called NX (No Execute) or XD (Execution Disable).

But a shift is under way, according to Mitre’s findings. While buffer overflows affect executable files written in languages such as C, the increasing popularity of cross-site scripting (XSS) bugs indicates attackers are looking more at programming languages typically used for Web applications, such as Java, .Net and PHP.

Client-side scripting languages generally include same-origin policies, which allow interaction between Web objects and pages only as long as they come from the same domain and over the same protocol. XSS bugs allow malicious Web sites to find ways around these policies, potentially accessing sensitive data in other objects or browser windows.

The second most popular type of attack was SQL injection, which allows attackers to execute malicious SQL statements within a database. Third most popluar were PHP “include” vulnerabilities, which can allow attackers to execute arbitrary script on a server by including them in an existing script.

Out of about 20,000 reported vulnerabilities recorded by Mitre so far this year, 21.5% were XSS, 14% were SQL injection and 9.5% were PHP includes. Buffer overflows came in fourth, at 7.9%.

IF YOU think the password protection on your MS Word file is keeping it safe from prying eyes, chances are you’re wrong. The time it takes to crack password-protected Microsoft Office files has tumbled from a 25-day average to a matter of seconds, thanks to a decades-old code-cracking technique that until recently was not viable.

The technique, described in a 1980 paper, A Cryptanalytic Time - Memory Trade-Off, involves pre-generating a massive “rainbow table” of passwords and their corresponding hashes - the encrypted strings of numbers computers use to verify passwords.

Until now, the terabytes of storage needed to write the tables haven’t been available. But cheap storage means rainbow tables are in vogue in the IT security industry. “Take a look at hard-drive storage. I buy terabytes like I used to buy megabytes,” says Christian Stankevitz, the laboratory manager for Chicago-based IT security consultancy Neohapsis.

In the past, passwords were cracked by randomly guessing at the correct string of characters in what’s known as a “brute force” attack. In these assaults, the encrypted form of the password - the hash - is extracted from the target file or computer. A randomly generated password is encrypted and its encrypted form is compared to the extracted hash. If it doesn’t match, the process is repeated until a match is found - it’s a long and tedious process.

With rainbow tables, the encrypted form of most possible passwords are pre-computed and stored alongside the actual, clear-text password. Users can simply look up virtually any hash in the massive index and match it to the corresponding password in seconds.

The tables can break password protection in many common file formats, including versions of Adobe’s PDF format (the current version is immune to the attack), the default encryption on protected Microsoft Office documents (40 bit) and even Windows password files.

“It’s a lot of (storage) space but the nice thing is it only needs to be done once,” says Pieter Zatko, a division scientist at BBN Technologies, a government contractor that conducts research for the US Department of Defence and other government agencies.

Mr Zatko is best known for writing the L0phtcrack password cracking tool in the ’90s. It was used to crack Windows passwords with ease, something he hoped would change the way organisations managed their passwords. Instead, L0phtcrack was commercialised and became the industry-standard password auditor, much to Mr Zatko’s dismay. “That was my problem with L0phtcrack. People were using it to audit their passwords,” he says. “It was supposed to be a statement of ‘understand your risks’.”

This article was derived from here

So far, I have found Mozilla’s Firefox better then IE in terms of security.

It claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

• Add n’ Edit Cookies
  This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
• Dr. Web Anti-Virus Link Checker
  This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  
• FormFox
  This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  
• FlashBlock
  Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
• LiveHTTPHeaders & Header Monitor
  LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
• JavaScript Option
  This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
• NoScript
  This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code.The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.
• QuickJava
  Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
• ShowIP
  This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
  
• SpoofStick
  The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  
• Tamper Data
  Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I’ll collect them in an upcoming post.