Tag Archives: Security

Protecting your #windowsphone intellectual property using Dotfuscator

Justin Angel's Windows Phone Marketplace Statistics post makes very interesting reading. Justin has done a stellar job downloading all of the Marketplace applications and performing a lot of statistical analysis.

I was particularly interested in one of the statistics: 97% of Marketplace apps aren’t obfuscated. On the off chance that you haven’t come across obfuscation yet, here’s something from wikipedia to get you started:

Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.
http://en.wikipedia.org/wiki/Obfuscation

Obviously this means that a mere 3% of the apps in the Marketplace have some form of obfuscation. Justin was looking for PreEmptive Solutions Dotfuscator signatures; Dotfuscator is currently the only Windows Phone obfuscator available. Regardless of the obfuscation monopoly, 3% for what is currently the de facto tool is surprisingly low and worrying. I think back to my days in academia and how source code was something to be protected. Getting your hands on somebody else's code was (for some students) a real boon – if you were struggling, picking up a top student's discarded source code could give you a start. I witnessed this a few times; it happened "back in the day", and I'm sure it still happens today.

Traditionally, we've used reflection to provide us with some insight into the contents of .NET assemblies. We used, almost exclusively, .NET Reflector, although recently we've seen similar offerings from JetBrains (dotPeek) and Telerik (JustDecompile), to name but two other reverse engineering or decompilation tools. Typically, these tools look for .dll or .exe files. Windows Phone apps are deployed via a .xap file, so we need to crack open the .xap and extract the .dlls that we are interested in looking at. Given that .xap files are actually no more than .zip files, we can simply rename the .xap to .zip and pull out the .dlls from there.

An Example
About 20 years ago (ahem!), my Pascal tutor set us a programming exercise. The full details are documented in this post. In a nutshell, we had to create a [Pascal] program that accepted a letter A thru Z and plotted a text-based triangle, where the chosen letter was the “middle” of the triangle. Once you see the screenshot (and the code), all will become clear.

Needless to say, the problem wasn’t as simple as it sounded. As soon as students demonstrated a solution, others were keen to look at the algorithms and tricks used to arrive at the solution. The code below presents a re-hashed version of my original submission, updated slightly such that it runs as a Windows Phone app.

    private void button1_Click(object sender, RoutedEventArgs e)
    {
        char widest_char;
        int next_char, finish_char, wide, range, direction, position, spacelength, loop;

        // The widest row of the diamond is made of this letter
        widest_char = 'F';

        wide = (int)widest_char;
        direction = 1;
        spacelength = 1;
        position = 1;

        // Rows start at 'B' (66); 'A' (65) is printed on its own as the top and bottom rows
        next_char = 66;
        finish_char = 65;

        // Loop bound: the body runs range - 1 times, once per row between the two 'A's
        range = 2 * (wide - finish_char);

        // Calculate initial left indent
        int mid = wide - 65 + 1;

        String firstLetter = Char.ToString((char)finish_char);
        firstLetter = firstLetter.PadLeft(mid + 1);

        textBlock1.Text = firstLetter + "\n";

        for (loop = 1; loop < range; loop++)
        {
            // Left indent, then the letter twice with a widening (then narrowing) gap between
            textBlock1.Text += (" ".PadLeft(mid - position));
            textBlock1.Text += ((char)next_char);

            textBlock1.Text += (" ".PadLeft(spacelength));
            textBlock1.Text += ((char)next_char);
            textBlock1.Text += "\n";

            next_char = next_char + (1 * direction);
            position = position + (1 * direction);
            spacelength = spacelength + (2 * direction);

            // Flip direction when the middle of the diamond is reached
            if (next_char == wide) direction = -1;
        }

        textBlock1.Text += firstLetter;
        textBlock1.Text += "\n";
    }

Here's a screenshot of the output:

Visual Studio 2010 created a .xap file that was deployed to the emulator or physical device. In order to extract the .dll that makes up the diamond application, we rename the .xap file as a .zip file; from there it's just copy and paste.

It's a different story for dotPeek now. It can still inspect the .dll with ease; however, the meaningful variable names have been largely lost. The crux of this particular code example revolves around the algorithm that is used to create the diamond shape - some students were very keen to get a glimpse of an algorithm! The algorithm is still very obvious from the code fragment below:

private void button1_Click(object sender, RoutedEventArgs e)
    {
      char ch = 'F';
      int num1 = (int) ch;
      int num2 = 1;
      int totalWidth = 1;
      int num3 = 1;
      int num4 = 66;
      int num5 = 65;
      int num6 = 2 * (num1 - num5);
      int num7 = num1 - 65 + 1;
      string str1 = char.ToString((char) num5).PadLeft(num7 + 1);
      this.textBlock1.Text = str1 + "\n";
      for (int index = 1; index < num6; ++index)
      {
        TextBlock textBlock1 = this.textBlock1;
        string str2 = textBlock1.Text + " ".PadLeft(num7 - num3);
        textBlock1.Text = str2;
        TextBlock textBlock2 = this.textBlock1;
        string str3 = textBlock2.Text + (object) (char) num4;
        textBlock2.Text = str3;
        TextBlock textBlock3 = this.textBlock1;
        string str4 = textBlock3.Text + " ".PadLeft(totalWidth);
        textBlock3.Text = str4;
        TextBlock textBlock4 = this.textBlock1;
        string str5 = textBlock4.Text + (object) (char) num4;
        textBlock4.Text = str5;
        TextBlock textBlock5 = this.textBlock1;
        string str6 = textBlock5.Text + "\n";
        textBlock5.Text = str6;
        num4 += num2;
        num3 += num2;
        totalWidth += 2 * num2;
        if (num4 == num1)
          num2 = -1;
      }
      TextBlock textBlock6 = this.textBlock1;
      string str7 = textBlock6.Text + str1;
      textBlock6.Text = str7;
      TextBlock textBlock7 = this.textBlock1;
      string str8 = textBlock7.Text + "\n";
      textBlock7.Text = str8;
    }

Obfuscating the .xap using PreEmptive Solutions' Dotfuscator changes the playing field quite significantly. Whilst Dotfuscator can obfuscate a Windows Phone .xap file, we still have to rename it to a .zip before we can inspect the assemblies found inside it. Extracting the assembly that draws the diamond, then firing it through dotPeek, results in the following, rather lengthy, code fragment:

 private void ᜀ(object A_0, RoutedEventArgs A_1)
    {
      int A_1_1 = 6;
      switch (0)
      {
        default:
label_2:
          char ch = 'F';
          int num1 = (int) ch;
          int num2 = 1;
          int totalWidth = 1;
          int num3 = 1;
          int num4 = 66;
          int num5 = 65;
          int num6 = 2 * (num1 - num5);
          int num7 = num1 - 65 + 1;
          string str1 = char.ToString((char) num5).PadLeft(num7 + 1);
          this.textBlock1.Text = str1 + MainPage.b("ሗ", A_1_1);
          int num8 = 1;
          int num9 = 1;
          while (true)
          {
            switch (num9)
            {
              case 0:
label_8:
                num2 = -1;
                num9 = 5;
                continue;
              case 1:
              case 4:
                num9 = 3;
                continue;
              case 2:
                if (num4 == num1)
                {
                  num9 = 0;
                  continue;
                }
                else
                  goto case 5;
              case 3:
                if (num8 < num6)
                {
                  TextBlock textBlock1 = this.textBlock1;
                  string str2 = textBlock1.Text + MainPage.b("㠗", A_1_1).PadLeft(num7 - num3);
                  textBlock1.Text = str2;
                  TextBlock textBlock2 = this.textBlock1;
                  string str3 = textBlock2.Text + (object) (char) num4;
                  textBlock2.Text = str3;
                  TextBlock textBlock3 = this.textBlock1;
                  string str4 = textBlock3.Text + MainPage.b("㠗", A_1_1).PadLeft(totalWidth);
                  textBlock3.Text = str4;
                  TextBlock textBlock4 = this.textBlock1;
                  string str5 = textBlock4.Text + (object) (char) num4;
                  textBlock4.Text = str5;
                  TextBlock textBlock5 = this.textBlock1;
                  string str6 = textBlock5.Text + MainPage.b("ሗ", A_1_1);
                  textBlock5.Text = str6;
                  num4 += num2;
                  num3 += num2;
                  totalWidth += 2 * num2;
                  num9 = 2;
                  continue;
                }
                else
                {
                  num9 = 6;
                  continue;
                }
              case 5:
                if (1 == 0)
                  ;
                switch (1 == 1 ? 1 : 0)
                {
                  case 0:
                  case 2:
                    goto label_8;
                  case 1:
                    if (0 == 0)
                      ;
                    ++num8;
                    num9 = 4;
                    continue;
                  default:
                    goto case 1;
                }
              case 6:
                goto label_15;
              default:
                goto label_2;
            }
          }
label_15:
          TextBlock textBlock6 = this.textBlock1;
          string str7 = textBlock6.Text + str1;
          textBlock6.Text = str7;
          TextBlock textBlock7 = this.textBlock1;
          string str8 = textBlock7.Text + MainPage.b("ሗ", A_1_1);
          textBlock7.Text = str8;
          break;
      }
    }

Clearly the Dotfuscator version is much harder to understand. This is about as far as most obfuscation methods can go: they won't make it impossible to reverse engineer your application, but they will make it very time-consuming for those trying to read and understand the code.

If you are planning to obfuscate your Windows Phone apps, be sure to test them after they have been obfuscated. As with any tool that alters code post-compile, there is a chance that something will cause your app to fail. As part of the Windows Phone SDK, the Application Deployment tool is your friend. It will let you deploy .xap files to the emulator or a physical device outside of Visual Studio 2010. In other words, once you've built and tested your app, and after you've obfuscated the .xap, use the Application Deployment tool to re-test the deployment.
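A pre-ship check of the kind the 3% statistic argues for, added here as an example (it is not from the original post, nor PreEmptive's or Microsoft's tooling): it opens a .xap as the zip file it is, lists the assemblies inside and reports whether each one carries the Dotfuscator marker attribute. The marker name `DotfuscatorAttribute`, the raw-bytes scan, and the sample package the script builds for itself are assumptions for illustration; in practice you would pass the path of a real .xap.

```python
import io
import zipfile

# Marker that Dotfuscator is commonly described as leaving in the metadata of
# assemblies it processes. Treated here as an assumption, not a documented contract,
# and scanned for in the raw bytes rather than by parsing the CLI metadata tables.
DOTFUSCATOR_MARKER = b"DotfuscatorAttribute"


def audit_xap(xap):
    """Open a .xap (a renamed .zip) and report, per managed assembly inside it,
    whether the Dotfuscator marker is present.

    `xap` may be a filesystem path or a file-like object. Returns a dict
    mapping the archive member name of each .dll to a small report dict.
    """
    report = {}
    with zipfile.ZipFile(xap) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(".dll"):
                continue
            data = archive.read(info)
            # Managed assemblies are PE files; "MZ" is the DOS header magic.
            is_pe = data[:2] == b"MZ"
            report[info.filename] = {
                "size": len(data),
                "is_pe": is_pe,
                "obfuscated": is_pe and DOTFUSCATOR_MARKER in data,
            }
    return report


def unobfuscated_assemblies(xap):
    """Names of PE assemblies in the package that carry no obfuscation marker.
    An empty list means every assembly passed the check."""
    return sorted(name for name, r in audit_xap(xap).items()
                  if r["is_pe"] and not r["obfuscated"])


def build_sample_xap():
    """Constructed sample package (not a real Windows Phone app): a manifest plus
    two fake 'assemblies', one carrying the marker and one without, and a stray
    non-assembly file that the audit must ignore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WMAppManifest.xml", "<Deployment/>")
        z.writestr("Diamond.dll",
                   b"MZ" + b"\x00" * 64 + b"button1_Click\x00textBlock1\x00")
        z.writestr("Obfuscated.dll",
                   b"MZ" + b"\x00" * 64 + b"\x00" + DOTFUSCATOR_MARKER + b"\x00")
        z.writestr("readme.txt", "not an assembly")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_xap()
    for name, r in audit_xap(sample).items():
        print(f"{name}: {r['size']} bytes, obfuscated={r['obfuscated']}")
    print("needs attention:", unobfuscated_assemblies(build_sample_xap()))
```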

Of course, if you are targeting Windows Phone Mango, all of this becomes rather academic. As Justin points out, from Mango onwards, .xap files will be DRM protected. Whilst your .xap will be downloadable from the Marketplace, the file itself can't be cracked open in the same way I mentioned earlier in this post. However, if you are planning to target Windows Phone 7.0 "NoDo" 7392/7390 builds, obfuscation might be something for you to consider.

Survey: 3-D Secure, Verified by Visa, MasterCard SecureCode

I would like to draw your attention to a “5 click” survey that will help Anthony Bouch progress with his MSc in Information Security. You would be doing Anthony a huge favour by completing his anonymous survey!

It’s a very short survey, you don’t even have to enter any text if you don’t want to, here’s a snapshot of it:

You could use that last question to mention the fact that Amazon currently does not implement 3-D Secure, Verified by Visa or MasterCard SecureCode and that you believe they should!

It’s one thing clearing your tracks, but make sure you clear out index.dat too

Readers who are sensitive to shocking content should stop reading now – the following screenshot contains text that might offend!

I am asked on a rather regular basis to “fix” laptops and desktops. Typically they've started running slower or have started to automatically run applications that perform untoward actions. “Internet Security 20xx”-type applications seem to be more common; certainly the last 5-6 laptops that I've been asked to fix have had some variation installed. If you're running good anti-virus software, you don't need anything else. If you're browsing the web and are suddenly told “your computer is infected, click here to fix it”…it's probably a hoax.

Today, I was invited to deal with a blue screen of death on a friend’s laptop. On the surface, it looked like it was a driver issue stemming from Nero. However further inspection revealed a sordid history!

I use CCleaner as part of my regular Windows maintenance. It’s a great application that will remove unwanted files from your PC, without actually breaking it. Fewer files on your hard drive mean that anti-virus, malware scanners, etc. can run a little faster – they’ve got fewer files to scan.

By default, CCleaner will clear any temporary internet files left behind by your browser of choice. My friend was using Internet Explorer…whilst the temporary files had been cleaned up, the index.dat file had not. If you are using Windows 7, the index.dat file can be found here: C:\Users\<>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5. Essentially, it contains a list of the sites you've visited, even if you've cleared out your temporary internet files.

Upon inspection of the index.dat file, it was soon clear why the laptop was experiencing problems!

Busted. Next time, my friend will remember to check the index.dat box in CCleaner! I should note that this isn’t the most offensive list of sites that I’ve discovered whilst cleaning up a PC – I couldn’t bring myself to take a screenshot from that PC!

Further reading:

Browser history can help determine rebuild vs clean up, but can be revealing…
“It wasnae me” – browser history, real world example 2

Don’t be fooled… GoMessenger – Subject: You’re BLOCKED

I’m sure that regular readers wouldn’t be caught by this, however, it’s a timely reminder to be extra careful with your passwords!

I received an e-mail today “Subject: You’re BLOCKED” claiming to be from MSN Messenger. My e-mail spam filter reacted and blacklisted it automatically.

However, you might be tempted by its content, it reportedly will tell you who has blocked you on MSN Messenger…

My advice is simple: ignore it. There are a few clues on the page that suggest it's not as professional as it seems: “This site not modify your nickname”. Why would it do that? Why would it need to say that? Plus, it's not grammatically correct. These are just a few clues. Diving into the source code for the page suggests that there's some Google Ad scam going on too.

Even if it does what it says it will do, it’s still harvesting your password, which is something we need to avoid.


054 – Stephen Lamb on his new role in marketing / PR

The twelfth in the Twelve Podcasts of Christmas 2008!


Badge facing inwards, clever security move, very clever. Oh, and that’s the huge Christmas tree in Building 2 at TVP as mentioned in the podcast!

“I wanted to scare the hell out of myself”

As many readers and listeners will know Stephen Lamb moved from his security role over to…well, a role in public relations. I for one wanted to know what Stephen does in his new role and I know a few other folks were keen to know too. Ten weeks into the new role, I happened to be in the same place as Steve…we grabbed a coffee, a comfortable sofa and recorded this: “30 minutes on the sofa with Steve”. I won’t spoil it for you, if you’re keen to understand Steve’s new role, this is well worth a listen!

Podcast feed – subscribe here!

This podcast: http://www.craigmurphy.com/podcasts/054-Stephen-Lamb-II.mp3

Resources
Stephen’s blog
Stephen on Twitter

The Twelve Podcasts of Christmas 2008
01 – Kyle Baley on ALT.NET and Brownfield Development in .NET
02 – Aaron Parker on Microsoft Application Virtualisation
03 – Caroline Bucklow from IT4Communities: charitable software development
04 – Eileen Brown on IT Professionals, TechNet, Women In Technology & Girl Geek Dinners
05 – Stephen Lamb on security, community, Linux and Twitter
06 – Cristiano Betta on Geek Dinners
07 – David Yack and Jonathan Carter on ALT.NET, MVC and Community
08 – Andrew Fryer on SQL Server 2008 and “upgrade”
09 – Viral Tarpara on Collaboration, SharePoint, Open Source (Port 25) and Community
10 – Guy Smith Ferrier on Internationali[s|z]ation, VS2008, .net 3.5, C# language features
11 – Matt Dunstan on event management, “engagement” and life as an Application Platform Manager
12 – Stephen Lamb on his new role in marketing / PR


047 – Stephen Lamb on security, community, Linux and Twitter

The fifth in the Twelve Podcasts of Christmas 2008!


Stephen, with the TVP Building 2 Christmas tree in the background!


“Identity management is important. As soon as folks know what you look like, every Santa and his elf want to podcast with you!”


One of Stephen’s sessions at the Birmingham launch (mentioned in the podcast!)

Heroes Happen Here

Earlier this year, 2008, Birmingham was host to the Microsoft Heroes Happen Here product launch. VBUG's Andrew Westgarth and I were allowed to roam around recording interviews with many of the Microsoft executives and evangelists!

In this podcast, we're sitting on a comfortable sofa with Microsoft's Stephen Lamb. It was recorded in March 2008, before Stephen switched to his PR role, so the topic is security. However, HHH was a community event too, so we chat about community for a bit as well.

I do have a more recent podcast with Stephen, recorded early December 2008. It covers Stephen’s new PR role and will be released as part of the Twelve Podcasts of Christmas!

Podcast feed – subscribe here!

This podcast: http://www.craigmurphy.com/podcasts/047-Stephen-Lamb.mp3

Resources
Eileen’s blog
Andrew Fryer’s blog
Stephen Lamb’s blog
Viral Tarpara's blog



Passwords alone, are not enough. Even if they were, are they hard to break?

[As quoted in the Guardian: http://www.guardian.co.uk/technology/blog/2008/nov/23/technology-letters-blogs]

Relying on a single password for more than one purpose, e.g. logging on to your web-mail, instant messaging service, Facebook, Bebo, etc. is probably very commonplace. Indeed, exposés such as Twitterank, and even its parody site TwitterAwesomeness, highlight the ease with which folks will essentially surrender their username and password. Twitterank didn't just catch the unsuspecting Internet user; it also caught a number of people who really should have known better.

Sites that do need your Twitter username and password, such as BrightKite, use it in order to post tweets on your behalf.  In BrightKite’s case, it tweets each time you “check in” to their “where am I” service.  The check-in process involves you telling BrightKite where you are, it then sends out a Tweet telling the world.  Such sites make their intentions very clear in the Terms Of Use, Code of Conduct and Privacy pages. 

However, so did Twitterank. The site made it clear what it wanted you to believe it was doing with your username and password.  Even if you didn’t read the Twitterank terms of service or FAQ, it was embedded within the source code, as Barry Dorrans carefully points out.  The speed at which the Twitter population flocked to Twitterank suggests that were there any ulterior motives, the site would be well placed to exploit a significant portion of the Twitter accounts that it had opportunity to harvest.

Twitterank was different. It relied on our instinctive desire to be graded or ranked amongst our peers. No matter how hard we try, we're all competitive by nature. We want to know where we stand/sit in relation to our peers. Some services, such as Twitter Grader, have managed to achieve this without the need for a Twitter password. Granted, there's only so much Twitter Grader can do; however, it's a polite service that has introduced me to a number of Twitter users in Scotland – users that I may not otherwise have discovered.

There was little indication whether a Twitterank of 100 was good or bad.  Some users reported ranks of over 200, others, as we’ve seen already, received a rank of zero.  The mathematics behind the site were reported via a comment in this blog as being “Real Math(tm)” and were comparable in accuracy to Google’s PageRank mechanism.  I’m not a mathematician so I won’t be debunking any formula, algorithm or approaches.  Well, not just yet at least.  For Twitterank to have been useful, it would need to allow us to determine whether our rank was better or worse than other Twitterankers (there it is again, I do apologise).

Twitterank didn't really try to hide its intentions; however, because of the site's ease of use, instant gratification and rapid publicity, its uptake was huge (it trended on TweetStats and Twitter Search, and at the time of writing, continues to do so – outdoing “Obama” and “James Bond”). The publicity was part of what made it so popular – it sent out a Tweet announcing your Twitterank, including a link back to the site, thus encouraging users to discover their own ranking. In most cases, this would probably be fine; however, spare a thought for the Twitter folks who received a ranking of zero – and there were many of them! Indeed, many Twitterankers (can I really get away with saying that? Too late now!) tweeted their dissatisfaction at their ranking.

Amusingly, Twitterank’s creator (@ryochiji) reported on his Twitter feed that low rankers should try again tomorrow.  Oh, so that’s how it works – everybody’s Twitterank will improve over time, that’ll work, great system, yes?  Further information may be found on the Twitterank blog, assuming WordPress haven’t deemed it necessary to close it down.

It’s not all about gullible users though
This morning, at the time of writing, a few hours after Twitterank was exposed for the social experiment that it probably is (or was), I found myself reading Bruce Schneier's Read me first column in the Technology section of The Guardian. Bruce writes a great piece explaining how passwords don't need to be broken per se, because they are inherently easy to guess.

Without spoiling the article too much, assuming that you are going to read it, Bruce highlights our password selection techniques.  One such method, and one that is certainly very familiar to this writer in his corporate environment, is the keyword+appendage approach.  Users often take their child’s name, their dog’s name, etc. and add a numeric digit or two after the name, e.g. frank01 or rover12. 

Today's processing power means that software can intelligently guess huge numbers of keyword+appendage passwords in a relatively short and acceptable period of time. Gone are the days when passwords would take days or weeks to crack. If you need more convincing, think about how long it takes the average WiFi hacker to crack your wireless router/modem's WEP encryption keys. Or even your WPA encryption?

Bruce suggests using a personal sentence as your password. Not the sentence itself, but an obfuscated version of the sentence. His example (yes, I'm spoiling the original article, sorry) uses “This little piggy went to market” – it creates an obfuscated password of tlpWENT2m. Such a password would take a significant amount of time to be guessed using processing power alone. Just in case you were tempted, Bruce rightly advises that we don't use tlpWENT2m ourselves…oddly enough.

Increasing security, some options
With the ease with which Twitterank coaxed visitors into typing in their username and password, it seems the days of the password as a single source of authentication are numbered. We need to be considering more secure alternatives that involve “levels of authentication”. Usability is the key to widespread acceptance; any product in this space must be easy to use, and its interface must be such that selecting a secure-level authentication token requires little more effort than offering a basic-level token.

With Twitterank-like incidents becoming more common, I predict that during 2009 we will see the general acceptance and widespread uptake of authentication mechanisms such as OpenID and CardSpace (further reading here and here). You should familiarise yourself with these mechanisms because major web-sites such as Yahoo are gradually introducing them as part of their login process. Indeed, even the likes of Facebook, where you can be whoever you want to be, may have to succumb and implement a more secure user registration and identity verification process.

Beyond authentication into verification
Going beyond authentication, we need to consider verification, particularly of identity. The internet has little in the way of process that can help us confirm an individual's authenticity and identity – how do you know that the person you are tweeting with or Facebooking is the person they say they are? Twitter had the great fake Sarah Silverman incident of October 2008. Facebook has many impersonation cases, a few of which I discuss elsewhere on this blog.

Firms, such as NetIDme are well placed to take advantage of the needs of the authentication and identity verification marketplace.  Identity verification through NetIDme processes involves a combination of stages, if you’re in the UK or US they boast a 95% “automatic verification” rate. The remaining 5%, or if you are a child, requires some form of personal contact with the NetIDme team – whether it is a fax or a phone call.  However, prior to the personal contact, you are invited to provide such things as your Driving Licence Number, National Insurance number, Social Security Number or Passport number in order for third party checks to take place.  Obviously this is much more involved and potentially more invasive than a simple username/password combination. The fact we are now able to authenticate and verify who we are, including how old we are, is a key step forward in the growth and maturity of the Internet.

And finally…
At the time of writing Twitterank is still up and running, whilst there appears to be no malicious intent on the creator’s part, the whole debacle in the social engineering space has left a bitter taste in the mouths of many people.  I am sure that no ill intent was ever on the cards, however Twitterank has proven that everybody needs to think about their own on-line security and the implications of password surrender. 

Just think what might have happened to your Twitter feed? “Ah,” you say, “but it’s just my Twitter feed, I don’t really care if somebody hacks it and owns it.”  That’s fine, but a lot of users have a single password, and that is where the problem stems from.  Identity theft often starts from the smallest thing.  I have a colleague whose identity was stolen simply because she left her name on the door bell of her previous house. The house had been sold to a gentleman who then let / rented the house.  The new tenants used the knowledge of the previous owner’s name to start off the identity theft process.  It is that simple.

I’ll leave you with advice that is mentioned elsewhere in this blog:

  1. Don’t use the same password for social networking sites and services that are more important to you such as your on-line bank or your web-mail.  If your password is harvested, as Twitterank could have done, you may find yourself compromised in more than one way.
  2. Avoid simple passwords such as “password”, “itsasecret” or “letmein”. Amazingly, during my university days somebody actually told me their password was “itsasecret”. Indeed it was…I logged in and was later accused of cracking the said password. A little trouble ensued but it was soon dropped when I explained that I had actually been given the password in the first place!
  3. Consider “upping” your level of security with OpenID – there are plenty of providers: Yahoo, MyOpenID and NetIDme to name just a few. Any progress in this direction is good progress. Of course, you could always demand OpenID!
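A registration-time check of the kind this post argues for, added here as an example (it is not from the original post or from Bruce's article): it flags the keyword+appendage pattern described above and the trivial passwords listed in point 2, and puts a number on how few guesses the pattern costs. The keyword list and blocklist are constructed stand-ins for a real dictionary and leaked-password corpus.

```python
import re

# Constructed stand-ins for illustration. A real check would load a large
# dictionary (first names, pet names, football teams, ...) and a leaked-password list.
KEYWORDS = {"frank", "rover", "fido", "emma", "jack", "liverpool"}
TRIVIAL = {"password", "itsasecret", "letmein", "qwerty", "123456"}

# A dictionary word followed by an optional punctuation mark and up to four digits,
# e.g. frank01, rover12, Emma!7. Matching is done on the lower-cased password, so a
# bare dictionary word with no tail is caught as well.
_KEYWORD_APPENDAGE = re.compile(r"^(?P<word>[a-z]+)(?P<tail>[!?.]?\d{0,4})$")


def classify_password(password, keywords=KEYWORDS, trivial=TRIVIAL):
    """Classify a candidate password as 'trivial', 'keyword+appendage' or 'ok'.

    'ok' only means neither cheap guess applies; it is not a proof of strength.
    """
    lowered = password.lower()
    if lowered in trivial:
        return "trivial"
    m = _KEYWORD_APPENDAGE.match(lowered)
    if m and m.group("word") in keywords:
        return "keyword+appendage"
    return "ok"


def appendage_guesses(n_keywords, max_digits=4, punctuation="!?."):
    """Upper bound on the guesses needed to exhaust every keyword+appendage
    combination the pattern above admits: each keyword, times each optional
    punctuation mark (or none), times every digit string of length 0..max_digits."""
    digit_strings = sum(10 ** d for d in range(max_digits + 1))
    return n_keywords * (len(punctuation) + 1) * digit_strings


def review(candidates):
    """Map each candidate to its classification, for checking a policy against
    a batch of proposed passwords."""
    return {p: classify_password(p) for p in candidates}


if __name__ == "__main__":
    for pw, verdict in review(["frank01", "Rover12", "itsasecret", "tlpWENT2m"]).items():
        print(f"{pw:12} -> {verdict}")
    print("guesses to exhaust the sample dictionary with 2-digit tails:",
          appendage_guesses(len(KEYWORDS), max_digits=2))
```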

Safe and happy surfing!

Further reading:

Password security – even big names fail
Twitterank – celeb or peon? @t_rank

Twitterank – celeb or peon? @t_rank

my Twitterank is 9999.99 http://twitterawesomeness.com/

Just a short post to remind users to be careful with their online credentials.

Twitterank appears to have grabbed the limelight (tonight, GMT) as one such web application that relies on folks wanting to be popular…or at least find out how popular (or not) they are in comparison to some metric that ranks them over other users.

However it’s basically a user-name and password harvesting mechanism. I have a suspicion that it’s a social experiment and all those passwords that were collected will not be used for anything dodgy. Whatever the truth, in the wrong hands the possibilities are endless – here are a couple to worry you: @blowdart and @camurphy

camurphy: @blowdart @dacort – true evilness would be to post random tweets from random victims…did I just say that out loud?

blowdart: @CAMURPHY @dacort Stuff like “I’m wearing my sister’s panties”. DO IT!

If you have received a Twitterank, my advice to you is that you change your Twitter password immediately. Once you’ve done that, any other places that you use that same password for, change it there too.

A safe parody of the site can be found here, courtesy of @dacort.

There’s more here:
http://blogs.zdnet.com/collaboration/?p=163
http://mashable.com/2008/11/12/twitterrank/
http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html
http://www.guardian.co.uk/technology/blog/2008/nov/13/twitter-password-security

If you must rank yourself, check out twitter.grader.com – it doesn’t need your password to give you some feel-good factor!

Oh, @t_rank, I'm still waiting for a reply to this polite request!

eCards linking to dangerous executable files…

In a previous post I mentioned that phishing and spoofing were still very much in the mainstream. There are many tricks that scammers use in order to convince the unsuspecting Internet user to part with their financial details. One such trick is to send fake e-mails inviting users to click on an “eCard”. In reality, clicking on the eCard link typically leads to a file that can be run on the victim's computer – even though today's modern browsers offer many levels of warning, users frequently click on Yes or OK when asked “are you really sure?”

Most eCards are trojan horses – they lie in wait, watching for useful information such as credit card details, passwords, etc. to be typed into reputable web-sites. They then capture that information and, more often than not, attempt to transmit it to a central source that is capable of making the most of stolen credit card information.

Here’s an example:

As noted in my previous posting, it’s always worth verifying the destination of any links found in e-mails (there are some good comments on that post, with tips worth heeding). However, link aside, the text of the e-mail has a few other clues that suggest it might not be authentic. Look for problems with grammar, spelling mistakes, incorrect spacing, etc. I’ve highlighted a couple in the e-mail above. Also look out for “odd” e-mail addresses that are out of character, e.g. Hallmark would never use a personal e-mail address (other card vendors are available!)

If you are feeling even more adventurous, you could take a look at the message itself. In Microsoft Outlook if you right click on an e-mail in the Inbox view, choose Message Options and you’ll see something similar to the text below:

Return-path:
Envelope-to: your.name@yourdomain.com
Delivery-date: Mon, 13 Oct 2008 15:30:19 +0100
Received: from dynamic-123-123.natpool.uc.edu ([123.137.123.123])
by pc1.yourmailhost.com with esmtp (Exim 4.69)
(envelope-from )
id 1KpOR9-0007BM-6h
for your.name@yourdomain.com; Mon, 13 Oct 2008 15:30:19 +0100
Message-ID: <09622.bamber@nolan>
Date: Mon, 13 Oct 2008 12:42:56 +0000
From: “123greetings.com”
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: “friend”
Subject: You have received an eCard
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=4.7
X-Spam-Score: 47
X-Spam-Bar: ++++
X-Spam-Flag: NO

A few things can be gleaned from the e-mail headers. Most reputable eCard web-sites wouldn't use a client-side e-mail tool such as Thunderbird. Nor would they purport to be “123greetings.com” but actually be a personal e-mail address of a.bbbb@acccgggs.com. Similarly, “friend” isn't something mainstream vendors would use. A closer inspection reveals that this e-mail appears to have made use of a .edu domain, i.e. an educational establishment may have been used in the transport of this particular e-mail. Indeed, it is this .edu domain that demonstrates the true nature of trojan horses – they don't always steal your financial details; they sometimes co-opt your computer so that it acts as an e-mail hub through which further propagation of the same or similar eCard e-mails takes place. In other words, your computer could be used to send out eCard e-mails.
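The header tells described above, written out as an added example (not part of the original post): a Python triage routine that parses a message and reports the display-name/domain mismatch, the desktop mail client, the dynamic .edu first hop and the generic recipient. It runs over a constructed copy of the headers quoted above (the mailbox names are the post's placeholders) and over a constructed clean control sample; the hostname patterns and client names it matches are illustrative choices, not a published ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, reassembled from the headers quoted above; the mailbox
# names are the placeholders used in the post, not real addresses.
SUSPECT_HEADERS = """\
Envelope-to: your.name@yourdomain.com
Received: from dynamic-123-123.natpool.uc.edu ([123.137.123.123])
\tby pc1.yourmailhost.com with esmtp (Exim 4.69)
\tid 1KpOR9-0007BM-6h
\tfor your.name@yourdomain.com; Mon, 13 Oct 2008 15:30:19 +0100
Message-ID: <09622.bamber@nolan>
From: "123greetings.com" <a.bbbb@acccgggs.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
To: "friend"
Subject: You have received an eCard

"""

# Constructed control sample: roughly what a card vendor's own relay would produce.
CLEAN_HEADERS = """\
Received: from mail-out.example.com ([192.0.2.10])
\tby pc1.yourmailhost.com with esmtp (Exim 4.69)
\tfor your.name@yourdomain.com; Mon, 13 Oct 2008 15:31:02 +0100
From: "Example Cards" <cards@example.com>
To: your.name@yourdomain.com
Subject: Your eCard from Jane

"""

# Illustrative patterns: desktop mail clients a bulk sender would not use, and
# hostname fragments typical of consumer or NAT-pool addresses.
DESKTOP_CLIENTS = ("thunderbird", "outlook", "windows mail")
CONSUMER_HOST = re.compile(r"dynamic|dyn|natpool|dhcp|pool|dsl|cable")


def first_hop_host(msg):
    """Hostname named in the earliest Received header (the last one listed,
    since each relay prepends its own), or None if absent."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+([\w.-]+)", received[-1], re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(raw_message):
    """Return the list of header tells found in a raw RFC 822 message, in a
    fixed order so results are easy to compare."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name that looks like a domain but is not the sender's domain
    realname, addr = parseaddr(msg.get("From", ""))
    shown = realname.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain and re.fullmatch(r"[\w-]+(\.[\w-]+)+", shown):
        if domain != shown and not domain.endswith("." + shown):
            findings.append("display-name-domain-mismatch")

    # 2. A desktop mail client rather than a bulk-mailing system
    agent = (msg.get("User-Agent") or msg.get("X-Mailer") or "").lower()
    if any(client in agent for client in DESKTOP_CLIENTS):
        findings.append("desktop-mail-client")

    # 3. First hop from a dynamic/NAT-pool host, or from an unrelated .edu network
    host = first_hop_host(msg)
    if host:
        if CONSUMER_HOST.search(host):
            findings.append("dynamic-or-nat-origin-host")
        if host.endswith(".edu"):
            findings.append("edu-origin-host")

    # 4. Generic recipient with no real address
    if "@" not in msg.get("To", ""):
        findings.append("generic-recipient")

    return findings


if __name__ == "__main__":
    print("suspect:", triage(SUSPECT_HEADERS))
    print("clean:  ", triage(CLEAN_HEADERS))
```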

Incidentally, this particular eCard hit my spam filter before I even saw it. However, whilst my e-mail host has good spam filtering, coupled with my local spam filter (MailWasher Pro), it doesn’t mean other e-mail hosts are doing the same, it’s still possible that an eCard could make it into your inbox.

Again, regular readers will be sucking eggs after reading this post, however these e-mails are still doing the rounds. I always find it handy having these real world examples handy as demonstrations when I’m explaining the less than salubrious side of the Internet to newcomers.
