What kind of information sends your computer out?

Hi there,

here is a blog about a privacy conference that is quite scary:
http://blogs.zdnet.com/security/?p=197

Has anyone a clue to counter this flow out of privacy information?

true north

 

Don't know if it's my browser (or config) but I was more surprised by the lack of info given. Opera is not my default-browser, so that might be part of the reason that some things were not picked up.

 

Heh, no info on mine, just an abusive line saying

'Turn on JS, numbnuts'.

 

I didn't even get that much. There's nothing at all under the "Master Reconnaissance Tool" heading, and I have Java and JS enabled. Good old Proxomitron.
Rick

 

Be sure and read the comments following the blog, especially:

"Here's my results - and how to better protect yourself."

Also, look at this thread, especially LWM's posts and his link to an earlier thread:

https://www.wilderssecurity.com/showthread.php?t=174453

And rightly so, because of the way the article is craftily constructed. This type of journalism has become almost a genre in itself.

Think carefully of the impact of the language and the flow of content. ("loaded" words in bold)

Title:

Leak: to allow to become known, as information given out covertly.

The information given out by the browser is not covert, it is overt, and this is widely known. See threads referenced above.

Opening Statement:

Very descriptive writing, setting up the reader with fear, uncertainty, and doubt as to what might lie waiting for her/him in what would appear to be the dangerous swamp called the internet. The reader is likely to pass quickly over the word "could."

There are the obligatory references to experts giving a paper at a conference. (Look for numerous quotes from Joanna Rutkowska's appearance later this year at the Black Hat Conference)

Data is presented, and we learn that:

How would breaking into the machine be accomplished? We are left in the lurch to imagine the worst. The comments about Wifi are too general, and known exploits have occurred where user security has been either too lax or non-existent. See references in the blog comments.

Now, many of these experts are knowledgeable in their field, and have contributed much to understanding how exploits work. But by culling statements from their presentations for their sensational impact, and leaving it at that, gives the reader nothing on which to base an analysis and think about security. Mentioning the dreaded XSS attack helps too.

Now, we have something: a social engineering element has been add to the pot.

Left unsaid: when and how does he find you to make this attack? There may be something here that needs to be dealt with, but we are given nothing of substance.

Concluding statement:

Really?

This type of journalism with similar articles and titles certainly attracts many readers to the site, but one has to question, of what use is it on a site devoted to technology? Of greater interest to readers would be bringing in people with solutions and more analysis. Here, we have just one side of the discussion and one point of view.

I'm sure that when a sample attack surfaces, ways of securing will become readily evident in addition to those mentioned already.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

What he said!

 

Thanks, Ron and Pedro.

-rich

 

Hello,
What they said ... and more.
Experts say ... hah!
Cheers,
Mrk

P.S. Turn on the javascript to see the demo... uh oh... really...

 

If my computer hears about a $50 DDR400 2x1GB. Otd, no rebate, Crucial, OCZ or Patriot brand & CAS2 RAM deal.

I think my computer would bust through my front door.

I'd have to chase it down the street.

 

here is a blog about a privacy conference that is quite scary:
http://blogs.zdnet.com/security/?p=197

Has anyone a clue to counter this flow out of privacy information

Well What a load of rubbish Who ever made it has no idea or rather is scare mongering .simple answer to this junk and so called test out links ,Don't have Java running ,as thy The test site want it enabled ,i got Nil responce and as far as as soon as your pc turns on it sends out , Ehhhhh , "Umm teh" -- ok but first one has to be on the nett ! i see a few valet pionts made but hy could be less scary to a new reader! and this cant do a thing about it ,Mmmm think the fella should jion here and learn !

 

I use Proxo with Sidki's latest configs but that page Master Reconnaissance Tool told me a lot of stuff Fx reveals. Most of it I know it reveals. How did that site know though what sites I visited a month ago? They looked at Fx history?

Plus, why would they report that I have LocalRodeo plugin for Fx? I had never heard of it and I certainly don't have it! I had to do a search to find out what the heck it is. They also say I have Java enabled. I don't. I don't have Sun Java.

 

I put that page to Trusted Zone and it showed no info (in IE it is possible to choose, which javascripts to enable & disable, so it is not just enable & disable javascript). When I set Trusted zone to Medium-Low I got this popup and after I acepted it, it showed some info.

Rich is absolutelly right, there is no reason, why anyone should bothered about that info being revelead, it is not like revealing credit card numbers. If someone wants to protect that info by slowing down his internet using proxy, it is his choise. By the way, I have enabled error reporting, anonymous info sending to MS, Google and I know, that some software on my PC call home, since I have no outbound protection, and it does not bother me at all. I have nothing top secret at my PC, though they can find out, that my current hardware sucks.

 

I just tried that site in Maxthon with scripting set to prompt (I had it turned off originally). I could get no information in Trusted Zone or not. But the reason is a scripting error on the page. I hate IE. IE6 is as bad as IE5.5 on my older 98SE machine. Constant scripting errors. I was curious though to see what would be revealed about IE.

I still don't understand how that page can claim I have localrodeo plugin for Fx when I don't. Plus, it also claims I have localrodeo plugin for SeaMonkey and I don't.

 

The Mr-T doesn't work on IE6. You can read the author's blog about it. It only works on IE7.

As for it saying I have LocalRodeo installed on Fx and SeaMonkey, I started a thread at Mozillazine and got some interesting replies. One person explained everything about Mr-T.

BTW, NoScript for Fx next version will incorporate what is in LocalRodeo.

I don't know why everyone has been dissing the article. Actually, when you look into this, I am sure glad that I use the Proxomitron and Hostman. It was an excellent article ...not FUD either. You should be concerned with what your browser is revealing. I got my answers but not here which surprises me a bit.

 

I'm not surprised at all, instead.
I noticed many people here tend to overlook what is happening inside their browsers, as long as they've got antivirus, firewall and possibly a sandbox wrapped around their browsers. So anything marked as JavaScript related is either labeled as browser specific (my browser is safer than yours) or paranoid (my PC can't be hacked by a web page), and the info they give away is not considered precious unless it comes from the local filesystem.

As I tried to point out in another thread, there's so much ongoing inside our browsers that we should keep our eyes opened wide even if we browse the internet in a completely isolated virtual machine.

The fact is that much of our life is moving online, so having our web profiles compromised (webmail account, facebook, linkedin, myspace or whateversocialnetworkimaffiliatedto account, GtheNextGreatestGoogleApp access, not to mention tax filing or other government services, online banking, paypal and the like) can be just as bad as having our PCs 0wn3d.

 

What they are criticising is the panic article without solutions. Worst, they state there is no solution. Nothing helpful is in that article.
Rich approached it. Maybe you prefer to reply to his post?

 

Hello elio,

That was not the point of those criticizing the article.

More useful would be more indepth discussions such as the one you started about XSS, with viable solutions suggested.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Pedro, my "most people" didn't include neither you or Rich, actually.
Furthermore, I'm just arguing that this forum is probably not the first place to visit for web security advice (yet?).

Rich's answer is actually very thoughtful and balanced.
Nonetheless, if someone who's never been exposed to these "pure web" vulnerabilities could interpret it as a dismissal (move on, nothing interesting to see here). On the contrary, the not-so-apparent and maybe inconvenient truth is that the "solutions" he indirectly points out (like disabling JavaScript) are actually considered too much radical by many users of this board.

Anyway, I think that rather than replying I could integrate it to a certain extent...

I subscribe to this comment, which deserved to be linked, and especially to its final "rundown" and conclusions which deserve to be quoted:

The link above is worth to explain and reassure about some "privacy jokes" and scaremonger sites, but is slightly off-topic here.
MR-T is not a demo of the typical HTTP-headers munching server side script, and it definitely collects much more data than you expect to give away in your typical navigation session.

Sure, we all consider "overt", for instance, our global navigation history, i.e. the list of the web sites we visited, let's say, during this session or even during this month...

What about portscanning your machine or even your local network? How "overt" should a map of the services running in your PC, in your router or in a webserver inside your private intranet be?

Just to be short, the aim of an article like that is not and should not be an in-depth technical discussion of how web-related security issues work.
It may serve as an introduction and an awareness bell ring, but then, if you want detailed explanations allowing you to build a plausible defensive line, you are free to gather information elsewhere: the article itself contains a good link to start, RSnake's blog, and the MR-T's source code is itself the most instructive reading.

Where the article falls short is to provide any advice to end-users, as Rich correctly pointed out.
It doesn't mention NoScript or TOR, even if RSnake himself is a NoScript user
On the other hand, it seems most readers managed to figure out their conclusions anyway, so the piece wasn't that bad maybe...

 

Yes, it serves the purpose of awareness, but not enlightment.

Well, if you keep posting, we'll do better. I was compeled to give FF another go because of Noscript, after your discussions about XSS.

Now i'm trying again Proxomitron, this time giving a damn about how it works. I can block scripts per site, but i don't know how/ if it counters XSS. Next i'm checking out Sidki's filters to see.
This is because i like Opera a lot, but it lacks this kind of control.
And this tool does a lot Proxomitron rules big time

 

Elio,

As a starting point for those here who haven't waded through that long thread, your description of the XSS types is informative:

https://www.wilderssecurity.com/showthread.php?p=1002678#post1002678

Also, these posts in the same thread by:

fax Post 26

and

flinchlock Post 51.



regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

In some ways this is true, because people get caught up in discussing products, rather than analyzing threats and developing strategies that lead to solutions. Herbalist hits at this often.

Too bad, because ronjor posts articles almost daily that provide information about current exploits, trends in the industry, etc.

Unfortunately, they aren't as popular as "Which is better" topics.

EDIT: another difficulty is when a poster asks for advice. Without knowing the details of his system, his surfing habits, etc, it is often very difficult to give advice, because the intitial question often is, Would this product make me more secure?

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

How true

OK, let's fuel some "popular" discussion, then

Pedro!!!

NoScript > Proxomitron (much greater, in facts) against JavaScript treats.
Proxomitron just filters the textual content of the response, it cannot prevent script execution: there are several quite obvious ways to escape those textual filters (e.g. embedded event handlers, CSS expressions or bindings, encoded data: URLs and so on), so I'm fairly confortable stating that, generally speaking, Proxomitron cannot effectively block a malicious script.
This is a job for NoScript.

Once you convert to Firefox+NoScript, you can keep Proxomitron for content filtering (especially if you still use multiple browsers) or you may prefer switching to Firekeeper, which can do more or less the same (a bit more actually) but from the browser inside.

Anyway, client-side protection from XSS is currently given only by NoScript.

Inflammatory bottom line:
Firefox+NoScript(+Firekeeper?) > Opera+whateveryouwant

 

I'm quite interested in this. As a long time user of firefox + Proxomitron (sidki) I'm curious about the alternatives. From what I gather, to simulate the proxomitron environment using fx extensions, I'd need:

Adblock (Plus) + Filter set
noscript
greasemonkey + scripts
Firekeeper

Would using the above be a better option than Prox now, pros/cons?