The Recycle Bin

A repository of comments, code, and opinions.

Google’s Malware Detection: Worthless at Best


Dangerous at worst.

Google has rolled out a new feature where it attempts to warn people who it thinks are browsing from malware-infected PCs. It’s a noble idea, and I don’t want to rag on them too much, but it is also a terrible idea. Most of the time I would say something like ‘at least someone is trying.’ But I can’t with this one. There are so many problems with the idea in general, and their advice is so unbelievably wrong it borders on malicious.

How It Works

When you do a search on Google.com, Google will look at the IP address of the incoming web request and compare it to a list of IP addresses that known malicious proxies use. If it’s on that list, your results page will show a banner that says something like “Your computer appears to be infected” and then link you to their wonderfully ignorant help page: http://www.google.com/support/websearch/bin/answer.py?answer=1182191

When you do a search on Google, your web browser is sending a request to Google’s servers. When Google receives this request, one of the fields in it is your computer’s IP address – think of it as the return address on an envelope. Malware is able to modify your machine so that every web request you make is routed to one of their “proxy” servers. Once the request hits their server, they can read it, modify it, or do whatever they like, and then forward it on to the site you were trying to reach. Now, when that site (Google in this case) gets the request, the return address isn’t your computer but the malware’s proxy. Google will do the search, send the page to the proxy, and the proxy will send it back to you. You likely have no idea that this proxy is siphoning your requests and watching everything you do. I made a slideshow demonstrating the concept:

So what Google is attempting to do here is look at the IP address of the request and if it is from a known malicious proxy, include this malware warning banner at the top of the results.

What’s Wrong With it?

Look at the “Malware Response” part of the slides, and see how the response also gets routed through the malware proxy? That proxy is able to edit the page that Google sends back and is in complete control of the content. They could replace the banner to say “Your computer is infected with malware, click here to download antivirus software” and then link them to a fake anti-virus Trojan that could extort money. Every link on this page could be modified to point to more Trojans: http://www.google.com/support/websearch/bin/answer.py?answer=8091. How many users are going to think that this fake anti-virus program is legitimate now that Google is pointing them there? This just shows a complete lack of technical understanding by Google, and advice from a source like that is always the worst type of advice.

What Should They Have Done?

Nothing. There is absolutely nothing a remote website can do if your computer has been modified by malware. A remote site cannot even accurately warn you that you are infected, because the proxy can just remove the warning before the page reaches your machine. All of the advice given there to fix your machine once it is infected is as worthless as snake oil. The only thing you can do to remove malware from an already infected machine is to reformat it and start over. If you are lucky and have a backup that you trust, you could try reverting to that.

Please, please, please, please, please do not click on any banner or link that tells you that your computer is infected. This has been common advice for battling fake antivirus Trojans for a while now, but apparently Google wasn’t listening.

Written by Nathan

July 24, 2011 at 11:52 pm

Posted in Security, Web


Public Wi-Fi Dangers with Android Phones


Turns out there is a nasty vulnerability affecting pretty much every Android phone out there. Since it involves connecting to public Wi-Fi networks, it seems like a good follow-up to one of my previous posts.

Here’s how it goes: When you connect to a site like Facebook for the first time, you exchange your credentials with the site and in return the site generates a unique session ID. After the credential exchange, all you need is your session ‘token’ to authenticate with the site. This token is only valid for a period of time (configured by the site: some are 30 minutes, some 2 weeks, some never expire). This allows you to revisit the site and remain logged in without entering your credentials every time. Android phones are set by default to automatically reconnect to Wi-Fi networks that they have already connected to. Once connected, the apps on the phone automatically connect to their corresponding web service, either exchanging session tokens or real usernames and passwords.

Here is what an attacker can do: If a person has connected their phone to a common public Wi-Fi hotspot, say Starbucks’ Wi-Fi, whose SSID just happens to be “Starbucks”, then the next time their phone sees a network named “Starbucks” it will automatically connect to it. All an attacker has to do is set up a malicious hotspot near a real one, name it the same thing, and wait for the phone to come into range of the network and automatically connect. Once connected, they can grab session tokens and then operate on that site as that user, as well as eavesdrop on what is being sent to the service.

Since most sites only use SSL for logging in, your user name and password for the service are protected. However, there is a pretty good chance that the site does not use SSL for the rest of the session and simply sends the session token in plain text. The problem is that Android will reuse the session tokens generated while the phone was connected to the previous trusted Wi-Fi network, meaning that your session ID is fair game for anyone to use.

The best way to mitigate this is to turn off the option to automatically reconnect to networks that the phone has already connected to.
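To see the server-side half of this problem in code, here is an added example (mine, not from the post or the linked write-up): it feeds a constructed Set-Cookie header into Python’s standard cookie jar and checks whether the session cookie would be attached to a later plain-HTTP request. The Secure cookie attribute, which the post does not mention, is what stops a browser from sending the token unencrypted; the hostname and token value are hypothetical.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers: the session cookie as a "login over SSL,
# everything else over HTTP" site might issue it, and the same cookie with
# the Secure attribute added.
WEAK_COOKIE = "sessionid=c0nstructed-token-1234; Path=/; HttpOnly"
HARDENED_COOKIE = "sessionid=c0nstructed-token-1234; Path=/; Secure; HttpOnly"

LOGIN_URL = "https://social.example/login"  # HTTPS login page (hypothetical host)
HTTP_URL = "http://social.example/feed"     # plain-HTTP page visited afterwards
HTTPS_URL = "https://social.example/feed"


def cookie_names_sent(set_cookie_header, issued_from, later_request):
    """Store a Set-Cookie header received from issued_from in a browser-like
    jar and return the cookie names the jar would attach to later_request."""
    jar = http.cookiejar.CookieJar()

    # CookieJar.extract_cookies() wants a response whose .info() exposes
    # get_all(); an email.message.Message carrying the header does the job.
    headers = email.message.Message()
    headers["Set-Cookie"] = set_cookie_header

    class _Response:
        def info(self):
            return headers

    jar.extract_cookies(_Response(), urllib.request.Request(issued_from))

    req = urllib.request.Request(later_request)
    jar.add_cookie_header(req)  # honours the Secure flag by request scheme
    cookie_header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip()
                  for p in cookie_header.split(";") if p.strip())


def leaks_over_http(set_cookie_header):
    """True if the session token would ride along on a plain-HTTP request,
    i.e. anyone running the Wi-Fi hotspot could read it off the wire."""
    return "sessionid" in cookie_names_sent(set_cookie_header, LOGIN_URL, HTTP_URL)


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(f"{label:9s} http: {cookie_names_sent(hdr, LOGIN_URL, HTTP_URL)} "
              f"https: {cookie_names_sent(hdr, LOGIN_URL, HTTPS_URL)}")
```

Turning off auto-reconnect protects one phone; the Secure attribute (together with serving the whole session over HTTPS) protects every user of the site.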

Much more detail here: http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

Written by Nathan

May 19, 2011 at 10:39 am

Posted in Security


Secure Mobile Browsing


I’ve written and rewritten this post about three times already, and I’m tired of thinking about it. I’m just going to write out whatever comes to mind on the subject and post it as is.

This started as a conversation with my wife about the safety of mobile banking. We were driving away from our credit union and I wanted to check whether a transaction had posted yet, so I pulled out my smart phone, browsed to the credit union’s site and checked. She told me that she has reservations about browsing anything sensitive (banking, email, etc.) on a smart phone.

With this post I intend to explain what happens when you browse the mobile web and hopefully put to rest some fears.

Websites can be connected to in two different ways: unencrypted (HTTP) or encrypted (HTTPS). Most sites use a hybrid approach: HTTPS for the login or checkout page, and HTTP for the rest of the site. Banks, however, should use HTTPS 100% of the time. I blogged a while back about HTTPS, so I’m just going to paste what I wrote then here:

[With HTTPS] the goal is to establish a unique encryption session between your computer and the server, so that eavesdroppers aren’t able to steal your valuable information as it gets sent along the line. This is accomplished by using the Secure Sockets Layer (SSL) protocol. SSL uses public-key cryptography to securely establish a session (symmetric) key that is used to protect the subsequent data. This is how it works:

1. Client (you and your browser) connects to a server over https:// (port 443).

2. Server sends you its public certificate. This certificate contains the server’s public key.

3. Client generates a random number, encrypts it with the public key from the server’s certificate and sends it. This number is the premaster key.

4. Server takes the premaster key along with some other random numbers that were exchanged and generates the session key.

5. Now that you and the server have agreed on the same key, all the data sent from this point forward will be encrypted.

So we can now settle on the fact that if the site you are browsing is using HTTPS, then no one can eavesdrop and steal any of your info. This is true whether you are browsing from your home computer, your work computer, a mobile phone connected to 3G, or a mobile phone connected to an open Wi-Fi network.

So, why do some people say it is unsafe? There is an added risk of phishing attacks when you are browsing on a network you don’t trust (unsecured open Wi-Fi). Since all the traffic from your phone to the website has to travel through this router that you don’t trust, the attacker could send you to a page that looks just like your bank’s page, at which you will log in, get some sort of error, and then be redirected to the real page. You will probably think that you typed your password wrong, try again, get through, and never think twice about it.

So that is the only reason why you shouldn’t do any sensitive browsing on an open Wi-Fi network. All other networks are safe, provided the site uses HTTPS. If it doesn’t, it doesn’t matter if you trust the network or not, everyone can see everything you do.

I would love some questions if anything is unclear, and I will do a follow-up.

Written by Nathan

May 11, 2011 at 10:50 am

Posted in Security


Enhanced Mitigation Experience Toolkit


EMET 2.0

I learned about this tool at Microsoft’s Bluehat 2010 conference this year. A blurb from their website explains it as:

“EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited. By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products. In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.”

EMET allows you to apply certain security mitigation techniques to programs whose code cannot be changed to include them. You could have a legacy application that is no longer being developed, an executable that is currently being exploited that you would like to harden, or just any particularly risky program that you want to shore up.

[Screenshot: EMET]

[Screenshot: my current configuration]

I decided to pick all Internet-facing applications (Messenger, Mesh, IE) and a few of the more highly targeted programs (Adobe Reader, Office) and enable all of the security mitigations that EMET can provide.

It’s a neat little tool, and it works really well. I have not noticed any performance impact.

Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&displayLang=en

Written by Nathan

November 13, 2010 at 1:30 am

Posted in Security

IE9 Taskbar Integration


IE9 – http://www.beautyoftheweb.com/ – has an awesome new feature that lets you pin websites to the Windows 7 taskbar. You simply drag the tab down to the bar and it gets pinned and starts to function more like a regular application. With just a little bit of markup, web developers can add tasks to their jumplist and provide an overlay icon that shows up-to-date information.

Here is a screen shot of Twitter pinned to the taskbar:

Twitter pinned to the taskbar

To the left is LinkedIn, and Amazon is to the right.  The other two icons are Live Writer and Live Photogallery.  As you can see, web pages look just like normal applications.

Also, when you pin a website, the colors and header of IE change to match the branding colors of the site. It’s as if IE steps out of the way and lets the website own the entire experience.


WordPress.com has jumped in on this and added taskbar and jumplist integration for every WordPress.com blog.  Go ahead and drag The Recycle Bin to your taskbar and see for yourself!

Written by Nathan

October 8, 2010 at 9:00 am

Privoxy


The AdBlock guys did some interesting analysis on exactly how much bandwidth, space, and resources web advertisements are taking up and wrote about it in this blog post [adblockplus.org]. They develop an ad-blocking plug-in for Firefox, so they definitely have a one-sided opinion on the issue. It’s interesting either way to see just how much these ads “cost” you. Add this post together with the one from here a while back about malware coming in through advertisements, and it makes you want to block them all the more.

On top of plug-ins for your browser there is another (arguably better) way to block ads, and that is a web filtering proxy. A proxy is simply a filter that sits in between your internet browser and the web and can help you control what you receive or send out. I’m currently running Privoxy, an open source local proxy, and absolutely love it. It is really simple to use – just install it, and set your browser’s connection to use a proxy at 127.0.0.1 port 8118. It’s a quick and dirty way to block advertisements for any browser on your system without using browser plug-ins.

Written by Nathan

February 10, 2009 at 12:47 am

Posted in General

Teaser Feeds


It really bothers me when websites truncate their posts in RSS feeds and only show you little snippets of the story. It defeats the purpose of RSS and renders my offline reader useless. I can understand why they do it: they want page views and ad impressions, and most of the time the post isn’t that interesting, so I skip it. But really, does the Whitehouse.gov RSS feed have to do it too?

Written by Nathan

January 26, 2009 at 1:13 am

Posted in Web
