Posts Tagged ‘FireFox’

« Older Entries

psych0tik releases GoogleSharing proxy

Sunday, February 7th, 2010

A few weeks ago we released a post on staying anonymous online through the use of various configuration changes and Firefox add-ons. One of the Firefox add-ons mentioned was the GoogleSharing proxy add-on. This allows Firefox to reroute unauthenticated requests to Google services through a community proxy that hides your identity while you browse the internet. This add-on is still in beta, so we browsed the source and did a few tests with tcpdump to ensure that it was infact doing what it claimed to be.

GoogleSharing will reroute the following Google services (however, it can be configured not to reroute requests to specific services):

  • Maps
  • Groups
  • News
  • Video
  • Products
  • Images
  • Finance

This is a really neat concept for staying anonymous from Google. The proxy itself masks your IP address, cookies and other headers so that even while logged into other Google services, such as Gmail, searches are not linked to you. We validated this through the use of tcpdump [see figure 1 and 2(generated by Wireshark)] and you can also validate it based on the different appearance of Google web pages, including the link for “Sign Out” which reads “Sign In” with GoogleSharing enabled.

Figure 1 – GoogleSharing is disabled. We can see the lookup of google.com via DNS and then the request (with the search string) being sent to an IP address returned from the DNS request

Figure 2 – GoogleSharing is enabled (however, not using SSL.) We can see the lookup of the psych0tik development proxy, storm, and the following request to storm’s IP address with the Google search.

You can access the psych0tik GoogleSharing proxy by adding it to your proxy list.

Proxy Server: storm.psych0tik.net

Non-SSL Port: 8080

SSL Port: 8443

If you choose to use the proxy in SSL mode (highly recommended), you will need to do the following:

  1. Browse to https://storm.psych0tik.net:8443
  2. When prompted, add an exception for the SSL certificate
  3. Verify under GoogleSharing’s options for the psych0tik server that “use SSL” is enabled
  4. Enjoy!

If you have any questions or issues please contact a psych0tik staff member via our psych0tik IRC. We’ve established #googleshareproxy to provide general chat with regards to this service.

-psych0tik Staff

Tags: , , , , , , , , ,
Posted in psych0tik News | No Comments »

Anonymous browsing or being a web ninja

Friday, January 29th, 2010

These days it seems like everyone is looking at what you do online. Online advertisers make money from the ads placed on your site, but they also gather statistics about all your visitors for their own purposes. Search engines store information for a variety of reasons. Social networks contain more information on our past than most of us can probably remember.  With the rise in popularity of the internet and it’s change from a place for geeks, hackers, and nerds to a place for the whole family it seems that the idea of anonymity online has almost disappeared. The internet has gone from the dark back-row in a movie theater to the digital equivalent of Orwell’s 1984.

I’ve always been skeptical about the idea of an intertwined real and internet life. When I was growing up and chatting to the sounds of a modem, I remember being told not to post my name online, not to tell people what school I went to, or my birthday. What are the first few questions when you register for Facebook? Who can see those? Obviously Facebook is a bit different than someone you meet in a chatroom, but it is interesting to think how freely we give out information we used to keep more protected. The reason richo set up the first psych0tik IRC server was that we didn’t like having conversations monitored by the guys running the messenger services. proxyElite was born from a desire to have reliable access to web proxies and aide in anonymous access. But I digress.

There are aspects of this problem that I simply don’t want to address. Social networks, photo-sharing sites, and blogging all seem to be inevitable parts of daily life. These are however known leakages. You don’t post to your blog or update your Facebook status with the idea that it’s just for your records. This is an issue as end-users we can do little more than educate ourselves on. Look at the Privacy Policy of websites and check your settings for options to disallow other users from viewing your content.

Beyond all these information giants are the internet’s motion detectors. Silent scripts and hidden images along with tracking cookies follow your movement, constantly reporting back to their creator’s servers. A recent post by the EFF shows that even your browser’s headers can be used as a unique identifier the majority of the time. [They provide a page that shows the entropy lost by each field checked, see the references below.]

In such a complex environment as the internet it can be quite difficult to tackle a problem as large as this, but with a mixture of configuration changes, Firefox Add-ons, and using proxy solutions it is possible to add to the difficulty of tracking your online activities.

Reducing and eliminating tracking cookies is a great place to start.

Configuring Firefox to delete private data when you close it is a great way to effortlessly limit the duration a tracking cookie is present. Many antivirus solutions also have an option to search for tracking cookies and remove them. This provides an external method to clear these, independent of the browser.

I use a multitude of Firefox Add-ons to not only protect my browser from malicious content, but also to help eliminate as many of the tracking technologies as possible. NoScript and Ghostery help to block scripts that might secretly send information back. RequestPolicy is great for defending against embedded tracking images (as well as CSRF); however, it is a bit over-zealous. User-Agent switcher allows me to adjust the entropy of some of my headers to be more “standard.”

Finally, using web proxies, Tor, or services like GoogleSharing it’s possible to cloak yourself even further. These services work to either distribute your connection across other machines or to reroute it through another. The Firefox TorButton Add-on also helps to mask your headers to make your session less unique. GoogleSharing is unique in that it doesn’t proxy all requests. Rather, only requests made to non-authenticated Google services like Google’s search. The requests are routed through a GoogleSharing server (via a Firefox Add-on), normalized, and passed through. Other users using the same proxy would add to the terms and add more chaff to deter monitoring by Google.

The Frankenstein of security that is now my browser with these assorted Add-ons and changes isn’t exactly as fluid or functional as before. A lot of sites break until I sort out which Add-on has blocked which critical script. Proxies and Tor make requests run more slowly. The web is definitely a more complicated place, but isn’t the effort worth it? You wouldn’t casually walk down a dark alley filled with dangerous looking folk without some protection. All the family friendly, Web 2.0 sites and services make the internet look like a lovely place, but let’s not forget that the dark alleys exist and are often in between all the “safe havens” we travel to.

References:

EFF’s Panopticlick Research Project on Determining Browser Entropy

EFF Blog on User Tracking on the Modern Web Part2 Part3

GoogleSharing Firefox Add-on

Ghostery Firefox Add-on

Mozilla Support on Clearing Private Data

Tags: , , , , , , , ,
Posted in Articles | No Comments »

Reading Rainbow: Episode 11

Friday, July 18th, 2008

Windows has it’s place in today’s world. Here are some examples of places it is and really shouldn’t be. http://www.networkworld.com/community/node/29644

Many companies provide their employees with company cell phones. When text messaging is enabled a unique privacy issue develops regarding when the logs may be obtained. Techrepublic’s article explains how legality plays into this issue. http://blogs.techrepublic.com.com/security/?p=490&tag=nl.e036

Which browser is most secure? Which is best ‘out of the box’? This article goes through three popular browsers and discusses their security issues and strengths. http://itmanagement.earthweb.com/…E+vs.+Safari+vs.+Firefox.htm

I recently re-discovered this set of web-radio shows and thought I would post the link. They don’t have a huge selection of shows currently, but the 40 or so that are posted are really top notch. I have recently been working through the series on the Linux Boot Process and cannot recommend it highly enough. http://hackerpublicradio.org/

Quantum physics applied to security. That’s right. By keeping track of the quantum states of photons researchers have found a way to make a cryptographically secure transmission. Any eaves dropper would alter the current state and would therefor destroy the transmission. http://www.economist.com/sci…fm?story_id=11703138

Think you know everything there is to know about information security? This quiz is nowhere near comprehensive, but does ask a few interesting questions. http://www.newsfactor.com/…00Q2H0VF&page=5

Net Perspective has recently created a blog section for their developers and designers. As an ex-employee, I recommend keeping up with this set of blogs as these individuals are some of the top in the industry. http://blog.net-perspective.com/

Tags: , , , , , , ,
Posted in SamuraiNet Archive | No Comments »

Using RefControl

Wednesday, July 9th, 2008

Continuing on with my web application penetration testing series I will now go into the usage of RefControl. RefControl is useful in checking referrer-based exploits, such as CSRF.

RefControl

RefControl allows you to specify the referrer for a site when you view it. Accessed either from the Tools->RefControl options is the global list of all rules for all sites that you have set. Access from the right clicking menu are the current settings for the site you are visiting. If you have set no rules, you will be able to add in a new rule.

After selecting the RefControl options for the current site, you are able to add in your custom referer, send no referer, or have RefControl automatically send the root of the current site.

What use is this? With the tidal wave of CSRF exploits being found a tool that can help find these would be welcomed with open arms. This is where RefControl enters the domain. While referrer checking is not a hardened safe guard against CSRF many site still employ its use.  By setting RefControl’s custom referrer to an off-site referrer you are able to check forms and links with GET variables simply by interacting as you normally would. If the request goes through, that form or link should be inspected further. Sites using only Token Key Pairs might be vulnerable to this method of probing, but not vulnerable to CSRF itself. This is why it is important to continue inspecting after said vulnerability is found, rather than simply accepting it as a vulnerability.

Another interesting permutation of RefControl is setting the custom referrer to include SQL characters. Many sites check referrers and store then in a database for analytic purposes and this allows the penetration tester to check if those inputs are being validated also.

Tags: , , , , , ,
Posted in SamuraiNet Archive | 3 Comments »

Oops….

Monday, July 7th, 2008

It has been brought to my attention that the P3P settings in Firefox 2 have actually been disabled. I missed this in my research as I was going more to understand how it worked and simply assumed that it did work. Mozillazine states that “P3P functionality is not present in Firefox and will probably be removed from Mozilla Suite (see bug 225287).” (http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries as provided in a comment on my Cookies, Cookies, Cookies posting.)

I apologize for missing this fact, however; the concept of P3P and third party cookies are still valid so I will leave the posting up.

Tags: , , , , ,
Posted in SamuraiNet Archive | No Comments »

Reading Rainbow: Episode 9

Monday, June 16th, 2008

Virtual machine’s use unique MAC addresses to access the internet. This article provides a listing of their identifiers so that you may asertain whether or not a particular machine is within a Virtual machine. http://blogs.techrepublic.com.com/networking/?p=538&tag=nl.e102

Botnets are no new threat and neither is the way they are used. The article shows some statics on just how powerful they are and what sorts of damages they are doing. The second link provided is from SANS and discusses a proactive, rather than reactive way to deal with the possibility of infection. The final link provided shows how bot herders are using their destructive potential to make money. With such a lucrative business in place it puts more and more pressure on security professionals to take the next step in securing their systems. http://www.sourcewire.com/releases/rel_display….9472&hilite= http://isc.sans.org/diary.html?date=2008-06-14 http://www.technewsworld.com/story/The-….Con-Game-63357.html

Again we find proof that hackers are compromising government systems and using the data attained to raise problems. What is possibly more disturbing is the government’s continuing lax efforts to deal with the issue at hand. It seems that just pushing it under the carpet is the defacto method of dealing with these problems, when the correct approach should be to deal with the problem at the source. Here we see that Chinese hackers actually managed to gain access to dissident lists and actually managed to find the people on those lists. http://ap.google.com/article/ALeqM5g….ZaBwez4_gq7mwD918ATTG0

Mozilla’s Firefox 3 was supposed to come packaged with “private browsing” a “no digital trail” method of surfing the net, however; because of the amount of code affected by this options it has been released without this feature. http://news.cnet.com/8301-10789_3-9967829-57.html

Tags: , , , , , ,
Posted in SamuraiNet Archive | No Comments »

Cookies, Cookies, and Cookies

Sunday, June 8th, 2008

[April, 2010]Update:

Mozilla removed this functionality from Firefox in version 2 and will not be reviving it. I’m going to leave the text below, as it does describe P3P, but any mention of Firefox should be considered as an example. For more information about Mozilla’s decision to remove P3P functionality from FireFox, please see the Bug Report.

————-

That’s cookies times three… or perhaps Third party cookies. Not the world’s greatest pun, but all the same a decent intro. In this posting I will explain third party cookies and why they are bad as well as provide a method to deal with these pesky cookies without destroying your “website experience.

What are cookies and what are “third party” cookies?

Cookies are small bits of information stored on your computer. Web-sites place tracking information in these cookies to remember who you are, if you’ve logged in, in the case of shopping carts, what you’ve purchased, and all sorts of other useful information. Most of this information is not publicly accessible, even with physical access to the machine because the information is stored server-side; however, the Session ID or other information is stored within the cookie. (This is what allows “session hijacking” with XSS.)

Cookies come in all shapes and forms: first party cookies, third party cookies, session cookies, etc. A first party cookie is issued by the site you are visiting and is only accessible by that website. For example, when you visit my blog, samurainet.org issues you a cookie to keep track of if you’ve logged in and for the “unique visit” counter. Only samurainet.org can access this cookie and it’s information and thus makes it a first party cookie.

A third party cookie can be issued by any web-site and subsequently can be accessed by any web-site. The main purpose of these are for tracking users and advertising. These cookies are not important to the operation of web-site, unlike first party cookies that may be carrying your Session ID.

Managing cookies with FireFox.

Firefox provides settings for cookie management. You will find these settings in Firefox’s advanced configuration. There are three settings that I will discuss here, network.cookie.cookiebehavior, network.cookie.p3plevel, and network.cookie.p3p. Each contains values that can be modified to affect the overall behavior of Firefox when dealing with cookies.

Network.cookie.cookiebehavior – This controls how the browser allows cookies. ( values: 0 – allow all, 1 – allow first party only, 2 – disallow all, 3 – allow cookies based on the P3P policy)

Network.cookie.p3plevel – This specifies the P3P acceptance policy when Network.cookie.cookiebehavior is set to 3. (values: 0 – Low[afafaaaa], 1 – Medium[ffffaaaa], 2 – High[frfradaa], 3 – Custom)

Network.cookie.p3p - This specifies the custom P3P policy. The policy specifies 8 positions with 4 separate values that I will explain below.

Selecting the policy for you.

The P3P (Platform for Privacy Preferences, a W3C project) policy dictates the handling of both first and third party cookies from sites of various levels of trust. The trust is based on what the web-site claims to be doing with your information and cookie information. As a personal rule, I distrust even reputable web-sites and prefer to keep cookies for as short a time period as possible.

P3P gives four possible values ( A – accept, D – downgrade to a session cookie, F – flag, and R – reject) for cookie management as well as 8 various scenarios for the cookie to fall under. The P3P cookie “byte” is structured as followed. (Taken from the Mozillazine.org web-site)

  1. First party cookies from sites with no privacy policy
  2. Third party cookies from sites with no privacy policy
  3. First party cookies from sites that collect personal information without permission
  4. Third party cookies from sites that collect personal information without permission
  5. First party cookies from sites that collect personal information only with permission
  6. Third party cookies from sites that collect personal information only with permission
  7. First party cookies from sites that don’t collect personal information
  8. Third party cookies from sites that don’t collect personal information

Firefox has built-in cookie management that ranges from blank policies (in the cookiebehavior) for accepting all, rejecting all, or accepting only first-party cookies as well as pre-built P3P policies of Low (accept all and flag suspicious third party), Medium (flag all suspicious first and third party, and accept the rest), and High ( flag suspicious first party, reject suspicious third party, accept all others and downgrade third party that collect personal information.) [I have used suspicious to refer to positions 1-4 since the site either claims no privacy policy or is collecting information without permission.]

That sure is a lot to process, but are those policies good? That really depends on if they suit your needs. My policy is a custom policy, meaning I have set cookiebehavior’s value to 3 as well as p3plevel’s value to 3 (custom). I have then specified the following p3p value: DRDRDRDR. Very simply I downgrade all first party cookies (meaning they will be deleted when I close Firefox) and I reject all third party cookies, regardless of where they came from. This provides me blanket protection against third party cookies, since I don’t care about advertising and I don’t want to be tracked. Also, it provides me the ability to still use all web-sites normally, but stops them from tracking me beyond one session (at least by using cookies.)

References:

http://kb.mozillazine.org/Network.cookie.cookieBehavior

http://kb.mozillazine.org/Network.cookie.p3p

http://forums.mozillazine.org/viewtopic.php?p=2576901

http://kb.mozillazine.org/Network.cookie.p3plevel

http://www.clicktracks.com/insidetrack/articles/first_v_third_cookies.php

http://www.w3.org/P3P/

Tags: , , , , , , ,
Posted in SamuraiNet Archive | 3 Comments »

Reading Rainbow: Episode 8

Saturday, June 7th, 2008

Restrictive passwords make cracking more difficult by requiring that users use a wider range of characters; however, can restrictive password policies actually decrease time required to crack? This blog goes into the math behind it. http://lukenotricks.blogspot.com/2008/03/more-on-counting-restrictive-password.htm

Mozilla has a new campaign to break the world record for number of downloads in 24 hours. They have even gone to allowing people to pledge downloads, to be sure they accomplish their goal. This is an interesting marketing campaign. http://www.spreadfirefox.com/en-US/worldrecord/

In a previous post (America’s Cyber defense or lack there of) I pointed out problems with foreign hackers and our government. Here are two articles as a semi-continuation of the saga. http://www.scmagazineus.com/Potential-security-breach-by-China/article/110790/ http://www.thehindubusinessline.com/2008/06/04/stories/2008060451781200.htm

If you are considering being in the IT field or are looking to hire new IT staff, this article is well worth a read. 30 items that IT staff should know. I don’t agree with all 30, but the list itself is something to be looked at and will help you evaluate yourself or potential staff. http://www.infoworld.com/article/08/06/02/23FE-how-to-fire-IT-staff-skills-list_1.html

After battling with an .htaccess problem all day long I ended up at this article. It didn’t solve my problem, but is a great source of information on all things .htaccess. http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Tags: , , , , , ,
Posted in SamuraiNet Archive | No Comments »

Using Tamper Data

Wednesday, May 21st, 2008

In my previous post on penetration testing I mentioned various tools that I use for web application testing. In this post and future posts, I will go into some of these tools and how I use them. This post will be over Tamper Data, which is probably the add-on I use most for penetration testing.

Tamper Data is used for monitoring and editing requests made to a server. When you start Tamper up and refresh a page or have a page that automatically refreshes or uses AJAX you will see the requests in the top portion of the window. When selected, the bottom will display both the request headers you sent as well as the response headers you received. These can be useful for determining information about the server, monitoring background processes on a site (such as AJAX requests), and seeing all the various files and locations that are loaded when you view the page. While this is useful for reconnaissance work and gaining initial information on the a target, this is not where Tamper’s strong suit lies. As the name suggests, Tamper Data is for … Tampering with data.

Despite the fact that Tamper is running and capturing headers for requests and responces, Tampering has not actually be started. By clicking “Start Tamper” we enable Tampering of Data. Now, when Tamper notices an outgoing request it will halt that request and ask for approval. You are then presented with three options to proceed, along with the option to discontinue Tampering. If you unselect the check box, Tamper will go back into passive mode and allow you to work, undisturbed, on the current request.

Submit: This simply sends the request as-is. Normally I use this if unsuspecting traffic gets caught up in Tamper’s web, such as gmail which makes AJAX requests.

Abort Request: This should be a fairly obvious option. It will stop the request from being sent. I generally use this when I am testing a potentially malicious site. In the case that a client asks me to review some code or I am analyzing a piece of Cross Site Scripting code I will use Tamper, to allow the request to be made, but to stop it before any of the data is actually transfered. I would recommend using this only after looking over the code. Some Cross Site Scripting code does not need for a request to be made to be dangerous and therefore Tamper is a poor defense.

Tamper: Here is where the real meat and potatoes to Tamper lay. When you choose to tamper with the request you are brought to a new window. On the top of the window is the URL the request is being sent to. In the case of a POST, this saves us the effort of looking through the HTML (and potentially JavaScript) for where the request is to be sent. On the left-hand side of the window we have the Request headers and their values. We can actually modify the request headers on the spot. Instead of using JavaScript injection to modify cookie data, we can simply change it in the request header, we can modify our referrer to be anything we want, even spoof our User Agent. For referrers and User Agents I recommend other tools, but Tamper is the swiss army knife of my FireFox plug-in set of tools and I have used it over the others for such actions. Finally, we reach the right-hand side of the window. This is the POST data of the request. Here we can see what POST fields are sent and the values they are sent with. By right clicking we can add other elements and we can modify the values of current fields. Again, this saves us the effort of bypassing client side restrictions on what values may be sent or to submit an element not part of a select without using JavaScript. When finished tampering, simply select OK and watch you request be sent.

As this is an introduction to the usage of Tamper, I won’t go into advanced usage of the tool nor will I go into exactly how I execute some exploits with it. I leave you to tamper with Tamper.

Tags: , , ,
Posted in SamuraiNet Archive | 3 Comments »

Reading Rainbow: Episode 6

Monday, May 19th, 2008

I played with both of these plugins. The view formated source one didn’t do a whole lot for me, but the view source chart was a great improvement. It makes checking out HTML much easier, and with the added ability to collapse various blocks of code it makes it easier to sort through just what I want. http://blogs.techrepublic.com.com/programming-and-development/?p=670&tag=nl.e055

A friend asked me a few months ago to help him uninstall Internet Explorer 7 and it was more than a pain. Here is a great explanation of how to do it painlessly.http://blogs.techrepublic.com.com/window-on-windows/?p=680&tag=nl.e101

As security becomes more mainstream, solutions grow beyond the capabilities of do-it-yourself solutions. Here is discussed various ways to keep current and secure, without sacrificing stability and redundancy. http://blogs.techrepublic.com.com/security/?p=456&tag=nl.e036

As hacking becomes “more popular,” or perhaps simply easier with the availability of tools, proper attacks are not the elegant assaults of yesteryear. Now, brute force attacks are run simply because the tool is easily downloadable and anyone with an internet connection and a target can attempt to crack user accounts. Discusses her further is an example of just this situation. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339&subSection=Cybercrime

I saw this site on a forum and it’s really wonderful. Has texts on all sorts of programming languages, networking, the works. http://stommel.tamu.edu/~baum/programming.html

Tags: , , , ,
Posted in SamuraiNet Archive | 2 Comments »

« Older Entries