Monthly Archives: December 2008

What’s behind that short URL?

5
Posted by Tom on December 29, 2008 – 3:05 pm
Filed under Social Networks
Tagged as , ,

plz click this short url

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL’s of shortened URL’s. What is URL shortening? For example…this long URL:

http://www.google.com/maps?f=q&hl=en&geocode=&q=washington+dc&sll=37.0625,-95.677068&sspn=33.764224,56.25&ie=UTF8&ll=38.905996,-77.023773&spn=0.25915,0.439453&z=11&g=washington+dc&iwloc=addr

becomes…

http://tinyurl.com/9lum95

By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don’t freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What’s the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL’s without a mask (even manually typing in strange URL’s as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL’s? TinyURL and others offer you a service to “preview” URL’s but many sites don’t offer this and who is actually going to attempt to manually verify what is behind those links? That’s way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL’s if you hover your mouse over the links. This is great…for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The “Long URL Please” Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL’s on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site’s. No hovering over a link or clicking to a site to preview it. It just shows you the link…no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It’s going to take some work from the developer side to keep up with all of these new services. In addition, this doesn’t help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL’s won’t be going anywhere soon…lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?

JanusPA – Hardware Privacy Adapter

2
Posted by Tom on December 23, 2008 – 11:45 am
Filed under Privacy on the Internetz
Tagged as , ,

This is really cool. The guys that brought you the JanusVM Internet Privacy Appliance are about to release instructions on how to make a hardware privacy adapter. What is a hardware privacy adapter you ask?

Via Hack a day:

“It’s a small two port router. You just plug it in-line between your computer’s switch and your internet connection. It will then anonymize all of your traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device.”

Once you buy all the parts you can build your own for about $250. Not too bad for an easy way to anonymize all of your traffic over the Tor network or a VPN. Tor and Privoxy can sometimes be a real pain to configure so something like this would be fantastic to just plug in and configure once. It’s also nice that is can use OpenVPN as well.

My only issue with Tor is that it can be *really* slow for web surfing depending on what relays you connect to and there are some warnings you should be aware of. Also, your Tor installation needs to be updated frequently as the development team is always making updates and improvements. However, Tor is better then nothing if you are concerned with online anonymity.

Kudos to the JanusPA team…looks like I might have a hardware project to work on next year once the instructions get released.

Who are you giving your Twitter account to?

3
Posted by Tom on December 16, 2008 – 1:00 am
Filed under Social Networks
Tagged as ,

Twellow anyone?

It’s always interesting to me when I check out a new Twitter application, it always seems to ask you to “verify” your account or ask you to pass your Twitter user name/password to their application. This of course is done without any protections or any way of knowing what happens to your account information on the other end.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to “claim” your profile by putting in your Twitter password. This is where it gets interesting…

To the unsuspecting user it’s tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don’t record your credentials? The disclaimer says they don’t use your password for anything…you trust everyone right? :-)

What’s your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your “rank” on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application…BUT…why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness…we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What’s the fix?
First, social media users need more education. Seriously, don’t just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a “remote key” for all third-party interactions with your account. Of course this isn’t perfect but it’s a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn’t cut it.

Authentication of user credentials and social media is a big problem…(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?

Notacon 6 Speaker Update

0
Posted by Tom on December 15, 2008 – 10:53 am
Filed under Cleveland
Tagged as , ,

Notacon Logo

Looks like the Notacon website has updated the speaker list and there looks to be some really good talks so far. Here is the list from the Notacon 6 website and blog post:

Time To Replicate The Real Threat: Client Side Penetration Testing
CG & g0ne

Interactivity with Arduinos, Transducing the Physical World
droops & Morgellon the Lowtek Mystic

Fun With The MSP430 MCU
Travis Goodspeed

Hacking Light – How we came to love Holga and Other Stories of photo hi jinx
Jeon & Treize

“Pilates” for Common Cubicle Injuries
Michele Martaus

Super Jason Scott Presentation 64
Jason Scott

Programming The Sega Genesis For Mad Profit and Crazy Mad Profit
SigFLUP

Hacking Cognition
Tottenkoph & Selkie

Intro to Go
Jason Viers

What is Notacon?
Notacon is one of the most unique conferences you will ever attend! Notacon 6 is April 16th – 19th 2009 held in Cleveland, Ohio. Notacon explores and showcases technologies, philosophy and creativity often overlooked at many “hacker cons”. Registration is open!

Maltego 2.01 Released

0
Posted by Tom on December 3, 2008 – 12:55 am
Filed under Penetration Testing
Tagged as , ,

Looks like the fine folks over at Paterva have released version 2.01 of Maltego. If you don’t know what Maltego is…look here. Check out some of the changes and new features. From the announcement:

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as “import”
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back “Run All Transforms” – you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn’t have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also…the crippled “community edition” is still on the old version for now (updated shortly I am sure). By the way, it’s only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version…well worth it!

Young IT Professionals of Northeast Ohio

3
Posted by Tom on December 1, 2008 – 12:27 pm
Filed under Cleveland
Tagged as ,

There is a new group forming in Northeast Ohio for IT professionals focused on the younger generation and is an opportunity to network and learn from one another. The first meeting is at the Great Lakes Brewing Company on December 10th @ 6pm (downstairs in the beer cellar). Cost is $15 to help with appetizers but is open bar! Read: Great Lakes has Christmas Ale on tap!

If you plan on attending please RSVP to Devon Campbell (dcampbell2 [aT] mcpc.com).

This event should be a great way to network and meet others in the area! Hope to see some of you locals there!