Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Personal Computer Security - Interesting Read
http://blogs.zdnet.com/security/?p=197
Very interesting stuff on information leaking from any computer. Like yours. My systems are very secure, but this still showed more than I would like. Make sure you check the Mr-T info (at "click on this link") and the "Ferret" link to see the powerpoint. As far as I'm concerned, breaking into my house through the phone line is no different than breaking in through the window -- and the perpetrators deserve equal treatment.
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
Banned
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,232
Not much of that information is terribly useful, but the fact that it spit back the local private IP is a bit alarming. WTF? Why would the browser report that?
Registered
I noticed the LAN I.P. too. Weird.
__________________
Make sure to check out my balls in the Pelican Parts Catalog! 917 inspired shift knobs. '84 Targa - Arena Red - AX #104 '07 Toyota Camry Hybrid - Yes, I'm that guy... '01 Toyota Corolla - Urban Camouflage - SOLD
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
You work late too, huh?
I think there's an awful lot that is alarming - WiFi known networks, drive shares, email passwords, IM (don't use it) lists, etc. Really amazing stuff - lots that's not useful, but if you're a blackhat there's a lot that is.
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
Registered
Quote:
Dave
__________________
Make sure to check out my balls in the Pelican Parts Catalog! 917 inspired shift knobs. '84 Targa - Arena Red - AX #104 '07 Toyota Camry Hybrid - Yes, I'm that guy... '01 Toyota Corolla - Urban Camouflage - SOLD
You do not have permissi
Join Date: Aug 2001
Location: midwest
Posts: 40,185
I tried the "For a basic idea of the kinds of information your browser is willingly coughing up. Click on this link", and it responded: "Turn on JS, numbnuts."
Firefox has a plugin called "NoScript" which everyone should be using. It's easy to allow trusted websites with one click and one more level of "defense". Also, turn off Outlook Express preview (or better yet uninstall it), and use a simple firewall like ZoneAlarm. Also push Start/RUN, then type in "msconfig" for a list of the processes that start automatically when the computer does. A lot of programs (cough...spyware) such as RealPlayer and QuickTime install "updaters" which run unseen in the background.
__________________
Meanwhile other things are still happening.
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Slodave: I use Firefox as well. It's interesting what the scan found in IE, though, even though I don't use it, block it with my firewall, and have pretty much neutered it. But because some apps require it I can't completely rip its black heart out of my system. I particularly dislike the DRM crap IE uses and whenever I find DRM components I kill them.
Mine (npdsplay and npwmsdrm will be dead before the hour is out):
Browser Plugins (3):
* Plugin name: Adobe Acrobat
  o Filename: nppdf32.dll
  o Description: Adobe Acrobat Plug-In Version 5.00 for Netscape
  o Mime info: application/pdf Acrobat pdf enabled
* Plugin name: Windows Media Player Plug-in Dynamic Link Library
  o Filename: npdsplay.dll
  o Description: Npdsplay dll
  o Mime info: application/asx Media Files * enabled
  o Mime info: video/x-ms-asf-plugin Media Files * enabled
  o Mime info: application/x-mplayer2 Media Files * enabled
  o Mime info: video/x-ms-asf Media Files asf,asx,* enabled
  o Mime info: video/x-ms-wm Media Files wm,* enabled
  o Mime info: audio/x-ms-wma Media Files wma,* enabled
  o Mime info: audio/x-ms-wax Media Files wax,* enabled
  o Mime info: video/x-ms-wmv Media Files wmv,* enabled
  o Mime info: video/x-ms-wvx Media Files wvx,* enabled
* Plugin name: Microsoft® Windows Media Services
  o Filename: npwmsdrm.dll
  o Description: Windows Multimedia Services DRM Store Plug-In
  o Mime info: application/x-drm DRM File dnp enabled
Firefox plugin detection:
~~~~~
John70t: Yeah, love the js message - had to turn it on for the test also. However, it also wanted a network login (twice) which I did not provide. Would really like to know what that login was for. Outhouse express has been terminated with extreme prejudice on all my machines. Don't allow plugins, so no need for NoScript, though I've heard good things about it. Your point about msconfig is excellent; Spybot also provides the utility to make those configurations.
All: This is all about the Mr-T scan. The really interesting stuff is to be found under the "Ferret" link. It all makes sense, considering what an o/s has to do when booting up, but that is for those more knowledgeable than me.
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
Registered
Interesting results. But, a little flawed.
I regularly use TOR. In the results below, it shows the results from the final proxy (I'm not on Verizon FIOS), but it reports that I'm not using TOR.
Code:
Environmental variables:
HTTP_ACCEPT = */*
HTTP_ACCEPT_CHARSET = ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_LANGUAGE = en-us,en;q=0.5
HTTP_CONNECTION = close
HTTP_USER_AGENT = Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)
REMOTE_ADDR = 72.70.36.11
REMOTE_PORT = 37233
REQUEST_METHOD = GET
SERVER_PROTOCOL = HTTP/1.1
Derived Information:
Hostname: static-72-70-36-11.bstnma.fios.verizon.net
It appears you are not using Tor
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
For sure it's not perfect. E.g., it says I have an Acrobat plug-in - I don't. It also incorrectly identifies some information in my machine but that's because I set it up that way.
Regardless, I think it's interesting to see another example of the intensity of the drive to gather data about you as well as the level of technical skill it takes to be even partially protected. The average user gets a computer from [fill in vendor name], plugs it in and goes to the 'net, all blissfully ignorant of what is going on. "But I have an anti-virus program!!"
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
Registered
Join Date: Jan 2002
Location: I'm out there.
Posts: 13,084
Mac using Safari. No data gathered.
__________________
My work here is nearly finished.
Registered
Join Date: Sep 2005
Posts: 60
"Mac using Safari. No data gathered"
Same here. Get a Mac!
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Well, the discussion stayed a bit lighter than I expected; however, I find the Safari comments interesting as I'll definitely be exiting the Microsoft world over the next few years due to Win Vista.
Points I consider worth pondering include the availability of tools to allocate spyware resources according to software usage, installed plugins, security tools, etc. Also the financial and other motivators for building and mining databases of internet users. I also saw no mention here of anyone looking into the Ferret pages. Very interesting stuff there, including:
"Wifi Packets
Probe Requests
http://www.theta44.org/software/karma.README
http://www.nmrc.org/pub/advise/20060114.txt
When a wifi enabled laptop starts up it will look for a list of “known networks” or networks it has connected to before. This list can be used to determine where the laptop has been used.
DHCP ++
You can offer up an address and pretend to be what ever server you are looking for. Look at the Karma project.
Respond to WiFi “probe”
Respond with DHCP address
Respond to ARPs
Respond to NetBIOS queries
Respond to SMB/DCE-RPC connections
Respond to DNS queries
Respond to SMTP connections"
It's not just about "testing" your browser.
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
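A defensive check for the "known networks" leak quoted from the Ferret slides in the post above, as an added example that is not part of the thread or the slides: it audits saved Wi-Fi profiles for the two settings that make a machine answer to, or announce, networks it has used before. It assumes profiles in NetworkManager keyfile syntax; the sample profiles are constructed and the finding codes are hypothetical names.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile syntax (not real networks).
SAMPLE_PROFILES = {
    "HomeNet": "[connection]\ntype=wifi\n[wifi]\nssid=HomeNet\n"
               "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "CafeFreeWiFi": "[connection]\ntype=wifi\n[wifi]\nssid=CafeFreeWiFi\n",
    "OfficeHidden": "[connection]\ntype=wifi\n[wifi]\nssid=OfficeHidden\nhidden=true\n"
                    "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "OldHotel": "[connection]\ntype=wifi\nautoconnect=false\n"
                "[wifi]\nssid=OldHotel\n",
    "Wired": "[connection]\ntype=ethernet\n",
}

# Hypothetical finding codes used by this example.
FINDINGS = {
    "open-autoconnect": "no encryption and auto-joins: any access point "
                        "answering to this name will be accepted",
    "hidden-probe": "hidden network: the client has to name this SSID in "
                    "its probe requests to find it",
}

def audit_profile(text):
    """Return the finding codes that apply to one saved profile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return []
    codes = []
    # A profile with no [wifi-security] section is an open network.
    is_open = not cp.has_section("wifi-security")
    # NetworkManager treats a missing autoconnect key as true.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    if is_open and autoconnect:
        codes.append("open-autoconnect")
    if cp.getboolean("wifi", "hidden", fallback=False):
        codes.append("hidden-probe")
    return codes

def audit_all(profiles):
    """Map profile name -> finding codes, omitting clean profiles."""
    report = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: codes for name, codes in report.items() if codes}

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_PROFILES).items():
        for code in codes:
            print(f"{name}: {FINDINGS[code]}")
```

Deleting a flagged profile, or turning off its autoconnect setting, removes it from the set of networks the machine will rejoin on its own.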