Monday, May 21, 2012

3. Personal image on the Internet: privacy vs control


"Between the idea and the reality, Between the motion and the act, falls the shadow" - T. S. Eliot




Hello!

This will be a different post that has nothing to do with my original idea for the blog: I will try an opinion post. Yes, it will not be technical, so it may reach a wider audience (non-technical people) or a smaller one (is anyone interested?).

The subject I want to theorize about is our presence on the Internet as individuals, the image of us that can be obtained from the web. Times change, the saying "adapt or die" is well known, and I will describe the evolution of my view and the reasons behind it:

  • Anonymous stage
Working in the security world, my first stage was to seek absolute privacy, becoming a privacy fundamentalist:
- I never ran Google searches while logged in to Gmail
- I had the Google Analytics hosts redirected to my own machine in the hosts file (translation: I cut off that flow of information to Google)
- No Facebook, Tuenti or the like
- Etc., etc., etc.

  • Paranoid stage
One day I created a Facebook account for myself with the sole purpose of preventing someone from impersonating me and, at the same time, finding out what people could say about me. Honestly, I distrust my closest friends; in every aspect of life they keep me on alert day and night :P (there is a precedent: a forum I had to close due to force majeure).

  • Opening stage
Social networks and Web 2.0 are bringing about a very important social and technological change and, as part of this world and, especially, as a computer engineer, I could not stay on the sidelines, so I began to open myself up to the possibility of being part of it and to get to know these technologies.

I especially remember the conversation I had with my friend and former boss Javier Megias (@jmegias), who is very active on Twitter, about this social network. He explained to me that, after a first stage of using it as a source of news, Twitter lets you create your own "brand", define yourself on the network, and give visibility to your work, profile and interests.

  • Self-portrait stage
After outlining the various stages I have been through, it is time to justify where I find myself now.

It is necessary to be aware that the data we upload to the Internet is no longer our own; we lose control over it. To illustrate, here is a link to a video I used in a talk about privacy on the Internet some years ago, which is still very relevant:



The message is clear: "Think before you post"

Therefore, knowing that when we upload something to the Internet we lose control over it, what I recommend is to keep strict control over every word or image. You may wonder, "but why can't I be natural and publish whatever I want?" For one simple reason: you have not bounded the visibility of that information, you cannot define the limits of its reach. Let's look at an example:

- Do you speak the same way to a policeman as to your friends? So, are you a hypocrite? No, you just have to know how to behave in each situation or environment. But what happens if you cannot be sure who is listening? You have to moderate yourself, just in case. So do the same on the Internet.

There are several examples of harsh consequences of publishing information on the Net, including a dismissal because of information posted on Facebook (the man told work he was sick and then published photographs of his "holidays"); or that nowadays information from social networks and private chats is used in 80% of divorce proceedings in the USA; or, fairly recently, a situation on Twitter that I want to focus on in more detail.

It turns out that two young Britons had planned a holiday in the USA and published some tweets announcing that they were going to have a big party, with sentences like "we are going to burn Troy" or "destroy America", seemingly harmless phrases. To their surprise, on landing in the USA they were detained and later sent back home (original news at www.dailymail.co.uk). This is because the FBI has publicly acknowledged that it monitors social networks.

After trying to raise awareness of the importance of strict control over published information, I am going to detail some of the measures that I currently take:
  • I use the Google+ social network, but I have turned off the famous "instant upload" (automatic upload of pictures taken with the phone to your account)
  • I don't take naked photos of myself and never will, neither with my normal camera nor with a smartphone (do you know about the #scarlettjohanssoning case?)
  • I don't use Google Latitude; why should I always be locatable? I value my privacy
  • I use Foursquare despite the loss of privacy because I appreciate its benefits
  • I have disabled the geotagging of photos
  • I try to avoid giving clues that I am on vacation and that my house is therefore empty and at the mercy of burglars. There are some websites dedicated exclusively to finding out whether a given individual may be on vacation, but I think it best not to link to any
  • I want to adopt an archaic protective measure on my laptop that @chemaalonso already uses, which consists of covering the webcam with an adhesive plaster or similar, just in case...

Recently I read an article by @enriquedans in which he commented that, as we know, nowadays every self-respecting human resources department runs a Google search for information on applicants, but some don't even ask you for a résumé: the information they find on the net serves as your cover letter. The article is this one: XXXX ¿Curriculum vitae? Are you from the past? (in Spanish)

So, after this long discourse (mental note: write shorter posts) on whether to hide or to publish without fear, I advocate control, and the conclusion is simple: paint yourself!



Well, this article lends itself to opinions, so I encourage you to leave yours and see the different views in the comments.

Greetings!


NOTE: This is a manual translation of the original blog, written in Spanish. I hope it is understandable; please tell me if you find errors. Thanks a lot!

Sunday, May 13, 2012

2. Clickjacking protection


"Work to prevent crime not to need punishment" - Confucius




Hello!

In this second post I am going to talk about the different measures that have been used to defend against clickjacking (click hijacking) techniques; I link the definition from Wikipedia in Spanish and, in more depth, in English.

I must admit that I ran up against these measures when I was trying to bypass a restriction and, furthermore, it wasn't strictly clickjacking: I was trying to load a popular page (whose name I don't care to remember) in a frame. My intention was to interact with that page from a frame of my own using JavaScript.




However, I found several countermeasures that prevent this behaviour in order to preclude clickjacking, because the ability to frame a page can be abused to take control of the user's clicks. (Even without those countermeasures, the same-origin policy would have stopped a script on my page from reading or driving the content of a framed page from another origin; what framing gives an attacker is the ability to place the victim page, transparent or hidden, under the user's cursor and capture the click.)


I was trying to explain the concept of clickjacking when I found a very good write-up, on a blog I did not know, that I recommend you read because it is clearly explained: http://rooibo.wordpress.com/2008/10/05/clickjacking-a-fondo-y-con-ejemplos/ (in Spanish)

So let's look at the defenses that have been used to prevent this attack.


One possible solution is to use browser add-ons (extensions or plugins) that protect against this attack. The first option is the popular NoScript for Firefox, which lets you define a whitelist of domains you trust to run JavaScript (its ClearClick feature is specifically aimed at clickjacking). However, this option does not work for everyone, because of the added complexity and, above all, because it shifts the responsibility to end users, who should not need to know anything about clickjacking, JavaScript or flux capacitors.

So, as I see it, it is not the user's responsibility: the controls must be moved to the server side.

The most popular option has long been inserting the site's own JavaScript into the page to hinder this attack as much as possible: non-standard, ad hoc measures written by the best programmers available, plus obfuscation of that code. These protections are under constant attempts at circumvention, so on the most popular sites we have seen a real race of measures, countermeasures, counter-countermeasures, and so on.

The following link shows how JavaScript is written to prevent a page from being loaded inside a frame (a "frame buster": the classic one-liner compares top and self and navigates the top window to the page's own location) and also how that protection can be bypassed (a "frame buster buster": the framing page registers an onbeforeunload handler and keeps cancelling the navigation the buster attempts): StackOverflow Frame buster buster.

Well, there I was, trying to get my counter-counter-protection against frames working, fighting with JavaScript, when I realized that there was a new protective measure that went beyond this cat-and-mouse approach.

And this measure is a simple idea that Microsoft introduced in IE8: an HTTP response header named X-Frame-Options, sent with any page that does not want to be displayed inside a frame. It is an HTTP header, not an HTML meta tag; browsers ignore it if it is placed in a <meta> element in the page. When the browser sees the header it knows the page refuses to be framed and does not render it inside the frame: with the value DENY the page is never framed, and with SAMEORIGIN it may only be framed by pages of the same origin. This measure soon became a de facto standard implemented by most browsers (and was later documented in RFC 7034).

So the only way to bypass this protection is to modify the user's browser (or to use one that does not implement the header), which rules out a mass attack. The caveat on the server side is that the header must be sent on every response of the site, error pages included; any URL that omits it remains frameable.

So with this my idea was finally frustrated, because my intention was to add functionality to that website, not to trick the user into installing an add-on that modifies their browser's behaviour; for that purpose it is more ethical, and easier, to write a plugin that provides the desired functionality directly.

Well, this is not a post teaching an attack or audit technique; quite the opposite, it is about how to protect a website, written as a result of not being able to obtain some "extra functionality".

Greetings!

PS: This post has taken more than 3 months to get out, when my intention was to post at least monthly. I promise to get my act together and the next one will be out much sooner; I have several ideas I'm working on.

