General discussion

  • Creator
    Topic
  • #2184210

    Firewalls; Java; Security; Windows; Linux Scary!

    Locked

    by lastchip ·

    Having followed another discussion relating to Windows, I decided to run some security checks on my home network and used a site http://www.auditmypc.com – a site I have not used previously.

    It was with some dismay, that this site punched straight through my Hardware (BSD based) firewall and Zone Alarm on my Windows machine to reveal my internal IP address.

    How was it done? Via a Java program the site tells me!

    So experimenting with Firefox’s settings, turning off BOTH Java and Java Script had the desired results and auditmypc could no longer “see” my address. However, that meant that I could no longer use secure sites such as my on-line bank; a frustrating backward step that was unacceptable to me. Reinstating Java Script solved that problem, (Java still turned off) but I understand from a security point of view, this is not ideal either.

    It now makes me wonder, if there is any such thing as a secure environment. auditmypc at its first attempt gained the information without my knowledge. I was totally unaware of that information being collected. WHAT ELSE is being collected without our knowledge or consent?

    Oh, and for anyone that thinks they are safe behind a Linux machine, my Xandros/Firefox combination produced identical results!

All Comments

  • Author
    Replies
    • #3186106

      Java and JavaScript are attack vectors? Who knew?

      by stress junkie ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      I’ve been writing about these problematic components for a long time. I often complain to web site administrators when I find that they are using one or both of these components. I won’t mention any web sites but there are a lot of them.

      I have disabled Java completely for my web browser. Unfortunately I find that JavaScript is so widely used that I cannot realistically get away from it.

      Remember, though, that any software feature can become an attack vector. Even when we talk about Unix security we are limiting that discussion to attacking the system software. User data is just as much at risk on a Unix machine as it is on a Windows machine. That is why I have different user accounts on my home machine. I have one account just for accessing the Internet. I have another account for personal data. The Internet account cannot see the files that are owned by the personal data account. I never access the Internet from the account that has the personal data.

      I use Unix/Linux but you can do the same thing on Windows.

    • #3182289

      Tells you something doesn’t it

      by tony hopkinson ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      You can only access on-line banking through an insecure technology.
      Indeed. They used your HTTP port to send down a program that ran locally with the authority of your JVM. It collected info and then punched it back through HTTP.
      So the real problem is the authority assigned by your OS to the JVM. Seeing as options to control and leave it working are extremely limited your only real security option is to kill client side execution of alien code. Do that and the trusted computing architecture falls completely on it’s arse, where it belongs in my oppinion too.

      • #3195413

        to true

        by jaqui ·

        In reply to Tells you something doesn’t it

        the best rule of thumb for any online activity:
        it is not to be trusted.

        no exceptions, always assume that it can or will be intercepted.

        128 bit encryption has been broken.
        so the standard ssl is not secure.
        no clientside script is secure.

        any the communication channel between your system and the remote system is itself subject to being cached on a hacker’s / phisher’s machine.
        once you end the session all that data is available for them to work on decrypting it.

        a new security model needs to be implemented. my personal prefference for such requires that the remote site ( like TR ) to send a disk with the required keys to use encryption over and above that used in ssl.
        once you have the keys, you install them in your browser and then you connect to the https site, and the keys are used to set up a secure session in the ssl session. you’ve doubled the encryption, with no decryption sent online.

        completely changes the ecommerce aspect though.

        • #3195392

          I don’t feel so alone now.

          by stress junkie ·

          In reply to to true

          I have made similar statements about not trusting any communication scheme that travels over the Internet. I often get responses that indicate that people think I’m a nut. Recently I had one person say that if it’s good enough for banks then it is good enough for him.

          The prevailing opinion, even among techies, appears to be that “They” wouldn’t use this or that technology to transmit confidential data unless it was secure. “They” will protect us. “They” know what they’re doing. Etc. I disagree with all of those assumptions and the resulting conclusion.

          Security is too important to take chances. I expect that anyone who has had their identity stolen would agree.

        • #3195263

          Yeah, cause banks never lose our personal info. ;)

          by Anonymous ·

          In reply to I don’t feel so alone now.

          The truth is there is no such thing as perfect security. All you can do is secure to a level such that the cost for breaking in is higher than the potential reward. unfortunately security costs money, so businesses tend to aim as low as possible in order to protect their margins.

          Personally, almost all my internet activity is done from a Virtual Machine, which get’s restored to initial state after every reboot (that or a Knoppix CD).

        • #3196125

          and..

          by jaqui ·

          In reply to Yeah, cause banks never lose our personal info. ;)

          I never said my suggestion was perfect, only that it is better than the single layer used now. ~G~

          but I don’t trust any site

          nor do I trust the certificate authorities that issue the certs to enable ssl.
          ( they may actually do thier investigating right*, butthere is no accountability if they screw up, so it’s a purchase the certificate and go senario )

          * Verisign and Thawte do investigate as much as they can with thier higher rated certificates, but youpay extra for that.

        • #3048409

          it comes down to their cost/benefit analysis

          by jerry~beans&bytes ·

          In reply to Yeah, cause banks never lose our personal info. ;)

          and i don’t trust them to care as much as i do.

          i have the luxury of doing my work in a totally offline environment. this is a sacrifice machine, my window to the online world. if i need something from outside for my work, it comes in here, gets scanned seven ways to Sunday, and then is introduced to my network. i use a prepay credit card for online transactions, and never put more on it than i expect to use.

          is it inconvenient? not more so than i can take.
          is it secure? i’m not risking more than i can afford to lose.

    • #3051477

      Security != Convenience

      by akhasha ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      No, really. But getting your IP address from the other side of a firewall doesn’t mean much, if your firewall is set up sensibly.

      • #3051450

        The problem is how it was done

        by stress junkie ·

        In reply to Security != Convenience

        The reason that obtaining the computer information is a problem is that it was obtained by running code on the victim computer. It’s a proof of concept for running malicious code. Obtaining the IP address simply proves that the Java and/or JavaScript code from the remote computer can obtain information that it should not be able to see. Adding to the vulnerability is the ability of JavaScript to run external programs. I’m not really up-to-speed on JavaScript’s capabilities. I’m just repeating what I’ve read. The idea is that if JavaScript can run external programs then it could gather a lot of information including the name of the operating system, its version, its patch level, the account name of the user running the web browser, and other details about the victim computer. That would tell the remote computer how to attack the victim computer.

        • #3051441

          Quite so!

          by lastchip ·

          In reply to The problem is how it was done

          And the reason for starting this discussion.

          I repeat, there was no way I could tell this “snatching” of information was taking place; that’s the “scary” bit.

          It seems to me, any Internet open port, is a potential vulnerability. After all, if you want to enjoy using the Internet, how else are you going to communicate? Hence my comment; “It now makes me wonder, if there is any such thing as a secure environment.”

          Now to the real crunch. If you want to use your computer as I do, for secure(?) transactions, in many cases, you are locked in to using Java Script. Between a rock and a hard place springs to mind.

          Further, TR is on the whole, an “informed” site. How many millions of “victims” are out there, just waiting to be robbed?

          Surely, now is the time for a re-think from the ground up!

    • #3051128

      But, how bad it is, actually?

      by chilango02 ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      It’s obvious that we all prefer to keep our internal IP addresses out of stranger’s eyes.

      But, is it really bad by itself? Or only a sign of a not-so-securely configurated network??

    • #3050648

      well Linux is a bit safer with java on

      by sagetumbleweed9 ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      I ran to http://www.auditmypc.com with konqueror
      – and behold – the intimate IP was revealed.
      ouch. I tried tweaking a few things to no avail.

      I am doubly disturbed…
      1) Beloved Java bumming me out.
      2) How did they do that? I can’t get a fix on
      how to find my own IP with java.

      I fired up the fox and tested it out – and my
      loacal IP was not revealed. The major difference
      I think is konq uses an older blackdown (1.42)
      jre, while firefox uses 1.5+. Maybe the older
      mozilla code in konq is bad.

      However, even though firefox passed auditmypc
      tests, another online firewall test found the
      local IP address 127.0.0.1. Perhaps, a lucky
      guess? It knew the Computer Name though (and
      it’s not “My Computer” so it wasn’t a guess).

      for Windows users, I bet (under a dollar to be
      safe) you can make zone alarm pro mask out the
      inner IP address. Perhaps you might have to make
      it a static IP and add it to the restrictions –
      like one does to block credit card numbers and
      such with zap.

      ~Strongheart~

      • #3050611

        Not just IP Address though

        by tony hopkinson ·

        In reply to well Linux is a bit safer with java on

        One fella selling a scurity tool used to redirect you to a page and display a directory listing of your machine.

        Get local IP Address
        SCRIPT>
        var ip = new java.net.InetAddress.getLocalHost();
        var ipStr = new java.lang.String(ip);
        document.writeln(ipStr.substring(ipStr.indexOf(“/”)+1));

    • #3051990

      Use extensions on Firefox to block java

      by cornejo.alvaro ·

      In reply to Firewalls; Java; Security; Windows; Linux Scary!

      You can use “noscript” extention for firefox in order to block java scripts on a per site basis. I do not know about a similar solution for IE

Viewing 5 reply threads