General discussion


Firewalls; Java; Security; Windows; Linux Scary!

By lastchip ·
Having followed another discussion relating to Windows, I decided to run some security checks on my home network and used a site - a site I have not used previously.

It was with some dismay, that this site punched straight through my Hardware (BSD based) firewall and Zone Alarm on my Windows machine to reveal my internal IP address.

How was it done? Via a Java program the site tells me!

So experimenting with Firefox's settings, turning off BOTH Java and Java Script had the desired results and auditmypc could no longer "see" my address. However, that meant that I could no longer use secure sites such as my on-line bank; a frustrating backward step that was unacceptable to me. Reinstating Java Script solved that problem, (Java still turned off) but I understand from a security point of view, this is not ideal either.

It now makes me wonder, if there is any such thing as a secure environment. auditmypc at its first attempt gained the information without my knowledge. I was totally unaware of that information being collected. WHAT ELSE is being collected without our knowledge or consent?

Oh, and for anyone that thinks they are safe behind a Linux machine, my Xandros/Firefox combination produced identical results!

This conversation is currently closed to new comments.

16 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Java and JavaScript are attack vectors? Who knew?

by stress junkie In reply to Firewalls; Java; Security ...

I've been writing about these problematic components for a long time. I often complain to web site administrators when I find that they are using one or both of these components. I won't mention any web sites but there are a lot of them.

I have disabled Java completely for my web browser. Unfortunately I find that JavaScript is so widely used that I cannot realistically get away from it.

Remember, though, that any software feature can become an attack vector. Even when we talk about Unix security we are limiting that discussion to attacking the system software. User data is just as much at risk on a Unix machine as it is on a Windows machine. That is why I have different user accounts on my home machine. I have one account just for accessing the Internet. I have another account for personal data. The Internet account cannot see the files that are owned by the personal data account. I never access the Internet from the account that has the personal data.

I use Unix/Linux but you can do the same thing on Windows.

Collapse -

I did.

by Jaqui In reply to Java and JavaScript are a ...

and I don't have javascript enabled at all.
if a site doesn't work I leave, there ain't nothing on it I'm worried about.

Collapse -

Tells you something doesn't it

by Tony Hopkinson In reply to Firewalls; Java; Security ...

You can only access on-line banking through an insecure technology.
Indeed. They used your HTTP port to send down a program that ran locally with the authority of your JVM. It collected info and then punched it back through HTTP.
So the real problem is the authority assigned by your OS to the JVM. Seeing as options to control and leave it working are extremely limited your only real security option is to kill client side execution of alien code. Do that and the trusted computing architecture falls completely on it's arse, where it belongs in my oppinion too.

Collapse -

to true

by Jaqui In reply to Tells you something doesn ...

the best rule of thumb for any online activity:
it is not to be trusted.

no exceptions, always assume that it can or will be intercepted.

128 bit encryption has been broken.
so the standard ssl is not secure.
no clientside script is secure.

any the communication channel between your system and the remote system is itself subject to being cached on a hacker's / phisher's machine.
once you end the session all that data is available for them to work on decrypting it.

a new security model needs to be implemented. my personal prefference for such requires that the remote site ( like TR ) to send a disk with the required keys to use encryption over and above that used in ssl.
once you have the keys, you install them in your browser and then you connect to the https site, and the keys are used to set up a secure session in the ssl session. you've doubled the encryption, with no decryption sent online.

completely changes the ecommerce aspect though.

Collapse -

I don't feel so alone now.

by stress junkie In reply to to true

I have made similar statements about not trusting any communication scheme that travels over the Internet. I often get responses that indicate that people think I'm a nut. Recently I had one person say that if it's good enough for banks then it is good enough for him.

The prevailing opinion, even among techies, appears to be that "They" wouldn't use this or that technology to transmit confidential data unless it was secure. "They" will protect us. "They" know what they're doing. Etc. I disagree with all of those assumptions and the resulting conclusion.

Security is too important to take chances. I expect that anyone who has had their identity stolen would agree.

Collapse -

Yeah, cause banks never lose our personal info.

by shardeth-15902278 In reply to I don't feel so alone now ...

The truth is there is no such thing as perfect security. All you can do is secure to a level such that the cost for breaking in is higher than the potential reward. unfortunately security costs money, so businesses tend to aim as low as possible in order to protect their margins.

Personally, almost all my internet activity is done from a Virtual Machine, which get's restored to initial state after every reboot (that or a Knoppix CD).

Collapse -


by Jaqui In reply to Yeah, cause banks never l ...

I never said my suggestion was perfect, only that it is better than the single layer used now. ~G~

but I don't trust any site

nor do I trust the certificate authorities that issue the certs to enable ssl.
( they may actually do thier investigating right*, butthere is no accountability if they screw up, so it's a purchase the certificate and go senario )

* Verisign and Thawte do investigate as much as they can with thier higher rated certificates, but youpay extra for that.

Collapse -

it comes down to their cost/benefit analysis

by jerry~Beans&Bytes In reply to Yeah, cause banks never l ...

and i don't trust them to care as much as i do.

i have the luxury of doing my work in a totally offline environment. this is a sacrifice machine, my window to the online world. if i need something from outside for my work, it comes in here, gets scanned seven ways to Sunday, and then is introduced to my network. i use a prepay credit card for online transactions, and never put more on it than i expect to use.

is it inconvenient? not more so than i can take.
is it secure? i'm not risking more than i can afford to lose.

Collapse -

Security != Convenience

by akhasha In reply to Firewalls; Java; Security ...

No, really. But getting your IP address from the other side of a firewall doesn't mean much, if your firewall is set up sensibly.

Collapse -

The problem is how it was done

by stress junkie In reply to Security != Convenience

The reason that obtaining the computer information is a problem is that it was obtained by running code on the victim computer. It's a proof of concept for running malicious code. Obtaining the IP address simply proves that the Java and/or JavaScript code from the remote computer can obtain information that it should not be able to see. Adding to the vulnerability is the ability of JavaScript to run external programs. I'm not really up-to-speed on JavaScript's capabilities. I'm just repeating what I've read. The idea is that if JavaScript can run external programs then it could gather a lot of information including the name of the operating system, its version, its patch level, the account name of the user running the web browser, and other details about the victim computer. That would tell the remote computer how to attack the victim computer.

Back to Security Forum
16 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums