Computer Security 101

Moderator: doubleVee

<<

James McGuigan

Ghost in the Machine

Posts: 396

Joined: Thu Mar 27, 2008 7:42 am

Location: Between Reality Tunnels

Post Mon Jun 02, 2008 8:55 pm

Computer Security 101

To understand data security, it's often helpful to look at it in terms of what information is transferred/stored where, how an attacker could obtain this information, and how they could use it to obtain your identity.

There is no such thing as absolute computer security, rather it's a case of how much effort you want to put into blocking various vectors of attack, vs how much effort the attacker is willing to put into obtaining your information. Choose the level of paranoia you are comfortable with.

When you register, your details are transmitted over the wire, and stored in the ESK database. Your profile data is publicly available, but unless you tick the box, it is not publicly available.

Your IP address is not publicly available, but it is transmitted over the wire every time you view a website, and is stored on the ESK database next to every post.

As for attack vectors, OSA's options would include:
1. Cross site scripting attacks. Posting some javascript code in a posting, which submits your cookie information (IP and username) to an external website. - Part of the reason for the funny [tag] syntax used when making your posts here is to avoid this sort of attack. And as a fairly well used piece of open source software, security issues like this would have been given quite a bit of attention, and browsers have additional safeguards, but future security bugs and exploits are potentially possible - google for "sammy is my hero" for an interesting story - disabling javascript in your browser will void any such attacks.

2. Infiltrate ISPs or backbone providers and monitor traffic over the wire. Governments supposedly do this, but ISPs should generally consider this data as commercially confidential to outsiders - This would reveal your IP, the websites you visited, and potentially any data sent over the wire that they managed to capture - Using https, proxies and/or tor will encrypt traffic over the wire, and make it mathematically unreadable to a 3rd party listener.

3. Directly compromise the ESK webserver. This would either require finding an exploit in the software running on the server (it's Linux so it's fairly secure), or knowledge of the server login details. A brute force attack (attempting every alphanumeric login combination) would take a very long time, and would be logged and noticed by the server admins.

4. Compromise an individual, or machine, that happens to have server access to the ESK server. Either by accessing their computer, or through social engineering or intimidation. - This would expose the email addresses, private messages and IPs - not really much you can do about these last two, other than trust the admins. Signing up with a separate email address and deleting private messages with sensitive information in them would minimise the amount of useful data stored on the server.

5. Fake a user login into this site. It would require your username and password, but chances are that your own password is less secure than the one on the server (such as a word in the dictionary), or may be the same as used elsewhere (and they have somehow discovered that one). Once they are logged in as you, they can see everything you can see.

6. Social Engineering, which is the non-techie way of getting information. Essentially it involves pretending to be somebody else and asking seemingly innocent questions to extract the desired information - be on guard for survey questions asking you for your password in exchange for a chocolate bar.


So once they have this data, what can they do?

Your ISP will either give you a static IP, or a dynamic one (such as on a modem - changes every time you log in). The RIAA have been trying to ask ISPs for personal details when given an IP list, not sure about the UK now, but I think they now need to bring a John Doe lawsuit in the US before the ISP is forced to hand over the data.

Your email means they can spam you, and also whois the domain you have your email hosted with (which is more an issue for personally hosted servers).

If you use the same nick as on other forums, or post personal information elsewhere on the internet, it may be possible to locate this information and cross-reference it with clues from elsewhere to piece together your identity.

If they try to directly access your IP address, and you have an ADSL router, they will only see the router and not have permission to send it any commands. If your machine's IP is directly accessible (i.e. a USB ADSL modem), then it's worth getting a firewall installed (or not using Windows - i.e. Linux or OS X). Windows XP SP2 has a firewall by default.

For email, I STRONGLY recommend against using Outlook Express, it's hopelessly insecure, and likely to get your computer infected with a virus. Use big Outlook, or Mozilla Thunderbird.

As for web browsers, IE7 and IE8 have slightly improved security measures over IE6. But I would recommend Firefox, even if not just for the security, but for all the really, really useful extensions and add-ons that make web-browsing so much better. (Also as a web developer, having to support IE6 in websites is a real nuisance, but until everyone stops using it, it's holding back the state and ease of web-development.)

Again it's largely a question of general awareness, combined with the amount of effort you want to put into maintaining your desired level of paranoia, vs the value of the information you want to protect (both from your viewpoint and theirs), and the amount of effort they want to go to in order to have a chance of obtaining it.


This is the quick website-security 101 posting. Hopefully enough details to chew on, but don't take it as a definitive guide. Any questions, either ask away or simply google for them.


PS. If I have gotten anything wrong, missed something important out, or stated it in a way that might be misinterpreted by a non-techie, then please comment.

PPS. I have made this thread sticky, so if anybody has any other links, guides or how-tos on staying safe on-line, or other relevant questions or answers, please post them here for reference.
Freedom is a choice. Choose to be yourself, choose to speak your truth and do so with compassion. And above all else, choose to be not afraid. If I can't dance, it's not my revolution.
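An added example, not code from the original post or from the forum software, showing the defence behind the [tag] syntax James mentions in point 1: user text is HTML-escaped first, and only a small whitelist of BBCode tags is then turned into real markup, so a posted script tag is shown as text instead of being run by the reader's browser. The tag set, the sample post and the function names are my own assumptions.

```python
import html
import re

# Only these BBCode tags become HTML. Everything else in a post is plain text
# and gets escaped, which is why a user-supplied <script> never reaches the
# browser as markup. (Assumed whitelist; the real forum's set may differ.)
ALLOWED_TAGS = {
    "b": ("<strong>", "</strong>"),
    "i": ("<em>", "</em>"),
    "quote": ("<blockquote>", "</blockquote>"),
}

_TAG_RE = re.compile(r"\[(/?)([a-z]+)\]")


def render_post(text: str) -> str:
    """Render a forum post: HTML-escape the raw text, then expand allowed BBCode."""
    # Step 1: neutralise every HTML-significant character the poster typed.
    escaped = html.escape(text, quote=True)
    # Step 2: expand only whitelisted, properly nested [tag]...[/tag] pairs.
    out, stack, pos = [], [], 0
    for m in _TAG_RE.finditer(escaped):
        out.append(escaped[pos:m.start()])
        closing, name = m.group(1) == "/", m.group(2)
        if name not in ALLOWED_TAGS:
            out.append(m.group(0))          # unknown tag: leave as visible text
        elif not closing:
            stack.append(name)
            out.append(ALLOWED_TAGS[name][0])
        elif stack and stack[-1] == name:
            stack.pop()
            out.append(ALLOWED_TAGS[name][1])
        else:
            out.append(m.group(0))          # mismatched close tag: keep literal
        pos = m.end()
    out.append(escaped[pos:])
    while stack:                            # close tags the poster left open
        out.append(ALLOWED_TAGS[stack.pop()][1])
    return "".join(out)


def contains_script(rendered: str) -> bool:
    """True if rendered output still carries a live <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed sample post: bold text followed by an injected script tag.
    sample = "[b]hello[/b]<script>alert(1)</script>"
    print(render_post(sample))
```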
<<

astra

Site Admin

Posts: 451

Joined: Mon Feb 25, 2008 5:53 am

Post Tue Jun 03, 2008 12:05 am

Thanks James, very helpful!
<<

stuckin

OTIII

Posts: 157

Joined: Fri May 30, 2008 1:40 am

Post Tue Jun 03, 2008 2:10 am

Thank you, for those of us that are not very computer literate.
<<

Tru2form

Site Admin

Posts: 1204

Joined: Wed Feb 13, 2008 3:56 am

Location: Beijing, China

Post Tue Jun 03, 2008 9:52 am

Rad post, James. I get questions about this a lot.

"Who can see my IP address? Who has access to my email and under what circumstances."

etc.
Us rabbits? DO something? - Wind in the Willows
<<

R0bbie

EPFer

Posts: 16

Joined: Thu May 15, 2008 2:44 pm

Post Sun Jun 29, 2008 11:10 pm

Good post! Only...

XSS isn't limited to Java but can be done with any scripting language... hell, I can implement an XSS even with the BBCode tags.

Also you forgot SQL injection, and since this forum requires a DB to run, it's vulnerable.

And another thingy... XSS isn't limited to the client side browser. I can run any attack script, even scripts that attempt to exploit the server, and since it runs as root and isn't chrooted.... well, let's not go there lol.

And then I'm not even starting about man in the middle attacks, buffer overflows or underruns, 0point.... well you get the idea. Only a hacker's creativity is really a limit to what they can do.

As for links

Word of caution - some of these sites contain live viral samples; do not download them unless you know what you are doing. They are posted there for research purposes and should be used as such.



http://www.theregister.co.uk/
good for the latest threats and other techy stuff.

http://www.offensivecomputing.net/
This is somewhat risky for the unenlightened since it contains viruses and other nasties, but they are some of the best security guys around. Got a virii question, ask it there.

http://packetstormsecurity.org/
News site with monthly exploits and security papers.

This is just off the top of my hat; some stuff obviously isn't posted here since that's considered the "underground scene" and I'd rather stay on their good side. lol
Last edited by R0bbie on Sun Jun 29, 2008 11:21 pm, edited 1 time in total.
" I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. " - Dune, Frank Herbert.

" Living in fear is not living. " - Stuckin
<<

stuckin

OTIII

Posts: 157

Joined: Fri May 30, 2008 1:40 am

Post Sun Jun 29, 2008 11:15 pm

ROBBIE:

Can you repeat that in earth speak please??? Lost me after Java....
If someone has to teach you how to be happy , then you are not truly happy....Happiness is a state of mind.
<<

R0bbie

EPFer

Posts: 16

Joined: Thu May 15, 2008 2:44 pm

Post Sun Jun 29, 2008 11:50 pm

I'll try.

XSS is common slang for Cross Site Scripting. Basically it means that content (sites) that run on server A download stuff from server B, where server B is the bad one. So what happens is, a hacker sets up a server with an attack script; this can be Java, PHP, or any other language. He then makes this available on the internet, say as http://www.badbadserver.com/attackscript.js, and then posts a link on a forum that points to a trusted site like http://www.nsa.gov. Only the sneaky thing is, in his link he has included another link, only this one points to his own server, so anybody who clicks the NSA link is basically loading 2 sites at once: one with the attack script and the one he wanted to load.

(None of the links work btw, they are only examples.)

Oh, technically the above isn't correct, since it isn't the actual server that does the downloading but the browser. It's the browser that downloads the 2 sites, not the server.
" I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. " - Dune, Frank Herbert.

" Living in fear is not living. " - Stuckin
<<

stuckin

OTIII

Posts: 157

Joined: Fri May 30, 2008 1:40 am

Post Mon Jun 30, 2008 12:01 am

Robbie:

Thanks for the clear-up. I got that a lil better.
If someone has to teach you how to be happy , then you are not truly happy....Happiness is a state of mind.
<<

R0bbie

EPFer

Posts: 16

Joined: Thu May 15, 2008 2:44 pm

Post Mon Jun 30, 2008 12:08 am

I find that I have a difficult time explaining those technical things. I guess they make more sense in my mind than in normal people's minds... (I've got ADHD so it's all running along a lil faster than it should.) Anyways, if you have a question just shoot me a PM and I'll try to answer it in understandable language. Or just post it here.

with utmost regards,

Robbie.
" I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. " - Dune, Frank Herbert.

" Living in fear is not living. " - Stuckin
<<

ChapStick

EPFer

Posts: 12

Joined: Thu Dec 04, 2008 4:43 pm

Post Wed Dec 10, 2008 4:05 am

So what you're saying is....

So basically, for average users looking to protect their identities you're saying (correct me if I'm wrong):

1. Don't give out personal information. At all.
2. Don't use your regular email address.
3. Don't make your password "password" (this is never a good idea).
4. Use Firefox if you can, and disable java regardless.
5. Make sure you have some sort of firewall for protection.

Anything to add? The only question I had was how to find out if I have the right kind of router to prevent anyone from accessing it (in the case that the server were to be compromised). That's just good to know in general.
<<

James McGuigan

Ghost in the Machine

Posts: 396

Joined: Thu Mar 27, 2008 7:42 am

Location: Between Reality Tunnels

Post Mon Dec 29, 2008 4:53 am

For those who installed the Scientologist On-Line program CD, which also installs a web filter program on your computer, to uninstall it:

From: http://home.snafu.de/tilman/krasel/filter/tech.html

ScienoSitter patches wsock32.dll to forward calls to stcpx.dll. Due to this mechanism, the "ScienoSitter" can simply be uninstalled by replacing the patched wsock32.dll with the original, which is backed up during the installation process as wsock32.dll.tmp (in the c:\windows\system32 directory).

Here is the list of filtered words, sites and newsgroups:
http://www.taniwha.com/crack.list.html
Freedom is a choice. Choose to be yourself, choose to speak your truth and do so with compassion. And above all else, choose to be not afraid. If I can't dance, it's not my revolution.
