Thursday, January 17, 2013

A Technologist Speaks on Security


I’ve always been intrigued by titles and set expectations for my career based on these terms. As a youngster, my goal was to be a scientist. I ended up an engineer … I guess that’s pretty close. In fact, at one time, at IBM, my formal titles was Senior Associate Engineer / Scientist. So, in that regard, I made it.

I’ve been an electronics engineer, a programmer, a software engineer, an instructor / course developer as well as an adjunct professor. I’ve been a project manager and even a senior technical staff member … the strangest title of all.

But, as I’ve collected my thoughts and tried to merge all those titles into a single, meaningful term, I’ve arrived at this: I’m a technologist. That fits. It sort of encompasses all the engineering and programming and teaching stuff into a single title.

One thing noticed in this modern age is how well young people adapt to technology. Of course, even senior citizens use email and surf the web, but the ease with which the young mind seems to grasp technology is often noted by about everyone that notices.

I’m an exception. I’m an old guy that gets technology. Now I doubt I understand it as well as a twenty-something that lives and breaths computers and web sites and RSS, etc. But I’m pretty well versed in the technology of the times. There’s always something new and I’m not a Silicon Valley guru, more of a Colorado guru. But I do get along with this stuff pretty well, although … sometimes … I’m as stumped as anyone.

I was recently delving into HTML as I tried to clean up a mess that an automatic HTML tool had made. One “feature,” if you can call it that of these simple editors that automatically create HTML from plain text is that the various commands to create specific fonts and formats, etc. are repeated for each paragraph. Lots of </span> to identify the individual sections of text. The tool didn’t even recognize where to use <div>.

Being somewhat compulsive, I was deep into the HTML source, editing the commands manually and cleaning up what was a giant mess of automatic programming. That got me to thinking about HTML and browsers and security … security is always on my mind as I concern myself with how easy it would be for hackers to access and bring down our utility grids and power plants … but that’s for another note at another time.

This time I was thinking about privacy and all the ways our information is released as we surf the web. Most of you know that it is dangerous to download a program to your computer unless your pretty sure it is not a dangerous program or malware that would compromise your computer and all the information on it.

Well, do you know how a web page appears in your browser? As I said, I’m a technologist. I can tell you how. You download a program to your computer. The program is written in HTML, and CSS (Cascading Style Sheets), and JavaScript, and possibly several other languages, and it is downloaded to your browser for display.

We all know how complex web pages can be and how they can provide services and views for the user with powerful features like changing part of the page when your mouse hovers over it or showing videos and playing music.

What you may not realize is how those same browsers can give out all kinds of private information to the web site that knows how to ask. The Internet was designed to deliver information, and you might be surprised just how much personal information may be provided due to security flaws that no one seems to be in a hurry to fix. I think that, if the general public knew just how much personal information they unwittingly provide anytime they connect to a web site, they would be a lot more careful in their browsing. If they click just one time on a suspicious web site, even more personal information including their name, hometown, school, marital status, lists of friends, photos, what other websites they are logged into, their bank, credit union are all provided to the web site, and they even open up access behind their companies firewalls and private networks.

Today’s popular browsers, from Internet Explorer to Firefox to Chrome to Safari all have flaws that open up that information to any web site contacted. Several new security features have been added to browsers over recent years, including automatic updating and protection from malware, yet these basic attacks still are not blocked. It will take some changes in browsers and Internet standards to close all these open doors … open to the next burglar that walks by.

Let me give some examples. These attacks use normal web page commands, so they are not immediately identified as an assault on your personal information. They take advantage of features of the Internet intended to make web pages easier to use.

Here is one example. HTML allows a web site to provide graphics and pictures actually loaded from another web site. For example, you may be connected to www.friendly-web-site.com and it may contain HTML code such as this:

<img src= "http://some-other-web-site/image.png”>

This instructs the visiting browser to send a web request to this other website automatically to load the image. The developer may add some JavaScript to verify that the image loaded successfully or if there was an error:

<img src= "http://some-other-web-site/image.png"
onload= “successful()” onerror= “error()”>

If the image loaded correctly, the successful() subroutine is executed. If there was an error, then the error code is run. This is a perfectly normal practice and quite useful.

But suppose the image file is only available if the user is logged onto the website. For example, the image could be loaded from Facebook or Twitter or a local bank web site. That would inform the original website of the existence of the login.

In fact, loading a possibly bogus image is not necessary. This code is even more direct:

<img src= "http://some-other-web-site/loggedin.png"
onload= “loggedIn()” onerror= “notLoggedIn()”>

This can be used to discover what social websites, email sites, and basically any other web site the user is logged into. A series of similar instructions in the web page being viewed could probe all the possible sites that the user might be … well … using.

Now let's assume the malicious website owner might want to go one step further and determine the name of the person visiting the site. Assume that the visitor is logged into a social site such as Twitter, Facebook, Google+, etc. It is possible to create an invisible frame that is located under the cursor using the iframe command and then, when the visitor clicks anywhere on the web page, the invisible frame will execute an FB "Like" or a Google+ "+1" command. This is called "clickjacking." After tricking the user into taking this action, they can check on Twitter or Facebook to see "User X Followed you" or "User X liked Page Y." Now the unscrupulous web site knows the name of "User X."

There’s a lot more that can be determined from this and similar attacks. It is the use of social websites which users are often continuously logged into that allows all kinds of information to be mined from an unsuspecting user. As I described, the seemingly innocuous “Like” in Facebook can be activated by unscrupulous web site designers to determine all kinds of personal information.

Setting high privacy limits on social web sites helps, but is not a guarantee. Things on the web are always in flux and most people treat social websites as big parties and share all kinds of personal information, little suspecting just how many illegitimate uses can be made of that information.

Remember, when you browse a web site, any website, you are allowing that code to be run on your computer and due to weaknesses and rather dubious features of web browsers, the web site can determine a lot of personal information from some simple and clever programming.

Interestingly, the young people of today, those that I started by saying that they had an intuitive grasp of technology, they don’t seem to be concerned about this leakage of private information to surreptitious web sites. They seem perfectly happy with releasing all this private information to “who knows whom.” Maybe they do understand the technology.

I could write another long article why no one seems to be interested in closing these security holes in popular browsers. I could also go on and on about more exploits that open up your private information from the misuses of the iframe command to problems with old versions of the Secure Socket Layer protocol.

I guess in a day and age where people are willing to put their confidential information up into the cloud, believing all the assurances of the vendors that nothing can go wrong … go wrong ……go wrong … go wrong …

Sorry about that. The next release will fix that bug.

What really worries me is when the criminals start targeting the banking logins of users out there. Bad news. They already have. First they get your name. Then they find out what bank you use. If your secret password is the names of your children, they’ll soon find that out when they gain access to your Facebook account. Name of your pet; mother’s maiden name; first school you attended; here’s my favorite: birthday! Think of all the people that post their birthday on Facebook of Google +.

We now live in a technological society, a technical neighborhood. I see all these people leaving their technological doors, not just unlocked, but wide open. It’s a good time for burglars.

Maybe my next career will be as a computer security consultant. I think that business will be booming soon.

No comments:

Post a Comment