I’ve always been intrigued by titles and set expectations
for my career based on these terms. As a youngster, my goal was to be a
scientist. I ended up an engineer … I guess that’s pretty close. In fact, at
one time, at IBM, my formal title was Senior Associate Engineer / Scientist.
So, in that regard, I made it.
I’ve been an electronics engineer, a programmer, a software
engineer, an instructor / course developer as well as an adjunct professor.
I’ve been a project manager and even a senior technical staff member … the
strangest title of all.
But, as I’ve collected my thoughts and tried to merge all
those titles into a single, meaningful term, I’ve arrived at this: I’m a
technologist. That fits. It sort of encompasses all the engineering and
programming and teaching stuff into a single title.
One thing I’ve noticed in this modern age is how well young
people adapt to technology. Of course, even senior citizens use email and surf
the web, but the ease with which the young mind seems to grasp technology is
often noted by just about everyone who notices.
I’m an exception. I’m an old guy that gets technology. Now I
doubt I understand it as well as a twenty-something that lives and breathes
computers and web sites and RSS, etc. But I’m pretty well versed in the technology
of the times. There’s always something new and I’m not a Silicon Valley guru,
more of a Colorado guru. But I do get along with this stuff pretty well,
although … sometimes … I’m as stumped as anyone.
I was recently delving into HTML as I tried to clean up a
mess that an automatic HTML tool had made. One “feature,” if you can call it
that, of these simple editors that automatically create HTML from plain text is
that the various commands to create specific fonts and formats, etc. are
repeated for each paragraph. Lots of </span> to identify the individual
sections of text. The tool didn’t even recognize where to use <div>.
Being somewhat compulsive, I was deep into the HTML source,
editing the commands manually and cleaning up what was a giant mess of
automatic programming. That got me to thinking about HTML and browsers and
security … security is always on my mind as I concern myself with how easy it
would be for hackers to access and bring down our utility grids and power
plants … but that’s for another note at another time.
This time I was thinking about privacy and all the ways our
information is released as we surf the web. Most of you know that it is
dangerous to download a program to your computer unless you’re pretty sure it is
not a dangerous program or malware that would compromise your computer and all
the information on it.
Well, do you know how a web page appears in your browser? As
I said, I’m a technologist. I can tell you how. You download a program to your
computer. The program is written in HTML, and CSS (Cascading Style Sheets), and
JavaScript, and possibly several other languages, and it is downloaded to your
browser for display.
We all know how complex web pages can be and how they can
provide services and views for the user with powerful features like changing
part of the page when your mouse hovers over it or showing videos and playing
music.
What you may not realize is how those same browsers can give
out all kinds of private information to the web site that knows how to ask. The
Internet was designed to deliver information, and you might be surprised just
how much personal information may be provided due to security flaws that no one
seems to be in a hurry to fix. I think that, if the general public knew just
how much personal information they unwittingly provide anytime they connect to
a web site, they would be a lot more careful in their browsing. If they click
just one time on a suspicious web site, even more personal information,
including their name, hometown, school, marital status, lists of friends,
photos, what other websites they are logged into, and their bank or credit union, is all handed to the web site, and
they even open up access behind their companies’ firewalls and private networks.
Today’s popular browsers, from Internet Explorer to Firefox
to Chrome to Safari all have flaws that open up that information to any web
site contacted. Several new security features have been added to browsers over
recent years, including automatic updating and protection from malware, yet
these basic attacks still are not blocked. It will take some changes in browsers and Internet standards to close all these open doors … open to the next burglar that walks by.
Let me give some examples. These attacks use normal web page
commands, so they are not immediately identified as an assault on your personal information. They take advantage of features of the Internet intended to make web
pages easier to use.
Here is one example. HTML allows a web site to provide
graphics and pictures actually loaded from another web site. For example, you
may be connected to www.friendly-web-site.com
and it may contain HTML code such as this:
<img src="http://some-other-web-site/image.png">
This instructs the visiting browser to send a web request to
this other website automatically to load the image. The developer may add some
JavaScript to verify that the image loaded successfully or if there was an
error:
<img src="http://some-other-web-site/image.png" onload="successful()" onerror="error()">
If the image loaded correctly, the successful() subroutine is executed.
If there was an error, then the error() subroutine is run instead. This is a perfectly normal
practice and quite useful.
But suppose the image file is only available if the user is
logged onto the website. For example, the image could be loaded from Facebook
or Twitter or a local bank web site. That would inform the original website of
the existence of the login.
In fact, loading a possibly bogus image is not necessary.
This code is even more direct:
<img src="http://some-other-web-site/loggedin.png" onload="loggedIn()" onerror="notLoggedIn()">
This can be used to discover what social websites, email
sites, and basically any other web site the user is logged into. A series of
similar instructions in the web page being viewed could probe all the possible
sites that the user might be … well … using.
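The probe above only works because the browser attaches the user’s login cookie to an image request made on behalf of a completely different site. Here is an added example (my own code, not from the original post) that models the SameSite cookie rule later browsers adopted to close exactly this door; the site names, cookie and requests are constructed for the illustration, and the model goes beyond the post by showing the same probe under each SameSite setting.

```javascript
// Added example, not code from the original post: a toy model of the SameSite
// cookie rule that browsers now apply, used to show why the onload/onerror
// "are you logged in?" probe only works when the target site's session cookie
// is allowed to travel on cross-site <img> requests.
// All site names, cookies and requests here are constructed for the illustration.

// A cookie as the browser stores it. sameSite is "Strict", "Lax" or "None".
function makeCookie(name, value, site, sameSite) {
  return { name, value, site, sameSite };
}

// Reduce a URL to a "site" for this model: the last two host labels.
// (Real browsers consult the public-suffix list; this toy does not.)
function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split(".").slice(-2).join(".");
}

// Which stored cookies does the browser attach to a request?
//  - same-site requests always carry the site's cookies;
//  - Strict cookies never go cross-site;
//  - Lax cookies go cross-site only on a top-level GET navigation (a user
//    following a link), never on an embedded subresource such as <img>;
//  - None cookies always go (real browsers also require Secure for None).
function cookiesSent(jar, request) {
  const target = siteOf(request.url);
  const crossSite = target !== siteOf(request.initiator);
  return jar.filter((c) => {
    if (c.site !== target) return false;
    if (!crossSite) return true;
    if (c.sameSite === "Strict") return false;
    if (c.sameSite === "None") return true;
    // "Lax" (also the browser default when the attribute is missing)
    return request.topLevelNavigation && request.method === "GET";
  });
}

// The probed site's server: the image is served only to a logged-in session.
function loggedInImageStatus(cookies) {
  return cookies.some((c) => c.name === "session") ? 200 : 403;
}

// What the probing page's <img onload=... onerror=...> handlers would see
// when the image is requested from a page on `initiator`.
function probe(jar, initiator) {
  const request = {
    url: "https://bank.example/loggedin.png",
    initiator,
    method: "GET",
    topLevelNavigation: false, // an <img> is an embedded subresource
  };
  return loggedInImageStatus(cookiesSent(jar, request)) === 200
    ? "onload"   // the probing page learns the user is logged in
    : "onerror"; // the probing page learns nothing
}

// Run the probe from a third-party page against each SameSite setting, and
// once from the bank's own page to show that Lax/Strict do not break normal use.
function demo() {
  const thirdParty = "https://some-other-web-site.example/";
  const bankItself = "https://bank.example/account";
  const out = {};
  for (const mode of ["None", "Lax", "Strict"]) {
    const jar = [makeCookie("session", "abc123", "bank.example", mode)];
    out[`${mode}_fromThirdParty`] = probe(jar, thirdParty);
    out[`${mode}_fromBankItself`] = probe(jar, bankItself);
  }
  return out;
}

console.log(demo());
```

Run it with `node` and only the `None` cookie answers `onload` to the third-party page; with `Lax` or `Strict` the bank still serves its own pages normally, but the cross-site image request arrives without a session and the probing page sees `onerror` whether or not the user is logged in.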
Now let's assume the malicious website owner wants to go one step further and determine the name of the person visiting the site. Assume that the visitor is logged into a social site such as Twitter, Facebook, Google+, etc. It is possible to create an invisible frame, located under the cursor, using the iframe command, so that when the visitor clicks anywhere on the web page the invisible frame executes a Facebook "Like" or a Google+ "+1." This is called "clickjacking." After tricking the user into taking this action, the site owner can check on Twitter or Facebook to see "User X followed you" or "User X liked Page Y." Now the unscrupulous web site knows the name of "User X."
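The standard defence against the clickjacking just described is for the social site to tell browsers who is allowed to put it inside a frame. As an added example (my code, not the post’s), this small evaluator models how a browser applies the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive; the origins and header sets are constructed, and wildcard hosts and scheme-only sources are deliberately not modelled.

```javascript
// Added example, not code from the original post: a small evaluator of the two
// response headers with which a site refuses to be rendered inside another
// site's <iframe>, the standard defence against clickjacking. Origins and
// header sets below are constructed. Wildcard hosts and scheme-only sources
// in frame-ancestors are not modelled.

// Extract the frame-ancestors source list from a CSP header value,
// or null when the directive is absent.
function frameAncestorsOf(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Host part of an origin or host-source, without scheme, port or path.
function hostOf(value) {
  return value.toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split("/")[0].split(":")[0];
}

// Does one frame-ancestors source expression allow `embedder` to frame `self`?
function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedder === self;
  return hostOf(s) === hostOf(embedder);
}

// Will a browser render the page served with `headers` (origin `self`) inside a
// frame owned by `embedder`? Rules modelled:
//  - if CSP frame-ancestors is present it decides, and X-Frame-Options is ignored;
//  - otherwise X-Frame-Options DENY blocks all framing, SAMEORIGIN allows only self;
//  - with neither header, anyone may frame the page.
function framingAllowed(headers, self, embedder) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const ancestors = frameAncestorsOf(lower["content-security-policy"]);
  if (ancestors !== null) return ancestors.some((src) => sourceMatches(src, embedder, self));
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true;
}

// Compare an unprotected response, a legacy X-Frame-Options response, a CSP
// response, and one that sets both (CSP wins) against a third-party embedder.
function demo() {
  const self = "https://social.example";
  const other = "https://some-other-web-site.example";
  const partner = "https://partner.example";
  const unprotected = {};
  const legacy = { "X-Frame-Options": "SAMEORIGIN" };
  const csp = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" };
  const both = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
  };
  return {
    unprotectedByOther: framingAllowed(unprotected, self, other), // true: clickjackable
    legacyByOther: framingAllowed(legacy, self, other),           // false
    legacyBySelf: framingAllowed(legacy, self, self),             // true
    cspByOther: framingAllowed(csp, self, other),                 // false
    cspBySelf: framingAllowed(csp, self, self),                   // true
    bothByPartner: framingAllowed(both, self, partner),           // true: CSP overrides DENY
    bothByOther: framingAllowed(both, self, other),               // false
  };
}

console.log(demo());
```

The point of the `both` case is the one that surprises people checking their own headers: when a response carries a frame-ancestors directive, browsers ignore X-Frame-Options entirely, so a permissive CSP quietly cancels a strict DENY.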
There’s a lot more that can be determined from this and
similar attacks. It is the social websites that users stay logged into, often
continuously, that allow all kinds of information to be
mined from an unsuspecting user. As I described, the seemingly innocuous “Like” in Facebook
can be activated by unscrupulous web site designers to determine all kinds of
personal information.
Setting high privacy limits on social web sites helps, but is not a guarantee. Things on the web are always in flux and most people treat social websites as big parties and share all kinds of personal information, little suspecting just how many illegitimate uses can be made of that information.
Remember, when you browse a web site, any website, you are
allowing that code to be run on your computer and due to weaknesses and rather
dubious features of web browsers, the web site can determine a lot of personal
information from some simple and clever programming.
Interestingly, the young people of today, the ones I opened by saying have
an intuitive grasp of technology, don’t seem to be
concerned about this leakage of private information to surreptitious web sites.
They seem perfectly happy with releasing all this private information to “who
knows whom.” Maybe they do understand the technology.
I could write another long article why no one seems to be
interested in closing these security holes in popular browsers. I could also go
on and on about more exploits that open up your private information from the
misuses of the iframe command to problems with old versions of the Secure
Sockets Layer protocol.
I guess in a day and age where people are willing to put
their confidential information up into the cloud, believing all the assurances
of the vendors that nothing can go wrong … go wrong ……go wrong … go wrong …
Sorry about that. The next release will fix that bug.
What really worries me is when the criminals start targeting
the banking logins of users out there. Bad news. They already have. First they
get your name. Then they find out what bank you use. If your secret password is
the names of your children, they’ll soon find that out when they gain access to
your Facebook account. Name of your pet; mother’s maiden name; first school you
attended; here’s my favorite: birthday! Think of all the people that post their
birthday on Facebook or Google+.
We now live in a technological society, a technical
neighborhood. I see all these people leaving their technological doors, not
just unlocked, but wide open. It’s a good time for burglars.
Maybe my next career will be as a computer security
consultant. I think that business will be booming soon.