<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>Web Application Security Forum - Privacy</title>
        <description>Who's got it? Who's giving it away? How to protect your privacy and steal it from other people. For intellectual privacy, personal privacy, and blackhats alike...</description>
        <link>http://sla.ckers.org/forum/list.php?15</link>
        <lastBuildDate>Fri, 24 May 2013 16:18:18 -0500</lastBuildDate>
        <generator>Phorum 5.2.15a</generator>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,51675,51675#msg-51675</guid>
            <title>Sensitive info with dhcpcd (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,51675,51675#msg-51675</link>
            <description><![CDATA[Hey guys first post here. I was analyzing some packets in wireshark a few days ago. Curious, I set the filter to bootp and took a good look at some DHCP packets. I noticed something that is a clear anonymity leak. In the packet I could see that I was transmitting not only my MAC address as seems to be the norm, I was also transmitting my dhcpcd version, kernel version, OS, and hostname. Which is way too much info for my comfort. I was wondering if there is a way to avoid transmitting this information. No other packets seem to transmit much except for my MAC address which I'm not worried about. But when I issue a DHCP request all of that is transmitted. I remember reading somewhere that you could edit your /etc/init.d/net.eth0 (or equivalent) file to include<br />
<br />
VID=`fortune -o|head -c 30|tr &quot;\&quot;'\n&quot; ' ' 2&gt;/dev/null`<br />
/sbin/dhcpcd -i ${VID} ${dhcpcd_IFACE} ${IFACE}<br />
    <br />
But I'm not sure what the equivalent would be, and I don't have that particular file. I'm using systemd. Any help would be amazing; I've been searching this problem for quite some time.]]></description>
            <dc:creator>fallencity</dc:creator>
            <category>Privacy</category>
            <pubDate>Thu, 31 Jan 2013 08:53:40 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,51596,51596#msg-51596</guid>
            <title>Trouble Using SSL with Usenet (stunnel?) (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,51596,51596#msg-51596</link>
            <description><![CDATA[I hope to get SSL working for Usenet while using Windows 7, including both traditional newsreading (text posts) and posts where someone uploads NZB files. I'm using Astraweb. The info Astraweb provides for SSL is ssl.astraweb.com on ports 443 or 563. <br />
<br />
Note that I have no problem downloading nzb files from <a href="http://www.binsearch.info/" rel="nofollow" >binsearch.info</a> and downloading their corresponding contents via SSL with <a href="http://sabnzbd.org/" rel="nofollow" >sabnzbd</a> or <a href="http://www.binreader.com/" rel="nofollow" >binreader</a>, but neither of those programs can read regular text posts. <br />
<br />
<a href="http://pan.rebelbase.com/" rel="nofollow" >PAN</a> did exactly what I want with the exception that it was through a <b>non-SSL</b> connection. It was able to download headers to let me access text posts, and when I double-clicked on an NZB-post the desired file would download in sabnzbd. <br />
<br />
After a bit of Googling, I saw that people used stunnel with PAN newsreader and simply modified the configuration file (stunnel.conf) to achieve SSL while on Linux. I downloaded and installed <a href="https://www.stunnel.org/downloads.html" rel="nofollow" >stunnel for Windows (stunnel-4.54-installer.exe)</a> but I do not know how to get it working. Do I need to buy a certificate or something? Or use PGP? I am stuck.]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Tue, 27 Nov 2012 11:35:37 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,51479,51479#msg-51479</guid>
            <title>Good Secure Email Form (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,51479,51479#msg-51479</link>
            <description><![CDATA[I plan to set up a &quot;Contact&quot; page on a website that has an Email form and uses SSL. It will then forward whatever message the person sends to my Email account (my Email account is separate from my website account). However, I do not want the message to only be encrypted between the visitor's web browser and my website. <br />
<br />
Instead, I want my website to use a PHP script that heavily encrypts the message before it sends the message to my external Email. I think one such example can be <a href="http://kerry-linux.ie/wee/securecontact/" rel="nofollow" >found here</a>. That may very well be a great Email encryption script. However, I do not have the knowledge to confirm that and I am unfamiliar with it. Does anyone know if there is a script like that which incorporates a 256-bit PGP algorithm? Obviously, you may not use this idea for your Email, but if you had to, what would you use?<br />
<br />
Edit: Note that I do not host my own website or Email. I use external services for each.]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 17 Sep 2012 02:32:07 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,51325,51325#msg-51325</guid>
            <title>Fingerprint copying. (4 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,51325,51325#msg-51325</link>
            <description><![CDATA[A lot of PCs have fingerprint authentication, especially laptops.<br />
<br />
Fingerprints are the worst possible method for authentication. If a digital fingerprint is stolen (all are digitized nowadays) unlike a password, you cannot create another fingerprint. It's fixed forever to you. Which is incredibly weak security.<br />
<br />
So what are the methods of stealing fingerprints on PCs? Are there trojans that steal them? And what could we do with them?]]></description>
            <dc:creator>Skyphire</dc:creator>
            <category>Privacy</category>
            <pubDate>Fri, 17 Aug 2012 03:47:59 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,50624,50624#msg-50624</guid>
            <title>an article on the concept of privacy (no replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,50624,50624#msg-50624</link>
            <description><![CDATA[The Stanford Encyclopedia of Philosophy has an article on the concept of privacy by Judith DeCew, which discusses the following topics:<br />
<br />
 (1) the historical roots of the concept of privacy<br />
 (2) the critiques of privacy as a right<br />
 (3) philosophical definitions or defenses of privacy as a concept<br />
 (4) the challenges to privacy posed in an age of technological advance<br />
<br />
http://plato.stanford.edu/entries/privacy/]]></description>
            <dc:creator>infinity</dc:creator>
            <category>Privacy</category>
            <pubDate>Wed, 11 Jul 2012 16:09:31 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,49853,49853#msg-49853</guid>
            <title>&quot;Hundreds of words to avoid using if you don't want the gov spying on you&quot; (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,49853,49853#msg-49853</link>
            <description><![CDATA[http://www.dailymail.co.uk/news/article-2150281/REVEALED-Hundreds-words-avoid-using-online-dont-want-government-spying-you.html]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 18 Jun 2012 18:01:10 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,46531,46531#msg-46531</guid>
            <title>Anonymous Online Orders? (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,46531,46531#msg-46531</link>
            <description><![CDATA[Suppose a person wants to anonymously order an NIC via postal mail. That way the MAC address is not tied to their name. I understand that alternatives exist, like walking into a store and buying an NIC with cash, but I am still wondering if it's possible for other reasons. Maybe a physical book on security exploits is unavailable at a local bookstore or electronic format. The security professional might not want to create a record that ties her to the book. <br />
<br />
Do all PO Boxes require identification? As far as I know, prepaid debit cards can no longer be purchased without revealing personal information. Are there any exceptions to that or alternatives?<br />
<br />
Edit:<br />
There are private companies that accept mail and forward it to a new address. With anonymous purchases these private services and using multiple private PO Boxes together, it could be interesting.]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 18 Jun 2012 18:20:43 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,45851,45851#msg-45851</guid>
            <title>Email Privacy (5 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,45851,45851#msg-45851</link>
            <description><![CDATA[Using free web Email, everything is stored on servers of the company providing the service and that company (inferring from the ToS agreements I read) can read all of my messages. Archiving everything with a company who has every right to access my inbox also increases risk of government obtaining messages. According to the EFF, subpoenas to Email providers are more likely than wiretapping and searches. A public/private key system of encryption is strong but doesn't solve the issue. If I am assuming correctly, encryption can only be achieved if both parties (sender and recipient) communicating opt to use it. The overwhelming majority of people don't. I read an interview of a Hushmail employee who stated he never used encryption with Hushmail because almost nobody else does. If those assumptions are correct and I want to conveniently and privately exchange mail with most people, then encryption will not suffice to provide privacy. Could that interview be obsolete? Does anyone disagree with anything so far? Have I overlooked anything? <br />
<br />
Storing Emails on my own computer is the idea I want to explore. If I set up my own Email server/host, wouldn't I need to leave it running 24/7 to ensure I can receive an Email any time? Maybe this is a dumb question, but can I store Email messages on my computer without them being archived by an online web mail provider, and without leaving my computer on 24/7? Also, if I left the computer running 24/7, wouldn't it just open another port on my computer and just divert the potential method of attack?]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Sun, 13 May 2012 01:14:33 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,43651,43651#msg-43651</guid>
            <title>Safe Spoofing (4 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,43651,43651#msg-43651</link>
            <description><![CDATA[Assume the goal is to be anonymous. Suppose a person goes far away from their home to use public Wi-Fi with a portable device. It seems that without any attempt to spoof the MAC address, the manufacturer and NIC information makes it possible to identify a user. <br />
<br />
Proxies might have tracers jumping through a few extra hoops, but how can the MAC address be safely spoofed? Spoofing the MAC on Linux or FreeBSD can be done with ifconfig, but is this enough? <br />
<br />
Is there a way for a tracer to counter that type of MAC spoof and access the hardware network card? If there is, then what precautions can be taken to avoid it? If the anonymizer is logged in for a shorter period of time, does this help anonymity? <br />
<br />
If a person can not be identified with the portable device itself, this is also helpful for the anonymizer. Are netbooks and laptops normally permitted by sellers to be exchanged for cash without requiring disclosure of personal information?]]></description>
            <dc:creator>idisappear</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 18 Jun 2012 18:08:15 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,38754,38754#msg-38754</guid>
            <title>Facebook Android App (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,38754,38754#msg-38754</link>
            <description><![CDATA[Been meaning to write something up about this for a while but have been busy, you know, living life.<br />
<br />
Most of you may be aware of their Android app, but what you might not be aware of is that it has a pretty big privacy issue.<br />
<br />
The app never logs you (or the person who last used your phone to log in) out.<br />
<br />
Example:<br />
<br />
Have someone log into facebook from your phone, and then promptly log out. <br />
<br />
Go to a local strip club, take a picture of a 'dancer' with your phone and tell Android that you want to 'share it' on facebook. <br />
<br />
Profit!<br />
<br />
The picture is uploaded without any authentication/authorization. It just uses the same credentials that were used previously to upload the image.<br />
<br />
Safe, ain't it.<br />
<br />
I haven't fiddled with the OS enough to figure out whether these credentials are kept in cleartext or not, but I doubt the geniuses and privacy advocates at FB would much care if it were.. no one can hack into a phone anyway.. right? ;)]]></description>
            <dc:creator>thrill</dc:creator>
            <category>Privacy</category>
            <pubDate>Sat, 07 Jan 2012 11:55:53 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,36823,36823#msg-36823</guid>
            <title>US Caller ID Lookup (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,36823,36823#msg-36823</link>
            <description><![CDATA[So I came across a Twitter post from Kevin Mitnick<br />
https://twitter.com/#!/kevinmitnick/status/96331122321006592<br />
&quot;Wow! ATT gives out your information to anyone. Check it out: http://tnid.us&quot;<br />
<br />
So tnid.us allows you to put in a cellphone number and it will give you the corresponding Caller ID information.(and some other info)<br />
<br />
Well I noticed that they had no automation protection (other than the caller ID is in a simple image, but OCR software reads it easy).<br />
<br />
So I put together this PHP script (on windows, with OCR software to install in comments of script). http://bitly.com/nXcfPd<br />
<br />
That should look up ~2,335,999,708 possible telephone numbers and save the number and caller ID to a database.<br />
<br />
After looking around on the internet, it looks like more than 200 requests will get your IP banned from the site.<br />
<br />
So that means to fetch all 2.3b results you will need 11,679,999 IP addresses.<br />
<br />
As I don't have access to a botnet, I figured I would publish the script. <br />
<br />
Glad it only took me a few minutes to put it together.<br />
<br />
Enjoy!]]></description>
            <dc:creator>PaPPy</dc:creator>
            <category>Privacy</category>
            <pubDate>Fri, 25 May 2012 16:13:57 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,35584,35584#msg-35584</guid>
            <title>detecting router backdoors (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,35584,35584#msg-35584</link>
            <description><![CDATA[The question is, how would you detect an IP-specific backdoor in your router if you didn't have ftp/telnet/ssh access to it? The only method I could think of was spoofing portscans to it from your vendor's IP, then checking the router's logs to see if it replied. Can anyone think of a better way?<br />
<br />
The background;<br />
After reading about a backdoor with a hard-coded password present in all BE routers (including my old router) at http://blogs.securiteam.com/index.php/archives/826 I started wondering about backdoors. I had foolishly assumed that the router didn't have a backdoor because when I nmap'd it from the WAN it showed no open ports, but it turns out the backdoor was just keyed to the IPs of the BE office.]]></description>
            <dc:creator>Albino</dc:creator>
            <category>Privacy</category>
            <pubDate>Fri, 03 Sep 2010 14:15:26 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,35203,35203#msg-35203</guid>
            <title>How to make Smart PDF submission form work with TOR? (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,35203,35203#msg-35203</link>
            <description><![CDATA[One of my friends wants to make a submission in the following Smart PDF online submission form:<br />
<br />
https://forms.australia.gov.au/forms/servlet/SmartForm.pdf?formCode=ACF<br />
<br />
But whenever he loads the url it opens Adobe acrobat reader which I assume will bypass TOR because the form requires Javascript to be enabled. The form will not submit unless javascript is enabled.<br />
<br />
So how can my friend submit the adobe smart pdf form with javascript enabled while still being anonymous with TOR?<br />
<br />
If it's not possible with TOR, what other free services could my friend use?]]></description>
            <dc:creator>coolboy1</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 09 Aug 2010 09:12:04 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,33228,33228#msg-33228</guid>
            <title>I have a question please. (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,33228,33228#msg-33228</link>
            <description><![CDATA[I don't know how to secure against an insecure cookie handling vulnerability.<br />
thanks]]></description>
            <dc:creator>the_master</dc:creator>
            <category>Privacy</category>
            <pubDate>Sun, 12 Sep 2010 13:00:55 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,31703,31703#msg-31703</guid>
            <title>mbstring extension exploit, anyone familiar with it? (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,31703,31703#msg-31703</link>
            <description><![CDATA[mmm, is there any known/public way to gain shell access with it?]]></description>
            <dc:creator>ktion23</dc:creator>
            <category>Privacy</category>
            <pubDate>Fri, 23 Oct 2009 12:35:27 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,30391,30391#msg-30391</guid>
            <title>Regarding URL Rewriting Engines (8 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,30391,30391#msg-30391</link>
            <description><![CDATA[Hey guys<br />
<br />
I was wondering if any of you know what is the proper way of detecting a URL rewriting engine implemented on the web server side.<br />
I have seen one way in which if we find a file existing in a non-existing directory, there is probably a URL rewriting engine employed on the server side (That's what application scanners like acunetix say).<br />
<br />
Has any of you got a proper method (or methods) through which we can be sure that there is a URL rewriting engine implemented on the server side?<br />
<br />
Thanks]]></description>
            <dc:creator>dragunov</dc:creator>
            <category>Privacy</category>
            <pubDate>Tue, 15 Sep 2009 23:56:28 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,29506,29506#msg-29506</guid>
            <title>getting an internal IP on IE (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,29506,29506#msg-29506</link>
            <description><![CDATA[I came across the following Java class that allows you to enumerate the internal IP on IE. <br />
<br />
http://reglos.de/myaddress/MyAddress.html<br />
<br />
In FF, I can use JavaScript to create a java.net.Socket and get the internal IP, but that method does not work in IE. The source for the class is not available; any ideas on how this is done in Java?<br />
<br />
- lat]]></description>
            <dc:creator>lat</dc:creator>
            <category>Privacy</category>
            <pubDate>Sat, 25 Jul 2009 22:59:35 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25966,25966#msg-25966</guid>
            <title>www.google-anon.com (5 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25966,25966#msg-25966</link>
            <description><![CDATA[Dudes,<br />
I just stood up this CNAME pointing to www.google.com.<br />
<br />
Google's extensive use of relative URLs means you can search (and navigate results) without being bounced back to the 'real' google.com domain.<br />
<br />
But...I wake up this morning and see a new form action on Google's home page-<br />
<br />
<pre class="bbcode">
   &lt;form action=&quot;http://www.google.com/search&quot; name=f&gt;</pre>
<br />
But from other locations I see the same form action that's been there for years-<br />
<br />
<pre class="bbcode">
   &lt;form action=&quot;/search&quot; name=f&gt;</pre>
<br />
Hmmm...do I just have bad timing or have Google's precog whitehats peered into my brain and squashed my DNS fun?<br />
<br />
If you want to try it out, search add-ons for FF and IE are available here-<br />
<br />
http://google-anon.com<br />
<br />
Holla at your boy,<br />
Charlie<br />
http://packetprotector.org]]></description>
            <dc:creator>ciscostu</dc:creator>
            <category>Privacy</category>
            <pubDate>Wed, 26 Aug 2009 05:41:23 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25622,25622#msg-25622</guid>
            <title>My Awesome ISP's Online Account Management (5 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25622,25622#msg-25622</link>
            <description><![CDATA[https://secure.sunflowerbroadband.com/billpay2/add<br />
<br />
Allows you to check your bill by entering your account ID. Thing is the numbers are incremented so you can find other accounts and view their info. This also allows you to verify the existence of a live account for more fun to come. (Note: many numbers will not work since many accounts will be deactivated due to this being a college town and residents constantly changing residences.) I would post an active account number to start off with, but would rather not post someone's info in case someone does something bad.<br />
<br />
Now the fun part. https://my.sunflower.com/mybbauth/login/register<br />
To make an account online all you need is the account ID. There is no other form of owner validation present. Doing so you can then create ISP email addresses for the account, view billing information in full, change billing preferences etc. If you are really nice you can even pay the person's bill =oP<br />
<br />
Of course I have called them and told them of this, but their reasoning is that the information is in the phonebook so it's not a privacy concern. I don't think they fully grasp the fact that someone can create email addresses to spam from, change someone's billing prefs so their bill is never received and worst of all this is a clear violation of the Cable TV Privacy Act of 1984 because they allow the divulging of PII of their customers not to mention allowing someone to also see their viewing habits according to channel subscriptions.<br />
<br />
They seem to have no idea what security and privacy is. When you call them on their customer service line they ask for the home address and then before any validation they divulge the account holder's name by saying &quot;Is this <i>John Doe</i>?&quot; Not to mention the passwords for the online accounts are not hashed because I called once about my bill not showing up and the support rep asked me if such and such was my password (64 char alphanumeric mixed password). He thought it was an error showing up. So it's great reps can see my password whenever they please...<br />
<br />
Sucks that I am stuck with them, but who's complaining...? O.O]]></description>
            <dc:creator>CrYpTiC_MauleR</dc:creator>
            <category>Privacy</category>
            <pubDate>Sun, 21 Dec 2008 05:01:49 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25512,25512#msg-25512</guid>
            <title>Proxy Detection (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25512,25512#msg-25512</link>
            <description><![CDATA[Hello everyone,<br />
<br />
As far as I know there is no trustworthy way to find out if a user uses a proxy, but there are some ways:<br />
<br />
1. Check SERVER headers and look for specific items<br />
2. Connect to the &quot;user/proxy&quot; IP and look for open ports that are common for proxies.<br />
3. Set a cookie trap.<br />
<br />
Using all these methods we can find some way to expose (lame) proxy users.<br />
I wrote a class with all these methods: http://security-net.biz/files/proxyCheck/proxyCheck.class.php.txt , I need to know what you think about this.<br />
<br />
If there are no headers that tell us that there is a proxy, we have these methods:<br />
<br />
2. Check for open ports, but this is not very good because we must scan a big range and some computers have open ports by default/needs.<br />
And there are some firewalls that can recognise this action as an attack.<br />
<br />
3. We can set a unique cookie for each user with the IP as value and check every time<br />
if that cookie has the same value each time.<br />
This is not good because the user can clear cookies or maybe there are some users who have a dynamic IP.<br />
<br />
<br />
What do you think? Is there some other way to check for proxies ... except some online services such as MaxMind or Samair.ru?<br />
<br />
<br />
Thanks,<br />
Ivan]]></description>
            <dc:creator>Ivan</dc:creator>
            <category>Privacy</category>
            <pubDate>Thu, 18 Dec 2008 13:26:31 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25511,25511#msg-25511</guid>
            <title>facebook.com + encryption + anonymity = devicecode.net? is it secure? (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25511,25511#msg-25511</link>
            <description><![CDATA[I am new to IT security, so maybe some expert can help me. I used enigmail (http://enigmail.mozdev.org/home/index.php) for a while. It's a gpg plugin for thunderbird. But I hate this key-ring management. Most of the public keys become out of date, and I switched to hushmail.com - a crappy and ugly webmail solution with email encryption. I am an idiot - I used it for over two months and then I read this article http://en.wikipedia.org/wiki/Hushmail - they have backdoors in their encryption and worked with the feds.<br />
<br />
Now I test device code (http://www.devicecode.net/). It's a kind of social network, but only with the basic features - contacts and profile management. But the real feature is the messaging encryption - they used a javascript encryption library (with rsa, aes and stuff) and encrypt your messages end-2-end. It's a mixture of facebook.com and hushmail.com. Short: facebook.com - girls - pictures (you cannot upload a picture of you??) + ugly design (colors?) + encryption + anonymity + ajax + javascript rsa 1024 bit key-generation (crazy and super slow :/ - works well only with chrome!).<br />
I try to debug the library with firebug to find a security issue (http://www.devicecode.net/about.php?topic=security), or just a chance to leak some information, but my javascript skills are too low. I cannot find any information about this service.<br />
<br />
Has any of you used it? If you look inside, there are only some people - but on irc I hear that some warez groups use it for their communication. Is it really possible to encrypt SECURELY with Javascript (I don't mean Vigenere / I talk about RSA)? Is there a way with XSS?]]></description>
            <dc:creator>djangoguy</dc:creator>
            <category>Privacy</category>
            <pubDate>Sun, 12 Sep 2010 12:57:12 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25345,25345#msg-25345</guid>
            <title>dynamic ip address history? (2 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25345,25345#msg-25345</link>
            <description><![CDATA[I don't have a static IP address with my ISP; I have a dynamic IP address, so it changes every few days. I noticed recently when I went to wikipedia it said they removed an entry that was made with my IP address, but I didn't, and I'm the only one who uses my PC, and a friend told me it's because my ISP uses dynamic IP addresses for its customers. <br />
<br />
So do these dynamic IP addresses have a history? Like, can ISPs tell who was using the dynamic IP address before I was, and how far back can the history go?]]></description>
            <dc:creator>coolboy1</dc:creator>
            <category>Privacy</category>
            <pubDate>Mon, 17 Nov 2008 10:00:48 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,25136,25136#msg-25136</guid>
            <title>TOR on the iPhone? (no replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,25136,25136#msg-25136</link>
            <description><![CDATA[Is it possible for TOR to work on the iPhone officially? I have read that TOR can be put onto a jailbroken iPhone, but TOR isn't listed in the iTunes app store, but if it was, would it work on the iPhone?<br />
 Anyone know anyone at TOR that is currently developing an official TOR iPhone app for the iTunes app store?]]></description>
            <dc:creator>coolboy1</dc:creator>
            <category>Privacy</category>
            <pubDate>Thu, 30 Oct 2008 17:56:34 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24921,24921#msg-24921</guid>
            <title>Data Warehousing Services (6 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24921,24921#msg-24921</link>
            <description><![CDATA[Hello,<br />
<br />
I was in the shower thinking how it's been a long time since I've gotten any so I figured I'd come spam your site from my host at 202-63-174-10.static.exatt.net.<br />
 <br />
I really don't think you're man enough to break through my host, but I look forward to you turning on my web cam for me.]]></description>
            <dc:creator>maria246</dc:creator>
            <category>Privacy</category>
            <pubDate>Tue, 17 Nov 2009 23:32:54 -0600</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24713,24713#msg-24713</guid>
            <title>Javascript Issue (3 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24713,24713#msg-24713</link>
            <description><![CDATA[Hi,<br />
<br />
I'm posting here looking for help in building a simple keylogger in JavaScript. I know that is possible and the method to retrieve is using a cookie.<br />
<br />
Could anyone highlight something for me?<br />
<br />
<br />
http://dicas3000.blogspot.com]]></description>
            <dc:creator>tribalmp</dc:creator>
            <category>Privacy</category>
            <pubDate>Wed, 01 Oct 2008 08:46:09 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24675,24675#msg-24675</guid>
            <title>file name encoding / decoding (4 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24675,24675#msg-24675</link>
            <description><![CDATA[Hi folks,<br />
<br />
This is my first post so forgive me if my question is &quot;out of bounds&quot;.<br />
I'm looking for an answer on how filenames I encounter are encoded.<br />
It looks like uploaded pictures have a systematic way of scrambling.<br />
Username and the image file number are part of it I'm sure.<br />
<br />
For instance a filename is built like this:<br />
<br />
USERNAME_randomlettersanddigits_filenumber.jpg<br />
<br />
so USERNAME_leo93nf83jsy6km_2.jpg<br />
(just examples)<br />
<br />
What I figured out already:<br />
- It's always the number of characters of the username plus 7 (might include the filenumber as well).<br />
- If the number of the file &gt;10 it adds up 2 characters in the scrambled filename.<br />
- All lowercase, letters and numbers<br />
- Deleting a file and uploading a new one gives the same encoded filename. So no random generator, date or time.<br />
<br />
Here are a couple of real filenames...<br />
<br />
LUNA6_4njuojf2aojzhs_49.jpg<br />
LUNA6_22nynfj66smf6h_50.jpg<br />
LUNA6_d9k5ligy9pp9hn_51.jpg<br />
<br />
MM_u40cn3pop_4.jpg<br />
<br />
BRIEVENBUSJE_46sdgtceowpjp3brnzk_2.jpg<br />
BRIEVENBUSJE_akijwwfgf0wgjsewnp0_8.jpg<br />
BRIEVENBUSJE_7pctf337zdjjzji6mzvz8_80.jpg<br />
<br />
It looks like a code to crack...<br />
<br />
Any suggestions?<br />
<br />
Thanks in advance.]]></description>
            <dc:creator>unicorn64</dc:creator>
            <category>Privacy</category>
            <pubDate>Thu, 25 Sep 2008 14:50:25 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24491,24491#msg-24491</guid>
            <title>SSN and criminal backgrounds free online (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24491,24491#msg-24491</link>
            <description><![CDATA[Need to do a background check on someone?<br />
<br />
Find their SSN!<br />
http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9114199<br />
Verify a name and SSN!<br />
http://www.ssa.gov/employer/ssnv.htm<br />
Search and find all criminal history using only name and/or city!<br />
http://www.criminalsearches.com]]></description>
            <dc:creator>ntp</dc:creator>
            <category>Privacy</category>
            <pubDate>Wed, 08 Oct 2008 16:38:12 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24455,24455#msg-24455</guid>
            <title>Is there any way to configure tor to do this? (1 reply)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24455,24455#msg-24455</link>
            <description><![CDATA[Now Tor has been running fine and I have all the right configurations to run it properly but I have a question. Is there a way to configure Tor so that you can stop Tor from automatically changing your IP (since it automatically changes in about 10 mins or less) and only change your IP when you click new identity?<br />
<br />
thank you]]></description>
            <dc:creator>tharms15</dc:creator>
            <category>Privacy</category>
            <pubDate>Fri, 26 Sep 2008 05:54:27 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,24027,24027#msg-24027</guid>
            <title>Opt out of double click cookies (no replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,24027,24027#msg-24027</link>
            <description><![CDATA[Not seen it much in the news but I noticed it on a blog I read. It's possible to opt out of the doubleclick tracking cookie which collects browsing habits. <br />
<br />
http://www.google.com/privacy_ads.html<br />
<br />
http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html]]></description>
            <dc:creator>Gareth Heyes</dc:creator>
            <category>Privacy</category>
            <pubDate>Tue, 12 Aug 2008 16:08:51 -0500</pubDate>
        </item>
        <item>
            <guid>http://sla.ckers.org/forum/read.php?15,23530,23530#msg-23530</guid>
            <title>Banks training their users to become phishing victims. (7 replies)</title>
            <link>http://sla.ckers.org/forum/read.php?15,23530,23530#msg-23530</link>
            <description><![CDATA[Just logged into my online account on halifax&gt;co&gt;uk to see:<br />
<br />
&quot;Please update your contact details&quot;<br />
<br />
A screen I've never seen before, which made me instantly concerned, asking for personal information.. looking at it in detail.. I also notice that the URL for this page, and all the account management is now halifax-online&gt;co&gt;uk ... &quot;omg how has someone pulled this off, this MUST be a scam.&quot;..<br />
<br />
I read the page, and it says further down &quot;Halifax may contact you to confirm your online activity, if we do not get a response we may suspend your online account&quot;... woah.. that could be taken straight from a phishing email, this can't be real, but I typed the URL myself, and this is a fresh install of Firefox 3.0, it can't be compromised already.<br />
<br />
It turns out... that all of this is genuine. The site is SUPPOSED to work like this. It's supposed to redirect you to another domain without warning, supposed to ask you to enter random bits of information, and supposed to enforce the oldest trick in the phisher's arsenal, telling you that if you don't respond to unsolicited contact from the bank, YOU may lose out by having your accounts blocked.<br />
<br />
Surely someone, somewhere, deserves firing over something like this... But I bet they won't be.]]></description>
            <dc:creator>Jeffuk</dc:creator>
            <category>Privacy</category>
            <pubDate>Sun, 03 Aug 2008 10:10:53 -0500</pubDate>
        </item>
    </channel>
</rss>
