Reveal TinyURL Links

January 15, 2009 – 1:31 PM

TinyURL is a very handy service for shortening long URLs, but it can also be used maliciously. Anyone who wants to hide where they are sending you can generate a TinyURL, and you will not know where you will end up until you arrive. It could be a phishing site. It could be a site that tries to install malware as soon as the page loads. It could be an advertising site. It could be an e-commerce site with a hidden affiliate ID, so that the link sender gets paid if you stay and purchase something. There are countless ways that TinyURLs can trick you.

I’ve been looking for the best way to reveal these links before actually visiting the final page.  Here is a quick summary of the options that are available:

Firefox Plugins

Long URL Please – This is an experimental plugin that replaces short URLs in the page with the originals, so you can see where links actually point.

Example:

Before:
[image: longurlbefore]

After:
[image: longurlafter]

LongURL Mobile Expander – This is another experimental plugin that displays the true URL in a popup title box when you hover your mouse over the link.

Example:

[image: longurlmobileexpander]

Greasemonkey Scripts (Firefox still required)

TinyURL Popup Preview – This script displays a title popup whenever you are hovering your mouse over a TinyURL link.

Example:

[image: tinyurlpopuppreview]

Tin Foil Hat – This script looks up the real destination of each shortened link and displays it in the link’s tooltip.

Example:

[image: tinfoilhat]

Bookmarklets (work in all major browsers)

Embiggen – Embiggen uses a Dapper service to expand any mysterious TinyURLs into their full version.

Bookmark this link and run on demand:
Embiggen

Example:

Before:

[image: embiggenbefore2]

After:
[image: embiggenafter]

Hmm, these are great for the browsers, but what if I get a TinyURL link via email or in an IM window? I won’t have a chance to “reveal” it before I get redirected. Problem solved: TinyURL itself offers a Preview option. When enabled, TinyURL places a cookie on your machine, stops the immediate redirect, takes you to the TinyURL Preview page and shows you the URL you are being redirected to. You can then choose whether or not to continue.

Enable TinyURL Preview:
http://tinyurl.com/preview.php?enable=1

Disable TinyURL Preview:
http://tinyurl.com/preview.php?disable=1

Remember that this is controlled by a cookie. You have to allow the cookie and set the preference separately in each browser and on each machine you use.

Preview Example:

[image: tinyurl]
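The add-ons and the Preview cookie above only help inside a browser. For a link that arrives by email or IM, the same check can be scripted. The Python below is an added example, not part of the original post: it issues HEAD requests with redirects disabled and walks the Location chain, so no page content from the destination is ever loaded. The fetch function is injectable for testing; `FAKE_RESPONSES` and the hosts `short.example`, `track.example` and `loop.example` are constructed stand-ins, not real services.

```python
"""Reveal where a shortened link leads without loading the destination page."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib to surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_status_and_location(url, timeout=10):
    """Live fetch: HEAD the URL and return (status, Location header or None).

    Only headers come back, so scripts, drive-by payloads and affiliate
    cookies served by the destination are never processed.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects suppressed, urllib raises HTTPError for 3xx too;
        # the Location header is still available on the exception.
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_status_and_location, max_hops=10):
    """Follow the redirect chain starting at url.

    Returns {"chain": [...], "final": last URL, "stopped": "ok"|"loop"|"max_hops"}.
    max_hops is an assumed sane bound; a longer chain is itself suspicious.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": chain[-1], "stopped": "ok"}
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final": nxt, "stopped": "loop"}
        seen.add(nxt)
    return {"chain": chain, "final": chain[-1], "stopped": "max_hops"}


# Constructed responses standing in for a shortener and a tracking redirector.
# These hosts and paths are made up for the offline demonstration.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://track.example/r?id=7"),
    "http://track.example/r?id=7": (302, "/landing"),
    "http://track.example/landing": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    """Offline substitute for head_status_and_location."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://loop.example/a"):
        result = expand(start, fetch=fake_fetch)
        print(result["stopped"], " -> ".join(result["chain"]))
```

Calling `expand("http://tinyurl.com/...")` with the default fetch does the live lookup. Some servers answer HEAD with 405; for those, a GET whose body is discarded before reading gives the same headers. The full chain is worth keeping rather than just the final URL, since an intermediate tracking redirector is often the interesting part.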

Encryption programs open to kernel hack

January 15, 2009 – 11:24 AM

Many popular Windows encryption programs that hide files inside mounted volumes could be fatally compromised by a new type of attack uncovered by a German researcher.

According to a paper published by Bernd Roellgen, who also works for encryption software outfit PMC Ciphers, such OTFE (on-the-fly encryption) programs typically pass the password and file path in the clear to a device driver through the Windows API function ‘DeviceIoControl’.

Although it is impossible for a malicious program to get hold of this data directly – a competently-written encryption program will overwrite memory locations caching this data – it could be retrieved if the attacker has found a way to compromise the Windows kernel itself.

In the attack, which Roellgen dubs the Mount IOCTL (input/output control) attack, an attacker would need to substitute the kernel’s DeviceIoControl function with a modified version that logs I/O control codes, in order to find the code used by an encryption driver. Once found, the plaintext passphrase used to encrypt and decrypt a mounted volume would be exposed.

Source:
http://www.networkworld.com/news/2009/011509-encryption-programs-open-to-kernel.html?fsrc=rss-security

Symantec Gets Good Vibes From Virtualized Browser

January 14, 2009 – 6:42 PM

Security vendor Symantec is using new virtual machine technology to protect Web surfers from online attack.

Called Vibes, the software bounces between three different virtual machine sessions, depending on what the user is doing on the Web. When Vibes spots the SSL (Secure Sockets Layer) protocol used for secure Web transactions, it puts the user into a “trusted” virtual machine designed for things such as logging into banking sites. If the user starts running untrusted applications off the Web, then Vibes moves into a “playground” virtual machine where untrusted software can be run.

There is also a regular “user” machine mode for most day-to-day Web surfing.

Because Vibes runs inside a virtual machine, even if the user somehow installs malicious software on the PC, the virus can’t access anything important and it disappears when the virtual machine session is closed. “We want to prevent malicious programs from damaging end-users’ machines,” said Tzi-cker Chiueh, a senior director with Symantec’s research labs, at a press event in Mountain View, California, on Wednesday.

Source:
http://www.pcworld.com/article/157082/symantec_gets_good_vibes_from_virtualized_browser.html?tk=rss_news

TOP 25 Most Dangerous Programming Errors

January 13, 2009 – 4:22 PM

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS’s National Cyber Security Division and NSA’s Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University. MITRE and the SANS Institute managed the Top 25 Errors initiative, but the impetus for this project came from the National Security Agency, and financial support for MITRE’s project engineers came from the US Department of Homeland Security’s National Cyber Security Division. The Information Assurance Division at NSA and the National Cyber Security Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion. “There appears to be broad agreement on the programming errors,” says SANS Director, Mason Brown, “Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”

Source:
http://www.sans.org/top25errors/

Foxmarks Uses Vulnerable MD5 Certificates

January 13, 2009 – 5:57 AM

I decided to try the ever popular Firefox plugin called Foxmarks that lets you sync and back up your bookmarks and passwords across multiple computers. I didn’t feel comfortable using the password sync quite yet, because it will take me a while to trust a third party with that kind of information, but I did want to try the bookmark sync and see what all the hype was about. I got it downloaded and installed and started the registration process through the browser interface; when you are done, it sends an email to verify that you’ve given a real email address. I got the email a few seconds later, clicked the verification link, and another Firefox plugin I have, called SSL Blacklist, alerted me with this error:

[image: foxmarks_md5]

Yep, Foxmarks is still handing out vulnerable MD5 certificates, which are now known to be even more vulnerable than ever. I certainly do not want to be sending all my account information and website passwords over to their servers now. I think I’ll explore the other option they have that allows you to store your information on your own servers (SSL via SHA1 hashes). I would trust that a lot more.

Note: This problem has since been fixed. See the comments.
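The alert above comes from inspecting the certificate’s signature algorithm. Below is an added example, not part of the original post and not the SSL Blacklist add-on’s own code, that performs the same check in Python with only the standard library: a minimal DER walker reads `Certificate.signatureAlgorithm` (the second element of the outer SEQUENCE, per RFC 5280) and flags the MD-family OIDs. `sample_certificate` builds a constructed stand-in with a dummy body and signature so the check runs offline; `check_server` is the live variant built on the `ssl` module. SHA-1 was acceptable when the post was written but is classed as deprecated here, since SHA-1 certificate signatures have since been retired by browsers.

```python
"""Flag X.509 certificates signed with an MD-family hash, using only the stdlib."""
import ssl

# OID -> name for common signature algorithms (PKCS#1 RSA family and one ECDSA).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# The post's concern is MD5; SHA-1 signatures are treated as deprecated today.
WEAK = {"md2WithRSAEncryption", "md4WithRSAEncryption", "md5WithRSAEncryption"}
DEPRECATED = {"sha1WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Return the OID in Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier
    tag2, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])


def check_certificate(der):
    """Classify a DER certificate's signature algorithm."""
    oid = signature_algorithm(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    return {"oid": oid, "algorithm": name,
            "weak": name in WEAK, "deprecated": name in DEPRECATED}


def check_server(host, port=443):
    """Live variant: fetch the server's leaf certificate and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test data (not a real certificate) -------------------------
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _oid_bytes(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = [40 * nums[0] + nums[1]]
    for v in nums[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Outer Certificate shape with a placeholder body and signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                           # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, _oid_bytes(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)                                   # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_certificate(sample_certificate(oid)))
```

The check reads only the outer structure, so it works on any well-formed DER certificate regardless of extensions. Note that it classifies the leaf certificate’s own signature; a chain is only as strong as its weakest intermediate signature, so a thorough check walks every certificate the server sends.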