Web Bugs Trained to Track Your E-Mail

March 8, 2008 – 6:37 PM

The tracer software that Hewlett-Packard investigators used to try to sniff out boardroom leaks sounded like it had been ripped from the pages of a bad science-fiction novel. That is, until the company began talking about it in detail at a congressional probe into the spying scandal.

The technology tool the company used, called a Web bug, is designed to allow e-mail senders to track the path a message takes, including whether a recipient opens the message and forwards it to another party. And it turns out the technology is widely used in e-mail newsletters to track readers and also by law enforcement in investigations, security experts say.

A spokesperson for the California attorney general’s office said that HP’s use of Web bugs is not linked to the October 4 charges of five people, including former HP chairperson Patricia Dunn and contractors, on allegations that they used false pretenses to access individuals’ phone records. That case is about the practice of so-called pretexting.

However, HP’s boardroom leak investigation did use the Web bug technology as part of an unsuccessful attempt to trick a journalist for CNet Networks into revealing her confidential source on the company’s board of directors, according to HP security investigator Fred Adler, who testified at a U.S. congressional subcommittee hearing on September 28. (Adler was not one of those named in the California charges.)

Prior to Adler’s testimony, it was unclear what technique HP had used.

You’ve Already Been Bugged

Richard Smith, an information security expert who founded Boston Software Forensics, says that most people who use the Internet have been subject to Web bugs. “Any kind of commercial e-mail is probably going to have them in there,” he says.

HP turned to a small Australian company called ReadNotify.com to help track the e-mail messages. ReadNotify tracks both e-mail and Microsoft Office documents. It will tell when the e-mail you sent was read, and will guess the location of the recipient, based on the reader’s IP address.

The ReadNotify service is popular in law enforcement and also in industrial espionage investigations, said Chris Drake, ReadNotify’s chief technology officer.

In an e-mail exchange, Drake said that he was informed of the HP case by the media, adding, “This is an extremely common and effective use of our technology.” Drake said his company believes such use is legal in Australia, as well as in the United States.

How They Work

Here’s how Web bugs operate: The bug’s author puts an image on a Web server and assigns the image a unique Web site address, or URL, and then sends an e-mail that contains a link to this image. The image can be hidden from sight or displayed in plain view–a corporate logo, for example.

When the recipient opens the e-mail, that person’s computer looks up the image and in doing so sends that information to the Web server. Another way of implementing the tracking technology is for ReadNotify users to add ‘.readnotify.com’ to the end of the recipient’s e-mail address.
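The mechanism described above can be checked for from the recipient's side. The following is an added example, not code from the article or from ReadNotify: it lists every image an HTML message would fetch from a remote server when opened and notes why each one could act as a Web bug. The sample message, host names and the "long hex run means per-recipient ID" heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; hosts and tokens are made up.
SAMPLE_HTML = """<html><body>
<p>Quarterly newsletter</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://img.example.com/static/banner.png" width="600" height="120">
<img src="https://track.example.net/o.gif?id=7f3a9c21d4e8b6a0" width="1" height="1">
<img src="https://track.example.net/logo/5b1e44c09a7d.png" style="display:none">
</body></html>"""

# Heuristic (assumption): a long hex run in the URL is a per-recipient ID.
TOKEN = re.compile(r"[0-9a-f]{12,}", re.I)

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the message."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def find_web_bugs(html):
    """Return (url, reasons) for each image that triggers a remote fetch."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images travel inside the message itself
        reasons = ["remote"]  # any remote fetch reveals open time and IP
        if img.get("width") in ("0", "1") or img.get("height") in ("0", "1"):
            reasons.append("tiny")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if TOKEN.search(url.path + "?" + url.query):
            reasons.append("unique-token")
        findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML):
        print(", ".join(reasons), "->", src)
```

Because a visible logo works as well as a hidden pixel, the only reliable mitigation is a mail client that does not load remote images at all.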

While Drake characterized ReadNotify’s e-mail tracking tools as sophisticated, security consultant Smith noted that the tools use the same techniques as other Web bugs.

Are They Legal?

When the question of whether Web bugs are legal has been tested in the United States, courts have tended to focus on whether this type of technology violates federal wiretapping laws, says Chris Jay Hoofnagle, senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley.

Hoofnagle says state courts could take up the issue of Web bugs, considering the existence of antihacking laws in states such as California. California law prohibits certain uses of computer resources without the permission of the user, and nobody knows for sure whether HP’s actions would violate this law or similar statutes in other states, Hoofnagle says. At the hearing before House Energy and Commerce Committee members, HP’s Adler said his company had used Web bugs “a dozen to two dozen” times in the three years he had worked there and considers them to be a legitimate investigative tool.

http://www.pcworld.com/article/127444-1/article.html?tk=nl_dnxnws

New Web browser makes privacy pitch

March 8, 2008 – 6:36 PM

A new entrant to the crowded Internet browser market is attempting to put privacy issues centre stage by stressing it will not retain details of the websites it has visited.

The Browzar software has been specifically designed to protect users’ privacy, the company said, implying that the other main browsers do not.

Most browsers like Microsoft’s Internet Explorer automatically save users’ searches in Internet caches and histories. Users have the option of deleting the history folder and emptying the Internet cache, but most users either don’t know how to or tend not to, leaving a trail of where they’ve been online behind them in the browser.

Browzar is being officially launched today at Browzar.com. It is free and users don’t have to register. It automatically deletes Internet caches, histories, cookies and auto-complete forms, and is the brainchild of Ajaz Ahmed, the man behind Freeserve, the first UK Internet service provider (ISP) to offer free Internet access to customers in the late 1990s. He sold Freeserve – which quickly became the UK’s largest ISP – to France Telecom in 2001 for £1.6 billion.

“Privacy is becoming a bigger issue,” Ahmed said, pointing to the recent leak of more than 20 million user search queries by AOL. “The AOL story highlights the issue that some of the things people are searching for are very, very personal.”

The Browzar site contains a page of stories from users who have either discovered things they would rather not have known about their friends and loved ones through their Web browser’s history or auto-complete feature, or who have had information revealed that they would have preferred kept private. For example, Ahmed cited a statistic that 35 percent of people using matchmaking websites are already married.

While Freeserve was focused on the needs of the UK market, Ahmed hopes Browzar will have global appeal, particularly anywhere users are going online on shared computers, for instance, at Internet cafes.

Browzar is small, 264Kb, and downloads within a few seconds. The browser is currently available for Windows and Ahmed plans versions for Mac OS and Linux. It is still in beta testing and should enter general availability some time next month.

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=6752

Sophos Offers Free Rootkit Detection Tool

March 8, 2008 – 6:36 PM

There’s a new free tool to help PC users root out rootkits. Called Sophos Anti-Rootkit, the software from Sophos will detect and remove both known and unknown rootkits, and it will also warn system administrators if removing the software might harm operating system integrity.

Rootkits are a collection of tools used by hackers to gain administrative privileges on compromised machines. They are typically used to help hide other forms of malware–keyloggers or Trojan horse programs, for example–from antivirus software.

Rootkits Hit the Big Time

Late last year, Sony BMG Music Entertainment helped to make rootkit a household word, after the company was forced to recall millions of CDs that used these cloaking techniques to hide its copy protection software. Sony’s rootkit, which was installed when customers tried to play CDs, actually compromised PC security. Hackers eventually released malicious software that used Sony’s software to hide itself on a PC.

Sophos Anti-Rootkit works with the Windows NT, 2000, XP, and Windows Server 2003 operating systems. The software features a graphical interface to help guide users through the process of detecting and removing the malicious software.

Since the Sony fiasco, the security industry has paid more attention to the rootkit problem and there are now a number of free utilities designed to identify this type of software. Other tools include RootkitRevealer, GMER and IceSword.

http://www.pcworld.com/article/126897-1/article.html?tk=nl_dnxnws

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

March 8, 2008 – 6:35 PM

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page, JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.

This scenario is no longer one of fiction.


Source: http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html

Could Your Keyboard Spy on You?

March 8, 2008 – 6:34 PM

Researchers say that small devices called “JitterBugs” could piggyback onto network connections to discreetly send passwords and other sensitive data over the Internet.

Like the current keylogger hardware used by the FBI and criminals alike to record passwords and other data, JitterBugs are small devices that attach to a keyboard and record what users type. Unlike current keyloggers, which store the data to internal memory, JitterBugs do not have to be retrieved before captured data can be read.

Although no such device has been found “in the wild” yet, researchers have developed a working prototype, and they postulate that similar ideas may have already been used in unnoticed attacks.

Researchers Theorize

In a paper titled “Keyboards and Covert Channels,” University of Pennsylvania grad students explain that the device could encode data in keystrokes by introducing an extra delay between when a key is pressed and when the keyboard tells the computer that the key has been pressed. (Read the paper in PDF format.)

In applications such as telnet and remote desktop, a packet is sent every time a user presses a key. By causing calculated “jitters” in keyboard input while such a program is running, a JitterBug could slightly delay data sent over the network. Certain amounts of delay could represent a 1 or a 0 in each packet that is linked to keyboard use, allowing an attacker to send secret information in otherwise innocuous data without modifying software or initiating any new connections.

Although 1 bit per packet is not a great deal of space, an application like telnet could send enough packets to transmit a password or another small, important piece of data.

To intercept this data, a spy would need to use a packet sniffer to intercept a connection from the target computer. This would require that the attacker have access to a network somewhere between the victim and the victim’s destination–not a trivial goal, but probably easier than attaching the JitterBug in the first place.

Even if the connection were encrypted, data encoded in the delays would likely be visible to an attacker. Although additional delays could ruin the careful pattern introduced by the JitterBug, the device has some level of tolerance for this issue.
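Because the hidden data lives only in packet timing, a network monitor can look for it there. The following is an added example, not code from the article or the paper: it tests whether the gaps between keystroke packets line up on a fixed timing grid. It assumes an encoding in which each gap, taken modulo a window w, sits near 0 for one bit value and near w/2 for the other; the article does not specify the scheme, and the candidate windows, tolerance, threshold and sample gaps are all constructed for illustration.

```python
# Constructed inter-packet gaps in milliseconds for one interactive session.
NORMAL_GAPS = [143, 87, 211, 95, 176, 64, 133, 258, 109, 187, 72, 151]
# Constructed gaps that sit on a 20 ms grid, blurred by a little network jitter.
CHANNEL_GAPS = [140.4, 90.7, 219.2, 100.9, 170.3, 59.1,
                130.6, 260.8, 109.5, 180.2, 70.9, 150.4]

def aligned_fraction(gaps_ms, window_ms, tol_ms):
    """Fraction of gaps within tol_ms of a multiple of window_ms / 2.

    Under the assumed encoding, both bit values land on multiples of the
    half-window, so ordinary typing should score near 2 * tol / half.
    """
    half = window_ms / 2
    hits = 0
    for gap in gaps_ms:
        r = gap % half
        if min(r, half - r) <= tol_ms:
            hits += 1
    return hits / len(gaps_ms)

def suspicious_windows(gaps_ms, candidates=(10, 20, 40),
                       tol_frac=0.075, threshold=0.8):
    """Return the candidate windows whose grid most gaps fall on.

    tol_frac scales the tolerance with the window so that the chance score
    for ordinary typing stays the same (about 0.3) for every candidate.
    """
    return [w for w in candidates
            if aligned_fraction(gaps_ms, w, tol_frac * w) >= threshold]

if __name__ == "__main__":
    for name, gaps in (("normal", NORMAL_GAPS), ("channel", CHANNEL_GAPS)):
        print(name, suspicious_windows(gaps))
```

A real monitor would need far more than a dozen packets per session before treating a high score as meaningful, since short samples can line up by chance.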

Worked Great in Tests

Researchers say that in tests, the JitterBug was able to transmit data from the University of Pennsylvania to the National University of Singapore fairly reliably.

Researchers believe that such devices could pose a security threat not only because they are difficult to detect and they work across a wide variety of software and hardware, but also because they could be inconspicuously deployed on a large scale.

In what the paper’s authors term a “supply chain attack,” manufacturers would build a JitterBug into their keyboards. Such a vulnerability would be extremely difficult to detect–neither the keyboard nor the victim’s computer would appear to be doing anything unusual–but anyone who knew of the devices could decode the data they sent, getting backdoor access to thousands of computers.

This threat, however far-fetched, seems particularly relevant in light of the U.S. government’s decision in May to use computers built by Lenovo only for processing unclassified data. The Chinese government owns 28 percent of Lenovo, information that sparked fears of espionage. As it turns out, numerous keyboards are also manufactured in China.

http://www.pcworld.com/article/126680-1/article.html?tk=nl_dnxnws