Friday, July 29, 2011

Browse the Planet: Anonymously

Big Brother got you down? Really really really want to watch the latest episode on Fox but, alas, you are not in the United States so you get the "I am sorry but you are not cool enough to watch this" page. Want to listen to Pandora while overseas? Or just don't want 'the man' to know where you are, or what you as a person are searching on?

Enter: CyberGhostVPN

Now there are a bazillion types of VPNs/proxies around the internet. I am not saying CyberGhostVPN is the best; however, it's free to try and allows 1GB of traffic. The free option is not good for you people who like to **cough** torrent, but it's good when you are in a coffee shop and want to check your e-mail/Facebook quickly. This also protects you from people sniffing the wifi, as your connection to the VPN server is encrypted with a 128-bit AES key. This key is re-established every time you connect, so at every coffee shop you visit your key is different. One thing to keep straight, though: that encryption covers only the hop between you and the VPN server. Past that point the provider (and anyone who compromises or compels it) sees your traffic exactly as the coffee shop would have, unless the site itself uses HTTPS. You are not removing the party who can watch you, you are picking which one.

Below are the steps for getting GhostVPN running:

1. First you need to download the software (duh). You can grab it here: https://cyberghostvpn.com/en/product/download.html
The MD5 hash for version 4.7.0.0 is: 6576ca7fa2a048fb1356d149b0e39e81
HOW TO CHECK THE VERSION: Right click on the downloaded program icon, go to Properties, then click the Version tab.
WHAT IS AN MD5: MD5 is a one-way hash function which produces a (unique enough) hexadecimal string for a file. It's useful for checking that the file you downloaded is the one the publisher released and was not corrupted or swapped somewhere along the way. Two caveats a careful person should keep in mind: the check only proves something if the published hash came from a place the attacker could not also edit (a hash printed on the same page as the download adds nothing if that page is the thing that got compromised), and MD5 collisions have been practical for years, so a publisher who cares should be giving you SHA-256 as well. With Windows you have to download a program to compute an MD5; I like this one. You do not HAVE to do this, it's optional!

2. You also need to create an account: http://cyberghostvpn.com/page/registration.php. This means you need to submit an email (it can be real/fake, up to you) and also create a username and password. Note if you give a fake email and you forget your password, you are SOL.

3. OK--- click on the downloaded file icon (right) and awayyy we go!

4. Choose the language you prefer, click Next.

5. You also have to decide where you want to save the program to, where you want to place the program in the Start Menu, or if you want a QuickLaunch icon and/or a Desktop icon. Generally the defaults are good.
* The screenshot to the right is the GhostVPN installing a driver on the machine, if you do not allow it, the VPN will not work*

6. Restart your computer... see you in a few

--- minutes pass ---

7. When you click on the snazzy GhostVPN icon, you have the option of creating your account now or skipping ahead to the log-in.

8. For first-time setup, you can specify which mail services you use in your mail programs (like Yahoo!, Gmail, Microsoft, etc.), as GhostVPN by default blocks the ports those mail clients use.

9. You also have the option of choosing the server you wish to log into (with the free account you really don't have a choice) and whether you want your history and cookies deleted after you close the browser. This last option is only available with IE.

10. Finally, log in using your username and password. The login connection is protected with SSL; the "1024-bit" figure the client advertises refers to the RSA key used in the handshake, not the cipher protecting your traffic, which is the 128-bit AES key mentioned above. Feel the love.

11. OK, so you are not connected YET. It's pretty obvious from the big red bang (!) and the YOU ARE NOT ANONYMOUS text. To fix this, click the 'Connect to VPN' button...

12. ... and voilà! You are now connected. As you can see I am connected to a German IP (check the flag). To prove this, I browsed to Google and ta da! Guten Tag, Deutschland!

So if you love this service, you can choose from 3 different options, each increasing the bandwidth as well as traffic allowance. You also get the ability to choose what servers you want to connect to. So, those IP based web sites beware!!
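Step 1 above tells you to compare an MD5 against the published value; here is what that check looks like when scripted, as an added example that is not part of the original post or of CyberGhost's software. Everything in it is an assumption for illustration: the function names, the choice to hash the file in chunks, and the sample file (three bytes, written to a temp file by `demo()`) whose MD5 and SHA-256 are the well-known test vectors for the string "abc".

```python
"""Verify a downloaded file against a published hash.

Added example, not from the original post or from CyberGhost. The helper
names and the sample data are assumptions made for the illustration.
"""
import hashlib
import hmac
import os
import tempfile

# MD5 is kept because that is what the download page publishes; SHA-256 is
# what you should prefer when the publisher offers it.
SUPPORTED = ("md5", "sha1", "sha256")


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    if algo not in SUPPORTED:
        raise ValueError("unsupported algorithm: %s" % algo)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algo="sha256"):
    """Return True only if the file's digest matches the published hex string.

    The published value is stripped and lower-cased first, because hashes are
    routinely copied off web pages with stray whitespace or upper-case hex.
    The comparison is constant-time; that does not matter for a local file
    check, but it is the habit to have when the same helper ends up server-side.
    """
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: write b"abc" to a temp file and check it three ways.

    Known digests of "abc":
      MD5    900150983cd24fb0d6963f7d28e17f72
      SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    The "tampered" case flips the last hex digit of the MD5 to show a mismatch.
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return {
            "md5_ok": verify_file(path, "900150983cd24fb0d6963f7d28e17f72", "md5"),
            "md5_tampered": verify_file(path, "900150983cd24fb0d6963f7d28e17f73", "md5"),
            "sha256_ok": verify_file(
                path,
                " BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n",
                "sha256",
            ),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The pattern to copy is the chunked read and the normalisation of the published value; the algorithm is a parameter so the same helper works once the publisher starts printing SHA-256 next to the MD5.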

Bring Your Phone to Work Day... or Not

I never complained about my Blackberry. Well, maybe a few times-- there was this one time the battery inexplicably died and I had to return the entire phone to our distribution center (oddly enough cell phone stores in Germany did not carry the battery... I found this perplexing and utterly annoying). However, despite this, I was grateful that I had a phone which usually worked, had the internet and e-mail at my fingertips, and I never saw a phone bill.

But ohhhh how I wanted an iPhone :( I would drool with envy when I saw all the apps my friends had on their phones, and the usability of the thing. Why don't more corporations use Androids and iPhones? (ironically enough Symantec started allowing iPhones right before I left, figures)

It seems I am not the only one who feels this way. In a report released by ComputerWorld, half of the workers surveyed (only 500 total, not a large sample) would prefer to have a choice of which mobile device they use for work. Some were even willing to give up perks, including -gasp- paid leave days, to get it.

So now the question remains, why can't we? Are Blackberries more secure than the other two? Everyone remembers last year's big to-do in the Middle East, with countries like the UAE and Saudi Arabia banning the devices because messages are encrypted and routed through RIM's servers, where the local governments could not read them. Read: they wanted the keys so they could be on the lookout for terrorists and other nefarious actors. Blackberry also allows certain functions to be disabled on corporate phones. For example I was not allowed to post pictures to FB from the app (however I could go through the web site rather than the app to get around that). Can the same be done on the other platforms? Like an ACL for mobile devices?

The apps available on the other two platforms, though, are astonishing, and really could help increase the efficiency of the worker. Apps which aid in PowerPoint presentations, brainstorming, chatting, blogging, etc. are everywhere. Apple also offers in the US something called the App Store Volume Purchasing for Business. With this, companies can buy in bulk the applications they want their employees to use, thereby gently steering them towards work-friendly and approved apps. Apple also offers to have custom apps built for your company which can link to back-end business databases to further empower mobile workers. Neat.

How about Android? It seems like Android has a ways to go in terms of business applications, although there are a few handy ones around. I would not call them 'business focused' as a lot of them I thought would be great for personal use, especially keyring.

How about security? iPhones are of course a serious target for hackers (I even blogged about one earlier this month) due to their popularity. If a corporate iPhone is popped, what threat is there to the corporate back end? I suppose it depends on what is stored on the iPhone (usernames/passwords/IP addresses/corporate files), and whether the phone holds VPN or mail credentials that reach inside. It is possible to run Metasploit and nmap on a jailbroken iOS device...

Android also seems to have its share of nefarious woes, especially with nasty apps. This shows all phone makers the need for a robust vetting process when allowing apps to be sold on the official application store. If you jailbreak it... well it's kinda your own fault for just blindly trusting. Of course, don't we do that all the time? Oh man, such a conundrum!

McAfee offers some protection for Android and Apple mobile users via its Mobile Security Division. This is what $30/year gets you:
  • Backup and data restoration;
  • Remote locking;
  • Alarms in case a device is stolen;
  • Remote data removal;
  • Anti-malware software and phishing detection;
  • A portal to manage multiple devices.
McAfee also has a $20 option called WaveSecure which seems to be more about tracking and wiping in case the phone is stolen/lost... still, it is a step in the right direction. Strangely enough its website does not say it supports iOS, however I found the app in the App Store. It even works for Blackberry!

Hey-- yeah Blackberry, what about them? A quick perusal did not reveal too much, however I know the golden egg would be hacking the BES (Blackberry Enterprise Server). This one was disclosed earlier this month. That is not to say the device itself is a bastion... here is the vulnerability that was used at Pwn2Own earlier this year.

I think limiting phones comes down to money and streamlining. Tying users to one phone type means fewer headaches for the IT staff and a much easier time managing the fleet. Regardless, steps need to be taken to protect the devices and the servers behind them to ensure they are as secure as they can reasonably be. At the end of the day, it's a corporate device-- if you don't like it I guess you gotta get your own phone. And don't connect it to the work network-- for the love of God.

Friday, July 22, 2011

Razors vs Lasers: Vision Surgery Explained


Today I headed into town to see if I qualify for corrective eye surgery. After the rigorous testing, including the ever-dreaded air puff test (which measures pressure and tests for glaucoma), I got to sit down and have my options laid out for me.

Laser-Assisted Sub-Epithelial Keratectomy (LASEK is a bit easier to say) is the type of eye surgery I remember from the earlier days. With this the epithelium- a thin layer of cells separating the external (the air) environment from the internal (your inner cornea) environment - is weakened with an alcoholic solution and then removed from the laser treatment area, and then replaced after the cornea has been reshaped using an excimer laser (which uses UV light) or a microtome (I wish I could use a better analogy than a razor, but sorry, it's the best I can do). The epithelium regrows itself quickly; the inner cornea however does not regrow. This is a good thing, because it was just reshaped to improve your vision. This is also why, however, you have to dress like a pirate while sleeping for your first week or so, because the last thing you want is to rub your eye and move the epithelium around and distort your vision. NOT a good wake up.

Laser-Assisted In Situ Keratomileusis (LASIK in this case) is the more popular method now. Instead of removing the epithelium, a flap is created and then replaced after the surgery is completed. How is this flap created... with a microkeratome (so still with a blade... ick). However, with this flap method recovery is a bit quicker. The cornea is again blasted (maybe not the best choice of words, but Wikipedia uses "vaporize", which I don't find any more reassuring) with an excimer laser. You still have to sleep like a pirate, however, because the flap is also prone to being jostled if you rub your eyes.

Custom Wavefront: So... contacts and glasses are not really specifically created for your eyes. Based on the shape of your cornea the optometrist determines the best power lens for you and gives you that, of course accounting for things like astigmatism as well. Regular LASEK/LASIK works the same way. Wavefront technologies however, give the laser a specific layout of your eye (more points of reference if you will), therefore giving you a more customized eye surgery. This means you get better vision than if you went with standard eye surgery (and surprise, it costs more). According to one website, "surgeons can use Wavefront surgery to identify, measure and correct individual's eyes 24 times more precisely than with conventional methods used for glasses and contact lenses"(opticalexpress.co.uk). This is also highly recommended if you have aggravated conditions of astigmatism, myopia, or hyperopia.

IntraLase: Does the thought of little razors near your eye freak you out? Well, for more money (of course) you can have a laser create the flap for LASIK rather than a microtome.

You can do a Youtube search and find LASIK/LASEK surgery videos so you can get a better understanding of exactly how the procedure works. Or you can watch the video below. I will warn you its a bit graphic, but personally I would rather know what is going on, like I said its your vision, which is pretty important.


One of the most important things is that if you wear contacts, you do not wear them for a week before surgery. Contacts actually morph the shape of your cornea (freaky), so if you wear contacts the day before and then go in for surgery, you run the risk of too much or too little being vaporized/blasted off. When dealing with something like eyesight I don't think this should be taken lightly. Hard contacts are worse, and the industry suggests not wearing those for a month before surgery. Ouch.

So-- a concern I had with this was SCUBA. As some people may know this is my favorite hobby. How long will I have to be sidelined from SCUBA if I get this procedure done? The recommendation for any watersports is one month, but they suggest an extra 2 weeks (6 weeks total) for something like SCUBA. And considering where I am living, this is not a huge deal.

Flying? Fear not. People have done eye surgery and flown the same day.

Thursday, July 21, 2011

Google lends a hand...

Although a bit sketchy on the details, Google will let people know if their computer may be hosting malware, based on the proxies the computer's search requests have been coming through. From the article:

"Google is putting up a notification at the top of Google web search results to users whose traffic is coming through the proxies. The notice warns users that their computer is infected with software that intercepts their connection with Google and other sites, Damian Menscher, a Google security engineer, said in the post."

Malware likes to set up proxies so the baddies can intercept web traffic. Naturally these proxies have to belong to the baddies, or at least they have to have some control over them. Also, known malware tests whether it is online by going to a well-known site (like Google) via the proxy to make sure the machine has connectivity. That is exactly the traffic Google can see: search requests arriving from proxy addresses it already associates with a particular piece of malware. So Google puts a nice banner at the top of your search results letting you know it thinks badness is afoot. The official Google blog post is here.



It's an interesting concept, your search engine not only giving you search results but also telling you if can possibly be infected. Such a nice idea-- like someone is looking out for you. But is it also kind of creepy? Or-- is it a sigh of relief? More importantly-- why aren't AV companies picking up on it?
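Google's check runs on their side, since they are the ones who can see which proxies the search traffic arrives through. The client-side counterpart is to look at where your own machine has been told to send web traffic, which is what this added example does (it is not part of the original post and not Google's code). The Windows `ProxyServer` string format is the real one ("host:port", or "scheme=host:port" entries separated by semicolons), as are the environment variable names; the sample registry value, the environment dict and the allowlist in `demo()` are constructed for the example, and the helper names are assumptions.

```python
"""Flag proxy settings that nobody in your organisation configured.

Added example, not from the original post or from Google. The parsing follows
the real Windows "ProxyServer" value format; the sample values are constructed.
"""
import sys


def parse_proxy_server(value):
    """Parse the Internet Settings 'ProxyServer' string into {scheme: "host:port"}.

    A bare "host:port" applies to every protocol (returned under "all");
    otherwise the value is "http=host:port;https=host:port;..." .
    """
    proxies = {}
    value = (value or "").strip()
    if not value:
        return proxies
    if "=" not in value:
        proxies["all"] = value
        return proxies
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.partition("=")
        proxies[scheme.strip().lower()] = hostport.strip()
    return proxies


def env_proxies(environ):
    """Collect the proxy variables most command-line tools honour, on any OS."""
    proxies = {}
    for name in ("http_proxy", "https_proxy", "all_proxy"):
        for key in (name, name.upper()):
            if environ.get(key):
                scheme = name.split("_")[0]
                # Drop an optional "http://" prefix and trailing slash so the
                # value compares like the registry form.
                hostport = environ[key].split("://", 1)[-1].rstrip("/")
                proxies[scheme] = hostport
    return proxies


def unexpected_proxies(proxies, allowed_hosts):
    """Return the entries whose host (port ignored) is not on the allowlist."""
    bad = {}
    for scheme, hostport in proxies.items():
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host not in allowed_hosts:
            bad[scheme] = hostport
    return bad


def windows_registry_proxy():
    """Read the live per-user value on Windows; return "" on other platforms."""
    if sys.platform != "win32":
        return ""
    import winreg  # only exists on Windows
    key = winreg.OpenKey(
        winreg.HKEY_CURRENT_USER,
        r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    )
    try:
        enabled, _ = winreg.QueryValueEx(key, "ProxyEnable")
        if not enabled:
            return ""
        value, _ = winreg.QueryValueEx(key, "ProxyServer")
        return value
    except FileNotFoundError:
        return ""
    finally:
        winreg.CloseKey(key)


def demo():
    """Constructed sample (not a real infected machine).

    The corporate proxy is allowed; the https entry pointing at an address in
    the 203.0.113.0/24 documentation range is the kind of thing to investigate.
    """
    allowed = {"proxy.corp.example"}
    registry_value = "http=proxy.corp.example:8080;https=203.0.113.45:3128"
    environ = {"HTTP_PROXY": "http://proxy.corp.example:8080"}
    proxies = dict(env_proxies(environ))
    proxies.update(parse_proxy_server(registry_value))
    return unexpected_proxies(proxies, allowed)


if __name__ == "__main__":
    live = dict(parse_proxy_server(windows_registry_proxy()))
    print("unexpected in sample:", demo())
    print("live registry proxies:", live)
```

An empty result from the live check is not a clean bill of health (malware can also hijack DNS, hook the browser, or change settings in the machine-wide key instead), but a proxy you never configured pointing at a bare IP is the cheapest signal to look for and the one that matches what Google was keying on.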

Monday, July 18, 2011

Everyone is Out to Get You: Including your iPhone and Mom

Remember the X-Files? TRUST NO ONE was Mulder's (*sigh*) favourite saying. Well, thanks to joys in technology you can't really trust anything either.

Skype: Now this one is your classic cross-site scripting oops, the stored kind. According to German security researcher Levent Kayan, a user can put JavaScript into the mobile phone field of their own profile. When your friend (or mom) logs into Skype, YOUR profile is rendered on THEIR computer, and if the client drops that field straight into its HTML view, the JavaScript is executed there.

Maybe? Well, there seem to be some mitigating factors. First, you have to be a contact of the person (duh), and it needs to be someone they talk to a lot (i.e. you show up on their main page). So talking to your significant other could suddenly become more dangerous than talking politics with your mother.

Skype is downplaying this based on the factors I just described above, and are releasing a patch this week (according to the CW article).
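The shape of the bug, as an added example that is not Skype's code: a value one user controls (the "phone number") is rendered into another user's client, and the difference between the vulnerable and the fixed version is whether that value is encoded for the HTML context it lands in. The profile layout, the HTML snippet and the phone-number pattern are assumptions for illustration; the attacker profile is constructed.

```python
"""Stored XSS through a profile field: the unsafe rendering next to the fixed one.

Added example, not from the original post or from Skype. The template and the
profile structure are assumptions; the attacker profile is constructed.
"""
import html
import re

# Constructed attacker profile: the "mobile" field is really a script tag.
ATTACKER_PROFILE = {
    "name": "Mallory",
    "mobile": '<script>document.title="pwned"</script>',
}

TEMPLATE = '<div class="contact"><b>%s</b><br>Mobile: %s</div>'


def render_contact_unsafe(profile):
    """The bug: untrusted values concatenated straight into markup."""
    return TEMPLATE % (profile["name"], profile["mobile"])


def render_contact_safe(profile):
    """The fix: output-encode every untrusted value for the HTML body context.

    quote=True also escapes quotes, so the same helper is safe inside an
    attribute value, which is where the next developer will paste it.
    """
    return TEMPLATE % (
        html.escape(profile["name"], quote=True),
        html.escape(profile["mobile"], quote=True),
    )


# Digits, spaces, parentheses, dashes and a leading plus: a phone number has no
# business containing '<'. Validation on the server is the second layer, not a
# replacement for encoding at render time.
PHONE_RE = re.compile(r"^\+?[0-9 ()\-]{3,20}$")


def validate_phone(value):
    """Return True if the value looks like a phone number the server should store."""
    return bool(PHONE_RE.match(value))


def contains_script(markup):
    """Crude check for the demo: did a <script> tag survive into the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_contact_unsafe(ATTACKER_PROFILE))
    print("safe:  ", render_contact_safe(ATTACKER_PROFILE))
    print("server would accept attacker value:", validate_phone(ATTACKER_PROFILE["mobile"]))
```

The encoding belongs at the point of output, because the same stored value may later be rendered into an attribute, a URL or a JavaScript string, each of which needs a different encoding; input validation on the phone field is worth having as well, but it only works for fields that have a narrow legitimate format.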

iOS: Now I will be honest, this may have been fixed already, but this one uses malicious PDF files on an iPad or iPhone. When a person jailbreaks an iPhone (or an iPad) they are basically hacking their own device, exploiting a bug in it so that code runs which lets the user do more than Apple intended (use any SIM, install homebrew apps, whatever). Now, what is to stop nefarious people from taking that same hole which allowed the jailbreak and using it to exploit someone else's device? Nothing. Just the poor user, thinking grandma sent them a PDF with the recipe for those cookies they love so much, when really it is carrying the exploit and the nasty code (maybe it also includes a recipe for cookies, but not the one you wanted.... drats!).

This was brought up by the 'Bundesamt für Sicherheit in der Informationstechnik' (BSI), which is the German federal IT security agency. Basically, unless you have installed an updated iOS recently you are vulnerable, so watch out for sketchy PDFs. Or, if you ::cough:: have a jailbroken device, the guys who developed the jailbreak (JailbreakMe) have released a patch called PDF Patcher 2, which is available in the Cydia app store.


Windows BotNet: Zombies come in three flavours in my mind. There are the really slow (physically and mentally) ones which would be easiest to fight or flee from (think Shaun of the Dead). Then you got ones from 28 Days Later, which are a bit faster and just a tad more scary. No worries, a few more precautions and we are good. Now...imagine zombies that are smart as the things in I am Legend.

Crap.

People are now talking about a botnet called TDL-4 which seems to be the juggernaut of botnets. Coming back to zombies: cutting the hand (an infected node) off the zombie does nothing, that thing is still moving and infecting others. So, learn a thing from the zombie flicks: you gotta cut off the head (the command and control, or C&C, nodes). TDL uses its own funky encryption, infects the MBR (master boot record) so it loads before the OS and has a longer shelf life, and uses a P2P network in such a way that its C&C is difficult to take down.

Man I like this post... any time I get to mention zombies its a good day.

More detailed analysis can be found here at Sergey Golovanov's (Kaspersky) blog. If you now feel trapped in a sea of zombies and it's just better to give up- fret not. Guys like Richard Boscovich of Microsoft, who have slain other botnets such as Waledac, Coreflood and Rustock, say nothing is indestructible... you just have to think it through a tad (or maybe a lot) harder.

So, based on this post, your best bet is to switch to Linux and get a flip-phone.

Wednesday, July 06, 2011

How its Made: Exploits

So-- I understand the 10,000 foot view of how exploits work. Someone discovers a vulnerability, and then someone attempts to create an exploit which subverts normal security via said vulnerability. This is usually done by making some pointer in the program (a return address on the stack, a function pointer, a jump target) point somewhere it shouldn't, namely at evil code (buffer overflows are the classic way to do it), and then that code gets executed and voilà, instant magic.

But seriously... how does one get from point A to point B? One Joshua Drake painstakingly blogs about researching a specific vulnerability (regarding DNS resolution) and trying to figure out how to exploit it. Now I am going to readily admit this is way over my head; machine language and debugging were never my thing. However, you have to admire these guys who spend countless hours writing and testing and perfecting code (and sometimes with no luck) so others can use it for penetration testing.

This article made me think a few things: first, how I have such a long way to go in the world of computer security; two, how maybe it's a good thing not all vulnerabilities are exploitable (as if baddies and researchers didn't have enough fodder); and three, wow, I have such a long way to go....

So the next time you whip out metasploit and think how bad-ass you are... think about all the work involved in that exploit you are using, and begin to appreciate all the work that goes into such a product. It's a humbling experience.

So here's to you, vulnerability researcher -- I hope I never piss one of you off :)

BTW- you can still participate in Metasploit's Exploit Bounty until July 20th