The new Internet Explorer 7 blocks a lot of (Javascript) scripting for security reasons, which means that clicking on “link” in the Wordpress editor gives the warning message above. You have to select “Temporarily Allow Scripted Windows” to be able to use the WP editor buttons. But if you save the post and the editor window is refreshed, you have to do that whole procedure again. Security is nice, and we know why IE makes a point out of it, but it shouldn’t interfere with convenience too much.

Luckily there is a way to let IE switch the security warning off for URLs that are under your own control (like your blog, for instance):

Add your own URL to the Trusted Sites (Options/Security/Trusted Sites) and you do not get the scripting warning anymore. Happy posting!

No related posts.

THE PROBLEM
Who knows the passwords you use for your email accounts? Who knows the password you use for your FTP account? Who knows the password to your blog admin page? There might be more than you thought!

Imagine user John Doe, with username jdoe who has the ’strong’ password “p@ssw0rd“. Let’s take a look at what conversation happens when his Outlook/Thunderbird email client connects to check for new messages, or when he uploads a new version of his website with Filezilla/Dreamweaver:

This is a typical FTP conversation:

Response:	220 (ID of the FTP server)
Command:	USER jdoe
Response:	331 Password required for jdoe.
Command:	PASS p@ssw0rd
Response:	230 User jdoe logged in.
Command:	...

This is a typical POP3 (email) scenario

Command:	USER jdoe
Response:	+OK Password required for jdoe
Command:	PASS p@ssw0rd
Response:	+OK jdoe's maildrop has 2 messages (320 octets)

(remark: POP3 does have an APOP command that does not transfer the password in clear-text. It is however typically used for 2nd and following POP3 connections, using a piece of information that was given in the first transaction)

Even more scary: when you log in to your blog/CMS software (that does not use a Google, Yahoo, MSN or Passport account), how does your password reach the server, you think? Encrypted? Not!

In all those cases, the password was sent to the server in clear text, i.e. readable and copy-able. Why is that bad? Anyone that is in the possibility to intercept the conversation, will have access to your password. You think that’s improbable? Well, let me introduce you to an elementary tool of any system administrator: the packer sniffer (e.g. Ethereal). This program will tell a network card to switch to ‘promiscuous mode‘ (listening to all network traffic instead of just those he participates in). It then allows the program to record any network conversation that passes on the local subnet (your office LAN, the Wifi network).

• a LAN administrator (that guy with the “I read your email” t-shirt) can sniff anyone’s email (POP3) password and even the actual emails as they are downloaded by mail clients. I’m not saying he does, but he can.
• that municipal Wifi network you connect to in that bar might also include a PC that records all FTP/POP3/HTTP conversations when they happen. You wouldn’t know.
• same thing on conferences, meetings, when you just plug in or connect via Wifi to a network you don’t know.

Are FTP (RFC959 from 1985) and POP3 (RFC1939 from 1988) bad protocols? Not necessarily, it’s just that they were developed in an era where knowledgeable hackers were few, sniffing tools weren’t that prevalent and security wasn’t that big an issue. SMTP (RFC821 from 1982) (for sending email instead of receiving) also started out with clear-text authentication, but since it was mostly used with only IP verification and without user/password, that was less of an issue.

SOME SOLUTIONS

1. PROTOCOL LEVEL: most modern protocols have been created/adapted to provide a more secure way of authentication, typically using salts, hashes and/or challenge-response systems, resulting in exotic names like e.g. CRAM-MD5.
   Protocol changes are tricky, because there is (certainly for SMTP, POP3, HTTP and the likes) a huge installed base of ‘old’ servers and clients that all have to be updated/patched to accept the new commands. Thanks to SMTP’s historical lack of security/authentication features, we now have an enormous spam problem (because anyone can send email on behalf of anyone to anyone else). Numerous proposals have been made to solve this, but if they include changes to the protocol, typically they don’t happen.
2. TRANSPORT LEVEL: there is a generic mechanism based on PKI to start an authenticated and encrypted communication channel between two parties. It is called TLS (successor of SSL). Its best known application is HTTPS (URLs that start with https:// and where the little lock is shown in the browser). But there is also FTPS, POP3S, SMTPS, IMAPS, … Since the protocol itself does not change, the server and client can be unaware of the fact that they run over a secure channel.
   A concrete example: using stunnel to serve as secure proxy of an insecure server; all connections are encrypted between the outside world and the secure proxy, and the proxy just sends everything as-is to the actual server (but this insecure traffic is only visible on the server itself).
3. CONNECTION LEVEL: going still a level deeper, we can encrypt all traffic between two points (as opposed to the previous transport level, where it is always about the encryption of 1 channel, between 1 client and 1 server). VPNs work like that: you connect the client to the VPN server once, and all further traffic between them is encrypted. This is great for remote office connections and the like, but not an option for communicating with random servers.
   This model was also used by Google VPN for Wifi: you connect to any (insecure) Wifi network and the first thing you do is create a connection to the Google VPN gateway. From that moment, all traffic goes encrypted to the gateway and only then to the Internet, so that any rogue clients on the local Wifi network cannot see/understand the traffic that is passing by. Google has however limited access the software to the users of Google Wifi, the network operated by Google in San Francisco.

Next time: introduction into PKI encryption!

Related posts:

1. Removal of Serflog/Sumom worm My little niece had been trying for a while...

• The virus is a worm called W32.Serflog.A, Win32.Bropia.U, Worm.Win32.Sumom.a, W32/Crog.worm or WORM_FATSO.A, depending on what anti-virus company site you visit. I used the information on the Symantec (Norton Antivirus) site to see how it locked itself to the PC.
• The worm does several things:
  • it tries to infect other PCs through Messenger (and eMule, but not too aggressively).
  • It does not prevent users from ‘working’ (surfing, email, …) so I can see some people doing nothing about it while the program keeps trying to multiply.
  • And, most importantly, the worm makes it very hard for even an experienced user to desactivate or remove it.
• The worm starts itself up when Windows starts. Alas, you cannot use Task Manager to see and terminate this process. The invader immediately kills any window starting up that has “Task” in its title. You cannot visit the site of a vendor of antivirus software, because they have all been made inaccessible. You cannot delete its entries from the Registry because it kills the Regedit or Regedt32 applications from the moment they start. You cannot start a DOS Prompt, because … you get the picture.
• So what you do is the following: create command prompt with a different name. Go to the C:\WINNT\system32 (Win2K) or C:\Windows\System32 (WinXP) folder and copy the cmd.exe file to e.g. whatever.exe. Now doubleclick the last file, and you should get a command prompt (DOS box). The worm will not detect this.
• The worm works through 3 hidden .exe files: %System%\formatsys.exe - %System%\serbw.exe - %Windir%\msmbw.exe. We will deactivate them by making them accessible (non-hidden) and renaming them:
  attrib -h serbw.exe
ren serbw.exe die_sucker.dead (and the same for the other 2)
  I first tried to delete the files, but that did not work. Renaming did work, though.
• Restart your computer. The worm will try to start up by one of the three .exe files, since they are now gone, it will not run. Now start up regedit and delete the hooks the worm had placed in the Registry (see Symantec page for details).
• Go to the hosts file (most likely in %SYSTEM%\drivers\etc\hosts) and delete the lines that made the antivirus vendors unavailable. (See Symantec page for details)
• Switch off the computer, hit yourself on the head and go and buy an antivirus program. What were you thinking? The virus would have been detected and cleaned by: F-Secure – Norton – Sophos – McAfee – TrendMicro – …
  If you have been infected by it, you know you are too gullible to surf the Internet without protection.

These instructions should work on any Windows installation. You might use Symantec’s removal tool, but I had no Internet connection when I was struggling with the intruder. Took me about thirty minutes to figure out a way to circumvent the vicious sucker.

Is this a really nasty piece of software? Yes. Do I admire the person who wrote it? Not at all. It’s not clever engineering, just malevolent.

Technorati: virus

No related posts.