security

Privacy in a widgeted world

Posted by Michael Hendrickx on November 29, 2011
internet, security / No Comments

The Internet, as we use it today, has very little privacy left. We all say that Facebook and Google know “too much”, only to realise that they don’t know anything aside from what we feed them. Or do they?

Welcome the “widget”: a piece of HTML (with CSS, JavaScript, ...) to be included in another page, often to socially spread content (Facebook Like, Google +1, LinkedIn share, etc.) or to add other value (analytics, sharing, etc.). It will tell many “providers” what content you are accessing.

It is difficult now to find a popular page without any widgets. Pages pack “like” buttons, “share this” widgets or tweet options to give you an instant way of sharing their content in your social network – banking on good ol’ word-of-mouth marketing. If your friends like something, you might be interested too, even if only because of peer pressure.

The problem is that when something (such as the widget) is requested, browser data (such as your session’s information and the referer) also flows to the widget provider’s webserver. This provider will know what page you’re on and usually who you are (assuming you stay logged in to Google, Twitter, Facebook, etc.).

You may be thinking “but if I like a page, Facebook will know it anyway”. This is true; the problem lies in the fact that providers know you’re accessing a page regardless of whether you perform any action (liking, sharing, etc.). If you read X number of pages on a new model smartphone, chances are high that you want to buy another one – and targeted ads become more… targeted.

From that advertising point of view, it creates mixed feelings. It’s like somebody looking over your shoulder while you’re reading a magazine and changing the ads according to which article you stared at longest.

From a website owner’s point of view, this does create added value. If you can convince websites to publish your widget code, you can track people’s interests even before they ever come to your website. This (unidentifiable) user eventually ends up on your web app, identifies himself or herself, and you have great information. I’m just not sure how ethical this is, and even though Facebook’s outdated law enforcement guidelines don’t include “webpages visited” in particular, they would have access to it.

Is this such a bad thing? Perhaps. “Widget providers” offer added value to website owners, who in turn decide what goes into their webpages. Vague idea, but maybe a browser extension could prevent the loading of these widgets, replacing them with a pseudo equivalent (fake buttons, etc) and only dynamically load the target script upon a click?
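
The click-to-load idea above, sketched as an added example (not code from the original post): third-party script and iframe embeds are swapped for inert placeholders, so no request, cookie or referer reaches the provider until the user clicks. The function names, the widget-placeholder class and the .example hosts are assumptions; a real extension would operate on the DOM rather than on an HTML string.

```javascript
// Added example, not from the original post. Names are hypothetical.
// Constructed sample page, as if served by https://blog.example/review
const SAMPLE_PAGE = `
<h1>New smartphone review</h1>
<script src="/js/site.js"></script>
<script async src="https://widgets.social.example/like.js"></script>
<iframe src="//share.example.net/button?u=review" width="90"></iframe>
`;

// <script>/<iframe> with a src: fetched automatically, with cookies and Referer.
const EMBED = /<(script|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>\s*<\/\1>/gi;

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Replace third-party embeds with an inert button that keeps the URL in
// data-src only, so nothing is requested until the user asks for it.
function neutralizeWidgets(html, pageUrl) {
  const pageHost = new URL(pageUrl).host;
  const blocked = new Set();
  const out = html.replace(EMBED, (tag, kind, src) => {
    let target;
    try {
      target = new URL(src, pageUrl); // resolves relative and //host URLs
    } catch {
      return tag; // unparseable src: leave untouched
    }
    if (!/^https?:$/.test(target.protocol) || target.host === pageHost) return tag;
    blocked.add(target.host);
    return `<button class="widget-placeholder" data-kind="${kind.toLowerCase()}"` +
      ` data-src="${escapeAttr(target.href)}">Load ${escapeAttr(target.host)} widget</button>`;
  });
  return { html: out, blockedHosts: [...blocked].sort() };
}

// Click handler body for the browser: only now is the real element created,
// which is the first moment the provider sees a request from this page.
function activate(placeholder, doc) {
  const el = doc.createElement(placeholder.dataset.kind);
  el.src = placeholder.dataset.src;
  placeholder.replaceWith(el);
  return el;
}
```

Images and tracking pixels leak the same data and would need the same treatment; this sketch covers script and iframe embeds only.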

Food for thought. Now, look at the buttons below, they know you’ve been here already.

JQlog: JQuery Keylogger, or why not to trust your proxy admin.

Posted by Michael Hendrickx on June 06, 2011
Javascript, security, web / 3 Comments
Note that this post is for awareness and educational purposes only. I do not encourage, and cannot be held responsible for malicious actions using these tools.

The Internet, as it is today, is a mash-up of JavaScript-enabled services, often included from external websites. Internet companies offer so-called widgets, which are JavaScript tools that can be used in your own page. Popular examples of this are site analytics (Omniture, Google Analytics, etc.) or share-abilities (AddThis, AddToAny, …). By overwriting JavaScript libraries on a page, we can do other things, such as recording keystrokes.

“Overwriting” JavaScript libraries, or rather “inserting JavaScript”, can be done in several ways. Cross-site scripting is one of them, but for the sake of this blog post, I will act as a malicious proxy administrator, overwrite the Google Analytics DNS entry (www.google-analytics.com) and “fake” the ga.js JavaScript file.

For this, you’d need only 2 files:

This JavaScript file, found here, holds 3 parts: jQuery, a base64 encoder and the keylogger code itself: Continue reading…


Widgets or IFrame hacks, how would we know?

Posted by Michael Hendrickx on January 13, 2011
security / 2 Comments

A particular aspect of IT security is the injection of malware into websites, often leading to so-called “drive-by downloads”. This malware is often installed through a browser vulnerability that is triggered by, say, JavaScript. The latter is usually “inserted” into a legitimate website using a hidden <IFRAME> tag or similar.

How can this be stopped? Modern websites include, because of widgets, several external JavaScript files in their own pages. When going to the popular gadget website engadget.com, a total of 17 hosts are contacted… Continue reading…

Logging into SSH with a different username

Posted by Michael Hendrickx on March 26, 2009
misc, security, sysadmin, web / 3 Comments

I love SSH. SSH is the de facto service for remote server management, especially in a CLI environment.

Being an avid Linux user, and spending quite a bit of time on OSX lately, I often SSH into several servers remotely. Being subject to “username conventions”, you don’t always share the same username across machines. And I always wondered how one could just type ssh hostname instead of providing the username.

Seems that creating a .ssh/config file with the following contents:


Host server.example.com server
  User username

will make life easier, as in the future you only need to type “ssh hostname”. I didn’t know this.

MS08-067 released out of the patch cycle, new blaster coming up?

Posted by Michael Hendrickx on October 25, 2008
security / No Comments

A newly discovered vulnerability made Microsoft release a security patch outside its usual cycle, the notorious Patch Tuesday. This “Patch Tuesday” normally falls on the second Tuesday of each month.

MS08-067 fixes a bug in the RPC handling of the Windows Server service.

The bug was deemed “critical” on pre-Vista machines, which are still the majority of Windows clients.


Minimalistic browser, Google’s Chrome

Posted by Michael Hendrickx on September 04, 2008
internet, security / No Comments

Google came out with a new browser, called Chrome. A company that pushes so much into the browser has made its own, with a minimalistic design (as usual for Google) and multiple features, such as incognito windows (which won’t leave traces in your site history), the built-in JavaScript console and the V8 JavaScript engine.

See it as a Firefox with your necessary plugins, in a new jacket.

Very interesting product. And it seems that places.ae renders correctly in it, which is probably due to the borrowed Firefox code.

I am afraid that IE(8)’s days are numbered.

Thank you,
Michael


Dubai jails Yahoo email account hacker

Posted by Michael Hendrickx on September 03, 2008
security, uae / No Comments

An Egyptian secretary guessed the password of a Yahoo account of an Emirati UN employee, and was sentenced to three months in jail and deportation.

The “hacker” emailed the victim that he broke into her email account, and was going to release pictures and “other secrets” of her, according to GulfNews.

Not the cybercrime caliber of Russian extremist webmasters being “accidentally” executed, but still.
