In my last blog post, I introduced you to the nature of privacy issues in Web Development and touched on the subject of WHOIS data and anonymous domain registration. I will be following a similar theme in this post, but from a whole different angle: Images.
Digital images have caused almost as many problems as they have solved, not the least of which are privacy and security related. Images get distributed so frequently and rapidly that they have become a dangerously fast way to spread both good and bad information for an infinite number of purposes. Like most vectors for attack, images can present security risks in a number of ways and occur in anything from photos that were meant to remain private to stolen blueprints.
Today, I am going to be exploring another potentially dangerous feature that's included in modern digital images known as EXIF. Almost every electronic device that handles images today uses EXIF to store miscellaneous information about them including chronological data such as date and time, the camera used and it's settings, thumbnails, descriptions, copyrights, and finally, geolocation data. This is the big one because when combined with chronological information geolocation data can directly pinpoint an individuals location.
This may seem unrelated to web development, but it's closer to the subject then it appears on the surface. When you upload images to a website such as Facebook it puts them through a specific "cleaning" process. This includes cropping, resizing and removing or removing data such as Geolocation tags, for your privacy. An increasing number of image hosting sites are doing the same kind of thing. But what about your website, if you host images directly on your website, are you cleaning them first? Do you allow users to upload images publicly without prior approval? These are questions web developers must ask themselves if privacy and security are attributes they want for their website.
As with the WHOIS data in the last post, there is numerous vectors for attack that arise from EXIF geotagging being used without the knowledge of the end-user, the most obvious scenario being that an attacker could locate the publisher via geotags. But how can this form of tracking be prevented?
The safest way is to stop the problem at it's root, your phone. If you have geotags attached to your images, they almost definitely came from a smartphone. Most smartphone's have this ability set to default so you can very easily be tagging your images and remain completely oblivious. All good smartphone's should also have an option to disable geotagging, however, it may be referred to slightly more cryptically. One example of a euphemised name for geotagging is "Location Services" on the iPhone.
If you would rather deal with Exif data on your computer, there's a number of options you could take. If you use Photoshop a lot for images, there's a free script available called ExifStrip for Photoshop, written by John Price, which removes EXIF data from images and is compatible with both Mac and Windows. Another free alternative is Exif Eraser, a small tool that batch-removes the EXIF data from all the images in a particular directory, unfortunately it's only compatible with windows. As for Linux, there's a good tutorial about removing EXIF data in Ubuntu here.
If you choose to make use of geotags, your best bet would be to ensure that the images are only released in a controlled environment and distributed to trusted friends, family or colleagues. You never know when a geotagged image might come back to bite you, so use this feature wisely, if at all.
Saturday, 21 April 2012
Wednesday, 18 April 2012
Privacy Precautions in Web Development - Part 1
Privacy has been a hot topic of late among the IT Industry and the general public. With privacy breaches in the corporate world gaining media attention, along with the recurring news stories revolving around privacy (or lack thereof) in social networks such as Facebook and Twitter, privacy issues have shaken up quite a stir across both professional and unprofessional circles. But what does all this have to do with Web Development? Most business data breaches of late come from either internal corrupt employees or hackers gaining unauthorized access to information through security holes, but there is another side to privacy that most seem to miss.
As strange as it sounds, there can be "legal privacy breaches" that can occur for a number of reasons. In the age of social networking, many of us inadvertently put enough information on the internet in scattered across various places to have our identity taken. While it may be illegal to actually make use of this information for malicious purposes, nothing is stopping people from gathering it and compiling it against your will. This is often overlooked when the inexperienced register a domain or setup a website for them or their business.
As a hypothetical example of my point, I will give you a scenario which I see very frequently. Let's say we have an individual and for our purposes, I'm going to call him "John Smith". John Smith runs his own small business from home and decides to make a website. He registers his own domain and fills in all the required information without a thought of privacy because, being a layperson, he doesn't know what it's used for. Further down the track, he has a competitor who decides that he wants access to Johns private email address and hires someone to take care of this, but he only has the web address for Johns site.
So, what does our attacker do? A WHOIS lookup of course, which reveals Johns full name, address, email, phone number, etc. This is more than enough information to work with for an experienced attacker, it provides multiple attack vectors from social engineering, to further researching and even the possibility of a physical break-in on Johns house. Going down the 2nd avenue mentioned, our hypothetical attacker could then very easily locate most social networking accounts which, chances are, would contain a personal email address or further information leading to one, as well as miscellaneous data like names of pets, a date/place of birth, education and even close friends or family. This alone could allow any attacker to answer most security questions on an email account and gain access.
This is only one very simple example of how regular people can allow security breaches accidentally, sadly there are infinite possibilities when it comes to this kind of attack so I can't list every avenue or vector. How abstract an attack is comes down to the creativity and perseverance of an attacker. There is no simple solution to online privacy problems, but the possibility of an attack like this can be decreased substantially with understanding and a layered approach to privacy.
For this post, I will only be looking at the domain, but I will follow it up in posts to come. WHOIS data is very easy to retrieve and is indexed by an extremely large number of websites and databases. One of the safest ways to register a domain is "By-Proxy". A proxy is basically a go-between which hides your information from the outside world, the term is also used in other areas of computing and even other industries altogether. In the case of Go Daddy's service, the WHOIS information is replaced with something such as:
Registrant:
Domains By Proxy, LLC
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: --Removed--
Domain servers in listed order:
NS67.DOMAINCONTROL.COM
NS68.DOMAINCONTROL.COM
Both these options provide extra privacy and security for your websites WHOIS information. They are reasonably priced and WhoisGuard has free trials on some large registrars.
I hope that this post has helped enlighten you to a possible security risk that you could be preventing, and as I said earlier, I will be following up this post with further privacy advice at a later date.
As strange as it sounds, there can be "legal privacy breaches" that can occur for a number of reasons. In the age of social networking, many of us inadvertently put enough information on the internet in scattered across various places to have our identity taken. While it may be illegal to actually make use of this information for malicious purposes, nothing is stopping people from gathering it and compiling it against your will. This is often overlooked when the inexperienced register a domain or setup a website for them or their business.
As a hypothetical example of my point, I will give you a scenario which I see very frequently. Let's say we have an individual and for our purposes, I'm going to call him "John Smith". John Smith runs his own small business from home and decides to make a website. He registers his own domain and fills in all the required information without a thought of privacy because, being a layperson, he doesn't know what it's used for. Further down the track, he has a competitor who decides that he wants access to Johns private email address and hires someone to take care of this, but he only has the web address for Johns site.
So, what does our attacker do? A WHOIS lookup of course, which reveals Johns full name, address, email, phone number, etc. This is more than enough information to work with for an experienced attacker, it provides multiple attack vectors from social engineering, to further researching and even the possibility of a physical break-in on Johns house. Going down the 2nd avenue mentioned, our hypothetical attacker could then very easily locate most social networking accounts which, chances are, would contain a personal email address or further information leading to one, as well as miscellaneous data like names of pets, a date/place of birth, education and even close friends or family. This alone could allow any attacker to answer most security questions on an email account and gain access.
This is only one very simple example of how regular people can allow security breaches accidentally, sadly there are infinite possibilities when it comes to this kind of attack so I can't list every avenue or vector. How abstract an attack is comes down to the creativity and perseverance of an attacker. There is no simple solution to online privacy problems, but the possibility of an attack like this can be decreased substantially with understanding and a layered approach to privacy.
For this post, I will only be looking at the domain, but I will follow it up in posts to come. WHOIS data is very easy to retrieve and is indexed by an extremely large number of websites and databases. One of the safest ways to register a domain is "By-Proxy". A proxy is basically a go-between which hides your information from the outside world, the term is also used in other areas of computing and even other industries altogether. In the case of Go Daddy's service, the WHOIS information is replaced with something such as:
Registrant:
Domains By Proxy, LLC
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: --Removed--
Domain servers in listed order:
NS67.DOMAINCONTROL.COM
NS68.DOMAINCONTROL.COM
Obviously, your personal information could still be requested through a legal subpoena or similar, but it should stop most outside attackers, not accounting for social engineering attacks on your registrar.
Another similar alternative which is also very effective is WhoisGuard. It does a similar thing, instead replacing all the contact fields with their own information and an anonymous email address that can be redirected to the owners email. A WhoisGuard record typically looks similar to this:
Registrant Contact:
WhoisGuard
WhoisGuard Protected ()
Fax:
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Administrative Contact:
WhoisGuard
WhoisGuard Protected (@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Technical Contact:
WhoisGuard
WhoisGuard Protected (@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
I hope that this post has helped enlighten you to a possible security risk that you could be preventing, and as I said earlier, I will be following up this post with further privacy advice at a later date.
Security Seal - Beta
Welcome
Hey everyone!
Leon here on behalf of all of EPZ Security, I want to welcome you to our brand new blog: In-Security. We'll be keeping you up-to-date on the latest in security news, alerting you to new threats and giving out advice on how to better protect yourself in today's technological age.
We look forward to helping make the web a safer place for everyone through this exciting new medium.
Leon here on behalf of all of EPZ Security, I want to welcome you to our brand new blog: In-Security. We'll be keeping you up-to-date on the latest in security news, alerting you to new threats and giving out advice on how to better protect yourself in today's technological age.
We look forward to helping make the web a safer place for everyone through this exciting new medium.