Ghostpad Information!

March 13th, 2009

Introduction

Spyshakers.com Ghostpad is now available!  All relevant Ghostpad information will appear in this post.

The Spyshakers.com team has been researching spyware for well over 7 years.  Ghostpad is a product of that research.  Ghostpad is a JavaScript graphical keyboard that diffuses spyware on a password box (or a text box if you choose).  Any website that supports JavaScript can implement it.  A demonstration can be seen on our Ghostpad Youtube Video.  You can also play with Ghostpad on our Ghostpad Demo Page.

Why implement Ghostpad?  Because some of your customers have a lot to lose.  Some of your customers are the targets of identity theft wherever they go.  Your website is always available.  Anti-spyware is not always available.  Your website can BE the anti-spyware.

The Ghostpad Script

Ghostpad is composed of one license file (license.txt), one JavaScript file (keyboard.js) and one CSS file (keyboard.css).  Download these and save them in a directory of your choice on your web server.

Set up (Step 1)

The first step to use Ghostpad is to include the keyboard.js file and the keyboard.css file in your web page code. Your path to these files may be different depending on where you saved keyboard.js and keyboard.css on your web server.

<script type="text/javascript" src="keyboard.js" charset="UTF-8"></script>
<link rel="stylesheet" type="text/css" href="keyboard.css">

The Password Box (Step 2)

If your password box does not have a class associated with it yet, this is going to be really easy.  Simply add the attribute class="keyboardInput" to your password box.

<input id="pw_box" type="password" class="keyboardInput">

You're done.  Save and view the web page.  Ghostpad should function properly.

Does your password box already have a class associated with it in code?  Not a problem.  Examine the id of your password box (or assign the password box an id if it does not have one).  Now simply add CSS to the new keyboard.css file to style the password box correctly.  For example, our password box has an id of pw_box.  We could just add this CSS to the end of the keyboard.css file to style the password box properly.

#pw_box{whatever css you want; you can probably just paste the css from your old class;}

That should do it!  Save and refresh your web page.  Ghostpad should now be working properly.  Ghostpad is free to test.   There is a fee for verification.  Verification allows us to keep track of who is implementing Ghostpad.  There is a verify link on each instance of Ghostpad.  Think of this as your Ghostpad “certificate of authenticity”.  It also works as a nice anti-phishing feature as well.  The cost for verification is only $199 per year.  Check and money order are accepted at this time (U.S. dollars).  Digital payment options will be coming soon.  When you are ready to verify simply email us at staff@spyshakers.com with the subject “Ready to Verify Ghostpad”.  We will then email you a short form to fill out and email back.
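To show the mechanism behind the two setup steps above, here is an added example of a minimal Ghostpad-style on-screen keyboard. It is not Spyshakers' keyboard.js; the key layout, the "ghostpad-keys" class name and the functions createKeypad and attachKeypad are assumptions of this example. The password value is assembled from pointer interactions with on-screen buttons, so no physical keystrokes are generated for a keystroke logger to record. It does nothing against screen capture or a script that reads the field's value, which is why the keyboard is one layer and not a complete answer.

```javascript
// Added example (not Spyshakers' keyboard.js): a minimal on-screen keyboard
// in the Ghostpad style. The password is assembled from pointer interactions
// with on-screen keys, so no physical keystrokes reach a keystroke logger.
// It does nothing against screen capture or a script that reads the field.

const ROWS = ['1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const CONTROL_KEYS = ['Shift', 'Backspace', 'Clear'];

// Keypad state model, independent of the DOM so it can be unit tested.
// `onChange` is called with the new value after every edit.
function createKeypad(onChange) {
  let buffer = '';
  let shift = false;
  const emit = () => {
    if (onChange) onChange(buffer);
    return buffer;
  };
  return {
    press(key) {
      if (key === 'Shift') { shift = !shift; return buffer; }
      if (key === 'Backspace') { buffer = buffer.slice(0, -1); return emit(); }
      if (key === 'Clear') { buffer = ''; return emit(); }
      buffer += shift ? key.toUpperCase() : key;
      shift = false; // one-shot, like tapping Shift before a single letter
      return emit();
    },
    value() { return buffer; },
    layout() { return ROWS.map((r) => r.split('')).concat([CONTROL_KEYS]); },
  };
}

// Browser wiring. `input` is the <input class="keyboardInput"> from the setup
// steps; `doc` is passed in so the function can be exercised with a stub.
// The class name "ghostpad-keys" is an assumption for styling purposes.
function attachKeypad(input, doc) {
  const pad = createKeypad((v) => { input.value = v; });
  const container = doc.createElement('div');
  container.className = 'ghostpad-keys';
  for (const row of pad.layout()) {
    const rowEl = doc.createElement('div');
    for (const key of row) {
      const btn = doc.createElement('button');
      btn.type = 'button';
      btn.textContent = key;
      // pointerdown instead of a keyboard event; preventDefault keeps focus
      // on the password box rather than moving it to the button.
      btn.addEventListener('pointerdown', (e) => { e.preventDefault(); pad.press(key); });
      rowEl.appendChild(btn);
    }
    container.appendChild(rowEl);
  }
  input.insertAdjacentElement('afterend', container);
  return pad;
}

// In a page, wire every Ghostpad-style field; skipped when run under Node.
if (typeof document !== 'undefined') {
  document.querySelectorAll('input.keyboardInput').forEach((el) => attachKeypad(el, document));
}
```

Include the script after the password box (or run it on DOMContentLoaded) so the input exists when the wiring runs; the state model is kept separate from the DOM code so the editing rules can be tested without a browser.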

You are free to edit the colors to the Ghostpad icon or the background of the Ghostpad keyboard for use on your website.  Here are the images:


See the Ghostpad review on Security Tube here.

Your website can be spyware proof in one day.  Email us with any questions or concerns at staff@spyshakers.com subject “Ghostpad Question”.  Thank you for your interest in Spyshakers Ghostpad!


SFTP (Secure FTP) Tutorial

March 6th, 2009

 As I mentioned in my previous post (Securing Your Web Hosting Account) the File Transfer Protocol (FTP) is not secure by itself.  FTP usernames and passwords are transmitted in clear text.  That means that your FTP username and password can be monitored and stolen over the internet.  There are some exceptions.  If you are underneath a virtual private network (VPN) then your credentials are encrypted by the VPN.  Regardless, it is a good idea to use Secure FTP (SFTP) to upload and download your files when possible.  In this post I’m going to show you how to set up WinSCP securely.

It must be noted that not all web hosts offer secure FTP capabilities.  Your web hosting account must enable SSH access.  Three web hosts that provide SSH access are Midphase, Host Monster and Host Gator.

WinSCP

WinSCP is an outstanding SFTP client (for Windows) that can be downloaded for free at http://www.winscp.com/.  Download WinSCP and then launch the application.  You will see a button labeled “New” when you launch WinSCP.  Click on that button to set up a new secure FTP connection.  Here is a screenshot of the new connection screen:

WinSCP Connection Screen

A typical host name is something like ftp.yourwebsite.com. If your IP is dedicated to your domain name then you can simply enter the IP address as the host name.  The most important selections in this screenshot are the port and the protocol.   The port should be set to 22 and the protocol should be set to SFTP.  Save the connection.  Select the connection and attempt to log in.  WinSCP will ask you to generate a key the first time you log in.  If you are successful you will authenticate and see the files on your web server appear.  You can now drag and drop files from your computer to the web server (and vice versa) securely!

Notepad++

WinSCP will help you upload and download your files securely.  But what about editing those files?  There is a free editor for Windows that can make writing your scripts much easier.  You can download it at http://notepad-plus.sourceforge.net/uk/about.php.  Notepad++ has a plethora of options that normal Notepad does not support, such as syntax highlighting, auto completion, and more.

WinSCP and Notepad++ 

You can use Notepad++ in collaboration with WinSCP.  This way when you edit files in Notepad++ they will save out to your web server securely via the WinSCP application.  I will show you how to set this up.

Launch WinSCP.  On the left you will see a link to “Preferences”.  Click on it.  In the middle of the screen you will see a button labeled “Preferences”.  Click on it.  On the left you will see a link to “Editors”.  Click on it.  Find the button that says “Add”.  Click on it.  Choose the “External Editor” radio button and then browse for the Notepad++ executable file.  Save and exit.

Now whenever you launch WinSCP you can right-click on files on your web server and choose “Edit”.  The file will launch in Notepad++ automatically.  When you save your changes, WinSCP will update the file on your web server securely.  Try it!


Securing Your Web Hosting Account

February 24th, 2009

When we first get acquainted with web hosting we have plenty of questions.  Many years ago I remember being on the phone asking web hosting tech support how do I edit the files for my website.  I certainly didn’t have the slightest idea how to edit the files securely.  So I thought maybe I would cover this topic in more detail.  It can be confusing and some web hosts aren’t quick to shed light on the subject.

Whenever you sign up for a hosting package your web host will likely provide you with a control panel environment to modify files and settings.  I recommend looking for web hosting that supports cPanel instead of their own custom control panel.  Why?  A lot of web hosting providers support cPanel, so if you are not satisfied with your web hosting you can migrate everything over to another web host easily.

Let's explore the security of the control panel first.   Once you have a web hosting account running cPanel you can access the control panel in the web browser with something like this:  “http://www.orangewidgets.com:2082/”.  That will bring up the control panel login screen.  Unfortunately this is not the secure version.  Instead let's try “https://www.orangewidgets.com:2083/”.  That is the secure version (notice the https).  Much better.  Most web hosts don't really explain this too well.  If you're not using the secure version someone else can steal your username and password and hijack your account.  Maybe they should tell you that!

Let's move on to actually editing the files on your website.  You can edit your files in the control panel environment.  It can be done securely (as long as you see the https on the edit page in your browser it's secure).  Unfortunately this gets old in a hurry.  All of your code is in black and white.  It's hard to read.  Sometimes you will submit a change but the website will freeze.  It's just not an ideal solution.  There is a better way.  It's called FTP (File Transfer Protocol).

We aren't out of the woods yet with just FTP.  FTP is not secure by itself!  Once again that means someone can monitor your website and hijack your username and password.  How to escape this nightmare?  We need to take it one step further.  We need Secure FTP (SFTP).  Secure FTP will encrypt your username and password and all files transmitted.  Perfect.  So how do we set this up?  Well, you're going to need a web hosting account that allows secure shell access (SSH access).  It is not provided in many basic web hosting packages.  Fortunately Midphase provides SSH access in their unlimited web hosting package.  You may want to consider Host Monster or Host Gator as well.  They use cPanel and they feature SSH access at low cost (but I have not used either of these two web hosts just yet).  In our SFTP Tutorial I'll explain how to download a free SFTP client and set it up properly with your web hosting account.  Then we will set up a free text editor that will work with the secure FTP client to make your life easy breezy.


Biometric Spyware

February 11th, 2009

I know what you're thinking. You're thinking “you know, soon we won't need passwords. We will just scan a fingerprint or something.”  I am here to tell you that this is most likely naive.  I don't want to rain on anyone's parade but there are some big problems combining biometrics and the internet. Big problems. I'm not talking about the current finger scanner solution found on your state-of-the-art laptop. That is a locally stored biometric secret used to manage your identity on your laptop. That is not so bad.  I am talking about large, centralized databases of biometric secrets.  I am talking about a system where I can use your finger scanner to access my files over the internet.

If a biometric identifier is a value computed strictly from physical trait(s) then THAT VALUE IS STATIC. Fingerprint, palm, footprint, retina, DNA. It doesn't matter. Any one of them. Any two of them. All of them combined. They all add up to one large string of characters that never changes. All you need to know is this. If your biometric value is obtained by some stranger AND that stranger can feed your value into the authorization channel then guess what… Your identity is compromised for the life of the system. It is not my intention to slight biometric efforts. But think about what the current solution would be. The internet is currently susceptible to spyware. Slap a biometric device on the front. The internet is still susceptible to spyware. Only now it's worse. The internet becomes susceptible to biometric spyware.

I know there is research being done on something called irrevocable biometrics. This is the study of biometric secrets that can change value. IBM is currently conducting research on irrevocable biometrics. The IBM paper is a complicated read. Good luck to those gentlemen. I am unable to follow the math. But I do follow the logic in their charts. I still see vulnerability with spyware immediately after the biometric feature has been scanned.

Which brings us back full circle to the password. Biometrics are derivations of the body. Passwords are derivations of the mind.  One of them can be changed easily. I suggest using both to best emulate identity.


The Shaker List and Batman Begins

April 6th, 2008

I was watching the movie Batman Begins the other day. I bought it a while back and I have seen it several times. In my opinion, none of the sequels can beat the Tim Burton version (but the new one is a valiant effort nonetheless). In a particular scene in Batman Begins, Bruce Wayne strikes two or three keys on the piano. The door to the secret lair opens up. This is the first time I made the correlation, but I was like “man, that really reminds me of the Shaker List”. If it is good enough for Batman, it’s good enough for me hahaa.


Preventing a Hijack

April 4th, 2008

I found this story over at Digg today about preventing spyware and hijacks on your computer. The story is written by Christopher Null of Yahoo! It has some helpful tips.


A Captcha Code For Spyware

April 2nd, 2008

Captcha Example

Can you build a website that diffuses spyware by itself? Yes! I will explain how we did this with a little JavaScript, a little HTML, and a lot of logic. We call our solution a Shaker List™. Think of it as a special captcha code.

Captcha codes are web filters. They filter out spam. A Shaker List is a web filter too. It filters out spyware, pharming, and phishing. How does it work? Your favorite websites are displayed on screen after you have authenticated partially. At that time, you select a handful of your reserved favorites.  Choosing the correct items grants full access.  With careful logic, this process can diffuse spyware (if you need a briefing on how spyware attacks a web page, see our Internet Security Monster post).

Why build a website that can diffuse spyware?

  • To strengthen an online identity.
  • To assist anti-spyware.
  • To prove that it can be done.

Any or all of these reasons will do. Consider the following.

1.) Phishing relies on a common authentication experience. If you stagger the authentication to show a personalized item in between credentials, your website becomes phishing resistant.

On the topic of phishing, identity expert Ben Laurie says “any mechanism that can be imitated by a web page is dead in the water”. The keyword is imitation. Does our Shaker List eliminate the ability to imitate? Conveniently, everyone's list of favorite websites is custom. That makes a Shaker List hard to imitate, aka phishing resistant. Correct me if I am wrong, but doesn't that make it pharming resistant as well? Any pharming site will not know the correct list of favorites to display to the end user.

2.) If you build in authentication that does not require typing then you avoid all keyloggers.

A Shaker List is filled out by hovering over the checkboxes that appear right beside your favorite websites. No typing.

3.) If your authentication is not somewhat innate, it will be unintentionally forgotten.

Anytime you are talking about favorite things, you are talking about an innate topic. Favorite websites are part of your personality. That makes a list of favorite websites a good identifier.

4.) If your authentication is too simple, it can be guessed.

A Shaker List has scalable complexity. Build a large list of favorites if you don’t want the challenge to be simple. Choose several favorites in your Shaker List to make the challenge even harder.

A Long List of Favorites + A Handful of Shaker List Favorites = Not Easy To Guess

5.) If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

A Shaker List challenge displays all favorites in a list straight down the screen. My Shaker List runs five screens deep if scrolling from top to bottom in the browser. That's hard to capture in one screen shot ;-)

6.) If your authentication does not require clicking, then it is hard to take a screen shot on a click.

A Shaker List is filled out by hovering over the checkboxes that appear in front of your favorite websites. No clicking.

7.) If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

If a Shaker List is being guessed at, it locks down and requires additional information. The additional information required is called a Secret Agent. If you are ever being attacked, you will need your Shaker List and your Secret Agent to bail you out!

8.) If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

The Secret Agent is extremely innate. It's not a maiden name, middle name, or zip code. Those things can be researched.

9.) If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

My Secret Agent is rather comical. I want it that way. That makes it easy to remember. It is not a diluted request like memorizing yet another password. How many other identity systems ask you to remember a Secret Agent? Not many. Good.

You can practice the Shaker List if you want to. We have a page for that here. Just a note. The Shaker List practice page does not lock down if you guess too many times incorrectly. Our implementation at Spyshakers.com does lock down though.


A Gorilla Riding A Bull In A China Shop

March 28th, 2008

Last post I described several hazards to an internet identity on the user end. Spyware was talked about a lot. It is the 800 pound gorilla in the room that no one ever wants to talk about. I explained why anti-spyware isn't always good enough to save you. That amplifies the problem. It's just not popular enough yet to fear. But spyware products are innovating. They are scary: stealthy and sophisticated. With every revision, they get simpler to use. You can't ignore that. That's a gorilla riding a bull in a china shop.

You could approach the solution in several ways. You could cross your fingers and rely on anti-spyware. You could rely on an identity management system that authenticates directly between the local operating system and the websites themselves (I think this is what Cardspace does, but I am not sure of all of its spyware resistant features). Maybe other identity systems try to resist spyware as well. In our case, we are going to try to build a web-based, spyware resistant solution.

Now, if this spyware resistance I speak of cannot be done with a simple user experience in mind, then I say take the losses and scrap it. But follow me. What would it take? What would it take to build a website that is spyware resistant? Can we get phishing resistant too? I know we can. Consider the following bullets (with some of the points taken from my previous post The Internet Security Monster). I will describe how we implemented these bullets in an upcoming post.

  • Phishing relies on a common authentication experience. If you stagger the authentication to show personalization before all credentials are supplied, your website becomes phishing resistant.
  • If you build in authentication that does not require typing then you avoid all keyloggers.
  • If your authentication is not somewhat innate, it will be unintentionally forgotten.
  • If your authentication is too simple, it can be guessed.
  • If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.
  • If your authentication does not require clicking, then it is hard to take a screen shot on a click.
  • If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.
  • If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.
  • If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

The Internet Security Monster

March 26th, 2008

I have been talking a lot about philosophy and identity. I wanted to mix it up with this post. Let’s talk security. Let’s talk about internet security. Ohhh man. Here we go. I am going to call this post The Internet Security Monster. What is the Internet Security Monster? He is a mysterious creature.

I’ve heard that the Internet Security Monster does whatever he wants. And no one can do anything about it. That is what I have heard. I have encountered this monster more than most. I will try to define for you the skills of the Internet Security Monster. Please note. These are end user hazards. I am not including security breaches that occur on the back end of websites. That’s a different monster. That’s the Network Security Monster.

1. Deceptive.

The monster will show you websites pretending to be other websites. We call that phishing.  Monster phishes all day long.

2. Intelligent.

Monster uses spyware as his weapon of choice. Typed credentials are captured by spyware. The target web page is captured by spyware. Monster wins.

3. Stealth.

The monster tricks you into believing that anti-spyware will destroy him. Anti-spyware weakens the monster but it does not kill him. Anti-spyware definitely eliminates many threats. But it does nothing against hardware keyloggers or stronger keyloggers that run at the kernel level. It is also difficult for anti-spyware to detect spyware that it is not familiar with. Sometimes the monster is there but you can not see him.

4. All knowing.

Monster knows all. He knows you think that auto-completing all of your passwords saves you from spyware because you are not typing passwords. Spyware can capture your auto-completes. Monster 1. You 0.

5. If he doesn’t know he will guess.

Not all threats come from spyware. Your passwords must have some degree of complexity and length to save you from a brute force hack. Some say eight characters is safe. Some say ten. Monster says three digits. Don’t listen to the monster.

6. X-ray vision.

The monster can see through your house right to your computer screen, so it seems. Sophisticated spyware has screen capturing built in to the program. Pictures can be taken of your computer screen on a tight frequency if this kind of spyware is running (technically down to the second, but more practically once every 30 seconds or so). Some spyware can take screenshots when the mouse is clicked. Pictures are then sent off to a remote location. Scary.

7. Advantageous.

It is innocent, but it happens. You have a few friends over for poker night. You take out the trash. When you come back you are greeted to a screen full of those pictures of your girlfriend that no one was supposed to see. What a shame. Don’t auto-complete the credentials to your email. Bad move. Damn you monster!

8. Mobile.

We know. Your home computer is authenticated by a biometric face scan. Your firewall issues third degree burns, and you run anti-virus, anti-spyware and anti-aircraft weapons. But when you use your friend’s computer, you may be high and dry. The monster can set traps on other people’s computers. Beware.

9. Sticky Fingers.

Damaged, lost, or stolen flash drives means that your collection of passwords could fall into the wrong hands. Monster hands. Hopefully you backed up the flash drive so that you can recover most of the passwords. It gets worse if the password that was protecting the flash drive is weak. In that case, the flash drive can be brute force hacked by the monster. Now your identity is stolen. Here is a box of tissues. You will need them.

10. Copycat.

Copy and paste can be monitored by spyware with clipboard monitoring built in. Monster knows you don’t care, but it’s still true.

In an upcoming blog I will show you how to stop this menace.


You Dropped The Football On That One, OpenID

March 25th, 2008

Michael Arrington of Techcrunch posted an article about OpenID yesterday about the big four (Microsoft, Yahoo, Google, and AOL) becoming issuing parties of OpenIDs but not relying parties of OpenIDs.  In English that means that you can get an OpenID at Yahoo, but you can’t use your Yahoo OpenID at AOL, for example.  Even though AOL is an OpenID provider, they are not a consumer, and therefore you can’t use your Yahoo OpenID to log in to AOL.  There is an interview posted on the Yahoo Developer Network between Yahoo Rep Christian Heilmann and OpenID advocate Chris Messina concerning Yahoo’s implementation of OpenID.  In that interview, this exact topic comes up.

Christian (Yahoo Rep):  In December you published a wishlist on OpenID and support by Yahoo! was one of the wishes. Have you taken a look at what was done, how do you think we are doing so far and what would you want to see next?

Chris:  Well, I think it’s excellent to see Yahoo! become a provider. That’s huge and really gives OpenID a needed push in both its longterm viability and in validating the investment people will make in becoming OpenID consumers. But providing OpenIDs is the easy part; for Yahoo to really earn full credit, it needs to consume OpenIDs, and so I’m hopeful that that will happen in time as well.

Translation:  “You half-assed it”.  To be honest, the blame should fall on OpenID.  I wouldn't have built the libraries to allow providers denial of consumer support.  All or nothing.  But alas they did not do that.  The shame of it all is that OpenID is a good idea.  Unfortunately, the message being sent is “don't be a consumer”.  That's the wrong message.  You should not have given the choice.
