Posts Tagged ‘Security’

Ghostpad Information!

Friday, March 13th, 2009

Introduction

Spyshakers.com Ghostpad is now available!  All relevant Ghostpad information will appear in this post.

The Spyshakers.com team has been researching spyware for well over 7 years.  Ghostpad is a product of that research.  Ghostpad is a JavaScript graphical keyboard that defuses spyware on a password box (or a text box if you choose).  Any website that supports JavaScript can implement it.  A demonstration can be seen on our Ghostpad YouTube Video.  You can also play with Ghostpad on our Ghostpad Demo Page.

Why implement Ghostpad?  Because some of your customers have a lot to lose.  Some of your customers are the targets of identity theft wherever they go.  Your website is always available.  Anti-spyware is not always available.  Your website can BE the anti-spyware.

The Ghostpad Script

Ghostpad is composed of one license file called license.txt, one JavaScript file called keyboard.js and one CSS file called keyboard.css.  Download these and save them in a directory of your choice on your web server.

Set up (Step 1)

The first step to use Ghostpad is to include the keyboard.js file and the keyboard.css file in your web page code. Your path to these files may be different depending on where you saved keyboard.js and keyboard.css on your web server.

<script type="text/javascript" src="keyboard.js" charset="UTF-8"></script>
<link rel="stylesheet" type="text/css" href="keyboard.css">

The Password Box (Step 2)

If your password box does not have a class associated with it yet, this is going to be really easy.  Simply add the property class="keyboardInput" to the properties of your password box.

<input id="pw_box" type="password" class="keyboardInput">

You're done.  Save and view the web page.  Ghostpad should function properly.

Does your password box already have a class associated with it in code?  Not a problem.  Examine the id of your password box (or assign the password box an id if it does not have one).  Now simply add css code to the new keyboard.css file to style the password box correctly.  For example, our password box has an id of pw_box.  We could just add this css to the end of the keyboard.css file to style the password box properly.

#pw_box{whatever css you want; you can probably just paste the css from your old class;}

That should do it!  Save and refresh your web page.  Ghostpad should now be working properly.  Ghostpad is free to test.  There is a fee for verification.  Verification allows us to keep track of who is implementing Ghostpad.  There is a verify link on each instance of Ghostpad.  Think of this as your Ghostpad “certificate of authenticity”.  It also works as a nice anti-phishing feature.  The cost for verification is only $199 per year.  Checks and money orders are accepted at this time (U.S. dollars).  Digital payment options will be coming soon.  When you are ready to verify, simply email us at staff@spyshakers.com with the subject “Ready to Verify Ghostpad”.  We will then email you a short form to fill out and email back.

You are free to edit the colors to the Ghostpad icon or the background of the Ghostpad keyboard for use on your website.  Here are the images:


See the Ghostpad review on Security Tube here.

Your website can be spyware proof in one day.  Email us with any questions or concerns at staff@spyshakers.com subject “Ghostpad Question”.  Thank you for your interest in Spyshakers Ghostpad!


SFTP (Secure FTP) Tutorial

Friday, March 6th, 2009

As I mentioned in my previous post (Securing Your Web Hosting Account) the File Transfer Protocol (FTP) is not secure by itself.  FTP usernames and passwords are transmitted in clear text.  That means that your FTP username and password can be monitored and stolen over the internet.  There are some exceptions.  If you are connected through a virtual private network (VPN) then your credentials are encrypted by the VPN.  Regardless, it is a good idea to use Secure FTP (SFTP) to upload and download your files when possible.  In this post I’m going to show you how to set up WinSCP securely.

It must be noted that not all web hosts offer secure ftp capabilities.  Your web hosting account must enable SSH access.  Three web hosts that provide SSH access are Midphase, Host Monster and Host Gator.

WinSCP

WinSCP is an outstanding SFTP client (for Windows) that can be downloaded for free at http://www.winscp.com/.  Download WinSCP and then launch the application.  You will see a button labeled “New” when you launch WinSCP.  Click on that button to set up a new secure FTP connection.  Here is a screenshot of the new connection screen:

WinSCP Connection Screen

A typical host name is something like ftp.yourwebsite.com.  If your IP address is dedicated to your domain name then you can simply enter the IP address as the host name.  The most important selections in this screenshot are the port and the protocol.  The port should be set to 22 and the protocol should be set to SFTP.  Save the connection.  Select the connection and attempt to log in.  WinSCP will ask you to generate a key the first time you log in.  If you are successful you will authenticate and see the files on your web server appear.  You can now drag and drop files from your computer to the web server (and vice versa) securely!

Notepad++

WinSCP will help you upload and download your files securely.  But what about editing those files?  There is a free editor for Windows that can make writing your scripts much easier.  You can download it at http://notepad-plus.sourceforge.net/uk/about.php.  Notepad++ has a plethora of options that normal Notepad does not support, such as syntax highlighting, auto completion, and more.

WinSCP and Notepad++ 

You can use Notepad++ in collaboration with WinSCP.  This way when you edit files in Notepad++ they will save out to your web server securely via the WinSCP application.  I will show you how to set this up.

Launch WinSCP.  On the left you will see a link to “Preferences”.  Click on it.  In the middle of the screen you will see a button labeled “Preferences”.  Click on it.  On the left you will see a link to “Editors”.  Click on it.  Find the button that says “Add”.  Click on it.  Choose the “External Editor” radio button and then browse for the Notepad++ executable file.  Save and exit.

Now whenever you launch WinSCP you can right-click on files on your web server and choose “Edit”.  The file will launch in Notepad++ automatically.  When you save your changes, WinSCP will update the file on your web server securely.  Try it!


Securing Your Web Hosting Account

Tuesday, February 24th, 2009

When we first get acquainted with web hosting we have plenty of questions.  Many years ago I remember being on the phone asking web hosting tech support how do I edit the files for my website.  I certainly didn’t have the slightest idea how to edit the files securely.  So I thought maybe I would cover this topic in more detail.  It can be confusing and some web hosts aren’t quick to shed light on the subject.

Whenever you sign up for a hosting package your web host will likely provide you with a control panel environment to modify files and settings.  I recommend looking for web hosting that supports cpanel instead of their own custom control panel.  Why?  A lot of web hosting providers support cpanel, so if you are not satisfied with your web hosting you can migrate everything over to another web host easily.

Let’s explore the security of the control panel first.  Once you have a web hosting account running cpanel you can access the control panel in the web browser with something like this: “http://www.orangewidgets.com:2082/”.  That will bring up the control panel login screen.  Unfortunately this is not the secure version.  Instead let’s try “https://www.orangewidgets.com:2083/”.  That is the secure version (notice the https).  Much better.  Most web hosts don’t really explain this too well.  If you’re not using the secure version someone else can steal your username and password and hijack your account.  Maybe they should tell you that!

Let’s move on to actually editing the files on your website.  You can edit your files in the control panel environment.  It can be done securely (as long as you see the https on the edit page in your browser it’s secure).  Unfortunately this gets old in a hurry.  All of your code is in black and white.  It’s hard to read.  Sometimes you will submit a change but the website will freeze.  It’s just not an ideal solution.  There is a better way.  It’s called FTP (file transfer protocol).

We aren’t out of the woods yet with just FTP.  FTP is not secure by itself!  Once again that means someone can monitor your website and hijack your username and password.  How to escape this nightmare?  We need to take it one step further.  We need Secure FTP (SFTP).  Secure FTP will encrypt your username and password and all files transmitted.  Perfect.  So how do we set this up?  Well, you’re going to need a web hosting account that allows secure shell access (ssh access).  It is not provided in many basic web hosting packages.  Fortunately Midphase provides ssh access in their unlimited web hosting package.  You may want to consider Host Monster or Host Gator as well.  They use cpanel and they feature ssh access at low cost (but I have not used either of these two web hosts just yet).  In our SFTP Tutorial I’ll explain how to download a free SFTP client and set it up properly with your web hosting account.  Then we will set up a free text editor that will work with the secure ftp client to make your life easy breezy.


Biometric Spyware

Wednesday, February 11th, 2009

I know what you’re thinking. You’re thinking “you know, soon we won’t need passwords. We will just scan a fingerprint or something.”  I am here to tell you that this is most likely naive.  I don’t want to rain on anyone’s parade but there are some big problems combining biometrics and the internet. Big problems. I’m not talking about the current finger scanner solution found on your state-of-the-art laptop. That is a locally stored biometric secret used to manage your identity on your laptop. That is not so bad.  I am talking about large, centralized databases of biometric secrets.  I am talking about a system where I can use your finger scanner to access my files over the internet.

If a biometric identifier is a value computed strictly from physical trait(s) then THAT VALUE IS STATIC. Fingerprint, palm, footprint, retina, DNA. It doesn’t matter. Any one of them. Any two of them. All of them combined. They all add up to one large string of characters that never changes. All you need to know is this. If your biometric value is obtained by some stranger AND that stranger can feed your value into the authorization channel then guess what… Your identity is compromised for the life of the system. It is not my intention to slight biometric efforts. But think about what the current solution would be. The internet is currently susceptible to spyware. Slap a biometric device on the front. The internet is still susceptible to spyware. Only now it’s worse. The internet becomes susceptible to biometric spyware.

I know there is research being done on something called irrevocable biometrics. This is the study of biometric secrets that can change value. IBM is currently conducting research on irrevocable biometrics. The IBM paper is a complicated read. Good luck to those gentlemen. I am unable to follow the math. But I do follow the logic in their charts. I still see vulnerability with spyware immediately after the biometric feature has been scanned.

Which brings us back full circle to the password. Biometrics are derivations of the body. Passwords are derivations of the mind.  One of them can be changed easily. I suggest using both to best emulate identity.


Preventing a Hijack

Friday, April 4th, 2008

I found this story over at Digg today about preventing spyware and hijacks on your computer. The story is written by Christopher Null of Yahoo! It has some helpful tips.


A Gorilla Riding A Bull In A China Shop

Friday, March 28th, 2008

Last post I described several hazards to an internet identity on the user end. Spyware was talked about a lot. It is the 800 pound gorilla in the room that no one ever wants to talk about. I explained why anti-spyware isn’t always good enough to save you. That amplifies the problem. It’s just not popular enough yet to fear. But spyware products are innovating. They are scary stealth and sophisticated. With every revision, they get simpler to use. You can’t ignore that. That’s a gorilla riding a bull in a china shop.

You could approach the solution in several ways. You could cross your fingers and rely on anti-spyware. You could rely on an identity management system that authenticates directly between the local operating system and the websites themselves (I think this is what Cardspace does, but I am not sure of all of its spyware resistant features). Maybe other identity systems try to resist spyware as well. In our case, we are going to try to build a web-based, spyware resistant solution.

Now, if this spyware resistance I speak of cannot be done with a simple user experience in mind, then I say take the losses and scrap it. But follow me. What would it take? What would it take to build a website that is spyware resistant? Can we get phishing resistant too? I know we can. Consider the following bullets (with some of the points taken from my previous post The Internet Security Monster). I will describe how we implemented these bullets in an upcoming post.

  • Phishing relies on a common authentication experience. If you stagger the authentication to show personalization before all credentials are supplied, your website becomes phishing resistant.
  • If you build in authentication that does not require typing then you avoid all keyloggers.
  • If your authentication is not somewhat innate, it will be unintentionally forgotten.
  • If your authentication is too simple, it can be guessed.
  • If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.
  • If your authentication does not require clicking, then it is hard to take a screen shot on a click.
  • If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.
  • If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.
  • If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.
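
The first and seventh bullets above can be sketched as a small server-side state machine. This is an added example, not the Spyshakers implementation: the class, the threshold of three failures and the sample cues are assumptions, and the decoy cue returned for unknown usernames goes beyond what the list states.

```javascript
// Added example: hypothetical names throughout, not the Spyshakers implementation.
const crypto = require('node:crypto');

const MAX_FAILURES = 3;                    // assumed threshold for step-up
const DECOY_CUES = ['red boat', 'blue lamp', 'grey owl', 'gold leaf']; // constructed
const DECOY_KEY = crypto.randomBytes(32);  // per-server secret used to pick decoys

const hashSecret = (secret, salt) => crypto.scryptSync(secret, salt, 32);
const matches = (secret, salt, expected) =>
  crypto.timingSafeEqual(hashSecret(secret, salt), expected);

class StaggeredLogin {
  constructor() { this.users = new Map(); }

  enroll(name, { password, cue, extraAnswer }) {
    const salt = crypto.randomBytes(16);
    this.users.set(name, {
      salt, cue, failures: 0,
      passwordHash: hashSecret(password, salt),
      extraHash: hashSecret(extraAnswer, salt),
    });
  }

  // Stage 1: username only. The reply carries the cue the user chose at
  // enrollment, so a look-alike page that cannot produce it stands out.
  // Unknown names get a stable decoy so the reply does not reveal who exists.
  begin(name) {
    const u = this.users.get(name);
    if (u) return { cue: u.cue };
    const pick = crypto.createHmac('sha256', DECOY_KEY).update(name).digest()[0];
    return { cue: DECOY_CUES[pick % DECOY_CUES.length] };
  }

  // Stage 2: the password, plus the extra personal answer once the account
  // has seen MAX_FAILURES bad attempts. Returns 'ok', 'denied' or
  // 'extra-required'; a wrong password and a wrong extra answer look the same.
  finish(name, password, extraAnswer) {
    const u = this.users.get(name);
    if (!u) return 'denied';
    if (u.failures >= MAX_FAILURES) {
      if (extraAnswer === undefined) return 'extra-required';
      if (!matches(extraAnswer, u.salt, u.extraHash)) { u.failures++; return 'denied'; }
    }
    if (!matches(password, u.salt, u.passwordHash)) { u.failures++; return 'denied'; }
    u.failures = 0;                        // a full success clears the counter
    return 'ok';
  }
}
```
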

The Internet Security Monster

Wednesday, March 26th, 2008

I have been talking a lot about philosophy and identity. I wanted to mix it up with this post. Let’s talk security. Let’s talk about internet security. Ohhh man. Here we go. I am going to call this post The Internet Security Monster. What is the Internet Security Monster? He is a mysterious creature.

I’ve heard that the Internet Security Monster does whatever he wants. And no one can do anything about it. That is what I have heard. I have encountered this monster more than most. I will try to define for you the skills of the Internet Security Monster. Please note. These are end user hazards. I am not including security breaches that occur on the back end of websites. That’s a different monster. That’s the Network Security Monster.

1. Deceptive.

The monster will show you websites pretending to be other websites. We call that phishing.  Monster phishes all day long.

2. Intelligent.

Monster uses spyware as his weapon of choice. Typed credentials are captured by spyware. The target web page is captured by spyware. Monster wins.

3. Stealth.

The monster tricks you into believing that anti-spyware will destroy him. Anti-spyware weakens the monster but it does not kill him. Anti-spyware definitely eliminates many threats. But it does nothing against hardware keyloggers or stronger keyloggers that run at the kernel level. It is also difficult for anti-spyware to detect spyware that it is not familiar with. Sometimes the monster is there but you can not see him.

4. All knowing.

Monster knows all. He knows you think that auto-completing all of your passwords saves you from spyware because you are not typing passwords. Spyware can capture your auto-completes. Monster 1. You 0.

5. If he doesn’t know he will guess.

Not all threats come from spyware. Your passwords must have some degree of complexity and length to save you from a brute force hack. Some say eight characters is safe. Some say ten. Monster says three digits. Don’t listen to the monster.

6. X-ray vision.

The monster can see through your house right to your computer screen, so it seems. Sophisticated spyware has screen capturing built in to the program. Pictures can be taken of your computer screen on a tight frequency if this kind of spyware is running (technically down to the second, but more practically once every 30 seconds or so). Some spyware can take screenshots when the mouse is clicked. Pictures are then sent off to a remote location. Scary.

7. Advantageous.

It is innocent, but it happens. You have a few friends over for poker night. You take out the trash. When you come back you are greeted to a screen full of those pictures of your girlfriend that no one was supposed to see. What a shame. Don’t auto-complete the credentials to your email. Bad move. Damn you monster!

8. Mobile.

We know. Your home computer is authenticated by a biometric face scan. Your firewall issues third degree burns, and you run anti-virus, anti-spyware and anti-aircraft weapons. But when you use your friend’s computer, you may be high and dry. The monster can set traps on other people’s computers. Beware.

9. Sticky Fingers.

Damaged, lost, or stolen flash drives means that your collection of passwords could fall into the wrong hands. Monster hands. Hopefully you backed up the flash drive so that you can recover most of the passwords. It gets worse if the password that was protecting the flash drive is weak. In that case, the flash drive can be brute force hacked by the monster. Now your identity is stolen. Here is a box of tissues. You will need them.

10. Copycat.

Copy and paste can be monitored by spyware with clipboard monitoring built in. Monster knows you don’t care, but it’s still true.

In an upcoming blog I will show you how to stop this menace.


Partial Passwords Are The Power Supreme

Friday, March 14th, 2008

Many people are too scared to use a password manager because they do not trust the service. I will show you a trick to get all of the privacy you shall ever need. We will use partial passwords. Partial passwords are the power supreme!

Step 1 - Edit Passwords at the Real Websites:

Let’s say I have an E-trade account. Say my E-trade username is Stockinator and my password is m@dddMONEY. Those are decent credentials. Now I establish my partial password. Use the partial password as a suffix which goes on the end of the normal password. I used to have a 1997 Camry (not really). 1997camcam sounds pretty good. I log in to E-trade. I change my password from m@dddMONEY to m@dddMONEY1997camcam. Now we are talking password, baby! Repeat this process at other websites of importance. Remember, we haven’t touched the Password Manager yet.

Step 2 - Edit Passwords On The Password Manager:

I clicked on a Google Ad that said “Store Your Passwords Online With The Devil”. Sure why not. So I signed up and put all of my credentials in my online account at satan-stores-passwords.com. When I added E-trade to my favorites, I entered my username as Stockinator and my password as m@dddMONEY. Months later a scandal breaks. Turns out satan-stores-passwords.com was running a shady operation. Who knew? All of my accounts are compromised. Not quite, broseph. My real password over at E-trade is m@dddMONEY1997camcam. My E-trade account is safe. I was storing a partial password. I can get even sexier. I could store my partial password as a fake password in a fake favorite. Now I don’t even have to remember it. Well sort of. I still have to remember which favorite is the fake. You get the point.

Advantages of Partial Passwords:

  • Eliminate the need to trust the password manager.
  • Critical passwords become twice as strong.

Disadvantages:

  • One more thing to remember.
  • Problems with any kind of automated authentication.

Building Spyshakers - Can I Get A Witness!

Wednesday, March 12th, 2008

This is the first in a series of posts explaining the challenges behind building Spyshakers. The first thing I want to say is that I spent eight months in the dark thinking this thing through. Eight months in the dark is a long time to think about anything. Some days I would come home infuriated. Infuriated because I couldn’t prove things. How can you prove that you really don’t know what your customer’s credentials are? How can you prove it, Grant? On the first day I couldn’t. On the last day I couldn’t. Somewhere in there I started to believe that proof doesn’t exist in the real world. I can find reasonable doubt. I can find burden of proof. Isn’t that interesting. I did not know the opposite of reasonable doubt until I did a search for “not reasonable doubt”. Up came a legal term called “burden of proof“. Attaching the word “burden” seems to indicate proving things in the real world is very hard. Clearly someone has thought this through before. Maybe proof is impossible?

So we move on to the next best thing. If we can’t establish as fact, we can try to convince. Can I get a witness! That is when I found out about the Truste organization. You can see the Truste Mission Statement. Because we can’t prove, we use Truste as our primary witness. Compliance with their program is not easy. They are like a super witness! I hope that our compliance in their program helps to establish trust. I am always pursuing more witnesses. The Better Business Bureau is probably next. It never hurts to have several super witnesses haha.

So establishing witnesses is important for trust. What exactly are we establishing trust for? Well, Spyshakers acts as a password manager. The process needs trust to interact. Trust is dependent on the secrecy of your passwords. How is this done? We do not store your master password. We store a one way hash of it (like a footprint). Your master password lives on your computer (technically in the parameter string). Computers only see it. Administrators do not. It decodes and encodes all secrets.

This makes Spyshakers garbage in garbage out. You send garbage to Spyshakers. We store garbage. You request garbage from Spyshakers. You get garbage. The master password turns the garbage into gold along the way. We love storing garbage in our database. That means it is not as appealing to hackers. Now you know!


Enter The Matrix

Wednesday, March 12th, 2008

Morpheus

Trinity: Morpheus believes he is the one.
Cypher: Do you?
Trinity: It doesn’t matter what I believe.
Cypher: You don’t, do you?
Trinity: Did you hear that?
Cypher: Hear what?
Trinity: Are you sure this line is clean?
Cypher: Yeah, of course I’m sure.
Trinity: I better go.

Are you sure this line is clean? What line? What does that even mean? Let’s use The Matrix to further define identity systems.

Remember our definition of identity? An identity is the perception of an entity by a witness within the context of space time. When Trinity asks Cypher if the line is clean in the beginning of The Matrix, she is really asking Cypher if there are any unwanted witnesses. Have you ever excused yourself from the room because of a cell phone conversation? Why did you do that? You did that because the secrets exchanged in the conversation were to be shielded from unwanted witnesses. This is privacy. Security is the shield for doing so. In this case, what shield is used? Simply space time. Relocating puts unwanted witnesses out of earshot. The shield is not always that simple.

Internet transactions generally rely on the Secure Sockets Layer (or SSL) to exchange secrets. SSL depends on encryption for its shield. Data is encrypted on the origin computer by a key. The encrypted message is then sent over the channel. The destination decrypts the message by the same key. This is how the internet shields its private messages.
