A Hacker's Paradise

Do you know how vulnerable your system is?

My GMail password was stolen and my account taken over by Russian Hackers who tried to extort money out of me. This of course led me to ask HOW, on my system with my careful attitude to everything, they got hold of my password.

What I've found is that there are more security holes in software than even my paranoid mind suspected. I figured that a fully patched Vista, running Nod32 which is arguably the best antivirus around, Windows Defender, SpyBot S&D, a hardware firewall, firefox instead of IE, etc, I would be pretty safe. Then my Google & ICQ passwords got stolen from the Accounts.xml file of Pidgin, which is smartly stored right there all in plain unencrypted text, ripe for the picking. But I still wasn't sure how they got the file.

I'm not saying I will ever know WHICH security hole was used. But I've found several. Firefox 2.0.0.12 has a known "Directory Traversal" bug, but it is claimed to be limited to the extensions directory only so maybe it wasn't that. There's a keygen I used, but that keygen has been available for TWO YEARS, so if it had a trojan in it, you'd think it would come up when submitted to 32 different scanning engines, but they all found it clean. A Roadrunner technician required me to disconnect my hardware firewall/router before he would help diagnose my connection the day before my passwords were used to take over GMail & ICQ. I forgot to plug it back in for 12 Hours. Going without a firewall is bad, but that would imply there was a hole in a fully patched Vista system. If there is, it is unpublished. Published exploits are much more frequently used. So what software on my system contains published exploits?

Adobe Flash Player. In December, an update was released that upgraded users to version 9.0.115.0. The patch fixed several security flaws.

Unfortunately, version 9.0.115.0 of Flash Player also has a known bug - with certain ATI video cards, you cannot go full-screen with Flash Video. That means no full-screen YouTube, CBS Evening News, etc, because almost everyone uses Flash Video on the web.

So I had reverted to version 9.0.47.0 of Flash Player. It worked.

Apparently, it was also a veritable hacker's paradise. The short list of risks: "could lead to the potential execution of arbitrary code", "could potentially aid an attacker in executing a DNS rebinding attack", vulnerable to "privelege escalation attacks against web servers hosting Flash content", vulnerable to "potential cross-site scripting issues", "potential Universal Cross-Site Scripting attacks", "allow remote hackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks", "a potential port-scanning issue", "(linux) a memory permissions issue that could lead to privilege escalation", and un unspecified issue on Mac.

Whoa. And all of these are PUBLISHED EXPLOITS. Let's see... cross-site scripting, header modification, privilege escalation, DNS rebinding, and arbirtrary code execution. Is there anything they missed?

Yet, Adobe is dragging their feet on fixing 9.0.115.0, and actually recommending people revert to 9.0.47.0.

I believe I have just become a convert: Flashblock.

29,913 views 37 replies
Reply #1 Top
Jeeeeez, why is it that virtually all the stories like this come from GMail users? Is it a coinsidence? :NOTSURE: 
Reply #3 Top
Leo, I think people have problem because they don't research and look at things close enough and yes, they always just have to have it because it's the new toy out.  :NOTSURE: 
Reply #4 Top

Quoting Philly0381, reply 3


Leo, I think people have problem because they don't research and look at things close enough and yes, they always just have to have it because it's the new toy out.   

End of Philly0381's quote

Flash is the "new toy out"? IM is the "new toy out"? GMail is the "new toy out"?

Don't buy into that - my point is that it *IS NOT* just the "new toy out must clicky" people who have problems. I have used computers since 1982, been online since 1991, and have NEVER had "these kind of problems", which is why I make such a big deal out of this. I have a very secure system - the fact is that you can NEVER have a completely secure system unless it is unplugged from the net.

I am definitely NOT one of those who believes like many do now that losing passwords and getting hacked is "normal" - it is far from normal for careful users. Which is why when it DOES happen, it points out just how insecure computers really are.

Reply #5 Top
You used an "autocomplete" service for your passwords. No, it's not "normal," but it greatly increases your risk.
Reply #6 Top

You used an "autocomplete" service for your passwords. No, it's not "normal," but it greatly increases your risk.
End of quote

Yes, I had Pidgin save passwords for the SIX DIFFERENT LOGINS it has. Do you type 6 seperate passwords every time you reboot your computer?

Insecure, somewhat. Storing all 6 of those passwords in a plaintext file in the user's home directory? Extremely insecure. Pidgin developers claim that to encrypt the file would not help. I disagree. My eBay password, my Paypal password, etc, are all stored by Roboform in an encrypted file. Were they stolen? No. The stolen passwords were the low-hanging fruit - clear text passwords stored in an easily readable file.

Fact is, 99% of users out there click the "save password" button on their IM clients. There is an expectation that the software would treat those passwords responsibly, and in the case of Pidgin, it did not do so. I just checked Trillian, and it stores obfusicated passwords. Are they hackable? I have no idea - I don't know what level of encryption the developers used - that's why they are developers and I'm a user. But at least it isn't clear text.

Anyway, the point of this article was about how hackers can get into your system. The number of holes in Flash Player is incredible - I had no idea that such a ubiquitous application was so insecure.

Reply #7 Top
Actually...I use about a dozen different passwords on a regular basis, and I do remember them all. I had to learn how to memorize sometimes arcane combinations for a previous job.

I do sympathize. Getting hacked really sucks (for lack of a better term), and I'm sorry you went through such an ordeal. I'm also surprised that Flash has so many holes, though I shouldn't be - it tries to do way too much.
Reply #8 Top
Okay, I'm reading this and since I don't have Vista you will need to perhaps enlighten me a bit. Anytime I've had problems has been a result of my own stupidity of connecting to the internet from a administrator account with full privileges.

Having AV, Firewalls, etc is the equivalent to leaving your keys in the ignition of your car, locking the doors and figuring everything will be fine. Chances are someone who knows what they're doing will be able to open those doors and steal your ride.

I agree with you that storing the passwords unencrypted in text format especially in today's world is a big blaring error. Sadly I'm not surprised and a little tour through my registry in the past has turned up other app's that store unencrypted passwords there.
Reply #9 Top

This of course led me to ask HOW, on my system with my careful attitude to everything, they got hold of my password.
End of quote

A Roadrunner technician required me to disconnect my hardware firewall/router before he would help diagnose my connection the day before my passwords were used to take over GMail & ICQ. I forgot to plug it back in for 12 Hours.
End of quote

You answered yourself. Ten minutes is all they need - 12hrs is a lifetime. Are you sure only passwords (kept in plain text...egads) went missing?

I wouldn't be suprised to find your pc is a zombie.

Reply #10 Top

Quoting Fuzzy, reply 9


This of course led me to ask HOW, on my system with my careful attitude to everything, they got hold of my password.
A Roadrunner technician required me to disconnect my hardware firewall/router before he would help diagnose my connection the day before my passwords were used to take over GMail & ICQ. I forgot to plug it back in for 12 Hours.
You answered yourself. Ten minutes is all they need - 12hrs is a lifetime. Are you sure only passwords (kept in plain text...egads) went missing?
I wouldn't be suprised to find your pc is a zombie.

End of Fuzzy's quote


A fully patched Vista system should not be compromised without a hardware firewal, and I challenge you to show me that it can - not counting 3rd party software flaws (which appears to be what this is about).

Reply #11 Top

A fully patched Vista system should not be compromised without a hardware firewal, and I challenge you to show me that it can
End of quote

It is this naivity which got you hacked. Even a modest expert can hack Vista in under ten minutes.
By all means go ahead thinking you are secure, I wish you well...

Reply #12 Top
This is why you memorize passwords instead of saving them on your system
End of quote


Yeah, exactly. although that totally sucks that that happened to you.

~I love Fuzzy Logic's icon. Spock! wow, I'm a nerd. although that was on last night

anyhoo..... yeah, vista is full of holes. what you have does make you significantly more secure but I'm bias and I say just get a mac. oh wait, no stardock stuff for Mac. um..... stardock should make stuff for mac, that'd be sweet!
Reply #13 Top
?
So if I got it right about Firewalls
the firewall that comes with XP or Vista are not good enough by them selfs?

Reply #14 Top
Fuzzy's right. In fact, I think I recently read somewhere that certain virus's can invade your system and can be in your boot up files which are not detectable by the usual commercial AV programs. If it's a 'key logger' then even remembering your passwords is not going to help as every move on your keyboard is being watched. This is how I read it but I maybe getting 'things arse about face'. I'm sure it was on the BBC website and I think they mentioned a program that I had never heard of that could deal with this problem :NOTSURE: 
Reply #15 Top

So if I got it right about Firewalls
the firewall that comes with XP or Vista are not good enough by them selfs?
End of quote

Right. The built in firewall has no outbound protection. That means trojans and malware can communicate out, it also means once a hacker is in, the firewall may as well not be there. Vista pcs are just as prone to becoming zombies as any other.

If you are unsure, test your pc security here WWW LINK to Shields Up You may be in for a shock ;)

Reply #16 Top

I tested my pc security with that site there, Fuzzy, just for the heck of it ;)

Was I shocked? No, not at all. More like surprised......

The results:

File sharing:
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE!

Common ports:
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

All service ports:
Solicited TCP Packets: RECEIVED (FAILED)
Unsolicited Packets: PASSED
Ping Echo: PASSED

One of 1056 ports were detected as 'open'

Messenger spam:
Dunno what the heck this test did, but nothing what so ever happend......

Browser headers:
Did what it said it did..... not that I fully understood it ;)

-------------------

And what type of "security" apps am I running?
One word: NADA!
Apart from Avast and Vista firewall I have nothing "protecting" my pc ;p

Reply #17 Top
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Common Ports
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

All Service Ports
GRC Port Authority Report created on UTC: 2008-02-25 at 00:21:28

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

The Messenger test was negative. I recieved noting on MSN.
Not sure about the Web Browser test. Secure and unsecure pages were exactly the same....
Reply #18 Top

Quoting Fuzzy, reply 9

I wouldn't be suprised to find your pc is a zombie.
End of Fuzzy's quote

Does it make you feel good to paint me as a clueless n00b? Does it make you feel more secure?

Fact is, I have taken every precaution I could. I do not believe it was a firewall issue, as there are much more obvious security exploits available that do not require getting around a firewall. I don't believe I was being targetted personally, so a "drive-by" exploit is most likely - and they are extremely common.

I have been using the internet since 1994 and BBS systems before that on a DAILY BASIS and have never gotten a single virus on my system, perhaps until now. Very few people have that kind of track record. I never got a Gator Infection, never had IE stuffed so full of toolbars I couldn't use it, and have had a hardware firewall ever since I've been on broadband.

You try getting a technician to reset your internet connection when he won't talk to you unless you detach your router. Apparently RR can read through the modem what is connected to it - he told me the brand of my router and refused to continue unless I took the router out of the loop. I reiterate, however, that I do not believe it was the router.

I have identified numerous KNOWN holes in POPULAR software that I used on my system. None of these are actually holes in the base OS. I'm not saying there aren't holes in the base OS, and I'm not saying that an experienced hacker couldn't get in. What I AM saying is that most of these kinds of hacks are done using PUBLISHED EXPLOITS. There's no need for a Russian Hacker to sit there and hack at my system when he can put up a website which takes advantage of a hole in a plugin such as Flash or Acrobat, or Pidgin, or Firefox, etc, and can just grab info from any random Joe that lands on that website. This is how it is done. If a hacker personally targetted and hacked my system, I'm sure he would have bothered to get things such as my PAYPAL or EBAY password, for instance. Instead, it was low-hanging fruit.

I have taken additional security measures - such as reinstalling my OS - even though I am relatively certain it was itself clean. I do not take chances, as you seem to imply.

You seem to believe that you are somehow immune - I propose that you have been fortunate. Proper security measures definitely make you MUCH safer - I can attest to that with my own lack of problems over the years - but you are never 100% safe unless you are completely unplugged from the internet. In fact, that's not even safe if you consider cases such as the recent fiasco where digital photo frames sold at several retailers had a particularly nasty virus in the firmware this holiday season. How many people got infected by that who had taken all the necessary security measures?

Reply #19 Top
Buy a computer. Wrap it in bubble wrap. Put it in a air-tight box. Place the box in a firesafe. Dig a hole 12ft deep. Bury the firesafe. Then you won't get a virus :P
Unless you don't use the computer, you could always get a virus. Thats why you gotta be secure.
Reply #20 Top
If you are unsure, test your pc security
End of quote


Hey Fuzzy, thanks for the link, after a first failed test, two ports open, I removed some not required items from the exceptions list of WindowsXP firewall and second test was a pass, completely stealth.
Reply #21 Top
In a home environment, you can easily keep a notebook with passwords, account numbers and log-ins, and the like by the machine. If someone breaks into your house, well, you've got other issues. I never keep potential blackmail bait on here - any "private" photos or the like are placed on a disk and cleared from the hard drive. The idea is not just to make it difficult to get into my machine, it's to make it not worth the energy spent. If someone does get on here, well, they can look at pictures of giant robots. :LOL: 
Reply #22 Top

It is this naivity which got you hacked. Even a modest expert can hack Vista in under ten minutes.By all means go ahead thinking you are secure, I wish you well...
End of quote

I once setup a computer with a fresh install of XP Pro ....and AVG...went online and downloaded the AVG sig update and logged off again.

Ran the update and scanned the machine...I was dirty already.  Probably online not much longer than a minute or so...;)

Reply #23 Top
Same here, Jafo. I did a clean and reinstall for a friend a couple of years ago and in the three minutes we were on line getting the AV downloaded the damn machine was infected and I had to start all over again.
Reply #24 Top
I have been using the internet since 1994 and BBS systems before that on a DAILY BASIS and have never gotten a single virus on my system, perhaps until now. Very few people have that kind of track record.
End of quote


Actually, Lotherius....I've NEVER had a virus on my PC. EVER. Period. And I've had the 'net since....ummm....well, a long-ass time ago anyway. I'm a freak about internet security. Probably comes out of being obsessive-compulsive.

I change my passwords frequently. I run my AV scanner daily (as well as a spyware scanner). I don't go to websites I know nothing about. I don't trust GMail, Hotmail (although I do have a Hotmail account for MSN Messenger), or any other web-based email proggy (I like my Outlook Express).

I don't store passwords on my PC, encrypted or otherwise. I've got them stored in the safest place of all...my memory. And unless someone wants them bad enough to put bamboo slivers under my nails or threaten to kill my loved ones, well....I figure they are safe from hackers in my brain.

There is no perfect one-fix for hacker prevention. But with the right combination, you can sure stump the hell out of 'em!
Reply #25 Top
I like to put all my files in strnage file formats( I store my Pictures in Stardock's .SDC format, since I figured it out). So if someone breaks into my comouter it will be somewhere along the lines of: "WTF??!?! HOW DO I OPEN THIS **** THING!" Since there is no SDC extractor that I know of,(except the one I made that a Wizop told me not to post.) Maybe you should invent your own archive format? .bob maybe?