Wednesday, 28 March 2012

Port abuse 21 days later

On the 7th March I blogged about port scans coming from a remote machine  http://bit.ly/HiwIFq at the time I emailed the company owning the IP address range from which the scans where coming from and got the wonderful, this is low priority and we will look into.

Well today 21 days later I got a reply


"Thank you for your notice. The server you have provided in your log is no longer on our network. Thank you for your cooperation and please let us know if we can do anything else."

Well it took three weeks, but the final got around to replying to say it had been sorted. In a couple of days I will publishing the rests of analysing the March log files from my ADSL router.

Tuesday, 27 March 2012

Kaspersky and the BBC

For a short time today Kaspersky Lab reputation service passed comment on the BBC website as being a dangerous web resource with many of the links highlighted as being suspect as shown below.

Their customer service department did say when I sent them the Screenshot "This is a false alarm that we are working swiftly to rectify, it will be solved in the next set of Kaspersky database updates. We apologise for the inconvenience"

I can think of other web pages that could be similarly classified!

Monday, 26 March 2012

Tools (March 26th)

Weekly blog on the tools that have come to my attention over the last week, it is not a comprehesive tool list but tools that I found interesting or details of tools I use that have been upgraded.

One of the features of a Pen Test tool I feels is the ability to add to its functionality and this demonstrates why, the ability to run addition tools from withing another improves the testing capability of a tool.

Sqlmap plugin for BurpSuite http://code.google.com/p/gason/
This project contains plugins to extend BurpSuite proxy. The first release contains a plugin to run sqlmap from Burp.

OWASP ZAP http://code.google.com/p/zaproxy/
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. The current version of ZAP is 1.3.4 But they have alsoe also got a 1.4.alpha.1
I have looked at several sites where their has been problems with security certificates, this is a tool I will be looking at to see if it can help with identifying thr problems.

SSLyze http://code.google.com/p/sslyze/
a Better, faster scanner to analyze the configuration of SSL servers.
  • Supports cipher suites scanning, insecure renegotiation verification, session resumption testing, client certificates, and more...
  • Tested on Python 2.6 & 2.7 with Ubuntu and Windows 7, both 32 and 64 bits. Might work on other platforms as well.
  • Based on OpenSSL and a custom SSL Python wrapper

Friday, 23 March 2012

CPD Presentations

Starting to work on two presentations that I will be giving next month, will be revamping my Hollywood Forensic presentation that I will be giving to the Hertfordshire Branch of the BCS http://bit.ly/AcZ3TC on the 24th April, a look at how the TV and film industry portray digital forensics and a look at how it is done, sort of gentle introduction to the topic of Digital Forensics combined with a reality check for those who get a fix of the CSI an NCIS etc on a weekly basis. Will also be doing the same talk at the Bedford branch of the BCS in June, this will appear on the web page http://bit.ly/GIZbFu in the next month.

The other talk is on wireless security but looking at the home users prospective rather than industry use of wireless, this is for the Hertfordshire Section of the Instiutute of Measurement and Control http://bit.ly/GHN0Xm. This takes in my research interest that I am covering in my other blog Wireless MSc Research http://bit.ly/GIz8vM the talk will look at the issues in implementing a network using wireless technology, especially in the domestic environment. Wireless technology has a history of security problems with flaws in the implementation of WEP and recently with WPS. Secure configuration is becoming increasing more  important as a lot more users are using wireless to create multimedia entertainment systems, enabling laptops, smartphones and games console to have internet access and to create a CCTV system to monitor home security and children's playrooms. The courts have already convicted paedophiles of piggybacking neighbours wireless networks to download material and hackers of using wireless networks for pirating software, music and films and for spying on occupants using their own security cameras. I will be covering the (opensource) tools that can be used and how these apply to the home environment. The talk will include practical demonstrations of the tools and techniques discussed in the presentation and unravel the alphabetic soup of the available standards.

Monday, 19 March 2012

Tool Update 18 March 2012

Weekly blog on the tools that have come to my attention over the last week, it is not a comprehesive tool list but tools that I found interesting or details of tools I use that have been upgraded.

One of the most interesting releases that has hit the infosec world is not so much a pen test tool but the Anonymous OS, not going to go into to details but check the threads on twitter and the blogs for more details on the so called Anonymous OS that has been denied by Anonymous  and removed from source forge.

Update Seccubus V2.0 beta3 http://seccubus.com/
Tool to automatically fire regular security scans with Nessus. Compare results of the current scan with the previous scan and report on the delta in a web interface. Main objective of the tool is to make repeated scans more efficient.

Web Application Security Penetration Testinghttps://addons.mozilla.org/en-US/firefox/collections/adammuntner/webappsec/
The plugins list for firefox have been updates as the list maintainer says can not guarantee the trustworthiness of plugins but plugs provide useful functionaility to browser, there is a good range for IE, Firefox and Chrome that are useful for the web application tester


CANAPE security assessment http://www.contextis.com/news/
Context Information Security has been presenting its latest Windows security assessment tool at Black Hat Europe this week in Amsterdam. CANAPE extends the functionality of existing web application testing tools such as CAT, Burp or Fiddler in order to analyse complex network protocols.

Port scan update 19th March

After a week a few days of peace on the ADSL router a Chinese machine has come a knocking over the last few days. Have recieved 11 reported DOS on various ports, which is probably the Netgear router's way of saying it is seeing a very slow port scans for proxy servers rather than a DOS attempt.

The ports being probed are

80     HTTP
3246 DVT SYSTEM PORT
5390 Bosch Video Management
7212 Unassigned IANA (Ghost Surf Proxy)
8080 HTTP Alternative
8123 Polipo Web Proxy
Will be producing a monthly report at the end of month and it looks like March will be a bumper month for attempts.

Cyber Security Important to the UK

I attended "The Future of Cyber Security 2012" conference http://bit.ly/woU3Ed in London today, the range of topics was wide ranging from protecting mobiles, to the cyber economy, implementation of cyber security as well as the future of cyber security. When I got home there was interesting coincidence in that I found the BBC web site had an article on that UK is the ‘most internet-based major economy’ http://bbc.in/FPSugF based on a report by researchers at the Boston Consulting Group (BCG). The report claimed the "internet economy" was worth £121bn in 2010, more than £2,000 per person in the UK, they predict it will continue to expand at a rate of 11% per year for the next four years, reaching a total value of £221bn by 2016. The figures justify that cybercrime is big business, the money is in the internet and it is perceived as being easy to commit with a low chance of being caught and if you are the sentencing is lower than for a physical robbery, with highly skilled cybercriminals developing and distributing automated click and attack tools even the most basic IT literate person can go online and commit cybercrime.

As I said there were a good range of talks at the conference from all sectors of public, private and academic bodies, each talk complemented each other which the conference even better from an attendees point of view.

Cyber security is important to the UK as a substantial amount of business is conducted on the Internet as shown in the BCG report, but important to all countries. Stefan Tanase from Kaspersky alluded to the cybercrime economy maturing with organised crime planning exit strategies to escape from the illegal activities before they are caught. This very much like the organised crime expanding from criminal activities into legimate activities, the koobface gang has invested in nightclubs and other other ventures, although they have not been caught, due to being exposed they have stopped their activities. Although the risk of being caught is low, the longer they go on, the more likelihood of been caught. With cyber-criminal gangs stopping after a couple of years the investigation of cybercrime need to speed up.

Charlie McMurdie, head of PCeU gave facts and figures on the performance of the PCeU, it was given a £30million budget and told to target £504million of cybercrime, it has exceeded this in the first year of operation. This gives the indication of the scale of the crime although it is difficult to come up with a series of metrics that can be used to judge performance of security plans. If 100,000 credit card details are recovered and the potential for fraud is about £2k, it is not a simple case of multiplying out the factors as some of the credit card details would of already been cancelled and the actual value can be considerable less. However the police are making inroads into targetting the more important players rather than the foot soldiers of the gangs, taking the example of hactivism with the activities of Anonymous, the several hundred thousand of people who download the tools and took part either directly or be handing remote control of their PC over to Anonymous although identifiable and could be arrested to get some high figures of arrest it is those who developed and controlled the tools that are being targeted. AN interesting fact is that the majority of people in the UK who download the tools did on their work PC's a fact that should make public and private sector organisations sit up and reflect on the implications to their security policies.

If you were involved in cyber security in the 1990's you would of seen Malware development move from a couple of new virus per day through to the current 9 new variants per second being detected by Secunia as told by Stefan Frei. Additionally it has moved from some of the Malware being annoying but not dangerous with the screen being flipped upside down to virtual all Malware today aimed at making money with passwords and identity credentials being targeted as reported by Jeremy Spencer from Orange, if they can’t steal money from your machine, your machine becomes a resource they can sell as part of a botnet.

There were discussions on where criminal activity will be heading in the future as cyber security needs to keep up with and developing counter techniques to ensure the security of devices, protecting intellectual property as well as identity and money

A good portion of the talk was about protecting mobile devices and the trend of BYOD within organisations. Orange used the conference to launch their new product "Secure Mobility" which is combining the Orange VPN service with Mobile Iron's solution to form an end to end security platform with remote management of corporate activities. I won't go into this in detail as I'm sure Orange will be pushing the details out to corporate users.

Saturday, 17 March 2012

Ethical Hacker meme

A light hearted meme, will have to see if I can improve it.

Blogging for a month

Being doing this blog for a month now and had over 500 page views in the first month with which I'm pleased with. Will be continuing the blog with a stronger emphasis on Information Security. I am planning to do a weekly blog entry on Pen Testing tools, also planning to do a monthly blog entry on the port scans of ADSL router. In addition to the planned regular blogs I will be blogging about the activities I undertake for CPD and these will be combined with entries aimed at students and those wishing to enter the InfoSec profession. As I have been doing there will be entries about anything I feel interested in and motivated to blog about.

In the first month my top article was on "What makes an ethical hacker legal" http://bit.ly/wyekis the other popular entries where the series of blogs on Cookies and the PECR "Cookies hit headines as the ICO deadline approaches" http://bit.ly/wtsCin, "Why are cookies used on web sites? (Part 2)" http://bit.ly/z4kYkg, "Privacy and cookies (part 3)" http://bit.ly/zHOKfe, "Browsers, Cookies and Privacy (part 4)" http://bit.ly/A1ogiR, and "Cookies and the PECR (part 5)" http://bit.ly/zenFk3. I will be working on these blogs and producing an article combining all 5 entries into a single paper. There was also a lot of interest in the port scanning entries.

Friday, 16 March 2012

Working with Students

One of the activities I enjoy whilst trying to earn enough CPD points is working with the local schools and colleges and helping students who are starting or thinking about starting on a career in computer security or digital forensics to gain an understanding of what it is like to work in the industry.

Whilst I was working at the University of Bedfordshire I had great pleasure of having speakers from the Metropolitan Police give a talk, Keith Cottenden of Cy4or who regularly spoke to the students and we had an association with 7Safe with whom the University worked with on a MSc pathway for computer security and forensics.

Whilst teaching the introduction to the subject areas I have always emphasised the point of being professional and ethical in the studies and for them to continue this behaviour into their careers.

I also point out that they could come across some unsavoury material in the course of the careers, this is something there need to consider in deciding on their career path.

The last point is continual personal development, I myself feel that the more I learning there is more I need to learn and researching tools and techniques is an important part of this as well as networking with other security professionals. I will encourage students to start this as they start their courses. Of course research should be conducted with the same ethical and professional approach they apply to their studies and careers. It can be a very fine between researching to learn and crossing the line to the dark side to paraphrase a film from my youth.

In terms of a career they have a wide choice to select from ranging from penetration testers to digital forensic examiners, and from chief information security officers to network engineers with a security background. They can work in a range of organisations from the public bodies including government agencies through to the SME. Computer security affects all walks of live and there is a need for security professionals in all works of life to counter threats and protect our digital lives.

Since leaving the university I have maintained my associations with the local colleges and university and have enjoyed working with Bedford College and University of Bedfordshire at a number of activities this year. In Jan spoke to Bedford College evening and part students about Web application security. In Feb worked with IEEE Student branch at the University of Bedfordshire on a wireless security workshop. In March returned to Bedford college to discuss ethical hacking and security with their daytime students.

I am hoping that the association will continue in the future as it is great to see keen young students taking an interest in Computer Security and Digital Forensics and it is also an enjoyable way of earning some valuable CPD points.

Cookies and the PECR (part 5)

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR)

As previously stated On 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) come into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance these powers and introduce new requirements, most notably in relation to cookies.

From the ICO advice on the new cookies regulations, the introduced changes is that cookies can only be placed on machines where the user has explicitly given permission.

Regulation 6 of the PECR

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

“(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Notes:

The regulation 6(3) implies the the first time a terminal equipment of a subscriber or user they must be asked, however on subsequent visits it is nor necessary to repeat the request for consent. However it is hard to see if equipment is shared between users how the website will know if it is the same user or not.

Regulation 6(3A) does allow a website to test to see if cookies are allowed by trying to read and write a cookie which the ICO has indicated is not fully acceptable. I assume that if the site detects cookies are not allowed then it can assume consent is not given, however it can write and read cookies then it has to ask consent at which point it is too late as they have already written a cookie potentially without consent.

Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary is for operation of the web application to meet the subscribers or user expectations.

Cookies and the PECR

Previously, companies using cookies only had to inform users about their use and give such users the opportunity to "opt out" if they wanted, now it is an "opt in" requirements.

In order to determine whether people had opted out, companies are using the technique of trying to write a cookie to a browser and immediately read to test if the user had disabled the acceptance of cookies, if they could write a cookie it was assumed the user had not opted out of accepting cookies.


The Information Commissioner now advises that these are not currently sophisticated enough to allow companies to assume that the user has given consent and he advises that companies should obtain user consent in some manner.

In order to give the rules some bite the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules. Along with the use of enforcement notices and undertakings as we have previously as part of the range of options available to us to make sure organisations comply with the law.

The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

This is going to mean companies will need to look at their web sites and develop a strategy for handling gathering cookie consent

The process of cookie consent handling is showing in this flowchart

At the moment essential cookies don't need consent, if your site only uses essential cookies than no consent is required, however if you have a mix and most sites will especially if they are using Google Analytics then you will need to get consent for the strictly not necessary cookies and this is where the problems start.

What is the ICO doing?

The ICO website has a banner for requesting consent for using cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice, this is all good until you click on the continue button without accepting cookies from the site, the warning changes by the addition of a line saying "You must tick the "I accept cookies from this site" box to accept, and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects user experience if at the top of all web pages is banner about cookies.

What is the solution for the future?

The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers.

The EU has said existing cookie controls in browsers are not flexible enough and a majority of users don't understand cookies and won't be able to configure cookies from the web site
.
Some extensions to browsers do give the functionality to allow the blocking of some and allowing others, however it takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser and at the first time of using the browser it could ask for setting to be configured with the default being, strictly necessary cookies are allowed all other are blocked, but how does a browser know a strictly necessary cookie form any other cookie. Here a development of a new RFC for session management is required with a new attribute of strictly necessary which can be set by the website developer. The ICO and other such agencies could that have strict penalties for incorrect setting of cookie attributes.

Tuesday, 13 March 2012

Browsers, Cookies and Privacy (part 4)

Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.

Internet Explorer 9.05


Firefox 10.0.2


Chrome 17.0.963

  

The common features amongst the latest versions of browsers are
  • Block all cookies
  • Block third party cookies
  • Allow exceptions
However the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.

Ideally a web user needs a more flexible approach to controlling cookies than the blanket controls based on options of either ignoring all cookies, ignoring 3rd party cookies or accept all cookies. The browsers above do offer some additional features of which, the exceptions option is probably the most important in where a blanket ban on cookies can be overridden on selected web sites. A good feature that a lot of browsers are now implementing is allowing session variables which are typically associated with the management of web applications but only exists for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies as it exits, thus turning all the cookies into session cookies.

The ability to accept only session cookies or turn all cookies into session cookies by forcing the deletion of them is of fundamentally important with a modern dynamic web application where session management cookies allow the web site to function as the user expects it to. With the new regulation a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies as they can't rely on user’s configuring the browser settings. In fact assuming consent has been given as the browser accepts cookies has been specially ruled out and it is written a site must get consent before writing a cookie to the client browser.

A user of a web site is now being forced into either accepting all cookies as they want the functionality of the web application, or block the functionality of the web site as they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies and block all other cookies, unless the web site uses session only cookies for the strictly necessary functionality and uses non-session cookies for all uses and even then the browsers will need to be correctly set.

This series of blogs will end with a look at the possible options on meeting the regulations and suggestions on a way forward.

Monday, 12 March 2012

Privacy and cookies (part 3)

So far, it seems that cookies are useful and help by making the browsing of websites a better experience for the user, so why are the EU and privacy organisations concerned about cookies? Well, hopefully you picked up some points I mentioned the previous blog entries about cookies that are the cause of the concern about privacy. For those who didn’t, it is because cookies can be used for tracking, they can be created for third parties and browsers frequently ignore recommendations in the RFCs about session management

Tracking

A company may want to track a person using their website, they do this by setting a first-party cookie, they then log the pages requested that have the cookie sent in the request header enabling them to track page views and the order in which they were viewed, they do this to obtain data to improve navigation, calculate popular pages and personalise pages offered to a user when they visit, depending on what was viewed last time.

3rd Party Tracking

Third- party companies can create a cookie on a domain other than their own if the web page includes objects, such as images requested from the third party domain embedded in the web page; this allows the creation of third party cookies with a domain different to the domain of the requested webpage.

If the third party has a series of these objects across a large number of domains, it allows what a first party cookie on its own website can do in tracks pages viewed, but now the third party can track page usage across all domains on which it has an object embedded. This can allow targeted advertising based on web sites visited, i.e. adverts for trainers if the user has visited a number of sports footwear website, but it can be used to profile a user for alternate purposes.

Reselling Internet usage

Generally with a web site to which you subscribe there is often the option to decide on how the owner of the web site can use your information and whether they can pass it on to external parties. However when it comes to third party tracking of Internet usage it is a lot harder to prevent them from reselling the derived data about your web usage, they can use the information themselves and additional sell it on to other interested parties, either for marketing purposes or for other profiling purposes.

Profiling

If a user is tracked across the Internet through 3rd party cookies, for example an advertising company that places it is adverts onto websites so the owners can generate revenue by per click advertising. It allows the advertising company to record what sites a user has visited, if for example they track a unique cookie value as having visited several horticultural sites and sites about growing cannabis etc. this level of profiling and tracking would be useful for law enforcement agencies.

Leakage of information

Additionally vulnerabilities have allowed data to be retrieved from cookies that could allow an unauthorised person to steal information about the user and/or impersonate them on web sites allowing identity theft, fraud and other crimes to be committed.

Privacy and the real world

The real danger comes when it becomes possible to link an online identity created by a unique cookie value with personal identifiable Information, allowing the online identity to be linked to an real world identity allowing a name, address to be added to data collected about their viewing habits, this could be useful for direct mail marketing companies but also could be abused by companies, criminals and other agencies.


Tool Update 12th March

Another round up of tool releases that can be useful to the Pen Tester, if you are aware of any new tools or releases of existing tools you feel should be included please contact me with the details.

The comments here are my own views and I am not recommending any one product over another, if you are looking for tools I recommend trying a few, as most have free versions and picking the one that works for you. We all have our own methods of working and a pen tester’s tool bag reflects their own personality.

New test release of NMap (9th March 2012)

http://seclists.org/nmap-hackers/2012/0

5.61TEST5. This release has 43 new scripts, including new brute forcers for http proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth daemon, and old-school rsync.

Vanguard Pentesting Scanner  (8th March)

http://packetstormsecurity.org/files/download/110603/vanguard-public.tgz

Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications. It provides crawling, uses LibWhisker2 for HTTP IDS evasion, and checks for issues like SQL injection, XSS, LDAP injection and more.

Not a tool as such but useful nethertheless Mutillidae (9th March)

http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

Mutillidae is a free, open source web application provided to allow security enthusiest to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. It is already installed on Samurai WTF. Simply replace existing version with latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them; providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiast, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software.

Sunday, 11 March 2012

Analysis of Logfiles (Jan & Feb 2012)

After the probes early this month on my ADSL router, I looked back through the Jan and Feb log files for records of probes and analysed the results. The router records DOS and Port Scans, with the originating IP address. For the simple analysis I looked at the total number of attacks, looked at whether there were DOS or Port Scan. With the IP addresses I identified the number of unique IP and then looked at the country of issuing of the IP address registration.
 
Month
No Attacks
DOS
Port Scans
Unique IP
Unique Countries
Feb 2012
76
74
2
60
9
Jan 2012
96
94
2
86
6

Feb 2012

Country
Attacks
Turkey
52
Ukraine
2
France
1
China
1
Egypt
1
South Africa
1
UK
1
Netherlands
1

Jan 2012

Country
Attacks
Turkey
79
South Africa
3
Hong Kong
1
Switzerland
1
USA
1
Thailand
1

This exercise will be repeated every month, with the details being added to the tables. I will also create a page with the results on the blog.


Saturday, 10 March 2012

Why are cookies used on web sites? (Part 2)

Web pages use the Hyper Text Transfer Protocol (HTTP) to transfer the page from the web server to the client’s browser, it uses Hyper Text Markup Language (HTML) to code the page and the browsers render the HTML to create the web page on the screen. When Sir Tim Berners-Lee developed HTTP at CERN the particle physics laboratory on the French-Swiss border it was a stateless protocol, each transaction of transferring a single web page was a single session within the protocol and independent of the any other session, it was not possible to transfer information between web pages.

It was not long before information was being exchanged between web pages by using Uniform Resource locator (URL) encoding in a GET request or in the body of a POST request. GET and POST are two types of HTTP request methods used by the client to request a resource from the web server. The URL of the request object is contained in the header of a request method.

Sample GET Request showing URL encoding

GET /path/script.cgi?field1=value1&field2=value2 HTTP/1.0

From: someuser@internetuserl.com

User-Agent: HTTPTool/1.0

[blank line here]

Sample GET Request showing data in the body of the method

POST /path/script.cgi HTTP/1.0

From: someuser@internetuserl.com

User-Agent: HTTPTool/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 32

[blank line here]

home=Cosby&favorite+flavor=flies

When using GET request the transferred data is visible in the address box of the browser, in a POST request the data is not so visible.

However these methods of transferring data are transient and don’t provide for persistence of data which is required for a more complex web application and for a personalised experience. As web pages are rendered on the client machines, a technique of using variables that will be stored in the client’s browser where developed, these variables are known as cookies.

The document Request for Change (RFC) 2019, Feb 1997 deals with HTTP State Management Mechanism and describes the two new headers introduced to the HTTP protocol, Cookie and Set-Cookie. The header Cookie is used in the Request object to send a cookie to the server, the Set-Cookie header is used in the response method to set a cookie on the client browser.

In the RFC 2109, 3rd party cookies where not allowed, however this was ignored by some companies and RFC 2965, Oct 200 and RFC 6265, April 2011 have redefined HTTP State Management Mechanism.

There are a number of controls built into session management by the use of cookies to try and protect the user, such as that a cookie should only be read by the domain that created it, however these controls can be by passed and the newer attributes introduced into cookie header in later RFC’s are meant to control exploiting cookies, however the browser’s themselves can be exploited to give up cookie information.

There are a number of types of cookies

Session cookie

Only lasts whilst using the website that created it, a session cookies is created when no expires attribute is provided during its creating, a browser should delete session cookies as it quits

Persistent cookie

A persistent cookie outlasts its session retaining information until the expiry or max-age is reached, allowing information to be exchanged across multiple sessions with the same domain.

Third party cookie

A third party cookie is one set with a domain not the same as the domain of the web site visited

Attributes of cookies

Domain & Path

These set the scope of the cookie; it can be a single host, all the hosts in a domain, or a folder and sub folders within a host if the part is set to a folder other than root of the domain.

Setting a domain to a top level domain (TLD) is not allowed i.e. .com, or .co.uk

Expires & Max-Age

Sets the persistence of a cookie, if an age is not set the cookie expires at the end of the session, however it is possible to set an exact date for the expiry of the cookie or how long in seconds it will last.

Secure cookie

When set limits the cookie to being transmitted by secure connections only i.e. https, it goes without saying the cookie should only be created within a secure connection

HttpOnly cookie

Only allows access to the cookie via the HTTP protocol and prevents access from within scripts by using the document object model (DOM) i.e. document.cookie

Cookies are used on web sites to allow session management, personalisation and tracking, session management allows interaction between web pages to create a web application; typically session cookies that expire at the end of the session are used. Personalisation allows data to be retained by the client about settings used on a web site, allowing for personalisation without having to get a user to authenticate to the web site every time; persistent cookie are used with a suitable expiry limit. The final use and the one that causes problems with privacy is the use of cookies for tracking a user and which pages and the sequence of visiting them is logged on every visit to the site; again persistent cookie are used.

Cookies are created by a web server sending the set-cookie header to the browser, from then onwards every time the browser requests a page from that domain the cookie header is sent as part of the request, this continues until the cookie expires. However cookies can also be set by a script on a web page manipulating the DOM if supported and enabled on the clients browser.

Cookies hit headines as the ICO deadline approaches

Cookies are starting to hit the headlines again as the UK deadline for meeting the EU Cookies directive draws nearer. The UK government had revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers, the ICO gave a year’s grace period starting the 26 May 2011 for companies to become compliant with new guidelines provided by the Information Commissioner Office.


Current regulation of cookies

The internet industry has tried to control the sue of cookies and protect privacy, if we look at the RFC’s about session management, they say the browsers should protect user privacy and not allow third party cookies by default, a number of the popular browser ignore the default deny of third party cookies. Some browsers allow the setting of third party cookies if they have a compact privacy policy and use a compact policy field as part of the Platform for Privacy Preferences Project (P3P) that was started by the World Wide Web Consortium (W3C) and officially recommended in 2002 but development ceased a short period afterwards.

A number of countries around the world have produced guidelines and regulations on cookies but these only affect the relevant country. In 2002 the EU developed a telecommunication privacy directive and article 5, paragraph 5 gave directive mandates that storing data on a user’s computer can only be done if certain conditions are meet. These cover giving information on how this data is used and giving the option for the user to opt out of storing the data. Data that is necessary for technical reasons are exempted for the user opting out of storing it.

In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive - 2002/58/EC concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

The government prior to the introduction of the Regulations expressed the view that there should be a phased approach to the implementation of these changes. The Information Commissioner agreed that businesses would need time to implement solutions. He therefore confirmed that he would exercise his discretion and allow organisations a ‘lead in’ period of 12 months to put in place the measures needed to comply. This lead-in period will come to an end on the 26th May 2012, there is just two months left of the period.

During this period the Information Commissioner made it clear that organisation should be taking steps to comply with the rules, any complaints received about web sites during this period he would expect to see a plan of action on how the rules are going to be compiled with.

What can be done?

No matter what a business view on the law is, it won’t stop the Information Commissioners Office (ICO) from taking action about complaints websites are breaking the law.

The new regulations require more than just telling users about cookies and allow them to opt out and they need to be more pro-active in meeting the regulations.

The ICO recommend these three steps

1.       Check what type of cookies and similar technologies are being used and how are there are being used.

2.       Assess how intrusive the cookie use is

3.       If consent if needed then decide upon the method of obtain consent.

Although cookies required for technical reasons are exempt, the actual scope of the exemption has been discussed in various forums and there have been some very inventive technical reasons as to why a cookie should be exempt.

In general the following are not exempt

·         Cookies used for analytical purposes to count the number of unique visits to a website for example

·         First and third party advertising cookies

·         Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

The international nature of the internet and the use of third party cookies will make the scope for implementing the regulations and the responsibly difficult to establish clear.

From the information released by the ICO it is clear and UK organisation is subject to the regulations even if their web site is hosted outside the UK. Organisation from outside European with websites designed for the European market and offering services or products within European should consider that European users will be expecting information on cookies and the ability to opt out.

The responsibility for providing information on third party cookies and gathering the opt-in permission will be with the website owner as it will be technically very difficult for the third party to do so.

Thursday, 8 March 2012

Port Scan Update

Received some additional port scans and a couple of attempted DoS on a few ports since reporting the compromised machine, I have generated a plot of the scans from the data my router collected














Not had a scan since 1pm this afternoon nor any feed back from the abuse email at the ISP that owned the address block the machine was located in other than the original acknowledgement of my email to them. Also the attacking machine now appears to be offline as I can't reach the orginal web server page or the defaced page.

Very tempted to put together a project to amalgamate router log files from as many people who want to take part, over a period of time, either a month or 3 months and plot frequency of attack and give some data on the location of the sources of the attacks. If you are interested get in touch with me via twitter