An Interesting Conversation About Computer Security

A few days ago I was with one of my good friends who owns a computer repair shop. I love going there because he always has something new and cool to show me (and I get a chance to “geek out” for a bit), plus I like helping out so I don’t forget how to fix even the most basic computer problems. While I was there, a long-time customer of his came in to pick up his computer and a very interesting conversation came up. The customer asked why his computer won’t stay clean after he brings it down to the shop.

It’s an interesting question, isn’t it? Why is it that we, as admins and security experts, never seem to be able to keep computers clean? Even the most skilled professionals can’t keep a computer clean. Well, it’s not our fault. There are so many security issues out there, and to be very blunt, the bad guys are always one step ahead of the security experts. Sometimes the good guys get a patch out (or publish the exploit) before the bad guys get a chance to exploit the security hole.

Unfortunately, even when the good guys find the security hole before the bad guys, there is the problem of getting the OS patched before someone becomes a victim. For example, a short time ago there was an ActiveX Draw exploit that affected millions of Windows PCs. Basically the bad guys somehow gained access to Google’s AdSense archive (and several other advertisers’ archives) and “infected” roughly 20% of the ads in the archive. I’m unsure of how the exploit functioned. I have heard everything from nothing to allowing someone to gain full control of your computer. Now, let’s say for example that you visit a site, any site. You usually have two ads: one along the top and one down the side. So with one page view you have seen two ads. You click on something, new page, four ads have now been seen. You click again, six ads. Now you have reached the mark. There is a high probability you just saw one of the exploited ads. Whether you like it or not, what you see in your web browser is also stored locally on your computer. No one was at fault with this (excluding the bad guys). Microsoft put out a patch after about a week of the exploit being known, and Google fixed the hole that allowed the bad guys to gain access to the AdSense servers. The problem now? Actually, two problems. One, some people are still making ads that are infected and trying to get them onto your computer. Two, there are still millions of computers that have not been updated.

There are always problems like this. I never like to blame any company directly unless they know of the issue but don’t bother fixing it. Other examples involve more advanced techniques, such as gaining access to a computer by sending it specially crafted data that causes a hole to open temporarily.

The $1000 question is how do we keep our computers clean. Everyone has their own ways, but we came up with just a few basics. So if you run Windows, try these out: run Firefox instead of Internet Explorer. Within Firefox, get the extensions Adblock Plus and NoScript. Make sure you have a good virus scanner and that it’s up to date. Turn on Automatic Windows Updates and keep Windows up to date. Get anti-spyware programs like Adaware (the free one is fine for me) and Spybot: Search & Destroy. Make sure you have a firewall, even if it’s the one built into Windows XP (or later), and lastly, be sure you’re not connected directly to the internet. Most ISPs will provide you with a modem or router; make sure you have a router, even if it has the modem built in! It adds just that slight bit of extra protection.

Granted, those are just a few of the things you can do to keep your computer clean. I always recommend talking to an expert before trying new software. If you feel your computer may not be clean, find a “hole in the wall” style computer shop. Those are often the better choice compared to the larger companies. Ask the shopkeeper questions. Will they charge you even if they don’t fix the problem? Do they guarantee their work for at least 30 days? Will they wipe your computer’s hard drive or remove personal files without asking? Will they look at your personal files or web history? The best repair shops will answer honestly and quickly. Hesitation is a bad sign.

Lastly, for all you Windows users out there: get a program called Secunia PSI. It is free for home users. This program will check almost every piece of software on your computer and see if there is an update for it. It works very well. For example, a few weeks ago Adobe was repeatedly updating Flash Player because of several security holes. Secunia PSI found that the version I was running was insecure and provided me with a link to directly download and install the updated version! I must say it has been one of the best security programs I have seen for some time.

P.S. Just a note about NoScript: it can be hard for some users to get accustomed to using it, and if you unblock the wrong script you will get infected.

Free Burger from TGI Fridays

As many users on Facebook have seen, there is an offer from TGI Fridays to get a free burger. I signed up. Why not? It’s a free burger and you don’t have to do more than give out your e-mail. Well, the time came to get the free burger. I went to their website and noticed a few things wrong. For starters, you have to be running Windows. That’s a problem for me. I run Linux, but I do have my Windows inside a virtual machine. Anyway, I load up my Windows and try to get my coupon, but what do I see but a download for a program called couponprinter.exe from coupons.com. That seemed a bit strange to me. So before downloading it I did some checking. I found it has been reported as a malicious program, and according to many users it installs spyware.

The next day I was at my parents’ house, and while waiting for other family members to arrive I went to check my e-mail using my mother’s computer, which I keep clean… very clean. I found that exact couponprinter.exe program on her computer. I didn’t think much of it at the time. I did my thing, including backups and cleaning, as I do whenever I see my family. It turns out that the very next week I was back. I checked on my mom’s computer. She said the only time it was used was to check her e-mail. I found more spyware. I thought that was pretty interesting.

To test, I removed all the spyware and rebooted. It was back. I then decided to remove the couponprinter.exe program she had installed, just as a test. I rebooted and nothing. The computer was clean. Now, why I didn’t write down what I found I will never know. Just a lapse in judgment. Just to double check, when I got back home I downloaded the installer on my Linux machine and uploaded the file to Jotti’s virus scanner. Only one program reported it bad. Dr Web reported it as Adware.Coupons.34. Check it out Here. I’m pretty sure I saw more than just the one when I ran Spybot: Search & Destroy.

So, as much as I hate to say it (for possible legal issues), I would recommend NOT installing this program. Screw the free burger. I don’t want it anymore.

If you installed the program I highly recommend removing it and using free programs like Adaware and Spybot: Search & Destroy to remove any traces the coupon printer program installed. These programs are available for Windows users. If you’re on a Mac I’m not sure. I don’t have a Mac, nor did I test the Mac version (if any) of the program to see if there was anything bad.

Using Javascript to hide single/multiple div tags with the same name Part 2

Recently, a comment on my previous post Using Javascript to hide single/multiple div tags with the same name asked how to get multiple buttons to control multiple div tags. For example, two div classes need to be hidden or shown, with two different buttons controlling them. Turns out this is fairly simple. Basically you can reuse the previous code and alter some variable names in the JavaScript, but to make things simple, here is the code.

// Collects every element of tagName under domNode whose class attribute
// contains searchClass. Class names are space separated, so the search
// wraps both sides in spaces to avoid matching a longer class name.
function getElementsByClass(searchClass, domNode, tagName) {
     if (domNode == null) domNode = document;
     if (tagName == null) tagName = '*';
     var el = new Array();
     var tags = domNode.getElementsByTagName(tagName);
     var tcl = " "+searchClass+" ";
     for(var i=0, j=0; i<tags.length; i++) {  // var keeps i and j local
          var test = " " + tags[i].className + " ";
          if (test.indexOf(tcl) != -1)
               el[j++] = tags[i];
     }
     return el;
}
 
// First button. The divs start hidden; each click flips every div
// with the first class name between shown and hidden.
var hidden = false;
function toggle_hideme1() {
     hidden = !hidden;
     var newDisplay;
     if(hidden) {
          newDisplay = 'block';
     }
     else
     {
          newDisplay = 'none';
     }
     var showfirst = getElementsByClass("div_class_name", null, "div");
     for(var i = 0; i < showfirst.length; i++) {
          showfirst[i].style.display = newDisplay;
     }
}
 
// Second button: same logic, its own state variable and its own class name
// (replace "div_class_name" with the second group's class name).
var hiddenb = false;
function toggle_hideme2() {
     hiddenb = !hiddenb;
     var newDisplay;
     if(hiddenb)
     {
          newDisplay = 'block';
     }
     else
     {
          newDisplay = 'none';
     }
     var showsecond = getElementsByClass("div_class_name", null, "div");
     for(var k = 0; k < showsecond.length; k++) {
          showsecond[k].style.display = newDisplay;
     }
}

For the variables ‘showfirst’ and ‘showsecond’ you can call them whatever you want; just make sure each name is used in only one function, not both. Be sure to change ‘div_class_name’ to a custom name for each group of divs.

Also, these are set up to be hidden first; you can change that by swapping the ‘newDisplay = ’ lines.

For the HTML code we are going to use check boxes. We need two boxes, each calling its own function.

<input type="checkbox" name="showone" id="showone" value="showone" onClick="toggle_hideme1('showone');"><br />
<input type="checkbox" name="showtwo" id="showtwo" value="showtwo" onClick="toggle_hideme2('showtwo');"><br />

If you want the boxes checked to start with, swap the ‘newDisplay =’ lines and use this.

<input type="checkbox" name="showone" id="showone" value="showone" onClick="toggle_hideme1('showone');" CHECKED><br />

As in my previous post, you need to put whatever will be shown or hidden in a div with that class.

<div class="div_class_name" style="display: none;">

The style hides everything in the class until the box is checked.

That will start with the box checked; when you un-check it, the content of all divs with that class name will hide (remember ‘div_class_name’? That’s what we are working with).
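The two toggle functions above differ only in their class name and their state variable, so they can be generated from one factory instead of copied. The block below is an added example, not code from the original post; it keeps the post’s space-delimited class matching, and the fake document, the class names ‘first_group’ and ‘second_group’ and the function names are my own, chosen so the example runs outside a browser.

```javascript
// Added example (not the post's code): one factory replaces the two copied
// toggle_hideme functions. Each call to makeClassToggle returns a toggle bound
// to its own class name and its own visibility state, so a third checkbox is
// one extra line instead of a third copied function.

// Same matching rule as the post's getElementsByClass: the class attribute is a
// space-separated list, so "first_group" must not match "first_groupx".
function elementsWithClass(searchClass, domNode, tagName) {
  var root = domNode || document;
  var tags = root.getElementsByTagName(tagName || '*');
  var needle = ' ' + searchClass + ' ';
  var found = [];
  for (var i = 0; i < tags.length; i++) {
    if ((' ' + tags[i].className + ' ').indexOf(needle) !== -1) {
      found.push(tags[i]);
    }
  }
  return found;
}

// Returns a function that flips every <div> of className between display:none
// and display:block. startVisible sets the initial state (the post's version
// starts hidden, i.e. false). domNode is only for running outside a browser;
// in a page leave it out and the real document is used.
function makeClassToggle(className, startVisible, domNode) {
  var visible = !!startVisible;
  return function toggle() {
    visible = !visible;
    var display = visible ? 'block' : 'none';
    var els = elementsWithClass(className, domNode, 'div');
    for (var i = 0; i < els.length; i++) {
      els[i].style.display = display;
    }
    return display; // returned so the new state is easy to check or log
  };
}

// Constructed stand-in for a page (node has no DOM). Each entry plays the
// role of one <div class="..."> tag.
function makeFakeDocument(classNames) {
  var divs = classNames.map(function (c) {
    return { tagName: 'DIV', className: c, style: { display: 'none' } };
  });
  return {
    divs: divs,
    getElementsByTagName: function (tag) {
      return (tag === '*' || tag.toLowerCase() === 'div') ? divs : [];
    }
  };
}

// In a real page the wiring is:
//   var toggleFirst  = makeClassToggle('first_group');
//   var toggleSecond = makeClassToggle('second_group');
//   <input type="checkbox" onclick="toggleFirst();">
//   <input type="checkbox" onclick="toggleSecond();">
```

Each toggle keeps its own ‘visible’ flag inside the closure, which is what the separate ‘hidden’ and ‘hiddenb’ globals were doing by hand; passing true as the second argument gives the “starts checked” variant without editing the function body.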

I wrote this up in just a couple of minutes, so I truly hope it makes sense. You can check out an example of how it works here.

Defcon 17 thoughts

First off, I want to say that Spyder wrote an excellent article that I’m kinda taking my ideas from. Check it out at spydersworld.com.

This was my 4th year attending Defcon (all in a row!) and it was by far the best year. I’m going to try putting everything in chronological order; let’s see how well I do.

It all started shortly after arriving at the Riviera Hotel and Casino in Las Vegas on Thursday, July 30th. We had just gotten to our room and started relaxing after the crappy plane ride when we realized that it was time to prepare for the Toxic BBQ. Having a good friend that lives in Vegas is very handy at times like these. After going to Walmart to pick up the items everyone forgets (thanks again for paying for everything, Spyder), like water, ice, napkins, paper plates, and plastic silverware, we arrived at Sunset Park. Everyone was very grateful to us for bringing ice and water. Many were dehydrated and were happy for cold clean water. We all had a great time, good food, good friends. We even ran into Winn and his daughter Ashley (maker of Hackers Are People Too). When it was time to go we piled back into the truck (with about 9 or so people in the back that needed a ride) and went back to the Riviera. It was pretty quiet after that. We all thought it would be a good idea to take it easy so we could get up early for the fun.

Friday morning was just like any other… except for having to stand in line for a few hours to try and exchange our paper badges for real ones. A special thanks there goes to my buddy Mikey for getting in line early. I don’t want to go into too much detail on the days, mostly the events and special occasions.

This year I was fortunate enough to meet Johnny Long, who was there to do a talk about his charity work in Uganda. If you don’t know about it, go to johnny.ihackstuff.com and help out! The next day (after winning a little extra cash in the casino) I got a book called “Stealing the Network: The Complete Series Collector’s Edition” and got it signed by Johnny Long and Ryan Russell, but unfortunately Timothy Mullen wasn’t there. A special thanks goes to Ryan Russell, I can’t wait to read the book, and thank you Johnny Long for also signing my book.

I want to talk a little bit about Hacker Jeopardy. As usual Winn was awesome, and Gmark did a great job this year. As Spyder said in his post, Bansee is no longer Vynl Vanna. She always did a great job; she will be missed. The questions this year were kinda lame. Spyder and I talked to Winn about it and gave a few suggestions (they were all Spyder’s ideas); let’s see if they use them next year.

Moxie’s talk about SSL was a real eye-opener. Spyder has been blogging about it for quite some time, but seeing it in the presentation was a real eye-opener. It’s true, security is an illusion. Scary thought, but it’s true, I have seen it with my own eyes.

Adam Savage from Mythbusters did a talk. I missed it, and I wanted to see it. After the talk he was signing autographs; I found out from Defcon’s Twitter feed. The instant it was posted I got it on my phone and rushed to the War Room. I got there a few minutes late and a Goon kept me out of the line. If I had a beer for him he probably would have let me in, but I don’t drink beer so I was out of luck.

I was fortunate enough (also thanks to Spyder) to meet Keven (DJ Shadowvex) and talk with him for a bit. I enjoy his music and always look forward to next year’s disc. I also met up with a few of his friends, but I’m bad with names. Sorry guys!

Overall this year was a great year and I look forward to going back next year. I think I have started to get myself known to some of the best people at Defcon, and I know they will recognize me next year; I can’t wait to see them again. Special thanks to Spyder. If it wasn’t for you I’m not sure I would have made it, since I couldn’t afford a room by myself. Special thanks to Mikey. You are an awesome friend. I couldn’t ask for a better one. You know how to get around town and even helped me win a few extra bucks on the video poker machine. Thank you for picking us up and dropping us off at the airport, and for the ride to and from the Toxic BBQ. Thanks for everything! I feel very fortunate that I have good friends and good times. By the end I didn’t want to leave Vegas since I was having such a great time, but all good things must come to an end. So I went home and took a nap.

What was your Defcon 17 experience like? Did you meet me? Who did you meet? What fun things did you do? I want to hear all about it.

Using SSH as a secure proxy

Recently I started school (which is why I haven’t done much of anything on my sites), where they have a wifi connection just like at a coffee shop. The problem with these open networks is that people (like myself) can run a packet sniffer like Wireshark and capture usernames and passwords for various sites such as Yahoo, Facebook, and MySpace, since when you log in to those you are doing so without HTTPS (encryption). Also, my school logs every site you visit, and when I’m bored in class I don’t want them to know I’m researching hacking sites.

To solve this I set up a Linux box on my home network and forward port 22 on my router to it. 22 is the default SSH port, in case you didn’t know. Then I create a secure tunnel from my laptop (also running Linux) to my home box:

ssh -D 1080 username@ip

This creates what is essentially a SOCKS v5 proxy on local port 1080. Anything and everything you send through that port is carried over the tunnel and leaves from your home machine (any port works, I just like that number).

Now, I don’t know how to set up my Linux machine so that I don’t need to configure every program I use to work with the proxy, and currently I have to set up everything manually. Here is how to do it with Firefox.

Open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Connection –> Settings.
Click “Manual proxy configuration:”, then under SOCKS Host put “localhost”, port “1080”, and make sure SOCKS v5 is selected.
Where it says “No Proxy For” you can probably leave localhost in; I’m not really sure, I never tried. I just cleared it out and everything went smoothly.
Close the window and start surfing!

As long as you keep the SSH connection alive this will work. If your SSH connection does die you will know right away, because you won’t be able to surf. You will also need to revert your connection settings when you are no longer using the SSH proxy. Also keep in mind that even though you are routing through an encrypted tunnel to your remote machine, traffic is unencrypted again after that point, so a login without HTTPS is only protected on the wifi hop. Surfing may take longer than you would like, because ALL traffic is routed first to your remote machine and then back to you through the tunnel.

Lastly, I’m told that not every sshd configuration allows SSH proxies. Mine does. I’m not sure why; I haven’t bothered to look into that yet. You may need to check your /etc/sshd_config file, as there may be an option there. If you need help you know where to ask for it. Enjoy!
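As an added example that is not part of the original post, here is a small Node helper for the two loose ends above: the exact ssh invocation, and the sshd option that decides whether a ‑D tunnel is allowed at all. It assumes an OpenSSH client and server; the server-side option is AllowTcpForwarding, and the file is usually /etc/ssh/sshd_config on current systems (the post names /etc/sshd_config). The function names, the sample config text and the user/host values are mine and are constructed for illustration; nothing here opens a connection.

```javascript
// Added example, not from the original post. Builds the ssh argument list for
// the SOCKS tunnel and checks an sshd_config for the option that permits it.

// Argument list for the tunnel, ready for child_process.spawn('ssh', args).
// Compared with the bare "ssh -D 1080 user@host" it adds:
//   -D 127.0.0.1:port       bind the SOCKS listener to loopback only, so other
//                           people on the open wifi cannot use your tunnel
//   -N                      no remote shell; the session only forwards
//   ExitOnForwardFailure    fail instead of silently connecting without the
//                           proxy when the local port is already taken
//   ServerAliveInterval/CountMax   notice a dead link within ~30 s instead of
//                           waiting for the browser to stop loading pages
function buildTunnelArgs(user, host, port) {
  port = port || 1080;
  // Refuse anything that is not a plain user or host token; these values end
  // up on a command line and should never come from an untrusted source.
  if (!/^[A-Za-z0-9._-]+$/.test(user) || !/^[A-Za-z0-9._:-]+$/.test(host)) {
    throw new Error('refusing user/host with unexpected characters');
  }
  return [
    '-N',
    '-D', '127.0.0.1:' + port,
    '-o', 'ExitOnForwardFailure=yes',
    '-o', 'ServerAliveInterval=10',
    '-o', 'ServerAliveCountMax=3',
    user + '@' + host
  ];
}

// Does an sshd_config allow -D tunnels? The keyword is AllowTcpForwarding
// (default yes; values yes, no, all, local, remote). sshd uses the FIRST
// occurrence of a keyword and ignores later ones, so a "yes" added at the end
// of a file that already says "no" changes nothing. A -D listener is a local
// forward, so "local" and "all" also permit it; "remote" does not.
function forwardingAllowed(configText) {
  var lines = configText.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/#.*/, '').trim();   // drop comments
    if (line === '') continue;
    var parts = line.split(/[\s=]+/);                 // "Key value" or "Key=value"
    if (parts[0].toLowerCase() === 'allowtcpforwarding') {
      var value = (parts[1] || '').toLowerCase();
      return value === 'yes' || value === 'all' || value === 'local';
    }
  }
  return true; // keyword absent: the OpenSSH default is yes
}

// Constructed sample config (not a file from the post): the first effective
// line disables forwarding; the later "yes" is ignored by sshd.
var SAMPLE_SSHD_CONFIG = [
  '# hardened host: no tunnels',
  'AllowTcpForwarding no',
  'AllowTcpForwarding yes   # ignored: sshd uses the first value'
].join('\n');

// Stand-alone run: print the command line and the verdict on the sample.
var TUNNEL_ARGS = buildTunnelArgs('username', 'home.example.org');
console.log('ssh ' + TUNNEL_ARGS.join(' '));
console.log('sample config allows -D tunnels:', forwardingAllowed(SAMPLE_SSHD_CONFIG));
```

Two things worth knowing when you use this setup. First, with the Firefox settings shown above, hostname lookups are still done by the laptop by default, so the school’s DNS server still sees which sites you look up even though the page traffic goes through the tunnel; setting network.proxy.socks_remote_dns to true in about:config makes Firefox hand the hostname to the SOCKS proxy instead. Second, if forwardingAllowed reports false for your own server, the fix is on the server side (set AllowTcpForwarding yes, or local, and restart sshd); no client option can override it.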