Fwd: www.dia.mil

8 views
Skip to first unread message

Bipin Gautam

unread,
Nov 1, 2008, 12:56:47 AM11/1/08
to Intelligen...@googlegroups.com, neps...@googlegroups.com
Check: http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=211800622

---------------------------My related writing---------------------------
Most governments have laws on export of government data[1], and that
normally includes meta data. Here privacy related information of DIA
job applicants is being leaked to a company based on Ireland (outside
the jurisdictional of USA without most applicants actually knowing
about it. Statcounter.com can be the weakest link in overall security
of the website www.dia.mil as its difficult to maintain security and
data protection measures for a third party as government systems. But,
DIA also may have so ties with statcounter.com and it may be their
conscious action to use the JS in the first place.


If a website includes third party JS like stat counters, advertisement
scripts, banners called from third party servers etc, the website is
in risk of having to relied on the third party as well for overall
security assurance of its website. With information leak from such
scripts probabilistic approach can be can be taken and over time that
this can also leak information like association between any two
identities online.

A third party JS can also be used for a targeted surveillance of an
identity by a third party. Such stat counter  JS can act as a passive
honeypot running across lots of websites that can be used for
surveillance and profiling as it could know every websites /content
you visited whereever such JS are used.

You may use different nick names online, use anonymous proxy servers
while browsing, clear their cookies often, dont use social networking
sites etc for your privacy concerns. But JS can leak information like,
Windows Media Player(WMP) UniqueID[2]. Operator can use a ClientID
request in browser to pull off a machine's unique default serial
number generated by WMP. There are also other applications that does
the similar and such information can uniquely identify a machine
regardless of its IP.

Impact: Say, Website_Evil1 has recorded your WMP UID and associated
some of your profile to it and shared it to Website_Evil_Gang. Now
whether you are accessing internet from your laptop from library or
coffee shop or home or in the office any website that is associated to
Website_Evil_Gang will know its you browsing about (say) "dating" in
Website_Evil1, looking about (say) "contraceptives" in Website_Evil30
and looking (say) "weight loss tips" in Website_Evil50. You could be
uniquely identified online even if you clear browser cache at every
logoff or use different IP/ISP all the time. Advertising serving
scripts, web counters, third party banners etc has the potential like
above which can have big impact on users privacy.

But sadly this is just one example that can breach your quest to
maintain your online privacy. There are lots of other ways (that vary
in reliability) using which a computer can be identified in the
internet / a region, and the machine identification features can be be
associated to online identities that uniquely point to a computer
system. From a surveillance prospective, if you have control over a
some networks/websites its easy to associate such information from
multiple source for tracking machine/software specific features and
associate this with user identity. This way an attacker
(Website_Evil_Gang) can have a wider view of your digital identity and
can track you beyond having to relie on your registration information
or IP's or cookie.

Information like Your browser name and it version, clock skew of your
system from standard time, your screen resolution/DPI, OS/ OS specific
info, fonts installed info, your internet bandwidth/delays, browser
specific features, browser plugins information about which softwares
versions are installed in your computer like open office, real player,
JRE, flash support, quick time player, acrobat reader etc can be
detected by remote website. Via css websites you last visited can also
leak. All of such information when put together can act as unique
machine identification information that can be associated to your
identity anyways.

All of such information when put together can be used to track
identities online[3]. As these info don't change often regardless of
your IP. All of such information leak when put together for analysis
prospective it will yield lots of user details.

Governments have invested a lot in their eavesdropping program to
(likely) catch ones who have something to hide. Private operators have
complied to their eavesdropping request[4], they have also run
under-cover services[5]. Attackers don't follow rules and likely use
the least expected methods to get their things done[7]. With face
recognition, voice recognition, videos and symmetric search
technologies already in the horizon our quest for digital privacy is
going to be a uphill battle.


[1] http://www.whitehouse.gov/omb/memoranda/m00-13.html
[2] http://www.geek.com/articles/news/windows-media-player-privacy-flaw-20020118/
[3] http://browserspy.dk/

---
[4] ref gov plan to immune telecom operator for facilitating them for
illegal wiretap, husmail spy etc example

[5] ref examples of FBI running bogus website to lure people to
investigate credit card fraud

[6] Ref securityfocus article where a security researcher admitted
selling 0-day to government.

[7] Gov hired bloggers to blog on their favor likely to lure, cheat
and mislead general opinions.

---------------------------Discussion-----------------------------------------------------

Forwarded conversation
Subject: www.dia.mil
------------------------

From: Bipin Gautam <bipin....@gmail.com>
Date: Mon, Oct 27, 2008 at 9:44 PM
To: full-di...@lists.grok.org.uk


A picture is worth a thousand words.

But whats so wrong about it?

:P

----------
From: Razi Shaban <razis...@gmail.com>
Date: Mon, Oct 27, 2008 at 10:52 PM
To: Bipin Gautam <bipin....@gmail.com>
Cc: full-di...@lists.grok.org.uk


So what?

----------
From: <Valdis.K...@vt.edu>
Date: Mon, Oct 27, 2008 at 11:07 PM
To: Razi Shaban <razis...@gmail.com>
Cc: Bipin Gautam <bipin....@gmail.com>, full-di...@lists.grok.org.uk


A US intelligence agency is basically betting the bank that statcounter.com,
a company apparently based in Ireland, doesn't get pwned or subverted.

Does that give you warm-n-fuzzies?

----------
From: Gary E. Miller <g...@rellim.com>
Date: Mon, Oct 27, 2008 at 11:04 PM
To: full-di...@lists.grok.org.uk


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo All!
This should be hilarious, except it is so sad.

RGDS
GARY

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

----------
From: Razi Shaban <razis...@gmail.com>
Date: Mon, Oct 27, 2008 at 11:18 PM
To: Valdis.K...@vt.edu
Cc: Bipin Gautam <bipin....@gmail.com>, full-di...@lists.grok.org.uk


He's pointing out the wrong part. He's highlighted the link, which is
of no importance.

Yes, they're including a remote javascript. Then again, tens if not
hundreds of thousands of other websites include the very same script.
If statcounter's servers aren't very secure, they would have already
been compromised.

On the other hand, look at the voting machines the US gov't has
contracted. They have a tendency to screw up with technology, making
this one of their lesser problems (if you want to consider it a
problem at all).

Just my $.02.

--
Razi Shaban

----------
From: <Valdis.K...@vt.edu>
Date: Mon, Oct 27, 2008 at 11:58 PM
To: Razi Shaban <razis...@gmail.com>
Cc: Bipin Gautam <bipin....@gmail.com>, full-di...@lists.grok.org.uk


One would *hope* that a major country's spook agencies kept themselves to a
*slightly* higher security standard than Sixpack Joe's Website and
Bait-n-Tackle Emporium.  The risk/benefit analysis for the average .com and
the average .spook are a bit different.
A totally separate problem, but one that's not in DIA's jurisdiction.

----------
From: Bipin Gautam <bipin....@gmail.com>
Date: Mon, Oct 27, 2008 at 11:58 PM
To: Razi Shaban <razis...@gmail.com>
Cc: Valdis.K...@vt.edu, full-di...@lists.grok.org.uk


I am more concerned about IP address of people who visit .mil website
leaking to third party/intelligence.

If you have it, you could do some traffic analysis. Are some people
visiting the website too often? Time of day ? What are their IP's?
What are other websites /network on your control do those IP also
visit? Do some linguistic analysis if you can, do browser
fingerprinting. Now, If you (a marked IP) visit any other website that
use statcounter.com someone out there can know it its you again who
visited the .mil website in visiting different domain. Such
web-service can act like a honeypot that can passively identify the
presence an identity across different domains. Do some more
personality profiling, what type of website do they visit etc Try to
build some correlation, say; using Paterva, Maltego to process the
data. If you know someone who runs a botnet, are there any ip from the
list already infected... See if you can look around.................

The point is one with the resource can find such data valuable. The
point is if/what does this information leak value to you.

thanks,
-bipin

----------
From: Razi Shaban <razis...@gmail.com>
Date: Tue, Oct 28, 2008 at 12:25 AM
To: Bipin Gautam <bipin....@gmail.com>


.mil websites aren't really that interesting, there's very little on
there for the public to access.

----------
From: Big R <rand...@fidmail.com>
Date: Tue, Oct 28, 2008 at 12:22 AM
To: full-di...@lists.grok.org.uk


I don't know, u tell me?

------------------------------

Message: 2
Date: Mon, 27 Oct 2008 21:44:31 +0545
From: "Bipin Gautam" <bipin....@gmail.com>
Subject: [Full-disclosure] www.dia.mil
To: full-di...@lists.grok.org.uk
Message-ID:
       <754924960810270859p230...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1" -------------- next part --------------
A non-text attachment was scrubbed...
Name: dia.jpg
Type: image/jpeg
Size: 89903 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20081027/e3e3ed75/attachment.jpg

------------------------------ End of Full-Disclosure Digest, Vol 44, Issue 42
***********************************************


I don't know, u tell me?


--
been great, thanks
Big R

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

----------
From: Gary E. Miller <g...@rellim.com>
Date: Tue, Oct 28, 2008 at 12:48 AM
To: full-di...@lists.grok.org.uk


And betting that the plain text from the DIA job applicants to
statcounter.com is not sniffed by anyone along the way.  If I was Russia
I would love to have the home IP for everyone that has applied to the DIA
for a job this year.  A few small bribes would make that happen.
iD8DBQFJBhCaBmnRqz71OvMRArbmAKCzlkar/tsZzQr1KTFiyM92G64ZZgCgheNh
WtECwiFpb+VX8vOrWlq3qsE=
=Zmv6
-----END PGP SIGNATURE-----

----------
From: Bipin Gautam <bipin....@gmail.com>
Date: Tue, Oct 28, 2008 at 1:49 AM
To: "Gary E. Miller" <g...@rellim.com>
Cc: full-di...@lists.grok.org.uk


And if    http://www.statcounter.com/features/    is not actually a
demo of what they already have for an agency i bet my money they have
a huge potential to be one. But aren't these old school tricks
already.

How can security audits be so careless about such a shortcoming.

The good old Microsoft saying goes almost like this, i.e " If a third
party script is embedded in your website its no longer your website (
or unless the third party is your big brothers website ) "

Once upon a time there was someone who use to blog software review's
except he had clients who paid him for he use to redirect software
downloads from a IP-list to a special spyware_infected_download.

----------

From: Adrian P. <unknown....@gmail.com>
Date: Wed, Oct 29, 2008 at 3:47 PM
To: Valdis.K...@vt.edu, Razi Shaban <razis...@gmail.com>
Cc: full-di...@lists.grok.org.uk


Welcome to the web!

1 website = content retrieved from dozens/hundreds of sites. Much more than what the browser's address bar shows ;)

Think of ad banners, analytics JS ("legit" spyware), static content served from high-speed embedded httpds, etc ...

And yes, there are security implications to this design problem.
> > :P
>
>
> So what?

----------
From: Viktor Larionov <viktor....@salva.ee>
Date: Wed, Oct 29, 2008 at 4:53 PM
To: "Adrian P." <unknown....@gmail.com>, Valdis.K...@vt.edu, Razi Shaban <razis...@gmail.com>
Cc: full-di...@lists.grok.org.uk


And maybe friends, you could explain me what's so special about dia.mil ?

I would actually understand if CIA central internal information system would
use such trackers, but if it's a public web page, what's so special about it
?
And ok, even if the information on visitors leaks - what's so interesting
about visitors statistics to dia.mil ?
What makes those visitors or the URL-s they request so special ?

Or maybe you suppose CIA will hold sensetive materials on a public webserver
? e.g. www.dia.mil/sometopsecretstuff... Well I agree, you can find stupid
things everywhere nowdays, but I surely hope that they don't do it.

I guess that visitor statistics to google.com are thousand times more
interesting than dia.mil.

>From my personal point of view dia.mil visitors statistics offer exactly the
same interest like www.desperatehousewives.com visitor statistics.
(intelligence guys, no offence :P)


Kindest regards,
---
Viktor Larionov
snr. system administrator
R&D team
Salva Kindlustuse AS
Parnu mnt. 16
10141 Tallinn
ESTONIA
tel: (+372) 683 0636, (+372) 680 0500
fax: (+372) 680 0501
gsm: (+372) 5668 6811
viktor....@salva.ee

------------
MOTD: Dream Big. Think the impossible. If you can dream it - you can create
it.

----------
From: Jorrit Kronjee <full-di...@nospam.wafel.org>
Date: Thu, Oct 30, 2008 at 10:03 PM
To: full-di...@lists.grok.org.uk


Or maybe applying for the job without getting tracked by statcounter.com
is the first part of the test.

- Jorrit

----------
From: nocfed <noc...@gmail.com>
Date: Fri, Oct 31, 2008 at 9:47 AM
To: full-di...@lists.grok.org.uk


http://www.whitehouse.gov/omb/memoranda/m00-13.html

draw your own conclusions...

_______________________________________________


dia.jpg
Reply all
Reply to author
Forward
0 new messages