https MITM attack via user page


 
# 1  
Old 05-05-2011
https MITM attack via user page

How serious is this hacking...

I noticed that if I went to Delicious' https login page via my user page (http://delicious.com/[username]) then Firefox always gave a 'there is unencrypted content included in this https page' warning, and further that if I then attempted to log in, the cursor jumps back up to the user name text box from the password box a few seconds after typing in my user name, which would normally result in the password being typed into the clear text user name box with me being totally oblivious to the fact the cursor had backtracked on itself. This is standard hacking I am used to. Note though if I instead log in via the Delicious home portal page (Delicious) then there is no such warning from Firefox and no evidence of any malware on the login page. [Edit: This seems to have fixed itself by the next day; the login page now opens without any content errors from my user page.]

Apart from my ruling out virtually all possible opportunity for installing malware on my computer with security measures etc. otherwise, I think the above is self-evident in itself that this is a MITM attack, and specifically targeted at myself? (That is the main question of this post.)

I don't propose to describe the install, except to say that I have various security measures in place (firewall, VM, etc., though not the level of security a network engineer could put in place, unfortunately not being one myself); however without running Tor (i.e., using an encrypted VPN alone) I have found the browser is hacked quite quickly. (With Tor I have found in the past that as Tor changes servers any browser hacks clear, though having said that my current install with Tor seems to be keeping all browser hacks out, or at least so far.)

If anyone can make any sense of the above, or maybe point me in the direction of the log files to start studying, etc., I'd be truly grateful.


G.

Library Web (UK) - Library Culture on the Web

---------- Post updated at 01:00 AM ---------- Previous update was at 12:55 AM ----------

LOL, that last post just posted itself without my pressing the submit button, I'm not sure whether to laugh or cry!!

---------- Post updated at 11:53 AM ---------- Previous update was at 01:00 AM ----------

Firefox has a policy of essentially not notifying about mixed-content encrypted pages; the about:config settings to change this:
Code:
security.warn_viewing_mixed = true
security.warn_viewing_mixed.show_once = false

---------- Post updated at 12:13 PM ---------- Previous update was at 11:53 AM ----------

As I said above if I don't use Tor hacking very quickly (at some point later in the day) renders the browser virtually unbearably sluggish, text entered into text boxes is also changed as I am typing, etc. However using Tor I'm now at the point where I can note suspect behaviour of specific websites, ergo!:

1) the bit.ly page that renders when using their bookmarklet to shorten a webpage being viewed is corrupted: sometimes the row displaying the shortened URL is duplicated (i.e., there are two rows for the one bookmarklet); I've also had a corruption of the 'customise | copy text' to, e.g., 'customise |'; the bookmarklet works cleanly on a fresh install for a while before exhibiting this behaviour subsequently on each use; would an https bookmarklet fix this? [Edit: Page HTML attached.]

2) http://www.infosniper.net -- I've had an episode of sorry.google.com errors from infosniper's page with the google map not rendering subsequently (closing the browser tab fixes this, could do with a https site to do the same here I think) [Edit: Page HTML attached.]

Last edited by GSO; 05-05-2011 at 05:10 PM..
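The 'unencrypted content included in this https page' warning is raised by subresources (scripts, images, frames, stylesheets, form targets) that an https page loads or submits over plain http; it is not raised by http:// hyperlinks that a user merely clicks. As an added example, not code from the original thread or from Firefox, here is a small scanner that takes a saved page's HTML (such as the page HTML attached to the posts above) and lists exactly those http subresources, so the cause of the warning can be read off rather than guessed. The sample page and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches or submits to as part of the page.
# A plain <a href="http://..."> is navigation, not a subresource, so it is
# deliberately absent: clicking it later does not make the current page mixed.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects subresources that an https page would fetch over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL; only an explicit http: scheme is insecure.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))


def find_mixed_content(page_url, html):
    """Return the http subresources of an https page, or [] for a non-https page."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two insecure subresources, plus references that must
# NOT be reported (https script, protocol-relative stylesheet, relative image,
# and an ordinary http hyperlink).
SAMPLE_PAGE_URL = "https://example.test/user"
SAMPLE_HTML = """
<html><head>
<script src="https://example.test/app.js"></script>
<script src="http://cdn.example.test/track.js"></script>
<link rel="stylesheet" href="//example.test/site.css">
</head><body>
<img src="/avatar.png">
<img src="http://static.example.test/pixel.gif" />
<a href="http://example.test/some-link">a plain link, harmless</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag} {attr}> loads over http: {url}")
```

Run it against the saved HTML of a page that produced the warning; an empty result for a page that still warns points at content injected after load (script-created elements, XHR, or a proxy rewriting the response) rather than at the page's static markup.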
# 2  
Old 05-05-2011
3) Switched to Chrome, unable to access the secure login page of my electricity supplier and with the same error, encrypted page includes non-encrypted content: https://www.britishgas.co.uk/Login/L...toploginbutton With dummy login info the page instead of reporting a login error redisplayed itself identically. The next dummy login resulted in what I assume was the correct red text and login error. The same https error occurs whether Tor is running or a direct connection or following restarting the tor service, both from the guest and host (firefox). Note though the same page opens securely on my Android. (HTML of the page giving the error attached.)

4) The Chrome Delicious plugin works intermittently, with various bugs randomly exhibited (the popup redisplaying itself cleared on submit; the popup form incorrectly laid out and/or of varying height; predictive tag completion text not displaying [edit 6/5/11: displaying predictive text tags twice in the select list]).

Netstat on both host and guest do not show anything that I would consider unusual (I am not a network admin. though). If anyone can point me in the direction as to what to look at next?

[Quick update to the above, about an hour or so later the network lost its sluggishness, the British Gas secured login page became fully accessible without any errors, and the Delicious plugin is working flawlessly (as it should!).]

Last edited by GSO; 05-06-2011 at 12:40 PM..
# 3  
Old 05-13-2011
A quick epilogue to this one.

I'm using Tor here; this could have been a bad exit node. I have had, though, incidents when restarting Tor fixed a hack observed on a webpage, but also it got to the point where this did not fix the problem, though this could have been malware installed on the computer at that point.

I have anyway tightened up on security procedures in terms of so-to-speak physical access to the machine (and it's I think worth noting here that TEMPEST technology would enable someone to know when you have an admin. console open). Also I've plonked the browser into a sandbox.

I am though still getting https pages showing 'this page contains unencrypted content errors', note though only on first visiting the page (notwithstanding Firefox's default setting to only show this once), the second visit to the page and the error is not there (the Moz. developer Javascript page being one such page, also a gmail Webware email - as I am using a sandbox I'm going to have to figure how to save these pages so no html for now).

---------- Post updated at 10:48 PM ---------- Previous update was at 01:27 PM ----------

Continuing this thread as a log.

I believe my SSL VPN passphrase was compromised in this last install - I felt uneasy after realising that I had left it lying around on my Android mobile for far too long (I use the mobile to set the passphrase), and intermittently more often than not when I opened Firefox the default first use page had CSS information missing; also the sandboxed browser was showing signs of hacking otherwise (nuisance hacks).

The issues from today I think are:

1) Are mobiles secure? I've found myself only being able to log into the website of my VPN providers once or twice before the Android browser refuses to load the page; however a workaround is to use the mobile formatted page provided as an option to a Google mobile search. This worked fine for me for a while, but I have just found today the Android browser is reporting certificate errors when I try to log in to the VPN provider's website (cert. not issued by a valid authority I think, if I remember correctly, and this is all from the point of a completely reset handset accessing the mobile's own data network).

2) (a) VPN providers could do to provide a way for the passphrase to be set by uploading a file, so that the phrase can be set without being displayed on the screen. (b) Also, as iVPN does, an option to set the passphrase once and have to reset it if you need to be reminded, i.e., set once, no possible way to find out what it is afterwards, and certainly not display it openly on the screen when you log in (AceVPN, I am talking about you). (c) VPN providers as well could do to include a list of symbols their passphrases cannot include, to facilitate scripts autogenerating a strong key. (d) I think VPN providers could put more effort into providing secure ways to set the VPN passphrase: dedicated mobile apps perhaps (that can be MD5 sum checked prior to launching), an ssh login, etc. (NB While on the subject of VPNs, I have found a UDP port more secure than TCP, so if a VPN provider can always make one available (TorVPN omits this).)

(A note on the Android, recently started reporting errors while connecting to the App Store, which is usually the first or second thing most people would do after resetting the 'phone.)

---------- Post updated 12-05-11 at 11:36 AM ---------- Previous update was 11-05-11 at 10:48 PM ----------

Past 24 hrs:

- A twitter user https page gives a this page contains nonencrypted content error - looking at the source there is no obvious content that might cause this in what the user has tweeted (a few http:// links, but that is all), and the error is no longer there 12 hours later, with however only a few additional tweets to the page. (This user I might add is the main organiser of a current legal action by a community against local civic administrators.)

- SELinux sandbox bug: the mouse pointer, instead of traversing between the sandboxed browser and desktop, becomes stuck in the sandbox window (the window has to be closed at that point (though the browser may have fixed itself once when this happened, if I remember correctly)); possibly a link between the above type of error and this occurring - FF 3.6.17, SL6, TWM.

---------- Post updated at 02:58 PM ---------- Previous update was at 11:36 AM ----------

The google inbox itself reporting an unencrypted content in page error - I was already logged in to gmail in one tab, but opened a second gmail window in another tab, this error appearing.

---------- Post updated at 02:58 PM ---------- Previous update was at 02:58 PM ----------

The google inbox itself reporting an unencrypted content in page error - I was already logged in to gmail in one tab, but opened a second gmail window in another tab, this error appearing.

---------- Post updated at 03:01 PM ---------- Previous update was at 02:58 PM ----------

(Note the double post above was not a result of my double clicking the submit button - the post was taking a good while to submit for some odd reason but I did patiently wait.)

---------- Post updated 13-05-11 at 02:48 PM ---------- Previous update was 12-05-11 at 03:01 PM ----------

Quick update, in the next 24 hrs:

- A computer criminal has figured out how to close my Internet connection down (has to be restarted) - annoying little sods!
- At one point FF went haywire: clicked on the google docs link, which opened up docs about half a dozen times in new tabs, every time I closed one a few more opened; the browser took over control of the keyboard itself, injecting junk characters text boxes, selecting random control keys. This only happened the once though.
- Someone seems to have figured a way to crash the browser also (one repeated attack of this late last night).

I'm still assuming at this point that the computer itself has not been compromised (i.e., no hacking outside of the sandbox). I've tightened up openvpn a touch, and procedures for protecting the physical machine when accessing an admin. login, but there is a limited amount of time I have to become a system admin. and security engineer - so by no means as much security work as could be done.

(And by way of a footnote - I managed to get some work done! For anyone interested in personal cash flow forecasting and cyclic income and outgoings calculations: http://bit.ly/moneygoround)

---------- Post updated at 03:13 PM ---------- Previous update was at 02:48 PM ----------

In short, the problem is to figure how I'm still getting incidents of MITM style data injection over a SSL vpn to a https webpage! (I can't do any more to make the physical machine itself more secure either - so I am assuming this is not the problem, and I'm not running any dodgy software otherwise; besides which none of the hacks experienced at the moment are permanent - restarting the browser in its sandbox has essentially been all that is needed to fix things.) The only reason I myself can think of for this is if the page on the webserver itself has been compromised - which I think can be ruled out.

Last edited by GSO; 05-13-2011 at 11:19 AM..
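Points (a) and (c) in the post above describe what a client-side passphrase workflow needs: a generator that already knows which symbols the provider rejects, and a way to hand the result over as a file instead of reading it off a screen. As an added example, not code from the original thread or from any VPN provider, the following Python does both with the standard library's CSPRNG (`secrets`) and an owner-only file (mode 0600). The exclusion list and file name are hypothetical.

```python
import math
import os
import secrets
import string
import tempfile

# Full printable ASCII alphabet (94 symbols). A provider's list of forbidden
# symbols is removed before generation rather than discovered by trial and error.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def build_alphabet(disallowed=""):
    """Printable ASCII minus the symbols the provider cannot accept."""
    alphabet = "".join(c for c in FULL_ALPHABET if c not in set(disallowed))
    if len(alphabet) < 32:
        raise ValueError("alphabet too small to give a strong passphrase")
    return alphabet


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random passphrase of this length and alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length=32, disallowed=""):
    """Uniformly random passphrase from the OS CSPRNG, never from random.random."""
    alphabet = build_alphabet(disallowed)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def write_passphrase_file(passphrase, directory=None):
    """Write the passphrase to a new file readable only by its owner (0600),
    so it can be uploaded or copied without ever being displayed."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "vpn-passphrase.txt")  # hypothetical name
    # O_EXCL refuses to overwrite an existing file; the mode applies at creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(passphrase + "\n")
    return path


def passphrase_file_is_private(path):
    """True when only the owner can read or write the file."""
    return (os.stat(path).st_mode & 0o777) == 0o600


if __name__ == "__main__":
    forbidden = "\"'\\$`"  # hypothetical provider exclusion list
    phrase = generate_passphrase(32, forbidden)
    bits = entropy_bits(32, len(build_alphabet(forbidden)))
    print(f"generated {bits:.1f} bits of entropy")
    print("written to", write_passphrase_file(phrase))
```

The entropy figure is the honest measure of strength here: 32 characters from 94 symbols is about 210 bits, and dropping a handful of forbidden symbols costs only a fraction of a bit per character, so excluding them up front loses nothing worth having.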
# 4  
Old 05-16-2011
Interesting one popped up, literally - the browser has started popping up the nonencrypted content on encrypted web page warning after it has been sitting on the same webpage for 15 mins or so. The web page was the Google Spreadsheet Google Apps Script editor, with only a few other man pages open otherwise in addition to the spreadsheet itself. Possibly in the past I have had the same phenomenon followed by the open tab changing itself to my open gmail account.
# 5  
Old 05-18-2011
Just surfaced: a hack seems to start with the encrypted page contains unencrypted content warning popping up, but some time after the page loaded (i.e., randomly). E.g., this has happened just now: the warning error, followed by the keyboard missing letters as I typed into the FF search box or text boxes on the webpage (this is a standard hack for FF). (Reminder: SL6, bare metal X install, FF running in a SELinux sandbox, firewall closed except to allow a UDP encrypted VPN connection.)
# 6  
Old 05-25-2011
Changed VPN provider from one of the $20 a month ones to $5 a month. The former seemed only to maintain one regional server while the latter has half a dozen or so.

First off it appears computer criminals have to make some adjustments to the new VPN (a change of IP?) - it took approx. 4 hours before the usual hacks started to surface.

It appears not all VPN providers are equal, a lot of old hacks that I haven't had while using the expensive VPN resurfaced - one of those being the browser search box works OK for a while, but for some inexplicable reason switches to defaulting to a French, or German etc. search (the Google SSL search fixes this; note the VPN server does not change when this change happens). The VPN provider thinks this is a Google issue.

However a new phenomenon not experienced before - the BBC webpage at one point (not ongoing) seemed to think my IP was an overseas IP[1] while all IP lookups reported my IP as a UK site.
[1] If you are not in the UK the BBC serves ads with its pages (apparently the reason adverts are repeated is to condition your mind - I'm not sure exactly what the BBC's philosophy and rationale is here).

I wonder if setting up OpenVPN using e.g., Amazon servers, might be worth the effort. I noted Tor put a stop to hacking completely (changing IP every 15 mins) - while it worked, so I wonder if maybe setting up tor servers using hosting such as Amazon might be worth the effort also (i.e., so the integrity of the tor server could be guaranteed - the cost of Amazon hosting seems about comparable to a reasonable VPN).
# 7  
Old 05-26-2011
I thought I'd make a quick test post having just signed up with StrongVPN - note there is no OpenVPN password with this provider; it's all done with certs by the looks of it.

Anyway, as soon as I log in to unix.com the mouse pointer usually gets locked into the SELinux sandbox within a few minutes - I thought I'd try though with StrongVPN - and sure enough, the mouse pointer will not exit from the browser sandbox window.

StrongVPN also though has quite a few options (e.g., connection port of your choosing) - so I will duly experiment.


---------- Post updated at 03:49 PM ---------- Previous update was at 03:09 PM ----------

OK, I have changed the openvpn port to a random setting and this login to unix.com hasn't gone doolally yet (the mouse pointer can freely move between the SELinux sandbox and desktop); also I was getting an encrypted page contains unencrypted content error after logging into StrongVPN which is now no longer there, and also the usual same error which pops up after approx. 5 mins of being logged into Google Docs has not materialised yet.

If local crime has a TEMPEST setup (I get the feeling they have at least one that they move around) then they would have been able to see the new port.

---------- Post updated at 04:20 PM ---------- Previous update was at 03:49 PM ----------

The unencrypted content in encrypted page error has just popped up on Google docs (note the page was open for about 15 mins, I hadn't just navigated to it - a few spreadsheets open at the same time).

---------- Post updated at 05:11 PM ---------- Previous update was at 04:20 PM ----------

Mouse has just locked itself in the browser sandbox on the StrongVPN forum. The usual hacks getting through it seems, though not the worst as yet.

---------- Post updated at 05:46 PM ---------- Previous update was at 05:11 PM ----------

In short, I think with whatever these computer criminals have installed it is a change of IP that causes them inconvenience, not much else.

---------- Post updated at 11:02 PM ---------- Previous update was at 05:46 PM ----------

StrongVPN went rapidly downhill, some of the details can be found here: Unencrypted content on StrongVPN https page? (Page 1) - Security Discussion - StrongVPN Forum - including the messages log from openvpn connection attempts - I wonder nowadays if when openvpn fails to connect this is not symptomatic of hackers breaking the connection.

iVPN seems about the best VPN I've used so far.

Last edited by GSO; 05-26-2011 at 07:16 PM..