unsharpTech » Security

Disable Java plugins to avoid drive by installs

sam — Mon, 24 Jan 2011 04:24:19 +0000

As a computer repair technician I clean up a lot of computers with Java based malware. Java is known for its zero-day vulnerabilities and as a popular vector for cross-platform attacks. Not to mention the fact that Java Runtime Environment (JRE) updates never remove old versions, and Java installs and enables plugins for all popular browsers (Chrome, Firefox, and IE).

Lately I’ve started disabling the Java plugin in Chrome (my main browser) on my own computers to avoid infection and I just came across someone else who had the same idea: http://superuser.com/questions/201613/disable-java-plugin-in-google-chrome

Jeff Atwood, renowned author of Coding Horror started a discussion on superuser.com regarding his experiences with drive-by-installs delivered via Java browser plugins and suggests that users should go as far as to remove Java unless you know you have to use it.

My advice to anyone looking to avoid drive-by-installs (which should be everyone) is to disable Java browser plugins (if only temporarily) to protect yourself while you browse the web. Not to mention you should update your JRE installation and remove old, exploitable versions and their browser plugins.

Thanks to TweetPhoto.com Everyone Knows Im a Pervert

sam — Thu, 07 May 2009 06:47:03 +0000

So tweetphoto.com plans to dominate the twitter photo upload market by copying twitpic.com and adding very little to set it apart… except for the built-in tracking that reveals on the front page what I really think about day and night…

BOOBS!

Yeah, that’s my Twitter avatar (and my Twitter username is embeded in the img tags’ title and alt attributes – making it viewable on hover) and yours could show up next.

This is a total breech of privacy, now everyone gets the chance to jump to conclusions and think I’m a freakin’ pervert – just because I viewed an image (which could have been from a link, with me having no prior knowledge of the the contents).

So TweetPhoto’s recently viewed feature is cute and all but MAYBE EVERYONE DOESN’T WANT TO BE TRACKED?

The fact that there isn’t even a setting to turn off user tracking is even worse, did they not realize that people like anonymity?

Just thought I’d share this great “feature” before someones wife accuses them of cheating or something even cooler.

Have a super day!

Warning: FileZilla FTP Passwords now Stored in Plaintext

sam — Wed, 21 May 2008 03:51:13 +0000

I feel that this should be brought to the attention of FileZilla users out there even though it may be a huge concern. (Lots of apps do this but potentially giving up FTP access info to a bunch of servers you are responsible for is something to be avoided). Jump to the Important Stuff

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and came to find out that the most recent versions of FileZilla version ~ 3.0.9.2+ (and possibly older) store all saved FTP account connection info in plaintext .xml files. This applys to both Linux and Windows installations (Mac OS X has yet to be tested but I would bet the same applies).

In some cases this is convenient – often I connect over FileZilla then don’t have access to the password but need to use it in a different app/machine, I could just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, let’s say we connect to our FTP server using FileZilla on a semi-public machine like at a buddy’s place where you may not be concerned about keyloggers but don’t necessarily want your stuff available in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not gonna stop using FileZilla at my primary FTP client on my Linux and Windows boxes, it really is a great app – one of the best clients if not the best. But I feel that awareness pertaining to storage of sensitive data should be a major concern to any serious user.
Text to be displayed
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”

It seems that this has been brought to the developer’s attention but it also seems that this won’t be changing any time soon. There seems to be a bit of a dispute as to how this should be handled, but I say why not use weak cryptography/obfuscation like they used to, at least that way it would take someone some minor effort/know-how to get to these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)

http://www.reactive-software.com/filezilla-password-recovery.html

http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/