Monday, March 17th, 2008

Reflections on Trusting Trust

For those who have never read Ken Thompson’s classic “Reflections on Trusting Trust”, you can find it here.  Reflections is an easy read on the perils of running untrusted code on your machine.  It’s a concept that’s foreign to many users, as we typically run “untrusted” HTML and client-side scripts from web sites thousands of times a day, praying that the browser sandbox and same-origin policy save us…  I mean, can you really trust the underlying content from this blog?


Of course, downloading and running code on your machine is EVEN MORE DANGEROUS.  It doesn’t matter what kind of browser protections you have: once you execute code from an untrusted source, you’re at the mercy of that developer.  Do you really trust the publishers of all those plugins and add-ons you are running?  A perfect example of this is G-Archiver, a program that can be used to back up your Gmail messages to an offline source.  Apparently, after some tinkering with .NET Reflector (great tool, by the way), Dustin Brooks discovered a HARD CODED Gmail username and password in the decompiled source.  Upon further investigation, Dustin realized that the Gmail credentials of G-Archiver users were silently being sent to a Gmail account belonging to the creator of the G-Archiver tool (John Terry).  Here’s a screen shot of what Dustin saw:


[Screenshot: gmail-password-thief-screenshot1.png]


Luckily, I’ve been conditioned (mostly by the pranksters at the Advanced Security Center in Houston) not to trust anything…
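A first check along the lines of what Dustin did, as an added example that is not part of the original post and not code from G-Archiver: before trusting a downloaded binary, dump its embedded strings and look for anything that smells like a mail account. The script below is a stand-alone Python version of that pass. The sample bytes, the e-mail address, the mail host and the password-shaped token in it are constructed placeholders, not values recovered from G-Archiver. The caveat worth knowing is that .NET keeps string literals as UTF-16LE, so a plain `strings` run (without `-el`) walks straight past exactly the constants that gave G-Archiver away; the extractor here decodes both ASCII and UTF-16LE runs.

```python
"""
Added example (not from the original post): a quick triage pass over an
untrusted binary for hard-coded mail credentials. The sample bytes below
are constructed placeholders, not anything recovered from G-Archiver.
"""
import re
import sys
from typing import Iterator, List, Tuple

# Constructed sample "binary": a DOS-stub-like ASCII string plus three
# UTF-16LE strings of the kind a .NET assembly's user-string heap (#US)
# holds. All values are placeholders invented for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x00\x01\x02"
    + "smtp.gmail.com".encode("utf-16-le")
    + b"\x00\x00\x05"
    + "backup-collector@example.com".encode("utf-16-le")
    + b"\x00\x00"
    + "Pa55w0rd-for-collector".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_HOST_RE = re.compile(r"^(smtp|imap|pop3?)\.", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 6) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for printable runs of at least min_len chars.

    Works like the Unix `strings` tool, but also decodes UTF-16LE runs.
    .NET stores its string literals as UTF-16LE, so plain `strings`
    (without -el) misses the interesting constants in a .NET assembly.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield ("ascii", m.group().decode("ascii"))
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in utf16_re.finditer(data):
        yield ("utf-16le", m.group().decode("utf-16-le"))


def looks_like_secret(text: str) -> bool:
    """Heuristic: a compact token (no whitespace) mixing three or more of
    upper, lower, digit and punctuation. Plain words and sentences fail it."""
    if not 8 <= len(text) <= 64 or any(c.isspace() for c in text):
        return False
    classes = sum(
        1 for test in (str.isupper, str.islower, str.isdigit)
        if any(test(c) for c in text)
    )
    if any(not c.isalnum() for c in text):
        classes += 1
    return classes >= 3


def flag_credential_indicators(data: bytes) -> List[dict]:
    """Return the strings that suggest an embedded mail account: addresses,
    mail-server hostnames and password-shaped tokens."""
    findings = []
    for enc, text in extract_strings(data):
        if EMAIL_RE.search(text):
            kind = "email"
        elif MAIL_HOST_RE.search(text):
            kind = "mail-host"
        elif looks_like_secret(text):
            kind = "secret-like"
        else:
            continue
        findings.append({"kind": kind, "encoding": enc, "text": text})
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [path-to-binary]; with no path the constructed
    # sample above is scanned instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for f in flag_credential_indicators(blob):
        print(f"{f['kind']:<11} {f['encoding']:<8} {f['text']}")
```

This only catches credentials stored as plain literals. If the author base64-encodes or XORs them, the strings pass stays quiet and you are back to Reflector, following the code that opens the SMTP connection to see what it sends and where.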



Posted by xssniper | Filed in Security

  • http://r00tin.blogspot.com rob

    haha, the ASC definitely makes you paranoid. but then there are some of us who just never learn. nice find


  • http://www.owasp.org Dinis Cruz

    Hi Billy

    Since you are so conditioned to be aware of untrusted code, can you list here how many applications you have running on your computer at the moment? (Windows, Office, Winzip, Firefox, Flash, etc…). Feel free to stop when you reach 20 :)

    And who installed them?

    The bottom line is that we install and run untrusted code all the time; that is what we have been conditioned to do (in order to get value from our computers).

    G-Archiver is just an all too obvious example, which was discovered by accident.

    Dinis

  • xssniper

    Dinis,

    The last sentence was actually a bit of an inside joke (shoutz to MW), but you’re completely right and I agree… we put ourselves at risk EVERY TIME we install software. Some may feel that it’s a little easier to trust orgs like Mozilla, M$FT, and Adobe (notice I didn’t say Apple, thanks to Nate) than it is to trust some random devs creating a G-Archiver-like tool.

    To make matters worse, we run untrusted code inside our browser thousands of times a day… maybe I can trust big-search-engine.com, but can I really trust the third party ads being served by big-search-engine.com?

    BK

  • Felz

    It is easier to trust large organizations, since they have to have been around for a while to get large and they also have a public image they’ve worked to build which would be ruined if someone found something malicious in their code. With a large group like M$, even those of us who only use Linux, Unix, or Mac would have had to have seen Windows in use somewhere multiple times. We might find the program to be not well coded, sluggish, ugly, and just plain bad, but we know from seeing it and from the market penetration it has that there’s nothing malicious in it, or someone would’ve found it/been affected noticeably by it and exposed it. There could still be risk, but experience and observation have taught us it’s small enough to be acceptable.

    Now on the other hand, if I go online to Joe Smith’s site, I don’t even know if the guy behind it is actually Joe Smith; it could be some hacker from another country who’d be almost impossible to track down for all I know. The author has no public image, no known history, etc., basically nothing a big company has to give me a reason to trust it. Without something good and verifiable, I’m going to be unsure about trusting his code unless I can see it all, since he really doesn’t need to care about his image if someone finds malicious code in his program. If he is malicious, what he likely cares about is his key logger getting login information to people’s bank accounts and taking a couple hundred thousand off the people who trusted his program, instead of the reputation of his alias. Without a public image/face it will be hard to track him down, and if he’s smart he could be long gone before the authorities trace the web back to who he really is, assuming he’s somewhere they have or can get jurisdiction in.

    On the other hand, you’re totally correct about maybe being able to trust big-search-engine.com, but maybe not being able to trust the third party ads being served by them. I didn’t hear the details about it, but I recall hearing a little while ago about problems with ads from Google having malicious code hidden in them. Even with all the security measures companies like Google have in place to try to prevent this, no wall is perfect online and people will find ways around them. The only options to be somewhat secure online are to trust no one or to use an air gap firewall (the cheapest, easiest to set up firewall around and my room mate’s personal favorite security method: just reach behind your box and unplug your ethernet cable, or forget to plug it in after moving your box, like my room mate).

  • http://blogs.zdnet.com/security Nathan McFeters

    Hahaha, shoutz to MW. Terrible. Sorry guys, some of this article can only be truly appreciated if you are or were a member of Ernst & Young’s Advanced Security Center.

    -Nate

  • Random InfoSec Guy

    Shoutz to MW ? …

  • xssniper

    @ Random InfoSec Guy

    MW is actually a guy named Mike Wood… Me and some buddies at the Houston Advanced Security Center used to test out 0-dayz and other attacks against him… he’s a good sport…

    Another mention of MW can be found here:
    http://blogs.zdnet.com/security/?p=997

    BK