Dave's Blog - My personal views on computing (and occasionally other topics)

About me

Send feedback via email

This web page:   http://canpub.com/teammpg/de/mcgweb/blog.htm

Links:     MUSIC/SP     Sim390 ESA/390 mainframe emulator

(c) Copyright Dave Edwards, 2005, 2006


Apr 12, 2006: Security notes: Cross Site Scripting (XSS)

Keeping a system secure, even a relatively simple one, is a never-ending struggle. Here's an example of what I mean. I try to keep up to date on computer security issues, but a few days ago, by pure chance, I came across a web page that mentioned a vulnerability called "Cross Site Scripting" (XSS), and the author advised all systems people to be aware of its dangers. I vaguely remembered the term, but did not know anything about it. So I read the article on Wikipedia (an excellent article, by the way) and realized how very insidious and dangerous it is.

XSS is fairly simple in concept (but not immediately obvious). It involves a web browser, some JavaScript, and usually a little "social engineering" -- such as getting the victim to visit a web site that the attacker has prepared, and click on an innocent-looking link or button there. Nothing complicated like crafting a buffer overflow. But the results can be quite serious -- theft of the victim's web cookies and other credentials, and, in some cases, the ability of the attacker to run arbitrary JavaScript code on the victim's machine in the context of the "Local intranet" zone, which often has a lot more privileges that the normal "Internet" zone. In MS Internet Explorer, see Tools / Internet Options / Security. In the worst case, this could do very bad things to your computer.

The crucial vulnerability for the victim is to be running a web server with a CGI program that gets some input from a web page (a web form) and returns it as-is in the HTML response page that the CGI generates. (In case you don't know, a CGI - Common Gateway Interface - program is a back-end program that runs on the web server machine and processes the data from an HTML form.) The data may be something as innocent-looking as a user name entered into a text box on a web page. Almost all CGI programs handle this type of data. The problem is that the attacker can place HTML tags, including entire JavaScript coding sections, into the data. (Think of this as "HTML Injection", similar in concept to the well-know security problem of SQL Injection for databases.) If the CGI program is not careful to remove or disable such tags, the browser software will happily execute the script code, without the victim being aware. In some cases, the script runs in the context of the local machine, with much fewer restrictions than normal script code in web pages. A firewall is no protection. The script code can do nasty things like send your web cookies to the attacker, snoop at other web browser pages you have open, and perhaps even install a virus on your machine or use your machine to attack other machines on your local network.

All CGI programs must guard against an XSS attack by "escaping" the 3 HTML control characters < > & in any input data before putting it out as part of the generated response page. These characters should be replaced by the HTML character entities &lt; &gt; &amp; respectively. This tells the browser to display them as before, but not to interpret the data as HTML tags. Therefore the injected JavaScript code becomes just data and is not executed. Of course, this takes more programming effort, and often CGI programmers forget to do it, or don't know about the XSS problem. This is an example of the general rule, which can not be repeated too often: "All user input is evil, or potentially evil, and the programmer must thoroughly check it and sanitize it."

After some reflection, I realized that my system had some XSS vulnerabilities in it, and I spent a few interesting days searching for and fixing all the problems (at least, I hope I found them all). I was somewhat surprised that a problem as serious as XSS was not more widely publicized. For example, the fascinating book "Hacking Exposed" (mine is the 3rd edition, which dates from around 2001) does not even mention it -- perhaps later editions do.

Maybe some developers tend to ignore issues like XSS because they involve some "social engineering" -- getting the victim to visit a particular web site, for example. But, if you think about it, it's very easy to do. Send the person email containing a link, or host a web page with the bad link included in a list of legitimate links, or even set up a web page with lots of text that your victim is likely to search for and wait a few days for Google to index it. Curiosity defeats caution! The possibilities are limited only by your imagination. And modern browsers make it easy to disguise links and buttons as something else.


Aug 25, 2005: EXIF - Data tags hidden in your digital photos

I wonder how many people realize that the photo files created by their digital cameras contain hidden data tags that reveal the make and model of the camera, the exact date and time the photo was taken, and perhaps even the serial number of the camera. This info could be used to identify the person who took the photo, and therefore could be considered to be an invasion of privacy.

Virtually all modern digital cameras store this information as data tags inside the JPEG file for the photo, using a specification called EXIF. The EXIF format is expandable and customizable, giving each camera manufacturer great freedom in what data is stored and the format in which it is stored. The manufacturers rarely publish the full description of the tags they store. This makes it possible to hide (or at least obscure) the user-identifying tags, such as camera serial number.

Admittedly, the EXIF tags contain much useful information, including the various camera settings that were in effect when the photo was taken. There is even a "thumbnail" (reduced size) version of the photo, stored as an EXIF field within the JPEG file. All these tags can add several kilobytes to the size of the file.

There are several photo utility programs that can display the EXIF tags, including the free program Photo Studio from www.stuffware.co.uk. See also www.exif.org. Some of these can remove all the tags, and, less commonly, modify them. An easy way to remove all the EXIF tags is to open the JPEG file in MS Paint (which is included in Windows) then use File / Save As to save the file as a .jpg file under a different name.

So, if you are concerned about personal privacy, you should remove the EXIF tags (or at least edit them) from any digital photos that you make available on the Internet via web pages, email, etc.


Aug 21, 2005: Most useful computer gadget: the USB memory drive

These tiny devices plug into a USB slot on your computer and appear to your computer as a read/write hard disk drive. For example, in Windows 2000 and XP, they appear as a new drive letter in "My Computer". Capacity ranges from 128 megabytes to severa1 GB (1 GB = 1024 megabytes). For comparison, one CD holds 700 megabytes. They are inexpensive, small enough to fit in a shirt pocket, and quite rugged. I heard a story of one surviving a trip through a washing machine. Most support the USB 2.0 standard, which gives a very high data transfer speed (similar to the speed of a real hard drive). They are also automatically compatible with the USB 1.1 standard (slower but still quite fast) found on older computers. You don't have to restart your computer when you plug or unplug the USB drive. They DO work on Windows 98, but installation is more difficult since you have to provide the driver software.

They have a multitude of uses. Use them instead of a diskette drive. Use them to transfer files between machines. Use them to keep backup copies of important files (at least until you have time to copy the files to a CD).

Note: Some MP3 music players can also act like a USB memory drive.