Monday, March 17, 2008

Reflections on Trusting Trust

For those who have never read the classic "Reflections on Trusting Trust", you can find it here.  Reflections is an easy read on the perils of running un-trusted code on your machine.  It's a concept that's foreign to many users, as we typically run "un-trusted" HTML and client-side scripts from web sites thousands of times a day, praying that the browser sandbox and same origin policy saves us...  I mean.. can you really trust the underlying content from this blog?


Of course, downloading and running code on your machine is EVEN MORE DANGEROUS.  It doesn't matter what kind of browser protections you have, once you execute code from an untrusted source, you're at the mercy of that developer.  Do you really trust the publishers of all those plugins and add-ons you are running?  A perfect example of this... is G-Archiver.  G-Archiver is a program that can be used to back up your Gmail messages to an offline source.  Apparently, after some tinkering with DotNet Reflector (great tool btw), Dustin Brooks discovered a HARD CODED Gmail username and password in the source.  Upon further investigation, Dustin realized that users of G-Archiver were silently getting their Gmail creds posted to a Gmail account belonging to the creator of the G-Archiver tool (John Terry).  Here's a screenshot of what Dustin saw:


[Screenshot: gmail-password-thief-screenshot1.png]


Luckily, I've been conditioned (mostly by the pranksters at the Advanced Security Center in Houston) not to trust anything...
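The G-Archiver find above was made by hand in a decompiler, but the same class of problem (a mail server, an account name and a password-shaped literal sitting together in a binary) can be hunted for mechanically. The following Python scanner is an added example, not code from this post or from G-Archiver: it pulls printable strings out of a binary in both ASCII and UTF-16LE (the encoding .NET assemblies use for string literals, which a plain ASCII `strings` pass misses) and flags any mail host that has an account and a secret candidate stored within a few hundred bytes of it. The `SAMPLE_BINARY` blob, the regexes and the distance window are all constructed assumptions for the demonstration, and the password is redacted in the report so the finding can be shared without leaking it.

```python
"""Heuristic scanner for hard-coded mail credentials in a binary.

Added example, not code from the post or from G-Archiver. .NET assemblies keep
string literals in the #US heap as UTF-16LE, so an ASCII-only strings pass
misses them; this scanner extracts both encodings, then looks for a mail host,
an account name and a password-shaped literal stored close together.
"""
import re
from typing import Dict, List, Optional

# Constructed sample blob standing in for an assembly (NOT a real binary).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "backup-collector@example.com".encode("utf-16-le") + b"\x00\x00"
    + "Hunter2-Not-A-Real-Password".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"Backup complete\x00"          # an ordinary ASCII literal, benign
    + b"\x00" * 8
)

MAIL_HOST = re.compile(r"^(?:smtp|imap|pop3?)\.[\w.-]+$", re.I)
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")


def extract_strings(data: bytes, min_len: int = 6) -> List[Dict]:
    """Return printable runs in both ASCII and UTF-16LE, sorted by offset."""
    n = str(min_len).encode()
    runs = {
        "ascii": re.compile(rb"[\x20-\x7e]{" + n + rb",}"),
        "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}"),
    }
    found = []
    for enc, pat in runs.items():
        for m in pat.finditer(data):
            found.append({"offset": m.start(), "encoding": enc,
                          "text": m.group().decode(enc)})
    found.sort(key=lambda s: s["offset"])
    return found


def looks_like_secret(s: str) -> bool:
    """Password-shaped: 8+ chars, no whitespace, mixes letters and digits."""
    return (len(s) >= 8 and not any(c.isspace() for c in s)
            and any(c.isalpha() for c in s) and any(c.isdigit() for c in s))


def classify(text: str) -> Optional[str]:
    """Order matters: hosts and accounts are checked before the generic rule."""
    if MAIL_HOST.match(text):
        return "mail_host"
    if EMAIL.match(text):
        return "account"
    if looks_like_secret(text):
        return "secret_candidate"
    return None


def scan(data: bytes) -> List[Dict]:
    """Attach a kind to every interesting string; drop the rest."""
    findings = []
    for s in extract_strings(data):
        kind = classify(s["text"])
        if kind:
            findings.append({**s, "kind": kind})
    return findings


def find_credential_clusters(findings: List[Dict], window: int = 256) -> List[Dict]:
    """A mail host with an account and a secret within `window` bytes of it is
    reported as a possible hard-coded mail login; the secret is redacted."""
    hits = []
    for host in (f for f in findings if f["kind"] == "mail_host"):
        near = [f for f in findings if abs(f["offset"] - host["offset"]) <= window]
        accounts = [f for f in near if f["kind"] == "account"]
        secrets = [f for f in near if f["kind"] == "secret_candidate"]
        if accounts and secrets:
            hits.append({
                "host": host["text"],
                "account": accounts[0]["text"],
                "secret_preview": secrets[0]["text"][:2] + "***",
                "offset": host["offset"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_credential_clusters(scan(SAMPLE_BINARY)):
        print(f"possible hard-coded mail credentials at offset {hit['offset']}: "
              f"{hit['account']} -> {hit['host']} (password {hit['secret_preview']})")
```

Run it against `open(path, "rb").read()` of any suspicious download instead of `SAMPLE_BINARY`. A hit is a reason to decompile and look, not proof of exfiltration: a backup tool legitimately talks to a mail server, so the thing to confirm in the decompiled code is whether the account it logs into is the user's own or one baked in by the author.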


Links and Links

7 comments:

  1. haha, the ASC definitely makes you paranoid. but then there are some of us who just never learn. nice find

  2. haha, the ASC definitely makes you paranoid. but then there are some who just never learn. nice find.

  3. Hi Billy

    Since you are so conditioned to be aware of untrusted code, can you list here how many applications you have running on your computer at the moment? (Windows, Office, Winzip, Firefox, Flash, etc...). Feel free to stop when you reach 20 :)

    And who installed them?

    The bottom line is that we install and run untrusted code all the time, that is how we have been conditioned to do (in order to get value from our computers).

    G-Archiver is just a too obvious example which was discovered by accident.

    Dinis

  4. Dinis,

    The last sentence was actually a bit of an inside joke (shoutz to MW), but you're completely right and I agree... we put ourselves at risk EVERY TIME we install software. Some may feel that it's a little easier to trust orgs like Mozilla, M$FT, and Adobe (notice I didn't say Apple, thanks to Nate) than it is to trust some random devs creating a GArchiver like tool.

    To make matters worse, we run untrusted code inside our browser thousands of times a day... maybe I can trust big-search-engine.com, but can I really trust the third party ads being served by big-search-engine.com?

    BK

  5. Hahaha, shoutz to MW. Terrible. Sorry guys, some of this article can only be truly appreciated if you are or were a member of Ernst & Young's Advanced Security Center.

    -Nate

  6. Random InfoSec Guy, March 24, 2008 at 4:30 PM

    Shoutz to MW ? ...

  7. @ Random InfoSec Guy

    MW is actually a guy named Mike Wood... Me and some buddies at the Houston Advanced Security Center used to test out 0-dayz and other attacks against him... he's a good sport...

    Another mention of MW can be found here:
    http://blogs.zdnet.com/security/?p=997


    BK
