This morning I was checking out progress on the new PCLinuxOS 2007 release.
PCLinuxOS is the version of Linux that Alvis runs on her pc.
It has a LiveCD version, or can be installed directly to a local hard-drive.
I first came across it re-versioned as Wizard's Kid-Safe LiveCD. See my earlier post for details on this great solution for introducing your children to Linux. The host link is now dead, but you can still find copies of the iso floating around.
Anyway, I was so impressed with PCLinuxOS via Wizard's that I just ended up installing the full version of PCLinuxOS proper on Alvis's older, hand-me-down pc system. It handled all the old hardware along with the latest LCD monitor just perfectly. I was sold and my daughter is quite happy.
So when I saw word that the developers were going to be releasing a 2007 version I was ecstatic.
I've played with the beta versions via LiveCD format and it has blown me away. This team has slicked up the GUI as well as worked hard under the hood. This isn't your version 0.93 stuff any more.
Tuxmachines.org has a nice review of the PCLinuxOS 2007 Beta 2 version covering many of the important changes.
So I'm eagerly awaiting the Final release soon so I can upgrade it on Alvis's pc.
But that's not why I'm really posting...(as cool as this is!)...
My Name is Up
See, when I was on the PCLinuxOS's homepage, I noticed my "real-name" was in an donation solicitation ad in the left-hand column.
What?
Coincidence? I think not!
While it didn't freak me out...it did get me curious to figure out what was going on...how did PCLinuxOS know (on my Windows machine) what my name was?
Well, it's not very deep or complicated. It was almost too simple to even mention, but as an example, I thought I would post it anyway as a lesson about logging off sites when you are done...
The Ad
The ad itself displayed "Hi (your name)...PCLinuxOS. Click to Pay."
This is an Amazon Honor System ad that allows easy payment of a donation to the crack-PCLinuxOS development team. That's a "Good Thing™".
But how was it snagging my name?
The Snitch
I had a pretty good idea that it was because I may not have "logged out" of my Amazon account after a recent anime-goodness purchase last week.
Clicking the "Learn More" link in the ad took me to this page about the Amazon Honor System.
How does the Amazon Honor System paybox know my name?
When you look at a Web page, the words and pictures you see actually may come from several sources. Your browser software assembles the pieces and displays them as a single page. On the Web site you were visiting, most of the content you saw was transmitted from server computers used by the site's operator. The image made up of the paybox and your name displayed within the paybox was different--we sent it to you directly from Amazon.com. This allowed us to recognize you by name just like we do when you visit the Amazon.com Web site. Because Amazon.com's servers transmitted the image containing a paybox and your name within the paybox directly to your browser software, the site owner never saw the paybox or your name and never received any information about you.
Well, that is really nice...but in simpler terms...Amazon uses the "cookie" set on your computer and that retains information about you to be accessed by their own ads served by them, but placed (via code) on other web-site owner's pages. This is good for you and Amazon as the info is shared between the both of you and NOT the third-party site. According to Amazon, they also don't track or log which websites you roam across that use the "Amazon Honor System" payboxes.
Taking the Snitch out of Service
There are two easy methods to prevent your name appearing in the "Amazon Honor System" ad boxes when you surf.
Amazon explains that you can prevent your Amazon name display from appearing by logging into your Amazon account and updating your communication preferences.
Or (and my preferred method) is that you can just remember to log out of your Amazon account when you get done shopping there.
Despite the amount of attention I give to secure on-line shopping and browsing habits, the Amazon site continues to give me "problems". Once you have completed a shopping session you seem to be returned back to a personalized Amazon "home-page" and it is very easy to forget you are still logged into your account.
I only wish they would make a clearer transitional page after your order has been completed. One that offers to return you to shopping in your account or to log out of your account.
Once I went back to the Amazon website and "logged out" of my account (done by clicking the link at the top that says to check it if I am not me) I browsed back to PCLinuxOS and my name was no longer displayed.
No Harm-No Foul (this time)
Let me be crystal clear; I'm not griping or complaining or questioning Amazon or their security. Amazon is one of a handful of online-shopping merchants that I have used for a very long time with trust and confidence. I haven't yet been burned by them or any of their associate merchants.
And it is clearly my responsibility to remember to log out of my own accounts on-line.
I'm not fussing about their "Amazon Honor System" either. It's pretty cool and a great revenue generator for smaller, donation-supported projects.
I just wanted to bring this small matter to your attention and wish for Amazon to make a more prominent "Log Out of Account" button instead of their "Click if you are not me" method.
Cross-site (XSS) Vulnerabilities
What this does do is give a good example of how a cookie could be utilized for malicious gain.
Suppose (for example) a hacker wanted to gain access to information located in a cookie on my machine set by a merchant I conduct on-line business with. Obviously it could contain some goodies.
By exploiting a potential vulnerability in my browser and maybe getting me to visit a malicious (fake) website, they could manipulate the code to extract information from a cookie or cookies on my machine, or change the information on it...although it is not limited to just cookie exploitation and account theft, but may include sensitive page content or other objects as well. Even (depending on what data is stored in that cookie) to the point of being able to hijack my account, drain it or collect secure information about me or my account from it.
There are several readable papers and pages on this issue worth looking into:
- Real World XSS - Introduction - Sandsprite.com
- Cross-site scripting - Wikipedia, the free encyclopedia
- Cross Site Scripting (XSS) questions and answers - Cgisecurity.com
- The Anatomy of Cross Site Scripting - (PDF) Whitepaper from Net-Security.org
- Cross Site Reference Forgery - An introduction... - (PDF) ISECPartners.com
- Advanced Cross Site Scripting by Gavin Zuchlinski ... - (PDF) Whitepaper from Net-Security.org
- XSS (Cross Site Scripting) Cheat Sheet - ha.ckers.org (know thine enemy!)
Avoidance
Protecting oneself from XSS is a difficult, but not impossible task. There are some basic pointers you may want to follow:
- Always log out of secure web accounts when you are done conducting business. With the exception of one or two "tossaway" accounts on a tech-blog page or two (or Amazon when I forget) I never leave any account that I have to log into without logging out.
- Keep your web-browser fully patched and up to the latest version.
- Avoid following links, site unseen. By that I mean if you are viewing a website and it links off-site to another link, type the homepage of that site into your address bar and browse from within the home site. Of course, this takes away most of the fun (and function) of web-surfing, but there you go.
- Turn off JavaScript in your browser, or only enable it on trusted websites. See the NoScript - Firefox Add-on.
- Set your browser's Internet security settings to "High". That might make your fun web-browsing very challenging as well, however.
- Be careful on what you click on. Examine what and where you are about to go. If the link in a web-forum or "guestbook" says "Click here to see puppies" but when you hover over the link, your browser displays information showing the link goes to someplace like www.hollieshouseofpuppyhorrors.com (not a real site, BTW) then you probably want to think twice before following that link.
Be Safe.
--Claus
No comments:
Post a Comment