HTTP smuggling & splitting, and lots of talk about "big brother" watching

Discussion in 'privacy problems' started by CoolWebSearch, Jun 15, 2009.

Thread Status:
Not open for further replies.
  1. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    I was pleasantly surprised to see this new thread, although I hope the addition of the "Big Brother" in the title doesn't detract from serious discussion about this HTTP smuggling & splitting thing.
    For example, "Who is behind this and why?"
    Questions like those allow for answers rife with speculation and conjecture.
    Since nothing can be proven, no conclusions can be made, and the dialog just goes around and around.

    I believe I do not have enough knowledge about this smuggling/splitting to ask a thought-provoking question and the procedure involved appears quite complicated.
    I think I will start educating myself by reading this HTTP specification over a few cups of coffee.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Can you please tell me what the fuss is all about?
    Mrk
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Some explanation for the questions raised before (I'll try to keep it very, very simple without getting into details).

    -----------------------------------
    About 'man in the middle attacks':
    A 'man in the middle attack' is when someone intercepts your traffic between your computer and its destination.
    "your pc" <=> "attacker's pc" <=> "remote destination"

    The most common situations in which it can happen:
    1. unsecured public wifi networks
    2. unprotected home wifi networks
    3. internet lan-type connections (if your ISP is good it won't happen)
    4. vpn or tunneling connections (if you do not trust the provider, do not use them)
    5. malicious proxy providers

    How you can protect yourself:
    a. Never send user names, passwords or other sensitive data through unencrypted protocols. Examples: use https instead of http, skype instead of msn, etc.
    b. Applies to 1, 2, 3 and 4: if possible use a firewall that can protect against ARP poisoning attacks, or that can at least warn you about those attacks.

    ----------------------------------------
    About http splitting and http smuggling:
    SystemJunkie at least exaggerates. I am not a big fan of conspiracy theories or anything like that.

    Are they dangerous? Yes, especially because you will not notice them. Although it is a subject where I have limited knowledge, I'll try to give some simple explanations.

    They can be used:
    1. to attack the cache server.
    2. to attack your browser.

    1. In this case they are used mainly for redirections. For example you request page X and instead of that you are redirected to page Y of the same site or even to another site.
    2. When they are used to attack the browser they can be used for redirections, exploiting, drive-by downloads and buffer overflows.

    How you can protect yourself:
    1. Install snort on your machine (it can block some of these attacks).
    2. Set your browser to always clear its cache, cookies, etc. when you close it.
    3. When you want to do online shopping or log in to an important site, close all the tabs, clear the browser cache, then close and reopen your browser.
    ---------------------------

    Hope it helps,
    Panagiotis
     
    Last edited: Jun 16, 2009
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Re: Outpost Firewall Free 2009 v6.5 Released

    Unencrypted transmissions over a wireless connection can be easily "sniffed" FROM your PC, because you're broadcasting in the open. That's different from traffic being intercepted en route TO your PC. The primary concern is protecting information that you intentionally transmit, such as the logon credentials to your online banking account or your credit card number during an online transaction. The bad guys don't care where your credit card number is going, they just want to capture it. The point is you can almost completely protect yourself from this kind of attack by keeping your system clean and encrypting your data. Use a VPN when you're on open wi-fi and only enter sensitive information on secure websites (the ones that use SSL and show the "lock" symbol in the browser). For data to be intercepted en route TO your PC I believe you would have to be intentionally targeted, hence my reference to the CIA :blink:
     
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    CoolWebSearch.

    Virtually all the main firewall vendors leave ARP protection as optional. I think that pretty much sums up the likelihood average users are going to be a victim of this.

    The average user is most vulnerable in ad hoc situations. You have to protect yourself with the strongest encryption available to you, ultra obnoxiously difficult passwords, a decent VPN solution, and caution about who is looking over your shoulder. All the basics of network/internet sensibility still apply.
     
    Last edited: Jun 16, 2009
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I think everyone is affected, when it comes to HTTP-poisoned-attachments.
    Nobody can use permanent HTTPS. Sometimes you want to use search engines and then you are already part of the game. HTTP is totally insecure and a perfect eldorado for all secret orgs. Related to VPN, maybe someone can post some links to good, simple, reliable and easy to use VPNs for everyone in here.

    Concerning Snort, the service doesn't want to start on my Vista 64 system and it looks like a special art to use it. It probably needs a lot of practice and time until someone can use it effectively.

    Incredible that there is no simple solution to avoid these ugly damn little poison packets. I studied them but I hate to read their primitive communications, how they track each and everything on this planet and how disrespectfully, coldly and crudely they talk about the people. Actually I avoid using my sniffer.
     
    Last edited: Jun 16, 2009
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    For open wi-fi hotspots I've been using Hotspot Shield from AnchorFree. This is a free (ad driven) VPN service. When the service is active a small ad is placed at the top of the webpage. It's not very intrusive and if this bugs people you can use Opera (the ads don't appear). They collect the usual data so they can target the ads. Read the privacy policy after installing and connecting to the service (it's not available on the home page). The problem with a VPN service of course is you're trusting they won't abuse your personal information. It would be nice to read some third party reviews about the trustworthiness of the service.

    www.hotspotshield.com
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Thanks for the reply pandlouk

    I think most of us here already have sufficient protection from drive-by downloads.

    Like I said before, it's more of a nuisance and privacy issue rather than an actual security issue on your PC.

    The nuisance being the fact that you can't load the correct web page, i.e. redirections.

    I have browser cache and global cookies blocked/disabled, and it is harder for my browser to be directly attacked because it doesn't even connect to the internet: it sits behind either Ad Muncher or Proxomitron, which acts as a proxy.

    I would probably set up an SSH tunnel before I installed Snort though.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Regarding HTTPS/SSL

    I wouldn't use HTTPS/SSL and I don't trust it. Blue Coat, which a lot of ISPs use, can literally decrypt and look into HTTPS/SSL traffic.

    https://www.sdn.sap.com/irj/scn/go/...ary/uuid/106cf640-c31c-2b10-2a84-cfb7ff000710
    http://www.bluecoat.com/news/pr/2129
    http://news.cnet.com/Blue-Coat-to-cleanse-encrypted-traffic/2100-1029_3-5940533.html

    Last year I was having certificate problems because my old ISP was playing middle-man games when I was trying to log into secure websites with HTTPS.
    So I set up an SSH tunnel and logged into the HTTPS websites inside my SSH tunnel.
     
  10. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Hmm.

    This appears to confirm my suspicion that "privacy on the internet" is an oxymoron.
     
  11. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Re: Outpost Firewall Free 2009 v6.5 Released

    Yes, but like with cancer also with computer you should/would eventually see symptoms, really.
    There are zero symptoms so far.
     
  12. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    You are welcome :)

    The biggest problem with splitting attacks is that they can be used for delivering exploit code in chunks (truncated into smaller pieces).
    This way they can circumvent all the current defences (firewalls, AVs, HIPS).

    And no, you will not notice that something is wrong, since the malicious code resides only in RAM (and is not triggered until all its chunks are loaded) and leaves no evidence whatsoever of the attack. The only way to catch it and analyse it is to perform a full dump of your RAM.

    That is why I said that you should close and reopen your browser.

    Panagiotis
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes it is a privacy issue but if you think about the fact that someone could allegedly c&c a remote system with prepared udp packets it could become a security issue too.

    That is exactly what I wanted to express to the publicity as one of the most problematic threats nowadays.
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What tools do you recommend to dump RAM?

    I have been having RAM-related trouble. The only way the problem is cleared is to remove power for 15-30 seconds. If not, the trouble will follow across reboots.

    Would be interesting to see what is causing it.

    Also;

    I have found that Gigabit ethernet has direct memory access. Can the malicious packets jump to other memory regions?
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    What should such a RAM dump be useful for? First of all, RAM analysis takes a lot of time; second of all, then you only see their activities, but this isn't enough for prevention.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247

    What do you suggest for encryption: I'm planning to use something/anything for encryption, but I don't know on what type of encryption to rely on, since I have router-lan situation/protection.
    Yes, an encryption would be nice.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    If that's true, I would ask you for a favor, and ask if you could do this test while I'm on the net and surfing?
    I know, it's a weird request, since nobody wants to get their security compromised.
    Neither do I, but I just can't help myself, it's a disease, or obsession when it comes to hackers...
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Read my subtitle? There is no security. The smuggling thing is a privacy issue first; secondly it can become a security issue too, if they want or are able to.
    I guess it is better for your health not to dig as deep as I did. Calm down, stay relaxed. ;)
     
  19. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    They do not "decrypt" SSL. What they do is nothing but a MITM attack.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The provider is not trustworthy at all; maybe some of the poison packets are managed by them, who knows. What I observed by net analysis is that they work very region-specific. They observe the area where you and I are living and the people around your corner, especially those people who are very close to your home and where one connects to the net, as an example. Very sure is that they do this surveillance and observation globally and they always have some henchmen only some meters or some houses away from your home. I am 100% convinced about that; I did a lot of network forensics over the past two years, I watched what they talked about, which people were affected and so on. I had no problems deciphering a lot of their fragged, scrambled and anagrammed packets. Whether this was/is ISP, internet mafia, CIA, M$, NSA, BND or some other secret orgs doesn't matter; only seeing how they work and communicate was of interest to me. These hidden groups and secret organizations have a superior position to all of us usual citizens because their informational advantage is unimaginable.
     
    Last edited: Jun 18, 2009
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Ummm hmmm.
     


  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Fact is, they are there and it would be better if they weren't where they are.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    The most amazing thing is that they let you talk about all this instead of vanishing you .... hmmm ....
    Mrk
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That makes you wonder, and it doesn't make me wonder that you think that simply and awkwardly. :eek:
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    True, but they do have the ability to decrypt though.

    Back to the topic at hand.

    We need to discuss:

    1. ways of filtering out HTTP smuggling & splitting traffic.

    2. Is your PC strong enough to withstand such an attack if HTTP smuggling & splitting traffic gets in?

    So how would a layer 7 DPI hardware firewall cope with filtering out HTTP smuggling & splitting traffic? What about Proxomitron?

    A good HIPS which monitors system memory and limits the permissions your browser has should be able to prevent such attacks??
     
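As an added defender-side example (not code from this thread or from any of the posters), here is a Python check for the two problems pandlouk describes and arran asks how to filter: a request whose body length is ambiguous (the smuggling case a cache, proxy or DPI box should reject rather than forward) and a header value that could split a response into two. The sample requests and the header names checked are constructed for the example.

```python
import re
from typing import List, Tuple

def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw HTTP/1.1 request into its request line and (name, value) pairs.
    Header names are returned unstripped so whitespace tricks stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *lines = head.split(b"\r\n")
    headers = [(l.partition(b":")[0], l.partition(b":")[2].strip())
               for l in lines if l]
    return request_line, headers

def smuggling_findings(raw: bytes) -> List[str]:
    """Framing ambiguities a front-end should refuse instead of passing on.
    Two parsers that resolve these differently are what lets a body be
    'smuggled' past the first one."""
    _, headers = parse_head(raw)
    def values(wanted: bytes) -> List[bytes]:
        return [v for n, v in headers if n.strip().lower() == wanted]
    cl, te = values(b"content-length"), values(b"transfer-encoding")
    findings = []
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
    # Conservative: only the bare 'chunked' token is accepted; anything else
    # (other encodings, odd casing with extra tokens) is sent for review.
    if any(v.lower() != b"chunked" for v in te):
        findings.append("non-standard Transfer-Encoding value")
    if any(n != n.strip() or b" " in n.strip() for n, _ in headers):
        findings.append("whitespace in or around a header name")
    if any(not re.fullmatch(rb"\d+", v) for v in cl):
        findings.append("non-numeric Content-Length")
    return findings

def splitting_risk(value: str) -> bool:
    """True if a string about to be written into a response header (for
    example a Location built from user input) could start a new header line
    or a second response. Run this after any URL-decoding, not before."""
    return "\r" in value or "\n" in value

# Constructed sample requests (not captured traffic).
CLEAN = b"POST /login HTTP/1.1\r\nHost: shop.example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: shop.example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("obfuscated", OBFUSCATED)]:
        print(name, smuggling_findings(req))
```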