Wednesday, July 27, 2011

Reverse Image Search

Google have recently launched a new set of reverse image search functionality for their image search service. For the uninitiated, “reverse” image search allows you to use an image as the jumping off point for your search, instead of boring textual keywords.

And why exactly would we want to do this? I can think of a few reasons:

  • In the simplest case this can be a more interesting, or intuitive way to image search.
  • Perhaps you find a 5 year old JPG in your home area and you just can’t remember where it came from. Maybe Google remembers?
  • You need to find a HD version of your desktop wallpaper for that shiny new monitor. No problem...
  • Maybe you’re a rights-holder trying to track your own images. You wouldn’t be the first.
  • Being scammed by online dater fakers? Reverse search that profile picture - oh yes, that *is* Pierce Brosnan.

Now this isn’t an entirely new idea, an early player in the game was TinEye. TinEye are still operating and hopefully they’ll stay around some more, giving us double the image searching fun.

Google’s new functionality comes in two pieces.
At the core is ‘Search by Image’ within Google Images. Using the search query box, you can now choose to search with an image of your choosing. This can be a link to an image available on the web, or you can upload one from your local machine. Browser permitting you can even drag and drop a file, which is cute.

As we can see the result set allows us to discover locations on the web where the desired image can be found. We can also specify a different size for the image and locate those too.
Google’s algorithm will make a best guess at the topic of your search and this “trail” can be followed in the normal way - using the suggestion as a search term.

Further down the page we find the second part of the functionality, ‘Visually similar images’. This is where it gets interesting. We can now search around other images found to be similar to our input image. Effectively we can “bootstrap” the image search process with an image of our choosing. This is a great way to find something very particular, or something hard to spell, or indeed... pornography.

Clearly this can be used to find content without stating your intention in the form of keywords. For corporate or education networks this might be an AUP circumvention risk. Hence, filters must move with the times. Here at Smoothwall we’ve added a new category for Reverse Image Search services, as it may not be appropriate for all users. We’ve also worked to ensure Force SafeSearch, Search term filtering and Deep URL Analysis are compatible with Google’s latest developments.
Screenshot 2 was generated behind Smoothwall Guardian, demonstrating those features. Just for fun, here’s a screenshot using A. N. Other web filter...

Note: Censored to be (semi) safe-for-work.

Monday, July 25, 2011

Security? Turns Out It's Not That Difficult!

This afternoon, I was sent a link by a colleague to some useful information. The Australian government - specifically the Department of Defence "Defence Signals Directorate" (cool department name winner, 2010-2011 season) - have tastefully tabulated a bunch of targeted phishing mitigation techniques, along with their effectiveness, and various metrics indicating how hard these techniques are to apply. Check out the table here.

So far, so good - the interesting thing, however, is how some of the simplest advice is the most effective. For example, keeping your regular users from having administrative privs is rated as an "excellent" defence - and these days, is relatively easily done, as most software is well behaved with regard to needing to run as admin. Where desktop software vendors could make our lives easier though is keeping up-to-date on things like Java, Acrobat, Flash and company - Microsoft Update does a decent job... but something integrated and simple for other software might help us institute another "excellent" defence more easily.

I would imagine that this advice applies as well to other kinds of attack - this document being fairly specific to targeted phishing attacks - as they use similar vectors. Probably having up-to-date antivirus would move up a couple of notches and email whitelisting might not get an "excellent" if we were looking at a more general case. Still, it's worth a read, just to get the little grey cells working in a security type way for a few moments!

Sunday, July 3, 2011

Account security when visiting other people’s computers and the additional danger of federated authentication - use Incognito!

You know when you need to access your email or a document or look up information on a CRM but you are not on your computer? Perhaps it’s a colleague's or a customer's PC. Have you ever considered that you may be leaving passwords or cookies on that computer which would allow them access to your personal or company secrets? Often closing the web browser’s window or clicking ‘Do not remember password’ is not enough - there could easily be authentication cookies left around. You might, accidentally, allow the browser to remember the password. In addition, federated authentication makes it even easier to leave yourself logged in.

I’d like to make a bold statement:

The level of knowledge a person is required to have, right now, to be secure using modern technology such as web applications, is higher than even normal IT-literate users currently have.

I’ll give you an example. If you use federated authentication, then you may end up logged in to both what you expected to be logged in to and the authentication provider. E.g. log in to Clarizen.net (just an example) by clicking the G button and put in your Google credentials. Now log out of Clarizen. You would think you were logged out - not so. Now go to mail.google.com. See that you are also logged in to Google. Did you realise that before now? I bet you did not.

The mistake that Clarizen are making is that they failed to realise that users who get single-sign-on also expect single-sign-off. The mistake users are making is not realising that single-sign-on does not mean single-sign-off.

The solution for Clarizen and others is to make their log out link redirect to the Google (or other) log out URL. I have recently used this technique with great success with an integration project. Naturally you will want to warn the user that it will do a full log out.
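To show what that "redirect to the provider's log out URL" looks like in practice, here is an added example (not Clarizen's, Google's or Smoothwall's code). It assumes a placeholder identity-provider logout endpoint, a single allowed return host and an in-memory session store; the `full_logout` flag is what the warning page would set once the user has confirmed.

```python
from http import cookies
from urllib.parse import urlencode, urlsplit

# Assumed values (placeholders, not taken from the post): the identity
# provider's logout endpoint and the hosts we will send the user back to.
IDP_LOGOUT_URL = "https://idp.example/logout"
ALLOWED_RETURN_HOSTS = {"app.example"}
SESSION_COOKIE = "app_session"

# Constructed in-memory session store: session id -> user record.
SESSIONS = {"s1": {"user": "alice", "idp": "google"}}


def safe_return_url(url, default="https://app.example/"):
    """Only return to our own host over https; anything else falls back to
    the default so the logout link cannot be abused as an open redirect."""
    parts = urlsplit(url or "")
    if parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS:
        return url
    return default


def logout(cookie_header, return_url=None, full_logout=True):
    """Build the (status, headers) response for the application's logout link.

    1. Drop the local session server-side so the cookie is worthless even
       if it survives in the browser.
    2. Expire the session cookie in the browser.
    3. If the session came from the identity provider, redirect there so
       single-sign-on becomes single-sign-off as well.
    """
    jar = cookies.SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    session = SESSIONS.pop(sid, None)

    headers = [
        ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"),
        ("Cache-Control", "no-store"),
    ]
    target = safe_return_url(return_url)
    if full_logout and session and session.get("idp"):
        # Hand off to the provider, telling it where to send the user next.
        target = IDP_LOGOUT_URL + "?" + urlencode({"continue": target})
    headers.append(("Location", target))
    return 302, headers
```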

The solution for users, including me, is to always always always use an Incognito Window. Never log on to another user’s computer without using one. What this does is ensure that nothing gets saved on the computer (except downloads) - even if you accidentally allow it to remember passwords or save authorisation on the computer. Once you close the incognito window, all traces that you were there, cookies, passwords, user names, history, etc, are gone.

Incognito also allows you to browse knowing that there will be no history so that if you are looking for something online that you would not like your partner to see, your secret is safe. (I am thinking presents...).

Incognito is available in:
  • Google Chrome - Tool menu > New incognito window
  • Firefox 4 - Tools > Start Private Browsing (Ctrl+Shift+P)
  • Internet Explorer 9 - Cog menu > Safety > InPrivate Browsing
  • Safari - Edit menu > Private Browsing
  • Opera - Menu > Private Tab / Private Window
Remember though, it is only going to ensure nothing is left on the computer. If the computer is infected with a key logger and you’re not using two factor authentication, then your account is screwed anyway. Also, if the network admin is using a good web filter, such as Smoothwall Network Guardian, then he will know exactly where you’ve been - even if you tried to hide it.

More info can be found on this Wikipedia article.