Reverse Image Search

Google have recently launched a new set of reverse image search functionality for their image search service. For the uninitiated, “reverse” image search allows you to use an image as the jumping off point for your search, instead of boring textual keywords.

And why exactly would we want to do this? I can think of a few reasons:

In the simplest case this can be a more interesting, or intuitive way to image search.
Perhaps you find a 5 year old JPG in your home area and you just can’t remember where it came from. Maybe Google remembers?
You need to find a HD version of your desktop wallpaper for that shiny new monitor. No problem...
Maybe you’re a rights-holder trying to track your own images. You wouldn’t be the first.
Being scammed by online dater fakers? Reverse search that profile picture - oh yes, that *is* Pierce Brosnan.

Now this isn’t an entirely new idea, an early player in the game was TinEye. TinEye are still operating and hopefully they’ll stay around some more, giving us double the image searching fun.

Google’s new functionality comes in two pieces.
At the core is ‘Search by Image’ within Google Images. Using the search query box, you can now choose to search with an image of your choosing. This can be a link to an image available on the web, or you can upload one from your local machine. Browser permitting you can even drag and drop a file, which is cute.




As we can see the result set allows us to discover locations on the web where the desired image can be found. We can also specify a different size for the image and locate those too.
Google’s algorithm will make a best guess at the topic of your search and this “trail” can be followed in the normal way - using the suggestion as a search term.

Further down the page we find the second part of the functionality, ‘Visually similar images’. This is where it gets interesting. We can now search around other images found to be similar to our input image. Effectively we can “bootstrap” the image search process with an image of our choosing. This is a great way to find something very particular, or something hard to spell, or indeed... pornography.



Clearly this can be used to find content without stating your intention in the form of keywords. For Corporate or Education networks this might be an AUP circumvention risk. Hence, filters must move with the times. Here at Smoothwall we’ve added a new category for Reverse Image Search services, as it may not be appropriate for all users. We’ve also worked to ensure Force SafeSearch, Search term filtering and Deep URL Analysis are compatible with Google’s latest developments.
Screenshot 2 was generated behind Smoothwall Guardian, demonstrating those features. Just for fun, here’s a screenshot using A. N. Other web filter...

Note: Censored to be (semi) safe-for-work.

Security? Turns Out It's Not That Difficult!

This afternoon, I was sent a link by a colleague to some useful information. The Australian government - specifically the Department of Defence "Defence Signals Directorate" (cool department name winner, 2010-2011 season) - have tastefully tabulated a bunch of targeted phishing mitigation techniques, along with their effectiveness, and various metrics indicating how hard these techniques are to apply. Check out the table here.

So far, so good - the interesting thing, however, is how some of the simplest advice is the most effective. For example, keeping your regular users from having administrative privs is rated as an "excellent" defence - and these days, is relatively easily done, as most software is well behaved with regard to needing to run as admin. Where desktop software vendors could make our lives easier though is keeping up-to-date on things like Java, Acrobat, Flash and company - Microsoft Update does a decent job... but something integrated and simple for other software might help use institute another "excellent" defence more easily.

I would imagine that this advice applies as well to other kinds of attack - this document being fairly specific to targetted phisning attacks - as they use similar vectors. Probably having up-to-date antivirus would make up a couple of notches and email whitelisting might not get an "excellent" if we were looking at a more general case. Still, it's worth a read, just to get the little grey cells working in a security type way for a few moments!

Account security when visiting other peoples’ computers and the additional danger of federated authentication - use Incognito!

You know when you need to access your email or a document or look up information on a CRM but you are not on your computer? Perhaps it’s a colleague's or a customer's PC. Have you ever considered that you may be leaving passwords or cookies which would allow them access to your personal or company secrets on that computer? Often closing the web browser’s window or clicking ‘Do not remember password’ is not enough - there could easily be authentication cookies left around. You might, accidentally, allow the browser to remember the password. In addition, federated authentication makes this even easier to leave yourself logged in.

I’d like to make a bold statement;

The level of knowledge a person is required to have, right now, to be secure using modern technology such as web applications, is higher than even normal IT-literate users currently have.

I’ll give you an example. If you use federated authentication, then you may end up logged in to both what you expected to be logged in to and the authentication provider. E.g.. log in to Clarizen.net (just an example) by clicking the G button and put in your Google credentials. Now log out of Clarizen. You would think you were logged out - not so. Now go to mail.google.com. See that you are also logged in to Google. Did you realise that before now? I bet you did not.

The mistake that Clarizen are making is that they failed to realise that users expect single-sign-on and but also single-sign-off. The mistake users are making is not realising that single-sign-on does not mean single-sign-off.

The solution for Clarizen and others is to make their log out link redirect to the Google (or other) log out URL. I have recently used this technique with great success with an integration project. Naturally you will want to warn the user that it will do a full log out.

The solution for users, including me, is to always always always use an Incognito Window. Never log on to another user’s computer without using one. What this does is ensure that nothing gets saved on the computer (except downloads) - even if you accidentally allow it to remember passwords or save authorisation on the computer. Once you close the incognito window, all traces that you were there, cookies, passwords, user names, history, etc, are gone.

Incognito also allows you to browse knowing that there will be no history so that if you are looking for something online that you would not like your partner to see, your secret is safe. (I am thinking presents...).

Incognito is available in:

• Google Chrome - Tool menu > New incognito window
• FireFox 4 - Tools > Start Private Browsing (Ctrl+Shift+P)
• Internet Explorer 9 - Cog menu > Safety > InPrivate Browsing
• Safari - Edit menu > Private Browsing
• Opera - Menu > Private Tab / Private Window

Remember though, it is only going to ensure nothing is left on the computer. If the computer is infected with a key logger and you’re not using two factor authentication, then your account is screwed anyway. Also, if the network admin is using a good web filter, such as Smoothwall Network Guardian, then he will know exactly where you’ve been - even if you tried to hide it.

More info can be found on this Wikipedia article.

Why Am I Not Afraid Any More?

So i've just finished watching the F1 qualifying on Saturday afternoon, and my thoughts turn to work (hey, why not?). I've seen a few stories in the news these last 7 days, and by rights we should probably be gathering up tins of fray bentos, packing the cat, and heading for the hills.

• NHS could be hacked easily?
• Sony being hacked for sport and Nintendo can keep your data safe (maybe?)
• Facebook can track your face around the web (and would rather not ask first)
• RSA tokens, that bastion of security.. compromised
• FBI partner, lightly owned

Instead I'm wondering if we'll see rain in Montreal tomorrow and Mclaren can put in a decent race pace. What's wrong with me? Why am I not afraid any more?

One reason might be that I've become jaded, inured to breathless security scare stories by... well, people like me - other infosec professionals. I hope we haven't cried wolf, though hunting moose in packs does sound like a lark. Millenium bug syndrome - over hyped by folks that stand to benefit!

Perhaps another reason could be that we've come to expect the odd breach, just like we've come to expect we'll probably catch the dreaded summer cold at some point (another of my excuses for snoozing through the week and not blogging any of these stories, i've been under the weather!), we come to expect security breaches which kill off a few weak members of society, but most people shrug it off with little ill effect. We're now used to cleaning up after the bad guys? Familiarity breeds contempt.. and maybe a hint of complacency?

Of course, there's another option - I haven't really felt the repercussions of any of these issues this week. I don't use an RSA token, own no consoles(!), there's relatively few pictures of me acting the goat on facebook, and my medical history doesn't appear to have been indexed by google (yet, at least). Could it be I just need to have a security breach drop something on my toes?

Anyway, I promise to try and pay a little more attention to the bad stuff going on in our digital domain, but if I fail to get excited by the latest round of apocalyptic damp squibs, cut me some slack will ya? ;)

6 Easy Ways To Look Like A Security Expert

Few people have time to become an Internet Security expert, but with this post i'm going to introduce you to some websites, tools and other resources that can give you a bit of an edge, and, importantly, look impressive to the uninitiated. As a network manager, you're supposed to know everything about anything that has a cable attached - so finding time to be an all-areas expert is not going to fly. Luckily we can alter our users' perception and be seen as a security champ. We all know you're probably doing the right stuff in the background, all the unexciting bits, so let's see if we can't find something with a bit of sparkle.

1. A user asks "is this a virus" - now you can not only be more confident, but you have got a nice looking report as well, thanks to virustotal.
2. Looking like a hacker from the movies is easier than you think - network swiss-army-bazooka nmap (movie references here) has a nice graphical front-end, is easy to use and actually really handy, go get zenmap. Bump the shiny up another notch, and Overlook Fing is like a miniature nmap on android or iphone.
3. Keeping up with the latest news and views in security is tough, but if there's one guy who's opinion it is always worth reading, it's Bruce Schneier. Luckily, he publishes a monthly newsletter, Cryptogram. Sign up here.
4. We can't all keep a virtual machine knocking around to burn testing dubious looking links. Luckily, we can get a fair idea if a link is going to riddle us with zero-day hell, and a nice report to boot from the folks at wepawet.
5. Many people thought I should have included this one at number one - a great looking packet analyzer with a cool name, Wireshark (or Ethereal as it was formerly known) can be used to find out a lot about your network, and is great for seeing what's really going on. Pulling unencrypted passwords and snippets of plaintext conversation off the wire - always a good demo. Remember you can use tcpdump (on your Smoothwall or other Linux-based firewall!) to pick up packets to look at later as well. One that takes a bit of learning, but well worth it. Get Wireshark here.
6. Most of us are Windows users, but Linux has a lot to offer. Even if you don't run Linux all the time, there are a couple of live cds which will run without modifying your PC. For the security minded, there's the Trinity Rescue Kit, ever helpful for recovering "lost" passwords, and for the slightly more black-hatty among us, backtrack is the place to be. An unfamiliar and complicated looking interface will do your status with your users no end of benefit. Download and burn trk or backtrack.

I've limited my list to free tools and resources which would generally be accessible to a broad range of network managers and IT techs, but I might have missed your favourite - get in touch, and leave me a comment!

Google and Mozilla giving up on URLs?

In the past few weeks, there have been indications that two of the Internet's biggest browsers are reconsidering the central position of the URL in web browsing. Firefox and Chrome's designers are looking at ways to downsize, repurpose or remove the traditional "location bar" where traditionalists have been used to typing web addresses for years.

This comes as no great shock - even in the early days of the web, efforts were made by the likes of AOL to use keywords to navigate to websites. AOL failed, ultimately, but the concept succeeded. In today's web, entering a known URL is unusual for most people - we trust our search engines to bring back the content we require from our search terms, and we use our bookmarks to keep track of things we like - never needing to see the URL itself. Advertisers are starting to make more use of this too - it is increasingly difficult to get short, memorable domain names, and people make typos. If you can be sure your site ranks well for the name of your company, you don't need to worry about people mis-spelling your domain (and when your name is a bit tough to pronounce outside of the English speaking world.. or even in it... yeah, but we have always been called Smoothwall, so we're sticking to it, thanks!).

With the web losing some of the location-based addressing that ties content to domains and urls, and more web applications taking content from a variety of sources, this move would seem to send a warning to some popular URL-(ab)users - who needs link shorteners in a world without typing links? If everything is sent with embedded links, or transferred to meatspace as keywords rather than URL these services may see a decline. Interestingly for Smoothwall, and our users, this could accelerate the demise of the URL filter. When we no longer need sites to identify themselves as positively in URL, we can be more ambiguous - for example, bbc may no longer feel the need to have all sport under /sport - they aren't doing that to benefit a URL filter, and if there's diminishing benefit for the consumer, need they maintain these syntactic niceties?

Interesting times ahead folks.

Five Tips to Assess Your School’s Network Security this Spring

Spring is a good time to take stock of what’s working and what’s not. Students are busy taking final exams, and for School IT administrators, it might be time to test your network security solution and make sure it’s delivering what you need.

Here are five tips to make sure your network security and filtering solution is doing its job to make yours easier:

1. Appearances can be deceiving: Don’t just look at the URL, but look deeper into a page and content-scan the words and phrases. This insures that all pages are categorized, and a page can’t hide itself as something it’s not. Make sure your filter can determine context, content and construction to block out those tricky bad guys.


2. Look for “Just Right” blocking: IT administrators can be worn to a frenzy keeping up with the educators’ requests to unblock websites they need, while keeping a strong block in place. A smart filtering solution avoids over-or under-blocking and provides just the right level of blocking.


3. Go for the Interception: Students have become increasingly savvy in finding their way around blocked websites using proxy anonomizers. Look for solutions that can intercept HTTPS traffic to catch HTTP proxies as well as HTTPS proxies. With the right solution, users trying to get around blocked sites will be intercepted- achieving your goal for a safe network.


4. Be the all-seeing eye: IT administrators don’t have time to constantly scan the network. They need reporting functions that help make their life easier, not more difficult. During certain hours such as lunch or between classes, it may be good to keep a closer eye on network activity. Real-time content scanning provides valuable visibility, allowing IT administrators to nip potential problems in the bud.


5. Network Security never sleeps: It’s not just the school grounds that must be protected. Users who rely on laptops, netbooks or even Mac portables must also be protected while away from the school's network. The full policy and profile safeguards that apply while those laptops are connected on campus must apply when taken home or on field trips, and while those units are connected to the Internet at the local airport or other wi-fi hotspots. Upon return to the school's network, all reporting and tracking of web activities should be aggregated to the reports the school's administrators and teachers receive on student (or staff) activities.

Does your network security deliver these points? If not, spring is a good time to think about making a change. Once you have a network security solution in place that does its job, you can finally escape the glare of your computer screen and enjoy all that warm spring sunshine.

Thanks for reading, commenting or tweeting.