Archive for the ‘hacking’ Category

Facebook code leaked.. but was it Hacked too ?

11 Aug

Everyone will be talking about this soon. Someone leaked the source of Facebook's index page on a website called Facebook Secrets.

Update: Brandee Barker from Facebook responded to Nic on TechCrunch.

Hi Nic-

I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.

Thanks to you and the TC readers for helping us out on this one.

Brandee Barker
Facebook

What is not clear is whether this was a hack or whether someone inside was involved. This is what Nik Cubrilovic from TechCrunch has to say:

“There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited. Since Facebook is a closed source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party will probe the application in an attempt to work out how the application behaves and to try and find potential race conditions. In closed source applications it is common that developers rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.

The second implication with this leak is that the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).”


Posted in hacking

 

The “me too” phenomenon and Identity theft

05 Aug

A very interesting article from Muhammad Saleem on the “me too” phenomenon. My problem with this phenomenon is that it might make identity theft easier than before. In this new web 2.0 world, if I need your password or your mother’s maiden name, all I have to do is build an interesting application which you would like to try out at least once. Once I have your password or other key information (which will most likely be the same across all your applications), I can shut the site down and do other interesting things. I’m an open advocate of OpenID, which addresses some of these issues, but it’s no silver bullet.
More from Muhammad’s blog:

“Every day a new company announces a ‘new’ product which is nothing more than the old product with slight modifications or a few small additional features. This mentality is not only bad for users but also for marketers and even the startups.

A prime example of this phenomenon can be witnessed by comparing Dodgeball, Twitter, Jaiku, Tumblr, Pownce and a plethora of other microblogging tools. 90% of the services these different tools offer are the same, and the 10% that differentiates them is not significant enough to make most users switch.”


Posted in hacking

 

Dzone: Digg for developers

16 Aug

I found a new site called Dzone today. Unlike Digg, it focuses on programming, coding tools, processes and practices. The feature which makes this site stand out among the other hundred Digg replicas is its ability to take “webshots” of the linked URL, which are shown as thumbnails.

Dzone fills a void in a developer’s life which sites like Digg and Slashdot can’t fill because of their unfocused news items. Lately Digg has been trying hard to develop more focused pages, but it’s nowhere close to what developers are currently looking for.

 
 

The Blue Pill – 100% undetectable malware

09 Aug

During CodeCon 2006, seven months ago, I first heard about the existence of virtual-machine-based rootkits. I’ve also been reading about hypervisor technology and about products like Xen which are trying to build better virtual machine engines. AMD and Intel now officially have hooks in the processor itself to support this. Unlike traditional virtual machines, which “emulate” all the processing within another OS, with this new technology each OS can in fact live alongside the others, talking directly to the processor.
But what took me by surprise is that within this short time, there is a new technology called the “Blue Pill” which has been demonstrated and discussed in the underground world, and which makes use of the virtualization features of the processors to build 100% undetectable malware.

Here is an extract from the author’s description of Blue Pill:

All the current rootkits and backdoors, which I am aware of, are based on a concept. For example: FU was based on an idea of unlinking EPROCESS blocks from the kernel list of active processes, Shadow Walker was based on a concept of hooking the page fault handler and marking some pages as invalid, deepdoor on changing some fields in NDIS data structure, etc… Once you know the concept you can (at least theoretically) detect the given rootkit.

Now, imagine a malware (e.g. a network backdoor, keylogger, etc…) whose capabilities to remain undetectable do not rely on obscurity of the concept. Malware, which could not be detected even though its algorithm (concept) is publicly known. Let’s go further and imagine that even its code could be made public, but still there would be no way for detecting that this creature is running on our machines…


Notes: WikiMapia, Digg, IPv6, flock and Google Sync.

25 Jun

WikiMapia

  • This is the first time I happened to stumble upon WikiMapia, which looks like a wiki of maps. Very interesting and creative idea. WikiMapia uses the Google Maps API and allows users to mark places and add text to locations around the world.
  • It’s like a large world map with people scribbling all over it. Google recently updated its global map database to include some very high resolution satellite images around the world, which makes WikiMapia an even more interesting new service to look out for.

Digg

  • Digg has been around for just over a year and has already surpassed Slashdot in traffic volume. The Digg 3.0 release party demoed some really interesting new tools which are set to come out soon after the 3.0 release on Monday. The one tool which already exists is Digg Spy.

IPv6

  • The US Government has plans to enable IPv6 on backbone routers by 2008.
  • Comcast is probably the first large organization which has already started deploying IPv6. Here are some interesting presentation slides from one of their talks.
  • I looked up ARIN and noticed that Google, Microsoft and Cisco all have a /32 assigned to them, which is a significant allotment. Even though ARIN policy more or less states that a /32 allotment requires the recipient to act as an ISP and give away at least 200 blocks to smaller ISPs or organizations within 5 years, I don’t think this is enforced. Cisco, for example, has had its IPv6 block since 2000 and is well past its 5 year limit.
  • Apparently, while IPv6 is being deployed, multihoming is not yet standardized.

Flock

  • If you like Firefox you’ll like Flock too. Just like the web is slowly moving towards web 2.0, Flock is kind of an extension to the Firefox experience which gives you a “web 2.0 rich” experience.
  • Features like social tagging, blogging and photo sharing are built into the browser. But what I liked best in Flock is its implementation of the RSS news reader.
  • Flock beta 1 was released on June 13th.

Google Sync

  • Google Sync is a Firefox plugin which claims to synchronize your browser settings with your Gmail account so that you can carry them with you when you switch desktops.
  • Unfortunately, though Flock is based on Firefox, it’s not supported, which is a shame because I primarily use Flock. However, there is a hacked version of Google Sync which will work for Flock here.
  • BTW, I think that Google Sync is far from mature, because over the weekend Google Sync successfully locked up my Firefox browser on Windows XP and even a reboot doesn’t bring it up anymore.

Posted in blogging, google, hacking

 

Two-way Two-factor SecurID

05 Mar

A lot of companies are moving towards two-factor authentication, which is great because it reduces the risk of weak authentication credentials. What it doesn’t do, unfortunately, is reduce phishing risk, which will become the next big problem after spam. I wrote a few words on detecting phishing attacks a few days ago. This is the continuation of the same discussion.

PassMark and similar authentication mechanisms are among the best solutions in use today. Unfortunately, PassMark is one of those mechanisms which are built to be broken. The strength of this authentication mechanism, in this case, depends on the number of images in the PassMark database, which according to the website is currently 50000.

50000 variations might be alright for now, but we would be short-sighted if we stopped there. One of the serious drawbacks of this mechanism is that if an attacker guesses the user’s logon name, or captures that information in some other way, PassMark authentication effectively reduces to a one-way password authentication.

For example, if an attacker wants to steal a victim’s session and has somehow guessed the user’s logon name, all they have to do under the “PassMark mechanism” is to go to the real website once with the user’s logon name and extract the image shown by the real website. Once this is done, since the image never changes, the attacker can prompt the victim with the cached image whenever the user logs on.

I think the day is not very far off when companies like RSA will come out with a two-way authentication mechanism where the token provided by the server keeps on changing. RSA already makes excellent two-factor one-way authentication, which changes based on time. They could easily extend it into “two-way two-factor” authentication. If such two-factor two-way authentication existed, even if the attacker knew the victim’s logon name, he/she would have to go to the real bank every time the user logs on to get the latest SecurID token which the user would look for. It’s just a matter of time after that before someone at the actual website notices the phishing activity.
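To make the contrast concrete, here is an added example (not from the post, and not RSA’s or PassMark’s code) that models a static PassMark-style image token beside a server-to-user token that changes with time; the secrets, the window length and the function names are assumptions.

```python
import hashlib
import hmac

TIME_STEP = 30  # assumed window length in seconds for the server-side token


def static_passmark(user_secret: bytes, now: int) -> str:
    # Static PassMark-style token: derived only from the image the user chose.
    # It ignores the time, so one capture of it replays forever.
    return hashlib.sha256(b"passmark:" + user_secret).hexdigest()[:8]


def two_way_token(shared_secret: bytes, now: int, step: int = TIME_STEP) -> str:
    # Time-based server-to-user token: HMAC over the current time window
    # (TOTP-style), so the value the real site shows moves every `step` seconds.
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(shared_secret, counter, hashlib.sha256).digest()
    return mac.hex()[:8]


def user_accepts(shown: str, shared_secret: bytes, now: int, step: int = TIME_STEP) -> bool:
    # What the user's side would do: accept the value for the current window
    # or the previous one (small clock-skew allowance), and nothing older.
    for window_time in (now, max(now - step, 0)):
        if hmac.compare_digest(shown, two_way_token(shared_secret, window_time, step)):
            return True
    return False


def replayed_value_matches(token_fn, secret: bytes, captured_at: int, login_at: int) -> bool:
    # The risk described in the post: a value captured from the real site
    # earlier is shown to the victim at a later login. Does it still look genuine?
    captured = token_fn(secret, captured_at)
    return hmac.compare_digest(captured, token_fn(secret, login_at))
```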

Before I end today’s rant, I’d like to admit that it’s entirely possible that someone has already done this and that I’ve just not seen it yet. If so, I hope it gets deployed fast.


Posted in hacking, phishing, security

 

Detecting Phishing sites

02 Mar

Wikipedia: “phishing is a form of criminal activity utilizing social engineering to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to ‘fish’ for users’ financial information and passwords.”

According to Anti-Phishing.org there were 5490 more phishing sites reported in the month of December 2005 as compared to a year ago. And if you run a business which involves any kind of monetary (or identity) transactions, it’s just a matter of time before you become a victim.
A lot of companies today are working together to solve this problem, which is at least as hard, if not harder, than shutting down email spam. The underlying reason why phishing is still a good business model is that users aren’t technical enough to identify a phishing attack. As an example, one of the most common misconceptions among users is that a secure website (running over SSL) with a valid SSL certificate is completely trustworthy. Unfortunately most users don’t know that getting a certificate is almost as simple as buying apples from a store. SSL certificates do help in encrypting traffic to a target server, but they can’t tell you that you are going to https://www.ebey.com instead of https://www.ebay.com.

Help is on the way though. Some organizations are working on building visual tools (or plugins) for browsers which can intelligently identify and visually alert the user about a possible phishing attack. IE7, which is still in beta, apparently will have this tool built into the browser itself. The sad part, however, is that most of these mechanisms still depend on the user to download and install them, which may not happen overnight.

Most organizations which deal with sensitive data are aware of the phishing problem and have a very reactive security team to identify and shut down such websites. A few even take the time to train their users. The lag between a phishing website going operational and the point when it is shut down is still significantly long.

The technology behind such a detection engine for phishing attacks is not very different from that of a spam filter. They both rely on some kind of signature, which has its share of false positives and false negatives. And just as spammers have been managing to get through our spam sensors, it’s just a matter of time before phishing attacks become more sophisticated.
Websites which have a more urgent need for anti-phishing intelligence, and can’t wait for IE7 to be deployed everywhere, are resorting to other interesting ideas. One which I have personally witnessed and appreciate is something called PassMark, which uses a two-way authentication mechanism instead of the standard two-factor authentication. In two-way authentication, the server authenticates to the user before the user authenticates to the server. One example is where you select an image from a random set of images on the banking site. Before you enter your password to log in, the banking website will show you the image you had previously selected. Since it’s easier to notice a change in image than to detect a minor variation in a URL, this mechanism works well with technically-challenged users as well.

For a phishing website to be set up by an attacker, the attacker has to mirror the real website. This is another area where security experts can set up their alerting agents. Unlike most search engines, attackers who want to mirror websites might download pages and images using automated tools which could behave differently from a human-operated browser. Detecting such patterns might give the website sufficient heads-up to analyze and disable the offending website before the attack is launched.

But if the attacker succeeds in copying the content to set up a replica and moves to a different subnet, it might be hard to track and shut down such websites. In order to maximize the number of victims caught in the trap (maximize profit), phishing websites try their best to minimize service disruption for the users. Some websites will transfer users to the actual website almost as soon as username and password are typed. One way to detect such attacks would be to analyze Apache/www logs to look for “Referer URLs”. Since Referer URLs are reported by the browser for every HTTP request, there is a good chance that the phishing site will leave a trace of its existence. If the server-side application could detect Referer URLs coming from an unauthorized site, it could proactively warn the user and shut the session down.
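As an added illustration (not code from the post), here is a Python check over a few constructed Apache combined-format log lines that flags requests whose Referer host is not one of the site’s own; the host names, paths, client addresses and log lines are all assumed.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumed: the bank's own host names. Any other Referer host is worth a look.
TRUSTED_HOSTS = {"www.example-bank.test", "example-bank.test"}

# Constructed sample lines: a normal login, a login referred from a look-alike
# host, an image hot-linked by that same host, and a login with no Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2006:10:01:22 -0800] "POST /login HTTP/1.1" 302 0 '
    '"https://www.example-bank.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2006:10:02:03 -0800] "POST /login HTTP/1.1" 302 0 '
    '"http://www.examp1e-bank.test/login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2006:10:02:40 -0800] "GET /images/logo.gif HTTP/1.1" 200 4123 '
    '"http://www.examp1e-bank.test/" "Mozilla/5.0"',
    '203.0.113.12 - - [02/Mar/2006:10:03:11 -0800] "POST /login HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
]


def referer_host(referer: str):
    # Apache writes "-" when the browser sent no Referer; treat that as unknown,
    # not hostile, since typed URLs and bookmarks also produce it.
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def suspicious_referers(log_lines):
    """Return (client_ip, path, referer_host) for requests referred from an
    untrusted host. Referer is client-supplied, so this is a lead, not proof."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = referer_host(m["referer"])
        if host is None or host in TRUSTED_HOSTS:
            continue
        hits.append((m["ip"], m["path"], host))
    return hits
```

Hot-linked images show up in the same report as the logins, which is useful because a mirrored site often starts pulling the real site’s assets before any victim has logged in.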

As I said before, there are a lot of companies trying to solve this problem. I heard about one at CodeCon 2006 and found them fascinating. I hope we have some of these implemented very soon so that we IT folks can stop worrying about training the users and get down to doing some real work.

 

Macromedia credits me for finding a bug in JRun

12 Apr

Macromedia credited me for a bug I found last year. Read more here: DevNet Article


Posted in hacking, security

 

ReplayTV hacking

10 Feb

ReplayTV coding is not exactly related to security, but I’m adding it here because it’s all about hacking. I’ll keep posting the ReplayTV scripts I work on here: http://www.royans.net/security/projects/replaytv/


Posted in hacking, interesting