Monday, February 28, 2005

Bypassing corporate VPNs

This great tool called rinetd (the internet redirection server) comes in handy when you want to forward traffic on a particular TCP port to other machines (which might not even be on your network).
Redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs specified in the file /etc/rinetd.conf. Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe impact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall.
You can use this port traffic forwarder to bypass corporate VPNs. For example, consider:

[arbitrary computer] --> [laptop on home DSL connected via VPN to office network] --> [office network]

If you set up the rinetd port forwarding server on your laptop, you could give anyone who doesn't have VPN access a way to connect to the office network (albeit only to a predetermined IP and port). The laptop has to be publicly accessible, which might mean simply opening up a port on your home router.

Thursday, February 24, 2005

Mozilla Firefox 1.0.1 is now available

Mozilla Firefox 1.0.1 is now available for download. Although the Options->Advanced->Check for Updates feature doesn't work yet (they are going to enable it in stages), you can go and download the browser directly.

The installation is painless and smooth. Everything (favorites, preferences, etc.) is preserved. Here are the release notes.

Have a safe browsing experience.


Tuesday, February 22, 2005

Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

Found on a Microsoft Help and Support page:
Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords
Yikes! What were they thinking when they coded this error message? The user must've died of shock, I'm guessing. Check out the page for yourself here.

Saturday, February 19, 2005

Free long distance calls from your cellphone

Here is how you can make free, unlimited long distance calls through your cellphone by combining VOIP with the cheapest unlimited mobile-to-mobile calling plan. This assumes that you already have a cellphone to begin with.

1. Buy a second mobile phone. A cheap or used phone would suffice.
2. Change your existing cellphone plan to the cheapest possible one. Add the option for unlimited mobile-to-mobile calls.
3. Add the second mobile to your cell plan.
4. Get VOIP. Go with the cheapest provider that charges a flat monthly rate for unlimited calls.
5. Buy Sipura SPA-3000 (or something similar).
6. Buy Dock-n-Talk Cell Phone Station (or something similar).

Sipura SPA-3000 routes local calls from cell phones and land lines to a VoIP service provider. Dock-n-Talk Cell Phone Station allows you to dock your cell phone and use your normal corded or cordless phones to make and receive your cell phone calls.

Call routing:
[CELLPHONE]-->[CELLPHONE2]-->[DOCK-N-TALK]-->[SIPURA SPA 3000]-->[VOIP]
You call from your existing cellphone to the 2nd cellphone. The 2nd cellphone is docked into the Dock-n-Talk, which in turn forwards the call to the Sipura SPA 3000. The Sipura SPA 3000 asks you for the target number. You punch in the target number on your cellphone keypad (like you do for a calling card) and the call is then sent over VOIP to the destination. Because you have an unlimited mobile-to-mobile calling plan, you don't pay a dime for the cell call (no airtime charges), and you pay only a fixed monthly fee for the VOIP service. This model works for a large volume of calls: the more long distance calls you make, the cheaper it gets.

This article is provided for informational purposes only.

Thursday, February 17, 2005

Google maps hacking

My random surfing led me to this GoogleMaps hack wiki. Apparently, it lists hacks that can be performed with Google Maps, like making the routes animated, etc.

Also, here is an online code beautifier: http://www.prettyprinter.de/

Wednesday, February 16, 2005

Here is how Adware does site spoofing

According to Wikipedia -
an Adware or advertising-supported software is any software application in which advertisements are displayed while the program is running.
Some of the worst adware programs do something more drastic. They alter your PC's settings so that whenever you try to go to site A, you always end up at site B. Here is how this happens:

When you enter a URL in the browser, a local name resolution happens first, followed by a DNS name resolution. Name resolution is the process through which the actual IP address of a system (or a website) is determined. This IP address is then used to connect to that site/host. The local name resolution is done via a hosts file, which is consulted before DNS is ever queried. The hosts file on most Unix installations is located at /etc/hosts, and on Windows installations at C:\windows\system32\drivers\etc\hosts (or wherever Windows is installed).

Let's say your hosts file contains a spoofed entry like the one shown below:
64.233.167.99 www.amazon.com

Now, whenever you type 'www.amazon.com' in your browser, it would always go to Google, even though your browser still shows www.amazon.com as the URL.

Some of the adware that gets loaded via ActiveX exploits this weakness and alters the hosts file, so that when you try to reach some popular site (like Google, Amazon, CNN, etc.) you always end up on some other advertisement-laden site.

Recently a friend of mine was telling me how he always ended up on the 'www.weightwatchers.com' site, even when he tried to go to 'www.cnn.com'.

As a precaution, do check your hosts file for suspicious entries. On a typical home PC it should contain only a single entry: 127.0.0.1 localhost. There are a couple of excellent programs, Ad-Aware and Spybot-S&D, that do an excellent job of busting any adware or spyware tricks that have made it through onto your PC.
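To make that check mechanical, here is an added Perl script (not part of the original post) that reads hosts-file text and reports every name that is mapped to anything other than the loopback address; the sample hosts content is constructed and mirrors the spoofed entry above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return a list of suspicious hosts-file entries: any name mapped to
# something other than the loopback address. Comments and blank lines
# are skipped, and one line may map several names to the same IP.
sub suspicious_hosts_entries {
    my ($text) = @_;
    my @findings;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;                 # strip trailing comments
        next if $line =~ /^\s*$/;         # skip blank lines
        my ($ip, @names) = split ' ', $line;   # whitespace-separated fields
        next unless @names;
        my $loopback = ($ip eq '127.0.0.1' || $ip eq '::1');
        for my $name (@names) {
            # The only entry a typical home PC needs: loopback -> localhost
            next if $loopback && $name =~ /^localhost(\.localdomain)?$/i;
            push @findings, "$name -> $ip";
        }
    }
    return @findings;
}

# Constructed sample: the normal localhost line plus the spoofed entry
# from the post, which sends www.amazon.com to a Google address.
my $sample = <<'HOSTS';
# sample hosts file (constructed for this example)
127.0.0.1       localhost
64.233.167.99   www.amazon.com
HOSTS

my @bad = suspicious_hosts_entries($sample);
print "Suspicious hosts entries:\n";
print "  $_\n" for @bad;
```

Point it at /etc/hosts or the Windows hosts file by reading that file into $sample instead; anything it lists that you did not add yourself deserves a closer look.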

Saturday, February 12, 2005

Using FooBar Search Alerts to get notified about security related issues

Disclosure: I conceptualized and wrote the FooBar Search Alerts service. It is free for personal non-commercial use. This is not a shameless plug. I use FooBar Search Alerts myself to keep up with security related stuff.

First let me tell you a little about the FooBar Search Alerts (FSA) service. The concept is very simple. It allows you to monitor a certain webpage for certain keywords (any word that you want to watch out for). Whenever your keywords appear on that page, you will be notified via email.

For example, let's assume that you are a system administrator and want to be notified whenever Apache releases a security fix or an update for its http server. Now, either you can manually go and read the Apache News blog every day, or you can simply create an FSA with the keyword 'release'. The FSA service would send you an email only when it finds a new entry on their blog with the word 'release'.

I have myself created various search alerts to keep up-to-date with security related news on many sites. One of my alerts is for 'security' on the apache blog itself. You can even monitor sites like CNN etc for any keywords.

Creating a FooBar Search Alert is very simple. It should take less than 15 seconds to create an alert, and it does not require registration, login or any of your personal details (except for an email address). Give it a try; I am sure you will find it useful. To cancel your alerts, simply click on the cancellation link that is sent in your notification email.

Thursday, February 10, 2005

Vulnerability in Symantec antivirus

Normally I don't like to post these vulnerability/security announcements because these days there are just too damn many of them. But as this one has to do with the Symantec antivirus itself, I am posting it on my blog.

There was an issue in the Symantec antivirus that allowed a virus to execute while being scanned. The problem exists in how the scanning code handles a compression format known as the Ultimate Packer for Executables (UPX). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through e-mail or host it on a Web site. They claim to have fixed it already (but I couldn't find a download link on their site). If you do run a Symantec (Norton) antivirus, do the wise thing and update your copy immediately.

Wednesday, February 09, 2005

Breaking CAPTCHA

As a follow-up to my previous post explaining what a CAPTCHA is, this post is about breaking CAPTCHA.

To break a CAPTCHA there are basically two options. Either come up with some fancy algorithm that does image analysis and character recognition, or simply show the CAPTCHA to a human and have him/her tell you what the mangled text in the CAPTCHA really is. It seems that spammers prefer the latter option, which is not only simpler to implement but also offers better reliability. Here is an example of what they do:
  1. Spammer creates a free porn site with the only catch being that users have to enter the text off a CAPTCHA before they can view images.
  2. That CAPTCHA is fetched from sites like Yahoo and displayed inline on their porn site.
  3. The moment a user keys in the sequence of characters, they programmatically feed it to the CAPTCHA entry box on the free email provider's site and open a new email account. The interesting thing to note here is that spammers don't have any way to really know whether the user entered the correct word or not.
Free porn sites attract a lot of people and so spammers are able to generate as many throwaway email addresses as they need.

The seemingly trivial task of identifying the mangled text in an image is very difficult for computers. Apart from spammers, some CAPTCHA crackers are also scientists. Breaking a CAPTCHA programmatically has important implications in the fields of artificial intelligence and optical character recognition.

However difficult the generated CAPTCHA image, if you involve humans to solve the problem under false pretenses (as in the above example), then it can always be defeated.

Sunday, February 06, 2005

Awstats security hole - update

There is another vulnerability found in AWStats (version 5.7 through 6.2), which allows remote command execution even if the AllowToUpdateStatsFromBrowser flag has been set to 0.

This exploit causes arbitrary commands to be executed by using 'pluginmode'. Here is an example:
http://yourserver/cgi-bin/awstats.pl?pluginmode=:system("/bin/ls");

Check out this code snippet that doesn't sanitize the input, thereby allowing the above exploit to work.

Here is the awstats.pl ver 6.1 snippet:

    # AWStats output is replaced by a plugin output
    if ($PluginMode) {
        my $function="BuildFullHTMLOutput_$PluginMode()";
        eval("$function");
        if ($? || $@) { error("$@"); }
        &html_end(0);
        exit 0;
    }

Your options are pretty much limited at this time.
  1. Upgrade to AWstats version 6.3 or newer which might also require you to upgrade your Perl version to 5.00503 or higher
  2. Shut down AWStats on your server (eeew - bad idea!)
  3. Resort to security by obscurity. Rename the awstats.pl file to some weird name like AyDablyouStats.pl and hope that no one figures out the new name.
  4. If for any reason you cannot upgrade your Perl and/or AWStats, you could actually fix the awstats.pl file. Just sanitize the input before the eval("$function"). See the above snippet.
Take your pick. If you choose option #4, do post the fix by adding a comment here. Thanks and good luck!
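Since option #4 asks for the fix, here is an added Perl example (my own, not AWStats' patched code) of the sanitization the snippet above lacks: the plugin name is accepted only if it is a plain identifier, the output routine is looked up by name and called through a code ref, and no user-controlled string is ever passed to eval. It assumes the same BuildFullHTMLOutput_<name> naming convention as the 6.1 snippet; the plugin routine and the test inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for a plugin output routine registered by AWStats (constructed).
sub BuildFullHTMLOutput_hashfiles { return "plugin output"; }

# Return a code ref for the requested plugin's output routine, or undef
# when the name is not a plain identifier or no such routine exists.
sub plugin_output_function {
    my ($plugin_mode) = @_;
    return undef unless defined $plugin_mode;
    # Only [A-Za-z0-9_] is accepted, so ':system("/bin/ls");' is rejected
    # before anything is evaluated. The capture also untaints under -T.
    return undef unless $plugin_mode =~ /^(\w{1,64})\z/;
    my $function = "BuildFullHTMLOutput_$1";
    no strict 'refs';
    return undef unless defined &{$function};   # routine must really exist
    return \&{$function};                        # symbolic lookup, no eval
}

# Constructed inputs: a legitimate plugin name, the payload from the
# example URL above, and a name with no matching routine.
for my $mode ('hashfiles', ':system("/bin/ls");', 'nosuchplugin') {
    my $code = plugin_output_function($mode);
    if ($code) {
        print "accepted '$mode': ", $code->(), "\n";
    } else {
        print "rejected '$mode'\n";
    }
}
```

In awstats.pl the same lookup replaces the two lines `my $function=...;` and `eval("$function");`, with the undef case routed to error() instead of printing.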


Thursday, February 03, 2005

Identity Theft quiz

Take this quiz on Identity theft and find out your score. It is conducted by Better Business Bureau and Javelin Strategy & Research.

My score was 15. Note that a perfect score is 0 and the worst possible score is 100; a typical score is 38.

Have fun, and if possible, do post back your results via the comments on this blog.

Wednesday, February 02, 2005

Awstats security hole

An update to this entry has been posted here.

There is a security hole in AWStats versions 5.0 to 6.2 when AWStats is used as a CGI: a remote user can execute arbitrary commands on your server with the permissions of your web server user. However, if you use AWStats with another version, or with the option AllowToUpdateStatsFromBrowser set to 0, you are safe.

See a sample exploit.

Anyone using the older versions must upgrade to the latest version, 6.3. Even some high-profile bloggers like Russell Beattie and Jeremy Zawodny had their servers hacked because of this exploit.

Tuesday, February 01, 2005

What is a CAPTCHA?

CAPTCHA is an acronym for Computer Aided Public Turing test to tell Computers and Humans Apart. You have probably seen a CAPTCHA in action on a website as a colorful image with distorted text inside it.

CAPTCHAs are used to prevent automated bots from signing up for various web services like email, or from taking part in online polls, etc. Companies like Yahoo realized that bots were signing up for thousands of email accounts and then using these email addresses to send out massive amounts of spam. These days CAPTCHA is used extensively by the blogging community to reduce comment spam.

The reason CAPTCHAs are used is that it is easy for humans to read the distorted text (as above), but this cannot be done by computers (although this claim has been proven false; see here). The user has to type in the word shown in the CAPTCHA while signing up for the service. If the user's input matches the text embedded in the image, then the sign-up is allowed.

CAPTCHAs pose serious accessibility problems. Because CAPTCHAs are designed to be unreadable by machines, common assistive technology tools such as screen readers cannot interpret them.

This noble idea of using CAPTCHAs to reduce spam is being thwarted by spammers. Next time, I'll describe how this is done.

Ciao!

Copyright Anand Jain 2004, 2005. All rights reserved.