Friday, April 29, 2005

Fuzzing

I attended OWASP's local chapter meeting for a presentation on Web Services Security. It was during the presentation that I learnt a new word: fuzzing. According to SPI Dynamics' website:
"Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities. For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one of the application entry points to observe how the application handles it.
So you basically throw random or malformed data at a web service or a web application and watch how it reacts: error messages, crashes, hangs, or any other behaviour the developer did not intend. I've sometimes done this type of testing, but just learned that this is called fuzzing.

It always feels good to learn something new. If you want to know more about fuzzing, check out the Wikipedia article on fuzz testing.
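To make the definition above concrete, here is a small fuzzer written for this post (it is an added example, not code from SPI Dynamics or from the OWASP talk). It generates both "sequential" data (every size from zero up) and random data, submits each sample to a target, and records any failure outside the target's documented contract. The target, parse_record, is a toy record parser constructed for the example with a deliberate defect; it stands in for a real application entry point.

```python
import random
from typing import Callable, Dict, Iterator


def parse_record(data: bytes) -> dict:
    """Toy target constructed for this example: a record is a 1-byte name
    length, the name, 1 flag byte and a 2-byte big-endian value.  Its contract
    is to raise ValueError on bad input; any other exception is a bug."""
    name_len = data[0]                       # blows up on empty input
    name = data[1:1 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")
    flags = data[1 + name_len]               # blows up when the flag byte is missing
    value = int.from_bytes(data[2 + name_len:4 + name_len], "big")
    return {"name": name.decode("latin-1"), "flags": flags, "value": value}


def generate_inputs(rng: random.Random, count: int, max_len: int = 64) -> Iterator[bytes]:
    """Produce the two kinds of data the SPI Dynamics definition mentions:
    a sequential sweep of sizes, then random bytes of random size."""
    for size in range(max_len):              # sequential: every size from 0 up
        yield b"A" * size
    for _ in range(count):                   # random: content and size both vary
        size = rng.randint(0, max_len)
        yield bytes(rng.getrandbits(8) for _ in range(size))


def fuzz(target: Callable[[bytes], object], iterations: int = 2000,
         seed: int = 1, expected: tuple = (ValueError,)) -> Dict[str, bytes]:
    """Feed generated inputs to target and collect every failure that falls
    outside its documented contract, keeping the shortest trigger per
    exception type so each finding is easy to reproduce."""
    rng = random.Random(seed)                # fixed seed: runs are reproducible
    findings: Dict[str, bytes] = {}
    for sample in generate_inputs(rng, iterations):
        try:
            target(sample)
        except expected:
            continue                         # rejected cleanly, as designed
        except Exception as exc:             # anything else is a finding
            key = type(exc).__name__
            if key not in findings or len(sample) < len(findings[key]):
                findings[key] = sample
    return findings


if __name__ == "__main__":
    for exc_name, trigger in fuzz(parse_record).items():
        print(f"{exc_name}: shortest triggering input = {trigger!r}")
```

Run as-is it reports the IndexError that an empty record provokes. Note what it cannot see: when the two value bytes are missing, parse_record silently returns a value of 0 rather than failing, and a crash-only fuzzer never notices that. Catching silent misbehaviour needs a property check on the result (for instance, re-encoding the parsed record and comparing), which is the next step beyond what the post describes.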

Wednesday, April 27, 2005

Authentication and encryption

Authentication is the mechanism for verifying the identity of the person or server you are communicating with. For example, when you log into your email account, you are challenged to provide your username and password to prove your identity to the server. This is an example of one-way authentication: only one side is verified. Authentication mechanisms vary. You can use passwords, or certificates such as the server-side certificates issued by a certificate authority like Verisign. Two-way authentication, or mutual authentication, is performed when both parties check each other's credentials before exchanging data. Two-way authentication is usually achieved with a client-side certificate plus a server-side certificate, and it is most often used for server-to-server communication.

Encryption is the mechanism that scrambles your conversation (or data) so that it only makes sense to the intended recipient, who holds the key needed to unscramble it. There are various ways to encrypt data. On the world wide web, data is encrypted in transit using SSL (and its successor, TLS); https is simply HTTP carried over such a connection.

Whenever you start an SSL session with a website, the browser first checks the server's certificate to make sure the server really is who it claims to be: the certificate must be signed by a certificate authority the browser trusts, the name in the certificate must match the host name you asked for, and the certificate must be within its validity period. If the name doesn't match or the certificate has expired, the browser will usually pop up a dialog box describing the problem and asking whether you still want to accept the certificate. Accepting it means you no longer know who is on the other end, which is exactly the situation a man-in-the-middle attacker is hoping for.
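The two checks a browser performs that a script can reproduce, name matching and validity dates, are shown below as an added example (my code, not the browser's or any library's implementation). It works on a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns; the SAMPLE_CERT and the two timestamps are constructed for the demo. Chain validation, the third check, is deliberately left to the TLS library, because it needs the browser's store of trusted CAs to answer.

```python
import ssl
import time
from typing import List

# Constructed certificate in the dictionary layout that
# ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}
# Two points in time to evaluate the sample against (constructed).
MID_2005 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")
EARLY_2006 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2006 GMT")


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate claims: subjectAltName entries, or the
    commonName only as a fallback when no subjectAltName is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the host the user asked for.  A
    wildcard is honoured only for the leftmost label: *.example.com covers
    mail.example.com but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                          # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost


def check_certificate(cert: dict, hostname: str, now: float = None) -> List[str]:
    """Return the problems a browser would warn about for this certificate:
    name mismatch, not yet valid, or expired.  An empty list means it passes.
    Chain validation (is the issuer a CA we trust?) is left to the TLS
    library, which needs the CA store to answer it."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"host name {hostname!r} does not match certificate names {names!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid (notBefore " + cert["notBefore"] + ")")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired (notAfter " + cert["notAfter"] + ")")
    return problems


if __name__ == "__main__":
    for host, when in (("www.example.com", MID_2005), ("mail.example.com", MID_2005),
                       ("www.example.org", MID_2005), ("www.example.com", EARLY_2006)):
        print(host, check_certificate(SAMPLE_CERT, host, when) or "OK")
```

In production code you would not write this yourself: ssl.create_default_context() performs name matching, date checks and chain validation together, and the point of the example is to show what that one call is doing on your behalf and why the browser's warning dialog should not be clicked through.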

Sunday, April 24, 2005

Using SSH to reduce connectivity overhead between servers

Let's say that a server hosted in one datacenter needs to connect to a server located in another datacenter. For example, an application hosted in your own datacenter needs to send out SMS messages, so it connects to the carrier's gateway in their datacenter.

Usually, with this kind of connectivity requirement, you would use SSL encryption between the servers to stop the data leaking to anyone sniffing the link. You would also set up IP filtering or mutual authentication via certificates on both sides to keep out unauthorized connections.

Every time your application opens a new connection to the other server with mutual authentication over SSL, it pays for a full handshake: public-key operations and certificate verification on both sides, plus the extra network round trips. Done once per request, that is an expensive operation in terms of both CPU usage and latency.

How could you reduce this overhead? If you set up a permanent SSH tunnel between your server and the other server, the handshake becomes a one-time cost paid when the tunnel comes up. All your requests go to a local SSH end-point; SSH encrypts the data, carries it to the other server, decrypts it there and hands it to the target service to process. Two caveats. First, you need an account on the other server to set up the tunnel, ideally a dedicated, restricted account that is only allowed to forward ports and not to run a shell. Second, SSH only protects the hop between the two SSH endpoints: if target_server is not the machine running sshd, the last leg from that machine to target_server:target_port travels in the clear on the remote network. Keeping a single long-lived SSL connection open, or relying on SSL session resumption, cuts the same per-request handshake cost without needing a shell account at all.

Here is how you would set up the SSH tunnel (-N opens no remote shell, -f sends ssh to the background once the forwarding is ready, and user@remote_host is the account on the other side):
ssh -f -N -L local_port:target_server:target_port user@remote_host

You just need to modify your application to send all its requests to local_port on the local machine; the tunnel forwards them to target_server:target_port on the other side. If the tunnel drops, the application's connections fail with it, so run ssh under something that restarts it (autossh, for instance) rather than starting it by hand once.

SSH not only encrypts everything between the two endpoints, it can also be set up to authenticate with a public/private key pair instead of a password, which is what you want for an unattended tunnel.

Thursday, April 21, 2005

What is a Denial of Service attack?

A Denial of Service (DoS) attack happens when the users of a particular service (or a website) are unable to access or use that service because of an attack on it. Let's say an attacker floods a website with so many requests at once that the site is unable to serve its regular users. The server is so busy trying to keep up with the flood (say, 5,000 requests every second) that it appears unresponsive to everyone else.

In a DoS attack the attacker's immediate goal is not to steal data or user information; the attacker just wants to disrupt the service. (A flood is sometimes used as a distraction while something else is attempted, but the disruption itself is the attack.)

Computers and networks need network bandwidth, CPU time, memory, disk space and so on to operate. If even one of these resources is consumed to exhaustion, the result is a denial of service. One example of consuming a scarce resource is a SYN flood: the attacker sends a stream of TCP SYN packets, usually with forged source addresses, and never completes the three-way handshake, so the server's table of half-open connections fills up and legitimate connection attempts are dropped.
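The half-open connections a SYN flood leaves behind are visible to the administrator as SYN_RECV entries in netstat. As an added example (not from the original post), here is a small script that parses `netstat -ant` output, counts half-open connections per remote host and in total, and flags a suspicious state. SAMPLE_NETSTAT is a constructed sample in the Linux netstat layout, not a real capture; the thresholds are assumptions you would tune for your own server.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample of `netstat -ant` output on a Linux web server (not a
# real capture).  203.0.113.7 has four half-open connections to port 80.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:40211       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40212       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40213       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40214       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.23:51000     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:51001     SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.9:33333         ESTABLISHED
"""


def split_host(endpoint: str) -> str:
    """Strip the port from 'host:port'; also works for netstat's IPv6-mapped
    form such as '::ffff:203.0.113.7:40211'."""
    return endpoint.rsplit(":", 1)[0]


def connections_by_state(netstat_output: str) -> Dict[str, Counter]:
    """Parse netstat -ant lines into {state: Counter(remote host -> count)}."""
    by_state: Dict[str, Counter] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                                  # header or non-TCP line
        foreign, state = fields[4], fields[5]
        if state == "LISTEN":
            continue                                  # listening socket, no peer
        by_state.setdefault(state, Counter())[split_host(foreign)] += 1
    return by_state


def syn_flood_report(netstat_output: str, per_source_threshold: int = 3,
                     total_threshold: int = 4) -> dict:
    """Summarise half-open (SYN_RECV) connections: the total, the sources at or
    above per_source_threshold, and a verdict.  The total matters more than
    any single source, because a real SYN flood usually spoofs its source
    addresses and spreads them thin.  Thresholds are assumed values."""
    half_open = connections_by_state(netstat_output).get("SYN_RECV", Counter())
    total = sum(half_open.values())
    offenders: List[str] = [host for host, n in half_open.most_common()
                            if n >= per_source_threshold]
    return {
        "half_open_total": total,
        "offenders": offenders,
        "suspicious": total >= total_threshold,
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_NETSTAT))
```

On a live box you would feed it the real output (`netstat -ant`, or `ss -tan state syn-recv` on newer systems). Counting is only diagnosis; the usual mitigation on Linux is SYN cookies (the net.ipv4.tcp_syncookies sysctl), which let the kernel stop keeping state for half-open connections at all.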

A Distributed Denial of Service (DDoS) attack occurs when many machines direct their attack at a single target. Attackers often infect vulnerable (for example, unpatched) machines with malicious code precisely so they can orchestrate a DDoS attack on a particular target. This gives you one more reason to keep your computers patched with the latest security updates.

Monday, April 18, 2005

Been busy

Lately, I've been extremely busy working on my FooBar Search Alert, which is now in the beta release. Hence, the delay in posting on this blog. I am working on writing an entry explaining what a Denial of Service (DoS, DDoS) attack is. Also, writing up something on SSH and its various uses. I'll be posting the DoS entry before the weekend.

Thanks for your patience.

Saturday, April 09, 2005

Grabbing script source files from a server

Let's say you go to a site and see that it is run by a scripting language like PHP, Perl, ASP etc. Whenever you make a request to that site through your browser, the webserver executes the script that was requested and sends you back the results, not the script's source file. Simple enough. Now let's see how you might grab the source files from that site anyway.

So let's assume that the site is run by PHP scripts. The browser's initial request is served by index.php. If you click the hyperlinks on that page (which point to more PHP files), the webserver executes those scripts and sends you back their output. What happens if you append ".bak" to the name of the script file, assuming a backup copy of the file exists in that same directory? The webserver sees a request for a file that is not mapped to the PHP handler and serves it as-is, without executing it: it is configured to execute ".php" files, not ".bak" files. What you get back is the actual script source. (Whether index.php.bak in particular is still executed depends on how the server matches its handler to file names; a backup called index.bak or index.old is never handed to the interpreter.)

This happens because of the carelessness of the site admin or programmer, who renames the old file to ".bak", ".old", ".php.1" or something similar before replacing the script, and then never deletes the backup. This trick is not always easy to pull off, because you may have to try many filename and extension combinations before striking gold, and the site might not have any backup copies in the first place. (But you would be surprised how many high-profile websites leave ".bak" files lying around.) On the defending side the fix is simple: keep backups and version history outside the web root, and configure the webserver to refuse to serve files matching patterns such as *.bak, *.old or *~.
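Trying the combinations by hand is tedious, so here is an added example (my code, not part of the original post) that automates the check for a site you are authorised to test: for each script path it builds the likely backup names, fetches them, and reports any that come back with HTTP 200 and a body that looks like unexecuted source rather than rendered HTML. The suffix list, the source markers and FAKE_SITE (an in-memory stand-in for a web server so the demo runs offline) are all assumptions constructed for the example.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Naming habits the post describes (.bak, .old, .php.1) plus a few editor leftovers.
SUFFIXES = (".bak", ".old", ".1", ".orig", ".save", "~")
# If the response body contains one of these, we got source, not rendered output.
SOURCE_MARKERS = (b"<?php", b"<%", b"#!/usr/bin/perl", b"use strict;")

Fetcher = Callable[[str], Tuple[int, bytes]]   # path -> (HTTP status, body)


def backup_candidates(path: str) -> List[str]:
    """Backup names to try for one script path, most common first:
    /dir/index.php -> /dir/index.php.bak, /dir/index.bak, /dir/index.php.old, ..."""
    directory, _, filename = path.rpartition("/")
    stem = filename.rsplit(".", 1)[0]
    candidates: List[str] = []
    for suffix in SUFFIXES:
        for base in (filename, stem):
            candidate = f"{directory}/{base}{suffix}"
            if candidate not in candidates:        # stem == filename when no extension
                candidates.append(candidate)
    return candidates


def find_leaked_sources(script_paths: Iterable[str], fetch: Fetcher) -> Dict[str, str]:
    """For each script, probe its backup candidates and report the first one
    that comes back 200 with a body that looks like unexecuted source."""
    leaks: Dict[str, str] = {}
    for path in script_paths:
        for candidate in backup_candidates(path):
            status, body = fetch(candidate)
            if status == 200 and any(marker in body for marker in SOURCE_MARKERS):
                leaks[path] = candidate
                break
    return leaks


def http_fetcher(base_url: str) -> Fetcher:
    """Fetcher for a live site you are authorised to test (not used offline)."""
    def fetch(path: str) -> Tuple[int, bytes]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as response:
                return response.getcode(), response.read(8192)
        except urllib.error.HTTPError as err:
            return err.code, b""
        except urllib.error.URLError:
            return 0, b""                          # connection-level failure
    return fetch


# Constructed fake site for the offline demo: the admin left index.php.bak and
# login.old in the document root; about.php has no backup at all.
FAKE_SITE = {
    "/index.php": (200, b"<html><body>Welcome</body></html>"),
    "/index.php.bak": (200, b"<?php include('config.php'); echo render(); ?>"),
    "/login.php": (200, b"<html><form method='post'>...</form></html>"),
    "/login.old": (200, b"<?php $db_pass = 'hunter2'; ?>"),
    "/about.php": (200, b"<html><body>About us</body></html>"),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(path, (404, b""))


if __name__ == "__main__":
    scripts = [p for p in FAKE_SITE if p.endswith(".php")]
    for script, backup in find_leaked_sources(scripts, fake_fetch).items():
        print(f"{script}: source exposed at {backup}")
```

Against a real site, swap fake_fetch for http_fetcher("https://www.example.com") and feed it the script paths you collected by crawling. The same script doubles as a self-check to run against your own web root after a deployment, which is the use a defender cares about.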

Friday, April 08, 2005

Beware of scamsters on Craigslist

Yesterday evening, I posted an ad on Craigslist to sell my 15 inch LCD monitor. This morning I received an interesting response to my ad.

Something about the response didn't seem right. Remember, if it is too good to be true, there is a rat hiding somewhere. Firstly, this guy promises to buy my monitor right away, without any questions. Secondly, the whole Western Union thing got me thinking. By the way, who buys stuff for friends who are out of town, anyway?

Let's say I respond to his email and send him my full name, address and telephone number (obviously, when I respond via email, he gets to know my email address). Then he would send me a fake Western Union email stating that the money had been deposited into my account (or something like that). Trusting the fake email, I would have let the FedEx guy come and pick up my monitor. Not only would the monitor be gone forever, my email address might also be sold off to a spammer.

Time for some detective work. I noticed that the email was sent via Yahoo. Yahoo has a neat thing called Yahoo Profiles, which also tells you when the email address was created. A quick check of the profile page tells me that the address was created just a few days ago, maybe with the sole intent of scamming.

So, whenever you receive a generic enough response to your Craigslist ad, don't even bother to reply. Usually when someone genuinely responds to your ad, they ask a question or two, want to set up a time to meet, or leave a phone number for you to call back. Don't give out your full name, address or phone number in the first email exchange with a potential buyer, unless you are sure the other guy is genuinely interested in purchasing your stuff.

Wednesday, April 06, 2005

Why has my spam gone down suddenly?

It seems that for the past 4-5 days I have been getting virtually no spam (except for the odd email). I made no changes either to my mailbox or to the mail server settings. I do get all my other emails.

Why did the spam machines go quiet? Not that I am complaining, but it makes me wonder what happened. Has this something to do with Microsoft filing lawsuits against 118 phishing sites? Dunno.

Is it just me, or have you guys also seen a reduction in spam email?

Tuesday, April 05, 2005

Why is reporting phishing emails so difficult?

The other day, I received an email claiming that the credit card on file with my eBay account had expired and that I would need to re-enter my account details. One glance at it and I knew it was a phishing email.

I immediately went over to eBay's website, hoping to let them know about this incident. They have a "security center" link at the bottom of their home page. Once you click on it, they ask you a bunch of questions.

Answer them, and after some more clicks they want you to sign in to report the issue.

Now, this raises the question: why do they want me to sign in just to report a spoofed email? What if I don't have an eBay account? Why not make it simple for a user to report a spoofed email? A friend of mine was telling me that Sprint PCS wanted him to write everything down on a piece of paper and mail it to them!

Just give me a simple box (a textarea or something) where I can paste the contents of the email, and you can figure out the rest. For advanced users, you could also offer the option to paste the full email headers, which show where the message really came from. Guys, just look at PayPal's report-spoof page for inspiration.

Sunday, April 03, 2005

Google hacks

Have you ever typed in the following phrases in Google?
Give it a shot. See what you end up with. These are called 'index hacks'. By the way, you can enter these phrases in just about any search engine.

Saturday, April 02, 2005

Essential things to have on every machine

  1. Firefox.
  2. A good antivirus. You could go with either of the market leaders, McAfee or Norton. If you are working with a Linux machine or want to go the open source route, consider ClamAV.
  3. The latest updates for the operating system. For Windows, that means Windows XP Service Pack 2, which ships with a built-in firewall. Be sure to enable auto-updates for whichever OS you are working with.
  4. Spybot - Search & Destroy - it detects and cleans spyware.
  5. Ad-Aware Personal edition - another good spyware buster.
  6. A good personal firewall. (I don't insist on this too much, but it is nice to have.)

Copyright Anand Jain 2004, 2005. All rights reserved.