Friday, April 29, 2005
"Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities. For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one of the application entry points to observe how the application handles it. So you basically throw random (or systematically varied) data at a web service or a web application and watch how it reacts to your input: a crash, a hang, an unhandled exception or a stack trace in the response is the interesting result, while a clean rejection of bad input is not. I've sometimes done this type of testing, but just learned that this is called fuzzing.
It always feels good to learn something new. If you want to know more about fuzzing, check out this Wikipedia link on Fuzz testing.
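To make the technique concrete, here is a small fuzzer, added as an illustration and not part of the original post. It does not target a real application: parse_message is a constructed toy parser that trusts a declared length the way a C program copying into a fixed buffer would, and the fuzzer alternates between well-formed records of growing size and random junk, treating ValueError as the parser's expected rejection and anything else as a crash worth investigating. parse_message_fixed is the hardened version for comparison; all names here are mine.

```python
import random

BUF_SIZE = 64  # size of the fixed "buffer" the toy parser copies into


def parse_message(data: bytes) -> bytes:
    """Constructed vulnerable parser: records look like b'NN:payload'.
    It trusts the declared length NN and copies that many bytes into a
    fixed-size buffer, the same pattern as a buffer overflow in C."""
    header, sep, payload = data.partition(b":")
    if not sep:
        raise ValueError("missing separator")   # expected rejection
    length = int(header)                         # ValueError on a junk header
    buf = bytearray(BUF_SIZE)
    for i in range(length):                      # no bounds check on length
        buf[i] = payload[i]                      # IndexError past 64 or past the payload
    return bytes(buf[:length])


def parse_message_fixed(data: bytes) -> bytes:
    """Hardened parser: validate the declared length before copying anything."""
    header, sep, payload = data.partition(b":")
    if not sep:
        raise ValueError("missing separator")
    length = int(header)
    if length < 0 or length > BUF_SIZE or length > len(payload):
        raise ValueError("declared length out of range")
    return payload[:length]


def fuzz(target, expected=(ValueError,), iterations=200, max_len=512, seed=1):
    """Feed the target sequential (well-formed, growing) and random inputs.

    Returns (input, exception) pairs for every input that made the target fail
    in any way other than the expected clean rejection."""
    rng = random.Random(seed)       # fixed seed so every crash is reproducible
    crashes = []
    for i in range(iterations):
        n = rng.randint(0, max_len)
        body = bytes(rng.getrandbits(8) for _ in range(n))
        if i % 2 == 0:
            data = b"%d:" % n + body    # well-formed header, payload of size n
        else:
            data = body                 # pure random junk
        try:
            target(data)
        except expected:
            continue                    # clean rejection: not interesting
        except Exception as exc:        # anything else is a potential bug
            crashes.append((data, repr(exc)))
    return crashes


def minimal_crash_length(crashes):
    """Length of the shortest crashing input, a cheap hint at where the boundary is."""
    return min(len(data) for data, _ in crashes) if crashes else None


if __name__ == "__main__":
    found = fuzz(parse_message)
    print(f"vulnerable parser: {len(found)} crashing inputs, "
          f"shortest {minimal_crash_length(found)} bytes, e.g. {found[0][1]}")
    print(f"fixed parser: {len(fuzz(parse_message_fixed))} crashing inputs")
```

The point of the expected/crash split is that a fuzzer is only as useful as its oracle: an application that answers "400 Bad Request" to garbage is behaving, one that answers with a 500 or stops answering is not, and the fixed seed is what lets you hand the crashing input to a developer.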
Wednesday, April 27, 2005
Authentication and encryption
Encryption is the mechanism that scrambles your conversation (or data) so that it only makes sense to the intended recipient. There are various ways to encrypt data. On the web, encrypted data is transferred using SSL (https).
Whenever you start an SSL session with a website, the browser first checks the certificate presented by the server to make sure it really is the server it claims to be: the certificate must be signed by a certificate authority the browser trusts, its name must match the host name you typed, and it must be within its validity period. If the certificate name and the server name don't match or the certificate has expired, the browser will usually pop up a dialog box informing you of the problem and asking whether you still want to accept the certificate.
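What the browser actually checks, written out as an added example (not code from the original post): the name match and the validity period, against the dictionary shape Python's ssl module returns from getpeercert(). EXAMPLE_CERT is constructed for the example and is not a real certificate. The signature chain up to a trusted CA is deliberately not covered here; in practice ssl.create_default_context() performs that verification together with these two checks.

```python
import ssl
import time

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate.
EXAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def dns_names(cert):
    """Names the certificate claims: subjectAltName DNS entries, or the CN if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard standing for exactly one leftmost
    label: *.example.com covers www.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and bool(h_labels[0])
            and p_labels[1:] == h_labels[1:])


def hostname_matches(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))


def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would warn about; an empty list means the
    name and validity checks pass (trust-chain verification is a separate step).
    `now` may be a Unix timestamp or a time string in the certificate's own format."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    at = "Jun  1 12:00:00 2025 GMT"
    for host in ("www.example.com", "example.com", "a.b.example.com", "evil.com"):
        print(host, check_certificate(EXAMPLE_CERT, host, now=at) or "ok")
```

The wildcard rule is the part people get wrong when they hand-roll this: a wildcard must replace a whole leftmost label and nothing more, otherwise a certificate for *.example.com would be accepted for example.com itself or for hosts several levels deeper.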
Sunday, April 24, 2005
Using SSH to reduce connectivity overhead between servers
Usually, when you have such connectivity requirements, you would use SSL encryption between the servers to prevent data leaking via sniffing. You would also set up IP filtering or mutual authentication via certificates on both sides to prevent unauthorized connections.
Every time your application connects to the other server using a combination of mutual authentication and SSL, it is an expensive operation in terms of CPU usage and the time spent in the connection handshake.
How could you reduce this overhead? If you set up a permanent SSH tunnel between your server and the other server, the expensive handshake (now the SSH one, key exchange and authentication included) becomes a one-time cost. All your requests go to your local SSH end-point; SSH encrypts the data, sends it over to the other server, where the SSH daemon decrypts it and hands it to the target service to process. Two caveats: you need an account on the other server to set up the tunnel, and the traffic is in plaintext between your application and the local SSH end-point and again between the SSH daemon and the target service, so both of those legs must stay on the loopback interface or a network you trust.
Here is how you would set up the SSH tunnel (-N keeps the session open without starting a remote shell, and your_account is the account you have on the other server):
ssh -N -L local_port:target_server:target_port your_account@target_server
You just need to modify your application to send all its requests to local_port on the local machine and they will automatically be forwarded to target_port on target_server by the SSH tunnel. The target_server:target_port part of the -L option is resolved on the SSH server's side, so when the SSH server is the target itself you can equally write localhost:target_port there.
SSH not only encrypts everything between the two SSH end-points, it can also be set up to authenticate with a public/private key pair instead of a password.
Thursday, April 21, 2005
What is a Denial of Service attack?
In a DoS attack, the attacker's goal is not to steal data or user information. The attacker just wants to disrupt the service.
Computers and networks need network bandwidth, CPU power, memory, hard disk space and so on to operate. If even one of these resources is consumed in excess, the result is a denial of service. One example of consuming a scarce resource to cause a DoS is a SYN flood attack: the attacker sends a stream of TCP SYN packets (usually from spoofed source addresses) and never completes the handshake, so the server's table of half-open connections fills up and legitimate connection attempts are dropped.
A Distributed Denial of Service (DDoS) attack occurs when a bunch of machines direct their attack towards a single target. Sometimes crackers infect vulnerable machines (like unpatched machines) with malicious code to orchestrate a DDoS attack on a particular target. This gives you one more reason to keep your computers patched with the latest security updates.
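As an added example (not from the original post), here is how you would spot the SYN flood symptom on a Linux box from the output of netstat -tn: a pile of sockets stuck in SYN_RECV. The SAMPLE_NETSTAT lines are constructed to look like netstat output rather than captured from a real host, and the threshold is an assumption you would tune to the listen backlog of the service in question.

```python
from collections import Counter

# Constructed lines in the layout of `netstat -tn` on Linux; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.11:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.12:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.13:40004      SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.9:60000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.14:40005      SYN_RECV
"""


def parse_netstat(text):
    """Yield (local, foreign, state) for each TCP socket line, skipping the two header lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0].startswith("tcp"):
            yield fields[3], fields[4], fields[5]


def half_open_summary(text):
    """Count SYN_RECV sockets per local port and per foreign address."""
    per_port, per_source = Counter(), Counter()
    for local, foreign, state in parse_netstat(text):
        if state == "SYN_RECV":
            per_port[local.rsplit(":", 1)[1]] += 1        # rsplit copes with IPv6 literals
            per_source[foreign.rsplit(":", 1)[0]] += 1
    return per_port, per_source


def syn_flood_suspected(text, threshold=4):
    """Return {port: (half_open_count, distinct_sources)} for every local port whose
    half-open count reaches the threshold. Judge by the total per port rather than by
    source: flood packets usually carry spoofed sources, so the per-source view looks
    like many unrelated clients each with a single stuck connection."""
    per_port, per_source = half_open_summary(text)
    suspects = {}
    for port, count in per_port.items():
        if count >= threshold:
            sources = {
                foreign.rsplit(":", 1)[0]
                for local, foreign, state in parse_netstat(text)
                if state == "SYN_RECV" and local.rsplit(":", 1)[1] == port
            }
            suspects[port] = (count, len(sources))
    return suspects


if __name__ == "__main__":
    print(syn_flood_suspected(SAMPLE_NETSTAT))   # port 80 with 5 half-open sockets from 5 sources
```

A threshold of four only makes sense for the seven-line sample; on a real server you would compare the SYN_RECV count with the listen backlog (the third argument to listen(), capped by the kernel's somaxconn) and with the host's normal baseline, and the usual mitigation is to enable SYN cookies so the table cannot be exhausted in the first place.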
Monday, April 18, 2005
Thanks for your patience.
Saturday, April 09, 2005
Grabbing script source files from a server
So, let's assume that the site is run by PHP scripts. The browser makes the initial request, which is served by index.php. Now if you click the hyperlinks (that point back to more PHP files) on that page, the web server is going to execute the scripts and send you back the output. What happens if you append a ".bak" to the name of the script file (assuming that there is a backup version of the file in that same directory)? The web server sees a request for a file it is not configured to execute: it runs ".php" files, not ".php.bak" files, so it serves the file as static content. What you get back is the actual script source, including any credentials or logic embedded in it.
This happens because of the carelessness of the site admin or programmer, who renames the old file to ".bak", ".old", ".php.1" or something similar before replacing the script and then never deletes the backup version. This is not an easy hack to pull off, because you may have to try many filename/extension combinations before striking gold, and the site might not have backup versions in the first place. (But you would be surprised how many high-profile websites leave ".bak" files out there.)
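A model of the misconfiguration described above, added here as an example and not from the original post. WEBROOT is a constructed directory listing, serve imitates a web server that executes ".php" and hands anything else out as a static file, and backup_candidates generates the names an attacker would try: the ".bak", ".old" and ".php.1" variants from the post plus a few other common leftovers, which are my assumption. DENY_BACKUPS shows the server-side fix, refusing to serve those names at all whether or not the files exist.

```python
import re

# Constructed webroot: URL path -> file contents. Not a real site.
WEBROOT = {
    "/index.php": "<?php include 'login.php'; echo 'welcome'; ?>",
    "/login.php": "<?php $db_pass = 'new-secret'; /* current version */ ?>",
    "/login.php.bak": "<?php $db_pass = 'old-secret'; /* forgotten backup */ ?>",
    "/style.css": "body { color: black; }",
}

# .bak, .old and .1 come from the post; the rest are assumed common editor/admin leftovers.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".1", ".save", "~", ".swp")


def backup_candidates(script_path):
    """Names an attacker would try for one script: login.php.bak, login.bak, login.php~ ..."""
    stem, _, _ext = script_path.rpartition(".")
    names = []
    for suffix in BACKUP_SUFFIXES:
        names.append(script_path + suffix)      # /login.php.bak
        if stem:
            names.append(stem + suffix)         # /login.bak
    return names


def serve(path, webroot, deny=None):
    """Model of the web server. Returns (status, body).
    Only '.php' is mapped to the interpreter; any other existing file is sent
    verbatim, which is exactly how the backup copy leaks its source."""
    if deny is not None and deny.search(path):
        return 403, ""                          # hardened: refuse backup names outright
    if path not in webroot:
        return 404, ""
    if path.endswith(".php"):
        return 200, "<html>rendered output of " + path + "</html>"   # executed, source hidden
    return 200, webroot[path]                   # static file: raw contents


def find_source_leaks(webroot, script_paths, deny=None):
    """Probe the backup names for each script and report those that come back as PHP source."""
    leaks = []
    for script in script_paths:
        for candidate in backup_candidates(script):
            status, body = serve(candidate, webroot, deny)
            if status == 200 and "<?php" in body:
                leaks.append(candidate)
    return leaks


# Server-side fix: deny the backup naming patterns regardless of what is on disk.
DENY_BACKUPS = re.compile(r"(\.bak|\.old|\.orig|\.save|\.swp|~|\.\d+)$")


if __name__ == "__main__":
    scripts = [p for p in WEBROOT if p.endswith(".php")]
    print("vulnerable:", find_source_leaks(WEBROOT, scripts))
    print("hardened:  ", find_source_leaks(WEBROOT, scripts, deny=DENY_BACKUPS))
```

The deny rule is the equivalent of an Apache FilesMatch block or an nginx location that returns 403 for those suffixes; it is a safety net, and the real fix is to keep backups and editor swap files out of the document root altogether.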
Friday, April 08, 2005
Beware of scamsters on Craigslist
Something about the response didn't seem right. Remember, if it is too good to be true, there is a rat hiding somewhere. Firstly, this guy promises to buy my monitor right away, without any questions. Secondly, the whole Western Union thing got me thinking. btw, who buys stuff for friends who are out of town, anyway?
Let's say I respond to his email and send him my full name, address and telephone number (obviously when I respond via email, he gets to know my email address). Then he would send me a fake Western Union email stating the money has been deposited into my account (or something like that). Trusting the fake email, I would have let the FedEx guy come and pick up my monitor. Not only would the monitor be gone forever, my email address might also be sold off to a spammer.
Time for some detective work. I noticed that the email was sent out via Yahoo. Yahoo has a neato thing called Yahoo Profiles, which also tells you when the email address was created. A quick check on the profile page tells me that the email address was created just a few days ago, maybe with the sole intent of scamming.
So, whenever you receive a generic enough response to your Craigslist ad, please don't even bother to reply. Usually when someone responds to your ad, they would ask you a question or two, or they would want to set up a time to meet, or even leave a phone number for you to call back. Don't give out your full name, address or phone number in the first email exchange with a potential buyer, unless you are 100% sure that the other guy is genuinely interested in purchasing your stuff.
Wednesday, April 06, 2005
Why has my spam gone down suddenly?
Why did the spam machines go quiet? Not that I am complaining, but it makes me wonder what happened. Has this something to do with Microsoft filing lawsuits against 118 phishing sites? Donno.
Is it just me, or have you guys also seen a reduction in spam email?
Tuesday, April 05, 2005
Why is reporting phishing emails so difficult?
I immediately went over to eBay's website, with the hope of letting them know about this incident. They have a "security center" link at the bottom of their home page. Once you click on the security center link, they ask you a bunch of questions:
Answer them and, after some more clicks, they want you to sign in to report the issue.
Now this begs the question: why do they want me to sign in just to report a spoofed email? What if I don't have an eBay account? Why not make it simple enough for a user to report a spoofed email? A friend of mine was telling me that Sprint PCS wanted him to write down everything on a piece of paper and mail it to them!
Just give me a simple box (a textarea or something) where I can cut and paste the contents of the email, and then you guys can figure out the rest. Maybe, for advanced users, you could also give the option to paste in the email's SMTP headers. Guys, just look at PayPal's report-spoof page for inspiration.
Sunday, April 03, 2005
- "Index of /admin"
- "Index of /cgi-bin"
Saturday, April 02, 2005
Essential things to have on every machine
- A good antivirus. You could go with either of the market leaders, McAfee or Norton. If you are working with a Linux machine or want to go the open source route, consider ClamAV.
- The latest updates for the operating system. For Windows, that means Windows XP Service Pack 2, which comes with a built-in firewall. Be sure to enable automatic updates for whatever OS you are working with.
- Spybot - Search & Destroy - it detects and cleans spyware.
- Ad-Aware Personal edition - another good spyware buster.
- A good personal firewall. (I don't insist too much on this, but it is nice to have.)
Copyright Anand Jain 2004, 2005. All rights