Wednesday, August 31, 2005
Netgear WGR614 router rocks
As you guys know, I had been complaining about the Airlink wireless router a few days ago. Phew, I was able to return it to Fry's. Now I have installed a Netgear WGR614 router and, just for the record, want to say that it rocks! The entire setup took less than 10 minutes. The router has a configuration wizard built into the router itself. It also provides an option to bypass the wizard entirely, which is a great convenience to power users like me.
I've turned on WPA encryption and am now enjoying superior security with better speed.
This is how a product, especially an appliance, should be made. Easy to install, easy to use. It works right the first time.
Sunday, August 28, 2005
SQL Injection attacks
MSDN Magazine describes SQL Injection as:
The basic idea behind a SQL injection attack is this: you create a Web page that allows the user to enter text into a textbox that will be used to execute a query against a database. A hacker enters a malformed SQL statement into the textbox that changes the nature of the query so that it can be used to break into, alter, or damage the back-end database.
So why am I writing about SQL injection today? Well, I ran into a prominent yellow pages site yesterday and happened to notice that the way they construct their URLs, they are inviting hackers to come in and perform SQL injection attacks. Here is their URL (no, I am not telling you what site it was on, but if you really want to know then nothing can stop you):
http://someyellowpagesite/cgi-bin/p_yellowpages.cgi?id=3&SQLQuery=SELECT%20LISTING.NAME,LISTING.ADDRESS,LISTING.PHONE,LISTING.CONTACT,LISTING.EMAIL%20FROM%20LISTING%20WHERE%20LISTING.BCCODE=%2248280%22%20ORDER%20BY%20LISTING.NAME&StartRec=21&EndRec=40&TotalRec=2527&SearchName=0&SearchDir=0&SearchClass=1
Notice how they embed the entire SQL query right there in the URL itself. What do you think happens if you change a parameter or two in the SQL query? Heck, what would happen if you removed that query and instead put in something that drops the RDBMS table altogether? hehe.. the possibilities are limited only by your imagination.
The damage done by SQL Injection attacks depends largely on the target environment and configuration. It can be used to cause Denial of Service, by having a query do superfluous work. It can be used to open up a port on the server, which can then lead to getting access to that box itself. It can also be used to corrupt the data on the backend. Endless possibilities.
So fellas, whenever you write applications, always sanitize and check the input passed in from the user. Never, ever take SQL queries or commands from the web tier.
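An added example (not code from the post or from the yellow pages site) of the pattern above and its fix: a handler that runs the SQLQuery parameter verbatim, next to one that accepts only data parameters (BCCODE and the page range), validates them against an allow-list, and binds them into a server-side query. The table, the rows and the URLs are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory stand-in for the site's LISTING table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE LISTING (NAME TEXT, ADDRESS TEXT, PHONE TEXT, "
               "CONTACT TEXT, EMAIL TEXT, BCCODE TEXT)")
    db.executemany("INSERT INTO LISTING VALUES (?,?,?,?,?,?)", [
        ("Zed Plumbing", "1 Main St", "555-0100", "Zed", "zed@example.com", "48280"),
        ("Acme Plumbing", "2 Main St", "555-0101", "Al", "al@example.com", "48280"),
        ("Bob Bakery", "3 Main St", "555-0102", "Bob", "bob@example.com", "48281"),
    ])
    return db

def vulnerable_handler(db, url):
    # The pattern from the post: the SQL text arrives in the URL and is run as-is,
    # so the client, not the application, decides what the database executes.
    params = parse_qs(urlsplit(url).query)
    return db.execute(params["SQLQuery"][0]).fetchall()

SAFE_COLUMNS = ("NAME", "ADDRESS", "PHONE", "CONTACT", "EMAIL")

def hardened_handler(db, url):
    # Only data parameters cross the web tier; the SQL itself lives server-side.
    params = parse_qs(urlsplit(url).query)
    if "SQLQuery" in params:
        raise ValueError("raw SQL in request rejected")
    bccode = params.get("BCCODE", [""])[0]
    if not bccode.isdigit():          # allow-list: category codes are numeric
        raise ValueError("invalid BCCODE")
    start = int(params.get("StartRec", ["1"])[0])
    end = int(params.get("EndRec", ["20"])[0])
    if not (1 <= start <= end and end - start < 100):
        raise ValueError("invalid page range")
    sql = ("SELECT " + ", ".join(SAFE_COLUMNS) +
           " FROM LISTING WHERE BCCODE = ? ORDER BY NAME LIMIT ? OFFSET ?")
    # Values are bound as parameters, never spliced into the SQL string.
    return db.execute(sql, (bccode, end - start + 1, start - 1)).fetchall()
```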
Sunday, August 21, 2005
WiFi enabled Mobile Pocket PC = free phone calls
Just got an idea.. If there existed a mobile Pocket PC device that was WiFi capable, then you could make free phone calls to pretty much anyone in the world.
The other person would have to have Skype installed on his/her device or PC as well. You would have to install the Pocket PC version of Skype on your device and then could use it to make free phone calls to other Skype users, on their mobile devices or PCs. You would have to get an unlimited data plan from your carrier and reduce your monthly voice plan to a bare minimum. Once you have the unlimited data plan, there are no per-call charges anymore. You just pay a flat fee, whether you make phone calls or not.
It could revolutionize the way the telecom industry works. But the question is, will the carriers allow device manufacturers like HP, etc., to add WiFi capabilities to mobile devices?
I like the idea, what about you?
(IN)SECURE magazine
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Get your copy today.
Topics they cover in issue 1.3 are:
- Security vulnerabilities, exploits and patches
- PDA attacks: palm sized devices - PC sized threats
- Adding service signatures to Nmap
- CSO and CISO - perception vs. reality in the security kingdom
- Unified threat management: IT security's silver bullet?
- The reality of SQL injection
- 12 months of progress for the Microsoft Security Response Centre
- Interview with Michal Zalewski, security researcher
- OpenSSH for Macintosh
- Method for forensic validation of backup tapes
Saturday, August 20, 2005
Application level vulnerabilities
I was cleaning up my computer and found a list of application-level vulnerabilities and things that you need to consider when testing your application for security, which I had authored a couple of years ago. It seems the items mentioned in the list are still relevant today, so I am publishing it on my blog. Here it is:
- Hidden form field manipulation
- Parameter tampering (e.g. an invalid session id or an incremental user id)
- Bypassing client-side input validation (turning off JavaScript in the browser)
- Developer defined application backdoors and debug options
- Cookie poisoning
- Cross site scripting and Session hijacking
- Buffer overflow
- Published known vulnerabilities for the components involved in the web application (for example, if your application embeds a third-party software component and a vulnerability is published for that component, then your application is vulnerable too)
- Sample applications or pages and known application paths (e.g. /logs or /admin)
- Examination of application-to-application interaction such as between your application and various other servers
- Brute force password attacks, password guessing and password sniffing. Also of importance is the error message: it should only state a generic message, instead of giving out specific details. This is a worse user experience, but better from the security standpoint.
- How well does the application handle client session cancellation and expiry
- Use of HTTP methods to send data over to the server (GET request parameters become part of the URL and are normally stored in the browser's history)
Thursday, August 18, 2005
Linksys NSLU

So I bought a couple of 200 GB hard drives (these are so cheap these days. You can buy a 200 GB hard disk for around $70) and was on the lookout for a network storage solution. Found the NSLU2 to be a good candidate, both for network storage as well as to hack it to install a custom Linux and make it work as a web server. So basically you plug this directly into your Ethernet port and voila, storage is available to anyone who has access to that network. You can access this from your desktop, laptop or even your PDA if it has WiFi or some other networking option. This is the cheapest way to add a network storage solution to your home.
I guess I am a little late to the NSLU party, going on here and here, but it will be fun nonetheless.
Just cannot wait for it to get delivered. Haven't hacked up a device in a long time now!!!!
Sunday, August 14, 2005
Site of the day - Turnitin.com
Turnitin.com is a plagiarism detector. It's a site used by educators and instructors to detect plagiarism in student papers. Turnitin visits sites for content and then matches that content against student submissions to detect whether a submission was original or "inspired" by online sources.
According to Plagiarism.org
Plagiarism has never been easier than it is today. Before the Internet, cheating was labor-intensive and obvious. Potential plagiarists had to find appropriate works from a limited pool of resources, usually a nearby library, and copy them by hand. Since these resources were almost always professionally written, the risk of detection was very high.
The Internet now makes it easy to find thousands of relevant sources in seconds, and in the space of a short time plagiarists can find, copy, and paste together a term paper, article, or even a book. Because the material online is produced by writers of varying levels of quality and professionalism, it is often difficult or impossible for educators and editors to identify plagiarism.
So sites like Turnitin help detect IP (intellectual property) theft by detecting plagiarised material.
Saturday, August 13, 2005
Dictionary attack
A dictionary attack is a method to break a password-based authentication system using a huge subset of dictionary words. Usually an automated program is used to try out a list of common passwords and/or usernames in combinations until access is gained to the target system.
Some hacker sites allow you to download dictionaries for such attacks. They contain massive lists of words used in a particular language. Don't think that you can get away with using a word from your native language as a password. I've seen dictionaries for pretty much every language out there. That is why some sites, or even your corporate security policy, don't allow you to use simple words as passwords. They mandate the use of a combination of alphanumeric and special characters for passwords.
Some moron has been trying to get into my server with a dictionary attack method. Here is the list of usernames that have been tried so far: dictionary-attack.txt. Notice that the hacker has tried the username "root" in combination with a password 909 times!!!
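An added example (not from the post, and not the post's dictionary-attack.txt) of spotting the pattern described above in an OpenSSH auth log: the log lines are constructed, and the detector flags a source that either hammers one account, as the "root" attempts here, or cycles through many usernames, while a single mistyped password stays unflagged.

```python
import re
from collections import Counter, defaultdict

# Constructed sample OpenSSH auth log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug 13 02:14:01 host sshd[4101]: Failed password for root from 203.0.113.9 port 40122 ssh2
Aug 13 02:14:03 host sshd[4103]: Failed password for root from 203.0.113.9 port 40130 ssh2
Aug 13 02:14:05 host sshd[4105]: Failed password for invalid user admin from 203.0.113.9 port 40141 ssh2
Aug 13 02:14:07 host sshd[4107]: Failed password for invalid user test from 203.0.113.9 port 40150 ssh2
Aug 13 02:14:09 host sshd[4109]: Failed password for invalid user oracle from 203.0.113.9 port 40162 ssh2
Aug 13 02:15:00 host sshd[4120]: Failed password for anand from 198.51.100.7 port 51000 ssh2
Aug 13 02:15:30 host sshd[4122]: Accepted password for anand from 198.51.100.7 port 51002 ssh2
"""

# Matches both "Failed password for root ..." and "... for invalid user admin ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text):
    """Return (failure count per (ip, user), set of usernames tried per ip)."""
    per_pair = Counter()
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        per_pair[(m["ip"], m["user"])] += 1
        users_by_ip[m["ip"]].add(m["user"])
    return per_pair, users_by_ip

def flag_dictionary_attacks(log_text, max_failures=3, max_users=3):
    """Flag a source IP once it exceeds either threshold: total failed logins
    (one account hammered) or distinct usernames tried (username cycling)."""
    per_pair, users_by_ip = parse_failures(log_text)
    flagged = {}
    for ip, users in users_by_ip.items():
        total = sum(n for (src, _), n in per_pair.items() if src == ip)
        if total >= max_failures or len(users) >= max_users:
            flagged[ip] = {"failures": total, "usernames": sorted(users)}
    return flagged
```

The thresholds are assumptions for the example; tune them to the login rate of the server being watched.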
Friday, August 12, 2005
I have a new hobby, it's called phishing
Thursday, August 11, 2005
Breaking MSN search
Wanna break MSN search? Just search for something on http://search.msn.com/. Once you get back the results, just change the protocol in the URL that shows up in your address bar from http:// to https:// and notice that Akamai's error page shows up.
Seems like all three of the top search engines, Yahoo, Google and MSN, use Akamai. Hmm....
Wednesday, August 10, 2005
Nigerian Scammer tales
Here is an article that describes what it is like to be a Nigerian scammer.
Wednesday, August 03, 2005
Hacking an elevator
This is a fun hack posted on TheDamnBlog that shows how to hack an elevator to go directly to your floor without stopping anywhere in between.
The designers of some elevators include a hidden feature that is very handy if you're in a hurry or it's a busy time in the building (like check-out time in a hotel). While some elevators require a key, others can be put into "Express" mode by pressing the "Door Close" and "Floor" buttons at the same time. This sweeps the car to the floor of your choice and avoids stops at any other floor.
Copyright Anand Jain 2004, 2005. All rights reserved.