Sarath Lakshman

Archive for the ‘Hacks’ Category


Posted on May 26, 2011 - by Sarath

Protecting yourself from Facebook vulnerabilities

Facebook is a large social networking platform in which every user has a profile and a wall. Over the recent months, Facebook has been flooded with malware applications and spammers. In such an environment it is important to understand how to avoid becoming a target.

Spam and Malware
To keep away from spammers and malware, the best protection is not to click untrusted or doubtful links and posts. Do not click ‘Allow’ blindly when an application asks for permissions. Always read which permissions an application requests when the ‘Allow’ – ‘Deny’ window pops up, and grant them only to applications from developers you trust.

If you are not aware of how a Facebook application works, here is a short description. Facebook is a platform that provides several interfaces (the Social Graph API) through which an application developer can access data about users, pages, friends, events, photos and so on. The developer uses the API to write a program that reads and manipulates the data Facebook provides, and the application is hosted on the developer’s own servers. Facebook does not look at the application code to see what the application does internally; within the data access limits set by the permissions you approved, the developer can do anything with that data. The permission prompt is therefore the only control you have over what an application can reach.

Facebook Mobile – Vulnerabilities
Facebook Mobile is an additional interface that lets you use your mobile device to update your wall, add friends, reply to friends, comment, upload photos and so on. There is a good number of activities that Facebook Mobile can perform; see the Facebook Mobile page http://www.facebook.com/mobile/

There are a few open vulnerabilities in Facebook. Two of them concern Facebook Upload via Email and Facebook via Text Message.

Facebook via Text Message – The real villain (Post on anyone’s wall vulnerability)
I became a victim of Facebook via Text Message the other day. Frankly, I had never used Facebook via Text Message before and I did not sign up for the feature until today. Yesterday I happened to see a new post on my Facebook wall. It was just a ‘.’ and was marked as Posted using Text Message. I had recently installed the Facebook app for Android on my Nexus S, so I thought some bug in the Facebook app on the mobile had made the wall post. I tried to reproduce the same post on the wall using the mobile. Later I understood that the bad guy had used the feature called Facebook via Text Message, which I had never used. I signed up for the service and tried out how it works.

I found that once a mobile number is linked to a Facebook profile, any SMS message sent to 92FACEBOOK (9232232665) from that linked number is posted on the wall. I was shocked to see such an insecure procedure. Even if you have not signed up for the Facebook Mobile – Text Message feature, your profile is exposed to the vulnerability: if you added a contact mobile number and verified it through Facebook’s mobile verification process, you have subscribed to the vulnerability :)

The Facebook via Text Message system uses the sender’s mobile number alone to identify which profile’s wall the text message is to be posted on. Not only the wall can be manipulated; several other activities are available through Facebook via Text Message. That means the vulnerability gives an attacker control over a large part of your Facebook activity with nothing more than a forged sender number.

SMS spoofing is a weakness in the design of SMS itself: the sender number (originating address) is set by whoever submits the message, and the receiving side has no way to verify it, so it is easy to send a message that appears to come from someone else. Although the SMS gateways in India do not allow spoofing of the sender ID, there are still many paid and free SMS spoofing services outside India, and through them you can send an SMS with a tampered sender identity to anyone.

If you have access to such an SMS spoofing service, you set the sender number to the mobile number of the Facebook user whose wall is to be updated. One spoofed SMS is enough to post on someone else’s wall.

Protection:
Facebook should introduce an additional authentication factor along with the SMS, for example a temporary passcode that the service sends to the registered number and that must accompany the text message. Spoofing lets an attacker forge the sender of a message, not receive messages for that number, so a code delivered to the real handset is exactly what a spoofer does not have. From the user’s end, the best protection is to remove the mobile number linked to the profile.
If you want to show your contact number on the profile, add the contact number, but do not complete the verification of the number that Facebook’s verification system asks for. Your profile will still display the mobile number, and you are protected from the attack.
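To make the failure concrete, here is a small C model of the two designs, written for this post and not Facebook’s code: a gateway that trusts the sender number alone, beside one that first sends a six-digit one-time code to the number on file and only posts when the message carries that code. The account table, the phone numbers and the 300-second code lifetime are invented for the demo. The point it shows is that a spoofing service lets an attacker forge the sender of a message but not receive messages for that number, so only the real handset ever sees the code.

```c
/* Added example (not Facebook's code): a toy inbound-SMS gateway that
 * contrasts the sender-number-only design with one that also demands a
 * short-lived one-time code. Accounts, numbers and CODE_TTL are invented. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define CODE_LEN 6
#define CODE_TTL 300u            /* seconds a code stays valid (assumed) */

struct account {
    const char *name;
    const char *phone;           /* contact number verified by the service */
    char code[CODE_LEN + 1];     /* pending one-time code, "" if none */
    uint32_t issued_at;          /* when the code was sent to `phone` */
    char wall[128];              /* last wall post, for inspection */
};

static struct account accounts[] = {
    { "alice", "+911111111111", "", 0, "" },
    { "bob",   "+912222222222", "", 0, "" },
};
#define NACCOUNTS (sizeof accounts / sizeof accounts[0])

static struct account *lookup(const char *phone)
{
    for (size_t i = 0; i < NACCOUNTS; i++)
        if (strcmp(accounts[i].phone, phone) == 0)
            return &accounts[i];
    return NULL;
}

const char *last_post(const char *phone)
{
    struct account *a = lookup(phone);
    return a ? a->wall : "";
}

/* Weak design: the sender field of the SMS is the whole authentication.
 * A spoofing gateway lets anyone put a victim's number in that field. */
int post_weak(const char *from, const char *body)
{
    struct account *a = lookup(from);
    if (!a)
        return 0;
    snprintf(a->wall, sizeof a->wall, "%s", body);
    return 1;
}

/* Hardened design, step 1: send a fresh one-time code to the number on
 * file. Six unbiased random digits from /dev/urandom (rejection sampling). */
int issue_code(const char *phone, uint32_t now)
{
    struct account *a = lookup(phone);
    FILE *rnd;

    if (!a || !(rnd = fopen("/dev/urandom", "rb")))
        return 0;
    for (int i = 0; i < CODE_LEN; ) {
        unsigned char b;
        if (fread(&b, 1, 1, rnd) != 1) {
            fclose(rnd);
            return 0;
        }
        if (b >= 250)                /* 250 = 25 * 10: reject to avoid bias */
            continue;
        a->code[i++] = (char)('0' + b % 10);
    }
    fclose(rnd);
    a->code[CODE_LEN] = '\0';
    a->issued_at = now;
    return 1;
}

/* Constant-time equality so timing does not leak how many digits matched. */
static int code_matches(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (int i = 0; i < CODE_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened design, step 2: the body must start with "<code> ". The code is
 * single-use and expires, so a captured or guessed one cannot be replayed. */
int post_hardened(const char *from, const char *body, uint32_t now)
{
    struct account *a = lookup(from);
    if (!a || a->code[0] == '\0')
        return 0;
    if (now - a->issued_at > CODE_TTL) {
        a->code[0] = '\0';           /* expired: user must request again */
        return 0;
    }
    if (strlen(body) < CODE_LEN + 1 || body[CODE_LEN] != ' ' ||
        !code_matches(body, a->code))
        return 0;
    a->code[0] = '\0';               /* consume the code */
    snprintf(a->wall, sizeof a->wall, "%s", body + CODE_LEN + 1);
    return 1;
}

/* Simulates the legitimate handset, which alone received the code. */
int post_from_real_handset(const char *phone, const char *text, uint32_t now)
{
    struct account *a = lookup(phone);
    char body[160];
    if (!a)
        return 0;
    snprintf(body, sizeof body, "%s %s", a->code, text);
    return post_hardened(phone, body, now);
}

int main(void)
{
    const char *victim = accounts[0].phone;
    printf("weak: spoofed post accepted = %d\n", post_weak(victim, "spoofed hello"));
    printf("hardened: spoofed post accepted = %d\n",
           post_hardened(victim, "spoofed again", 1000));
    issue_code(victim, 1000);
    printf("hardened: %s's handset post accepted = %d\n", accounts[0].name,
           post_from_real_handset(victim, "real post", 1010));
    printf("hardened: replay accepted = %d\n",
           post_from_real_handset(victim, "replay", 1020));
    return 0;
}
```

Run it and the spoofed message lands on the wall in the weak design, while the hardened one rejects the message that carries no code, accepts the real handset’s, refuses a replay of the consumed code and drops a code older than its lifetime.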

Facebook Upload via Email
Facebook Upload via Email is a comparatively secure feature. If you navigate to the Facebook mobile website, you can see an email address similar to darner986injure@m.facebook.com. This is a secret address: any email sent to it is posted to the wall of the profile it is attached to, so the address itself is the credential. Keep it secret and do not expose it to friends or strangers. If you feel it has been exposed to someone, reset the special email address linked with the account: click Find out more -> Refresh your upload email.

I request everyone to be aware of these serious vulnerabilities on Facebook and to take preventive measures to protect your profile and your identity on the internet.

Thank you.


Posted on April 30, 2011 - by Sarath

Writing a Tic Tac Toe program using AI (Minimax)

tic-tac-toe

Most of us know the Tic-Tac-Toe game; if not, you might know it under another name. I belonged to the second category: I had played this game many times in my childhood, but under a localised name. This game is said to be the simplest example of programming with a game tree. Tic-Tac-Toe also seems to be a common interview coding question for Software Engineer – Developer positions.

Let me give a brief idea of what this game is about. It consists of a board of 9 cells arranged 3×3 (row × column). It is a two player game, with each player assigned a marker symbol (X or O). On the first turn the first player marks X in one of the available cells, then the second player marks O in one of the remaining cells, and so on. The game continues until it reaches one of these conditions:
When one column, row or diagonal contains three X’s, the player assigned X wins; if the same happens for O, player O wins. If the board has no free cell left and neither condition has occurred, the game ends in a draw. (more…)
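Since the post is cut off before its code, here is a complete minimax player in C, added as an example and not the post’s own program. It assumes a 9-character board string in row-major order with ‘X’, ‘O’ and ‘.’ for an empty cell, X moving first, and it searches the whole game tree, which is small enough (under 600,000 positions) that no pruning is needed.

```c
/* Added example (not code from the original post): minimax for Tic-Tac-Toe.
 * Board: 9 chars, row-major, 'X' / 'O' / '.' (empty); X moves first. */
#include <stdio.h>
#include <string.h>

#define CELLS 9
#define EMPTY '.'

/* The eight winning lines: three rows, three columns, two diagonals. */
static const int LINES[8][3] = {
    {0, 1, 2}, {3, 4, 5}, {6, 7, 8},
    {0, 3, 6}, {1, 4, 7}, {2, 5, 8},
    {0, 4, 8}, {2, 4, 6}
};

/* Returns 'X' or 'O' if that player has three in a line, else 0. */
char winner(const char *b)
{
    for (int i = 0; i < 8; i++) {
        char c = b[LINES[i][0]];
        if (c != EMPTY && c == b[LINES[i][1]] && c == b[LINES[i][2]])
            return c;
    }
    return 0;
}

static int board_full(const char *b)
{
    return memchr(b, EMPTY, CELLS) == NULL;
}

static char other(char player)
{
    return player == 'X' ? 'O' : 'X';
}

/* Value of the position with `player` to move, from X's point of view:
 * +1 X can force a win, -1 O can force a win, 0 best play is a draw.
 * X maximises the score, O minimises it; moves are tried and undone in place. */
int minimax(char *b, char player)
{
    char w = winner(b);
    if (w == 'X') return 1;
    if (w == 'O') return -1;
    if (board_full(b)) return 0;

    int best = (player == 'X') ? -2 : 2;
    for (int i = 0; i < CELLS; i++) {
        if (b[i] != EMPTY)
            continue;
        b[i] = player;                       /* try the move ... */
        int s = minimax(b, other(player));
        b[i] = EMPTY;                        /* ... and undo it */
        if (player == 'X' ? s > best : s < best)
            best = s;
    }
    return best;
}

/* Same as minimax but on a read-only board, copying it first. */
int board_value(const char *board, char player)
{
    char b[CELLS + 1];
    memcpy(b, board, CELLS);
    b[CELLS] = '\0';
    return minimax(b, player);
}

/* Index (0-8) of the best cell for `player`, or -1 if the game is over.
 * Among equally good moves the lowest index is kept, so results are stable. */
int best_move(const char *board, char player)
{
    char b[CELLS + 1];
    memcpy(b, board, CELLS);
    b[CELLS] = '\0';
    if (winner(b) || board_full(b))
        return -1;

    int best_i = -1, best = 0;
    for (int i = 0; i < CELLS; i++) {
        if (b[i] != EMPTY)
            continue;
        b[i] = player;
        int s = minimax(b, other(player));
        b[i] = EMPTY;
        if (best_i < 0 || (player == 'X' ? s > best : s < best)) {
            best = s;
            best_i = i;
        }
    }
    return best_i;
}

int main(void)
{
    printf("empty board, X to move: value %d (0 = draw with best play)\n",
           board_value(".........", 'X'));
    printf("X.O.X...., O to move: best cell %d (must block the diagonal)\n",
           best_move("X.O.X....", 'O'));
    printf("XX.OO...., X to move: best cell %d (wins at once)\n",
           best_move("XX.OO....", 'X'));
    return 0;
}
```

The empty board evaluates to 0, which is the well-known result that perfect play draws; the two other positions show the search blocking a threat and taking an immediate win.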


Posted on October 16, 2010 - by Sarath

Producer – Consumer problem using POSIX semaphores

Operating System LAB is an interesting lab in the seventh semester. The Producer – Consumer problem is one of the exercises to be done in the lab. When I was exploring semaphores, I came across two standards, System V and POSIX semaphores. System V is the older standard and is complex; it requires a few setup steps before use. Everyone was following System V semaphores. I thought of giving POSIX a try since it is newer, cleaner and easier to use.

To those who are new to semaphores:

A semaphore is a special unsigned integer type used for synchronization. It can take the value 0 or any positive value. Decrementing a semaphore (the wait operation) has a special property: if the value is 0, the decrement does not happen immediately; the caller blocks until the value becomes positive, then decrements it and proceeds to the statement after the wait. Incrementing (the post operation) never blocks and wakes one waiter if there is any. Semaphores are used for synchronization when common data is accessed by multiple processes or threads, and for resource allocation, where the value counts the free resources.

For more, see Wikipedia

The Producer – Consumer problem is a resource allocation problem. (more…)
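Here is the pattern in C with unnamed POSIX semaphores (sem_init, sem_wait, sem_post), added as an example and not the lab program from the post: one producer and two consumers share a four-slot ring buffer. One semaphore counts free slots, one counts filled slots, and a mutex guards the ring indices because two consumers touch them. The slot count, item count and thread split are arbitrary choices for the demo; on glibc older than 2.34 compile with -pthread.

```c
/* Added example (not the post's lab code): bounded buffer with one producer
 * and two consumers, synchronised with unnamed POSIX semaphores. */
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>

#define SLOTS   4      /* buffer capacity (arbitrary) */
#define N_ITEMS 100    /* items 1..N_ITEMS are produced (arbitrary) */

struct ring {
    int buf[SLOTS];
    int head, tail;            /* consumers read at head, producer writes at tail */
    sem_t empty;               /* free slots; the producer waits on it */
    sem_t full;                /* filled slots; the consumers wait on it */
    pthread_mutex_t lock;      /* protects head/tail between the two consumers */
};

struct consumer_arg {
    struct ring *r;
    int count;                 /* how many items this consumer takes */
    long sum;                  /* sum of what it consumed */
};

/* sem_wait can return -1/EINTR if a signal arrives; a robust caller retries. */
static void sem_wait_retry(sem_t *s)
{
    while (sem_wait(s) == -1 && errno == EINTR)
        ;
}

static void *producer(void *arg)
{
    struct ring *r = arg;
    for (int i = 1; i <= N_ITEMS; i++) {
        sem_wait_retry(&r->empty);         /* block while the buffer is full */
        pthread_mutex_lock(&r->lock);
        r->buf[r->tail] = i;
        r->tail = (r->tail + 1) % SLOTS;
        pthread_mutex_unlock(&r->lock);
        sem_post(&r->full);                /* one more item available */
    }
    return NULL;
}

static void *consumer(void *arg)
{
    struct consumer_arg *c = arg;
    for (int i = 0; i < c->count; i++) {
        sem_wait_retry(&c->r->full);       /* block while the buffer is empty */
        pthread_mutex_lock(&c->r->lock);
        c->sum += c->r->buf[c->r->head];
        c->r->head = (c->r->head + 1) % SLOTS;
        pthread_mutex_unlock(&c->r->lock);
        sem_post(&c->r->empty);            /* one more free slot */
    }
    return NULL;
}

/* Runs the whole exchange and returns the total consumed. With every item
 * delivered exactly once this is 1 + 2 + ... + N_ITEMS; -1 on setup error. */
long run_producer_consumer(void)
{
    struct ring r = { .head = 0, .tail = 0 };
    struct consumer_arg c1 = { &r, N_ITEMS / 2, 0 };
    struct consumer_arg c2 = { &r, N_ITEMS - N_ITEMS / 2, 0 };
    pthread_t tp, tc1, tc2;

    /* pshared = 0: shared between threads of one process, not across processes */
    if (sem_init(&r.empty, 0, SLOTS) == -1 || sem_init(&r.full, 0, 0) == -1)
        return -1;
    pthread_mutex_init(&r.lock, NULL);

    if (pthread_create(&tp, NULL, producer, &r) != 0 ||
        pthread_create(&tc1, NULL, consumer, &c1) != 0 ||
        pthread_create(&tc2, NULL, consumer, &c2) != 0)
        return -1;
    pthread_join(tp, NULL);
    pthread_join(tc1, NULL);
    pthread_join(tc2, NULL);

    sem_destroy(&r.empty);
    sem_destroy(&r.full);
    pthread_mutex_destroy(&r.lock);
    return c1.sum + c2.sum;
}

int main(void)
{
    printf("consumed total = %ld (expected %ld)\n",
           run_producer_consumer(), (long)N_ITEMS * (N_ITEMS + 1) / 2);
    return 0;
}
```

The two semaphores alone would be enough with a single consumer; the mutex is there because head is read and advanced by two threads, and a counting semaphore only limits how many threads get in, not what they do with shared indices once inside.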


Posted on September 23, 2010 - by Sarath

Excel 2010 – Technical fest of Model Engineering College, Cochin

Hey,

The techfest of Model Engineering College, Cochin – Excel 2010 starts on Sept 24. This is the biggest Excel ever, with a variety of events scheduled over three days (24-26 September). There are 19 competition events plus a laser show and Stephen Devassy’s concert.

Check out the website for more: http://www.excelmec.org

If you are a Free and Open Source Software enthusiast there are two events tuned for you. Don’t miss them.

Sept 24 – 2.30 pm: FOSS in real world – Talk by Atul Chitnis

Attend the talk and get inspired.

Sept 25 – 2 pm: Hackfest – Shreyas Srinivasan and Arun Raghavan

Participate in the Hackfest and learn hands-on how to contribute to open source

For more details, checkout the website.


Posted on June 18, 2010 - by Sarath

Youtube video downloader shell script

Recently I was looking for YouTube downloaders on the web. I found many websites filled with ads, and a few that gave a neat interface to download videos. I got interested and decided to write my own shell script to parse and download videos. By looking at the HTTP requests, I worked out how the downloaders work.

The logic is pretty simple. By passing the video_id, which appears as v=videoid in YouTube video URLs, to http://www.youtube.com/get_video_info?video_id=videoid, we obtain a metadata file describing the video we want to download. From it we extract a parameter called token. Passing the video_id and the token to the get_video URL returns the video itself. We can also specify the format to download, such as mp4, flv or 3gp in different video qualities, through the fmt=id parameter. By carefully watching the HTTP requests from the YouTube page, I collected a variety of fmt arguments for different formats and qualities and compiled them into a shell script. Download it and have fun. (The script relies on an undocumented endpoint that YouTube has since changed, so today it is of historical interest.)

#!/bin/bash
#Description: Youtube video downloader script
#Author: Sarath Lakshman
#url: http://sarathlakshman.com

usage() {
    echo -e "Usage: $0 URL -format FORMAT\nFormats for different video qualities:\n1080 (mp4) - highest\n720  (mp4) - higher\n480  (flv) - high\n360  (flv) - low\n240  (flv) - lower\n3gp  (3gp) - least\n\nEg: $0 http://www.youtube.com/watch?v=yZPSx2r3TiY -format 1080\n"
}

if [ $# -ne 3 ] || [ "$2" != "-format" ];
then
    usage
    exit 1
fi
url=$1
fmt=$3

declare -A formats
declare -A extension
formats[1080]=37
formats[720]=22
formats[480]=35
formats[360]=34
formats[240]=5
formats[3gp]=13

extension[1080]=mp4
extension[720]=mp4
extension[480]=flv
extension[360]=flv
extension[240]=flv
extension[3gp]=3gp

# Refuse unknown format names instead of sending an empty fmt= to the server
if [ -z "${formats[$fmt]}" ]; then
    echo "Unknown format '$fmt'"
    usage
    exit 1
fi

# The video id is the v= query parameter; stop at the next '&' so that other
# parameters (feature=, t=, ...) do not leak into the request
vid=$(echo "$url" | sed -n 's/.*[?&]v=\([A-Za-z0-9_-]\{1,\}\).*/\1/p')
if [ -z "$vid" ]; then
    echo "Could not find a video id (v=...) in the URL"
    exit 1
fi

# Private temp files via mktemp: a fixed /tmp/meta.data could be pre-created
# or symlinked by another local user
meta=$(mktemp) || exit 1
log=$(mktemp) || exit 1
trap 'rm -f "$meta" "$log"' EXIT

wget -q -O "$meta" "http://www.youtube.com/get_video_info?video_id=$vid&el=vevo"

token=$(sed -n 's/.*token=\([^&=]\+\).*/\1/p' "$meta" | head -n 1)
# The title comes from the server: reduce it to a safe file name before use
title=$(sed -n 's/.*title=\([a-zA-Z0-9%+-]\+\).*/\1/p' "$meta" | head -n 1 | sed 's/-//g; s/[%+0-9]\+/_/g')
title=${title:-video_$vid}
out="$title.${extension[$fmt]}"

echo "Downloading..."

wget -o "$log" -O "$out" "http://www.youtube.com/get_video?video_id=$vid&t=$token&fmt=${formats[$fmt]}"

if grep -q "Not Found" "$log" ; then
    echo "Unsupported format. Please try again with a lower video quality format"
    rm -f "$out"
else
    echo "Download complete. Play $out and enjoy :)."
fi

Download the script from here: youtube_dl.sh

slynux@slynux-laptop:~/scripts$ ./youtube_dl.sh
Usage: ./youtube_dl.sh URL -format FORMAT
Formats for different video qualities:
1080 (mp4) - highest
720  (mp4) - higher
480  (flv) - high
360  (flv) - low
240  (flv) - lower
3gp  (3gp) - least

Eg: ./youtube_dl.sh http://www.youtube.com/watch?v=yZPSx2r3TiY -format 1080

Copyright © 2005 - 2010 Sarath Lakshman