Sarath Lakshman

Posts Tagged ‘hacking’


Posted on May 26, 2011 - by Sarath

Protecting yourself from Facebook vulnerabilities

Facebook is a popular social networking platform in which every user has a profile and a wall. Over recent months, Facebook has been flooded with malware applications and spammers. In such a risky environment it is important to understand how to avoid becoming a target.

Spam and Malware
To keep away from spammers and malware, the best protection is to avoid clicking untrusted or doubtful links and posts. Do not click ‘Allow’ blindly when an application asks for permission to access your data. Always read the list of permissions an application requests when the ‘Allow’ – ‘Deny’ window pops up, and grant them only to applications you trust.

If you are not aware of how a Facebook application works, here is a short description. Facebook is a platform that provides application developers with several interfaces (the Graph API) for accessing data about users, pages, friends, events, photos, etc. The developer uses the API and writes a program that manipulates the data Facebook provides. These applications are hosted on the developer’s own servers, and the Facebook team does not inspect the application code to see what it does internally. Within the data-access limits set by the permissions you granted, the developer can do anything with your data, including posting in your name.

Facebook Mobile – Vulnerabilities
Facebook Mobile is an additional interface that lets you use your mobile device to update your wall, add friends, reply to friends, comment, upload photos, and so on. There is a good number of activities Facebook Mobile can perform. See the Facebook Mobile page at http://www.facebook.com/mobile/

There are a few open vulnerabilities in Facebook Mobile. Two of them involve Facebook Upload via Email and Facebook via Text Message.

Facebook via Text Message – The real villain (post on anyone’s wall vulnerability)
I became a victim of Facebook via Text Message the other day. Frankly, I had never used Facebook via Text Message before and did not sign up for the feature until today. Yesterday, I happened to see a new post on my Facebook wall. It was just a ‘.’ and was marked ‘Posted using Text Message’. I had recently installed the Facebook app for Android on my Nexus S, so I thought some bug in the Facebook app on the mobile had made the wall post. I tried to regenerate the same post on the wall using the mobile app. Later I understood that the bad guy had used the feature called Facebook via Text Message, which I had never used. I signed up for the service and tried out how it works.

I found that, once a mobile number is linked to a Facebook profile, any SMS message sent to 92FACEBOOK (9232232665) from that number is posted on the wall. I was shocked to see such an insecure procedure. Even if you have not signed up for the Facebook Mobile text-message feature, your profile is exposed: if you have added a contact mobile number and verified it through Facebook’s mobile verification process, you have subscribed to the vulnerability :)

The Facebook via Text Message system uses the sender’s mobile number, and nothing else, to decide which profile’s wall the text is posted to. The wall is not the only thing that can be manipulated: several other activities can be performed through Facebook via Text Message. So the weakness lets an attacker perform, in your name, any action the text-message interface supports.

SMS spoofing is a weakness in the design of SMS itself: the originating address of a message is supplied by the sending party or its gateway and is not verified by the receiving network, so it is easy to send an SMS that appears to come from someone else. Although SMS gateways in India do not allow the sender ID to be spoofed, there are many paid and free SMS spoofing services outside India, and with them you can easily send an SMS with a tampered sender identity to anyone.

With access to such a service, the attacker sets the sender number to the mobile number of the Facebook user whose wall is to be updated (a number that is often displayed on the profile itself) and sends the spoofed SMS to the Facebook number. The message is posted on the victim’s wall.

Protection:
Facebook should introduce an additional authentication factor alongside the SMS (for example a temporary passcode that must be included in the message), because the sender number alone can be forged. A one-time code delivered to the verified handset or shown in the logged-in web interface would defeat an attacker who can only forge the originating number but cannot receive replies to it. From the user’s side, the best protection is to remove the mobile number linked to the profile.
If you want to show your contact number on your profile, add it as a contact number but do not complete the verification that Facebook’s verification system asks for. Your profile will still display your mobile number, while you stay protected from this attack.

Facebook Upload via Email
Facebook Upload via Email is a comparatively secure feature. If you navigate to the Facebook Mobile website, you can see an email address similar to darner986injure@m.facebook.com. This is a secret, per-account address: anything emailed to it is posted on your wall, so the address itself is the credential. Keep it secret and do not expose it to friends or strangers. If you suspect it has been exposed, reset the upload address linked to your account: click ‘Find out more’ -> ‘Refresh your upload email’.
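The two designs discussed above, as an added example that is not part of the original post and not Facebook’s code: a toy “post to wall” gateway with an SMS path that trusts only the originating number (the weakness described in the Text Message section), a hardened SMS path that additionally requires a single-use passcode handed out over a channel the spoofer does not control (the fix the Protection section asks for), and an e-mail path whose per-account secret address acts as the credential and can be refreshed. The Account and Gateway names, the phone number, the domain m.example.test and the scenario in demo() are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Added illustration of the designs discussed in the post. Toy model only:
# not Facebook's code, and the names, numbers and domain are made up.


@dataclass
class Account:
    name: str
    phone: str              # verified contact number; may be public on the profile
    upload_address: str     # secret per-account upload address (lowercase)
    wall: list = field(default_factory=list)


class Gateway:
    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}
        self.by_upload_address = {a.upload_address: a for a in accounts}
        self.pending_codes = {}  # phone -> outstanding single-use passcode

    # -- vulnerable path: the SMS originating number is the whole identity --
    def post_from_sms_insecure(self, sender: str, body: str) -> bool:
        account = self.by_phone.get(sender)
        if account is None:
            return False
        account.wall.append(body)   # a spoofed sender lands on the victim's wall
        return True

    # -- hardened path: originating number plus a single-use passcode --------
    def issue_sms_passcode(self, phone: str) -> str:
        """Hand out a fresh code over a channel the spoofer does not control:
        a message to the verified handset or the logged-in web session."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_codes[phone] = code
        return code

    def post_from_sms(self, sender: str, body: str) -> bool:
        account = self.by_phone.get(sender)
        if account is None:
            return False
        code, _, text = body.partition(" ")
        expected = self.pending_codes.get(sender)
        if expected is None or not secrets.compare_digest(code, expected):
            return False
        del self.pending_codes[sender]  # single use: no replay
        account.wall.append(text)
        return True

    # -- e-mail upload: the secret address itself is the credential ----------
    def post_from_email(self, to_addr: str, body: str) -> bool:
        account = self.by_upload_address.get(to_addr.strip().lower())
        if account is None:
            return False
        account.wall.append(body)
        return True

    def refresh_upload_address(self, account: Account,
                               domain: str = "m.example.test") -> str:
        """'Refresh your upload email': invalidate a leaked address."""
        del self.by_upload_address[account.upload_address]
        account.upload_address = f"{secrets.token_hex(8)}@{domain}"
        self.by_upload_address[account.upload_address] = account
        return account.upload_address


def demo() -> dict:
    """Constructed scenario: the attacker knows only the victim's public phone
    number and can forge the SMS originating address, but receives nothing."""
    victim = Account("victim", "+919800000000", "darner986injure@m.example.test")
    gw = Gateway([victim])
    target_number = victim.phone  # the only thing the attacker needs to know

    spoofed = gw.post_from_sms_insecure(sender=target_number, body=".")
    # Hardened path: the forged message carries no valid code and is dropped.
    spoofed_hardened = gw.post_from_sms(sender=target_number, body="000000 pwned")
    code = gw.issue_sms_passcode(victim.phone)  # seen only by the real owner
    owner = gw.post_from_sms(sender=victim.phone, body=f"{code} hello from my phone")
    replay = gw.post_from_sms(sender=victim.phone, body=f"{code} replay")

    # E-mail path: the phone number reveals nothing about the secret address.
    guessed = gw.post_from_email(f"{victim.phone}@m.example.test", "spam")
    old_address = victim.upload_address
    new_address = gw.refresh_upload_address(victim)
    leaked = gw.post_from_email(old_address, "via leaked address")
    fresh = gw.post_from_email(new_address, "photo.jpg")

    return {
        "spoofed_sms_posted": spoofed,
        "spoofed_sms_with_passcode_posted": spoofed_hardened,
        "owner_sms_with_passcode_posted": owner,
        "passcode_replay_posted": replay,
        "email_to_guessed_address_posted": guessed,
        "email_to_leaked_old_address_posted": leaked,
        "email_to_refreshed_address_posted": fresh,
        "wall": list(victim.wall),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that the insecure SMS path authenticates with a value the attacker chooses (the originating number), while the hardened path and the e-mail path both depend on something the attacker cannot obtain from the public profile: a code delivered to the real owner, or a random address that can be rotated the moment it leaks.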

I request everyone to be aware of these serious vulnerabilities in Facebook and to take preventive measures to protect your profile and your identity on the internet.

Thank you.


Posted on June 1, 2010 - by Sarath

InCTF hacking challenge, my team r00tkit @ second position

Recently I participated in India’s first Capture the Flag style hacking challenge, InCTF. 160 teams from all over India participated in the CTF contest. Each team consisted of at most 5 members.

The finals of the event were really fun. We had real machines reachable on the network, connected through a VPN. Scores were based on attacking other machines, defending, and giving ethical advisories, and were awarded on flag submission. Flags could be captured from vulnerable services on the machines of other teams.

Each team was given a vulnerable virtual image of a GNU/Linux system with four services. We had to patch it to prevent others from attacking it and capturing the flag from our host, and at the same time exploit the others’ services and capture their flags.

The most exciting part of the game was that we exploited a service called therasus and got a root shell.

We did rm -rf / on many of our opponents’ machines and had fun watching their systems go down :D

My team, r00tkit, had only two members: my friend Syamlal and me. It was the first time we were participating in a real-time CTF event.

We reached second position in the hacking challenge.

Good work, Team BIOS and the CTF organizers.

For more, see http://inctf.amrita.ac.in/


Posted on May 31, 2009 - by Sarath

Distromania !

Today I was filtering out junk CD-ROMs, aka e-waste, at home. I found a lot of GNU/Linux distro CDs and thought of doing this. Have fun!

It reminds me of those days when I was bitten by the Linux bug!




Posted on May 30, 2009 - by Sarath

Progress with Pardusman

Hey all.

I have been getting extremely lazy about blogging these days. I have come across lots of new updates in the pardusman project. The first improvement is in the UI graphic design. After building the UI layout I stayed tuned for comments and suggestions for improvement. Hiran came to me and told me that he was interested in helping me with the UI. Hiran is a UI guy on Inkscape, GIMP, fonts, etc.

We had a one-hour IRC meeting that evening and discussed the UI plan. I got the UI for the first page in a couple of hours and I loved it. I found it awesome. I also grabbed the rest of the pages from Hiran of the Human Factor Interface team. Have a look at the new designs.



Posted on May 12, 2009 - by Sarath

ATNGW100

I bought an AVR32 ATNGW100 embedded experimentation board. It runs a miniature version of GNU/Linux on the AVR32 architecture. The NGW100 has two Ethernet ports, an SD/MMC card reader, and connectors for USB and JTAG. It boots up as soon as it is given a power supply. The OS image includes decent services like SSH, Samba, FTP, etc.

My initial plan is to build an internet gateway with an iptables hack. I also plan to cross-compile Squid for AVR32 so that I can have an embedded, tiny proxy server with full control. It could be used at the hostel for sharing the internet connection, Tux powered :) Looking forward to it.

Learn more on the Atmel website.


  • About: Sarath Lakshman is a hacktivist of Free and Open Source Software from Kerala.
  • My Book: Solve real-world shell scripting problems with over 110 simple but incredibly effective recipes.



Copyright © 2005 - 2010 Sarath Lakshman