Someone lost his orkut account to me
Should I say someone lost his account to me, or should I say someone tried to impersonate me? I don’t know. I created a new ymail account some time back and I don’t check that email frequently. One evening I checked that account and, to my surprise, a mail from orkut was in my inbox asking me to verify the email address of the Google account. Someone had created an orkut account with my email address.
I was eager to know if the person was trying to impersonate me (WT*! I’m not a celebrity), or he was too lazy to create an email account, or it was a typo. I just confirmed by clicking on the link in the mail, and that was the end of the story. The email is verified for the orkut (Google) account. And the next thing, I wanted to log onto orkut and see if the person was trying to impersonate me (rare chance). And now I need the password of the account, which obviously is an easy task. I just went to the forgot-password link and the nice guys (software) at Google sent me a password reset link right after verifying a captcha. This shows how sucky our current password recovery mechanisms are. Gotcha! I got the new password and the account is mine now. I logged on to the orkut account and saw the profile information. WT*! The guy has his complete postal address, phone numbers etc. on his profile.
How can people make such stupid mistakes? It had been a good week since the creation of the account. So, next time you are creating any account and your email address is your user name, be careful; don’t make such stupid mistakes. This could have been worse if Google actually sent the password instead of a reset link. Most people would have the same password for multiple accounts. And if I could find the person’s other email address or any other account with the same password, then it’s a complete mess of his online presence.
Had I waited for some time without resetting the password, that would have been worse. The guy would have used the account and built his network, after which I could take control of it. Now I’m going to call him on his mobile and tell him this!
When humans help robots…
How do you say humans and computers are different? Can computers solve all the problems that can be solved by humans? There came a beautiful test called the CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart. It is extensively used on the Internet as a challenge to all the robots out there trying to spam systems on the Internet. But when humans break CAPTCHAs for not-so-good reasons, what can technologists do?
Recently, I read an article on India’s CAPTCHA-solving economy on ZDNet. There are a lot of companies in the CAPTCHA-breaking business. They receive $2 per 1000 CAPTCHAs broken. These broken CAPTCHAs can be used by attackers to register fake accounts on sites like Yahoo!, Google, Facebook etc. And robots can also use these to comment on your blog, if you are using a CAPTCHA to prevent robots.
On one side, India is receiving laurels from the international community for her success in Information Technology; on the other side, these immoral (to me) businesses are appealing to people who look for a quick buck.
When humans help robots, it’s a disaster for technology.
Read the complete article on ZDNet
In the name of CNN, comes the malware
I trust my mail provider to filter all the spam, but I regularly check the spam folder to avoid false positives. Anyway, false negatives show up in the Inbox.
Email scams are normal; I’ve learnt to live with them. This is a recent scam that I saw. The email says “CNN.com Daily Top 10” and has a lot of links (all pointing to the same page). It’s very appealing, with recent news headlines or celebrity names in the links.
The links lead to a rogue site that asks you to install an ActiveX control. Even if you press cancel, it asks you again and again; it’s almost a DoS attack on your browser. You gotta kill the browser or install the malware.
I love Microsoft (and the other browser guys) for this. What if the default setting were to automatically install ActiveX controls without asking the user? How many of the users would change the default setting?
The minds behind this might be trying to create a bigger botnet. You definitely don’t want your computer to be part of a worldwide botnet that can pull down websites and cause havoc on the Internet. Recently the Georgian president’s website was subject to a similar DDoS attack through a botnet.
Do not install any ActiveX control without properly knowing what it does.
Update: Another variant of the mail, a more convincing one with one link to cnn.com and one link to a different rogue site. Be careful when clicking links. Even your computer can be affected by this.
Secure Camp I
I was there today.
I expected a big crowd there after seeing the registration page, but not even half turned up. I’ve been into security stuff at Yahoo! for quite some time, so I have a fair idea of web security. The web security part there was not very interesting to me, for I know most of it already. I didn’t plan to speak there, but I prepared a short presentation on the fly about basic practices to avoid XSS, XSRF and SQL attacks. My laptop ran out of power, and thanks to the RSA guys who allowed me to use their laptop for the presentation. I didn’t speak for more than twenty minutes. I know that was not a good presentation, but next time I will plan the talk well before.
The most interesting part of the talk was a tool presented by Yash. He could capture passwords from sites that used SSL, which sent a shiver down my spine. The tool captures data before it enters the SSL tunnel between the desktop and the website. It’s not a key logger.
If I’m right, Rasmus Lerdorf, the inventor of PHP, said “the internet is broken”. Yash reiterates that the desktop (at least Windows) is even more broken.
DoS attacks using wildcards
These days, my interest has turned towards security-related topics, and this whitepaper caught my attention when I was browsing through some website. It’s about DoS attacks using SQL wildcards [PDF].
Wildcards are a trivial concept. Any student studying SQL knows what wildcards are. If you ask a novice programmer to write a search functionality to search records from a table, the popular answer must be “decorating” user input with wildcards on both ends. It’s just stupid. Well, I would have done the same thing if I wrote some code in college days.
Just look at this query:
select * from table where content like '%foo%';
This is a logically perfect solution, but it doesn’t scale. Next, if the application provides an advanced search functionality that searches for all the terms, then the query would look something like this:
select * from table where content like '%foo%' OR content like '%bar%';
Well, the application provides the functionality. So, you gotta live with it. This might be acceptable when the table has 200 records. What if the table has 2 million records?
Now, how can an attacker attack the application? You get the answer just by looking at the query once – using really long strings with lots of wildcards.
select * from table where content like '%foo___bar%i_am_a%{bad_boy}%do_you_want%to_be_my_friend%';
Do you feel the pinch now? Yeah, this can eat up CPU cycles and I/O. This can hang your machine for a few seconds. Oh! yeah, do you have a connection pool? How many connections? 100? 200? Just an equal number of queries in one shot can jam your server, and there you go – DoS. If your code has this kind of problem, is a dial-up connection enough for a DoS attack?
Well, if you think this kind of problem can only affect database servers, you are completely wrong. Say your web application processes all this data and shows it back to the user, and your code doesn’t check the number of records that have been asked for; then your application is also affected. An application-level DoS.
Now, how can this be converted to a DDoS attack?
If an application accepts search queries over GET requests then an attacker can use a “Web Spamming Tool” to auto-register to open forums, send forum posts and blog comments with the URL of this search or can send this search URL as the “src” value of an image tag. In this way attacker can use other websites’ visitors to attack the targeted application…
This can get much worse if the application also has a SQL injection vulnerability. The attacker can do “anything” on your database.
How to protect from all this?
- Treat user input. Remove or escape wildcard characters properly in user input.
- Just thinking of a funny problem: don’t blindly escape wildcards. Consider the string “abc\%”. Escaping only the “%” turns it into “abc\\%”, which is definitely not what you want: the two backslashes now read as one literal backslash and the “%” is a live wildcard again. Escape the escape character itself first.
- Whitelist allowed characters.
- Set timeouts for SQL queries.
- Limit number of records that can be fetched.
- Be afraid of CSRF, use some kind of token to validate if a request is really originating from user action.
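As an added example (not from the post or the whitepaper it discusses), here is a small Python/sqlite3 search function that applies the first five rules above: a character whitelist with a length cap, correct escaping of `\`, `%` and `_` (escape character first, so the “abc\%” case above matches literally), a parameterised query with an explicit ESCAPE clause and a LIMIT, a cap on the number of OR’ed terms, and a per-statement deadline. The table, its rows, the whitelist and the limits are constructed for the example; sqlite3 has no per-query timeout, so the deadline is implemented with a progress handler that interrupts the statement.

```python
import re
import sqlite3
import time

# Constructed whitelist for this example: letters, digits, space, a little
# punctuation, and the three LIKE metacharacters so the escaping step is
# exercised. The length cap keeps a caller from submitting a huge pattern.
ALLOWED_TERM = re.compile(r"[A-Za-z0-9 .,'%_\\-]{1,64}")
LIKE_ESCAPE = "\\"          # escape character declared in the ESCAPE clause
MAX_TERMS = 5               # cap on the number of OR'ed LIKE clauses per query


def validate_term(term: str) -> str:
    """Whitelist check: reject disallowed characters or an over-long term."""
    if not ALLOWED_TERM.fullmatch(term):
        raise ValueError("search term contains disallowed characters or is too long")
    return term


def escape_like(term: str) -> str:
    """Make every LIKE metacharacter in the term literal.

    The escape character is doubled FIRST. Escaping only '%' would turn the
    string abc\\% into abc\\\\%, where the pair of backslashes is read as one
    literal backslash and the '%' is a live wildcard again.
    """
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def build_query(terms, limit: int):
    """Parameterised query with an explicit ESCAPE clause and a LIMIT.

    User text only ever travels as a bound parameter, never as part of the SQL
    string, so it cannot become SQL injection either.
    """
    if not 0 < len(terms) <= MAX_TERMS:
        raise ValueError("between 1 and %d search terms allowed" % MAX_TERMS)
    clauses = " OR ".join("content LIKE ? ESCAPE '\\'" for _ in terms)
    sql = "SELECT id, content FROM docs WHERE %s ORDER BY id LIMIT ?" % clauses
    params = ["%" + escape_like(validate_term(t)) + "%" for t in terms] + [limit]
    return sql, params


def run_with_deadline(conn, sql, params, seconds: float):
    """Abort the statement if it runs longer than `seconds`.

    When the progress handler returns non-zero, SQLite interrupts the running
    statement and sqlite3 raises OperationalError.
    """
    deadline = time.monotonic() + seconds

    def over_budget():
        return 1 if time.monotonic() > deadline else 0

    conn.set_progress_handler(over_budget, 1000)   # invoked every 1000 VM ops
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.set_progress_handler(None, 0)


def search(conn, terms, limit: int = 50, seconds: float = 2.0):
    """Validated, escaped, bounded and time-limited multi-term LIKE search."""
    sql, params = build_query(terms, limit)
    return run_with_deadline(conn, sql, params, seconds)


def make_db():
    """Constructed sample table standing in for the post's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany("INSERT INTO docs (content) VALUES (?)", [
        ("discount of 50% on foo",),
        ("foo and bar together",),
        ("abc\\% appears literally here",),
        ("nothing relevant",),
    ])
    return conn


if __name__ == "__main__":
    db = make_db()
    print(search(db, ["%"]))           # only rows containing a literal '%'
    print(search(db, ["abc\\%"]))      # the tricky string, matched literally
    print(search(db, ["foo", "bar"]))  # two-term OR search, bounded by LIMIT
```

Searching for a bare “%” returns only the rows that contain a literal percent sign rather than the whole table, which is the difference between a decorated pattern and an escaped one; the CSRF token from the last rule lives in the web layer and is out of scope for this snippet.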
Happy coding. Remember, there is no patch for stupidity.
P.S. I like the quote “There is no patch for stupidity”; it is copied from someone, I don’t remember where I saw it first. Read the whitepaper for details.
Merciless Trojans
Heard of the earthquake in China recently? Did you receive an email about the earthquake? If you did, think twice before opening it. The Register has reported that the email attachments download malware to your computer.
Malware/virus writers send an email in the name of a Chinese news agency. The email says “open the attachment for more information”. The attachment is an infected Word document which downloads malware to your computer.
Malware writers seem to exploit natural disasters to spread their Trojans. So, be careful before opening attachments.
They break the captcha
Yahoo! Chat rooms are a nice place to hang out when I’m bored. I made so many chat friends, but the problem is that most of the time the rooms are filled with dumb chat bots. Some time back Yahoo! introduced captcha verification to enter a chat room. This system worked fine for some days, but soon the spammers seem to have found a way out.
I read a blog post sometime back explaining how a captcha system can be broken. Here is how it works:
As usual I entered a chat room; the last name looked interesting, so I pinged that user. It looked like a bot replying to my chat. It had replies to the easy messages like “Hi” and “asl?”. But when I asked “what are you?”, it replied “…umm fine… how r u”. Wow! What a reply! Then I realized that it’s a bot.
Now, I looked at the profile of the user and clicked on the homepage link, and I saw a captcha and a text box on that site, which has disappeared now. The captcha looks like a Yahoo! captcha, and when someone types in the text and enters the site, the spammer might use this to let a bot register a new Yahoo! ID or enter a chat room.
Oh my God! The Internet is broken.

