Wednesday 27 August 2014

[Gyan/ Knowledge] A Random Non Governmental Organization

Let us start with the familiar Wikipedia definition of what exactly a Non-Governmental Organization is:
A non-governmental organization or non-governmental organisation in English (NGO) is an organization that is neither a part of a government nor a conventional for-profit business. Usually set up by ordinary citizens, NGOs may be funded by governments, foundations, businesses, or private persons. Some avoid formal funding altogether and are run primarily by volunteers. NGOs are highly diverse groups of organizations engaged in a wide range of activities, and take different forms in different parts of the world. Some may have charitable status, while others may be registered for tax exemption based on recognition of social purposes.
So what is a post about an NGO doing on this blog, which is focused on learning technologies and hacking? Well, basically, after finishing my graduation and before applying to universities for further studies or joining any company, as an engineer I had so much time on my hands that I was desperately trying to keep busy by picking up internships, hacking websites and getting my name into various Security Hall(s) Of Fame. While all this was happening, I got called to come visit this NGO by a genius, geeky and very old neighbor of mine called Sharath Ram Chandra (my thanks and gratitude to you).

First Visit

Even though I value time a lot, my first visit to this place started off pretty badly, with me being about 15-20 minutes late. However, once there, I was received and introduced to this place called CIS-India by Sharath. I then went on to be introduced to the Executive Director Sunil Abraham, Elonnai Hickok and Beli (pardon me if I got any names wrong), ending up with a small project and an opportunity to conduct pro bono penetration tests for them.

First Hack

I would term finding vulnerabilities in various parts of CIS a hack, or rather I'd say everything I learn here is a hack, starting with networking with people who absolutely do not belong to your domain or understand what you do, and vice versa. I must say, being a person involved with only technology and nothing more than a bunch of code, with a mind full of ethics and beliefs, working with a bunch of people making policies to help techies like us convert our beliefs into real-life practice is probably the MOST MOTIVATING FACTOR. I am a person who believes in open and free knowledge, which probably means that I am a hardcore Wikipedia person, and here I was in CIS, an NGO that worked day and night to start and improve various communities in Wikipedia and to help provide open media. Anything and everything I saw here would surely keep me motivated for the rest of my life.

Staff Meeting

I had previously experienced staff meetings in the various internships that I had done. But none of them had been worth talking about, let alone praising. This staff meeting was held on a conference call between New Delhi and Bangalore, with everyone having a distraction box with an internet connection in front of them. Here was the first time I felt as if I had experienced a motivating leader (Sunil). He started off the meeting with a speech about punctuality, delivered in a very different and unique way that would only make one think how much of a burden he or she was to the team, giving them a guilty conscience without really hurting any feelings. This meeting surely showed an innovative way of keeping everyone attentive, even though almost everyone present had a laptop connected to the internet. Sunil surely set himself up as an idol by being, I think, one of the only persons in the room listening to and grasping almost everything that was being said. This meeting was surely a place where you could learn a lot about the various fields CIS was working in; technically put, I'd call this staff meeting something like Internet Relay Chat, but only with voice. But really, hats off to this charismatic leader - Sunil Abraham.


What I think

CIS is definitely a small office, but the work culture and the community feeling between everyone here surely make it a wonderful place to be at (I'd actually call it more like a small home). If you have a mind for the Open Internet or Free and Open Knowledge, you should probably volunteer at CIS and work with all these wonderful people. Finally, even though you might feel a bit out of place as a person working in the core of technology, I surely think that if you are anywhere close to believing in hacking or openness and haven't volunteered at any place that is working hard to bring the world together, you are missing out on a wonderful experience and probably not doing the best thing.



Friday 8 August 2014

[TIP] Session Authentication Management

The reason I am writing about this type of vulnerability is the widespread "let it be" attitude among most developers. Let us first define what a session is and what happens on a website during a session.

A session is the period in which a user logs in and uses his or her account. To maintain this time slot, websites use a session cookie that stores information and authenticates the user so that changes can be made from his or her profile.
When this much trust is placed in one cookie, the session cookie becomes the prime target for every single attacker. This is because, by compromising a session cookie, the attacker can take over the entire user account. Techniques like XSS and CSRF take advantage of the session cookie in one way or another, and manage to exploit various services. To understand the effect of a session cookie, let us try out a small test:
1. Open any website where you have an account.
2. Log in to your account.
3. Now use any cookie editor and copy all the cookies you have in that website.
4. Launch another browser and go to the same website.
5. Import all cookies from your logged in browser.
6. Do you see a complete compromise of your ID? Well yes! You can. :)

Mitigation came into existence as soon as the exploit was available. Forms utilize CSRF tokens to prevent many attacks, which is good coding practice. But why wait for such an exploit to occur? It is a known fact that new vulnerabilities keep surfacing, exploiting older coding practices. So how can we stop them? Well, we always have the old saying,
Prevention is better than cure.
This is what most developers fail to understand. Hackers are so often successful because they are security paranoids. So the best trait of a good developer is to be equally paranoid. :)
So what can be done to prevent this? Obviously, logging in with the same cookie from a different browser isn't something that should be happening. However, binding the session to the browser is not enough on its own: User Agent spoofing is also something that hackers can employ when doing such an attack.

Best Mitigation Technique:
Someone once said, "It is a session cookie, let it be. It is meant to do that work, it is a foolish person who would lose such an important thing."
But think about the billion people using the internet. How many of them actually understand what exactly a cookie is? How can we leave everything up to them? So, ask me what can be done.
The notion that almost nothing can be done after a session cookie is compromised is mistaken. What I would recommend is to have password checks at important places. To require a password or 2-factor authentication at every field would just be stupid, but how about a password or 2-factor authentication check at the total-hijacking fields, like changing the email ID or changing the password? Such mitigation is way better than checking the IP or the UA on the session cookie, and then the only way to be totally compromised is to have lost your 2-factor authentication device or your password, which is better than having lost a single entity called the "SESSION COOKIE".
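The recommendation above, worked through as an added example (this is not code from the original post): a valid session cookie is enough for a low-risk action such as viewing the profile, but the total-hijacking fields (email address, password) additionally demand the account password or a fresh second-factor code, and a password change revokes every other session of that user. The user store, the session store, the sample account "alice" and the toy TOTP-style code are all constructed here for the demonstration; a real site would use its framework's session store and a proper password-hash library.

```python
"""Step-up authentication for account-takeover fields (constructed example)."""
import hashlib
import hmac
import secrets
import time

USERS = {}     # username -> User                      (constructed in-memory store)
SESSIONS = {}  # session id (the cookie value) -> {"user": username}


class StepUpRequired(Exception):
    """Raised when a sensitive action is attempted with only a session cookie."""


def _hash_password(password, salt):
    # PBKDF2 stands in for a slow password hash; use argon2/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class User:
    def __init__(self, username, password, totp_secret=None):
        self.username = username
        self.email = f"{username}@example.invalid"   # constructed sample address
        self.totp_secret = totp_secret               # None means no 2FA enrolled
        self.set_password(password)

    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)

    def check_password(self, candidate):
        return hmac.compare_digest(self.password_hash, _hash_password(candidate, self.salt))


def current_code(user, now=None):
    """Toy TOTP: six digits derived from the secret and the current 30-second window."""
    now = time.time() if now is None else now
    window = int(now // 30).to_bytes(8, "big")
    digest = hmac.new(user.totp_secret, window, "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_second_factor(user, code, now=None):
    if not user.totp_secret:
        return False
    return hmac.compare_digest(current_code(user, now).encode(), str(code).encode())


def login(username, password):
    """Ordinary login: returns the random session id that becomes the cookie."""
    user = USERS.get(username)
    if user is None or not user.check_password(password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def current_user(sid):
    session = SESSIONS.get(sid)
    if session is None:
        raise PermissionError("no valid session")
    return USERS[session["user"]]


def require_step_up(sid, password=None, second_factor=None, now=None):
    """Sensitive action: the cookie alone is not enough, prove the password or 2FA."""
    user = current_user(sid)
    if password is not None and user.check_password(password):
        return user
    if second_factor is not None and verify_second_factor(user, second_factor, now):
        return user
    raise StepUpRequired("re-enter your password or a second-factor code")


def view_profile(sid):
    """Low-risk action: the session cookie is sufficient."""
    user = current_user(sid)
    return {"username": user.username, "email": user.email}


def change_email(sid, new_email, password=None, second_factor=None, now=None):
    user = require_step_up(sid, password, second_factor, now)
    user.email = new_email
    return user.email


def change_password(sid, new_password, password=None, second_factor=None, now=None):
    user = require_step_up(sid, password, second_factor, now)
    user.set_password(new_password)
    # Revoke every other session of this user, so a stolen cookie dies here.
    for other in [s for s, v in SESSIONS.items() if v["user"] == user.username and s != sid]:
        del SESSIONS[other]
    return True


def demo():
    """Replay a copied cookie the way the six-step test above does."""
    USERS["alice"] = User("alice", "correct horse battery staple", b"constructed-secret")
    victim_cookie = login("alice", "correct horse battery staple")
    stolen_cookie = victim_cookie                 # the second browser imports the same value
    print(view_profile(stolen_cookie))            # works: plain cookie replay
    try:
        change_email(stolen_cookie, "attacker@example.invalid")
    except StepUpRequired as exc:
        print("blocked:", exc)                    # takeover field needs the password or 2FA
    print(change_email(victim_cookie, "alice.new@example.invalid",
                       password="correct horse battery staple"))


if __name__ == "__main__":
    demo()
```

The design point is that the step-up check is keyed to the action, not to the cookie's origin: the same function guards every total-hijacking field, and the replayed cookie still gets the ordinary pages, so a UA or IP check is not needed to protect what actually matters.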

Maybe you guys can implement this point while building your website next time, and not call anything stupid.

Wednesday 6 August 2014

[Porting to Linux] Youtube Downloader

One of the regular sources of my learning is the internet and YouTube. However, due to a low-bandwidth and unstable internet connection (yes, I am a poor dude!) I always download YouTube videos and watch them offline. This was comparatively easy to do on Windows; however, on Kali Linux I had a million problems trying to download YouTube videos. After testing a gazillion programs I finally found one that is easy to install and use (AND COMES WITH PROXY SUPPORT) - youtube-dl :)

Installation:
1. Fetch the script with curl or wget (note that curl writes to a file with -o, wget with -O) -
sudo curl https://yt-dl.org/downloads/2014.05.12/youtube-dl -o /your/local/directory/youtube-dl
sudo wget https://yt-dl.org/downloads/2014.05.12/youtube-dl -O /your/local/directory/youtube-dl

2. Make the file executable
sudo chmod a+x /your/local/directory/youtube-dl

Downloading tutorials using Youtube downloader -
./youtube-dl <youtube video or playlist link here>
If your video download was interrupted (like mine always is), you can use these options -
-i  => ignore errors and continue with the rest of the playlist
-c  => resume partially downloaded files

youtube-dl is also available for Windows users (although I haven't tried it on Windows). It shouldn't be too hard on Windows. Either it is going to work for them or it isn't, because troubleshooting on Windows is a pain in the donkey. :P

Saturday 10 May 2014

[Porting to Linux] Run Chrome as Root

Recently I removed my Windows 8.1 student-licensed OS and switched over completely to Kali Linux. So in the next few blogs I might only be writing about all the configuration changes I did, which might be needed by every Windows addict who in time would face the "side effects" of using Windows and crib about the numerous differences and the ease of use. However, if you are able to understand the basic configuration you are required to do as a Linux user, your life would be made a hell of a lot easier than what you'd expect in case of any type of error that needs debugging. Also, the security is "imba" compared to Windows.

This post is focused on Google Chrome. As a Windows user, there was basically no problem in installing and running Chrome! As a result, I got my browser synced to my email, and the bookmarks, the addons and the data are basically my life.

Installing Google Chrome:
The installer can be obtained by going to the Google Chrome webpage and downloading the setup for your system. As I am using amd64 Kali Linux, which is a Debian-based distro, I'd continue with the amd64 .deb package. To install, just traverse to the setup directory via the terminal and type
  1. dpkg -i filename.deb

With this, the installation is done. However, there is a problem! Google Chrome doesn't run as root. To fix this, we follow a few simple steps:

  1. Open Terminal
  2. Traverse to the chrome directory
    cd /opt/google/chrome
  3. Open the Google Chrome file on your favorite editor
    nano google-chrome
  4. Traverse to the end of the file and at the last line, add
    --user-data-dir
    So, the last line should now look like
    exec -a "$0" "$HERE/chrome" "$@" --user-data-dir
That is it. With this change of settings, you should be able to run chrome as root, without any problem.
Now enjoy surfing on your Chromium :)
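Steps 2 to 4 above, as an added shell function that is not part of the original post: it appends the flag to the wrapper's `exec -a` launch line only if the flag is not already there, keeps the untouched wrapper as a `.bak` copy, and takes the wrapper path as a parameter so it can be tried on a scratch copy before touching /opt/google/chrome/google-chrome. It assumes the launch line starts with `exec -a`, as shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: apply the --user-data-dir edit
# to a copy of Chrome's wrapper script. The path is a parameter; the launch
# line is assumed to begin with "exec -a" exactly as the post shows it.
add_user_data_dir_flag() {
    wrapper="$1"
    if [ ! -f "$wrapper" ]; then
        echo "no such file: $wrapper" >&2
        return 1
    fi
    # Idempotent: a second run must not append the flag twice.
    if grep -qF -- '--user-data-dir' "$wrapper"; then
        echo "already patched: $wrapper"
        return 0
    fi
    cp "$wrapper" "$wrapper.bak"
    # Append the flag to the exec line. Reading from the backup and writing
    # through the original keeps the wrapper's own permissions (the +x bit).
    sed '/^exec -a /s/$/ --user-data-dir/' "$wrapper.bak" > "$wrapper"
    grep -qF -- '--user-data-dir' "$wrapper"
}

# Usage: sh this-script.sh /opt/google/chrome/google-chrome
if [ $# -gt 0 ]; then
    add_user_data_dir_flag "$1"
fi
```

Chrome refuses to start as root because a browser running as root turns any renderer, plugin or extension compromise into a root compromise of the whole machine; on a machine you use daily, browsing from a separate unprivileged account avoids the edit entirely.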

Sunday 9 March 2014

[Gyan/ Knowledge] Indian Hacker Space - Home for fraudsters

In India, it is a sad scenario to see young minds become motivated by what they see on television. Social media holds the power to brainwash and mobilize anyone, and it is extremely sad to see how the social media takes advantage of its power. A few days back, on Internet Relay Chat, we were having a conversation about which country had the best hackers. Being an obvious patriot, I obviously supported India. But then, suddenly, the entire cyber space went against me, calling Indians nothing but a bunch of fraudsters. But why did this happen?
Some time ago, I was having a conversation with this kid. A young mind, extremely enthusiastic about becoming a hacker. Being a hacker enthusiast in your early teens is an incredible thing, as long as you are willing to put long hours into it and make it your first and foremost commitment. However, this kid was talking about a certification - a Hacker Certification from an Indian "Premier" Hacker Institute. Ok! Now, this broke all the laws of being a hacker. Not only does the definition of hacker lose the meaning of "Free Knowledge", but institutes terming these certifications "Ethical Hacking" just abuse the term "HACKING" and are completely ignorant of its ethics.
So how and why did this happen? On talking further to that kid, I realized that he was watching a TV show called "MTV What the hack" with a person named "Ankit Fadia", often referred to as Ankit "Fraud?ya!" in the cyber world. This script kiddie show encourages young minds to lose the hacker way of gaining knowledge and teaches them to use script kiddie (skiddie) tools, leaving them ignorant about the "Real Deal" that happens. Yes! Just like the "Anonymous group of Hackers" that are a bunch of script kiddies sitting and using a bunch of tools made by the 1337 Anon hackers, calling themselves "hacktivists" that "take down" websites of the corrupt, ultimately not even knowing what DoS and DDoS are.

The Skiddie Name Ankit "Fraud? Ya!"

In the hacker world, someone gaining fame as being "one of the best hackers" obviously attracts attention not just from any other single person but rather from a worldwide audience, and hence people took notice of him and found out this self-proclaimed ugly truth. Mr. Fadia, a young hero who "CLAIMS" to have helped an American intelligence agency when he was just a 14 y/o kid. So believable! Dang! Never knew American intelligence agencies took help from a 14 y/o who isn't even an American citizen, without any published papers. I guess American standards have too high hopes for Indians, if even kids with no proficiency come ahead and get called for classified work. So classified that he cannot even name this so-called "AGENCY".
This guy published books on hacking with other authors that are dipped in plagiarism from start to end. He goes to the extent of having "ethical hacker" certifications under his name. Not sure if his students become elite hackers or just another bunch of guys who are victims of social engineering. But full credit to this fraudster chap for having amazing social engineering skills and exploiting the media.
This professional hacker who certifies other hackers even holds a record in another field. I guess he is the only hacking certification provider with his own website hacked over and over again.
Full coverage of people of this kind has been done on Errata Charlatan, along with all the hacks done to his website.
When you go to Errata, there is one more thing you notice. Among the authors of hacking books and the number of people who plagiarize material, India ranks number 1. All of them, who are credited by the Indian state and its people thanks to the social media and its coverage, are actually fraudsters and crooks who are disrespected throughout the cyber space.

Stopping these crooks

This is simple! Just start getting more aware and look for fraudsters in and around yourself. And to be a hacker, first gain the hacker mindset. Also, probably the best tool for starting to learn hacking is "GOOGLE".

UPDATE: DEFCON RECOGNIZE AWARDS on Ankit Fadia