Wednesday, 27 August 2014

[Gyan/ Knowledge] A Random Non Governmental Organization

Let us start with the familiar Wikipedia definition of what exactly a Non Governmental Organization is:
A non-governmental organization or non-governmental organisation in English (NGO) is an organization that is neither a part of a government nor a conventional for-profit business. Usually set up by ordinary citizens, NGOs may be funded by governments, foundations, businesses, or private persons. Some avoid formal funding altogether and are run primarily by volunteers. NGOs are highly diverse groups of organizations engaged in a wide range of activities, and take different forms in different parts of the world. Some may have charitable status, while others may be registered for tax exemption based on recognition of social purposes.
So what is a post about an NGO doing on this blog focused on learning technologies and hacking? Well basically, after finishing my graduation and before applying to universities for further studies or joining any company, as an Engineer I had so much time that I was desperately trying to keep busy by picking up internships, hacking websites, and participating in and getting my name into various Security Hall(s) Of Fame. While all this happened, I got called to come visit this NGO by a genius, geeky and a very old neighbor of mine called Sharath Ram Chandra (My thanks and gratitude to you).

First Visit

Even though I value time a lot, my first visit to this place started off pretty bad with me being about 15-20 minutes late. However, once here, I was received and introduced to this place called the CIS-India by Sharath. Further on, I went on to get introduced to the Executive Director Sunil Abraham, Elonnai Hickok and Beli (Pardon me if I got any names wrong), ending up with a small project and an opportunity to conduct pro bono penetration tests on them.

First Hack

I would term my finding vulnerabilities on various places of CIS as a hack, rather I'd say everything I learn here is a hack. Starting with networking with people who absolutely do not belong to your domain or understand what you do and vice versa. I must say, being a person involved with only technology and nothing more than a bunch of codes with a mind full of ethics and beliefs, working with a bunch of people making policies to help techies like us to convert our beliefs into real life practice is probably the MOST MOTIVATING FACTOR. I am a person who believes in open and free knowledge, probably would mean that I am a hardcore Wikipedia person, and here I was in CIS, an NGO that worked day and night to start and improve various communities in Wikipedia and helping out to provide an Open Media. Anything and everything I saw here would surely keep me motivated for the rest of my life.

Staff Meeting

I had previously experienced staff meetings in the various internships that I had done, but none of them has been worth talking about, let alone praising. This staff meeting was held on a conference call between New Delhi and Bangalore, with everyone having a distraction box with internet connected to it in front of them. This was the first time I felt I had experienced a motivating leader (Sunil). He started off the meeting with a speech about punctuality, delivered in a very different and unique way that would only make one think how much of a burden he/she was to the team, in turn making them feel guilty without really hurting any feelings. This meeting surely showed an innovative way of keeping everyone aware even though almost everyone present had a laptop connected to the internet. Sunil surely set himself up as an idol by being, I think, one of the only persons in the room listening to and grasping almost everything that was being said. This meeting was surely a place where you could learn a lot about the various fields CIS was working with; technically put, I’d call this staff meeting something like Internet Relay Chat, but only with voice. But really, hats off to this charismatic leader - Sunil Abraham.

What I think

CIS is definitely a small office, but the work culture and the community feeling between everyone here surely make it a wonderful place to be at (I’d actually call it more like a small home). If you have a mind for Open Internet or Free and Open Knowledge you should probably volunteer at CIS and work with all these wonderful people. Finally, even though you might feel a bit out of place as a person working in the core of technologies, I surely think if you are anywhere close to believing in Hacking or Openness and haven’t volunteered at any place that is working hard to bring the world together, you are missing out on a wonderful experience and probably not doing the best thing.

Friday, 8 August 2014

[TIP] Session Authentication Management

I am writing about this type of vulnerability because of the widespread "let-it-be" attitude among most developers. Let us first define what a session is and what happens on a website during a session.

A session is the period during which a user is logged in and using his or her account. To maintain it, websites use a session cookie that stores information and authenticates the user when he or she makes changes from the profile.
When this kind of trust is placed in it, the session cookie becomes a prime target for every single attacker, because by compromising a session cookie the attacker can take over the entire user account. You can see this in how techniques like XSS and CSRF take advantage of the session cookie in one way or another to exploit various services. To understand the effect of a session cookie, let us try out a small test:
1. Open any website where you have an account.
2. Log into your ID.
3. Now use any cookie editor and copy all the cookies you have in that website.
4. Launch another browser and go to the same website.
5. Import all cookies from your logged in browser.
6. Do you see a complete compromise of your ID? Well yes! You can. :)

Mitigation came into existence as soon as the exploit was available. Forms utilize CSRF tokens to prevent many attacks, which is a good coding practice. But, why wait for such an exploit to occur? It is a known fact that new vulnerabilities keep surfacing, exploiting the older coding practices. So how can we stop them? Well we always have the old saying,
Prevention is better than Cure.
This is what most developers fail to understand. Hackers are always successful because they are security paranoids. So the best trait of a good developer is paranoia. :)
So what can be done to prevent this? Obviously, the same cookie being accepted from a different browser is not what should be happening. However, hackers mounting such an attack can also spoof the User Agent.

Best Mitigation Technique:
Someone once said, "It is a session cookie, let it be. It is meant to do that work, it is a foolish person who would lose such an important thing." 
But think about the billion people using the internet. How many of them actually understand what exactly a cookie is? How can we leave everything up to them? So ask me, what can be done?
The notion that almost nothing can be done after a session cookie is compromised is mistaken. What I would recommend is to have password checks at important places. Requiring a password or 2 Factor authentication at every field would just be stupid, but how about requiring a password or 2 Factor authentication at total hijacking fields like changing the Email ID or changing the Password? Such mitigation is way better than checking the IP or the UA on the session cookie, and the only way to be totally compromised is then to have lost your 2 Factor authentication device or your password, which is better than having lost a single entity called the "SESSION COOKIE".
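
An added example (not code from the original post) of the recommendation above: the session cookie is enough for ordinary actions, but changing the email ID or the password also requires the account password. The Site class, its action names and the in-memory tables are hypothetical; a 2 Factor code check would sit where password_ok is called.

```python
import hashlib, hmac, os, secrets
SENSITIVE = {"change_email", "change_password"}  # "total hijacking" actions

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Site:
    """Hypothetical in-memory site: users plus a session-cookie table."""
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, name, password, email):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": pw_hash(password, salt),
                            "email": email, "bio": ""}

    def password_ok(self, name, password):
        user = self.users.get(name)
        if user is None or password is None:
            return False
        return hmac.compare_digest(user["hash"], pw_hash(password, user["salt"]))

    def login(self, name, password):
        if not self.password_ok(name, password):
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable session cookie value
        self.sessions[cookie] = name
        return cookie

    def perform(self, cookie, action, value, password=None):
        name = self.sessions.get(cookie)
        if name is None:
            return "denied: no session"
        # Step-up check: the cookie alone never authorizes a sensitive action.
        if action in SENSITIVE and not self.password_ok(name, password):
            return "denied: re-authentication required"
        user = self.users[name]
        if action == "update_bio":
            user["bio"] = value
        elif action == "change_email":
            user["email"] = value
        elif action == "change_password":
            user["salt"] = os.urandom(16)
            user["hash"] = pw_hash(value, user["salt"])
            # Added hardening (not from the post): drop all of this user's sessions.
            self.sessions = {c: n for c, n in self.sessions.items() if n != name}
        else:
            return "denied: unknown action"
        return "ok"
```

With this in place, someone holding only a copied cookie can still edit low-risk fields, but cannot redirect the account's email or lock the owner out.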

Maybe you guys can implement this point while building your website next time, and not call anything stupid.

Wednesday, 6 August 2014

[Porting to Linux] Youtube Downloader

One of my regular sources of learning is the internet and YouTube. However, due to low bandwidth and an unstable internet connection (Yes, I am poor dude!) I always download YouTube videos and watch them. This was comparatively easier to do on Windows; however, on Kali Linux I had a million problems trying to download YouTube videos. After testing a gazillion programs I finally found one that is easy to install and use (AND COMES WITH PROXY SUPPORT) - Youtube-dl :)

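1. Use curl (or wget) to get the file from the website (replace <download URL> with the download link from the youtube-dl website) -
sudo curl <download URL> -o /your/local/directory/youtube-dl
or, with wget (note the capital -O; wget's lowercase -o writes a log file instead) -
sudo wget <download URL> -O /your/local/directory/youtube-dl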

2. Make the file executable
sudo chmod a+x /your/local/directory/youtube-dl

Downloading tutorials using Youtube downloader -
./youtube-dl <youtube video or playlist link here>
If your video download was interrupted (like mine always is), you can add these options -
-i => continue downloads that had errors
-c => resume downloads

Youtube-dl is also available for Windows users (although I haven't tried it on Windows). It shouldn't be very hard on Windows. Either it is going to work for them or it is not going to work. Because troubleshooting in Windows is a pain in the Donkey. :P