Suramya's Blog

Visit suramya.com Who am I?

February 12, 2012

Google Wallet PIN cracked on Android devices

Filed under: Computer Related,Computer Security,My Thoughts — Suramya @ 8:53 PM

The past few days there has been a lot of press around the fact that the Google Wallet Pin was cracked on rooted android phones. Lots of people including computer programmers and technologists (who should frankly know better) have reacted to this by posting messages/comments equivalent to: “rooting is bad”, “rooting causes security holes” etc etc etc… Guess they have forgotten the simple rule of computer security: “physical access is total access”, basically it means that if I have physical access to a device I can get full access to it eventually.

This fact was demonstrated it quite nicely by the news that you don’t really need to root your phone to get your pin hacked, all you need to do is reset the application data.

The problem in both cases is caused by the fact that the Google Wallet’s pin is stored locally on the phone itself instead of online so if you can get access to it you can bruteforce it or if you clear the app data it removes the pin and lets you choose another.

One way of fixing the second issue would be to force the phone to link to the internet after the local cache is cleared to sync the pin with the online secure server instead of just letting a user choose a new one. The fix for the first case is a lot harder because you can’t have a wallet that requires the phone to be connected to the web everytime you use it, and if you store it locally then you are just asking for trouble.

Another way would be for the receiving side to validate the pin sort of line how we do it for credit cards but that doesn’t seem too feasible either. Or we could salt the pin with the user’s account info/do a dual encryption, first one requires the pin to unlock the second one requires the account password.

Now if I can come up with such solutions then I am sure the people at Google and the various banks working on this issue will come up with other more secure options. Its not the end of the world. yet. This is a new technology and like all new tech it has its teething issues and I am looking forward to the final fixed product.

- Suramya

March 28, 2010

Wikibooks has a open-content textbook on Cryptography

Filed under: Computer Security,Interesting Sites — Suramya @ 11:56 PM

I don’t know if you have heard about Wikibooks yet or not. If you haven’t then you are missing out on a great resource. Basically Wikibooks is a community for creating a free library of educational textbooks that anyone can edit. Sort of like Wikipedia but specifically for Books.

One of the books they have is a book on Cryptography that is quite easy to read and follow. At the time of this writing a lot of the sections in the book still have to be added but new content is added regularly and over time I think it will become a great resource for everyone.

Check it out.

- Suramya

February 27, 2010

How to use UDP Tunneling to avoid hotspot or firewall restrictions

Filed under: Computer Security,Knowledgebase — Suramya @ 11:59 PM

A lot of times when you connect to a wireless hotspot or a network there are restrictions in place which prevent you from accessing the web without some sort of authentication or restrict the kind of connections allowed. Usually that’s not a problem but at times you need to be able to bypass the restrictions.

In normal cases the firewalls in place usually allow outgoing connections to pass through but in some cases even outbound connections are blocked or you need to pay for access. In such cases you can use UDP Tunneling to bypass any restrictions.

Keep in mind that using such methods on a network will not endear you to your network administrator and if caught might cause you trouble. You might even end up in Jail. So don’t try to use this for anything illegal or to browse porn at work.

The way it works is that when you try to browse to a website your system sends a request to a name server on UDP Port 53. On a lot of hotspots/firewalls/proxies the system waits for the Name server to respond and when it gets a response it redirects you to a login page or redirects you to a web proxy. What allows us to do a UDP tunnel is the fact that all port 53 UDP traffic is allowed out to anywhere on the web, without any kind of authentication.

So if you have a VPN configured to connect over UDP port 53 instead of the default port 1194 then you should be able to bypass the restrictions.

Basically what you have to do is setup a OpenVPN server on a public server and then configure it to use port 53 instead of the default 1194. Once you do that you can configure your VPN client on a laptop to connect to the server on port 53. Once connected all new connections will go over the VPN connection and you should be able to browser the web without issues or blocks.

Thanks to Adam Palmer for the tip.

I think I am going to set up a VPN server on my desktop so when I am away from home and need web access I can use this technique to get access.

- Suramya

January 20, 2010

List all machines connected to a LAN with additional details on each

Filed under: Knowledgebase,Security Tools — Suramya @ 12:15 AM

If you ever had to figure out how many systems are connected to a network and what IP’s they have then you will find this tip useful. It is also useful to identify any rouge machines on your network if you know how many systems are supposed to be there on that network. Like in case of my home network, where I know the exact no of machines.

There are multiple software out that, that allow you to do this. Some are free, some are very expensive. In my opinion the best one is nmap. It is free, fast and can be scripted.

To find all machines on my LAN (IP Range: 192.168.2.x) I just have to issue the following command:

nmap -sP 192.168.2.0/24

This gives an output like the following when I run it as a normal user:

suramya@Wyrm:~$ nmap -sP 192.168.2.0/24

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 00:01 IST
Host 192.168.2.1 is up (0.0018s latency).
Host 192.168.2.5 is up (0.00018s latency).
Host 192.168.2.100 is up (0.00018s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.93 seconds

When I run the same command as root, it gives me additional information that looks like:

Wyrm:~# nmap -sP 192.168.2.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:50 IST
Host 192.168.2.1 is up (0.0015s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.2.5 is up.
Host 192.168.2.100 is up (0.011s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Intel)
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.00 seconds

In this case, as you can see nmap also gives me the MAC address of the machine. 192.168.2.5 is the machine I ran the scan from so I didn’t get any information on that one.

If you want additional details on a system you can issue the following command to get the system to try and identify the OS and services running in detail.

nmap -A 192.168.2.5

It gives an output that looks something like:

Wyrm:~# nmap -A 192.168.2.5
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:52 IST
Interesting ports on 192.168.2.5:
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)
| ssh-hostkey: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (DSA)
|_ 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (RSA)
80/tcp open http Apache httpd 2.2.14 ((Debian))
|_ html-title: Index of /
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.4
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 – 2.6.28
Network Distance: 0 hops
Service Info: OS: Linux

Host script results:
additional information on the server

Hope you also find this useful.

- Suramya

January 19, 2010

Flaw gives AT&T users access to other user’s Facebook accounts

Filed under: Computer Security,My Thoughts — Suramya @ 11:23 PM

Recently a Georgia mother and her two daughters logged onto Facebook from their mobile phones and wound up in a strangers’ accounts with full access to their private information. All of them were using AT&T as their data provider. On the face of it, it seems pretty scary.

How prevalent this flaw is and what other services are affected is something that is still unknown. As far as I can tell no technical details have been released to explain this issue either by Facebook or AT&T. So I am going to speculate on various ways this might have happened.

1. A flaw in Facebook caused the system to falsely authenticate users based on their IP address even without an authentication cookie present.

This could happen, however if this was the case a lot more people would have hit it by now especially on networks that have their IP address allocated dynamically.

So Probability of this being the reason: Very Low

2. AT&T is using a proxy caching server and the authentication cookies used by Facebook was stored on the proxy server.

If a proxy server was being used by AT&T then when a request went out to Facebook it would check for a valid session using the server’s IP address and then check for an authentication cookie on that server. If one existed the user would then be authenticated even though this time someone else was trying to access their Facebook account.

The problem in this case would be the incorrect configuration of their Proxy server by AT&T.

So Probability of this being the reason: Very High

3. Can’t think of any other reason… Though there could be a ton of other explanations. Just can’t think of any of them right now.

Caching servers are well and good but if they are not correctly configured they have the capacity of causing a lot of havoc and security issues. So I am off to read up more about proxies and caching servers and how to configure them correctly.

Source:

FOXNews.com – Network Flaw Causes Scary Web Error.

- Suramya

March 23, 2008

Quantum Computing: Hype vs. Reality

Filed under: Computer Security,Interesting Sites — Suramya @ 1:23 PM

A lot of you must have heard about quantum computing(QC) and a lot of articles have been written by people on how Quantum Computers could break any crypto in a short time. (Even I have written about it)

So I found the following blog post a really good read. It discusses the possible future of QC in a very interesting fashion with emphasis on how it might affect the world of Cryptology. Check it out over here: Emergent Chaos: Quantum Progress

Thanks to: Schneier on Security for the link.

- Suramya

November 2, 2007

How to disable the ‘Run As’ option in Windows

Filed under: Computer Security,Knowledgebase — Suramya @ 12:13 PM

In Windows 2000 the ‘Run As’ option was introduced, the premise was that you would login as a regular user and if you needed to run a particular program as a different user or an administrator you would use it. Basically it duplicated the su functionality from the Unix/Linux world.

Now if for some reason you want to disable this feature, follow these steps:

For standalone Windows XP machines in a workgroup environment, you can disable Run As by hacking the Registry. Simply use Regedit.exe to locate the following key on each machine:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Then create a new DWORD value named HideRunAsVerb and assign it a value of 1.

In a domain environment, you can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies

Right-click on this node and select New Software Restriction Policies, then right-click on Additional Rules and select New Path Rule. Now type the path to runas.exe and make sure the policy is set to disallowed.

If you prefer to apply this policy to specific users instead of computers, use a GPO linked to an OU where the user accounts reside and configuring Software Restriction Policies using User Configuration instead of Computer Configuration, such as:

User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Source: Disabling the RunAs command

More detailed version: Disable RunAs

- Suramya

Identify what files are being used by a given process/TCP connection

Filed under: Computer Security,Knowledgebase — Suramya @ 11:54 AM

In linux if you want to know what files are being used, all you have to do is run the lsof command which shows a list of all open files and the processes that opened them. So if you want to figure out what program is using that insane amount of RAM you can run lsof and grep by the process ID to find it.

In windows however there is no such command so we have to use alternative methods. If you are trying to identify a TCP connection you can try running “netstat -bv” (Without the quotes). It will give you the executable behind process, something like:

TCP fury:2433 imap.perfora.net:imap ESTABLISHED 2724
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Thunderbird\nspr4.dll
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\kernel32.dll
[thunderbird.exe]

For Windows XP and 2000 systems you can also download Fport, which is a free tool that will show you what programs on your system are opening which ports.

Hope this helps.

- Suramya

October 19, 2007

List of sites where you can get Information Security related news

Filed under: Computer Security,Interesting Sites,Knowledgebase — Suramya @ 12:40 PM

Here’s a small list of sites that security related news/resources:

This list is not a comprehensive list. I may add more sites as and when I find them.

- Suramya

How to find out who deleted a particular file

Filed under: Computer Security,Knowledgebase — Suramya @ 11:35 AM

If you want to know who deleted a particular file in Windows 2003 all you need to do is enable auditing the folder you want to keep track of. Just right click on the folder, go to “sharing and security”, then “security” tab, at the bottom click on “advanced”. Select the auditing tab, click add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files/Write data Success/Fail
Create folders / append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Suceess/Fail

Once thats done Windows will log all the information in the security event log.

- Suramya

Older Posts »

Powered by WordPress