Suramya's Blog : Welcome to my crazy life…

August 12, 2018

Critique of a sextortion scam email that I received

Filed under: My Thoughts,Techie Stuff — Suramya @ 11:27 PM

Earlier this month I got an email that claimed to have photos/videos of me viewing adult sites and threatened that they would mail the photos to all my contacts if I didn’t send them $7000. To make the email look authentic and scare me, they also included an old password of mine that they got from one of the many leaks over the past few years. I think this one was from a BBS that I used for a bit around 2000-2005.

The reason I am publishing this email and my critique is to show how full of crap such emails are. Basically if you ever get such emails you should never give them money because then they know that they can frighten you to pay and they will keep putting the pressure on to squeeze more and more money out of you.

On the other hand if you know that someone has managed to get their hands on some incriminating photos (they gave proof or you had sent it to them) and are blackmailing you then you should never give in to the blackmail. Instead reach out to the authorities and file a formal complaint. If you are a kid then talk to your parent and have them raise a complaint. Never ever give more photos/videos to the sick person blackmailing you because that just gives them more ammo to blackmail you.

Here are some links to sites that can help guide you:

UK National Crime Agency
Interpol Sextortion
FBI Sextortion

So let’s get started. I am going to take apart the email I got to show you how useless and full of it it is.

I know ***** is your password. Lets get directly to purpose. You do not know me and you are probably thinking why you are getting this email? None has compensated me to check you.

Umm ok… That’s an old password that I haven’t used in over a decade and even then it was used for throwaway logins that I didn’t really care about. It did catch my eye, good job adding it to the subject to catch my attention. Yes, no one compensated you initially but you sure want to get compensated now.

Well, I installed a malware on the adult video clips (adult porn) web site and guess what, you visited this web site to experience fun (you know what I mean). When you were watching video clips, your web browser started out operating as a RDP that has a keylogger which provided me accessibility to your display screen and also web camera. after that, my software collected your complete contacts from your Messenger, FB, as well as email. After that I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste hahah), and second part displays the view of your webcam, and its you.

Wow! You must teach me how you did this. How did you manage to get a browser to act as an RDP, especially on a Linux machine that doesn’t even support the protocol natively? Please sensei, teach me 🙂

Actually the even more amazing trick is how you managed to activate a webcam on my computer as I don’t have any cameras connected to it. 🙂 Did you hack the display to turn it into a camera? Or did you send nanobots via the wire to reprogram/repurpose one of the parts on my desktop to convert it into a camera?

You got two different choices. Let us understand each of these options in aspects:

1st choice is to disregard this email. In this case, I am going to send your actual video clip to almost all of your contacts and just consider about the humiliation you feel. And consequently in case you are in an important relationship, how it will affect?

Now comes the threat… how are you going to send a video that I just proved can’t exist?

Latter solution is to give me $7000. We are going to think of it as a donation. As a result, I will without delay delete your video footage. You will go forward daily life like this never happened and you would never hear back again from me.

You will make the payment via Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google search engine).

BTC Address to send to: 1FwvWtFdGBRvoiCa8BQdzqpu5QoiCSRFMa
[CASE SENSITIVE, copy & paste it]

Holy S**T! You really expect people to pay you $7000 for an email that offers no proof of this supposed video that you managed to magically capture? Let’s check if anyone was stupid enough to fall for this nonsense. We can use bitref.com to check the balance of any bitcoin address and here’s what the current balance is for this address: $0.0. Yup, you have received a big fat 0 for your trouble. In fact I would suggest you sell your software/tech to the NSA/MI5 or other spy agencies around the world and you will get a much better payday.


The money this idiot made from this scam so far.

If you may be thinking of going to the cop, good, this email message cannot be traced back to me. I have covered my moves. I am just not trying to charge you so much, I just like to be paid for. I have a unique pixel in this email, and right now I know that you have read through this mail. You now have one day to pay. If I do not receive the BitCoins, I will certainly send your video recording to all of your contacts including friends and family, colleagues, and so forth. However, if I do get paid, I will erase the video right away. It’s a non-negotiable offer and thus please do not waste my personal time & yours by responding to this mail. If you really want evidence, reply with Yeah! then I will send out your video recording to your 6 contacts.

I am really quaking in my boots. It’s been over 3 weeks since you sent out the email, and I don’t know how many of my contacts have received this magical email, though if I had to guess I would place the number at 0, since the entire email is a scam to steal money from unsuspecting fools. I think if the person sending out the email hadn’t been so greedy and asked for $7000 but rather asked for something in the range of a few hundred they might have made some money.

Well this is all for now. Will write more later.

– Suramya

August 8, 2018

Work-life balance, Is it something to strive for?

Filed under: My Life,My Thoughts — Suramya @ 11:42 PM

A couple of days ago I read this article by a lady who was the founder of a start-up and she had a whole different take on the work life balance question. She felt that it’s not something that you should focus on and that if your work is a major part of your life then having artificial boundaries about allowed topics of discussion / things is not correct.

The article made me think about the pros and cons of having a work life balance. I have in the past worked in companies where we worked 14-18 hours a day and I have worked in companies where I was out of the office at 6pm every day.

I think that having a work life balance is good, actually I think it’s essential. You can sustain the insane hours over a short period of time but in the long term it’s not sustainable. I am not saying that once you leave the office you shouldn’t have any conversations related to work, that is not realistic. But make an effort to disconnect frequently. It will help recharge your mental energies and let you come back refreshed and eager to work.

I am one of the last people to tell folks not to work too much because I have a tendency to spend too much time working if what I am working on is something interesting. But I have seen from personal experience that when I take a break from work and do something unrelated it helps me focus and get things done.

In the course of the normal day I read, watch some shows to decompress and once a month I try to go for a trek/trip and over the past two years I have seen what a difference it makes in my sanity and ability to deliver projects. When I go for these trips I don’t check office emails. I have spent some time talking about work with folks but for the most part I disconnect from work. The idea is to stop worrying about work and focus on other things for a while. If conversation or idea related to work does come up then don’t stress about it either, spend a few mins on the topic and then go back to whatever you were doing. Trust me it will help. 

I have seen that some of the best ideas I have had have come to me when I was doing something other than work/actively thinking about the problem. 

At my previous job I used to go for evening snacks with the team and one of the semi-enforced rules was that for the duration of the snacking conversations related to work were discouraged. We would talk about other stuff like hobbies, movies, travel etc. It helped us know each other better and become a more tightly integrated team. If a work related topic came up we would all discuss it for a bit and then someone or other would say something to the effect of ‘no work related talks’ and we would stop. But if the issue was interesting enough we have spent significant time discussing it as well.

So having a hard and fast rule is not a good idea. You should be flexible and take it as it happens.

What do you think? Is work life balance something to strive for?

February 7, 2018

Hacking the Brainwaves Cyber Security CTF Hackathon 2018

Earlier this year I took part in the Brainwaves Cyber Security Hackathon 2018 with Disha Agarwala and it was a great experience. We both learnt a lot from the hackathon and in this post I will talk about how we approached the problems and some of our learnings from the session.

Questions we had to answer/solve in the Hackathon:

  • Find the Webserver’s version and the Operating system on the box
  • Find what processes are running on the server?
  • What fuzzy port is the SSH server running on?
  • Discover the site architecture and layout.
  • Describe the major vulnerability in the home page of the given website based on OWASP TOP 10. Portal URL: https://socgen-ctf.0x10.info
  • Gain access to member area and admin area through blind sql, or session management.
  • Dump all user account from member area. [SQLi]
  • [Broken Validation] Demonstrate how you can modify the limit in order management.
  • [Open Redirect] Redirect site/page to hackerearth.com
  • List any other common bugs you came across while on the site
  • After logging into the member area, perform the following functions:
    • Find the master hash & crack it
    • Dump all users
    • Find the email ID and password of saved users

Information Gathering:

In order to find the services running on the server, the first thing we had to do was find the IP/hostname of the actual server hosting the site, which was a bit tricky because the URL provided is protected by CloudFlare. So, any scans of socgen-ctf.0x10.info took us to the CloudFlare proxy server instead of the actual server.

We figured this out by trying to access the IP address that socgen-ctf.0x10.info translated to in the browser.

suramya@gallifrey:~$ host socgen-ctf.0x10.info 
socgen-ctf.0x10.info has address 104.28.15.64 

Since the site homepage didn’t do anything except display text that refreshed every 15 seconds we needed to find other pages in the site to give us an attack surface. We checked to see if the site had a robots.txt (it tells web crawlers not to index certain directories). These directories are usually ones that have sensitive data and in this case the file existed with the following contents:

# robots.txt
Sitemap: http://socgen-ctf.0x10.info/sitemap.xml
User-agent: *
Disallow: images
Disallow: /common/
Disallow: /cgi-bin/

The images directory didn’t have any interesting files in it but the /common/ directory on the other hand had a file named embed.php in it which basically ran a PHP Info dump. This dump has a lot of information that can be used to attack the site but the main item we found here was the IP address of the actual server where the services were running (38.109.218.93).

Using this information we were able to initiate a nmap scan to get the services running on the site. The nmap command that gave us all the information we needed was:

nmap -sV -O -sS -T4 -p 1-65535 -v 38.109.218.93

This gave us the following result set after a really really long run time:

PORT     STATE    SERVICE       VERSION
23/tcp   filtered telnet
25/tcp   open     smtp?
80/tcp   open     http          This is not* a web server, look for ssh banner
81/tcp   open     http          nginx 1.4.6 (Ubuntu)
82/tcp   open     http          nginx 1.4.6 (Ubuntu)
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
497/tcp  filtered retrospect
1024/tcp open     kdm?
1720/tcp open     h323q931?
2220/tcp open     ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
2376/tcp open     ssl/docker?
3380/tcp open     sns-channels?
3389/tcp open     ms-wbt-server xrdp
5060/tcp filtered sip
5554/tcp filtered sgi-esphttp
8000/tcp open     http          nginx 1.4.6 (Ubuntu)
8080/tcp open     http          Jetty 9.4.z-SNAPSHOT
8086/tcp open     http          nginx 1.10.3 (Ubuntu)
9090/tcp open     http          Transmission BitTorrent management httpd (unauthorized)
9996/tcp filtered palace-5
19733/tcp filtered unknown
25222/tcp filtered unknown
30316/tcp filtered unknown
33389/tcp open     ms-wbt-server xrdp
33465/tcp filtered unknown
34532/tcp filtered unknown
35761/tcp filtered unknown
35812/tcp filtered unknown
35951/tcp filtered unknown
37679/tcp filtered unknown
38289/tcp filtered unknown
38405/tcp filtered unknown
38995/tcp filtered unknown
40314/tcp filtered unknown
44194/tcp filtered unknown
47808/tcp filtered bacnet

For some reason the results from the nmap scan varied so we had to run the scan multiple times to get all the services on the host. This was possibly because the server was set up to make automated scanning more difficult.

Once we identified the port where the SSH server was running on (2220) we were able to connect to the port and that gave us the exact OS Details of the server. We did already know that the server was running Ubuntu along with the kernel version from the PHP Info dump but this gave us the exact version.

Discovering Site architecture:

Since we had to discover the URL to the members & admin area before we could attack it, we used dirb, which is a Web Content Scanner, to get the list of all the public directories/files on the site. This gave us the URLs to several interesting files and directories. One of the files identified by dirb was https://socgen-ctf.0x10.info/sitemap.xml. When we visited the link it gave us a list of other URLs of interest on the site (we had to replace the hostname with socgen-ctf.0x10.info) including the members area (http://socgen-ctf.0x10.info/members.php?p=login) and siteadmin (http://socgen-ctf.0x10.info/siteadmin).

After a long and fruitless effort to use SQL injection on the siteadmin area we started to explore the other files/URLs identified by dirb. This gave us a whole bunch of files/data that seemed to be left over from other hackathons so we ignored them.

SQL Injection

The main site https://socgen-ctf.0x10.info/index.php?p=. appeared to be vulnerable to SQL injection at first glance because when we visited https://socgen-ctf.0x10.info/index.php?p=.’ (note the trailing single quote) it reloaded the page. This meant that we could pass queries to it; however, since it didn’t display a true or false on the page a SQL injection wasn’t easily possible. (We could have tried a blind injection but that would have required a lot of effort for a non-guaranteed result.)

As we explored the remaining URLs in sitemap.xml one of the links (https://socgen-ctf.0x10.info/embedframe.php) was interesting as it appeared to give a dump of data being read from the site DB. Opening the page while watching the Developer Toolbar for network traffic identified a URL that appeared to be vulnerable to SQL injection (https://socgen-ctf.0x10.info/ajax.php?cid=&p=view_channel&id=28) and once we tested the URL we found that the variable id was indeed vulnerable to injection.

We used blind SQL injection to gain access by executing true and false statements and seeing that the page returned different results for true (displays ‘1’ on the webpage) and false (displays 0). We checked whether a UNION query ran on the site, which it did, and using other queries we identified the DB backend to be a MySQL database (5.xx.xxx version). Then we found out the table name (members), which was an easy guess since the website had an add customer field. After identifying the number of columns in the table we got stuck because any statements to list the available tables or extract data were failing with an error about inconsistent column numbers.
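The pattern behind the vulnerable id parameter, placed next to its fix, as an added example that is not part of the original write-up or the CTF site’s code. It uses an in-memory SQLite table with constructed rows standing in for the site’s channel data (the real schema is not on the page). It shows why a request parameter spliced into the SQL text lets a true/false condition change the result set, which is exactly what the blind technique above relied on, and why validating the value and binding it as a query parameter leaves the SQL text unchanged regardless of the input:

```python
import sqlite3

# Constructed sample rows standing in for the site's channel table.
SAMPLE_ROWS = [
    (28, "public-channel", 1),
    (29, "staff-only", 0),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE channels (id INTEGER, name TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO channels VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def view_channel_vulnerable(conn, channel_id):
    """Mirrors the flaw behind ajax.php?p=view_channel&id=...: the request
    parameter is pasted straight into the SQL text, so a quote in the input
    ends the literal and the rest of the input becomes part of the query."""
    query = f"SELECT name FROM channels WHERE visible = 1 AND id = '{channel_id}'"
    return [row[0] for row in conn.execute(query)]


def view_channel_hardened(conn, channel_id):
    """Same lookup with two independent defences: the value must parse as a
    plain integer, and it is bound as a parameter, so the SQL text is fixed
    and the input can only ever be compared as data."""
    try:
        channel_id = int(channel_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an identifier
    query = "SELECT name FROM channels WHERE visible = 1 AND id = ?"
    return [row[0] for row in conn.execute(query, (channel_id,))]


if __name__ == "__main__":
    db = build_db()
    for value in ("28", "28' OR '1'='1", "28' AND '1'='2"):
        print(repr(value), "vulnerable:", view_channel_vulnerable(db, value),
              "hardened:", view_channel_hardened(db, value))
```

The visible=1 condition is there to make the damage concrete: with the vulnerable form the always-true tail disables it and the hidden staff-only row is returned, while the hardened form returns nothing for the same input because the value never parses as an integer.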

Finally, we ran sqlmap, which is an open source tool for automating SQL injection. It took us a few tries to get the software running because initially any attempt to scan the site was rejected with a 403 error message. Turns out that the connections were being rejected because the site didn’t like the user agent the software was sending by default, and adding a flag to randomize the user agent resolved the permission denied issue.

Once the scan ran successfully we tried to get access to the MySQL user table but that failed because the user we were authenticating as to the MySQL server didn’t have access to the table required.

sqlmap -u 'https://socgen-ctf.0x10.info/ajax.php?cid=&p=view_channel&id=28' --random-agent -p id --passwords

So, then we tried getting an interactive shell and an OOB shell, both of which failed. We finally ran the command to do a full dump of everything that the system allowed us to export using SQL injection via sqlmap. This included the DB schema, table schemas and a dump of every table on the database server which the MySQL user had access to. The command we used is the following:

sqlmap -u 'https://socgen-ctf.0x10.info/ajax.php?cid=&p=view_channel&id=28' --random-agent -p id  --all --threads 3

This gave us a full dump of all the tables and the software was helpful enough to identify password hashes when they existed in a table and offered to attempt to crack them as well. In this case the passwords were stored as basic unsalted MD5 hashes, which were cracked quite easily, giving us the passwords for the first two accounts in the database (admin & demo).

Looking at the rest of the entries in the users table we noticed that they all had funny values in the email address field, instead of a regular email address we had entries that looked like the following:

,,,"0000-00-00 00:00:[email protected]509a6f75849b",1
,1,RU,

As we had no clue what this was about, the first thing we attempted was to access the https://socgen-ctf.0x10.info/cdn-cgi/l/email-protection URL. This URL gave us a message that told us that the email addresses in the DB were obfuscated by CloudFlare to protect them from bots. A quick Google search gave us a 21 line python script which we tweaked to convert all the obfuscated strings back to email addresses and passwords. (The code is listed below for reference)

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2016 xl7dev
# Distributed under terms of the MIT license.

"""
Decode a CloudFlare email-protection string: the first two hex characters
are the XOR key, and each following hex pair is one byte of the address
XORed with that key.
"""
import sys


def deCFEmail(fp):
    # first byte is the key, the remaining pairs are the obfuscated bytes
    r = int(fp[:2], 16)
    email = ''.join([chr(int(fp[i:i+2], 16) ^ r) for i in range(2, len(fp), 2)])
    print(email)


if __name__ == "__main__":
    deCFEmail(sys.argv[1])

This gave us the email addresses and passwords for all the users on the site. Since the accounts appeared to be created by SQL injection a bunch of them didn’t have any passwords but the remaining were valid accounts for the most part and we verified a couple by logging in manually with the credentials.

OWASP TOP 10 Vulnerability

To find the vulnerabilities in the home page we tried various manual techniques at first but drew a blank, so we decided to use OWASP ZAP. This tool allows you to automatically scan a given URL for vulnerabilities, along with a lot of other things.

At first the scan failed because of the same issue as earlier with the user-agent. This time we took a different approach to resolve the issue by configuring owasp-zap as a proxy server and configuring Firefox traffic to use this proxy server for all traffic. This gave us the site in the software and we were then able to trigger both an active scan and spider scan of the site.

This gave us detailed reports that highlighted various issues in the site which we submitted.

Redirecting HomePage

The redirection of the home page was quite simple. We tried inserting a customer name with javascript tags in it and were able to do so successfully. So we inserted the following into the DB and the system automatically redirected the page when the Customer list section was accessed.

Other Interesting Finds

The nmap scan told us that in addition to port 80 a web server was listening on ports 81, 82, 8000, 8080 and 8086.

Ports 82, 8000 and 8086 were running standard installs of nginx and we didn’t find much of interest at these ports even after we ran dirb on all of them. Port 8080 appeared to be running a proxy or a Jenkins instance.

Port 81 was the most interesting because it was running a nginx server that responded to any queries with a 403 error. When we tried accessing the site via the browser we got an error about corrupted content.

We were unable to identify what the purpose of this site was but it was interesting.

SSH Banner / PHP Shell

The web server instance running on port 80 had its version string set to the following text: “This is not* a web server, look for ssh banner Server at private-tunel.wehostservers.ru Port 80”, so we went back and investigated the SSH banner from the SSH server on port 2220. The banner was hex-encoded several layers deep, so to decode it we repeatedly converted the text from its hex value to ASCII. It gave us the following results on each conversion:

3333333733333333333333373333333333333336333333383333333233333330333333363333333233333336333333313333333633363335333333363336333533333336333333353
3333337333333323333333233333330333333363333333633333336333633363333333733333332333333373333333733333336333333313333333733333332333333363333333433333332333333303333
3337333333333333333633363333333333363333333133333337333333333333333633333338333333323333333033333336333333333333333633363336333333373333333533333336333633333333333
63333333433333332333333303333333633363333333333363333333533333336333333313333333633333334333733393336363633373335373436663230363132307368336c6c2e706870

3337333333373333333633383332333033363332333633313336363533363635333633353337333233323330333633363336363633373332333733373336333133373332333633343332333033373333333
636333336333133373333333633383332333033363333333636363337333533363633333633343332333033363633333633353336333133363334373936663735746f206120sh3ll.php
 37333733363832303632363136653665363537323230363636663732373736313732363432303733366336313733363832303633366637353663363432303663363536313634796f75to a #

ssh banner forward slash could lead you to a #sh3ll.php
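The peel-one-layer-at-a-time conversion described above, as an added example that is not from the original post. The sample message, wrap_hex and peel_hex are constructed for this illustration; peel_hex keeps decoding while the text still looks like an even-length hex string and the result is printable ASCII, and stops (returning the last readable layer) as soon as that is no longer true, which is the check you need so that a final message that happens to consist of hex digits is not mangled:

```python
import binascii
import string

HEX_DIGITS = set(string.hexdigits)


def wrap_hex(text, layers):
    """Hex-encode text the given number of times (used to build sample input)."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = binascii.hexlify(data)
    return data.decode("ascii")


def looks_like_hex(s):
    """True for a non-empty, even-length string made only of hex digits."""
    return len(s) > 0 and len(s) % 2 == 0 and all(c in HEX_DIGITS for c in s)


def peel_hex(blob, max_layers=16):
    """Repeatedly hex-decode blob; return (innermost readable text, layers removed).

    Decoding stops when the current text no longer looks like hex, when a
    decode produces non-ASCII or non-printable bytes (so a plain word such as
    'ab' is not turned into garbage), or after max_layers rounds.
    """
    current = "".join(blob.split())  # tolerate whitespace and line breaks in pasted hex
    layers = 0
    while layers < max_layers and looks_like_hex(current):
        decoded = binascii.unhexlify(current)
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not all(c in string.printable for c in text):
            break
        current = text
        layers += 1
    return current, layers


if __name__ == "__main__":
    # Constructed sample, not the banner from the CTF server.
    message = "constructed sample: the banner only points at a file name"
    blob = wrap_hex(message, 3)
    print(blob[:60], "...")
    print(peel_hex(blob))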

Once we got the full decoded text we knew that there was a potential webshell on the server but it wasn’t apparent where the shell was located. After trial and error failed we turned back to our old faithful dirb to see if it could find the shell.

dirb allows us to specify a custom word list which is used to iterate through the paths and we can also append an extension to each of the words to search for, so we created a file called test with the following content:

suramya@gallifrey:~$ cat test 
shell
sh3ll
sh311

and then ran the following command:

suramya@gallifrey:~$ dirb https://socgen-ctf.0x10.info/ test  -X '.php'

This gave us the location of the shell.


Accessing the link gave us a page with a message “you found a shell, try pinging google via sh3ll.php?exec=ping 8.8.8.8”

Accessing the URL with the additional parameter gave us a page with the following output:

February 5, 2018

Is it a good idea to stop reading news?

Filed under: My Thoughts — Suramya @ 5:40 PM

Earlier today I was browsing the web and ended up on this HackerNews Thread where one of the users had posted the following comment:

I have recently stopped reading any kind of news. As a result I find that my mind is lot less cluttered. I have realized that once you give it up, you don’t really miss it a lot.

This made me think and I was wondering what the benefits are if we stop reading the news and what the downsides are of the same.

A little while ago a lot of the news items from around the world were pretty depressing and I found that if I read my news feed first thing in the morning, as I normally did, I ended up feeling a bit out of sorts for a while. Not depressed per se but with more of a bleah attitude for a while in the morning. After I figured this out I stopped reading general news first thing in the morning, as I figured the issue was caused by the fact that I was reading the news while half asleep, when a lot of my brain was still struggling to wake up, making it harder for my usual snark to kick in. Instead of reading all news first thing in the morning I switched to reading only the tech news feeds early in the morning and then catching up with the world news later in the day (usually in the evening on the way back home). I found that this worked best for me for a while, but after a bit I changed my reading habits again and now I read the news (both tech and general) on the way to work and am fine with it. Plus another good development is that I get out of the house sooner if I am not cocooned in bed catching up with the news. 🙂

So, is it a good idea to stop reading any news? I don’t think so, even after my experience. Knowing what is going on in the world is important and shutting yourself off from the world is not an answer. There are a lot of issues in the world and the first step in fixing them is to know about the issues. I mean if you don’t even know a problem exists then how are you going to even think about a solution for it? There is a quote from Isaac Asimov that seems relevant here:

“Your assumptions are your windows on the world. Scrub them off every once in a while, or the light won’t come in.”
― Isaac Asimov

So the question becomes, how do I scrub my windows to the world? The answer is quite simple: read about what is happening in the world. There might be new discoveries, events etc happening that will challenge your thinking and maybe result in a complete change in your thought process. Don’t get put down by the constant negative news in the media. The fact is that it’s not all bad out there and there are good things happening all over the world, but that doesn’t sell, so the media focuses on the negative aspects to sell papers (or user views etc). Bill Gates wrote about this recently as well. In a recent study folks took 15 different measures of progress (like quality of life, knowledge, and safety) and found that the world is actually getting better in spite of the mess we keep seeing in the news all the time.

All that being said it is quite possible that you end up getting down/depressed after reading & watching so much negative news in the press. This is a normal reaction. John Scalzi, who is one of my favorite authors, had the following advice on how to deal with this scenario (it was published about a year ago but is still valid):

3. Disconnect (temporarily). Especially now, it might be useful for a “hard reset”: taking a week (or two! Or more!) away from most news and social media in order to give your brain the equivalent of a few deep, cleansing breaths and the ability to switch focus away from the outside world and back into your internal creative life.

It’s often hard to do this — social media in particular is specifically designed to make you feel like if you’re not constantly attached to it then you’re missing something important. But here’s the thing: Even if it were true (which it usually is not), there are millions of other people out there to deal with it while you take a week off from the world to get your head right. Let them.

What are your thoughts about this topic? Do you feel that stopping to read news is a good idea? Let me know via comments below (or via email).

This is all for now. Will post more later.

– Suramya

January 29, 2018

How can we secure a Client App so that the server side can detect tampering?

Filed under: Computer Security,My Thoughts — Suramya @ 5:09 PM

If you have been following Aadhaar in the News/Social Media recently then you must have seen the posts by some prominent cyber security folks about basic security issues with Aadhaar. I couldn’t resist chiming in with my two cents and pretty soon the conversation switched from the glaring security issues with Aadhaar to how we could secure applications when the client could not be trusted. Sushil Kambampati had some interesting questions on this topic and we tried having a discussion on Twitter itself for a short while, but since Twitter is not the best medium for long winded conversations we switched to email pretty soon and the following is a summary/expansion of my conversation with him.

Special thanks to Sushil for asking the two questions listed below thereby motivating me to write this post. Please note that all the items below are my personal thoughts and I don’t claim to know everything so some of the things below might not be the best option or might require additional safeguards beside the ones I talk about.

What are the risks if the client has been modified by an attacker?

The possibilities are endless if an app has been modified and can still successfully communicate with the server backend. The attackers can tamper with it to install a backdoor in the app, re-sign it and publish the malicious version to third-party app marketplaces. They can also change the app to query the server in ways that the designer didn’t expect, e.g. query the DB for all possible values of the Aadhaar number (as an example) to identify valid values. They can also attempt to perform SQL injection attacks/other attacks on the server by sending it data that it doesn’t expect.

How can the server-code detect whether the client app has been modified?

This is a very interesting problem and there is no foolproof method to ensure that the local client hasn’t been modified. However, that said, we can always make it harder for the attacker to modify the app. Some ways we can detect tampering are listed below along with potential ways to bypass the checks. (I am going to talk about app side checks in addition to server side since both need to be performed to secure the app.) I specifically talk about Android applications here but the same is valid for any server/client system where the client can’t necessarily be trusted (and if your client is installed on a machine you don’t control then it definitely can’t be trusted).

  • We add code obfuscation/shrink the code using Proguard. This makes it more difficult (though certainly not impossible) to reverse engineer the code by making it harder to read a stack trace because the method names are obfuscated. Other things we can do to harden the app are to include checks to detect if the app is running in a virtual environment (emulator) and abort the run. This check should not be an easy thing to disable, e.g. by setting a flag; instead the build process should add the check when building the release version or something similar, while making it as hard as possible to disable. Finally we should ensure that all debug code is stripped out from the build when creating the release version. This will make it harder for the attacker.

    The communication between Server & Client should be over a secure/encrypted channel (use HTTPS not HTTP), all local data should be encrypted with a unique password that is generated at runtime (1st run) using a random seed.

  • We have the app send a checksum that the server verifies every time an API call is made.
  • This is a very basic check that is fairly simple to bypass, as any competent attacker will also modify the app to send the correct checksum value even though the actual checksum value is different.

  • Have the server request a byte string from a random location in the app, e.g. “send me 100 bytes starting from byte #2000 from the beginning of the file”. This check would fail if any changes were made to the file in the section that the check queried.
  • The issue is that there is a high probability that the location requested by the server is not the location that the attacker has modified. Also, if the attacker is sufficiently motivated they can append a copy of the original app to the tampered app and then modify the check function to return the values from the original app when the server attempts to verify the integrity.

  • Verify your app’s signing certificate at runtime.
  • All applications in the app store are signed with the developer’s private key, and the signature will no longer verify if the APK is modified. By default Android will not allow you to install an app whose signature doesn’t match. However an attacker can potentially bypass this check by changing the code or the value you are checking against. Also, the app can still be installed manually if the phone is rooted.

  • Verify the installer
  • Each app records the identifier of the app which installed it. Therefore, with a very simple check you could have your app verify the installer ID. This can be an in-app check and can also be triggered by a server API call. However, with access to the code (by reverse engineering the app) this check could potentially be commented out.

  • Monitor your server-side logs
  • This is very important, because any attempt to hack the server or bypass restrictions will leave a trace in your logs. If you have configured good log monitoring rules then this can act as an indicator of someone trying to hack your application, and you then have the option of putting countermeasures such as blacklisting into action.
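As an added illustration (not code from this post), here is a small Python model of the byte-range challenge from the list above: the server picks a random offset, an honest client answers from its own bytes, and the server compares against its reference copy. It also works out how often a single random challenge actually overlaps a small modification, which is the weakness noted above. The APK contents, window size and patch location are all constructed values.

```python
import hmac
import secrets

# Constructed stand-in for the signed release APK that the server keeps as its
# reference copy (in reality this would be the release build itself).
REFERENCE_APK = bytes(range(256)) * 40      # 10240 bytes of deterministic content
WINDOW = 100                                # "send me 100 bytes starting at byte N"


def make_challenge(apk_len, window=WINDOW):
    """Server side: choose a random offset so the client cannot precompute the answer."""
    return secrets.randbelow(apk_len - window + 1), window


def client_answer(apk_on_device, offset, window):
    """Client side: an unmodified app simply reads the requested bytes of itself."""
    return apk_on_device[offset:offset + window]


def verify_answer(reference, offset, window, answer):
    """Server side: constant-time comparison against the reference copy."""
    return hmac.compare_digest(reference[offset:offset + window], answer)


def tamper(apk, at, patch):
    """Constructed tampering: overwrite bytes in place (same length, so offsets still line up)."""
    return apk[:at] + patch + apk[at + len(patch):]


def detecting_offsets(reference, modified, window=WINDOW):
    """Count the challenge offsets whose window overlaps the modification.

    Exhaustive rather than random so the result is deterministic; dividing by
    the number of possible offsets gives the chance that one random challenge
    catches the change.
    """
    total = len(reference) - window + 1
    return sum(
        not verify_answer(reference, off, window, client_answer(modified, off, window))
        for off in range(total)
    )


def detection_probability(apk_len, patch_len, window=WINDOW):
    """Closed form for the same quantity: a window overlaps a patch of length k
    at exactly window + k - 1 of the apk_len - window + 1 possible offsets
    (for a patch that does not sit at the very ends of the file)."""
    return (window + patch_len - 1) / (apk_len - window + 1)


if __name__ == "__main__":
    backdoored = tamper(REFERENCE_APK, at=5000, patch=b"\xcc" * 32)
    hits = detecting_offsets(REFERENCE_APK, backdoored)
    total = len(REFERENCE_APK) - WINDOW + 1
    print(f"{hits} of {total} possible challenges detect the 32-byte change "
          f"({hits / total:.2%}); closed form {detection_probability(10240, 32):.2%}")
    # The bypass the post describes: a modified app that kept a copy of the
    # original bytes answers every challenge from that copy and is never caught.
    off, win = make_challenge(len(REFERENCE_APK))
    print("answering from the original copy passes:",
          verify_answer(REFERENCE_APK, off, win, client_answer(REFERENCE_APK, off, win)))
```

With these constructed sizes only about 1.3% of challenges land on the modified region, which is why the post treats this check as a speed bump rather than a guarantee.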

Hope this all makes sense. Please let me know if you have any further questions by posting a comment below or emailing me.

Regards,

Suramya

December 5, 2017

Dominos Pizza online has stronger password requirements than Citibank India Online

Filed under: Computer Related,My Thoughts,Techie Stuff — Suramya @ 11:59 PM

Today I decided to change my IPIN (Internet PIN) on Citibank as I haven’t changed it in a while and it’s a good idea to change it on a regular basis. So I logged in to my account and clicked on the password reset link and I got the following text:

The first item there is fairly standard, but what really surprised me were items #3, 4 & 6. What do you mean I can’t have any special characters in my password? Why can’t I have a password longer than 16 characters, when the NIST password guidelines recommend that you allow passwords of up to 64 characters in length?

In contrast, the Dominos Pizza online portal has stronger security and requires you to have an upper-case letter, a lower-case letter, a numeric character and a special character in the password, making it a lot more secure and harder to crack than the Citibank password.

This is not all. The best part is yet to come. I use a password manager and my generated password was 22 characters long this time, so I pasted it into the form and the system accepted the password change. Now, since I am a paranoid person, I decided to check that the password had changed successfully by logging in with the new password. Imagine my surprise when an error message popped up on screen when I tried to log in, telling me that my password can’t be longer than 16 characters. I was confused, since the password change form had taken my 22-character password without trouble, so I tried logging in with the old password and that obviously didn’t work. Finally I tried removing the extra 6 characters from my password and was able to log in.

Basically the stupid system truncated my password to 16 characters and then saved it, instead of warning me that my password was too long when I was changing it, which would have been the logical thing to do.
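As an added example (not Citibank’s or this post’s own code), the following Python reconstructs the two behaviours described above: a store that silently truncates on change but rejects long passwords at login, next to one that applies a single length policy on both paths with a NIST-style cap. The 22-character password and the policy limits are constructed from the numbers in the post.

```python
import hashlib
import hmac
import os

BANK_MAX = 16     # the cap the login form enforced in the post
NIST_MAX = 64     # NIST SP 800-63B: permit at least 64 characters
MIN_LEN = 8


def _derive(password, salt):
    """Slow salted hash; the exact KDF is not the point of this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Reproduces the behaviour observed in the post: the change form silently
    truncates to 16 characters, while the login form rejects anything longer."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = b""

    def change_password(self, new):
        self.digest = _derive(new[:BANK_MAX], self.salt)   # silent truncation, no warning
        return True, "password changed"

    def login(self, attempt):
        if len(attempt) > BANK_MAX:                         # the check the change form lacked
            return False, f"password can't be longer than {BANK_MAX} chars"
        ok = hmac.compare_digest(_derive(attempt, self.salt), self.digest)
        return ok, "ok" if ok else "wrong password"


class ConsistentStore:
    """The fix: one policy function shared by both forms. Input outside the
    allowed range is rejected with a reason and is never silently modified."""

    def __init__(self, max_len=NIST_MAX):
        self.max_len = max_len
        self.salt = os.urandom(16)
        self.digest = b""

    def policy_violation(self, password):
        """Return the reason a password is unacceptable, or None if it is fine."""
        if len(password) < MIN_LEN:
            return f"password must be at least {MIN_LEN} characters"
        if len(password) > self.max_len:
            return f"password can't be longer than {self.max_len} characters"
        return None

    def change_password(self, new):
        reason = self.policy_violation(new)
        if reason:
            return False, reason            # reported at change time; nothing stored
        self.digest = _derive(new, self.salt)
        return True, "password changed"

    def login(self, attempt):
        reason = self.policy_violation(attempt)
        if reason:
            return False, reason
        ok = hmac.compare_digest(_derive(attempt, self.salt), self.digest)
        return ok, "ok" if ok else "wrong password"


if __name__ == "__main__":
    generated = "correct-horse-battery!"          # constructed 22-character password
    bank = TruncatingStore()
    print(bank.change_password(generated))       # (True, 'password changed')
    print(bank.login(generated))                 # rejected as too long
    print(bank.login(generated[:BANK_MAX]))      # (True, 'ok'): only 16 chars were saved
    fixed = ConsistentStore()
    print(fixed.change_password(generated), fixed.login(generated))
```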

Citibank needs to update its system to follow the NIST rules and start allowing people to choose more secure passwords.

Well this is all for now, will write more later.

– Suramya

July 6, 2017

Dear HDFC Bank: Please stop making life easier for phishers

Filed under: Computer Security,My Thoughts — Suramya @ 11:32 PM

I recently had to create an HDFC account because I changed firms and needed an HDFC account in order to be paid 🙂 . Once I created the account I got a few SMS messages from AM-HDFCBK asking me to register online for Netbanking and Mobile Banking, which is quite normal (though the number of messages was a bit annoying). What was scary and concerning was that the link in the message was a generic bit.ly URL. (See screenshot below)

HDFC Messages Screenshot

Screenshot of the Messages I got

For those who don’t know, bit.ly is a URL shortening service that allows you to create a short URL that redirects to a different URL. e.g. I have configured http://bit.ly/1MUISmu to redirect to https://en.wikipedia.org/wiki/Phishing. The service is most commonly used on Twitter where the max allowed characters are limited and the URL lengths are long.

However, since anyone can create a bit.ly redirect, there is no way of verifying that the link I got in the SMS was actually created by HDFC and points to a legitimate site rather than a website controlled by a cyber criminal who is out to steal my data. The link can point to literally any website in the world that the sender wants, including sites that are copies of the legitimate HDFC bank site but in reality store your credentials so that people can steal your money, or sites that infect your system with a virus/ransomware.

There is a reason why computer security professionals tell people not to click on random links they get via email/SMS/WhatsApp.

If you think that since the sender of the SMS is ‘AM-HDFCBK’ the message is legitimate and thus safe to click, then think again. There are a ton of websites out there that allow you to spoof SMS sender details to anything you want at a cheap price. In fact you can also code your own software for doing this in bulk using publicly available APIs at ridiculously cheap prices. These are sites I found after a couple of minutes of searching on Google; I am sure there are more secure/untraceable methods of sending fake/spoofed SMS messages on the dark web. So the risk of clicking on unknown links that I got out of nowhere is not worth it.

Normally what companies do in similar scenarios, if they absolutely have to use a shortener, is buy a short domain name and use that, so people getting the messages can identify the link as something pointing to the official site. But I guess someone at HDFC is trying to save money by not registering a new domain that would protect their customers. *Shrug*.

Ah well, looks like I will need to go to their official site and register my account from there.

Well this is all for now. Will write more later.

– Suramya

March 8, 2017

My Trek to Tadiandamol

Filed under: My Life,My Thoughts,Trips — Suramya @ 7:13 PM

So last weekend I went for my first trek of 2017 with NatureWalkers to this place called Tadiandamol. Don’t ask me to pronounce it because I still can’t manage without sounding silly, and it took me 3 attempts to spell it correctly. The trek is a total of 8 km round trip, and the peak, which is the highest in Coorg, is about 1748 m high.

Tadiandamol is one of the most beautiful, noncommercial peaks in Karnataka; it rises to about 1748 m and is known as the highest peak in Coorg/Kodagu district. The Tadiandamol trek offers adventurers an opportunity to explore the stunning vegetation, rare mountain birds and pretty butterflies flitting from tree to tree. The panoramic view from the peak is eye candy for hikers. The trail takes you through the vast expanse of the Shola forest. It is a day trek, which makes it even more doable for city folks, whether avid trekkers or casual hikers. A famous historical landmark, the Nalknad Palace, sits at the foothills of the mountain.

This was my first trek with Nature Walkers and I loved it. A total of 18 of us were there for the trek, with a wide range of trekking experience and age groups. The trip started at 10pm from Bangalore and we boarded the bus after donating a lot of blood to the Domlur mosquitoes (while waiting for the bus to arrive). We kicked off the evening with a round of introductions which included telling folks about something crazy you did, and man, some of the folks had done some crazy stuff (including me 🙂 ). We had people asking their professors to dance, setting fire in the hostel to burn notes and scaring aunts with skulls.

After the intro round ended most of the people went to sleep, but a few of us weren’t sleepy so we spent the majority of the night talking. After a few hours, just as we were winding down and I was about to fall asleep, the driver switched on the AC at full strength and played some Kannada music at high volume, waking me up. So we kind of half dozed while the driver took a nap, and then we were on our way again, reaching the homestay at ~7am. We freshened up and then, after breakfast, started for the base camp, which was about an hour from the homestay.

We arrived at the base camp all bright-eyed & bushy-tailed and started the trek on a high note. The start of the trek was fairly easy with a shallow gradient so it wasn’t too painful, though it was bright and sunny, which made it a bit uncomfortable, and soon I was sweating enough that I had to remove my cap.


Group photo at the start of the Trek and you can see the energy and enthusiasm

We walked the trek at a fairly slow pace and used the time to talk and learn more about each other, plus take a lot of photos and snapchat videos etc. A large part of the group was 12 friends who had come for the trek together and their enthusiasm was infectious. I haven’t downloaded all the pics yet and can’t post all of them in any case so here are a few pics to give you an idea about the trek and the route.

Selfie on the way to the peak about an hour into the trek


Random spot that looked interesting and was perfect for a break

After a little while the terrain became a lot steeper and it got a bit harder to climb. Since the distance to the peak is only 4 km it was a fairly steep climb most of the way. About half way through there is a big rock and a stream, so we took a break and obviously climbed the rock. 🙂


Group photo at the rock

The stream was refreshing, but had barely enough water to be called a stream. We filled our water bottles there and I got to use my water purifier to purify the water. I don’t think it was absolutely required but I needed an excuse to play with my gadgets so… In any case we spent about 15-20 mins fooling around and taking pics before resuming the trek.


The Amazingly full stream

It took us another 2 hours or so to climb to the top. Both Manoj and Amrita ensured that we all paced ourselves and constantly provided encouragement, so all of us reached the peak together, and the view was worth the effort spent to climb to the top. Thankfully it was a little cloudy towards the end of the climb and the breeze was very refreshing, which made it a bit easier.


Thanking the gods of the Peak that I made it to the top while Tejaswani and Amrita look on.


Look at how happy we all look that we made it to the top in one piece 🙂

Once at the top we all took a break to have lunch, meditate and enjoy the view while Manoj took a nap to recover from the stress of herding all of us to the peak.


Me, Jani and Shahrukh meditating at the peak


Manoj recovering from herding all of us to the peak.

We started back very reluctantly, both because we wanted to extend the stay at the top and because our feet hurt 🙂 The way down was more adventurous as the path was quite slippery and everyone fell at least once. There was also a contest going on to see who would fall the most, with the winner claiming the throne with 8 spectacular falls.

By the time we reached the base camp we were all ready to lie flat on the ground and not move. But still we ended up dancing for a little while in the bus on the way back to the homestay. Interestingly our bus had a laser/disco light setup which made dancing fun, although initially it was more moving hands and pretending to dance than actual dancing. Once we got home and freshened up we sat outside and chatted about topics all over the place, from weird food people eat to physics to astronomy and horror stories. The campfire made it cosy enough to sit outside, and since we didn’t have any portable speakers we got to show off our singing skills instead of our dancing skills. The jam session continued till almost 1 in the morning and we all dragged ourselves to bed quite reluctantly.

Next morning we again made an early start and left the homestay after a lovely breakfast.


Pic with the owners of the Homestay

We were all feeling a bit more energetic after resting overnight, so we spent a large amount of time playing Mafia, which I enjoyed for the first time. The last two times I played the game I found it very boring, but with this group it was a lot of fun. I was a cop in the first game and got to play a few turns before getting killed, and it was a lot of fun watching the players try to convince each other that they were not mafia. In the second game I was classified as Mafia and was there till the end of the game (we won 🙂 ), but in the last one I was the first person to be killed so didn’t get to play at all.

In the middle we stopped at Namdroling Monastery, which I have visited a few times before but which was still worth the visit. It is a very peaceful place, and since we got there just before the afternoon prayers started we managed to see the temple and then watched the monks start their prayers as well. We did avoid the shopping complex, as otherwise we would have been stuck there for hours while the ladies shopped 😉, and were on the way back to Bangalore with brief stops for lunch & tea and lots of dancing.

We all enjoyed the trip so much that we didn’t want it to end so most of us got down at Indiranagar for dinner at Copper Chimney instead of heading home directly. The waiter gave us a weird look when the 13 of us were done with just starters and dessert but none of us were very hungry so it was good that we didn’t over-order.

Overall the trip was a great success and I really enjoyed traveling with Nature Walkers. I would highly recommend them to folks looking for a fun well organized trip.

Well this is all for now. Will post more later.

– Suramya

PS: For those of you who are wondering about what happened to posting about the previous trips, I realized that the list had gotten long enough that I wouldn’t be able to post about them (15 trips in 2016) and because I was waiting to write about the previous trips I wasn’t posting about the new ones either. So decided to bite the bullet and start with a clean slate. Hopefully this year I will be more consistent with my writing.

February 25, 2016

Indian Patent office rejects Software patents

Filed under: Computer Software,My Thoughts — Suramya @ 8:00 PM

As you know, software patents are something of a scourge in the computer industry and are hated for the most part (except by the companies using them to make money/stifle innovation and competition). There is extensive debate on the topic, all of which boils down to the following three questions:

  • Should software patents even be allowed? If they are, then how do we define the boundary between patentable and non-patentable software?
  • Is the inventive step and non-obviousness requirement applied too loosely to software?
  • Are software patents discouraging innovation instead of encouraging it?

The Indian patent office ruled on 19th Feb 2016 that software patents discourage innovation, using the following three-part test to determine the patentability of Computer Related Inventions (CRIs), which precludes software from being patented:

  • Openly construe the claim and identify the actual contribution;
  • If the contribution lies only in mathematical method, business method or algorithm, deny the claim;
  • If the contribution lies in the field of computer programme, check whether it is claimed in conjunction with a novel hardware and proceed to other steps to determine patentability with respect to the invention. The computer programme in itself is never patentable. If the contribution lies solely in the computer programme, deny the claim. If the contribution lies in both the computer programme as well as hardware, proceed to other steps of patentability.

This is a great step in ensuring that useless/basic ideas don’t get patented and stifle innovation.

– Suramya

Source: Press Release: Indian Patent Office Says No to Software Patents

January 12, 2016

Got some personality Insights from IBM’s Watson

Filed under: Interesting Sites,My Thoughts — Suramya @ 1:01 AM

I was watching Felicia Day’s Flog earlier today and one of the sites she talks about in it is Personality Insights. This site claims to be able to help you gain insight into how and why people think, act, and feel the way they do by applying linguistic analytics and personality theory to their writings.

Since I was intrigued I decided to try it out using text from two of my Blog posts from the past. The first one was using the text from Some thoughts on the mails on how folks born in x-y range are the best. According to this:

I am likely to:

  • Reply on social media
  • Buy eco-friendly

Which is about 50% accurate, as I normally don’t reply on/use social media that much. Though I do prefer to be eco-friendly when possible, so that part can be taken as accurate.

I am unlikely to:

  • Buy healthy foods
  • Use a coupon
  • Click on an ad

All of which are mostly true. I don’t normally click on ads, unless I manage to do it accidentally. I use an ad blocker and try to filter out as many of the annoying ads as I can. Using a coupon requires way too much effort, so I tend not to unless it’s relatively simple. As for healthy foods, most of the time they are absolutely tasteless so I avoid them for the most part.

Other than that, the site thinks I am an extrovert (not really), assertive (which is kind of true) and that my ‘choices are driven by a desire for connectedness.’ Not sure what that means exactly, but it sounds really deep and inspiring. 🙂


Screen shot of the results of the test, with more details

The second entry was a more recent one from September, on the app created to tell slow people that they are bored and why this is a bad idea. The results of this one contradict the previous one in a few major areas, although to be fair the text sample is a lot smaller, so that could have skewed the result (as per the site). According to this:

I am likely to:

  • Change careers
  • Click on an ad
  • Follow on social media

This one is only about 33% accurate, as I have been known to change careers quite often before I joined GS. I definitely don’t click on ads and rarely follow folks on social media. To give you an idea, I started using Twitter in mid-2015.

I am unlikely to:

  • Buy eco-friendly
  • Reply on social media
  • Spend on health and fitness

This is about 60% accurate: I prefer to buy eco-friendly, but rarely reply on social media and hardly ever spend on health and fitness. Other than that, the site thinks I am unconventional and shrewd (first time I have had someone tell me that), unconcerned with art (which is true, I find most of the so-called art boring and silly; don’t even get me started on ‘modern art’) and that I choose based on a desire for efficiency (which is true, I like to think that I am efficient).


Results from the second text sample

All in all this was an interesting read, and though parts of it made me laugh, it does give you a glimpse of what might be coming in the near future, when computers will be able to diagnose your personality and figure out your mood based on your behavior and writings.

Well this is all for now, will write more later.

– Suramya
