Suramya's Blog : Welcome to my crazy life…

June 15, 2015

Winners for the 2014 Underhanded C Contest are announced

Filed under: Computer Security,Tech Related — Suramya @ 10:45 AM

The Underhanded C Contest is an annual contest where developers are asked to write code which is clear, readable and as straightforward as possible while doing something evil in a very subtle manner. The goal behind the contest is to make people aware that even code that looks completely benign can be doing something bad either intentionally or accidentally. The contest has been around for 7 years and the solutions people have come up with are amazing. This year’s winner was Karen Pease and trying to understand their code made my head hurt.

Here’s an extract from the site that explains how Karen gamed the system:

  • We get the cur_time = localtime() and we want to check if cur_time->tm_year is a leap year
  • We call __isleap( cur_year = AUDIT(cur_time->tm_year) )
  • this expands into a line of code from nested macros
  • The first thing that happens is a call to check_clock_skew() that calls localtime() on a teensy time interval, overwriting our time structure
  • cur_time->tm_year is now 0, which satisfies all three clauses in the __isleap() macro,
  • Causing AUDIT() code to be evaluated thrice
  • Ow my head, and
  • The year (or rather, the number 0) is written to the audit record three times. This overfills the audit buffer.
  • Thus the final AUDIT call zeroes out a user’s created time, if the user was surveilled.

Looking at this code, it explains how difficult it is to prevent a skilled programmer from adding backdoors or Easter eggs in software and why code reviews are so important.
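
The two C behaviours the extract relies on, reduced to a reviewable test case: a leap-year macro that evaluates its argument up to three times, and the shared static buffer behind gmtime()/localtime(), each beside a safer form. This is an added example, not the contest entry's code; ISLEAP_MACRO, audit() and the timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Same shape as a typical leap-year macro: the argument appears three times. */
#define ISLEAP_MACRO(y) ((y) % 4 == 0 && ((y) % 100 != 0 || (y) % 400 == 0))

/* Safer form: a function evaluates its argument exactly once. */
static inline int isleap_fn(int y) {
    return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0);
}

static int audit_calls;   /* counts how often the side effect fires */

/* Hypothetical stand-in for a logging hook placed inside a macro argument. */
static int audit(int year) { audit_calls++; return year; }

/* Number of times the side effect runs when passed through the macro. */
int macro_evaluations(int year) {
    audit_calls = 0;
    (void)ISLEAP_MACRO(audit(year));
    return audit_calls;
}

/* Same call through the function: always one evaluation. */
int function_evaluations(int year) {
    audit_calls = 0;
    (void)isleap_fn(audit(year));
    return audit_calls;
}

/* gmtime()/localtime() return a pointer to shared static storage (glibc and
   musl both do this), so a later call rewrites what an earlier pointer sees. */
int stale_pointer_year(time_t first, time_t second) {
    struct tm *held = gmtime(&first);
    (void)gmtime(&second);            /* e.g. a helper buried in a macro */
    return held->tm_year + 1900;      /* reports the year of 'second' */
}

/* Safer form: copy the struct by value before anything else can touch it
   (POSIX gmtime_r()/localtime_r() into a caller-owned struct also works). */
int copied_year(time_t first, time_t second) {
    struct tm snap = *gmtime(&first);
    (void)gmtime(&second);
    return snap.tm_year + 1900;
}

int main(void) {
    time_t now = 1434326400, tiny = 5;   /* constructed: 2015-06-15 UTC, epoch+5s */
    printf("macro evals   2015=%d 2016=%d 0=%d\n", macro_evaluations(2015),
           macro_evaluations(2016), macro_evaluations(0));
    printf("function evals 0=%d\n", function_evaluations(0));
    printf("held pointer year=%d, copied year=%d\n",
           stale_pointer_year(now, tiny), copied_year(now, tiny));
    return 0;
}
```

In review, any function-like macro whose argument has a side effect, and any struct tm pointer kept across another time call, deserves a second look.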

– Suramya

April 25, 2015

There is no such thing as a completely secure OS

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 1:47 AM

Every once in a while, while talking to folks about computer security, I am told that I should switch to Macs because they don’t have security issues or viruses. I find that very amusing and I think the following comic sums up the ‘apple fanboi’ thinking quite succinctly:

Even though it is funny, unfortunately a whole lot of folks still believe in the myth that Apple computers/devices are secure/don’t get viruses. Now, don’t get me wrong, there are a lot of good points for the Mac OS and they just work for some people. I am not one of them but that doesn’t mean that I ‘hate’ Mac OS or Windows for that matter. I like Linux, others don’t. That is their choice and this is my choice. This post is to talk about computer security and highlight some of the major flaws that have hit Apple computers over the past few months:

Firmware Bootkit: Thunderstrike

This was discovered by Trammell Hudson back in Jan 2015. It allows a user to quietly, persistently and virally compromise Apple Macs from boot. Since the code is stored in the firmware it is very difficult to detect and remove. It works against all MacBooks released since 2011. Apple has released a fix but it is hard to ensure that your computer isn’t already infected before applying the patch.

Details are at: Thunderstrike shocks OS X with firmware bootkit.

Shellshock: Macs are vulnerable

Shellshock allowed attackers to insert malicious pieces of code from a remote location and get full system control of a victim’s machine. The scary part of the story wasn’t that Apple computers were vulnerable (plenty of systems were), it was the fact that Apple refused to acknowledge the issue and took over 15 days to release a patch for the problem, even though it was being actively exploited in the wild. Their justification was that “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities… With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services”.

So basically if you don’t use your computer to do anything other than the default configuration you are good (for the most part). Those of us who use Macs to actually code or develop stuff are not a priority for Apple.

Bypassing OS X Security (Gatekeeper & xProtect)

Patrick Wardle, director of research at Synack, spoke at the RSA conference a few days ago about OS X security and, as per him, getting around the restrictions put in by the OS X Security tools is trivial.

“Gatekeeper doesn’t verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,”

More details on the issue are at: Researcher Discloses Methods For Bypassing All OS X Security Protections

iOS WiFi Bug Allows Remote Reboot of All Devices In Area

This one is my favorite. It allows an attacker to cause all iOS devices (iPhones/iPads) in a particular area to crash and/or reboot. It involves setting up a rogue wireless access point (WiFi hotspot) and manipulating the traffic to it to cause all apps and iOS devices in range to crash. The best part is that there is no fix for it. The only way to resolve the issue is to move out of range of the Access Point. Even putting your phone in Airplane mode doesn’t work. Which is scary on its own because that means that even when you are in Airplane mode the phone is still transmitting/receiving data from wireless networks.

Since there is no fix for it yet, the researchers have not released a lot of details on the exploit but once Apple releases a fix they will give more details on it. Then I can just imagine someone setting up one of these using a Raspberry Pi at a conference hidden under a table causing a whole bunch of people a whole lot of pain/annoyance.

Additional details of the issue are at: Evil Wi-Fi kills iPhones, iPods in range

There are a whole lot more where these came from. So the moral of the story is that there is no system that is 100% secure. If you want to stay safe, follow best practices, update frequently and pray.

– Suramya

November 8, 2014

Be careful of software claiming to hide your data on your Phone

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 11:59 PM

Yesterday (well, technically today) I was trying to find some data on my old phone to copy to my new phone so I decided to copy over all the folders from the phone to my desktop to make it easier to look through it. While I was going through the data I found a folder called .keepsafe under the Android/data folder so I looked in it cause I got curious and found some interesting data. Actually before I tell you what I found let’s take a step back and go over what Keepsafe is: It is an app for both iOS and Android that allows you to hide photos/files on your phone and then only people with the correct PIN can view them. From their site: “You lock your rings in a jewelry box. You lock your certificates in a cabinet. Now KeepSafe makes sure your personal files are locked down and hidden, using privacy features such as PIN Pad and Fake PIN.” I had installed this version of Keepsafe a few years ago to try it out but had since uninstalled it as I didn’t find it useful.

Coming back to the folder and what I found. It had two files under it: .local and .email. The .email file had my email address in it but the contents of the .local file were shocking. It had my ‘secret pin’ in clear-text in the file. So anyone with some idea of how apps store data and access to a file browser would have been able to get my pin and view images/data that was supposed to have been protected.

Since this was an older version of the software I downloaded and installed the latest version on my S5 to see if the issue was still there. Thankfully someone at the company figured out that storing the data in clear-text was extremely stupid and in the latest version of the software the same two files are still there but the data is encrypted. Not sure how strong the encryption is because I don’t have the knowledge/skill set to try to figure that out. I did however identify where the files are being stored (they are all encrypted as well) so someone with the original image and an encrypted copy could potentially reverse engineer the encryption and assuming they are using a static encryption key decrypt the remaining files as well.

Moral of the story is that if you want to ‘hide’ data on your phone be very careful of the software you use to do it. Ideally you should avoid storing any data that is sensitive on the phone. There are plenty of ways to get access to the data if someone is interested and has time. This is not an isolated case of badly written software. There are other cases as well where other software was found to have similar amazing security. So be careful out there.

I did find some more interesting data on the phone that I will take a stab at when I get some time.

Well this is all for now. Will write more later.

– Suramya

November 7, 2014

Free Intro to Cryptography course for programmers

Filed under: Computer Security,Security Tutorials,Tech Related — Suramya @ 1:34 AM

Security pro Laurens Van Houtven has created a free introductory cryptography course to help programmers, by giving them a bird’s eye view of how cryptosystems work and teaching them to apply the same principles in real software. This is an extension of his talk given last year on breaking crypto.

Comes with everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms.

Learn how to exploit common cryptographic flaws, armed with nothing but a little time and your favorite programming language.

Forge administrator cookies, recover passwords, and even backdoor your own random number generator.

Check it out at: Crypto 101

Thanks to The Register for the link to this great resource.

– Suramya

November 3, 2014

Use Excel to Watch Movies at Work

Before I start, let me make it very clear: I don’t recommend that you do this at work. If you get fired for doing this then it is your fault. I take absolutely no responsibility. That being said, let’s proceed. I found this very interesting because it shows that no matter how much you try to secure a system there is always a way around any restrictions people put in the system and the only truly secure system is one encased in a ton of concrete at the bottom of the ocean. In this case a user figured out how to use the VBA (Visual Basic for Applications) functionality in Excel to go around the restrictions placed on his computer by his company’s IT department to watch movies at work.

From a Hacker/ingenuity point of view I love this, but from a work perspective I don’t think this was such a good idea. If you really wanted to watch a movie at work then there are easier and safer options to do so; watching it on your phone or tablet is one option that comes to mind. I seriously doubt that his IT admin or his manager would be amused when they find out about this hack.

Behind the cascade of rectangles and in the land of the Excel macro, [AyrA_ch] took advantage of the program’s VBA (Visual Basic for Applications) functions to circumvent the computer’s restrictions. Although VBA typically serves the more-complex-than-usual macro, it can also invoke some Windows API commands, one of which calls Windows Media Player. The Excel file includes a working playlist and some rudimentary controls: play, pause, stop, etc. as well as an inspired pie chart countdown timer.

Hacking things is fun, but folks need to realize that they need to stop being stupid about it. I am sure there are a lot of things I can do at work that I might not be supposed to but just because you can, doesn’t mean that you should.

Check out the original post on Reddit for a link to the file and a more detailed explanation.

Thanks to Hackaday.com for the story.

– Suramya

October 12, 2014

Take Orders From A Cat And Learn Cybersecurity

Here’s an interesting site that teaches Cybersecurity to folks in the form of a game. As you know cyber criminals are getting more and more sophisticated and the best way to counter that is to train more folks on the basic principles of Cyber Security. It is targeted towards children but is good fun for adults as well.

Take cybersecurity into your own hands. In this Lab, you’ll defend a company that is the target of increasingly sophisticated cyber attacks. Your task is to strengthen your cyber defenses and thwart the attackers by completing a series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers.

Check it out at: NovaLabs Cybersecurity
Source: Popsci.com

– Suramya

October 10, 2014

Instead of wasting time playing Sudoku you should mine Bitcoins with Pencil and Paper

Filed under: Computer Related,Computer Security,Tech Related — Suramya @ 11:58 PM

Do you like to play Sudoku? If so then you should look at using paper and pencil to mine Bitcoins instead and make some money out of your hobby. A bloke named Ken Shirriff who is an engineer at Google has created a video and a detailed blog post on how this can be done. Apparently it is a slow process but the algorithms for Bitcoin generation are easy enough to crunch.

Shirriff completed a round of SHA-256 in 16 minutes and 45 seconds at which rate a full Bitcoin block would take about a day and a half, less with more practice, he said.

“The SHA-256 algorithm is surprisingly simple to do by hand,” Shirriff said.

“In comparison, current Bitcoin mining hardware does several terahashes per second, about a quintillion times faster than my manual hashing.”

All I can say is, go for it if you like crunching numbers… I know I won’t. 🙂

Source: Theregister.com

– Suramya

October 1, 2014

Erase Your iCloud Drive by resetting your iPhone settings

This has not been a good month for Tech, we are getting issues across the board on all fronts. First we had the iCloud hack (or fappenning as it was called). Then ShellShock hit followed by this new issue in iOS 8 where if you reset your iPhone settings your backups on the cloud also go bye-bye. Ouch! I hope if you are using the iCloud (or any cloud for that matter) you have a duplicate copy of your data somewhere else or you better not try to reset your phone.

The bug creeps up when you select Settings > General > Reset > Reset All Settings. Typically, this is just supposed to reset your network settings to give your iOS device a clean slate to work with, but it turns out it’s also deleting all your files from iCloud Drive.

The issue was discovered by members of the MacRumors forum. It just shows that no matter how much we try nothing is perfect and there are bugs in every system. The best way to ensure that you don’t lose data is to store it in multiple places using multiple types of media/services.

I have a lot of my data backed up on a RAID array and am in the process of setting up a cloud server at home to sync it across different locations. I am not using Dropbox or other such services because I don’t want to trust my data to any external provider. Earlier I used to back up data on DVD’s/CD’s. Before that I used to store the data on Floppy disks.

Fun fact, I was recently looking for some code that I had written around 1998 and ended up searching through my old Floppy disks to find it. Interesting thing was that about 90% of the disks still worked and I was able to read the data without issues. (Well… no issues other than the fact that I had to buy a USB floppy drive as my motherboard doesn’t have a connector for floppy drives…) I don’t see the same level of longevity in either DVD’s or CD’s so far. I haven’t tried Blu-ray disks yet because of the cost and the fact that HDD’s are getting cheaper / larger.

Thanks to lifehacker.com for the initial links.

– Suramya

February 12, 2012

Google Wallet PIN cracked on Android devices

Filed under: Computer Related,Computer Security,My Thoughts,Tech Related — Suramya @ 8:53 PM

The past few days there has been a lot of press around the fact that the Google Wallet PIN was cracked on rooted Android phones. Lots of people including computer programmers and technologists (who should frankly know better) have reacted to this by posting messages/comments equivalent to: “rooting is bad”, “rooting causes security holes” etc etc etc… Guess they have forgotten the simple rule of computer security: “physical access is total access”, basically it means that if I have physical access to a device I can get full access to it eventually.

This fact was demonstrated quite nicely by the news that you don’t really need to root your phone to get your pin hacked, all you need to do is reset the application data.

The problem in both cases is caused by the fact that the Google Wallet’s pin is stored locally on the phone itself instead of online so if you can get access to it you can bruteforce it or if you clear the app data it removes the pin and lets you choose another.

One way of fixing the second issue would be to force the phone to link to the internet after the local cache is cleared to sync the pin with the online secure server instead of just letting a user choose a new one. The fix for the first case is a lot harder because you can’t have a wallet that requires the phone to be connected to the web every time you use it, and if you store it locally then you are just asking for trouble.

Another way would be for the receiving side to validate the pin sort of like how we do it for credit cards but that doesn’t seem too feasible either. Or we could salt the pin with the user’s account info/do a dual encryption, first one requires the pin to unlock the second one requires the account password.

Now if I can come up with such solutions then I am sure the people at Google and the various banks working on this issue will come up with other more secure options. It’s not the end of the world. Yet. This is a new technology and like all new tech it has its teething issues and I am looking forward to the final fixed product.

– Suramya

March 28, 2010

Wikibooks has an open-content textbook on Cryptography

Filed under: Computer Security,Interesting Sites,Tech Related — Suramya @ 11:56 PM

I don’t know if you have heard about Wikibooks yet or not. If you haven’t then you are missing out on a great resource. Basically Wikibooks is a community for creating a free library of educational textbooks that anyone can edit. Sort of like Wikipedia but specifically for Books.

One of the books they have is a book on Cryptography that is quite easy to read and follow. At the time of this writing a lot of the sections in the book still have to be added but new content is added regularly and over time I think it will become a great resource for everyone.

Check it out.

– Suramya
