Thoda sa main...(A little bit of me)

Have heard this question so many times from many friends & well wishers lately.

Yeah! You read it right. Someone is trying to hack me!

While you'll be reading it as "HACK me", I'm still thinking "hack ME".

Dear Attacker,
I don't have anything interesting enough for you to break into my machine and steal it.

a) I don't have anything related to national security on my laptop which you can make use of
b) I'm not a billionaire that you can scoop off something, rather people know I'm as broke as any other average guy :)

c) Info about my clients & future plans goes somewhere else & no traces of that will be found on my laptop/phone/home network

----------------------------

Although I used to get gmail password reset request atleast twice a week, but this is a real good one & the attacker deserves a round of applause for it. The amount of time & knowledge he has put in here, I can offer him a very lucrative job with handsome salary (are you listening Mr AV?, we got a candidate). And with this much dedication he can break into corporate or even more secure networks.

For the knowledge & food for thought of my readers, this is how it all looks like.
As far as I know/understand, this started in the beginning of Feb 2011. My personal laptop has enough protective layers (antivirus, patches, firewall, blah blah) and as anybody would guess I keep it more up-to-date compared to many people out there.

So the attack (when I detected) was done using Metasploit, a wonderful attack/security testing framework by @hdmoore and the attacker caught me on CVE-2010-0840 which is a Java runtime vulnerability allowing remote code execution. It was sent to me via some malicious web page which I might have stumbled somehow. (I'm pretty much into exploring lot of garbage online). I know my JRE was 2 subversions older which made this attack possible.

I felt something fishy when on my home broadband (not a shared LAN) I started getting
SSL errors. Thanks to stubbornness of Google Chrome, it didn't allowed me to ignore it & made me think twice. When scanned my RAM, I found "meterpreter" running in my explorer.exe (pretty neat dude). This was the time when I knew someone is deliberately trying to get into my machine & it can't be a work of a malware.

Damn you attacker, you forced me to change 83 passwords in total.

Moving ahead I started keeping a (more) vigil eye on my machine for the attack to re-occur, I also created a honeypot with a lot of legitimate looking traffic to lure him. But seems like the attacker understood that I have found his meterpreter trick & have killed the session once. So now his attack strategy changed and looking at the strategy used further, I'm not sure if it is work of a single guy or bunch of them together or even individually. If it's by a single guy, I seriously have a good job for him waiting.

This time the attacker seems to have got access to the firmware of my home router or wifi access point (I'm still to investigate my firmware). I started getting SSL warnings even on my phone when connected to wifi at home but not on my GPRS. Now this can't be done with access to my machine only, for this the attacker needs access to the network infrastructure. More interestingly the SSL warnings are only for some specific sites (gmail/twitter/facebook).

The attacker presented me a fake SSL certificate for api.twitter.com and this is what he did wrong. He created a fake certificate with validity of 10 years. In no good senses , twitter will buy a certificate from verisign (twitter actually uses equifax) for 10 years in one go. This fake certificate was encountered on my phone, when I rechecked actual certificate of api.twitter.com (this time using my USB internet dongle) it is issued by equifax and for one year only. See images below & click them for enlarged view.


There are few more screenshots & reverse trace reports but I'm not posting online for legal reasons. I'd need them to be produced as evidence.

I've spent enough time on this attack, reported it to appropriate authority & want to keep my hunt on to find my well wisher. The only problem is I have a life to live & a lot of work to do, which seems like the attacker doesn't have.

----------------------------

So dear attacker,

Go and get a life, you won't find anything more juicy on my machine/phone/network. If you wanted to prove it to the world that you can "Hack Rohit", I think I have done your work easy with this blog post.

----------------------------

An open letter to all my friends, family & followers,

If you receive some garbage mail or tweet from my side (@rohit11, @_rohit11, @clubhack) be assured that it wasn't me. You can still expect garbage videos shared on my facebook wall & you know that I keep sharing those stupid videos there :)

Wish me good luck & good life to the attacker(s)

PS - If this can happen to me, this can happen to you too. I'd again request you all to be little more careful online. As in "brand new days" song, STING said "It could happen to you - just like it happened to me. There's simply no immunity - there's no guarantee"

PS - I have used "he", "his", "him" to address the attacker but I'm not being gender biased. I don't think I have a "my super ex-girlfriend" kind of ex who would take so much of pain to attack me. Having said that, I'm still not under estimating the skills of female attackers.

PS - I used word "hack" cause that's what 90% of this world understand :)

tags: Fun Blogging

You all know my passion behind ClubHack. It started with a passion of creating a platform for information security enthusiast to come under one roof & share knowledge.

That's Bruce Schneier in Indian Pagri

He also brought me his latest book "Schneier on security" with his typical autograph which is a tiny crypt in itself.

Book "Schneier on Security" & typical autograph of Bruce Schneier

If your read it correctly it reads as "ENJOYTHEBOOK" if you read from top left corner going one character down and then following the string. Pretty Cool.

In March this year, there were few shouts about US government forcing certifying Authorities (CAs) to had over SSL key to decrypt mail transfer. Personally I'm not worried till the time the decrypted data is with any govt but it would be a serious issue if anyone else reads my data.

Today twitter announced public availability of @anywhere which I thought of giving a shot.
Yes it's easy to setup and works like charm

STEPS:

1. Go to the dev site of twitter anywhere

2. Login using your twitter account & go ahead to create an application

3. All inputs asked are pretty much intuitive

4. Go to you APP detail page & take a not of your API key

5. On your website simply add the code snippet preferably at the end just before

<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {
 twitter.hovercards();
 twitter(".post").linkifyUsers();
});
</script>

6. Bang you are done. Now any twitter username on your webpage will be linked to twitter hovercacrd & a mouse over will show the fun

7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.

8. To test I have added the same in this blog & now we'll see a few example with a little shameless plug of my twitter handles ;)

Mouseover these twitter handles to see @anywhere in action

My Twitter handles:

Technical tweets - @rohit11

General fun & casual tweets - @_rohit11

ClubHack - @clubhack

.

The way internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world

[click image to enlarge]

tags: Tech

A lot of tweets today informed me about launch of Damn Vulnerable Web App (DVWA) which is basically an aid for security professionals to test their skills and tools and help web developers better understand the processes of securing web applications.

I had an old list of tools/plug-ins/utilities etc which can be helpful while playing with DVWA and I'd like to share the same for you to learn WebApp Security better.

Proxy Servers:
WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Firefox Plugins: [ https://addons.mozilla.org/en-US/firefox/collection/webappsec ]
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966
SwitchProxy: https://addons.mozilla.org/en-US/firefox/addon/125
SQL Inject Me: https://addons.mozilla.org/en-US/firefox/addon/7597
XSS Me: https://addons.mozilla.org/en-US/firefox/addon/7598
NoScript: http://noscript.net/getit
ShowIP: https://addons.mozilla.org/en-US/firefox/addon/590
ViewStatePeeker: https://addons.mozilla.org/en-US/firefox/addon/7167
LiveHTTPHeader: https://addons.mozilla.org/en-US/firefox/addon/3829

Injection Tools:
SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Some other HACKMEs:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Foundstone Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp

While doing webapp security testing, how can someone forget rsnake. Check out http://ha.ckers.org/ & specially his list of jailfree hacking sites @ http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime

Happy Hacking

Every time you run an application on Windows box, a prefetch file is created in "c:\WINDOWS\Prefetch". This file with extension .pf keeps information for optimizing the load time of the application (as the name suggests).

I always wanted to see what's there in the .pf file. Recently NirSoft has released a tool called WinPrefetchView which can be used to see the content of these files.

image source : nirsoft.net


Note: This website http://nirsoft.net is a wonderful resource for nice tiny utilities for many system & password plays.

On the brighter side :)
# Shifted to Delhi from Pune.
# Bought another car.
# Worked for Commonwealth Games 2010.
# Finally got married to Stuti.
# Went to Puri & then Nainital for honeymoon.
# Delivered talks/lectures in IIM Ahmedabad & IIT Madras.
# Tajmahal & Delhi tourism with Stuti along with few more places in north.
# Decided to quit Commonwealth Games 2010.
# Organized ClubHack2009.
# Organized Indo-UK cyber security roundtable conference in ClubHack2009.
# Did wardriving in Pune again
# Worked for some serious national security projects.
# & right now baking a cake for the new year :)

On the down side :(
# No bike rides this year. Need to get back there.
# No more girlfriends, those were the days...
# Very less parties, need to party more
# Didn't organized even a single BarCamp, just attended one.

In total a very happening year. Hope to have 2010 a better one

Wish you all the readers a very happy & prosperous new year.

tags: Fun Blogging

image: wikipedia

tags: Security

two one za two
two two za four
two three za six

many of us have grown up mugging this and I always wondered what is this ZA, is it a synonym of "equals to" ??

Just a casual browsing today answered this long pending query of mine

its actually

two 1s are two
two 2s are four
two 3s are six

Thanks to the anonymous who clarified this thing to me today.

If we divide the whole table in columns, I always thought that its the "1st column" being counted "2nd column" times gives you the result in "3rd column". Its actually the "2nd column" counted "1st column" time gives you the result in "3rd column".

Confused? Have fun....

Last week, Techcrunch reported rumors of the release of the Google Chrome OS. They stated that the info came from a reliable source, and indeed that source was reliable. Google had an event at their headquarters, and indeed provided new details and a demo of the Chrome OS. The Chromium Blog has some great videos that provide some additional information about Chrome OS as well.

The Chromium OS source code is available for download (Chromium OS is the open-source version of Google Chrome OS), and you can compile and build it. It took some time, but I did manage to do this on my 64-bit Ubuntu 9.04 (Jaunty Jackalope) machine. I also managed to put together a VirtualBox virtual appliance that is all ready to go. I built a torrent for it, so feel free to download it here:

Download the Chromium OS VirtualBox Appliance Torrent

Please continue to seed, as I’m sure there will be many people out there wanting to try it out.

To use it, just start up VirtualBox, click File and then Import. Navigate to the chromiumos.ovf file and select it. The virtual appliance will be imported into VirtualBox and you should be good to go.

I also included a txt file that more or less has the commands I used to build it. You may be able to run it as a script, although I haven’t confirmed that it will work. I guess you could say I more or less took “script-like notes” as I was building Chromium OS.

If you hit Ctrl+Alt+T when you first log in, you’ll get a shell prompt. You can run “sudo su” (no quotes) to log in as root, and I’ve set the password to “password” (no quotes). If you use this machine for anything serious (although I doubt you would), be sure to change the password.

You should be running VirtualBox 3.0.12, and when you import the virtual appliance everything should be configured properly. If you get an error that says “network not connected and offline login fail” when you try to log in, be sure that the virtual network adapter is set to Intel Pro/1000 MT Desktop (82540EM).

If the network adapter is already properly configured but you are still seeing the error, try logging in with the user “chronos” with the password “password” (no quotes). This should log you in and bring up the chrome browser window. If you don’t see a Google Accounts login screen, try hitting the refresh button. That should bring up the Google Accounts login screen.

It is absolutely astounding how fast it boots. It really is nearly instant-on and takes a mere few seconds to bring up the login screen.

Once you log in with your Gmail account, it launches and you’ll see the Chromium interface open up to your Gmail. There is also a Google Calendar tab and a New Tab tab. The little chrome sphere appears in the upper left corner, but when you click on it you don’t get a menu as you see in some of the Chrome OS videos. Instead, you get a Google.com account login page.

As you can see, it looks very much like the Chrome OS screenshots that had surfaced last month. Of course, being that this is running on a virtual machine without any decent video drivers on the operating system, the resolution is quite low (800×600). Your dear old granddad may be the only one that actually finds it visually appealing at this resolution.

Right now the most impressive thing is how fast this operating system loads. Of course, it should load fast because there really is hardly anything there. In any case, it is rather neat to see an early release in action. The fact that it actually works on a virtual machine is quite promising. Eventually as drivers for more hardware are incorporated into it, it should be possible to run it your own real hardware.

I just went into the Chrome OS Wave I found with the link to the VMWare disk image, and apparently the poor guy that posted that file to Amazon Web Services ran up a $380 bill so he took the file down. Here’s the torrent of the same file posted up on Pirate Bay:

Download the Chromium OS VMWare Virtual Disk Image Torrent

However, I haven’t tried using it, so I can’t confirm that it will run on VMWare without issue. Enjoy your Google Chrome OS virtual machines!

[Via GeekLad]

Mind it, this is a simple copy of the blog entry, I was quite busy in preps of http://clubhack.com/2009 and no time to test this or re-write this :)

No responsibilities if this torrent/VM doesn't work ;)