0 comments Tuesday, August 30, 2011

Have heard this question so many times from many friends & well wishers lately.

  • Where are you absconding these days?
  • What projects are you doing these days?
  • What keeps you busy these days?

So here's the answer.
Friends, I'm taking a lean time in my career as of now to spend more time with Sanay.

I'm still active on facebook but almost inactive on twitter and other places.
Work wise gone into a safe zone so that I can keep earning enough and still enjoy Sanay's daily growth.

I plan to be in this phase for sometime now and then relook at other stuff later.

Till that time, here're a few e-activities with Sanay for you


His website: http://sanay.in


0 comments Thursday, February 24, 2011

Yeah! You read it right. Someone is trying to hack me!

While you'll be reading it as "HACK me", I'm still thinking "hack ME".

----------------------------
Dear Attacker,
I don't have anything interesting enough for you to break into my machine and steal it.

a) I don't have anything related to national security on my laptop which you can make use of
b) I'm not a billionaire that you can scoop off something, rather people know I'm as broke as any other average guy :)
c) Info about my clients & future plans goes somewhere else & no traces of that will be found on my laptop/phone/home network

----------------------------

Although I used to get Gmail password reset requests at least twice a week, this is a real good one & the attacker deserves a round of applause for it. For the amount of time & knowledge he has put in here, I can offer him a very lucrative job with a handsome salary (are you listening Mr AV?, we got a candidate). And with this much dedication he can break into corporate or even more secure networks.

For the knowledge & food for thought of my readers, this is what it all looks like.
As far as I know/understand, this started in the beginning of Feb 2011. My personal laptop has enough protective layers (antivirus, patches, firewall, blah blah) and as anybody would guess I keep it more up-to-date compared to many people out there.

So the attack (when I detected it) was done using Metasploit, a wonderful attack/security testing framework by @hdmoore, and the attacker caught me on CVE-2010-0840, which is a Java runtime vulnerability allowing remote code execution. It was sent to me via some malicious web page which I might have stumbled upon somehow. (I'm pretty much into exploring a lot of garbage online). I know my JRE was 2 subversions older which made this attack possible.

I felt something fishy when on my home broadband (not a shared LAN) I started getting SSL errors. Thanks to the stubbornness of Google Chrome, it didn't allow me to ignore it & made me think twice. When I scanned my RAM, I found "meterpreter" running in my explorer.exe (pretty neat dude). This was the time when I knew someone is deliberately trying to get into my machine & it can't be the work of a malware.

Damn you attacker, you forced me to change 83 passwords in total.

Moving ahead, I started keeping a (more) vigilant eye on my machine for the attack to re-occur. I also created a honeypot with a lot of legitimate looking traffic to lure him. But it seems like the attacker understood that I have found his meterpreter trick & have killed the session once. So now his attack strategy changed and, looking at the strategy used further, I'm not sure if it is the work of a single guy or a bunch of them together or even individually. If it's by a single guy, I seriously have a good job waiting for him.

This time the attacker seems to have got access to the firmware of my home router or wifi access point (I'm still to investigate my firmware). I started getting SSL warnings even on my phone when connected to wifi at home but not on my GPRS. Now this can't be done with access to my machine only, for this the attacker needs access to the network infrastructure. More interestingly the SSL warnings are only for some specific sites (gmail/twitter/facebook).

The attacker presented me a fake SSL certificate for api.twitter.com and this is what he did wrong. He created a fake certificate with a validity of 10 years. In no good sense will twitter buy a certificate from verisign (twitter actually uses equifax) for 10 years in one go. This fake certificate was encountered on my phone; when I rechecked the actual certificate of api.twitter.com (this time using my USB internet dongle) it is issued by equifax and for one year only. See images below & click them for enlarged view.


There are a few more screenshots & reverse trace reports but I'm not posting them online for legal reasons. I'd need them to be produced as evidence.
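The comparison described above (same hostname, one certificate seen over the home Wi-Fi and one over a separate connection) can be scripted. This is an added example, not code from the original post: the certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the dates are invented, and the 5-year lifetime threshold is an assumed policy value.

```python
import ssl
from datetime import timedelta

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# Issuer names follow the post; all dates are invented for illustration.
BASELINE = {  # fetched over a path believed clean (the USB dongle in the post)
    "subject": ((("commonName", "api.twitter.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Equifax"),)),
    "notBefore": "Jun  1 00:00:00 2010 GMT",
    "notAfter": "Jun  1 00:00:00 2011 GMT",
}
SUSPECT = {  # presented on the home Wi-Fi
    "subject": ((("commonName", "api.twitter.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "VeriSign, Inc."),)),
    "notBefore": "Feb  1 00:00:00 2011 GMT",
    "notAfter": "Feb  1 00:00:00 2021 GMT",
}

# Assumed policy threshold, not a standard: flag anything valid for over 5 years.
MAX_LIFETIME = timedelta(days=5 * 366)


def name_field(name, key):
    """Return the first value for key in a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def lifetime(cert):
    """Validity period of the certificate as a timedelta."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return timedelta(seconds=end - start)


def compare_views(baseline, observed, max_lifetime=MAX_LIFETIME):
    """Return (code, detail) findings for a certificate seen on a suspect path."""
    findings = []
    base_issuer = name_field(baseline["issuer"], "organizationName")
    seen_issuer = name_field(observed["issuer"], "organizationName")
    if base_issuer != seen_issuer:
        findings.append(("issuer-changed", f"{base_issuer!r} -> {seen_issuer!r}"))
    # A legitimate renewal also changes the window, so treat this as a hint only.
    if any(baseline[k] != observed[k] for k in ("notBefore", "notAfter")):
        findings.append(("validity-window-changed",
                         f"{observed['notBefore']} .. {observed['notAfter']}"))
    if lifetime(observed) > max_lifetime:
        findings.append(("validity-too-long", f"{lifetime(observed).days} days"))
    return findings


if __name__ == "__main__":
    for code, detail in compare_views(BASELINE, SUSPECT):
        print(f"{code}: {detail}")
```

Against a live server, `getpeercert()` returns an empty dict when the certificate was not validated, so a certificate that fails validation has to be captured with `getpeercert(binary_form=True)` and decoded with a separate X.509 parser before a comparison like this.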

I've spent enough time on this attack, reported it to appropriate authority & want to keep my hunt on to find my well wisher. The only problem is I have a life to live & a lot of work to do, which seems like the attacker doesn't have.

----------------------------
So dear attacker,
Go and get a life, you won't find anything more juicy on my machine/phone/network. If you wanted to prove it to the world that you can "Hack Rohit", I think I have done your work easy with this blog post.

----------------------------

An open letter to all my friends, family & followers,

If you receive some garbage mail or tweet from my side (@rohit11, @_rohit11, @clubhack) be assured that it wasn't me. You can still expect garbage videos shared on my facebook wall & you know that I keep sharing those stupid videos there :)


Wish me good luck & good life to the attacker(s)

PS - If this can happen to me, this can happen to you too. I'd again request you all to be little more careful online. As in "brand new days" song, STING said "It could happen to you - just like it happened to me. There's simply no immunity - there's no guarantee"


PS - I have used "he", "his", "him" to address the attacker but I'm not being gender biased. I don't think I have a "my super ex-girlfriend" kind of ex who would take so much of pain to attack me. Having said that, I'm still not under estimating the skills of female attackers.


PS - I used word "hack" cause that's what 90% of this world understand :)

3 comments Saturday, February 19, 2011

I remember in good old days when I was in school & I heard this music band called "Misty Rhythms".
The album was called as "Aye Laila" & had one song with a music video which got somewhat popular due to fresh born MTV in India those days. (Can anyone point me to the actual music video of that song?)




I had the "cassette" of this album but slowly with death of tapes, I lost this album. I searched online many times to buy a CD/DVD version but never got one till date.

Finally today I searched again and found that someone has uploaded the mp3s on rapidshare. I know its a crime to listen to this MP3 version but I'm ready to pay (double or more) if anyone can get me the legitimate CD/DVD


I found the songs & my day is made.

Now you must be thinking what's SO great about this album which has this crazy song & why does it deserve a blog post. So let me tell you this is some of the finest music I have loved. If possible go ahead and listen to other songs of this album. "Aye Laila" is the only one which is funky, rest all are so melodious & wonderfully written that I'm sure many of you would love it.

It's a wonderful fusion of Classical + Reggae + African + God knows what. It's really a hypnotic music album. I'm not a music expert, nor have I sat for any session of music appreciation, but still this whole album is very close to my heart.

# Songs like "Big Blue Eyes", "Far far away", "Cuckoo" & "Voice from Stone" have magical lyrics.
# Songs like "Dancing raindrops" & "Dance of Shiva" have the wonderful Indian classical music touch
# Song "Hand in Hand" always reminds me of Bombay theme music


That's not all, there are interesting facts about the band members

Ramana Gogula - Was MD of Sybase India & Co-founder of Liqwid Krystal, an IT startup in bangalore. Then moved to South Indian film industry as music director

Kush Khanna - is a BS graduate and CEO of Bazaar of India Imports, the largest importer of ayurvedic product and musical instruments into the USA.

Ramana Gogula and Kush Khanna, both were based in the US and had formed a musical collaboration and named their band as Misty Rhythms

Sources - http://www.expressindia.com/ie/daily/19980626/17750734.html


Before I end this post, another song @ youtube which you can enjoy




Ramana, Kush
Wherever you are, my best wishes to you & would love to get more of such music.



0 comments Sunday, December 05, 2010

You all know my passion behind ClubHack. It started with a passion of creating a platform for information security enthusiasts to come under one roof & share knowledge.


While this was my passion I had a dream too. My dream was to have the international fame information security guru Bruce Schneier as a guest in my event. In this 4th year of ClubHack, the Keynote address was delivered by my idol.



Bruce Schneier delivering his keynote address @ ClubHack2010

Yeah I was excited as well as proud to have him here in ClubHack2010. It was indeed a dream come true for me. We welcomed him in a traditional way by tying a pheta on his head and he loved it too


That's Bruce Schneier in Indian Pagri


He also brought me his latest book "Schneier on security" with his typical autograph which is a tiny crypt in itself.
Book "Schneier on Security" & typical autograph of Bruce Schneier

If you read it correctly it reads as "ENJOYTHEBOOK" if you read from top left corner going one character down and then following the string. Pretty Cool.


Finally I met my guru Dronacharya & I'm on my cloud number 9 for that :)

3 comments Monday, October 04, 2010

Google announced launch of http://google.com/tv and everybody including me is very excited about the whole concept as well as the product.

But for a lot of those geeks who don't want to bleed from their pockets for the same
OR
Those geeks who can't wait for GoogleTV to come to their country have 2 nice options

Remember, these are opensource products hence free for personal use but might need some hardware, hence calling them as "cheaper options"


MythTV is a Free Open Source software digital video recorder (DVR) project distributed under the terms of the GNU GPL. It has been under heavy development since 2002, and now contains most features one would expect from a good DVR (and many new ones that you soon won't be able to live without)

Myth Today has gone beyond a simple DVR and has almost all the features of GoogleTV.
  • Watch and record analog and/or digital TV, including HDTV.
  • Pause, skip, and rewind live TV shows.
  • Completely automatic commercial detection/skipping, with manual correction via an intuitive cutlist editor.
  • Intelligently schedules recordings to avoid conflicts.
  • Parental controls to keep your kids out of the good shows.
  • Watch youtube directly
  • Watch and archive DVDs and other video files.
  • Listen to your digital music collection.
  • Schedule and administer many functions remotely via a web browser.
  • Share your TV/Media library in different rooms over UPnP.
  • You can add browser to this and do a normal surfing too.
  • Many more...
Moreover a complete distro called Mythbuntu is available today which as the name specifies, is Myth over Ubuntu. No installation hassles, no config worries. As simple as it can be :)

Here are some screenshots


Personal Note - I have tried it & found it working very fine on my atom machine with 1G RAM. I was not able to find a correct TV tuner card which supports the cable. Rest everything including a web browser makes it a perfect home entertainment library. You get a lot of themes to change the look and feel too. It can even fetch info on demand from IMDB including details, images, plot etc about movie collection you have.



LinuxMCE is much beyond an entertainment setup. It even includes home automation wherein you can do
  • Lighting control - Turn on/off lights
  • Climate control - Manage AC, window blinds
  • Security - Alarm management, CCTV feature using normal webcam
  • Telecom - Home EPABX with bundled asterisk
  • & Media - Play your Media Files, DVDs, CDs, TV wherever you are
As per the website, the media part of LinuxMCE can
  • Organize media with special metadata tags
  • View/Listen to media in any room
  • Media automatically follows you through your home
  • New media is automatically detected - even if it's on other devices like another computer on your network or Network Attached Storage (NAS)
  • Control all your A/V gear through LinuxMCE (using IR, USB, Ethernet, or RS-232) including automatically powering everything on and setting the proper inputs on each device
  • Together with the lighting part of LinuxMCE, lights in the room where video is being watched are dimmed when you start the movie.
  • Together with the Telecom part of LinuxMCE, the media is paused, when a call comes in, and continued when you hang up.

As you might have guessed by now, to exploit the real power of LinuxMCE, you need to be a geekhead. But once you do it, it's a great product to live with. Here are some screenshots








Personal Note - Haven't dived deeper into LinuxMCE. Have tried only camera and media setup which works like charm again on an atom machine with 1G RAM


Interested, ping me if you need any help in setting this up. Once you do it I'm sure you'll love it. If you know or have been using some other product for same, do let me know.



0 comments Friday, April 30, 2010

In March this year, there were a few shouts about the US government forcing Certifying Authorities (CAs) to hand over SSL keys to decrypt mail transfer. Personally I'm not worried till the time the decrypted data is with any govt but it would be a serious issue if anyone else reads my data.


Old school hacks using fake SSL were popular till sometime where the adversary used to issue a fake certificate and client application (mail client/browser) would throw a warning. Those attacks were banking on stupidity of users to ignore the warning and move forward.

Then came a time (I'm not sure if it is over yet) where shady CAs would provide certificate without proper verification.

Now the latest findings say a few webmail providers were not careful enough to disable a few admin-like accounts, due to which anyone could have generated a genuinely fake certificate and conducted a man-in-the-middle attack without ANY warning from any software.

So I thought of conducting the same test on Indian webmail providers which are still popular and many people use for mailing. I chose the following 4 popular services and tried to create an account ssladmin@

1. indiatimes.com
2. rediff.com
3. india.com
4. sify.com

Here are my findings
1. Indiatimes.com - the account creation interface gave an error saying the account is already in use
2. rediff.com - denied saying this username is not allowed
3. india.com - denied saying the username is forbidden
4. sify.com - Oops! sify.com allowed me to create the account. Which means I could have gone to a CA and asked for a SSL certificate.

I got in touch with sify.com authorities but no one responded and they didn't disable my account either for more than a week. Then I had to get in touch with the head of portal business via LinkedIn and finally the account was closed. I'm still to receive a note of acknowledgement but at least sify users are safe now.
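A provider-side check for the gap tested above, as an added example (not code from the post or from any of the providers named). The reserved list combines the five constructed addresses from the CA/Browser Forum Baseline Requirements with the `ssladmin` name used in the post; the delivery rules (case-insensitive, dots ignored, plus tags) describe a hypothetical provider and should be replaced with the real ones.

```python
import unicodedata

# Local parts a CA may mail to prove control of a domain. The first five are the
# constructed addresses in the CA/Browser Forum Baseline Requirements; "ssladmin"
# is the name tested in the post. Extend the set for the CAs you care about.
RESERVED = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "ssladmin",
})


def canonical(local_part):
    """Map a requested username to the mailbox it would actually deliver to.

    Assumed delivery rules of a hypothetical provider: case-insensitive,
    compatibility forms folded (NFKC), "+tag" suffixes dropped, dots ignored.
    The check must mirror the provider's real rules, otherwise an alias of a
    reserved mailbox can still be registered.
    """
    s = unicodedata.normalize("NFKC", local_part).casefold()
    s = s.split("+", 1)[0]
    return s.replace(".", "")


def signup_allowed(local_part):
    """Reject usernames whose mailbox collides with a CA validation address."""
    return canonical(local_part) not in RESERVED


def audit_existing(accounts):
    """Return already-registered accounts that collide with a reserved name.

    Covers the case from the post where the account could simply be created:
    blocking new signups does nothing about mailboxes that already exist.
    """
    return [a for a in accounts if canonical(a) in RESERVED]


if __name__ == "__main__":
    # Constructed usernames for illustration.
    for name in ["rohit11", "ssladmin", "SSL.Admin", "postmaster+ca"]:
        print(name, "allowed" if signup_allowed(name) else "blocked")
```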



Happy & Safe Browsing

0 comments Thursday, April 15, 2010

Today twitter announced public availability of @anywhere which I thought of giving a shot.
Yes it's easy to setup and works like charm


STEPS:
1. Go to the dev site of twitter anywhere
2. Login using your twitter account & go ahead to create an application
3. All inputs asked are pretty much intuitive
4. Go to your APP detail page & take a note of your API key
5. On your website simply add the code snippet preferably at the end just before


<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {
twitter.hovercards();
twitter(".post").linkifyUsers();
});
</script>

6. Bang, you are done. Now any twitter username on your webpage will be linked to a twitter hovercard & a mouse over will show the fun
7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.
8. To test I have added the same in this blog & now we'll see a few example with a little shameless plug of my twitter handles ;)

Mouseover these twitter handles to see @anywhere in action

My Twitter handles:
Technical tweets - @rohit11
General fun & casual tweets - @_rohit11
ClubHack - @clubhack




1 comments Sunday, April 04, 2010

The way internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world


As per Byte Level
Each ccTLD is sized relative to the population of the country or territory, with the exception of China and India, which were restrained by 30% to fit the layout. At the other end of the spectrum, the smallest type size used reflects those countries with fewer than 10 million residents.



1 comments Tuesday, February 23, 2010

A lot of tweets today informed me about launch of Damn Vulnerable Web App (DVWA) which is basically an aid for security professionals to test their skills and tools and help web developers better understand the processes of securing web applications.

I had an old list of tools/plug-ins/utilities etc which can be helpful while playing with DVWA and I'd like to share the same for you to learn WebApp Security better.

Proxy Servers:
WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Firefox Plugins: [ https://addons.mozilla.org/en-US/firefox/collection/webappsec ]
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966
SwitchProxy: https://addons.mozilla.org/en-US/firefox/addon/125
SQL Inject Me: https://addons.mozilla.org/en-US/firefox/addon/7597
XSS Me: https://addons.mozilla.org/en-US/firefox/addon/7598
NoScript: http://noscript.net/getit
ShowIP: https://addons.mozilla.org/en-US/firefox/addon/590
ViewStatePeeker: https://addons.mozilla.org/en-US/firefox/addon/7167
LiveHTTPHeader: https://addons.mozilla.org/en-US/firefox/addon/3829

Injection Tools:
SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Some other HACKMEs:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Foundstone Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp

While doing webapp security testing, how can someone forget rsnake. Check out http://ha.ckers.org/ & specially his list of jailfree hacking sites @ http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime


Happy Hacking




0 comments Saturday, January 09, 2010

Every time you run an application on a Windows box, a prefetch file is created in "c:\WINDOWS\Prefetch". This file with extension .pf keeps information for optimizing the load time of the application (as the name suggests).

I always wanted to see what's there in the .pf file. Recently NirSoft has released a tool called WinPrefetchView which can be used to see the content of these files.

image source : nirsoft.net


Note: This website http://nirsoft.net is a wonderful resource for nice tiny utilities for many system & password plays.

1 comments Thursday, December 31, 2009

On the brighter side :)
# Shifted to Delhi from Pune.
# Bought another car.
# Worked for Commonwealth Games 2010.
# Finally got married to Stuti.
# Went to Puri & then Nainital for honeymoon.
# Delivered talks/lectures in IIM Ahmedabad & IIT Madras.
# Tajmahal & Delhi tourism with Stuti along with few more places in north.
# Decided to quit Commonwealth Games 2010.
# Organized ClubHack2009.
# Organized Indo-UK cyber security roundtable conference in ClubHack2009.
# Did wardriving in Pune again
# Worked for some serious national security projects.
# & right now baking a cake for the new year :)

On the down side :(
# No bike rides this year. Need to get back there.
# No more girlfriends, those were the days...
# Very less parties, need to party more
# Didn't organize even a single BarCamp, just attended one.

In total a very happening year. Hope to have 2010 a better one

Wish you all the readers a very happy & prosperous new year.



1 comments Wednesday, December 23, 2009


Christmas & New Year are here and it's the time many people buy/exchange gifts. So if the next shiny gift in your hand is a smartphone, then remember the following tips to be safe & secure your data.

1. Don't lose track of your phone.
This one goes non-technical. Don't lose sight of your smartphone. Keep your eyes on it when you leave it anywhere, especially at the airport security check-in. The nature of data stored on the phone makes it more important now.

2. Turn off Wifi & Bluetooth
Keep wifi & bluetooth turned off when not in use. I'm sure you are smart enough by now not to accept unknown bluetooth connections but what about wifi. When you use wifi, always remember to use encrypted connections. BTW turning these off will also conserve your battery.

3. Do not sync everything
It's the first thing everyone tries to do after getting a smartphone: sync it up with the PC. Though it comes in very handy, avoid the temptation of syncing your passwords and very critical information which you often store in notes of Outlook or similar apps. If the phone gets stolen, just remember you might be giving away everything.

4. Do not click on links in emails/sms.
SPAM has also gone the smartphone way; now and then you might get an SMS/MMS for some offer with a link to click. DO NOT click any such link unless you have verified it in depth. Same goes for mails on the phone; follow the same rule as on your PC.

5. Download apps with care.
The first thing anyone would love to do after getting a shiny new phone is download & install applications, that too loads of them. Always make sure you are downloading them from trusted sources. Sometimes common apps are rebundled with malware and kept for download at different websites. If you know an application, download it from its parent website only.

6. Backup your data.
Most importantly, keep a backup of your data. A regular sync with the PC will ensure this, but still make sure you have copies of the phone data on your PC, which I hope is regularly getting backed up.

Smartphones are actually the best gadget to digitise your life and really are very helpful. All you need to do is take little extra care and make it safe.

Merry Christmas & Happy New Year

5 comments Wednesday, December 16, 2009

two one za two
two two za four
two three za six

many of us have grown up mugging this and I always wondered what is this ZA, is it a synonym of "equals to" ??

Just a casual browsing today answered this long pending query of mine

its actually

two 1s are two
two 2s are four
two 3s are six

Thanks to the anonymous who clarified this thing to me today.

If we divide the whole table in columns, I always thought that it's the "1st column" being counted "2nd column" times that gives you the result in "3rd column". It's actually the "2nd column" counted "1st column" times that gives you the result in "3rd column".

Confused? Have fun....

0 comments Friday, November 20, 2009

Last week, Techcrunch reported rumors of the release of the Google Chrome OS. They stated that the info came from a reliable source, and indeed that source was reliable. Google had an event at their headquarters, and indeed provided new details and a demo of the Chrome OS. The Chromium Blog has some great videos that provide some additional information about Chrome OS as well.

The Chromium OS source code is available for download (Chromium OS is the open-source version of Google Chrome OS), and you can compile and build it. It took some time, but I did manage to do this on my 64-bit Ubuntu 9.04 (Jaunty Jackalope) machine. I also managed to put together a VirtualBox virtual appliance that is all ready to go. I built a torrent for it, so feel free to download it here:

Download the Chromium OS VirtualBox Appliance Torrent

Please continue to seed, as I’m sure there will be many people out there wanting to try it out.

To use it, just start up VirtualBox, click File and then Import. Navigate to the chromiumos.ovf file and select it. The virtual appliance will be imported into VirtualBox and you should be good to go.

I also included a txt file that more or less has the commands I used to build it. You may be able to run it as a script, although I haven’t confirmed that it will work. I guess you could say I more or less took “script-like notes” as I was building Chromium OS.

If you hit Ctrl+Alt+T when you first log in, you’ll get a shell prompt. You can run “sudo su” (no quotes) to log in as root, and I’ve set the password to “password” (no quotes). If you use this machine for anything serious (although I doubt you would), be sure to change the password.

You should be running VirtualBox 3.0.12, and when you import the virtual appliance everything should be configured properly. If you get an error that says “network not connected and offline login fail” when you try to log in, be sure that the virtual network adapter is set to Intel Pro/1000 MT Desktop (82540EM).

If the network adapter is already properly configured but you are still seeing the error, try logging in with the user “chronos” with the password “password” (no quotes). This should log you in and bring up the chrome browser window. If you don’t see a Google Accounts login screen, try hitting the refresh button. That should bring up the Google Accounts login screen.

It is absolutely astounding how fast it boots. It really is nearly instant-on and takes a mere few seconds to bring up the login screen.

chromium-os-login

Once you log in with your Gmail account, it launches and you’ll see the Chromium interface open up to your Gmail. There is also a Google Calendar tab and a New Tab tab. The little chrome sphere appears in the upper left corner, but when you click on it you don’t get a menu as you see in some of the Chrome OS videos. Instead, you get a Google.com account login page.

google-chrome-running

As you can see, it looks very much like the Chrome OS screenshots that had surfaced last month. Of course, being that this is running on a virtual machine without any decent video drivers on the operating system, the resolution is quite low (800×600). Your dear old granddad may be the only one that actually finds it visually appealing at this resolution.

Right now the most impressive thing is how fast this operating system loads. Of course, it should load fast because there really is hardly anything there. In any case, it is rather neat to see an early release in action. The fact that it actually works on a virtual machine is quite promising. Eventually as drivers for more hardware are incorporated into it, it should be possible to run it on your own real hardware.

I just went into the Chrome OS Wave I found with the link to the VMWare disk image, and apparently the poor guy that posted that file to Amazon Web Services ran up a $380 bill so he took the file down. Here’s the torrent of the same file posted up on Pirate Bay:

Download the Chromium OS VMWare Virtual Disk Image Torrent

However, I haven’t tried using it, so I can’t confirm that it will run on VMWare without issue. Enjoy your Google Chrome OS virtual machines!

[Via GeekLad]

Mind it, this is a simple copy of the blog entry, I was quite busy in preps of http://clubhack.com/2009 and no time to test this or re-write this :)

No responsibilities if this torrent/VM doesn't work ;)


2 comments Saturday, October 31, 2009

I thought you had to do it twice in a row ;)

Windows lovers' way



mac fanboys' way


What way will a Linux geek use? cp or ctrl+yy or something else???



Source: http://www.geeksaresexy.net/