0 comments Sunday, December 05, 2010

You all know my passion behind ClubHack. It started with a passion of creating a platform for information security enthusiast to come under one roof & share knowledge.

While this was my passion I had a dream too. My dream was to have the international fame information security guru Bruce Schneier as a guest in my event. In this 4th year of ClubHack, the Keynote address was delivered by my idol.

Bruce Schneier delivering his keynote address @ ClubHack2010

Yeah I was excited as well as proud to have him here in ClubHack2010. It was indeed a dream come true for me. We welcomed him in a traditional way by tying a pheta on his head and he loved it too

That's Bruce Schneier in Indian Pagri

He also brought me his latest book "Schneier on security" with his typical autograph which is a tiny crypt in itself.
Book "Schneier on Security" & typical autograph of Bruce Schneier

If your read it correctly it reads as "ENJOYTHEBOOK" if you read from top left corner going one character down and then following the string. Pretty Cool.

Finally I met my guru Dronacharya & I'm on my cloud number 9 for that :)

3 comments Monday, October 04, 2010

Google announced launch of http://google.com/tv and everybody including me is very excited about the whole concept as well as the product.

But for a lot of those geeks who don't want to bleed from their pockets for the same
Those geeks who can't wait for GoogleTV to come to their country have 2 nice options

Remember, these are opensource products hence free for personal use but might need some hardware, hence calling them as "cheaper options"

MythTV is a Free Open Source software digital video recorder (DVR) project distributed under the terms of the GNU GPL. It has been under heavy development since 2002, and now contains most features one would expect from a good DVR (and many new ones that you soon won't be able to live without)

Myth Today has gone beyond a simple DVR and has almost all the features of GoogleTV.
  • Watch and record analog and/or digital TV, including HDTV.
  • Pause, skip, and rewind live TV shows.
  • Completely automatic commercial detection/skipping, with manual correction via an intuitive cutlist editor.
  • Intelligently schedules recordings to avoid conflicts.
  • Parental controls to keep your kids out of the good shows.
  • Watch youtube directly
  • Watch and archive DVDs and other video files.
  • Listen to your digital music collection.
  • Schedule and administer many functions remotely via a web browser.
  • Share your TV/Media library in different rooms over UPnP.
  • You can add browser to this and do a normal surfing too.
  • Many more...
Moreover a complete distro called Mythbuntu is available today which as the name specifies, is Myth over Ubuntu. No installation hassles, no config worries. As simple as it can be :)

Here are some screenshots

Personal Note - I have tried it & found it working very fine on my atom machine with 1G RAM. I was not able to find a correct TV tuner card which supports the cable. Rest everything including a web browser makes it a perfect home entertainment library. You get a lot of themes to change the look and feel too. It can even fetch info on demand from IMDB including details, images, plot etc about movie collection you have.

LinuxMCE is much beyond a entertainment setup. It even includes home automation wherein you can do
  • Lighting control - Turn on/off lights
  • Climate control - Manage AC, window blinds
  • Security - Alarm management, CCTV feature using normal webcam
  • Telecom - Home EPABX with bundled asterisk
  • & Media - Play your Media Files, DVDs, CDs, TV whereever you are
As per the website, the media part of LinuxMCE can
  • Organize media with special metadata tags
  • View/Listen to media in any room
  • Media automatically follows you through your home
  • New media is automatically detected - even if it's on other devices like another computer on your network or Network Attached Storage (NAS)
  • Control all your A/V gear through LinuxMCE (using IR, USB, Ethernet, or RS-232) including automatically powering everything on and setting the proper inputs on each device
  • Together with the lighting part of LinuxMCE, lights in the room where video is being watched are dimmed when you start the movie.
  • Together with the Telecom part of LinuxMCE, the media is paused, when a call comes in, and continued when you hang up.

As you might have guessed by now, to exploit real power of LinuxMCE, you need to be a geekhead. But once you do it, its a great product to live with. Here are some screenshots

Personal Note - Haven't dived deeper into LinuxMCE. Have tried only camera and media setup which works like charm again on an atom machine with 1G RAM

Interested, ping me if you need any help in setting this up. Once you do it I'm sure you'll love it. If you know or have been using some other product for same, do let me know.

0 comments Friday, April 30, 2010

In March this year, there were few shouts about US government forcing certifying Authorities (CAs) to had over SSL key to decrypt mail transfer. Personally I'm not worried till the time the decrypted data is with any govt but it would be a serious issue if anyone else reads my data.

Old school hacks using fake SSL were popular till sometime where the adversary used to issue a fake certificate and client application (mail client/browser) would throw a warning. Those attacks were banking on stupidity of users to ignore the warning and move forward.

Then came a time (I'm not sure if it is over yet) where shady CAs would provide certificate without proper verification.

Now latest findings says few webmail provider were not careful enough to disable few admin-like accounts due to which anyone could have generated a genuinely fake certificate and conduct man-in-the-middle account without ANY warning from any software.

So I thought of conducting the same test on Indian webmail providers which are still popular and may people use it for mailing. I choose following 4 popular services and tired to create an account ssladmin@

1. indiatimes.com
2. rediff.com
3. india.com
4. sify.com

Here are my findings
1. Indiatimes.com - the account creation interface gave an error saying the account is already in use
2. rediff.com - denied saying this username is not allowed
3. india.com - denied saying the username is forbidden
4. sify.com - Oops! sify.com allowed me to create the account. Which means I could have gone to a CA and asked for a SSL certificate.

I got in touch with sify.com authorities but no one responded and they didn't either disabled my account for more than a week. Then I had to get in touch with head of portal business via LinkedIn and finally the account was closed. I'm still to receive a note of acknowledgement but atleast sify users are safe now.

Happy & Safe Browsing

0 comments Thursday, April 15, 2010

Today twitter announced public availability of @anywhere which I thought of giving a shot.
Yes it's easy to setup and works like charm

1. Go to the dev site of twitter anywhere
2. Login using your twitter account & go ahead to create an application
3. All inputs asked are pretty much intuitive
4. Go to you APP detail page & take a not of your API key
5. On your website simply add the code snippet preferably at the end just before

<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {

6. Bang you are done. Now any twitter username on your webpage will be linked to twitter hovercacrd & a mouse over will show the fun
7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.
8. To test I have added the same in this blog & now we'll see a few example with a little shameless plug of my twitter handles ;)

Mouseover these twitter handles to see @anywhere in action

My Twitter handles:
Technical tweets - @rohit11
General fun & casual tweets - @_rohit11
ClubHack - @clubhack


1 comments Sunday, April 04, 2010

The way internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world

As per Byte Level
Each ccTLD is sized relative to the population of the country or territory, with the exception of China and India, which were restrained by 30% to fit the layout. At the other end of the spectrum, the smallest type size used reflects those countries with fewer than 10 million residents.

[click image to enlarge]

1 comments Tuesday, February 23, 2010

A lot of tweets today informed me about launch of Damn Vulnerable Web App (DVWA) which is basically an aid for security professionals to test their skills and tools and help web developers better understand the processes of securing web applications.

I had an old list of tools/plug-ins/utilities etc which can be helpful while playing with DVWA and I'd like to share the same for you to learn WebApp Security better.

Proxy Servers:
WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Firefox Plugins: [ https://addons.mozilla.org/en-US/firefox/collection/webappsec ]
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966
SwitchProxy: https://addons.mozilla.org/en-US/firefox/addon/125
SQL Inject Me: https://addons.mozilla.org/en-US/firefox/addon/7597
XSS Me: https://addons.mozilla.org/en-US/firefox/addon/7598
NoScript: http://noscript.net/getit
ShowIP: https://addons.mozilla.org/en-US/firefox/addon/590
ViewStatePeeker: https://addons.mozilla.org/en-US/firefox/addon/7167
LiveHTTPHeader: https://addons.mozilla.org/en-US/firefox/addon/3829

Injection Tools:
SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Some other HACKMEs:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Foundstone Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp

While doing webapp security testing, how can someone forget rsnake. Check out http://ha.ckers.org/ & specially his list of jailfree hacking sites @ http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime

Happy Hacking

0 comments Saturday, January 09, 2010

Every time you run an application on Windows box, a prefetch file is created in "c:\WINDOWS\Prefetch". This file with extension .pf keeps information for optimizing the load time of the application (as the name suggests).

I always wanted to see what's there in the .pf file. Recently NirSoft has released a tool called WinPrefetchView which can be used to see the content of these files.

image source : nirsoft.net

Note: This website http://nirsoft.net is a wonderful resource for nice tiny utilities for many system & password plays.