Archive for the ‘Security’ Category

Skills shortage leaves Australian Computer Society open to attack.

Friday, January 22nd, 2010

According to the Australian Computer Society and DIAC (the department for immigration) there is a massive shortage in Australia of “Computing Professionals specialising in Network Security/Firewall/Internet Security”.

No surprise there; what’s more of a shocker is that the very people who assess the skills of would-be migrants to Australia can’t even secure their own website against the most basic type of injection attack, namely cross-site scripting (I’m guessing it’s down to the skills shortage).

Security flaw

The ACS, however, don’t seem to be concerned. I emailed them twice at the beginning of the week about the fault and they have yet to reply to my email or even fix it. The carefully crafted link below will generate the above screenshot.

http://www.acs.org.au/index.cfm?action=load&temID=search&searchtxt="><h1>hello</h1><script>alert(document.cookie);</script><input type="hidden"&pageno=1&display=1&searchbtn.x=53&searchbtn.y=16

The code is not malicious; the above script will just output the current cookie to the screen. With security flaws like this, let’s hope the ACS aren’t “shaping our future”…

Update 27th January: It appears that someone at the ACS has fixed the issue, but only to the extent of filtering the <script></script> tags from the input string… HTML injection is still possible. Wouldn’t it have been easier just to use html_entities() or a similar asp.net function to sanitize the string before displaying it? HTML injection is still a big security risk.

How not to advertise for a PHP programming job

Wednesday, October 28th, 2009

So I got an email today for a job in Tower Hill (that’s central London). The job came with a simple programming test: write a script that parsed a tab-separated file and produced a batch script as the output. They kindly provided a working copy of their solution on their website so you could validate the output of your code.

If I were going to advertise a job in a company and provide an online example of my own code, I’d make darn sure that, unless the sole purpose of my online code was to find someone who knew what an XSS flaw was, the link to the script I sent a prospective employee to wasn’t vulnerable to cross-site scripting attacks. Eeek. Worse still, as their script seemed to accept either GET or POST variables as inputs (they were probably checking $_REQUEST rather than $_POST or $_GET in their code), it was possible to format a link that injected HTML code straight into their website.

Screenshot of the flaw with 'Cheese!!' being injected.

You can mitigate the threat from these types of attacks by properly sanitizing your variables before they are displayed. If this is on an HTML page and you are expecting an integer value then intval might be a good function to use; if it’s a text field you might try htmlentities. If any data is going into a database then you need to be using mysql_escape_string on all of your variables.

As I’ve not alerted the company to the flaw I won’t post the URL to the exploit. Luckily the page in question can’t be found in Google’s index. I wonder if anyone else will notice…
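The PHP below is an added example written for the two posts above; it is not the job-test script, nor code from the ACS site. It puts the three approaches mentioned side by side: filtering only the <script> tags (the ACS fix, which still lets <h1> and any other markup through), encoding the output with htmlspecialchars (htmlentities works the same way for this purpose), and coercing an expected integer with intval. It also reads the search term from $_GET only, rather than $_REQUEST. The input string is a constructed sample modelled on the kind of value shown in the post, and the function and parameter names are my own.

```php
<?php
// Added example, not the code of either site discussed above.

// "Fix" of the kind described in the ACS update: remove only <script> tags.
// Every other tag and attribute in the input survives, so HTML injection remains.
function stripScriptOnly(string $input): string
{
    return preg_replace('#</?script[^>]*>#i', '', $input);
}

// Proper fix for a text value echoed into HTML: encode the characters that
// carry meaning in HTML (<, >, &, " and ') so the browser shows them as text.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Proper fix for a value that must be an integer (e.g. a page number):
// coerce it, so nothing but a number can reach the page.
function pageNumber($raw): int
{
    return max(1, intval($raw));
}

// Read the parameter from the request method you actually expect. Using
// $_REQUEST (the job-test script's likely mistake) lets a GET link supply a
// value the form was meant to send by POST.
function searchTermFromGet(array $get): string
{
    return isset($get['searchtxt']) ? (string) $get['searchtxt'] : '';
}

// Render the search form with every dynamic value encoded or coerced.
function renderSearchBox(string $term, int $page): string
{
    return '<input type="text" name="searchtxt" value="' . encodeForHtml($term) . '">'
         . '<input type="hidden" name="pageno" value="' . $page . '">';
}

// Constructed sample input (assumption: this is what a hostile search term looks like).
$sample = '"><h1>hello</h1><script>alert(document.cookie);</script><input type="hidden"';

echo "strip-only : ", stripScriptOnly($sample), "\n";   // <h1> and the stray quote survive
echo "encoded    : ", encodeForHtml($sample), "\n";     // rendered as literal text
echo "page number: ", pageNumber('1<b>x</b>'), "\n";    // 1
echo renderSearchBox(searchTermFromGet(['searchtxt' => $sample]), pageNumber('2')), "\n";
```

Run it from the command line with php and compare the first two lines of output: the strip-only version still contains a closing quote and a live <h1> tag, while the encoded version is inert wherever it is placed inside an attribute or element body. Escaping at output time, with the function matched to the context (HTML body, attribute, integer, database query), is the point the two posts make.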

Secure your wifi connection using SSL + mod_proxy

Monday, October 5th, 2009

Being ultra-paranoid about using other people’s wifi connections, I’ve come up with a solution to make things a little safer. It’s by no means new, having been around for quite a while, but it works well. I’ve set up Apache on my web server to act as a proxy server for connections originating from 127.0.0.1. I then create a secure tunnel from my local machine using SSL and direct my web browser to connect using my new secure proxy. This is great for extra security when browsing the internet and checking emails on insecure wifi networks.

If you want to set up your own proxy you’ll need Apache installed with mod_proxy, mod_proxy_http and mod_proxy_ftp; you’ll also need SSH access to a server that’s secure. Once Apache and mod_proxy are installed, add the following lines to your Apache config file.

ProxyRequests Off

Listen 127.0.0.1:80

<VirtualHost 127.0.0.1>
        ProxyRequests On
        ProxyPreserveHost On

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /tmp/proxy_log common
</VirtualHost>

The ProxyRequests Off line is very important, as you don’t want anyone other than clients connecting via 127.0.0.1 on the server to be able to use your proxy server; proxying is switched on only inside the virtual host bound to the loopback address.

Once you’ve done that you just need to set up your SSH tunnel:

ssh -p 22 user@yourserver.com -N -f -L 127.0.0.1:4444:127.0.0.1:80

This connects from your computer to the sshd server on port 22, listens on local port 4444 and forwards to your proxy running on port 80 on 127.0.0.1 on your server (-N runs no remote command and -f puts ssh in the background once the tunnel is up). Once that has been done, just change your browser proxy settings to connect to 127.0.0.1:4444.
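The configuration below is an added example, not the post’s own config, showing the same loopback-only forward proxy with the client restriction written out explicitly, so that a later mistake (say, adding a public Listen address to the same server) would not turn it into an open proxy. It assumes Apache 2.4 (the Require directive) and a log path of my own choosing.

```apache
# Added example (assumes Apache 2.4). Forward proxy reachable only from the
# server's own loopback interface, i.e. only through the SSH tunnel.
ProxyRequests Off

Listen 127.0.0.1:80

<VirtualHost 127.0.0.1:80>
    ProxyRequests On

    # Belt and braces: even if this host were ever bound to a public address,
    # only clients whose source address is the local machine may proxy.
    # Anyone else receives 403 Forbidden.
    <Proxy "*">
        Require local
    </Proxy>

    # Keep a log so you can confirm every proxied request really came from
    # 127.0.0.1 and nothing else is riding along.
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /var/log/apache2/proxy_log common   # path is an assumption
</VirtualHost>
```

After reloading Apache, check the log while browsing through the tunnel: every entry should show 127.0.0.1 as the client address. A request from any other address hitting the proxy would show up here as a 403, which is the signal that the Listen or firewall configuration has drifted.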

Your setup will go from looking like this, where your data is being sent over an insecure wifi connection:

A normal browsing using a WiFi enabled laptop

To this setup, where your data is encrypted via a tunnel and passed to a server that is connected to the internet:

Browsing using an SSH tunnel and Proxy server via WiFi

Now your crummy wifi connection is a little bit more secure (for all requests sent over the proxy, at least)…

Disable google translate

Friday, September 25th, 2009

Got a problem with dodgy users from obscure countries causing havoc on your website? I recently noticed a huge number of people using Google Translate to access a website. If you want to prevent people from using Google Translate on your website you can add the following tag:

<meta name="google" content="notranslate" />

inside the head section of your HTML page. Users don’t seem to get an error message from Google; it just gives them a blank screen instead of their translated page.

Detecting a fake email address using Markov chains

Saturday, August 22nd, 2009

Markov chains are a set of states where each state depends only on the previous state. They can be used to generate “real-looking” words from a given set of text. By the same method we can decide whether a string is a valid word or a load of garbage by assessing each letter and the letter that follows it in the word. If the probability of letter N+1 coming after letter N is very small, then we can probably say that the chance of the string being a word is very small.

When users sign up with a fake email address they tend not to put much thought into the name of the email. Something like sdfjsldkf87we@example.com is a good example. To filter these email addresses out we can take a dictionary, calculate the probability of the next letter (N+1) given the previous letter (N), and compare this to what we observe in the fake email address. If the probability of the next letter is repeatedly low then we can say that the email address is probably fake.

My algorithm scores each email, giving it a point each time a letter N+1 should never come after letter N, and reducing the score by 1 for every 12 characters in the email address. This additional check helps to reduce the number of false positives. I only check the initial part of the address, that is, the part excluding the @example.com.

You’ll probably wonder how the code deals with non-alphanumeric characters. I just strip them out and convert the whole email to lower case. There is probably a better method for doing this, but my existing system seems to work quite well. The table below shows my algorithm running on a few sample email addresses. I consider an email with a score of 3 or more to be dodgy.

E-mail Score
phil.hilton@markov-email.com 0
bill.gates@microsoft.com 0
sdfioghsjfkg@gmail.com 3
tracy93@wow-markov.net 0
pzrjmt@yahoo.com 4
gquixdmd@yahoo.com 3
svcmgr1461@yahoo.com 3
hjjjh_hjjh@yahoo.com 7

This method isn’t fail-proof, but it is pretty good at detecting bad email addresses, and you could use it along with additional checks on the user’s account to detect fraudulent activity. There will be some false positives, mainly with people who use email addresses which rely heavily on their initials, and I’m sure it’s only a matter of time before the people committing the fraud start using Markov-compliant email addresses.

Download my code. There are 2 main files: markov.php, which contains example code, and markovChain.dat, which contains a pre-calculated Markov chain.
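The script below is an added example written for this post; it is not the author’s markov.php and does not read markovChain.dat. It builds the letter-transition table from a small constructed word list embedded in the file (a real run would use a full dictionary), then scores addresses with the rules described above: one point for every letter pair that never occurs in the training words, minus one for every 12 characters of the address, and a verdict of “dodgy” at a score of 3 or more. One detail the post leaves open is how digits are treated; the assumption made here, and marked in the code, is that pairs involving a digit are simply not scored, since a word list contains no digits. Function names and the sample addresses are my own.

```php
<?php
// Added example, not the author's markov.php. Scores the local part of an
// e-mail address by checking each letter pair against pairs seen in a word list.

// Constructed training words; a real run would load a full dictionary.
const TRAINING_WORDS = [
    'phil', 'philip', 'hilton', 'bill', 'william', 'gates', 'tracy', 'mark',
    'john', 'jane', 'smith', 'jones', 'david', 'sarah', 'service', 'manager',
    'markov', 'email', 'chain', 'letter', 'probability', 'account', 'user',
];

// Lower-case and strip everything outside [a-z0-9], as the post describes.
function normalise(string $text): string
{
    return preg_replace('/[^a-z0-9]/', '', strtolower($text));
}

// Record every letter pair (N, N+1) that occurs in the training words.
// The result is $seen[$first][$second] = true for each observed pair.
function buildTransitions(array $words): array
{
    $seen = [];
    foreach ($words as $word) {
        $word = normalise($word);
        for ($i = 0; $i + 1 < strlen($word); $i++) {
            $seen[$word[$i]][$word[$i + 1]] = true;
        }
    }
    return $seen;
}

// The part before the '@'; the post scores only this part.
function localPart(string $email): string
{
    return explode('@', $email, 2)[0];
}

// +1 for each pair never seen in training, -1 per 12 characters of the whole
// address. Assumption (not stated in the post): pairs containing a digit are
// skipped, because the dictionary cannot have taught us anything about them.
function scoreEmail(string $email, array $transitions): int
{
    $local = normalise(localPart($email));
    $score = 0;
    for ($i = 0; $i + 1 < strlen($local); $i++) {
        $a = $local[$i];
        $b = $local[$i + 1];
        if (ctype_digit($a) || ctype_digit($b)) {
            continue;
        }
        if (!isset($transitions[$a][$b])) {
            $score++;
        }
    }
    return $score - intdiv(strlen($email), 12);
}

// The post's threshold: 3 or more is dodgy.
function isDodgy(int $score): bool
{
    return $score >= 3;
}

// Constructed sample addresses in the spirit of the post's table.
$samples = [
    'phil.hilton@markov-email.com',
    'bill.gates@microsoft.com',
    'sdfioghsjfkg@gmail.com',
    'tracy93@wow-markov.net',
    'pzrjmt@yahoo.com',
    'hjjjh_hjjh@yahoo.com',
];

$transitions = buildTransitions(TRAINING_WORDS);
printf("%-30s %5s  %s\n", 'E-mail', 'Score', 'Verdict');
foreach ($samples as $email) {
    $score = scoreEmail($email, $transitions);
    printf("%-30s %5d  %s\n", $email, $score, isDodgy($score) ? 'dodgy' : 'ok');
}
```

With only a couple of dozen training words the table of allowed pairs is sparse, so ordinary names can pick up a point or two and the absolute scores will not match the post’s table; the shape of the result (random strings well above the threshold, real names near or below zero) is what to look for. Scores can go negative for long addresses because the length credit is applied unconditionally, which is harmless given the threshold. Swapping TRAINING_WORDS for a real dictionary is the only change needed for production-quality scoring.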