Bipin's experiments with life, society, programming, hacking, & other stuff
Those were the days when I used to be a Apple fan.
aah.. the harsh reality that they produce nothing more than crippled products at sky-high prices.
Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.
I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I, now, have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion for a Risk Assessment Model for a Banking site. This model had to be focussed on Two Factor Authentication and Phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more in this pretty soon.
Secondly, Peter Thomas (one of my amazing Bosses), forwarded me the link about the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the Phishers ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement the first time you discovered your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast majority of user-base Google has. Obviously, his concern isn’t without reasons.
As I mentioned Swen informed me about the shiny phish called GoogleSurvey. It presents you a page that looks completely similar to the Google Login page and requests you to login in order to complete the survey. If you login, you are presented with 3 questions on by one. At the end you are thanked for completing the survey.
The Google Survey Phish isn’t sophisticated y ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap Phishing Kit. However, it’s really interesting to understand how it works.
The first page the you encounter while analyzing is http://www.googlesurvey.co.nr/, which I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The google mail look-alike page is alike page is actually located at http://googlesurvey.99k.org/. http://www.googlesurvey.co.nr/ only frames the page at with 100% width and 0px border.
Another interesting point to note is that the phisher used a free hosting service http://www.zymic.com/free-web-hosting/. Thus, theoretically he/she cannot be traced. Not via the hosting service, at least. 🙂
Now, when you enter your id and password, the data is sent to a php script on the server located at http://googlesurvey.99k.org/LoginAuth.php. Quite obviously, this script stores/mails your credentials for someone who’s not a very pleasing person.
The world of Phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malign would be tempted to this farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can setup your very own phishing portal, sometimes even without a phishing kit. The domain I’ve setup has the following flaws (introduced to prevent me getting screwed by some half-witted law enforcer) :
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.
I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.
It’s almost impossible to prevent users from getting Phished. People will continue to click on links they receive in their inbox and </sarcasm> proceed to win an ipod </sarcasm>. Reducing phishing requires a number of things to be in place -sensible developers, well informed end user, smart browsers with phishing aware features (IE7, Fx2 etc.), a few toolbars like NetCraft to be installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phshing. I mean how do you save a person who doesn’t even know that such a kind of fraud exists.
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. 🙂
A new array syntax has been proposed (for quite some time) for defining arrays in PHP. Currently, we use array() construct to create an array. Some examples could be:
$myArray = array(1, 2, 3, 4, 5);
$yourArray = array(1 => “one”, 2 => “two”, “three”);
$herArray = array(1, 2, 3, array(4 => “four”, “five”));
The proposal is to use square brackets ( [ ] ) to define an array. If passed, we would be able rewrite the above examples as:
$myArray = [1, 2, 3, 4, 5];
$yourArray = [1 => “one”, 2 => “two”, “three”);
$herArray = [1, 2, 3, [4 => “four”, “five”]];
There’s a good deal of discussion going on in the internal mailing list with almost equal number of people voting “for” and “against” it. Rasmus, isn’t not very supportive, yet has voted for the new proposal.
To be pretty honest, I am still not very sure if it’s going to be worth the trade-offs.
Anyhoo! Let’s wait and watch. 🙂
Yahoo! launched it browser based media player written in javascript. All you have to do is link the javascript code (located at http://mediaplayer.yahoo.com/js) in a web page having links to audio file(s) .
Although it takes a while for the “player” to load completely, yet I am pretty okay with it (for now). Moreover, it’s in beta. I, however, sincerely hope that it doesn’t follow GMail beta path. urghh!
Check back again in a few hours. I’ll posting a demo of the player on my portal. A demo is here. The demo would have This demo has a special meaning for the Indians of my age (or older than) because the songs I’ll be using will be the one we all grew up with, viz. Jungle Book, Mile Sur Mera Tumhara, Baje Sargam, Byomkesh Bakshi, Malgudi Days, Surabhi, Tipu Sultan & Mahbharat. 🙂
Special thanks to Madhav for sharing them.
It brings me immense pleasure to inform you that w3af (web application attack and audit framework) has been named the Best Application Scanner in BEST IT Security and Auditing Softwares 2007 list prepared by Security Database. 🙂
I had mentioned in a few previous articles that I see immense potential in w3af. I must, however, also admit that I wasn’t hoping something like this to happen so quickly. I am glad I was wrong 🙂
Hoping that more people contribute to the project, and wishing that I get some time to make a few w3af dedicated posts (preferably targeted at developers), at least.
Have a great year ahead.