2009-01-29

TwitterFox Easy To Hack

Twitter is a very popular social networking site, which has already been in the news in the recent past for its inherent security weaknesses. If that wasn't enough, there also exists a security flaw in TwitterFox, which is a popular Firefox plugin that users use to quickly and conveniently send and receive messages from Twitter. At the time of me writing this article this plugin has been download over 1.1 million times, from addons.mozilla.org alone..!!

Unfortunately, TwitterFox is not too secure. Every time a user wishes to refresh his/her messages, the plugin sends the User ID and Password unencrypted to the server. The plugin only uses Basic Access Authentication Method, which as detailed below, is as good as communicating in plaintext.

Hence, if a hacker manages to capture the data-packet that is sent over by your browser to the Twitter's server, your credentials can easily be compromised. All the attacker needs to do is setup a sniffer on your network, which isn't too hard if you are on your office or college network, or do a simple MITM attack.

Now most of the users (like myself) use common passwords over multiple accounts. Hence, an attacker could even manage to gain access to much more than the user's Twitter account.

My advise - Stop using TwitterFox, at least till the time we have a more secure version of this plugin.


Here is the Proof of Concept for this vulnerability:

(1) At regular intervals (or when explicitly requested by the user), TwitterFox sends a request to the server for any new messages that this user may have received after the last sync

(2) This request contains the user's login credentials that are sent over using Basic Access Authentication Method. This protocol is NOT a security protocol and does not provide any security whatsoever. (For further reading check Wikipedia entry on Basic Access Authentication)


(3) There are a number of desktop and even web based tools available to convert this captured string, which is Base64 encoding, to plaintext. One of the web based tools is available here.

2009-01-24

Recommended Software: Regshot

We all know how messy the Window's Registry is. It could cause your system to slow down, crash or even stop booting up completely.

Regshot is a light-weight, open-source utility that can take snapshots of the registry and compare it with another clean snapshot taken at an earlier stage, when the system was known to have been working properly.

This could come in handy while investigating issues that come up after the installation of a new software, or just to know what happens behind the scenes. From a security perspective, it is a handy tool to keep an eye on your registry and be forewarned in case a virus or a trojan messes up your machine.

Grab your free, portable copy at: http://sourceforge.net/projects/regshot/

2009-01-22

Is Someone Reading Your Emails?

Would you get to know, if somebody hacks or guesses your email account's password? What if the hacker logs on to your email account, reads your emails and then logs off without making any obvious changes? Is there any way to catch this type of an attack?

Here is a very interesting article that tells you not only a way to know if somebody has been snooping over your emails, but can also capture the intruder's IP Address.

Are you Sure your Email isn’t being Hacked?

2009-01-15

Phishing Attacks Targeting Experienced Users

Looks like phishers are getting even more sophisticated and determined. This latest attack requires the user be logged into their (lets say) bank website, when they access the attacker's website. They are targeting experienced users, who may not necessarily get fooled by the traditional phishing attacks.

2009-01-14

TOP 25 Most Dangerous Programming Errors

The first step of Info Sec, is always to secure your app's at the code-level. Developers and Coders should always make sure they do not leave any vulnerabilities in their programmes. SANS has come up with a list of 25 common programming flaws. A must read for everyone related to Software Development Life Cycle.

Update: Now Gary McGraw has released an article, giving 11 reasons why these type of lists do not work in real life. Hmmm, I guess this is like the usual cat-and-mouse game..!!

2009-01-13

Top 10 Myths

Came across an article written on FinanceTech that talks about some popular Info Sec myths. Pretty interesting, considering my blog (almost) has the same title as their write-up..!!

The Top 10 Information Security Myths

Password Sniffing

Wanna learn how hard it is to sniff passwords traveling over your network in clear text? Not hard at all, takes under a minute to do this attack. All that needs to be done is ARP Poisoning, and a simple Man In The Middle Attack (MITM) is accomplished..!!

Take a look at the IronGeek's video. For some background details, take a look at Wikipedia's entry on Arp Spoofing.

2009-01-09

Twitter Under Attack

Twitter, a popular social-networking site, has been the recent target of some phishers.

Twitter accounts of a number of celebrities, including Britney Spears and Barack Obama, also got hacked. Earlier the rumors were that this hack was accomplished with the help of the fake (phished) website. However, later twitter officials confirmed that a hacker managed to get into one of their admin-tools and hence was able to get access to these accounts.

SSL Certificates - Who To Trust?

StartCom tells us about the Certification Authorities (CA's) that we should steer away from.

Untrusted Certificates


Well, Comodo isn't the only CA who is in trouble. The certificates issued with a MD5 hash may not be too reliable as well.

MD5 collision creates rogue Certificate Authority

Update 16-Aug-2013:
Microsoft finally takes a decision to block MD5 certs

Bypassing Anti-Virus Softwares

Irongeek explains how easy it is to fool Anti-Viruses and sneak malwares, trojans or viruses to a victim (using Metasploit).

Bypassing Anti-Virus with Metasploit

Biometrics - A Dependable Authentication System?

Bruce Schneier talks about the pros, cons and challenges of Biometrics.

Tigers use scent, birds use calls – biometrics are just animal instinct