Monthly Archives: November 2009

My belief: 70% of websites are vulnerable

When I was searching for a ticket in nationalrail.co.uk website, I suddenly found an XSS and also a SQL Injection vulnerabilities in it.

I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.

However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!

Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.

Cheers,

Soroush

Travian Game Vulnerabilities in progress…

3 weeks ago, I sent an email about some small but effective vulnerabilities in Travian online game to its providers. By using these vulnerabilities a player can make several accounts by the same email address (because of a logical flaw), and also, he/she can login to other players’ accounts (by using an XSS vulnerability which is completely proved).

Now, I’m still waiting for their final response as I don’t want to be harmful for them!

How to stop hardware key-loggers

Nowadays new generations of hardware key-loggers are emerged, and unfortunately attackers are using them intensively to steal the keystrokes of users. These key-loggers are OS independent and are in different shapes. They are even capable of stealing the BIOS password. Most of them look like a convertor for PS/2 and/or USB to PS/2 and/or USB (Fig. 1). Besides, some of them are chipsets which are embedded in the keyboard itself (Fig. 2). And others use electromagnetic features to steal the keystrokes which are put around the wire of the keyboard or work remotely by capturing the frequency spectrum of the keyboard communication[1]. The problem is that these hardware key-loggers have become very cheap and simply available[2]. Moreover, there are some free articles about how to make their circuits[3].

Simple Hardware Keyloggers

Figure 2. Embeded Hardware Keylogger

So, how can we stop it if we could not remove its hardware from our computer or there is a danger of electromagnetic key-logger?

The first and the simplest idea is using an on-screen keyboard and click on it by using a mouse. However in order to get the best result, this on-screen keyboard should be dynamic in order to prevent a hardware key-logger for the mouse itself, which captures the mouse movements and its clicks. Another way is using encryption between the keyboard and its driver. For instance, there is no doubt that by using TPM and having strong encryption methods between keyboard and motherboard (or OS itself), the keyboard can encrypt the keystrokes before sending them to the computer. But, I want to be more initiative. Another idea can be using an optical-dynamic keyboard device which shows a keyboard on your desk or on your palm, and you can touch it in order to press a key (Fig. 3). There is also an application which claims that it can detect a hardware key-logger, but I have not tried it yet and I think it is still possible to hide a hardware key-logger completely from the OS.

Figure 3.

Figure 3.

This text is completely based on my own idea, so please respect the copyright.


[1] http://keznews.com/4985_Researchers_hack_wired_keyboards__hijack_keystrokes

[2] http://www.google.co.uk/products?q=hardware+keylogger

[3] http://derek.chezmarcotte.ca/?page_id=24

.

So, how can we stop it if we could not remove its hardware from our computer or there is a danger of electromagnetic key-logger?

The first and the simplest idea is using an on-screen keyboard and click on it by using a mouse. However in order to get the best result, this on-screen keyboard should be dynamic in order to prevent a hardware key-logger for the mouse itself, which captures the mouse movements and its clicks. Another way is using encryption between the keyboard and its driver. For instance, there is no doubt that by using TPM and having strong encryption methods between keyboard and motherboard (or OS itself), the keyboard can encrypt the keystrokes before sending them to the computer. But, I want to be more initiative. Another idea can be using an optical-dynamic keyboard device which shows a keyboard on your desk or on your palm, and you can touch it in order to press a key (Fig. 3). There is also an application which claims that it can detect a hardware key-logger, but I have not tried it yet and I think it is still possible to hide a hardware key-logger completely from the OS.

This text is completely based on my own idea, so please respect the copyright.


[1] http://keznews.com/4985_Researchers_hack_wired_keyboards__hijack_keystrokes

[2] http://www.google.co.uk/products?q=hardware+keylogger

[3] http://derek.chezmarcotte.ca/?page_id=24

How to prevent phishing attacks? ‐ In 3 Pages ‐

In only 3 pages, I tried to explain Phishing attacks and prevention methods. Although there are some books about this topic, I tried to do my best in 3 pages only! :D

I hope you enjoy :)

Click here to download this mini-article!

Cheers,

Soroush

Finding vulnerabilities of YaFtp 1.0.14 (a client-side FTP application)

Abstract: In this report we are going to find the vulnerabilities of YaFtp program, a client-side FTP application, and we are also going to suggest some mitigation methods. This process will be performed by using a specific plan which plays an important role in finding the security issues and analyzing the program. First of all we must understand the problem and gather the information which is related to this program. In fact, gathering the information is the most important phase in finding the vulnerabilities which clears the problem for us. In the next phase, model of the application will be drawn. Then, possible vulnerabilities will be discussed and we will draw two possible attack trees for YaFtp program. Finally, by using some automation tools and also manually, we will find the vulnerable candidate points, and we will investigate them to find the vulnerabilities. To summarize, 9 important vulnerabilities were found in this report. And, there are some solutions and suggestions in the last section of this report for developers of this application.

Click here to download the PDF file.