I came across this which reminded me of a story some time ago. I get a call from a guy asking for help. Someone from his company was leaking personal data. The problem, beyond the personal data, was who was the leaker.
A Greek company is hiring. Hooorayyyy. They want an HTML/PHP/MySQL registration form. A friend of mine sends his CV along with the registration form. They contact him and schedule a presentation of the form with their chief PHP developer.
The correct approach for this post is swearing, kicking trashcans around the room and in general bringing total chaos. OK, I did most of the things described above.
The most important aspect of security is inspecting that everything works as it should. If people inside your organisation don’t have distinct duties, you are going to get screwed really quick.
During the Greek riots of May 2010, someone threw petrol bombs (a/k/a Molotov cocktails) inside a bank. The bank caught fire and three people died. More info about that here. The trial took place in 2013, because of a faulty security policy.
I’m about to recycle some thoughts that derive from the NSA incident and the Greek economic crisis. For the NSA part I guess you already know what’s going on; in a nutshell, the NSA is able to wiretap pretty much anyone. For the Greek economic crisis part, although what I am about to say is just a small fragment of what’s going on, it is still valid.
Radio bubble is an independent media community from Greece, mostly empowering citizens to become journalists as things happen, spreading culture and information. Through a variety of means (web radio, Twitter, blog etc.) they inform citizens of what’s going on. For example, the hashtag #rbnews is used widely during Greek demonstrations to report what’s going on. Beyond that, they issue a magazine with poems and stories from various bloggers and they organise music events with some cool bands from time to time. They’ve been active for quite some time now and they need our support. If you have money you are willing to spend, then you can go here and support them.
You can find more about radio bubble here.
From time to time, I audit applications. All these years of auditing source code, reversing or simply guessing, I came to certain conclusions that I am about to share with you.
- Software engineers don’t care about security
- Software engineers tend to make mistakes
- They tend to make the same mistake in many places
- Go to assumption 1.
That’s it. Four simple rules that are mostly generalisations but they reflect reality in a lot of cases.
With that in mind, if I have enough time to check for vulnerabilities, I check how the particular software engineers tend to develop things. I don’t go into too much detail on the technical aspect (i.e. does he use a framework) but I spend a lot of time watching how he handles a problem he has, how often he debugs code, how often he or someone else runs tests, and finally I have a conversation regarding security. 90% of the time, the software developers will mention that they know about security and that they take countermeasures to avoid vulnerabilities. 80% of them have no idea about security, yet they’ll try to convince you that they do.
Today I was auditing the source code of a web application. The developer was presenting me his source code, which was mostly bad code, and suddenly he says “I take extra care of GET parameters passed to the application”. Being provocative I asked “Why not POST as well?” “It is easier to put shit in GET parameters than in POST”, and suddenly my face was like “OH REALLY? LEMME SHOW YOU”. I started to explain to him that when a user gets a response from a webserver, it is because the user contacted the server, and since this request comes from the client side it is possible for the attacker to change POST, GET, COOKIES, even HTTP headers. And here comes the magic. He didn’t care; he tried to evade the question by showing me the same web application with AJAX requests. Eeermmm… Allow me to show you a neat trick: “+AND+1=0/*”. You are a cool programmer etc., but I didn’t want to end up there mate. Even the best programmers make mistakes, you are not the best, just stop wasting my time and fix your bug.
Dear software engineers, when your company brings in an auditor for whatever reason, they bring in an auditor, not a cop. Act accordingly and please bear with us, we appreciate cooperation more than you think.
Long story short, I found the entrance to Google’s Moma. In my opinion, I shouldn’t know that. I also found the Google employees’ login page as well. I am still missing the valid credentials/exploit/bypass/do-something-beyond-getting-hired-to-see-what-a-Googler-sees, but hopefully some day I’ll be able to check what is beyond their entrance.
The problem is not what I found out but how I did it. I found out about this domain because of this video. Check the url shown in the video 😉
And then I ended up here. They use two-factor authentication, a password and an OTP (not pad, One Time Password 😛). I think his handle is nlevin because of this url (check the URL 😉).
That’s all. Google PRETTYYY PLEAAAASE WITH SUGAR ON TOP ALLOW US TO SEE WHAT’S BEYOND THE ENTRANCE OF YOUR INTRANET.
me iz out.