Thursday, August 12, 2010

Sony Vaio Function (Brightness) Keys cause trouble with Windows 7

Recently, I have had to upgrade my Sony Vaio machine from Vista to Windows 7. Partly because Vista was awfully slow and had, of course, the infamous high crash rate. I bought my Vaio model in Europe (a VGN-SR4 series). I decided to perform a clean install for Windows 7, including the desired drivers for the model. After successful installation of the drivers, some of the function keys stopped working. Now, I wasn't able to change the brightness of my display with the use of the Fn + F5/F6 Keys. You can stop reading further if it doesn't bother you that much, but I found it highly irritable to always have to change the brightness through the display brightness settings. Additionally, imagine when you have to change the brightness that often (which I do). Damn, now how to solve the issue?

Sony Vaio Fn Key Win7, Brightness Fn Key not working with Win 7, Vaio Keys stop working and many others suggest varied order for utility/drivers installation to fix the issue. However, the concern here is that my Sony Vaio model (and I assume many other European models) doesn't have the Sony DLL Utils or the Notebook Utilities drivers. Bummer! Don't worry. You can still fix your Fn Key issue. In case yours is a European (or even any other) model and doesn't have the above mentioned drivers, carry out the following steps to solve the Vaio Fn Key problem in Windows 7:

(Note: It is always advisable to create a restore point after successful reboot and rollback to the desired state when you want to uninstall a driver. Many times, simply uninstalling the utility screws up the entire process and things may get awry)
  1. Follow the steps 1 - 4 according to Sony Fn Key and Win7.
  2. Install the following drivers/utilities in the exact same order as mentioned below:
    i)
    Vaio Event Service
    ii) Reboot
    iii) Setting Utility Series
    iv) Reboot
    v) Sony Shared Library
    vi) Reboot
    vii) Power Management
    viii) Reboot

Saturday, March 20, 2010

Wiseguys accused of defrauding online ticket systems: hacking the CAPTCHA mechanism

I am currently pursuing my "Master Thesis" and thought that this piece of work, also a part of my thesis (Working Title: Web Application Attacks: Modeling), was worth sharing.

Background
Recently, Wiseguys were accused of hacking into the ticket vendors' websites committing a fraud of more than $25 million. According to the 43-page Indictment, released early March, the Wiseguys were operating under the names Wiseguys Ticket, Seats of San Francisco, Smaug and Platinum Technologies, among others, to buy more than 1 million tickets online through automated mechanisms for re-sale.

Various online ticket vendors such as Ticketmaster, Telcharge, Tickets.com, Musictoday and many more were using CAPTCHAs and Proof of Work mechanisms to prevent automated HTTP Bots from buying tickets and hence providing a fair means of selling the tickets online. However, the Wiseguys circumvented their security mechanisms to earn themselves a huge profit by capturing the tickets as soon as they came out online and reselling them to the brokers at higher prices.

Let us dive into the technical details. So, how did all this work? Based on the 43-page indictment and the nj.com resources I have drawn a general work flow of the web attack and highlighted a few details worth noticing.

Outline
Wiseguys used a widely distributed network of computers that were running bots, which were used to automate the online ticket purchasing process.




Figure 1: Wiseguys Web Hacking: Automated Ticket purchasing using bots



In the Figure 1, the red arrows denote automation. Once the bots defeated the CAPTCHA, they were granted access to the ticket purchasing webpage and ,again using automation, purchased millions of tickets in a few seconds. The bots would monitor the websites and seize the tickets as soon as they were offered online. They would then select the best ones from the seized lot and release the others back into the pool of available tickets. A point worth highlighting here is that during the entire time the tickets were seized by the bots, they were rendered unavailable to the public to as to prevent valid customers any opportunity of buying the good tickets.

Security Mechanisms in place by the Online Ticket Vendors
The online ticket vendors such as Ticketmaster, Telecharge, Musictoday, etc. employed various security mechanisms on their websites so as to ensure fairness and prevent bots to access their online purchasing feature.

These mechanisms included, but were not limited to, the following:
  1. CAPTCHA: CAPTCHA, Completely Automated Public Turing test to tell Computers and Humans Apart, was one of the technologies used to prevent bots from accessing their websites. As of the latest, the online ticket vendors used the ReCAPTCHA service to employ CAPTCHAs.
  2. Additionally, they used Proof of Work mechanisms to combat and slow down the bots that were attempting to purchase large volumes of tickets instantaneously.
  3. They would block IP addresses that seemed to be using bots for automated purchasing of tickets.

Attacks Mechanisms by the Wiseguys
The Wiseguys, successfully, circumvented the security mechanisms that were put in place by the online ticket vendors. Their attacks techniques included, but were not limited to, the following:
  1. They were running bots on thousand of computers from across a nationwide distributed computer network that they deployed to perform bulk automated-purchasing of the tickets. Refer to the Figure 1.

    1. The bots would monitor the online ticket vendors' websites and as soon as the ticket offers came online they would open simultaneous connections from across the distributed computers.
    2. The bots would defeat the CAPTCHAs and Proof of Work mechanisms to gain automated fast access to the virtual queues for purchasing the tickets as opposed to a few seconds that an average human would use to solve the mechanism's challenge. In case of CAPTCHAs, the online ticket vendors were using the ReCAPTCHA service which was also being used by Facebook. Following are the steps in details for defeating the CAPTCHAs:

      1. The bots impersonated as would-be Facebook users and downloaded thousands of ReCAPTCHA service's CAPTCHAs from Facebook
      2. OCR, in case of visual CAPTCHAs, and Human Labor, in case of audio CAPTCHAs, were employed to break the CAPTCHA and get the answers to the challenges
      3. A large backend database was created where the FileIDs and the Answers were stored persistently
      4. As soon as the bots connected to the online ticket vendors websites, before being able to successfully purchase the tickets, they were greeted by the CAPTCHAs to prove themselves as humans. The bots would access their database and would answer the challenge in a fraction of a second. Upon successful validation of the answer to the CAPTCHA challenge, the bots were then granted access to the purchasing page.
    3. The bots were programmed to intentionally commit errors sometimes, so as to make the automated process appear human in nature.

  2. The Wiseguys purchased thousand of IPs (IP bank) so as to create an illusion of different individual customers
  3. They would also lease servers anonymously so as to use "watchers"(that would monitor the online ticket vendors websites) in a hidden manner and prevent them from being detected by the online ticket vendors
  4. They even seemed to have been using certain mechanism so as to bypass the "verification" page entirely and get direct access to the "purchasing page"


Monday, February 8, 2010

Ixquick Web Search and Proxy Server

I came across this search engine Ixquick that claims to be the world's most private search engine. It claims to have been awarded the European Privacy seal (valid until 2010-07 Ixquick protects your Privacy). You can read it's privacy policy here.

Hmmmmmm Ok!!! However, as many of us use Google as the primary search engine including me, I thought of using ixquick myself for a while to experience its functionality, ease-of-use and relevance of the results to my searches. Following is just an overview.




Ixquick provides an option of including Yahoo, Bing, Wikipedia and other common search engines. I found the search results quite relevant wrt the search keywords, meeting up to atleast a minimum relevance performance I experienced with other search engines. I found the UI to be quite friendly to use. The incorporation of search options for Web, Phone, Video and Pictures keeps it comparable to other search engines' minimum functionality.

To install it as a plugin simply click on "Add ixquick to your browser". See below:




Ixquick also provides a proxy server. Even though ixquick provides you complete privacy, once you click on one of the search results, you are directed to a different server outside the domain of ixquick. Thereupon, you IP Address may be recorded. However, ixquick provides you to click on the "Proxy" link (available below every search result) to open the result throught the ixquick proxy server.




All your HTTP requests/responses are directed via the ixquick proxy providing you the same privacy it claims to offers. It opens the page in a frame and an ixquick header still shows on your page to inform you of the same.




However, this ideally slows down the speed a little. I personally found that speed wasn't much affected as compared to the problem of Javascripts being blocked and hence many of the buttons not working, etc. Proxy option worked out good for me for various searches as my main aim usually while searching is to read articles, papers, journals which do not require javascript to be enabled all the time. However if you are searching for the new link to your Online Bank site you may want to avoid using the Proxy Option. You can unproxy the link anytime you want.




Have fun ixquicking. I would be interested to hear your responses about your experience with it.

Friday, January 29, 2010

Google Verification Phishing Scam

Hi all,

Today I received a funny email about google account verification, that it claims to come "allegedly" from the GMAIL TEAM. What crap? Look below:



So the attacker really thinks that we are dumb enough to believe that? If you get such an email report it as phishing. Look at the header information in the enlarged pic below. You will judge for yourself. :)

Thursday, January 28, 2010

Privacy: Where would it stand ahead?

We have been hearing so much about privacy and privacy concerns. We thought we owned the right to privacy. Didn't we? Not anymore, right? Things are changing. The business seems to have taken the right to our privacy whether we want it or not. Where are we going with it? How do you think this would effect our lives in future? Here, I would like to share my own opinion and to listen to yours. I would like to mention that this is just my personal opinion and does not claim to anything.

Google, and I believe many others, may be not to that same extent, seem to know a lot about us. What you searched for, the medical history, the love affair(s), the not-so-romantic letters to the ex, where you live, and much more. Before IT security became so technologically revolutionized and publicly available, we didn't care much about privacy. We took it as a by-default owned commodity. May be we heard something about Bill Clinton. But he is famous. Some of us thought, "Oh well, being a citizen I should have the right to know what are the morally-(un)justifiable things our President is related with".

Initially may be only NSA knew about the common people. Now the (in)security parameter has shifted to include Google, Facebook, etc. knowing (storing) much about us. As technology evolves further, I believe, privacy will be a much bigger concern and information about us would be much easily publicly available than before. However, how much of an impact would that have on our lives? One might think, well may be not much if you are Mr. XYZ whom only a handful of people know or even if you are the prom king and the entire school knows you. But what if you ran a business with thousands of employees looking up to you. Privacy is dear to everyone and should be, to the very least, of equal importance with respect to anyone, no matter how (in)sensitive the information may seem towards exposure.

Privacy is a delicate issue. A not-so-popular guy would be more helpless and might be way more devastated by his secret been revealed than the CTO of a big company, even though the reciprocal may usually be perceived to be true. The intensity of the concerned issue and the approach towards it matters. Then why is our own perspective towards privacy changing? Even though we complain about our privacy being handled in a "regularly-monitored and easily-stored" manner, we still stand head-bowed in front of the technology as it evolves.

It would not be favorable if we'd adapt, against our will, to the changing technology. Even if we did, we might be forced to throw away our then-critical concerns, though at a large cost of having new concerns corresponding to the now-new technology.

Monday, December 28, 2009

Web Application Security Podcasts

Recently my passion for web application security has increased manifold. With so much happening so fast, time is always short. I brought a new ipod shuffle just to listen to various security podcasts, interviews of security/tech experts, etc. to stay "flexibly" in touch with security while mobile.

Here are a few of those I listen to and find really nice. I haven't assessed them and its just my own opinion. Any further additions/comment/suggestions are always welcome.
  1. OWASP Security Podcast
    organization: OWASP
    rss feed: OWASP Security Podcasts RSS
    hosted by: Jim Manico from Aspect Security

  2. MightySeek Podcast Postings
    organization: NT Objectives, Inc.
    rss feed:
    hosted by: Dan Kuykendall

  3. Imperva Security Podcasts
    Podcasts by Imperva range from Data Security to Cloud Computing to Saas but also include WAF, Web Application Sceurity, etc.
    organization: Imperva Inc.
    podcast link: Imperva Security Podcasts

  4. Cenzic Podcast Series on Application Security Mythbusters
    organization: Cenzic
    rss feed: Cenzic Security Podcasts RSS

  5. Silver Bullet Security Podcasts
    Security Podcasts by Cigital are not specifically targeted to Web Application Security but cover various aspects of Security
    organization: Cigital, Inc.
    rss feed: Silver Bullet Security Podcast RSS
    hosted by: Gary McGraw

Saturday, December 19, 2009

How to add or remove an underline for links in Blogging Post

Login to your account. Go to Layout > Edit HTML.
Search for a:link (Tip: Use Ctrl + F)
You will see a similar code there as:

a:link {
color:$linkcolor;
text-decoration:none;
}
a:visited {
color:$visitedlinkcolor;
text-decoration:none;
}
a:hover {
color:$titlecolor;
text-decoration:underline;
}

The above code specifies that there is no underline as dictated by text-decoration:
text-decoration:none
Here none specifies "No Underline". To add underline simply change the command to:
text-decoration:underline

If it was originally underlined simply change it back to, yea you guessed it right ;)
text-decoration:none