Friday, August 18, 2006

Cracking some, Securing others...

It seems that I am spending too much time and energy talking about stuff in other blogs that I don't take care of my own. Well, I'm not sure anyone else is reading this anyway so I guess it's cool :P


You VS Phishing

To begin with, here's an interesting post on managing security between producers and consumers. It is about Phishing and how it is certain that anything a user has to type in as authentication can be extracted from him/her one way or another. What security experts should be doing is stop trying to educate the users and start increasing security on the company's behalf. Social Engineering (that's what phishing really is) manipulates people and that is something we cannot deal with once and for all. And since we acknowledge that the weakest link is always the human, our efforts should focus on taking him out of the equation.


Yet Another XSS Issue

On the XSS frontier, according to this it is possible to enter specific ASCII characters in some web page which, when next to each other, form expressions or delimiters that can shape the code underneath. That way a user entry may place malicious code outside an tag but withing the realm of the HTML tag. This is so crazy my head is going to explode. No, it's not because I find it difficult to understand or anything. It's just that this stuff attack technologies like HyperText Media Language that are considered above suspicion and are widely used. Exploiting this automatically produces a number of victims equal to the Internet population.

So... let me get this straight, a problem so big that can affect the entire Internet but so obfuscated that cannot be seen and if seen cannot be realised. Everyday activites like opening HTML encoded e-mails or hitting a URL may expose the world to malicious attempts. And we are still sitting here?!


Smashing the Flash for Fun and Profit

Last night I was really bored so I decided to study a few flash games and find a way to cheat when submitting the score online. It really was easy. What most of these games do is send a POST to e.g. http://www.example.com/flashgames/game314/submit.asp?score=31400. If you manipulate that packet, changing score to 62800 and finally send it, you have successfully doubled your score! No verification, no nothing. Of course some games do a little checking to see if let's say 62800 is a plausible score (maybe it exceeds the maximum available points or sth). But that's also too easy to deal with.

You just have to decompile the file and take a good look at the source code which is ActionScript. To begin with, all flash games (.swf) are downloaded to your PC prior to execution so you have a copy of the title to look at. Secondly, since they are not compiled files but use an interpreted object-oriented language they contain bytecode (not machine code) which is executed at run time by your browser. That bytecode may be easily reversed using a decompiler (it actually doesn't de-compile but you get the picture). Finally ActionScript seems like pseudo-code, that is logical expressions describing the actual design of the game. These can be well-understood by humans, even non-programmers. To deal with these issues, protection methods are being used. These allow the game to be run but prevent a decompiler from taking it apart. But the truth is these protections aren't that good. They can be removed using freeware, google-found tools. Finally, ActionScript programmers use obfuscation techniques to protect their code (all other elements like graphics are left open to "borrow"). What they really do is piss somebody off since the code may be partly read using certain ways and ofcourse the code structure may always be studied using standard Hex Editors.

Since yesterday I've seen quite a few flash games with variable protection schemes. The hardest I've found used the hash of string containing the actual score plus some "secret" sequence of chars to make sure the submitted score had not been tampered with. This sequence was hard-coded in the game. I mean are they stupid or what? As I've already said, if someone is already skilled to discover the submitted values and crack the file, code obfuscation can do very little to him. So sooner or later the secret is revealed.

There's one golden rule in cryptography:
never rely on the secrecy of the algorithm
.

Once the algorithm is revealed, your cover is blown. I could think of and suggest ways to improve verification issues and protect copyrights but that's not my job and I have better things to do :P


e-Shops revised

Almost two weeks ago I ordered a digital camera from a popular, computer/technology store which also operates online. The same day I received an e-mailing informing me that the specified product was out of the stock and urging me to contact an employee by phone. So I did. He claimed that a "bug" in their website showed the camera as available "withing 24 hours" while they had already filled an order from the manufactor some days before. OMG. Do you say the words "bug" followed by "website" and expect someone to shop from you again? Anyway, I made clear that no charges would be made until the product had been shipped to my location. Standard thing I guess, nothing to get excited about. Today, I called the store asking for a status on the order. "We received the items yesterday and they'll be shipped to you tomorrow". Am I missing something here? What happened to "today"? What are they going to do today? Or maybe my call was a wake-up for them to check on my account? So weekend is coming up and I'll get my package on Monday (hopefully).

Come on people! Is this the best you can do? It's the summer time and I'm a bit lazy. Had it been otherwise, I would have already canceled the order and bought the camera from somewhere else.

What these people don't seem to understand is that when you go online you are competing with the world. Thousands of e-Shops are available online providing low prices, high availability and excellent service.

Had it been otherwise, I would have already bought the camera from a country "next-door" like Germany or France. Using today's courier services I could have the product here in two days and at a price possibly lower that the one I get here.

In an open market my shopping mall extends around the world and those who stick to "standard" services won't make it through the year.

No comments: