Archive for February, 2007

Google Image Search goes back to original interface

Google Image Search recently got a makeover, which I blogged about here. However, a lot of people didn’t seem to like it, as is evident from the comments on the blog of Matt Cutts of Google, who reported it first.

This new “cleaner” Google Image Search emphasised the picture and not its domain name. Only when you moved your mouse over an image were you shown additional information like the size of the image, the image dimensions, the format of the image and also the link to the source of the image.

I am sure Google also got a lot of requests asking to go back to the original design, as a lot of people, including me, look at the source of the picture to decide whether the picture is from a known reliable source or a fake. One other important criterion for me is the size of the image, which was hidden in the makeover design.

“Cleaner” Google Image Search results for sunset


Enhance your site with the Google News Bar wizard

Google in the past has allowed people to add a lot of interactivity to their individual web sites. You could display video, news and local search results on your web page without writing any code.

Google released their latest wizard, which generates a news bar that scrolls through recent news headlines. The News Bar is a Google AJAX Search API application that lets you easily add application- and page-controlled news search results to your web pages or blog. This control, which provides search-driven bars of news results, is highly customizable: you can specify the news bar’s orientation, the number of results it displays, the list of search expressions that drive it, etc. You can control which news results it displays through both APIs, and if you like, through links on your page (e.g., The Dow, OPEC, Iraq).

Here, I’ve customized it to show Google News search results for Google.

This news bar is also available in a vertical orientation for you to use in a column or your WordPress sidebar. You can also easily change the look-and-feel of the wizard-generated code just by adding some CSS or editing the JavaScript.

Where can you use this?

Say you have separate categories on your site for Apple, Microsoft, Google or any other company. You can use this code on those pages to generate news related to that topic or company.

The wizards allow you to easily implement some of Google’s most popular solutions based on the AJAX Search API. The other wizards offered by Google besides the News Bar Wizard include:

1. Google Map Search Wizard where you can allow your users to search for places on a Google map without leaving your site.

2. Google Video Bar Wizard allows you to embed Google Videos on your blog or website.

3. Google Video Search Wizard allows your users to search for videos and watch ones you have selected without leaving your site.

4. Google Book Bar Wizard allows you to show off books on topics that interest you on your web site or blog.

Additional Sources:

If you wish to further customize this Google News Bar, Google has provided us with a News Bar Programming Guide.

Dirty Business: What Security and Pen Testers need to know to get the job done

This article is part #3 in the series on Penetration Testing. The first in this series talks about penetration testing as a profession and gives a general introduction. The second introduces you to some critical keywords and security tips you need to be aware of before proceeding through the rest of this series.

When you are performing the role of a security/pen tester, sometimes just having the right tools and skills is not enough. Either they are not enough or there are easier ways to get the management to understand how easy it is for someone to walk in and walk out with the keys to their “fort”.

One of the first things I want to share with you is what the professor of a security class I took while I was an undergrad at Florida Tech shared with us. He was performing a penetration test at a company and he was negotiating the price for which he was willing to perform the pen test of the company’s network. Apparently, the company was driving a hard bargain. Finally, it reached an ultimatum situation and so the company asks… “why should we pay you so many X dollars more? Are you that Good?” or something along those lines. So my professor excuses himself from the meeting room on the pretext of using the rest room. He walks around the floor on which the meeting was set up. Here is what he finds. He finds passwords on employees’ monitors, including in front of an employee who had an “Emergency Response Team” sign sitting outside his cube. As he is walking past, he sees the Project Manager’s laptop bag with disks and flash drives in it, sitting outside near the receptionist’s or an employee’s desk. He just informs the lady that he was told to bring the bag inside, and takes out the flash drive. He logs into one of the terminals, grabs some credentials stored on the flash drive, makes printouts of some confidential documents and brings them back to the meeting room, all within a time frame of around 5-10 minutes. No one asked any questions. My professor got the price he asked for and more, and the company had an excellent pen test analysis done.

So what is the moral of this story? No matter how strong your filters are set or how well your firewall is configured, you must always take caution against the insider attack. You are only as strong as your weakest link. In this business, we sometimes need to employ tactics such as social engineering, amongst others, to get our job done. In this article, I will talk about some of these tactics.

1. Using a Keylogger: Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage, for instance by providing a means to obtain passwords or encryption keys and thus bypass other security measures. A simple Google search on download keyloggers gives you plenty of results. You might want to use a professional keylogger tool such as KeyKatcher or KeyGhost. While you are performing a security test on a system, keyloggers can be a helpful tool. However, please make sure that you have permission from the company to do something like this.

2. The ability to pick locks: Okay, this is one skill I don’t have either, but if you are performing the role of a pen tester, remember that if something is stolen or picked from the company, it had better be you rather than some attacker. When performing a test, know the kinds of locks used by the company to secure its prime assets such as server rooms. While most companies these days are using card access, you might be in luck if they are using the traditional lock. An excellent paper highlighting the need for physical security is the “MIT Guide to Lock Picking” by an author who calls himself Ted the Tool. If you are going in this direction, contact your nearest law enforcement agency, fill out the necessary forms and get certified. The ability to pick the lock of a server room could be a valuable asset while performing a security test at a company. Again, please make sure you have permission from the company to do something like this.

Related Articles:

1. Introduction to Ethical Hacking and Penetration Testing

2. Important Computer Security Definitions and Terminologies


Introduction to Ethical Hacking and Penetration Testing

I have been busy lately, as I am currently performing pen testing for a major company based in India. Under NDAs, I cannot disclose the name of the company.

However, the company has given me permission to incorporate some of the findings into this series, An Introduction to Ethical Hacking through the eyes of a pen tester, which will hopefully help anyone reading this blog learn how to protect and secure a network by understanding how a hacker operates and understanding their tools and methodologies.

Why would I want to publish such a series of articles? Because I did not want to be part of the problem anymore. The need to know and understand computer security has passed the realm of just security professionals. The web is an ugly place, with hackers and crackers lurking at every corner selling their Trojans and the rest of their goods in the malicious code department, trying to install botnets and seeking to profit from your mistakes or rather your lack of security awareness.

Every other day, you see articles in the newspaper and on the web about identity theft or credit card numbers being stolen from compromised database servers. The need for security professionals who know networks and understand how hackers operate is growing every day, with companies utilizing such security professionals to test and break into their network before the bad guys do and to patch up their security infrastructure. It is here that we, the “security testers” or “penetration testers”, come in.

So what will you learn in this series on Penetration Testing?
I will try to offer you a structured approach to security and penetration testing. I will also try to explain in-depth some of the tools which hackers typically use. Remember you are trying to be the Ethical hacker and you need to know how to use and implement the tools of the trade.

A network is only as secure as its weakest link. You are trying to discover vulnerabilities within a network and find that weak link before the bad guys.

Disclaimer: You will learn about some tools and methodologies which are not meant to be used for hacking purposes. Hacking or compromising a computer or a network is illegal in many parts of the world. Please use them to further understand how computer security works. If you are trying to take up the role of a penetration tester for a company, make sure you have a contract signed with the client, with what you can and cannot do clearly defined. Also, make sure you read your ISP’s contract and their acceptable use policy regarding any scanning software such as port scanners. Running anything that denies a user access to a system or a network resource is illegal.

How to Unlock any Nokia phone and get its Unlock Codes

I recently lost my cell phone while travelling abroad. Fortunately for me, I had a brand new cell phone, a Nokia 6010, hanging around, which I got from T-Mobile for free when I renewed my contract with them. In most countries, there are pre-paid options for phones where you pay a provider some cash and you get a SIM card which you can plug into your phone and you are all set. However, the Nokia phone I had was locked to T-Mobile and I could not use my SIM card.

This led me to go online and see if there are any methods out there to help me unlock and use my cell phone. Now, there are plenty of sites out there which give you the unlock codes for your Nokia cell phone. However, most of them charge anywhere from $9.99 to $65 to provide you with the unlock codes. Also, some of them only take payment in Euros. So, in this post, I will introduce you to two sites that provide you with unlock codes for your Nokia cell phone absolutely FREE.

Site # 1: Unlock.it

Unlock any Cell phone for FREE and get unlock codes

This site is the most popular free site for unlocking any Nokia-based cell phone and most of the cell phones out there. Some of the other brands for which they provide unlock codes include Siemens, LG, NEC, Panasonic, Samsung, Sony Ericsson and Motorola based phones.

The procedure for unlocking your Cell phone is as follows:

1. Start your phone without your new SIM or any SIM card in it

2. Now hit *#06# on your cell phone. When you do it, your IMEI number, a unique global serial number for your cell phone shows up. Your IMEI number should be 15 digits.

3. Now, choose the model of your Cell phone. If you don’t know your cell phone model number, you can always find out by removing the cell/battery of your phone. The model number along with the IMEI of the phone should be present.

4. Now, select the country and the operator the phone is locked to. For example “USA- T-Mobile”

5. You are now given the unlock codes for your cell phone. A lot of people have a problem punching in the letters p and w while entering the unlock codes. To enter the codes, here is a visual guide below as well as the step by step procedure

Google Gmail Keyboard Shortcuts

According to Wikipedia, a keyboard shortcut (or accelerator key, shortcut key, hot key, key binding, keybinding, key combo, etc.) is a key or set of keys that performs a predefined function. These functions can often be done via some other, more indirect mechanism, such as using a menu, typing a longer command, and/or using a pointing device. By reducing such sequences to a few keystrokes, this can often save the user time, hence “shortcut”.

Google’s GMail service has grown to be one of the most popular web-based email services out there. They were the first ones to provide 1GB of free email storage, whereas other providers such as Microsoft’s Hotmail and Yahoo’s Yahoo mail only provided a storage space of 4MB and 2MB respectively. While other free web-based email solutions have tried to catch up with GMail in terms of storage capacity and features, Google’s GMail is still the king, especially among the techie and geek community. While Google’s support pages do an excellent job outlining the various keyboard shortcuts, they just do a dump on you with no breakdown by your various separate needs. I will try to break it down by categories below and in some cases, I will use Google’s own words explaining GMail’s shortcut features.

Caution: The keyboard shortcuts in GMail are case-sensitive.

TIP: This blog allows you to print articles. Make use of the print this option in this article for a formatted page for printing.

First off, verify that you have keyboard shortcuts enabled on your GMail account. To do so, log in to your GMail account, then go to Settings and under the General tab options, you will see an option to enable or disable keyboard shortcuts in GMail.

Enable or disable keyboard shortcuts in Google's GMail

Searching your GMail messages / conversations:

Shortcut Key | Definition | Action
/ | Search | This takes your cursor to the main search box in your GMail account


Google announces Summer of Code 2007

Google announced yesterday, on the Google Code Blog, that they will again be holding their annual Summer of Code in the summer of 2007.

Google Summer of Code is a program that offers student developers stipends to write code for various open source projects. Google will be working with several open source, free software and technology-related groups to identify and fund several projects over a three-month period. Historically, the program has brought together over 1,000 students with over 100 open source projects, to create hundreds of thousands of lines of code. The program, which kicked off in 2005, is now in its third year, following on from a very successful 2006.

Google gives out a certificate of achievement for Google Summer of code

So, how do students apply for Google Summer of Code 2007?

Students can submit their applications via the GSoC web app between March 14-24, 2007.

You need to be at least 18 years old by April 9, 2007 to be eligible to participate in the Google Summer of Code 2007. Even international students studying in the United States on an F-1 visa or an OPT can still apply for the Google Summer of Code as long as they have a valid student status. Google will provide a stipend of $5000, of which the student gets to pocket $4500 and the balance of $500 goes to the mentoring organization.

Who owns the code produced by student developers?

Each student (or her/his mentoring organization) must license all student GSoC code under a license palatable to the mentoring organization. Some organizations will require students to assign copyright to them, but many will allow them to retain copyright. If Google is a student’s sponsoring organization, then the student keeps copyright to her/his code.

Additional sources for the Google Summer of Code 2007

1. Google Code Blog

2. Google Summer of Code 2007 website

3. Google Summer of Code FAQ Page

4. Wikipedia entry on Google Summer of Code


Google Accounts has retard as a CAPTCHA

A CAPTCHA (an initialism for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge-response test used in computing to determine whether or not the user is human. A common type of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen.

Okay, so I get the funniest thing in the mail today. A buddy of mine apparently got this while he was associating his GMail ID with Google’s Orkut service. He gets the CAPTCHA as “retard”.

Google asking for a retard confirmation


How to: Upload and Share Large Files over the Internet

Alex over at SkunkLabs profiles an interesting web startup called Senduit.

Senduit seems to be pretty good for sharing files, with a max restriction of 100MB. The files you upload also expire, with time limits ranging from 30 minutes to 1 week.

It took me around 10 seconds to upload a 1MB file. So file transfer speed does not seem to be an issue here.

Uploading a file using Senduit

Link to Senduit, a free file upload and sharing service
