Show Posts


Messages - Pæs

Can you talk a little about man in the middle attacks on cell phone data? I know that they're a thing but I'd like a little more detail.

Do you mean man in the middle attacks targeting a cell phone's connection to the internet or its connection to anything? Typically if you want to intercept a phone's connection to its provider, you need to make an unauthorised cell tower with a stronger signal than the legitimate one. Phones are designed to connect to the strongest signal, so if a local cell tower is set up, it'll connect to that, giving an attacker the opportunity to view/modify that communication before forwarding it on to the real tower.

I like to think that the more people post using this service, the more their real voice gets diluted until everyone sounds like spambots.

I kinda feel like a master troll for convincing PD's BIP-style Discordians to post a thread full of word salad.

As a reminder to myself, things I am intending to post in this thread in future include:

Information about baseband hacking. Phone operating systems like Android and iOS are pretty advanced. They're good at drawing pretty menus on the screen and handling a whole lot of connected but separate functions like your contacts and clock and snapchat but they're too far away from being binary instructions to efficiently manage communication over radio. Communicating with a cell tower is a very precise interaction and so has to be controlled at a very low level by an entirely separate operating system which is effectively a little black box inside your phone. Android and iOS send signals to it and it sends signals back but very few people know what happens inside it.

Recent research indicates that way down deep in your phone is a mysterious bug-ridden operating system, unexploited because it only listens to cell towers and the source code has only been seen by a select few... but dropping hardware costs and open source cell tower software is starting to make it possible to interact with this part of the phone, using undocumented and poorly understood protocols to tell every cellphone in the area to turn on its microphone, forward all calls, send SMS or execute arbitrary code at a very low level.

Also, more stuff about serialisation formats. JSON, XML, YAML. All designed to make data portable but the parsers and readers which take them and turn them into usable data are much too clever. These parsers contain little known features which mean they're all too happy to execute code supplied to them by users in ways that most developers don't know to be possible.

I think cross site scripting has hit enough blogs and forums that developers are pretty aware of it, even if they're not entirely aware of every way the issue can emerge from their code. There are a lot of noble attempts to sanitise input to remove anything that might be interpreted as instructions for the browser, but Pratchett said it best with "Ninety percent of most magic merely consists of knowing one extra fact", which is all an attacker needs to have to thwart your defences.

It's starting to become understood that perfect defence of a system is not possible and all over infosec people are assuming compromise has occurred and putting their focus into detection and mitigation.

I think the new SQL injection is XPath injection, which seems to be becoming more popular and is basically a variation on the same concept.

A bit of background:

XPath is a query language for retrieving data from XML. XML to store login information might be structured like this:

So to check whether login input (the stuff you provide in the login form) matches anyone the site knows about, you might supply the following:
Code:
"//user[name/text()='" + request.get("username") + "' and password/text()='" + request.get("password") + "']";
This looks at every user in the database and checks whether the user supplied input matches both the username and the password for any valid user. The addition symbols in this query concatenate terms, so what we wind up with is name/text()="whatever you supplied as username" and password/text()="whatever you gave as your password". Each of these will come back as either true or false depending on whether the supplied values match what's in the database.

"And" is a logical operator which makes the entire statement true only if both expressions are true.

You have a login form using this code to authenticate users. The user gives "Alice" as their username and "password123" as their password. This code will iterate through the database and come up "false" for every entry because none of them match. One of them has the right username but the password is different, so the query as a whole doesn't match. It's asking each of the entries on record whether name="Alice" AND password="password123"

However, if you supply this query with username "Whateveryoulike" and password "fakepassword' or 'a'='a" you automatically get in. This is because when you add this to the original query what you wind up with is:

Code:
//user[name/text()='Whateveryoulike' and password/text()='fakepassword' or 'a'='a']

First it will check whether the username matches. It doesn't, so you've got FALSE AND password/text()='fakepassword' or 'a'='a'].

It's going to use a shortcut here and not check the password because it knows that the AND operator won't ever pass if one of the values is false, so that entire "username matches AND password matches" expression evaluates to false, so now we have:

FALSE OR 'a' = 'a'.

OR is another logical operator but this one will pass if either side evaluates to true. 'a' does equal 'a', so the expression as a whole passes. Essentially what you've done is injected your own query into the existing one and redefined the test for whether a user is valid or not to say that a user is valid if either of the following is true:

a) Username and password match
b) 'a' is the same as 'a'.

A lot of people assume that serialised data (data formatted to be easier to transport between systems, basically) is totally safe to work with and because XML is a fairly simple expression of data, they don't protect it as well as they would a more serious looking database.

XPath 2 is a less used but more modern standard which is actually advanced enough that you can inject into it instructions to open files on the server, which can lead to passwords to the machine being disclosed and the machine itself being totally compromised.

Tech stuff in this post got fairly heavy in some places, so I'm happy to go into things further if anyone wants.
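The login query from the post, run both as written and in a hardened form, as an added example that is not part of the original post or of any project. The XML user store is constructed here (the post's own sample XML did not survive), and `xpath_literal` is an assumed helper name; it uses the standard XPath 1.0 trick of building quoted literals with concat(), since XPath 1.0 has no escape character.

```ruby
require 'rexml/document'

# Constructed sample user store in the shape the post describes
# (not the original poster's file, which is missing from the page).
USERS_XML = <<~XML
  <users>
    <user><name>Alice</name><password>s3cret</password></user>
    <user><name>Bob</name><password>hunter2</password></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: form values are spliced straight into the XPath string,
# exactly as in the post's query (XPath keywords are lower-case: 'and').
def vulnerable_login(username, password)
  query = "//user[name/text()='#{username}' and password/text()='#{password}']"
  REXML::XPath.match(DOC, query).map { |u| u.elements['name'].text }
end

# Mitigation (assumed helper): turn untrusted input into an XPath string
# literal that cannot terminate early. A value with only one kind of quote
# is wrapped in the other kind; a value with both is assembled via concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(%q(, "'", ))})"
end

def safe_login(username, password)
  query = "//user[name/text()=#{xpath_literal(username)} and " \
          "password/text()=#{xpath_literal(password)}]"
  REXML::XPath.match(DOC, query).map { |u| u.elements['name'].text }
end

if __FILE__ == $0
  payload = "fakepassword' or 'a'='a"
  p vulnerable_login('Whateveryoulike', payload)  # => ["Alice", "Bob"]
  p safe_login('Whateveryoulike', payload)        # => []
  p safe_login('Alice', 's3cret')                 # => ["Alice"]
end
```

Where the XPath library supports variable binding (passing values separately from the expression), prefer that over string building entirely; the literal-quoting helper is the fallback for libraries that do not.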

So I'm just going to tiredly ramble about stuffs until people have questions.

Vulnerabilities in web applications are typically introduced by accepting user input. Showing people a website isn't too hard but as soon as you start caring about what users have to say, you open yourself up to all sorts of trouble. One example of this is the cross site scripting attack.

When the internet gives your browser a page, it sends something like the following.

Code:
A bunch of meta stuff like the title for the top of the browser, information about how to format the document.
Actual content of the page. Pictures and text and all sorts of buttons and shit.
<script>References to scripts that run on the page are also in here between tags like this.
These might be bits of code to tell the page how to animate the dropdown menu or do cool dynamic shit.
It can be as simple as sorting a list of items or as complex as the rules of a browser-based game.</script>

The browser hides the head and the script and uses them as instructions.

Now, take a page which has a single name change box for text input on it. It wants to know your name and will then display that name to other users. The developer has an issue here because they've designed the box with the expected input in mind. They haven't considered that the user isn't bound by their expectations. If the user tells the box that their name is "Steve", that's what will appear on the next page. If the user says their name is "<img>link to an image</img>" there's going to be an image on the next page because the browser reads those tags as instructions to display an image.

The real trouble comes when the user says their name is "<script> some malicious code </script>" and this data is dropped into the next page and then interpreted as code to execute. If this is setting your name for a blog or a forum, all users who can see your name have this code executed by their browsers.

Sometimes the buttons on a blog which tell it to post are coded in JavaScript. If the user can execute script in your browser, they can tell your browser to activate these buttons.

Sometimes the buttons on a blog which tell it to reset your password are coded in JavaScript and suddenly everyone who visits the forum has their password reset.

Techmology and Scientism / Re: Bang/No Bang?
« on: November 16, 2013, 06:19:38 am »
not to sound like I know what I'm talking about, but what about going for the side of the knee (LCL), or barring that, straight for the junk?

The junk is good.  Don't miss.
Their balls have to wind up in their stomach. Any less and I've seen some people just get really angry about a kick in the junk.

The Richard Nixon school of ballet and the arts / Re: BIP: Moving words.
« on: November 16, 2013, 04:13:17 am »
The lines do an unfortunate fuzzy thing on that one.
Yeah, I think what I learned from that one is that I need to zoom right through previous slides instead of leaving them in the scene.

The Richard Nixon school of ballet and the arts / Re: BIP: Moving words.
« on: November 16, 2013, 02:17:17 am »
One of LMNO's "Who are we?" cut off early while I play with some other stuff.
[development page taken offline]

Techmology and Scientism / Re: Bang/No Bang?
« on: November 15, 2013, 09:54:57 pm »
The trick with a riot baton is not getting it taken off you.

The benefit of a riot baton is that you can keep it up your sleeve and then with one movement extend it and bring it into your hand, so a fully extended baton appears from nowhere. Often doing that with a flourish and saying "PRESTO" is enough to make someone reconsider engaging with you.

I typically just go straight to the horrible bit, rather than threaten.  But that's because I am fucking annoyed by people who can't behave themselves.  Also, 10% of the time, the guy comes at you anyway, and now he knows you have the baton.

Also, when hitting someone with a baton, you always come DOWN with it, and not side-to-side.  It's harder to duck out of the way, and the proper place to hit someone is the collar bone.  It won't kill them, but they won't be using that arm until they've spent a while in a brace.
Threatening is generally a bad idea, yeah. Safer to go straight to the horrible bit rather than gamble with threatening anyone. Like you say, you don't want to let them know you have anything.

Techmology and Scientism / Re: Bang/No Bang?
« on: November 15, 2013, 09:38:51 pm »
The trick with a riot baton is not getting it taken off you.

The benefit of a riot baton is that you can keep it up your sleeve and then with one movement extend it and bring it into your hand, so a fully extended baton appears from nowhere. Often doing that with a flourish and saying "PRESTO" is enough to make someone reconsider engaging with you.

In this thread, y'all spags can post questions about techy things and I'll try to explain them. If anyone doesn't quite grok that explanation, ask for more! Other tech types are totally invited to jump in with supplementary informations.

Background: I'm not a security researcher or a penetration tester (someone who breaks systems for a living to prepare businesses for real attackers) but I do work tangentially to information security, spend a lot of time at work documenting vulnerabilities in our software and socialise with these types of ne'er-do-wells. I'm looking at moving into this area professionally in the future.


The Richard Nixon school of ballet and the arts / Hey Shub.
« on: November 15, 2013, 08:32:43 pm »
Welcome back. I almost forget why some people disliked you. I certainly forget the specifics and I can't be bothered to read your UNLIMITED thread to hold any of that against you.

One thing, though.

Describing yourself as "PD rape bait" seems in very poor taste, as if perhaps you mean to equate your negative experience here with sexual assault. I would like you to change that custom title to something less trivialising of rape.

I'm asking nicely.

The Richard Nixon school of ballet and the arts / Re: BIP: Moving words.
« on: November 15, 2013, 01:24:16 pm »
I like it!

Will you be considering font options for a later version?
Yeah, definitely. I didn't add any styling for this one, except the odd white background to hide the background layers. Later versions will have a bunch of different things going on.

Important Update It's pretty likely that your Facebook page is totally not using the radio.

Hulk Hogan started a web crawler for stylometric experiments.

So nobody is taken by surprise at the wedding, I'm going to spam you with the logistics and delivery more than three things an hour per driver.

So nobody is taken by a bright orange token and fortunately many of my identity in my name, and doing the thing isn't for sleep.

That's the experiment.

Finally hacked my way out of the morning. You don't go to Z service station before waking up properly.
