Tuesday, July 31, 2012

New eBooks Online

I added two new PDF eBooks for developers:

  • Ant In Brief
    This is a quickstart book on how to write ant scripts.

  • Ant Installer In Brief
    This is a quickstart book on how to write an installer using the antinstaller. The antinstaller is an extension to ant. It's pretty slick.

You can find them at:

http://www.kengpl.com/ebooks/

Tuesday, July 24, 2012

Black Hat: Hotel Locks

This year at the Black Hat convention, Mozilla software developer Cody Brocious demonstrated a homebrewed device, built for $50, that unlocks hotel rooms. The schematics for the device are open source and available on the Web. The lock maker's (Onity's) locks are found on between four and five million hotel room doors worldwide. Brocious' device plugs into the DC port found on the bottom of the outside portion of the lock.

"[It] looks like a standard DC power port you'd see on something like a router," Brocious says. The hack simulates the device hotel operators use to program locks to accept certain master keys. Brocious' device reads the lock's memory, obtains the cryptographic key information, and then sends that information back to the door lock, allowing the attacker to gain entry to the room.

Brocious explains that the key information is easily accessible and not protected, which is why his device can obtain it so easily.

Testing a standard Onity lock he had ordered online, Brocious was able to bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors that he and Andy Greenberg (from Forbes Magazine) tested, only one of the three opened. The third door took a second try, with Brocious taking a break to tweak his software between tests. He believes that with more experimentation and tweaking, someone could access a significant fraction of hotel rooms around the country without leaving a trace.

Thursday, July 12, 2012

Password breaches

You would THINK that people in charge of large companies would do the following:

1) Prevent SQL injection. This is an old and easy method used by hackers to bypass a login screen and log in as admin. This attack has been known for YEARS.

2) SALT their passwords. A salt is random data added to each password before it is encrypted, so that if two people have the same password, the stored values still look different.

3) Encrypt their passwords. This is password 101. I mean, we've been doing this since UNIX came out.

… or so I thought …

Gamigo was hacked four months ago, and over eight million (8,000,000) user names, email addresses, and passwords were lost. This particular account breach has been dubbed the largest so far for 2012.

Twitter was hacked about a month ago. And apparently Twitter didn't salt their passwords. So all a newbie hacker had to do was sort the encrypted passwords and work on whichever ones showed up the most.

And then there's Yahoo (more specifically Yahoo Voices). The hackers bypassed security using SQL injection, and the passwords weren't even encrypted. SERIOUSLY????

Hopefully the other website owners will take this as a wake-up call.

So, some of you may be wondering: what is SQL injection and what is salt?

Let's start with salt. There are a handful of ways to encrypt (strictly, one-way hash) data. So, let's say I have a database system and I store user logins and passwords for my website. Bob uses "sunny" as a password and, for argument's sake, let's say it encrypts to a3Gh4281=+. Sue also uses the same password, and it encrypts to the same value. That's an issue, because once you crack Bob's password you know that Sue's password is the same.

So, on to salting a password. Salt is a random set of bits that forms one input to the one-way password encryption function; the other input is the password itself. This "salted" password is saved to the database. On subsequent logins, the salt is retrieved and the password and salt go through the encryption algorithm again. Then the newly generated "salted" password is compared to the "salted" password in the database. If they match, the user can log in. Since every user has a unique salt, Bob's and Sue's stored passwords will look different in the database.
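The Bob-and-Sue scenario above, worked through in code. This is an added example, not the post's own code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the one-way function, and the iteration count, table layout and sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not the post's own code: store a salted, one-way hash of
# each password and verify a login against it. The iteration count is an
# assumption chosen for the example.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when
    none is given, so two users with equal passwords get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def build_user_table(users: Dict[str, str]) -> Dict[str, Dict[str, bytes]]:
    """Constructed 'database': name -> {salt, hash}. The password itself is never stored."""
    table = {}
    for name, password in users.items():
        salt, digest = hash_password(password)
        table[name] = {"salt": salt, "hash": digest}
    return table


def login(table: Dict[str, Dict[str, bytes]], name: str, password: str) -> bool:
    row = table.get(name)
    return row is not None and verify_password(password, row["salt"], row["hash"])


# Constructed sample: Bob and Sue both pick "sunny", as in the post.
USER_TABLE = build_user_table({"bob": "sunny", "sue": "sunny"})


def stored_values_differ(table: Dict[str, Dict[str, bytes]] = USER_TABLE) -> bool:
    """True when Bob's and Sue's stored hashes differ despite equal passwords."""
    return table["bob"]["hash"] != table["sue"]["hash"]


if __name__ == "__main__":
    print("bob/sue hashes differ:", stored_values_differ())
    print("bob logs in with 'sunny':", login(USER_TABLE, "bob", "sunny"))
    print("bob logs in with 'rainy':", login(USER_TABLE, "bob", "rainy"))
```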

So, on to SQL injection. When you want to log into a website (e.g. Yahoo Mail), you normally type your username and your password. The system uses that information and generates a database fetch command (select * from userTable where user = x). To avoid SQL injection, smart DBAs use stored procedures. In other words, the procedure is stored in the database and the program passes in the variables (username and password) separately. DBAs that have no experience with security might just have the command built on the fly from the user's input and run on the database.

So, how can someone do a SQL injection? Instead of entering a username, the hacker enters the following:

username: whatever; select * from userTable where user='admin';//

What this does is return the admin data from the database (everything after the double slash is ignored). So the "on the fly" command now looks like this:

select * from userTable where user = whatever; select * from userTable where user='admin'; // where user = x

And now the hacker has the record for the admin and logs in as the admin. From there, they can do whatever an admin can do. Again, this is one of the oldest ways to hack a website, and most web admins should be aware of it and have a solution in place to protect their database from SQL injection. Most web admins, except the ones over at Yahoo…
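The "on the fly" login query the post describes, beside the form that passes the variables in separately (a parameterized query, the same principle as the stored-procedure approach above). This is an added example, not the post's own code; the table and column names follow the post, while the password column, the sample rows and the SQLite in-memory database are assumptions made for the illustration.

```python
import sqlite3
from typing import Callable, Optional, Tuple

# Added example, not the post's own code. Table and column names follow the
# post (userTable, user); the password column and the rows are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userTable (user TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO userTable VALUES (?, ?, ?)",
                     [("admin", "s3cret", "admin"), ("bob", "sunny", "user")])
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, user: str, password: str) -> Optional[Tuple]:
    # VULNERABLE: the input is pasted into the SQL text, so a quote followed
    # by a comment marker in the username rewrites the statement and drops
    # the password check. Kept only to contrast with the safe form below.
    sql = f"select * from userTable where user = '{user}' and password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> Optional[Tuple]:
    # Parameterized: the values travel separately from the SQL text, so the
    # database compares them as data and never parses them as SQL.
    sql = "select * from userTable where user = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchone()


def admin_bypassed(login: Callable, user: str, password: str) -> bool:
    """True when the given login routine returns the admin row for this input."""
    row = login(make_db(), user, password)
    return row is not None and row[2] == "admin"


if __name__ == "__main__":
    # Constructed probe: a quoted username ending in an SQL comment marker.
    probe = "admin' --"
    print("unsafe query returns admin row:", admin_bypassed(login_unsafe, probe, "wrong"))
    print("safe query returns admin row:  ", admin_bypassed(login_safe, probe, "wrong"))
```

The unsafe variant returns the admin row with a wrong password because the comment marker removes the password clause; the parameterized one simply finds no user with that name.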