Online Security Crash Course - Part 1

I am not a security expert nor a hacker, but I've had my share of attacks since 1996.

This post is, perhaps surprisingly, not about computer viruses or trojan horses; it's rather about internet & web application security. It will help you understand the new & old tricks hackers use to gain control of, or access to, private personal information, & how to secure yourself against them.

It's worth noting that I won't be getting technical; this post is meant for general internet users.

I'll split this post into two parts:

Part One

  • XSS & CSRF ( aka the twin evils )

Part Two

  • Wordpress Security & SQL Injection
  • Your router & the cafe's

XSS ( Cross Site Scripting )

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

XSS Demonstrated

What does it look like?

www.examplesite.com/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-examplesite.com/";}</script>

What harm does it do?
Depending on the payload & the exploitable site, with XSS an attacker can:

  • Steal your cookie & impersonate you
  • Friend an unknown friend
  • Like a page
  • Follow a stranger on twitter
  • Show a fake login page
  • Basically, perform any action
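To see why the URL above is a website-side problem rather than something the visitor did wrong, here is an added example (not code from the original post): a tiny server-side template that pastes the `name` parameter straight into the page, next to the same template with HTML escaping. The scheme on the URL, and the function names (`extractName`, `renderVulnerable`, `renderSafe`, `escapeHtml`, `containsScriptTag`), are this example's own assumptions.

```javascript
// Added example, not from the original post: reflected XSS in a server-side
// template, and the output escaping that neutralises it.

// Constructed request URL, taken from the demo URL in the post with a scheme added.
const DEMO_URL =
  'http://www.examplesite.com/index.php?name=<script>window.onload = function() {' +
  'var link=document.getElementsByTagName("a");' +
  'link[0].href="http://not-real-examplesite.com/";}</script>';

// Pull the `name` query parameter out of the request, as index.php would.
function extractName(url) {
  return new URL(url).searchParams.get('name') || '';
}

// Vulnerable template: the parameter is concatenated straight into HTML, so the
// browser treats the attacker's text as markup and runs the script element.
function renderVulnerable(name) {
  return '<h1>Hello ' + name + '</h1><a href="/login">Login</a>';
}

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened template: same page, but untrusted input is escaped before it is
// placed in the HTML, so the browser displays it as plain text.
function renderSafe(name) {
  return '<h1>Hello ' + escapeHtml(name) + '</h1><a href="/login">Login</a>';
}

// Quick check over rendered output: did the untrusted value become a live
// <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const name = extractName(DEMO_URL);
console.log(containsScriptTag(renderVulnerable(name))); // true
console.log(containsScriptTag(renderSafe(name)));       // false
```

Escaping on output is the fix the site owner has to apply; the browser-side filters mentioned later in the post only catch some of the cases this misses.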

[box type="info"]Did you know that XSS is as old as the browser?[/box]

Real life story:
Samy is my hero. In 2005 Samy Kamkar released the Samy worm; execution of the payload resulted in a "friend request" automatically being made to the author of the worm, and in messages containing the payload being left on the profiles of the victim's friends.

Protection & Prevention:

  • Unfortunately, XSS is a website/code/server-side issue (nothing you can fix as a user); luckily, modern browsers have basic protection against XSS attacks.
  • Also have a look at NoScript
Firefox XSS warning

Read more about XSS http://www.veracode.com/security/xss

CSRF (Cross-Site Request Forgery)

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.

An attack could be embedded as an iframe, a form or a (hidden) image source on popular sites.

[box type="note"]I'd describe it as a silent XSS: it's a 100% genuine request coming from the victim's browser, so no antivirus, web protection software or browser filter can detect this attack.[/box]

What does it look like?

<img src="https://bank.example.com/withdraw?account=myAccount&amount=1000000&for=EvilAccount">

Note: You won't be able to spot the code above in an attack, as it sits in the page's HTML source ( view source ).

What harm does it do?

  • Request a bank account transfer
  • Add an email forwarder
  • Place an online order
  • Limitless activities

Real life story:

In 2007, Google suffered from a CSRF attack where an attacker could add a filter that forwards emails to a specific/another email address (an email forwarder), forwarding all emails that have attachments, for example.

[box type="alert"]When was the last time you checked email forwarders?[/box]

Protection:
You are on your own in this! As explained earlier, CSRF requests look far too legitimate for the web browser's filters to spot & stop; it is the site owner/developer who should use a technique called (anti-CSRF) tokens to stop this attack, and there are of course several ways of doing so on the server side.

[box type="tick"]If you are done with your logged-in bank account session, just log out; the same goes for other sites. And steer away from saving passwords.[/box]

[box type="tick"]Try using two different browsers (or a VM): one for sensitive web applications such as banks, email & social networks, and one for general browsing.[/box]

Also, try not to click on links from untrusted sources & untrusted websites.

Read more about CSRF http://www.veracode.com/security/csrf

It's worth mentioning XHR (XMLHttpRequest) attacks, which give attackers a surface to push various activities to the servers, ranging from SQL injection to XSS; many well-known websites such as the BBC, Yahoo, PollDaddy, MySpace & more have suffered & are still suffering from this (sort of) silent attack.

[box type="alert"]What I have discussed is a little bit scary: silent attacks are not noticeable. It's not like someone has changed your email password or hacked your twitter account; the hackers get the feed of your entire life without you knowing it.[/box]

Bonus content: ClickJacking

Tune in for Part 2!

Resources:

  • http://en.wikipedia.org/
  • https://www.owasp.org/
  • http://www.veracode.com/

Old Bahraini Passport

I found these old Bahraini passports with my uncle; they belonged to my grandfather, who passed away a long time back. Notice the name of the country: "Government of Bahrain and Dependencies".


Color grading - warm & cool color cast comparison FCP-X

I guess I'll call it ( the weekend experiments ). If you have watched the video you may have noticed that I've crushed the blacks a tad; the main reason I did this experiment is to see how a tint of a color, or a color cast, can affect the mood, time of day or the location. It may look a tad cheesy, yet it remains an experiment & I'm still learning :)

Feel free to criticise.


Windows Phone 7 - Another VIVA first

VIVA brings to you the new Windows Phone 7, with HTC HD7. Everything you need, easier and faster.

  • Windows Phone Apps Marketplace
  • 5 mega pixel camera
  • Impressive 4.3" screen
  • Rear kickstand

Two great packages* to choose from:

With 12 months contract BD 199 initial payment BD 10 instalment per month
With 24 months contract BD 99 initial payment BD 10 instalment per month

*Available with VIVA Postpaid packages.

Get it with free 2GB worth of data, only from VIVA


Samsung galaxy tab

This is your opportunity to be amongst the first in Bahrain to own the new Samsung Galaxy Tab. The 7-inch tablet is portable yet powerful. Enjoy rich connections to all the entertainment and information you want with:

  • 7-inch multi-touch screen
  • Mobile video chat
  • Web browsing with flash
  • Android 2.2

Exclusively offered to you by VIVA with:

  • 3 months free subscription on VIVA postpaid10, and
  • 3 GB free data every month

For only BD300.

Powered by Android Operating System 2.2, the Samsung GALAXY brings together all of Samsung's leading innovations to provide users with more capabilities while on the move. Consumers are able to experience PC-like web-browsing and enjoy all forms of multimedia content on the perfectly sized 7-inch display, wherever they go. Users will be able to continuously communicate via e-mail, voice and video call, SMS/MMS or social network with the optimized user interface.

For more information call 124 or visit any VIVA Store.
*Offer limited whilst stocks last

Source: VIVA


I am a google analytics qualified individual

I always thought I'd published this but it seems that I haven't, so...

Yes :-) I'm now officially a Google Analytics qualified individual!
You can grab the original "copy" from my CV - Resume section


Blackberry Banned in Bahrain & Middle East

No, it's not yet banned in Bahrain ( as I'm writing this post ) but it looks like it's coming up fast and sharp!

Below is an email received from Batelco:
------------------------------------------------------------------------------------------

Dear Valued Business Customer

Batelco's Enterprise Division is working to minimize any inconvenience for our business customers if Batelco is directed to suspend some Blackberry services such as the popular messenger or email.

Despite this being outside our control, we want to assure all our Blackberry customers that Batelco is working on alternative offers to minimise any inconvenience should some services be suspended.

We appreciate the importance of Blackberry services such as push email for our Enterprise customers and accordingly we are finalising alternative offers which we hope to deliver as soon as possible, if necessary.

We will address all our Blackberry customers' concerns as quickly as practicable.

All updates on this matter will be posted on our website batelco.com/blackberryupdate

So once again ( I lost count ) we are about to get banned from using something; rolling back on my blog posts I remember two banning occasions:

  1. The internet censorship in Bahrain ( Bye Bye Age of Engage )
  2. Mahmood Alyousif Blog ban

What I would like to know is, again, why? And why in GCC countries? Aren't we, by doing so, stepping a bit backwards?

Why us Arabs? Is it because of the porn materials ( local editions ) being shared? Sad but true.

Is it because we have groups that alert people about speed cams?

Is it because of scandal materials being shared at the speed of light?

Is it because of the fast information flow? And the fact that you can't monitor it/us?

How about sharing our thoughts with you? You only make the world laugh at us...


Mobile site review - Batelco 181 directory


In my previous post [The future is mobile] I have briefly pointed out that the web is moving towards the mobile web [ web apps & native apps ].

Building for mobile is tricky, however; I have summarized "building for mobile guidelines" into the following points:

  • Simple options
  • Lack of images
  • White space
  • Prioritized content / Publish the Bare Minimum
  • Clean Markup

A very smart & wise initiative from Batelco is developing a mobile version of their telephone directory site that enables mobile users to search for public/private telephone numbers and their addresses.

You can fire up Safari on your iPhone or just browse the site on your BlackBerry device @ http://m.181.bh/ as you read.

A side note: the site detects mobile devices and redirects accordingly. [passed on iphone and BB]

Pointing your browser at the link above will lead you to this:

The site contains 4 main block elements:

  1. A very simple header with the title to the left and the logo to the right
  2. An option to switch to the full version of the site
  3. Language switcher [AR/EN]
  4. And the most important element a single search box with a title ( name ) and a search button

A user experience expert wanna-be might jump up and say: hey where are the instructions to use the site?

Here is how to shut him up: how old is the internet in Bahrain, 15+ years? I guess Google & Yahoo embossed that function into our brains, so whenever we see an input box with a button next to or below it, we know the site will submit whatever keyword we type in that field and we expect an action in return, hence the baby duck syndrome.

Notice that the site supports my previous post on search as a dominant function!

Pizza is what I used as a search term, don't even ask why hehe! Carrying on...

Here is how the SRP, or Search Result Page, for the term "Pizza" looks:

3 additional blocks were added to the SRP besides the records ( 5 records per page ); the additional blocks are:

  1. The counter strip ( Displaying 1 - 5 of 31 results )
  2. Refine, a smart filtering mechanism
  3. Next and Previous
  4. A new search link was added on the language block

Hmmm, so why didn't I get to choose the category from the first page before submitting the query?

Remember the screen size is too small to fit all possible categories & areas in it. However, the backend is kind of smart: once you search for a term, the taxonomy system will only show you categories related to your search term; in our case "Pizza" falls into the food and restaurants category & somewhere in the backend this term is linked to that category ( see the image below ).

Note: If you are an iPhone user, then no problem, you will still be using the iPhone user interface to scroll through the options in the drop-down box :) #thankSteveJobs

There is one thing that confused me for a second and that's the light blue circle with the letter B in it, which I think stands for Business, and R stands for Residential?

Carrying on...

You can see that the contact number is highlighted as a link (on iPhone/iPod only); guess what happens when you tap on it? No, it doesn't dial, it overlays the "create new contact or Add to existing account" option. In my opinion it should have dialled the number, but hey, it's just me!

Click on more and it will show you more information including the map, but it won't go native, native as in using the device GPS to plot the direction from your location to the destination; still, it's a good option to have a map of the location.

Let's jump to the site's content size; below are two snaps, the first one is before search and the second one is after search:

Ignore the Skype script thingy, that comes with Skype when you install it. The biggest file is a JavaScript file that belongs to Google Analytics, not really a big problem since they have placed the tracker at the bottom of the site ( the footer ), which means it will only load once the rest of the DOM is loaded.

16 KB before search and 17 KB after search, I like :) [ excluding Skype's JS ]

The Markup

The markup behind it looks intact so far, with one error and 2 warnings; it's a very simple error that can be fixed on the fly by specifying the alt attribute for the image used. It will basically show the alternative text if the image is not available or if images were turned off by the client.

One thing though, the document type declaration used is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

I'm not very keen when it comes to mobile DOCTYPEs, but I think they should have used the XHTML Mobile Profile DTD.

Conclusion

The Batelco 181 telephone directory mobile site is very simple and easy to use; it's probably one of the first noticeable mobile sites in Bahrain. Enhancements can be applied, for example: by clicking on the contact number the phone should dial it instead of copying and pasting.

I'm sure that there will be enhancements applied & that explains the GA tracking code gathering useful information; if interpreted correctly it will give very useful insights on how to improve the site, a sort of business intelligence or BI data report!

But so far, two thumbs up! ;)


A quick note on local permission marketing

"Beep Beep", an SMS alert. I pick up the phone to see the message and I go "oh shoot, there ya go again, another Zain message", and without even reading the message I delete it with passion...

Seriously, how often do you get interrupted with such ads? Whether you are checking your email, watching one of MBC's channels or probably receiving an SMS while driving, how often do you delete that SMS/email or switch to a different channel...? The important question is WHY?

Because you haven't opted in for it in the first place; that means interruption marketing is not working for them nor on us anymore, it has become another noise in the background...

Back to Zain: I haven't asked for it, please keep it to yourself.

Batelco on the other hand has an opt-in driven SMS "contest", but once you are in you can never get out ( you should probably dial 196 and click through the tree until you get a human to sort you out ), so even while you are roaming out of the country they will spam you with their questions to death... there aren't any instructions on how to opt out using SMS!

Moral of the story #1

" Make sure to have visible opt-in instructions and visible opt-out instructions "

Moral of the story #2

" Even though you got an opt-in strategy it doesn't mean that you are not spamming "

Moral of the story #3

" DVRs were created to skip TV ads, not just to record TV shows * MBC * "

Moral of the story #4

" We are witnessing the death of interruption marketing; we live on a small island, be different, switch to permission marketing: start by building your opt-in email lists or try viral perhaps? "

My next topic is going to be on email marketing best practices, hope the local big guys and their agencies are watching this space, it will really sort them out...