Twitter and Legal Hacking

November 11th, 2011

I’ll admit I haven’t read through the whole article in the link below, but the government legally hacked someone? The fact that “legal” and “hacked” appear in the same sentence is a little concerning.

That being said, it is feasible that there are times when something like this might need to happen – national security, etc. – and this was with reference to Wikileaks. But what rights do we really have? Are liberties taken, or do we even believe that the liberties should be taken?

My thought is it can go either way, but if you are going to take away someone’s right to privacy, there had better be a darn good reason. That being said, I’ve heard talk that traffic traveling over an IP (what a concept) doesn’t belong to the person that is using the IP, and therefore can be intercepted. Really? That’s a little low, don’t you think?

Soap box aside, like I said this conversation could go either way, here’s the link. See what you think about it – here, courtesy of the Guardian, UK.

Watch out for “Firesheep”

October 25th, 2010

There’s a new Firefox plug-in out there that allows you to sniff unsecured wireless traffic and gain access to other people’s Facebook, Twitter, etc. accounts – basically session hijacking. Sounds too simple, right? Unfortunately it is that simple. TechCrunch did a write-up on it and I decided to install and test it – it works – oh dear!

The basis is that you use a secured login to get into your social media accounts, but that’s about the extent of the security. Very few sites send the session cookie only over an encrypted connection, and that cookie is what Firesheep is looking for. Once you have it you are basically masquerading as the hijacked user. Remember though, this is on unsecured networks, so logging into your Facebook account from your local coffee shop or on public wireless is going to be an issue!

To quote the author of the tool, Eric Butler: “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and, open sesame, you will be able to log into that user’s site with their credentials. He said he created this tool to expose the severe lack of security on the web: “We spend so much time quibbling over the minutia in privacy policies, we lose sight of the forest, or in this case, gaping security holes.”

There are ways to prevent this from happening, one of which is outlined in another TechCrunch article here, which requires you to use another Firefox extension called “Force-TLS”. Force-TLS tries to force those sites to use the HTTPS protocol, therefore making user cookies invisible to Firesheep. Other things to do – well – don’t access password-protected websites on unsecured networks. Doing that is a recipe for disaster regardless of Firesheep – IMHO.
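A server-side view of the same weakness, added here as an example (it is not code from this post, from Firesheep or from Force-TLS): it parses constructed HTTP response headers and flags session cookies that lack the Secure attribute, which a browser would also send on plain HTTP, and notes whether Strict-Transport-Security is set. The cookie name `session_id` and the header lines are assumptions for the sample.

```python
def parse_headers(raw):
    """Split raw response header text into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    return parts[0].split("=", 1)[0], {p.split("=", 1)[0].lower() for p in parts[1:]}

def audit(raw_headers, session_cookie_names):
    """Flag session cookies a sniffer on an open network could capture.
    No Secure attribute means the browser also sends the cookie on plain
    HTTP, which is the traffic Firesheep reads; Strict-Transport-Security
    is the server-side counterpart of Force-TLS and keeps clients on HTTPS."""
    headers = parse_headers(raw_headers)
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        if name not in session_cookie_names:
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent over plain HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(("(site)", ["no Strict-Transport-Security header"]))
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
])
HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000",
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly",
])
```

Calling `audit(WEAK, {"session_id"})` reports the cookie and the missing HSTS header; the hardened response yields no findings.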

Five security lessons to learn from the Twitter worm

October 5th, 2010

Five security lessons to learn from the Twitter worm | IT Security | TechRepublic.com.

I hate to say it, but here is a classic example of how not to code. Much as I love Twitter for following information security trends etc., this just shows how not following tried and tested processes can drop you deep in the guano. Here’s a quote from the text itself.

A number of important lessons should be taken from this chain of events:

  1. Sanitize all input, and always prefer sanitizing methods that are already tested and proven effective, all else being equal.
  2. Double-check your output to make sure it does not affect the end user in surprising ways, such as the mouseover effects in Web browser clients.
  3. Use version control when developing software to help protect against errors creeping into code through source mismanagement.
  4. Use automated testing suites to protect against regressions and other errors that might otherwise slip by your developers.
  5. Do not underestimate the effect of a given vulnerability when it falls into the hands of someone with a more devious mind than yours.

If you are not coding for a secure application at the very start you will hit major issues along the way. The ‘startup’ mentality cannot be allowed to supersede the security of an application that lives on the web. If executive staff don’t understand the risk, you have a lot of work to do.
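Lessons 1, 2 and 4 from the list above, worked in code as an added example (not from the TechRepublic article and not Twitter’s code): a naive tweet autolinker beside one that escapes with the standard library, plus a parser-based output check that catches a mouseover-style attribute injection the way a browser would see it. The tweet text is constructed.

```python
import html
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://\S+")

def linkify_naive(text):
    # The bug class: user text dropped straight into a quoted attribute.
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)

def linkify_safe(text):
    # Lesson 1: use the standard library's tested html.escape and apply it
    # to every segment, URL and surrounding text alike, before building markup.
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        esc = html.escape(m.group(0), quote=True)  # " becomes &quot;, so the attribute cannot end early
        out.append('<a href="%s">%s</a>' % (esc, esc))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

class AnchorAttrs(HTMLParser):
    """Collect attribute names of every <a>, parsed the way a browser would."""
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _ in attrs)

def event_handlers(markup):
    # Lessons 2 and 4: an automated output check; any on* attribute on an
    # anchor means rendering let user input become a script hook.
    p = AnchorAttrs()
    p.feed(markup)
    return [n for n in p.names if n.startswith("on")]

# Constructed tweet: the double quote ends the href early in the naive version.
TWEET = 'see http://example.com/x"onmouseover="alert(1) today'

if __name__ == "__main__":
    for fn in (linkify_naive, linkify_safe):
        out = fn(TWEET)
        print(fn.__name__, event_handlers(out), out)
```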

Ruby script to unblock people on Twitter

September 22nd, 2009

From: Mubix’s Links

I created this script because I couldn’t really find anything out there for it. Both the Twitter support page and all the Twitter APIs out there had the ability to unblock people, but only if you knew who you wanted to unblock. Recently I tried the Twitter Karma service that could mass unfollow / block people (hence my last couple of scripts). I clicked the wrong button one time and it blocked a whole bunch of people. But say you’re not a klutz like me, maybe you just forgot who you’ve blocked over time.

This script will dump the list of people you block and unblock them all. Now you could expand this to get the names of each individual that you block, but that’s an API call for each. Let me know if there is a better way; right now, the only way to figure out who was unblocked is through the 302 response that is generated with each request, which sends you to the page of the user you unblocked. (Push this script through a proxy to see it.)

#!/usr/bin/env ruby
# Dump the ids of everyone this account blocks, then unblock each one.
# The 2009 Twitter API used HTTP basic auth for the id list; the unblock
# POST mimics the website's XHR call, so only the response code (the 302
# redirect to the unblocked user's page) is visible here.

require 'net/http'
require 'rexml/document'
include REXML

use_proxy  = false        # set to true to route through an intercepting proxy
proxy_srvr = "127.0.0.1"
proxy_port = 8080
proxy_user = nil          # nil, not "", or an empty Proxy-Authorization is sent
proxy_pass = nil

twitter_user = "joeuser"
twitter_pass = "password1"

header = {
  'User-Agent'       => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
  'X-Requested-With' => "XMLHttpRequest",
  'Cookie'           => "__utma="
}

data = "authenticity_token=&twttr=true"

# Net::HTTP::Proxy returns a Net::HTTP subclass, so one class serves both paths.
http_class = use_proxy ? Net::HTTP::Proxy(proxy_srvr, proxy_port, proxy_user, proxy_pass) : Net::HTTP

# Fetch the list of blocked user ids as XML.
doc = http_class.start('twitter.com') do |http|
  req = Net::HTTP::Get.new('/blocks/blocking/ids.xml')
  req.basic_auth twitter_user, twitter_pass
  Document.new(http.request(req).body)
end

# Unblock each id; the server answers with a 302 to the unblocked user's page.
doc.elements.each('//id') do |f|
  http_class.start('twitter.com') do |http|
    response = http.post('/blocks/destroy/' + f.text, data, header)
    puts response.code
  end
  puts "Unblocking: " + f.text
end


Python Script to unfollow people on twitter

September 22nd, 2009

From: Mubix’s Links

This is exactly like the last script with a few minor changes. 1st, the last script only has the ability to force people to unfollow you if you aren’t following them. 2nd, the API call and the request URL are different: GetFollowers instead of GetFriends, and friendships/remove instead of friendships/destroy. Don’t forget to fill in the same 4 fields that were missing/wrong in the last one.

#!/usr/bin/python
# Python 2 script: walk this account's followers page by page and force
# each one to unfollow via the website's friendships/remove endpoint.

import twitter   # python-twitter library
import urllib2

headers = {
    'User-Agent' : "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    'Cookie' : "__utma=",
}

data = "authenticity_token=&twttr=true"

api = twitter.Api(username='joeuser', password='password1')
for b in range(1, 100):
    users = api.GetFollowers(page=b)
    if not users:          # past the last page of followers
        break
    for i in users:
        request = "http://twitter.com/friendships/remove/" + str(i.id)
        req = urllib2.Request(request, data, headers)
        post = urllib2.urlopen(req)
        print i.id, post.getcode()
