Issue 28, May 2012

Hello friends!!

We are now in mid of 2012. As predicted by many techno geeks, this year is phenomenal for IT related technologies including security, networking and web technologies. In April cloud war is started between two big rivals Microsoft & Google. Both making sure that its going to be secure and useful for smart phone users as well. With introduction of new such technologies we must ensure security over the web. Here HTTPS comes into picture and we brought this topic in CHMag's Mom's guide. Along with it topics like Steganography(Tech Gyan), a new toolkit - Kautilya(Tool Gyan), preventing SQL injections(Code Gyan) are covered.

If you have good write up and topic that you think people should know about it then please share with CHMag. Also if you have suggestions, feedback & articles, send it on info@chmag.in. Keep reading!!

0x00 Tech Gyan

Steganography over converted channels

Security and privacy have been a concern for people for centuries. Whether it is private citizens, governments, military, or business, it seems everyone has information that needs to be kept private and out of the hands of unintended third parties. Information wants to be free but it is necessary to keep information private. That need has come about because governments have sensitive information, corporations send confidential financial records, and individuals send personal information to others and conduct financial transactions online. Information can be hidden so it cannot be seen. The information can also be made undecipherable. This is accomplished using steganography and cryptography.

0x02 Tool Gyan

Kautilya

One liner about Kautilya - Kautilya is a toolkit which makes it easy to use USB Human Interface Device (like Teensy++), in breaking into a system. Now let’s understand what does that mean.

First let’s understand Teensy++ (I will use Teensy for Teensy++ from now on). It is a USB HID which could be used as a programmable keyboard, mouse, joystick and serial monitor. What could go wrong? Imagine a programmable keyboard, which when connected to a system types out commands pre-programmed in it. It types faster than you and makes no mistakes. It can type commands and scripts and could use an operating system against itself, that too in few seconds. If you can program the device properly keeping in mind most of the possibilities and quirks it could be a really nice pwnage device.

0x04 Mom's Guide

HTTPS (Hyper Text Transfer Protocol Secure)

Hypertext Transfer Protocol (HTTP) is a protocol where communication happens in clear text. To ensure authenticity, confidentiality and integrity of messages Netscape designed HTTPS protocol. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL (Secure socket layer)/TLS (Transport layer security) protocol. It provides encrypted communication and secure identification of a network web server.

HTTPS encrypts and decrypts the page requests and page information between the client browser and the web server using a secure Socket Layer (SSL). HTTPS by default uses port 443 as opposed to the
standard HTTP port of 80. URL's beginning with HTTPS indicate that the connection between client and browser is encrypted using SSL.

0x05 Code Gyan

Don’t Get Injected – Fix Your Code

When I began doing security review for web applications, one common issue that I encountered was ‘SQL Injection’. Developers used to pose several questions at me saying that their software is secure as they had followed several measures to mitigate this insidious issue.
The main mitigation adopted was to use Stored Procedures or input validation. While this does reduce certain type of Injections, It doesn’t prevent all. In this article, I will explain what SQL Injection is and what one can do to prevent it.

0x01 Legal Gyan

Section 66C - Punishment for identity theft

The term identity theft was coined in 1964. However, it is not literally possible to steal an identity so the term is usually interpreted with identity fraud or impersonation.
Identity Theft is a form of stealing someone's identity by pretending to be someone else typically in order to access resources or obtain credit and other benefits in that person's name.

Matriux Vibhag

How to enable WiFi on Matriux running inside VMWare

One of the most commonly asked question on Matriux forums and IRC is how to enable and work with WiFi on a Matriux instance running inside VMWare or any other virtualization software. This tutorial will take you step by step on how to do that.

For this tutorial, I am running VMware® Workstation on a Windows 7 Enterprise N Edition which is my Host machine.  The Matriux is (obviously) my guest operating system running "Krypton" v1.2. I am using a D-Link DWA-125 Wireless N 150 USB Adapter for this tutorial.