Windows only: Free app Install-It puts a small auto-starting application on any removable drive that makes installing applications a double-click affair.
After downloading the Install-It package, you'll want to extract its files to somewhere you can reach, like your desktop, and open up the Install.ini file in your favorite text editor. This file is simply a list of program descriptions and the locations of their installer files. If you're creating a disc full of useful installers, just replace the default examples with your chosen verbiage for each app and the location/names of the setup files. You separate those two items with a comma, using slashes where necessary, and end each line with a semi-colon.
Here's an example Install.ini I made for a supposed Windows XP re-installation:
Copy all your installer files and Install-It's files into a CD-burning app, such as CDBurnerXP, and fire away.
Now you've got a CD that, on most computers, will pop up with a list of programs that can be installed without anyone having to guess which icon or cryptic filename means. If a computer isn't set to auto-start when it detects an autorun.inf file, though, you'll have to point the computer to install.exe—not a problem, though, if you've put each application in its own directory.
Install-It is a free download for Windows systems only.
Install-It [via The Red Ferret Journal
Creates Auto-Starting Installer CDs for Any Applications
How To Identify Fonts Being Used In Images
Have you ever encountered problems in identifying what fonts is being used in an image? Of course fonts being used in popular movie banners can be found easily because you have the keyword but what if you found a free template and the font is not included? You either recreate the buttons with your own fonts replacing the original, or try posting in forums and hope that someone would have seen that font before and let you know what is the font name. There are so many fonts, maybe hundred of thousands fonts available on the internet and to identify an unknown font is definitely NOT an easy task!
If you need to identify a font, don’t despair. I have found 2 methods that is able to help you identify an unknown font. If it is not able to help you identify the font, it will at least help you narrow down to the closest ones.
Identifont, a free service offered to help you identify fonts by answering a series of simple questions about its appearance.
Identifont, a free service offered to help you identify fonts by answering a series of simple questions about its appearance.
Images can be color or black & white, and they don’t have to be very high quality (although that helps). Even a digital photograph of some lettering you like can be accepted. Accuracy of results is unprecedented by previous automatic systems. [ Identify Unknown Fonts with WhatTheFont ]
Finally, if WhatTheFont system is unable to give you a good match of the font you’re looking for, you can then submit your image to WhatTheFont Forum to have your image viewed by font geeks the world over.
Finally, if WhatTheFont system is unable to give you a good match of the font you’re looking for, you can then submit your image to WhatTheFont Forum to have your image viewed by font geeks the world over.
3 Ways a Twitter Hack
Just days after popular social networking tool Twitter was hit was a phishing scam, the company is now trying to clean up a mess surrounding a separate hacking attack.
Over the weekend, some Twitter users received scam tweets, or direct messages, to visit certain sites or blogs. The URL in the message redirected users to a bogus login page in an attempt to steal login credentials for a phishing scheme. Monday, thing got worse as Twitter officials revealed several high profile accounts, such as those of Britney Spears and Barack Obama were hacked."It appears someone gained access to the tools Twitter uses to control its millions of accounts," explained Graham Cluley, a senior technology consultant at security firm Sophos PLC. "Internal tools used by the tech support team were compromised. It's not clear if it was an inside job, or outside hacker. Twitter does say they think it was an individual."
The hack, according to Cluley, is much more serious than the earlier phishing attack because it was compromise of the system that potentially exposed all Twitter users to the following dangers.
Fraudalent password use If you gain access to someone's Twitter account, you might be able to gain access to their password, said Cluley.
"We know that 41 percent of people admit to using the same password on every web site and account that they access," he said.
Hackers, while gaining access to something seemingly simply like a username and password to one account may very well be able to use the information to gain access to more important information, such as your bank account.
Malware Infection Twitter officials said 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read "i am high on crack right now might not be coming to work today."
The damage could have been much worse, said Cluley, if the hacker had decided to take a different approach.
"Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: 'Here's my new video. Click on this link.' Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: 'I've just made a new speech. Check it out.' a lot of people would click on that link and get infected."
source:network world
Hacker opens gaping holes in CSAT score security
As the investigation into the leak of college entrance exam results rolls on, prosecutors said yesterday that the computer server at the Korea Institute for Curriculum and Evaluation, which administers the exam, had been hacked over 200 times. Not only the test results but also the institute’s internal information was stolen.
According to prosecution and police sources, a manager at a public relations firm called Inuni Co. whose surname is Kim accessed the institute’s server over 200 times between August 2007 and December 2008.
A detention warrant was filed against Kim on charges of breaking information and network laws but it was rejected by the court.
Kim easily broke into the server. In August 2007, he accessed an employee’s e-mail account at the institute. Kim obtained the e-mail ID from a press release, and the password was the same as the ID.
Kim tried to log in to e-mail accounts of other institute employees over 50 times. One of his successes was with the account of someone in the institute’s administrative office. The employee used a password identical to the romanized spelling of his name.
One of the employee’s e-mails contained an attached file containing the passwords of five other employees at the institute. The employee temporarily managed the other employees’ e-mail access information because he dealt with changes in the institute’s server. Their passwords were identical to the last seven digits of their residential identification numbers.
In this way, Kim downloaded 16 types of internal information from the institute. Among the materials downloaded were plans to grade answer sheets from the 2009 College Scholastic Ability Test, scoring schedules and the number of students who missed the test.
“Kim could look at the Korea Institute for Curriculum and Evaluation’s internal information by accessing the e-mail of seven employees,” a prosecutor said.
Kim passed the information on to VisangEdu, a private education company. VisangEdu made the CSAT score analysis public on Dec. 9, a day before the CSAT results were announced.
Kim accessed the institute’s server four times on Dec. 10 after the institute requested a probe into this case.
As the investigation closed in on him, Kim destroyed a memo containing the IDs and passwords of the seven employees. Prosecutors plan to decide what kinds of charges they will file against Kim and a VisangEdu director whose surname is Jin this week.
Get things Insurance
This is a world of uncertainties and no one can guess what may happen the next moment. To be frank you should not thing that is a way of looking things from a negative point of view. This is a step for being cautious. For instance you might have put in a good part of your savings and bought your dream car. It is also very important to get a car insurance as it will help you get a cover and get reimbursements in case some unforeseen things happen. If you are looking to get a cheap car insurance then Maczoop is he perfect destination for you. The site helps you to get various quotes, compare and contrast and then choose the best one which will fit in your requirements. They have also got some valuable information and tips on auto insurance and this will be very helpful when you are going to take one. Get things insured and stay secure!
Dissecting iMobile - Security Analysis of ICICI Mobile Banking App
ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.
Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:
Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.
Which brings me to explain Step 2 in detail:
On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.
What filename do you have to give and How?
That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.
Where ICICI Bank failed?
They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 - Resource Not Found” error page.
Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?
That was a long post already We still have some more to go. Lets take a break.
Image Credits
Back? Ok Now, lets dissect the actual JAR file and look into the technical details of its implementation.
The Manifest File:
Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.
Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.
Some more Holes:
Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.
What should the bank do here?
Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.
Suggestion for Users:
Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.
Thats about it !
Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.
Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:
Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.
Which brings me to explain Step 2 in detail:
On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.
What filename do you have to give and How?
That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.
Where ICICI Bank failed?
They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 - Resource Not Found” error page.
Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?
That was a long post already We still have some more to go. Lets take a break.
Image Credits
Back? Ok Now, lets dissect the actual JAR file and look into the technical details of its implementation.
The Manifest File:
Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.
Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.
Some more Holes:
Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.
What should the bank do here?
Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.
Suggestion for Users:
Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.
Thats about it !
Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.
How to open mobile websites on your PC browser
There are a number of use-cases for which you would want to browse a mobile-optimized website on your PC. When you visit the mobile website on your PC’s web browser, the website displays the full content much to your dismay. However, when you visit the browser on a mobile, it displays a perfectly mobile optimized page.
In these cases, there are some simple steps that you can follow to open mobile websites on your PC:
- Download and install the latest version Firefox from http://www.getfirefox.com/.
- Visit Firefox Add-ons page and download the Modify Headers addon.
- Install the addon and restart firefox.
- From the firefox window, select “Tools” menu & click on “Modify Headers” option (Tools -> Modify Headers).
- The window will open as shown:
Click to enlarge
- Below the title bar, there’s a drop down. Select “Add” from the drop down box.
- Now in the text box next to the drop down, type “user-agent”.
- In the third text box, paste this string - Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413.
- Click on “Save”.
- The screen should look like as shown in the screen shot below:
Click to enlarge
- Using the buttons on the Modify Headers addon window, you can enable or disable particular items.
- That’s it! Whenever you want to view a mobile website, just go to Tools->Modify Headers and enable the user agent you added in step 8. When you don’t need it, just open this window and disable it.
- You can close addon window after you have enabled/disabled items.
- Enjoy!
Click to enlarge
Click to enlarge
