This is a world of uncertainties and no one can guess what may happen the next moment. To be frank you should not thing that is a way of looking things from a negative point of view. This is a step for being cautious. For instance you might have put in a good part of your savings and bought your dream car. It is also very important to get a car insurance as it will help you get a cover and get reimbursements in case some unforeseen things happen. If you are looking to get a cheap car insurance then Maczoop is he perfect destination for you. The site helps you to get various quotes, compare and contrast and then choose the best one which will fit in your requirements. They have also got some valuable information and tips on auto insurance and this will be very helpful when you are going to take one. Get things insured and stay secure!
Dissecting iMobile - Security Analysis of ICICI Mobile Banking App
ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.
Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:
Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.
Which brings me to explain Step 2 in detail:
On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.
What filename do you have to give and How?
That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.
Where ICICI Bank failed?
They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 - Resource Not Found” error page.
Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?
That was a long post already We still have some more to go. Lets take a break.
Image Credits
Back? Ok Now, lets dissect the actual JAR file and look into the technical details of its implementation.
The Manifest File:
Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.
Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.
Some more Holes:
Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.
What should the bank do here?
Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.
Suggestion for Users:
Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.
Thats about it !
Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.
Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:
Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.
Which brings me to explain Step 2 in detail:
On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.
What filename do you have to give and How?
That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.
Where ICICI Bank failed?
They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 - Resource Not Found” error. Got it? Implementing this is pretty simple.
There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 - Resource Not Found” error page.
Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?
That was a long post already We still have some more to go. Lets take a break.
Image Credits
Back? Ok Now, lets dissect the actual JAR file and look into the technical details of its implementation.
The Manifest File:
Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.
Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.
Some more Holes:
Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.
What should the bank do here?
Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.
Suggestion for Users:
Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.
Thats about it !
Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.
How to open mobile websites on your PC browser
There are a number of use-cases for which you would want to browse a mobile-optimized website on your PC. When you visit the mobile website on your PC’s web browser, the website displays the full content much to your dismay. However, when you visit the browser on a mobile, it displays a perfectly mobile optimized page.
In these cases, there are some simple steps that you can follow to open mobile websites on your PC:
- Download and install the latest version Firefox from http://www.getfirefox.com/.
- Visit Firefox Add-ons page and download the Modify Headers addon.
- Install the addon and restart firefox.
- From the firefox window, select “Tools” menu & click on “Modify Headers” option (Tools -> Modify Headers).
- The window will open as shown:
Click to enlarge
- Below the title bar, there’s a drop down. Select “Add” from the drop down box.
- Now in the text box next to the drop down, type “user-agent”.
- In the third text box, paste this string - Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE51-1/100.34.20; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413.
- Click on “Save”.
- The screen should look like as shown in the screen shot below:
Click to enlarge
- Using the buttons on the Modify Headers addon window, you can enable or disable particular items.
- That’s it! Whenever you want to view a mobile website, just go to Tools->Modify Headers and enable the user agent you added in step 8. When you don’t need it, just open this window and disable it.
- You can close addon window after you have enabled/disabled items.
- Enjoy!
Click to enlarge
Click to enlarge
Hacking a MySpace Account
MySpace is one of the most widely used Social Networking website by many teenagers and adults across the globe.If you’re curious about hacking a MySpace Account or preventing your MySpace account from being hacked, then this post is for you.
Here are some of the ways of hacking a MySpace account.
Phishing
Phishing is the most commonly used method to hack MySpace or any other email accounts.The most widely used technique in phishing is the use of Fake Login Pages, also known as spoofed pages.These fake login pages resemble the original login pages of sites like Yahoo, Gmail, MySpace etc.But once the user attempts to login through these pages, his/her login details are stolen away.
Phishing is proved to be the most effective way of hacking passwords and also has high success rate.The reason for this is quite simple.The users are not aware of the phishing attack.Also the users are fooled, since the fake login pages imitate the appearance of the original pages.So, you may use the phishing technique to hack your friend’s MySpace account (just for fun).
A detailed tutorial on phishing is discussed in the following two posts.
Hack Yahoo, Gmail or any other Password.
How to Create a Fake Login Page?
Spywares
The term spyware suggests software that secretly monitors the user’s behavior. Spyware programs can collect various types of personal information, such as Internet surfing habits, sites that have been visited, passwords and other sensitive information.
Keyloggers are the most widely used program, which are nothing but spywares.If you want to hack your friend’s Myspace password, then all you have to do is just install a keylogger on your friend’s PC.Hacking a MySpace account using a keylogger is very easy, but also has some limitations.
For more information on keyloggers and their usage, refer the following post
Hacking an Email Account
Hacking Services
In most cases, hacking services are scams. Always ask for proof first before paying anything.I have tried many such hacking services(just to test them), but none of them have responded back.So personally I do not trust such services.
Please pass your comments and opinions….
How to Completely Erase a Hard Disk Drive
A new year has begun and perhaps you have decided to perform a system upgrade or get rid of your old computer system and purchase a new one.But before you sell or donate your old computer, it is very much necessary to completely erase your Hard Disk Drive.Yes, every one of us are aware of this fact and so, we delete the contents of the hard disk either by using the DELETE key on our keyboard or by Formatting the hard disk.
Deleting and Formatting - Just Not Secure Enough
But the fact is, the data will still be on the hard disk even after deleting it or formatting the hard disk. Using the delete key on your keyboard will only remove the shortcuts to the files making them invisible to users. Deleted files still reside on the hard drive and a quick Google search will show many options for system recovery software will allow anyone to reinstate that data.
Formatting the hard drive is a bit more secure way to erase the hard disk. Formatting a disk will not erase the data on the disk, only the address tables. It makes it much more difficult to recover the files. However a computer specialist would be able to recover most or all the data that was on the disk before the reformat. For those who accidentally reformat a hard disk, being able to recover most or all the data that was on the disk is a good thing. However, if you’re preparing a system for retirement to charity or any other organization, this obviously makes you more vulnerable to data theft.
Erasing the Hard Disk through DISK WIPING
So it is necessary for us to use a 100% secure way to erase the hard disk.The secure way of erasing the hard disk is called Disk Wiping.Disk wiping is a secure method of ensuring that data, including company and individually licensed software on your computer and storage devices is irrecoverably deleted before recycling or donating the equipment. Because previously stored data can be brought back with the right software and applications, the disk wiping process will actually overwrite your entire hard drive with data, several times. Once you format you’ll find it all but impossible to retrieve the data which was on the drive before the overwrite. The more times the disk is overwritten and formatted the more secure the disk wipe is.
There are a variety of disk wiping products available that you can purchase, or freely downloaded online to perform more secure disk wipes.One of my favorite disk wiping software is
WipeDrive/ WipeDrive Professional
You have to use this tool by burning the iso image file onto a CD or by using a floppy disk.After burning this tool you have to boot your PC and follow the screen instructions to completely erase the hard disk.
Hack Software and Run the Trial Program Forever
In this post I’ll show you how to hack a Software and run the trial program forever.Most of us are familiar with many softwares that run only for a specified period of time in the trial mode.Once the trial period is expired these softwares stop functioning and demand for a purchase.But there is a way to run the softwares and make them function beyond the trial period.Isn’t this interesting?
Before I tell you how to hack the software and make it run in the trial mode forever, we have to understand the functioning of these softwares.I’ll try to explain this in brief.
When these softwares are installed for the first time, they make an entry into the Windows Registry with the details such as Installed Date and Time, installed path etc.After installation every time you run the software, it compares the current system date and time with the installed date and time.So, with this it can make out whether the trial period is expired or not.
So with this being the case, just manually changing the system date to an earlier date will not solve the problem.For this purpose there is a small Tool known as RunAsDate.
RunAsDate is a small utility that allows you to run a program in the date and time that you specify. This utility doesn’t change the current system date, but it only injects the date/time that you specify into the desired application.
RunAsDate intercepts the kernel API calls that returns the current date and time (GetSystemTime, GetLocalTime, GetSystemTimeAsFileTime), and replaces the current date/time with the date/time that you specify.It works with Windows 2000, XP, 2003 and Vista.
NOTE: FOLLOW THESE TIPS CAREFULLY
You have to follow these tips carefully to successfully hack a software and make it run in it’s trial mode forever.
1. Note down the date and time, when you install the software for the first time.
2. Once the trial period expires, you must always run the software using RunAsDate.
3. After the trial period is expired, do not run the software(program) directly.If you run the software directly even once, this hack may no longer work.
4. It is better and safe to inject the date of the last day in the trial period.
For example, if the trial period expires on jan 30 2009, always inject the date as jan 29 2009 in the RunAsDate.
I hope this helps! Please express your experience and opinions through comments.
Get a Call from your own Cell Phone number
Here is a trick to get a call to your cell phone from your own number.Do you think I am crazy? No, I am not…….
Just try the following steps and you’ll get a call to your cell phone from your own number.
1. Just give a missed call to this number.You’ll not be charged!
+41445804650
2. Wait for a few seconds and you’ll get a call to your cell phone from your own number
3. Receive the call.You’ll hear a lady voice asking for a PIN number.Just enter some rubbish number.
4. She say’s- Your PIN cannot be processed and the call disconnects..
ANOTHER TRICK
Instead of giving a missed call, just continue calling.The call will not be received and will get disconnected just after a while.But now do you know what happen’s?
You will get a call from the number
+501
Reason behind this trick
God Knows!!
Just try and pass your comments. Tell me whether the second trick worked or not!!
