Saturday, November 30, 2013

Warning: bad actors abusing a clickjacking extension to build a "botnet"

Today a friend asked me about an extension called "Clickjacking Detect" on the Chrome Web Store whose functionality looked very much like my own extension's...


My first thought was that someone had seen my source code on GitHub and built and published the extension under their own name for self-promotion. It looked a little suspicious though, so I downloaded it to check, and found that apart from the clickjacking-detection code (identical to my extension's) there is an extra piece of JavaScript inserted...

This extension works as follows:
  • Reveals hidden clickjacking iframes using my method (this is the cover)
  • If the URL of the page being viewed contains "facebook.com", the malicious behaviour begins:
    • Downloads a command payload from http://cuchay.tv/hay.php?pageid=1
    • Executes the downloaded code, if any.
    • With what the server currently returns, it performs two actions:
      • Likes a Facebook page named "SaoKlub" (id 264357593705349)
      • Likes a photo on Facebook

        This photo belongs to an album of the "SaoKlub" page above and is an entry in a photo contest decided by number of likes.

One can therefore conclude that the person who published this extension and the owner of CUCHAY are selling likes so that this photo wins (the photo has 6654 likes, "SaoKlub" has 8836). Because the extension fetches and executes whatever the server returns, nothing about its behaviour is fixed at install time: once the SaoKlub contest ends, the payload can simply be swapped to sell the same service to other parties, which is what makes these installs a "botnet".

In short, you should:
  1. Only use extensions from reputable sources.
  2. Check an extension's permissions before installing it, in particular which sites its content scripts are allowed to run on.
  3. More generally, be just as careful when installing apps on mobile devices (Android/iOS) or on computers (Windows/Mac/Linux).
  4. When you detect malicious behaviour, report it to whoever is responsible: for this extension, report to the Chrome Web Store so they remove it, and to the owner of the "SaoKlub" page so they can take appropriate action.
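
Point 2 deserves a concrete check. A Chrome extension's manifest.json (for an installed extension it sits under the profile's Extensions/<id>/<version>/ directory) lists the permissions and the match patterns of its content scripts, and the wildcards in those patterns are easy to misread. The following is an added example written for this post, not code from the post or from either extension: it expands Chrome match patterns into regular expressions and answers "would any of this extension's content scripts run on facebook.com, and what else does it ask for?". SAMPLE_MANIFEST is constructed for the example and only models the shape described above (a script injected on every site that then acts on facebook.com); it is not the real extension's manifest.

```javascript
// Added example: audit an extension manifest for where its code is allowed to run.
// Not the post's or either extension's code; SAMPLE_MANIFEST is constructed.

// Chrome match pattern -> RegExp. Grammar: <scheme>://<host><path>, where scheme may
// be '*' (http or https), host may be '*' or '*.example.com' (the domain and all of
// its subdomains), and '*' in the path matches anything. '<all_urls>' is the catch-all.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp):\/\/.*$/;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('invalid match pattern: ' + pattern);
  const esc = s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  const scheme = m[1] === '*' ? 'https?' : m[1];
  let host;
  if (m[2] === '*') host = '[^/]+';
  else if (m[2].startsWith('*.')) host = '([^/]+\\.)?' + esc(m[2].slice(2));
  else host = esc(m[2]);                      // '' for file:///path
  return new RegExp('^' + scheme + '://' + host + esc(m[3]) + '$');
}

// Does `pattern` cover `url`? Port and fragment are dropped before matching.
function urlMatches(pattern, url) {
  const u = new URL(url);
  return matchPatternToRegExp(pattern).test(u.protocol + '//' + u.hostname + u.pathname + u.search);
}

// Permissions that let an extension touch every site, or reach into the browser itself.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_APIS = new Set(['tabs', 'cookies', 'history', 'webRequest', 'webRequestBlocking',
                                'webNavigation', 'proxy', 'debugger', 'nativeMessaging']);

// Returns human-readable findings for a parsed manifest.json.
// `target` is the URL you care about (here: a Facebook page).
function auditManifest(manifest, target) {
  const findings = [];
  // Host patterns live in `permissions` in manifest v2 and `host_permissions` in v3.
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push('host permission covers every site: ' + p);
    else if (SENSITIVE_APIS.has(p)) findings.push('sensitive API permission: ' + p);
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    const label = 'content_scripts[' + i + '] (' + (cs.js || []).join(', ') + ')';
    const matches = cs.matches || [];
    const excluded = (cs.exclude_matches || []).some(m => urlMatches(m, target));
    if (matches.some(m => BROAD_HOSTS.has(m))) findings.push(label + ' runs on every site: ' + matches.join(' '));
    if (!excluded && matches.some(m => urlMatches(m, target))) findings.push(label + ' runs on ' + target);
  });
  return findings;
}

// Constructed, hypothetical manifest for this example (not the real extension's).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'example-detector',
  version: '1.0',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['detect.js', 'extra.js'], run_at: 'document_end' }],
};

// Audit the sample against a Facebook URL; returns the list of findings.
function auditSample() {
  return auditManifest(SAMPLE_MANIFEST, 'https://www.facebook.com/');
}

auditSample().forEach(f => console.log('-', f));
```

The manifest tells you where an extension's code may run, not what it does: a content script that fetches a payload from some server and executes it, as the extension above did, has a perfectly ordinary manifest. So after the manifest check, read the content scripts themselves and look for eval, new Function, injected script elements, or requests to hosts that have nothing to do with the extension's stated purpose.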

Update with new details about the person behind this extension. The extension was distributed from phathienlikean.com; a DNS lookup shows that this domain and cuchay.tv both point to the same server at IP 123.30.174.34 (hosted in VDC's datacenter). Besides PHATHIENLIKEAN, two Facebook pages, "Hot Clip" and "Cực Thích", also took part in distributing this extension.

The cover image of the "Hot Clip" page shows that this page and the cuchay.tv domain are managed by the same person.
The "Cực Thích" page, although created only on 7/11 (i.e. 23 days ago), already has 244k likes.

Looking up the registrant of the cuchay.tv domain gives the following information about a person:

Tracing back from the email address leads to links with an account on DDTH and one on soha.vn:


From the (rather distinctive) account name and this phone number, a few more details turn up:
  • Name and phone number confirmed (svptit.vn)
  • Born February 1990 (vozForum)
  • Studied IT at the Posts and Telecommunications Institute of Technology (vozForum)
  • From Hải Phòng (vozForum)
  • Controls the domain e-digital.vn (which also points to the same server, 123.30.174.34; presumably the whole family shares a single dedicated server)
  • Facebook ID 100000040520348 (to open it, type "facebook.com/" followed by the ID into the address bar)


Tuesday, October 29, 2013

Suspicions about CHAOBUOISANG.NET; be a smart Facebook user

Update 1/11/2013: detection of these scam pages is now supported for Google Chrome, Apple Safari and Mozilla Firefox. See the end of the post.
Update 30/11/2013: Warning: bad actors abusing a clickjacking extension to build a "botnet".

Today I suddenly noticed a large number of my Facebook friends liking a post on CHAOBUOISANG.NET, and it was exactly the post I had read a few minutes earlier... Checking my Facebook activity, I found that my own account had liked that post too. That looked suspicious, so I opened the Google Chrome Inspector and looked again, but found nothing. Guessing that there was code protecting itself against detection, I created a new Chrome profile, logged into a different Facebook account and tried again. This time I found a hidden iframe following the mouse pointer, exactly as predicted:


On closer inspection, the code that generates this iframe is in the file /js/common_load.js; the basic idea is:

  1. Create a div with opacity 0 (transparent, not hidden, so that it still receives mouse clicks; display:none or visibility:hidden would not). This div contains the iframe of the Facebook Like Button. Set the cookie "_fl19" to "_flb". There are two cases for which page gets liked: if the visitor came from Facebook, the current page is liked (to go viral); if the visitor came from an unknown source, a Facebook page named Vietnam Pictures is liked (like selling?).
  2. Listen for mousemove and move the div above so that the Like button always sits right under the mouse pointer. Whenever the visitor clicks, they hit the Like button.
  3. Set an interval of 1 ms that checks whether the element holding focus (document.activeElement) is the Facebook frame; if so, change the cookie "_fl19" to "_fla". Clicking inside a cross-origin iframe moves focus into it, and the focused element is visible from the parent page even though the frame's contents are not, so this is a neat way to know when a visitor has taken the bait.
  4. Stop once the cookie "_fl19" has the value "_fla" (this is also why an account that has already been caught sees nothing on a later visit, while a fresh profile without the cookie shows the iframe).
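
One caveat before the fix list below: the Like button is meant to be embedded in third-party pages, so the standard anti-framing defences (X-Frame-Options, CSP frame-ancestors) are not an option for Facebook here, and the only place this overlay can be caught is in the visitor's browser. As an added example, not the post's code and not the author's extension, here is a heuristic detector for the pattern in steps 1 to 4: on every mousemove it samples each iframe's effective opacity and position and flags a frame that is transparent and keeps a constant offset from the pointer. The scoring works on plain snapshot objects (the sample data is constructed); the guarded block at the end assumes a real DOM and is not exercised otherwise.

```javascript
// Added example: heuristic detection of an invisible, pointer-tracking Like frame.
// Not the post's code and not the author's extension; sample data is constructed.

const OPACITY_THRESHOLD = 0.1; // at or below this the frame is effectively invisible
const MIN_SAMPLES = 3;         // mousemove samples needed before judging tracking
const TRACK_TOLERANCE = 2;     // px of jitter tolerated for "follows the pointer"

// A snapshot is one iframe observed at one pointer position:
// { id, src, opacity, left, top, pointerX, pointerY }

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; }
}

function isThirdParty(frameSrc, pageHost) {
  const h = hostOf(frameSrc);
  return h !== '' && h !== pageHost && !h.endsWith('.' + pageHost);
}

// Step 2 of the write-up: the overlay keeps a constant offset from the pointer.
// A frame that follows the mouse shows a fixed (left - pointerX, top - pointerY)
// while the pointer itself moved; a normally placed frame does not.
function followsPointer(samples) {
  if (samples.length < MIN_SAMPLES) return false;
  const first = samples[0];
  const moved = samples.some(s => s.pointerX !== first.pointerX || s.pointerY !== first.pointerY);
  if (!moved) return false;
  const dx0 = first.left - first.pointerX, dy0 = first.top - first.pointerY;
  return samples.every(s =>
    Math.abs((s.left - s.pointerX) - dx0) <= TRACK_TOLERANCE &&
    Math.abs((s.top - s.pointerY) - dy0) <= TRACK_TOLERANCE);
}

// Verdict for one frame from its recent snapshots (oldest first).
function classifyFrame(samples, pageHost) {
  const last = samples[samples.length - 1];
  const invisible = last.opacity <= OPACITY_THRESHOLD;
  const tracking = followsPointer(samples);
  const thirdParty = isThirdParty(last.src, pageHost);
  let verdict = 'ok';
  if (invisible && tracking) verdict = 'clickjacking';              // the pattern described above
  else if (invisible && thirdParty) verdict = 'hidden-third-party'; // worth a look, not proof
  return { id: last.id, verdict, invisible, tracking, thirdParty };
}

// Constructed sample data (not captured from the real site): three mousemove samples
// for a transparent Like frame tracking the pointer at a (-10,-10) offset, and a
// visible, normally placed Like widget that stays where it is.
const SAMPLE_PAGE_HOST = 'chaobuoisang.net';
const SAMPLE_LIKE_SRC = 'https://www.facebook.com/plugins/like.php';
const SAMPLE_HISTORY = {
  overlay: [
    { id: 'overlay', src: SAMPLE_LIKE_SRC, opacity: 0, left: 90, top: 190, pointerX: 100, pointerY: 200 },
    { id: 'overlay', src: SAMPLE_LIKE_SRC, opacity: 0, left: 140, top: 230, pointerX: 150, pointerY: 240 },
    { id: 'overlay', src: SAMPLE_LIKE_SRC, opacity: 0, left: 291, top: 301, pointerX: 300, pointerY: 310 },
  ],
  widget: [
    { id: 'widget', src: SAMPLE_LIKE_SRC, opacity: 1, left: 400, top: 600, pointerX: 100, pointerY: 200 },
    { id: 'widget', src: SAMPLE_LIKE_SRC, opacity: 1, left: 400, top: 600, pointerX: 150, pointerY: 240 },
    { id: 'widget', src: SAMPLE_LIKE_SRC, opacity: 1, left: 400, top: 600, pointerX: 300, pointerY: 310 },
  ],
};

// Runs the classifier over sample data; returns { frameId: verdict }.
function runSamples(history = SAMPLE_HISTORY, pageHost = SAMPLE_PAGE_HOST) {
  const out = {};
  for (const id of Object.keys(history)) out[id] = classifyFrame(history[id], pageHost).verdict;
  return out;
}
console.log(runSamples());

// ---- browser glue (assumption: a DOM; run from the console or as a content script) ----
if (typeof document !== 'undefined') {
  // Step 1 puts opacity:0 on a wrapper div, not on the iframe, so the iframe's own
  // computed opacity is 1: multiply opacity up the ancestor chain.
  const effectiveOpacity = (el) => {
    let o = 1;
    for (let n = el; n && n.nodeType === 1; n = n.parentElement) o *= parseFloat(getComputedStyle(n).opacity);
    return o;
  };
  const frameHistory = new Map(); // iframe element -> recent snapshots
  document.addEventListener('mousemove', (e) => {
    // Sample after the page's own mousemove handler has repositioned the overlay.
    setTimeout(() => {
      document.querySelectorAll('iframe').forEach((el, i) => {
        const r = el.getBoundingClientRect();
        const list = frameHistory.get(el) || [];
        list.push({ id: el.id || 'iframe#' + i, src: el.src, opacity: effectiveOpacity(el),
                    left: r.left, top: r.top, pointerX: e.clientX, pointerY: e.clientY });
        if (list.length > 10) list.shift();
        frameHistory.set(el, list);
        const v = classifyFrame(list, location.hostname);
        if (v.verdict !== 'ok') {
          // Reveal: undo the transparency on every ancestor and outline the frame.
          for (let n = el; n && n.nodeType === 1; n = n.parentElement) n.style.opacity = '1';
          el.style.outline = '3px solid red';
          console.warn('suspicious frame', v);
        }
      });
    }, 0);
  }, true);
}
```

Two design points: opacity has to be multiplied up the ancestor chain because the page sets opacity:0 on the wrapper div rather than on the iframe, and sampling is deferred with setTimeout so it sees the frame after the page's own mousemove handler has moved it. A transparent third-party frame that does not follow the pointer is only reported as worth a look, since tracking pixels and similar legitimately live in invisible frames.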
Assessment:
  1. A nasty trick: Facebook Like clickjacking ("likejacking").
  2. Quite skilfully concealed.
  3. Effectiveness is probably very high; I have no data so I won't quote figures, but my guess is that at least 5 out of every 10 Facebook users who visit this page fall for it. I got caught too :(

Prevention:
  1. Boycott: do not click any link to CHAOBUOISANG.NET
  2. Boycott sites in the same network, e.g. MUONMAU.VN (same contact phone number). On checking, MUONMAU.VN has the same code installed too...
  3. Boycott the Vietnam Pictures Facebook page, which receives the like when a visitor falls into the trap. My guess is that the owner of Vietnam Pictures bought likes from the owner of CHAOBUOISANG.NET / MUONMAU.VN, which violates Facebook's rules. It could also be a move by a competitor of Vietnam Pictures: pay for likes, then file a complaint to get the page taken down.
  4. Stop using Facebook (!)
  5. Install the detection tool (see the end of the post).

Ideas:
  1. Build a list of sites with similar behaviour and put them on a blacklist.
  2. Form groups to file complaints and take these sites down.

Here is a HAR file recording the requests involved: http://www.mediafire.com/?p83gv5he5uu3yvc

Update 1/11/2013: download link for the tool that detects pages using this like-farming technique:

Friday, July 5, 2013

SR-71 Blackbird

Just because this story always cracks me up... Written by Brian Shul (former SR-71 pilot):

There were a lot of things we couldn’t do in an SR-71, but we were the fastest guys on the block and loved reminding our fellow aviators of this fact. People often asked us if, because of this fact, it was fun to fly the jet. Fun would not be the first word I would use to describe flying this plane. Intense, maybe. Even cerebral. But there was one day in our Sled experience when we would have to say that it was pure fun to be the fastest guys out there, at least for a moment.
It occurred when Walt and I were flying our final training sortie. We needed 100 hours in the jet to complete our training and attain Mission Ready status. Somewhere over Colorado we had passed the century mark. We had made the turn in Arizona and the jet was performing flawlessly. My gauges were wired in the front seat and we were starting to feel pretty good about ourselves, not only because we would soon be flying real missions but because we had gained a great deal of confidence in the plane in the past ten months. Ripping across the barren deserts 80,000 feet below us, I could already see the coast of California from the Arizona border. I was, finally, after many humbling months of simulators and study, ahead of the jet. I was beginning to feel a bit sorry for Walter in the back seat.
There he was, with no really good view of the incredible sights before us, tasked with monitoring four different radios. This was good practice for him for when we began flying real missions, when a priority transmission from headquarters could be vital. It had been difficult, too, for me to relinquish control of the radios, as during my entire flying career I had controlled my own transmissions. But it was part of the division of duties in this plane and I had adjusted to it. I still insisted on talking on the radio while we were on the ground, however. Walt was so good at many things, but he couldn’t match my expertise at sounding smooth on the radios, a skill that had been honed sharply with years in fighter squadrons where the slightest radio miscue was grounds for beheading. He understood that and allowed me that luxury. Just to get a sense of what Walt had to contend with, I pulled the radio toggle switches and monitored the frequencies along with him.
The predominant radio chatter was from Los Angeles Center, far below us, controlling daily traffic in their sector. While they had us on their scope (albeit briefly), we were in uncontrolled airspace and normally would not talk to them unless we needed to descend into their airspace. We listened as the shaky voice of a lone Cessna pilot asked Center for a readout of his ground speed. Center replied: “November Charlie 175, I’m showing you at ninety knots on the ground.”
Now the thing to understand about Center controllers was that whether they were talking to a rookie pilot in a Cessna, or to Air Force One, they always spoke in the exact same, calm, deep, professional, tone that made one feel important. I referred to it as the “Houston Center voice.” I have always felt that after years of seeing documentaries on this country’s space program and listening to the calm and distinct voice of the Houston controllers, that all other controllers since then wanted to sound like that, and that they basically did. And it didn’t matter what sector of the country we would be flying in, it always seemed like the same guy was talking. Over the years that tone of voice had become somewhat of a comforting sound to pilots everywhere. Conversely, over the years, pilots always wanted to ensure that, when transmitting, they sounded like Chuck Yeager, or at least like John Wayne. Better to die than sound bad on the radios. Just moments after the Cessna’s inquiry, a Twin Beech piped up on frequency, in a rather superior tone, asking for his ground speed. “I have you at one hundred and twenty-five knots of ground speed.”
Boy, I thought, the Beechcraft really must think he is dazzling his Cessna brethren. Then, out of the blue, a navy F-18 pilot out of NAS Lemoore came up on frequency. You knew right away it was a Navy jock because he sounded very cool on the radios. “Center, Dusty 52 ground speed check”. Before Center could reply, I’m thinking to myself, hey, Dusty 52 has a ground speed indicator in that million-dollar cockpit, so why is he asking Center for a readout? Then I got it, ol’ Dusty here is making sure that every bug smasher from Mount Whitney to the Mojave knows what true speed is. He’s the fastest dude in the valley today, and he just wants everyone to know how much fun he is having in his new Hornet. And the reply, always with that same, calm, voice, with more distinct alliteration than emotion: “Dusty 52, Center, we have you at 620 on the ground.”
And I thought to myself, is this a ripe situation, or what? As my hand instinctively reached for the mic button, I had to remind myself that Walt was in control of the radios. Still, I thought, it must be done – in mere seconds we’ll be out of the sector and the opportunity will be lost. That Hornet must die, and die now. I thought about all of our Sim training and how important it was that we developed well as a crew and knew that to jump in on the radios now would destroy the integrity of all that we had worked toward becoming. I was torn. Somewhere, 13 miles above Arizona, there was a pilot screaming inside his space helmet. Then, I heard it. The click of the mic button from the back seat. That was the very moment that I knew Walter and I had become a crew. Very professionally, and with no emotion, Walter spoke: “Los Angeles Center, Aspen 20, can you give us a ground speed check?” There was no hesitation, and the reply came as if it was an everyday request. “Aspen 20, I show you at one thousand eight hundred and forty-two knots, across the ground.”
I think it was the forty-two knots that I liked the best, so accurate and proud was Center to deliver that information without hesitation, and you just knew he was smiling. But the precise point at which I knew that Walt and I were going to be really good friends for a long time was when he keyed the mic once again to say, in his most fighter-pilot-like voice: “Ah, Center, much thanks, we’re showing closer to nineteen hundred on the money.” For a moment Walter was a god. And we finally heard a little crack in the armor of the Houston Center voice, when L.A. came back with, “Roger that Aspen, your equipment is probably more accurate than ours. You boys have a good one.”
It all had lasted for just moments, but in that short, memorable sprint across the southwest, the Navy had been flamed, all mortal airplanes on freq were forced to bow before the King of Speed, and more importantly, Walter and I had crossed the threshold of being a crew. A fine day’s work. We never heard another transmission on that frequency all the way to the coast. For just one day, it truly was fun being the fastest guys out there.

Story from here.

Friday, May 31, 2013

Google Music All Access

Finally! Will see if my subscription can be renewed after the trial period.


So far so good. The streaming is fast and in good quality (at least it's good enough for my ears). The app is easy to use, especially the radio thingy. Recommendations are great, suit me well.

Sunday, May 5, 2013

Launching XFROCKS

So after a loooong time, I have finally launched XFROCKS (again) with the help of Sylvie. The site is actually an experiment that provides premium support (premium = fast, accurate, personal) for my freely released add-ons. Only widely used add-ons get their own forum for questions:


To help with the cost of running the site, 3 other add-ons are also available for sale:

  • Trophy Extension ($29) for [bd] Medal System: allows people to attach medals to trophies and have them show up in posts etc.
  • User Group Extension ($29) for [bd] Medal System: similar to the above but with user groups. When users purchase a user group upgrade or have a user group set by administrators, an additional medal image shows up for them.
  • Last but not least, [bd] Attachment Store (only $19!): a completely new add-on that allows sites to use Amazon S3/FTP as attachment storage. I have written 2 additional HOWTO posts about using the add-on with Amazon S3+CloudFlare and Amazon S3+CloudFront.
The welcome post is pretty short but to the point: let's see how this goes!

Wednesday, April 24, 2013

BitTorrent Sync as a server backup mechanism

BitTorrent Labs has just released their Sync experiment. The tag line is "Automatically sync files via secure, distributed technology.", aimed directly at competing with Dropbox, Google Drive, Mega and the like. Using BitTorrent technology, folders are synchronized across devices over a p2p protocol without any central server, which is a plus: you and only you hold your data. Transfers are encrypted, and access to a folder is granted by the secret (the "private key") you paste into each device, so treat that secret like a password: anyone who obtains it gets the same access to the folder that you have.

The first thing I thought of when I heard about it was using it for server backup. Impressively, the team behind BTSync provides binaries for a wide range of platforms: Windows XP SP3+, Mac OS X 10.6+, and Linux with kernel 2.6.16+ on 4 different architectures (ARM/PPC/i386/x86_64).

Installed the app for Mac OSX:

Connected devices. I only have one other device.

Folders to sync. BTSync supports unlimited number of folders.

Files that are being sync'd.

A simple logging system.

Preferences.

Running the Linux binary will expose a Web UI at port 8888 (configurable):

Very familiar Bootstrap look.

The Settings screen is quite basic.

In my test with a 48MB folder containing 4164 files, typical for a server backup, it took 21 minutes to complete. The Mac app connected to the server almost instantly once I added the private key. Impressive!

As a bonus, here is how to start BTSync at boot on the server (I used Ubuntu). Two caveats for a real server: this runs the daemon as root, so prefer a dedicated unprivileged user, and the Web UI on port 8888 can add and remove synced folders and reveal their secrets, so firewall the port or bind the UI to localhost. update-rc.d will warn that the script has no LSB header, but still registers it.

sudo vi /etc/init.d/btsync
#!/bin/sh
# Minimal init script; btsync forks into the background by itself.
case "$1" in
  start) /path/to/btsync ;;
  stop)  pkill -x btsync ;;
esac
sudo chmod +x /etc/init.d/btsync
sudo update-rc.d btsync defaults

Thursday, March 21, 2013

Me and Google are so close...

Real close I guess...

Thursday, March 14, 2013

Superuser permission in Play Store

Didn't know the Play Store can display custom permission information. Awesome!

Monday, January 28, 2013

Life's Good

Yep.

Tuesday, January 22, 2013

Piracy Free!

MEGA beta has just been launched. The home page reads:

THE PRIVACY COMPANY
BIGGER. BETTER. FASTER. STRONGER. SAFER.
For a split second, I read it as "THE PIRACY COMPANY". Well, that must have to do with my impression of Mr. Kim's other service, MegaUpload... I remember the old days (not too old though) when I would download some package from MegaUpload or RapidShare and install software for free... Being able to do that and joining sites like UpdateSofts (mentioned here) or SoftVnn was huge... No matter how expensive a program was, we would just spend a few minutes (or hours, more likely) to download it, extract, install and apply "magic" to make it work!

Growing up, studying to be a software developer, I learned more about piracy and at some point a few years ago I decided to avoid piracy as much as possible. The process probably started with me buying my first laptop (DELL 1510) by myself: it cost about 15m and came with Windows XP OEM preinstalled. For the first time, I was able to update Windows without worrying about the Windows Genuine check. Good times!

And today, in the light of MEGA's launch, I checked all the apps I have installed and am happy to announce that my computer is Piracy Free! That includes virtual machines running in a perfectly legal Parallels 7. I have a licensed Windows 8 Pro VM running Microsoft Office 2010 (licensed, of course). On mobile devices, I have both a Google Play Store account and an Apple iTunes account to purchase content and apps. I bought so many games for the iPad and Galaxy Nexus that I sometimes regret it. Talking about games, I also have a Steam account full of games after all those irresistible sales and Humble Bundles. Oh dear, those bundles...

Wednesday, January 9, 2013

Auto invite friends to Facebook group

Quite a few Facebook friends of mine have sent me Facebook group invites lately. The target group is always bullsh!t in some way or another (e.g.: making friends, life stories, love groups). I didn't pay much attention until today... Too lazy to work, so I spent a while investigating the case.

Most of the groups tell you to copy and paste a script into Google Chrome's console to get a list of the people who visit your profile. I have made a copy of the script here.

A typical cover image of the fishy groups

It turned out they use the first-degree endpoint to get your friends list, then fetch the invite dialog for each friend and finally trigger a mouse event programmatically to send out the invite. Pretty clever! However, the script kiddie is unethical in two ways: after finishing the job (inviting your whole gigantic friends list), which may take a while, they don't show the first-degree list as advertised, which is false advertising! And secondly, the first-degree list is not about people who stalk you: it orders people by how much you stalk your friends. A complete lie! So, if you happen to be invited (like me), you should at least report the group before leaving it. For good measure, please spend an additional minute reporting the group admin too. Those bastards!

If you are curious to see the list of people that you stalk, you can use a cleaned version of mine available here. The same script is reproduced below, de-minified for readability (same behaviour as the minified original):

// Minimal XHR wrapper; the ActiveXObject branches are for old Internet Explorer.
var jx = {
  getHTTPObject: function () {
    var xhr = false;
    if (typeof ActiveXObject !== "undefined") {
      try { xhr = new ActiveXObject("Msxml2.XMLHTTP"); }
      catch (e1) {
        try { xhr = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e2) { xhr = false; }
      }
    } else if (window.XMLHttpRequest) {
      try { xhr = new XMLHttpRequest(); } catch (e3) { xhr = false; }
    }
    return xhr;
  },
  // GET url and hand the response body to callback on success.
  load: function (url, callback) {
    var xhr = this.getHTTPObject();
    if (xhr && url) {
      xhr.open("get", url, true);
      xhr.onreadystatechange = function () {
        if (xhr.readyState == 4 && xhr.status == 200 && xhr.responseText && callback) {
          callback(xhr.responseText);
        }
      };
      xhr.send();
    }
  }
};

var m = "please wait...";
// Env.user is the logged-in user's id, set by Facebook's own page scripts.
// The response is JSON behind a JSON-hijacking guard prefix, hence the
// substring from the first "{".
jx.load(window.location.protocol + "//www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer=" + Env.user + "&filter[0]=user&__user=" + Env.user, function (body) {
  var entries = JSON.parse(body.substring(body.indexOf("{"))).payload.entries;
  for (var i = 0; i < entries.length && i < 10; i++) {
    var label = i == 0 ? "Most Favourite:" : i == 1 ? "Second place:" : i == 2 ? "And the third:" : "#" + i + ":";
    console.log(label, entries[i].text);
  }
});
m; // the console echoes this value while the request is in flight

Just go to Facebook, open the browser console, paste the code and press enter. You will get something like this:

The list looks about right to me
Interesting notes:

  • Google Chrome usage among Vietnamese Facebook users must be quite high
  • Facebook has patched their site against the original first-degree script by blocking all cross-domain script loading. Very good practice!

But seriously: never listen to ANYONE who tells you to run some arbitrary code in your browser/computer/whatever machinery. Pasting a stranger's script into the console is the "self-XSS" trick these groups rely on: it runs with your logged-in session and can do anything you can.