Don’t forget us humans

Taken from critiques on Business Process Reengineering (BPR) from Wikipedia


The most frequent and harsh critique against BPR concerns the strict focus on efficiency and technology and the disregard of people in the organization that is subjected to a reengineering initiative. Very often, the label BPR was used for major workforce reductions. Thomas Davenport, an early BPR proponent, stated that:

“When I wrote about “business process redesign” in 1990, I explicitly said that using it for cost reduction alone was not a sensible goal. And consultants Michael Hammer and James Champy, the two names most closely associated with reengineering, have insisted all along that layoffs shouldn’t be the point. But the fact is, once out of the bottle, the reengineering genie quickly turned ugly.”

Michael Hammer similarly admitted that:

“I wasn’t smart enough about that. I was reflecting my engineering background and was insufficient appreciative of the human dimension. I’ve learned that’s critical.”


“insufficient appreciative of the human dimension”: I think I suffer from this at times, many more times than not.

More Lessons in Web Security / Best Practices

So one day I was browsing the Brunet homepage and saw the link to Live Webcams around Brunei. Interested, I clicked the link, only to be greeted with the following meaningless page in Firefox.

Page view in Firefox

So, thinking they had implemented some IE-specific page, I loaded up IE and was prompted to install an ActiveX control. I looked at the source code of the page to figure out what it was using and was interested in what I saw:

    NV1.MediaSource   = "61.6.207.177" ;
    NV1.MediaUserName = "Admin" ;
    NV1.MediaPassword = "123456" ;
    NV1.Httpport      = 80 ;
    NV1.RegisterPort  = 6000 ;
    NV1.ControlPort   = 6001 ;
    NV1.StreamingPort = 6002 ;
    NV1.MulticastPort = 5000 ;

    NV1.ASEMediaSource   =  "202.160.45.35";
    NV1.ASEMediaUserName =  "Admin";
    NV1.ASEMediaPassword =  "123456";
    NV1.ASEControlPort   =  6001;
    NV1.ASEStreamingPort =  6002;

IP addresses and user credentials… So I decided to do some more exploring and found out the code is basically some copy-paste work done from ACTi documentation on their IP webcams. I found out they have freely available tools to interact with the webcams themselves. While some utilities only allow scanning for webcams on the same network, I found that the Snapshot utility allowed me to specify the IP addresses and user credentials and was able to generate snapshots at specific intervals. I wish they had used this instead of the live streaming webcam option, as it helps save on bandwidth and makes the page much more accessible from any browser that supports images, but then they would have to run the application on a Windows server. Oh well.

After some more poking around on the ACTi site and the documentation for their webcam’s API, I found out that you could visit a specific URL (e.g. http://61.6.207.177/cgi-bin/system?USER=Admin&PWD=123456&SYSTEM_INFO) on the server and retrieve (and possibly even change) information on the webcam. Also, noticing the Httpport variable, I tried visiting the webcam IP (http://61.6.207.177) and was greeted by the web configuration page as shown below.

Web cam web configuration page

Entering the Admin user name and password, I was given full rein over the configuration of the webcam, including specifying new users and even changing the password of the Admin user itself, thus rendering all the webcam pages useless. So I emailed the people over at Brunet via the contacts page and got no response. I called them up the following week and the lady on the phone said she’d refer me to a technician and that I should just wait for a call from them. A few hours later I got a call from a technician seeking to clarify the problem I had found, who thanked me for my mail. The next day, when I checked the webcam pages, it was all rectified! Nice swift work, people at Brunet. A round of applause.

Lessons to be learnt:

  1. Change your default settings/password/user credentials: obvious as it is, quite a few places in Brunei that have free wireless have not changed their passwords. Using a default-passwords page found easily online, any unauthorized user can change settings, deny users access to the service, or possibly DNS-spoof users (meaning that even if your browser says you’re on paypal.com or facebook.com, it could still be a malicious site that farms your user credentials, as the name points to a different IP address altogether).
  2. Understand what you are doing and the security concerns that will arise. In this case, don’t just copy and paste code, see that it all works and be done with it. Analyzing the code clearly shows an administrator login. Understand that any visitor to the page can view the source and see these user credentials. I guess that once people see that it works they can’t be bothered to fiddle with it, for fear of screwing things up. Another scenario is when somebody wires up their wireless router, switches on the power and all of a sudden they can surf wirelessly: they don’t care about setting a wireless password, let alone changing the router configuration password. The old saying “if it ain’t broke, don’t fix it” just doesn’t work in security (software, firmware and hardware need to be updated to fix security vulnerabilities).
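As an added example (not code from the original post or from ACTi), here is a small Python checker that does what lesson 2 asks for: it reads the page source exactly as any visitor can and flags credential-looking property assignments and URL query parameters, marking passwords that sit on a weak-default list. The sample page, its 192.0.2.10 address and the classid are constructed here; only the property names and the Admin/123456 pair come from the post.

```python
import re

# Constructed sample page modelled on the ActiveX snippet in the post; the
# host is a documentation-range address, not the real camera's.
SAMPLE_PAGE = """<html><body>
<object id="NV1" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script type="text/javascript">
    NV1.MediaSource   = "192.0.2.10" ;
    NV1.MediaUserName = "Admin" ;
    NV1.MediaPassword = "123456" ;
    NV1.Httpport      = 80 ;
    var api = "http://192.0.2.10/cgi-bin/system?USER=Admin&PWD=123456&SYSTEM_INFO";
</script></body></html>"""

# Property assignments such as NV1.MediaPassword = "123456".
ASSIGN_RE = re.compile(
    r'(?P<name>\w*(?:user|pass|pwd|secret|token)\w*)\s*=\s*"(?P<value>[^"]*)"', re.I)
# Credentials carried in a URL query string, such as USER=Admin&PWD=123456.
QUERY_RE = re.compile(r'[?&](?P<name>user|usr|pwd|pass(?:word)?)=(?P<value>[^&"\s]*)', re.I)
WEAK_PASSWORDS = {"", "123456", "12345", "1234", "password", "admin"}


def is_secret_name(name):
    return re.search(r"pass|pwd|secret|token", name, re.I) is not None


def find_client_side_credentials(html):
    """Return one finding per credential-looking literal in the page source.

    Each finding records the line number, where it was found (assignment or
    URL), the name and value, and whether the value is a known weak default,
    so a reviewer sees exactly what every visitor to the page can also see."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), 1):
        for regex, where in ((ASSIGN_RE, "assignment"), (QUERY_RE, "url")):
            for m in regex.finditer(line):
                name, value = m.group("name"), m.group("value")
                secret = is_secret_name(name)
                findings.append({
                    "line": lineno, "where": where, "name": name, "value": value,
                    "kind": "password" if secret else "username",
                    "weak_default": secret and value.lower() in WEAK_PASSWORDS,
                })
    return findings


if __name__ == "__main__":
    for finding in find_client_side_credentials(SAMPLE_PAGE):
        print(finding)
```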

These are just a few simple lessons that we can learn, but in the field of computer security there is so much more to be afraid of, and we as users need to be more knowledgeable. Places you can start would be Security Now and, for the slightly more enthused/technical, PaulDotCom Security Weekly. For the more layman kind of person, do check out the Security Now transcripts, show notes and old episodes, as they are very useful. Both these shows are podcasts, which are in essence recorded video or audio that you can watch or listen to anytime you wish: consume the shows you want, at your own viewing pleasure, anytime, anywhere. All you need is a computer, or for audio shows an audio/MP3 player and for video shows a video player. A misconception is that iPods are needed to listen to or watch podcasts, and that is just plain WRONG. At the least you can use your computer to listen to or watch them.

Creative Twittering

As Ashton Kutcher beats CNN in terms of Twitter followers and celebrities joining the ranks (Shaq, Ellen, Oprah, Britney) what are the more creative uses of Twitter other than answering the question of “What are you doing?”?

The 2 recent ones I’ve seen are:

PS Brunei has recently seen an upsurge of Twitterers too, with some newbies being well known Reeda Malik (anakbrunei) and Rano (ranoadidas). Others to note would be David Cheok, Ali Janah, Jan Shim (Shimworld). Find more people from Brunei here (not perfect but may help)

SMARTER Brunei Charity Walk

Via anakbrunei.org tagboard in response to his post

SMARTER Dad: Those interested to join the ” Charity Walk ” please contact this number 8743777 ( Malai ) , 8734427 ( Hajijah ), 8865646 ( Major Talip ) 8769264 ( Edwin Chong ) , 8732046 ( Hj Yusuf ) … You all can join the walk from one stop or another on 2 May or 3 May . Walk for Charity …8 stop altogether the shortest being 3 km only …Reeda you can join the last to GIANT .. :biggrin:

Calling all people in Brunei to help SMARTER raise the B$1.9 million needed for their new building. Too bad I’ll be in Singapore attending a friend’s wedding; I would have loved to join in this event.

B$30+ Spectacles/Eyeglasses

After wearing my pair of specs for about 5 I decided it was time for me to get a new pair. So where do I go to find them? To the world wide web, of course! I read somewhere that you could get a great deal on glasses if you buy them online, and true enough I found Zenni Optical, which offered frames + lenses starting at US$8.00. The only thing you needed was your prescription. The shopping experience couldn’t be simpler:

  1. Pick a set of frames
  2. Customize your glasses with
    • Colour
    • Anti-Reflection Coating
    • Lens Tint
    • Clip On Sunshades
    • Lens Type
    • Prescription
  3. Add to cart
  4. Checkout!

They will ship from different locations depending on where you are, and so for me they shipped from Hong Kong and it came within 2 weeks!

Price Breakdown
Prescription: B$5.00
Frames + Lens: US$8.00
Clip-on Sunshade: US$3.95
Shipping cost: US$9.00
Total: ~B$37.50


Milestone Dates
Purchased: 11th March
Left Hong Kong: 19th March
Arrived in Brunei post office: 25th March

My B$30+ glasses, complete with case, cloth and clip-on shades. Sweet!

My B$30 Glasses

I had the glasses checked with an optician and the glasses’ prescription is indeed correct. My only complaint is that my head is too big, so the end pieces are slightly pressing against the sides of my head, and I’ve had that with one of my older pairs of glasses. In fact these frames are wider than my old ones; it’s just that the old frames’ end pieces were designed to curve out and in, versus the straight ones on these from Zenni Optical. So if you have a big head you may want to take note (the pair I got is listed here and has a frame width of 137mm). But all in all I highly recommend Zenni Optical and will definitely shop there in the future!

Brunei Recycling Bins Part Deux

As a follow-up to this post, and in light of Earth Hour and An Inconvenient Truth, we should all pitch in to help Earth sustain generations present and generations to come. So what I have is a list and the locations of…

Recycling bins in Brunei

You can contribute by sending me a photo and giving me a link to the location of the place. To mark the location, try using Show Me Where It’s At!, a little something I created to help show people where a particular place is.

Show Me Where It’s At!

Ever had a person ask you if you know where a certain place is and you couldn’t get a good map to show them? Well, I ran into this issue and wanted a quick way to add a marker to a map and pass that information on to the person who needs it. So here I introduce…

Show Me Where It’s At!

Just click on the map to get started. Fill in the details. Create and give the link to the person who needs the information. A quick sample: Brunei’s National Stadium

A Lesson in Web Application Security Part 2

**Read Part 1 to get the full picture of this post**

Notice that there is no user confirmation that the phone number is correct and that I really do want to receive the results via SMS, especially because receiving the results comes at a cost of B$3.00! Yes, it does give a cancellation code which I could have sent back to not receive the results SMS. The delay between the 2 SMSs was 3 minutes, which is ample time to send a reply if you are actively checking your phone.

Exploit #1: Overwhelming a single person with many result SMSs and having them be charged at $3.00 apiece. If the person is using a prepaid plan, you could effectively use up all their credit, creating a denial of service. If they are using a postpaid account, the charges would just rack up.

Solution: Request users to send a confirmation SMS saying they do indeed want to receive the results.

Taking things a bit further, I tried a few things, such as submitting invalid data. To their credit, they did validate the data I put in.

Validation error

After some investigation I found that the problem with this validation lies solely in the fact that they used JavaScript alone to do the check. JavaScript being client-side processing means that it is subject to change by the user. Firefox users have Greasemonkey and Opera users have user scripts. Or you can do what I did: view the source of the page, copy it to a local file, make the necessary changes to the source, load it up without the validation checks and send the form on. And what did I do? I registered my friend’s foreign mobile phone number. My friend confirmed that he received the results SMS despite the fact that he is not in Brunei. This leads to exploit #2, which could effectively rack up foreign SMS charges for the SMS gateway that is providing this service.

Exploit #2: Bypass client-side validation of data.

Solution: Use server-side validation of data, in this case in the PHP code.

This exploit relies on the fact that the application assumes that the information it receives is valid data. This should never be the case. You cannot assume that the user will input the correct information; you must validate and sanitize the data accordingly to ensure that you only have valid data in your application. It is things like this that lead to SQL injection, which could cause catastrophic results on your server and even information theft. So whenever designing and implementing any system, you as a developer should do your job properly, factor this in and ensure your application does not suffer from this flaw.
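To show both fixes together (the confirmation SMS proposed for exploit #1 and the server-side validation proposed for exploit #2), here is an added Python example; it is not the operator’s PHP code. The Brunei mobile format it assumes (7 digits beginning with 7 or 8, optionally prefixed with +673), the message wording and the phone numbers used in testing are my assumptions.

```python
import re
import secrets

# Assumption (not from the post): a Brunei mobile number is 7 digits beginning
# with 7 or 8, optionally prefixed with the +673 country code. Anything else,
# including a foreign number, is rejected on the server no matter what the
# browser-side JavaScript let through.
LOCAL_MOBILE_RE = re.compile(r"^(?:\+?673)?([78]\d{6})$")
RESULTS_PRICE = "B$3.00"


def normalise_local_mobile(raw):
    """Server-side replacement for the JavaScript-only check.
    Returns the 7-digit local number, or None if it is not a Brunei mobile."""
    digits = re.sub(r"[\s\-()]", "", raw or "")
    m = LOCAL_MOBILE_RE.match(digits)
    return m.group(1) if m else None


class ResultsSmsService:
    """A request only reserves a results SMS; the paid message is queued only
    after the phone's owner replies with the code, so nobody can be signed up
    (and charged) by a third party, and a number cannot be enrolled twice."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(number, text); injected so tests can capture it
        self.pending = {}          # number -> confirmation code awaiting a reply
        self.subscribed = set()    # numbers whose owners confirmed

    def request(self, raw_number):
        number = normalise_local_mobile(raw_number)
        if number is None:
            return "rejected: not a Brunei mobile number"
        if number in self.subscribed or number in self.pending:
            return "ignored: already requested"
        code = secrets.token_hex(3)
        self.pending[number] = code
        self.send_sms(number, f"Reply {code} to receive your results by SMS ({RESULTS_PRICE}). "
                              "Ignore this message and nothing will be sent or charged.")
        return "pending confirmation"

    def confirm(self, raw_number, code):
        """Called when the gateway delivers an inbound reply from raw_number."""
        number = normalise_local_mobile(raw_number)
        expected = self.pending.get(number)
        if expected is None or not secrets.compare_digest(expected.encode(), str(code).encode()):
            return False
        del self.pending[number]
        self.subscribed.add(number)
        return True
```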


PS. This being my first vulnerability disclosure, it was indeed an experience, and it didn’t go too well, I have to say. After I emailed them regarding this issue they didn’t even get back to me. I had to call them up 2 weeks after that to ask if they got it, and apparently my email just happened to disappear somewhere. Go figure… So the guy I was talking to gave me his direct email address and thanked me for my input, saying that there are some things that they could change and some things they couldn’t. After another month and 2 emails I sent asking for updates, there was still no word from them. But third time’s a charm, and I finally got a reply saying that they fixed some of the JavaScript. Despite that not being the best solution, I felt I had waited long enough and came to disclose the problem. It’s not even a hard fix to implement. Oh well. I shall wait for a reply from the next organization, to whom I sent another security concern. So far no reply after 3 days… So I wait…