SQL Injection Honeypot

One way to prevent hackers from finding vulnerabilities on your website is to keep them busy with fake ones. For instance, a few years ago, when I was graduating from my undergraduate programme, I developed a web-based application to facilitate the data collection and publishing of my batch's yearbook. The application gave users an interface to complete their profiles, write comments about their friends and upload photographs, after logging in of course.

The login procedure was much like any other site's: users authenticated themselves with a username and password, which were matched against the database. However, if there was a single quote in the username or password the user provided, the system gave an error message showing a query string that had supposedly failed to execute. It was not actually a SQL injection vulnerability; I had included the message intentionally to see how people reacted after finding a potential vulnerability. Of course, it only showed the message and did not give the user any extra access.

Here is a code snippet of the authentication module:

    // SQL Injection 'TEST': a single quote in either field triggers a fake
    // driver error; the submitted values are never run against the database.
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if( strpos($username,"'") !== false || strpos($password,"'") !== false )
    {
        // Escape before echoing the input back, otherwise the fake error page
        // reflects raw POST data into HTML.
        $u = htmlspecialchars($username, ENT_QUOTES);
        $p = htmlspecialchars($password, ENT_QUOTES);
        $sqlInjectionError = "
                <p><font size=2>Microsoft ODBC MySQL Drivers Message:</font></p>
                <p><B>Error in the query:</B></p>
                <p>[Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE GadhayKaRollNo = '$u' AND GadhayKaPassword = '$p'</p>
                ";
        // $sqlInjectionError is rendered by the login page in place of the form.
    }
    // End SQL Injection 'TEST'

For example, if someone provided the username admin and the password x' OR '1'='1, he or she got the response:

Microsoft ODBC MySQL Drivers Message:

Error in the query: [Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay WHERE GadhayKaRollNo = 'admin' AND GadhayKaPassword = 'x' OR '1'='1'

I had initially included it as humour, but later found out that some of my fellows didn't get the joke and got excited about the "vulnerability". They felt challenged and tried all sorts of SQL injection attacks. I started logging those break-in attempts and found some clever techniques being applied that I wasn't aware of before. This simple snippet served as a honeypot: it attracted attackers, gave away useful information about what they were trying to do and which techniques they applied once they saw some potential, and diverted their attention away from finding other, subtler vulnerabilities which actually existed.
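A fuller version of the honeypot along the lines of the snippet above, added here as an example and not the yearbook app's own code: it logs each flagged attempt as a JSON line, returns the fake driver error with the input escaped (the original echoes raw POST data into HTML, which makes the honeypot page itself a reflected XSS sink), and performs the real check through a prepared statement so no submitted value ever reaches SQL as code. The users table, log path and in-memory SQLite fixture are assumptions made for the example.

```php
<?php
// Added example, not the yearbook app's own code: a honeypot login check that logs
// injection-style attempts, returns the fake driver error and authenticates only via
// a prepared statement. The users table, log path and SQLite fixture are constructed.

function looksLikeInjection(string $value): bool
{
    // The single quote is the page's trigger; comment and UNION markers are added.
    return (bool) preg_match('/\'|--|\/\*|\bunion\s+select\b/i', $value);
}

function fakeDriverError(string $username, string $password): string
{
    // Echoing raw input into HTML would make the honeypot page itself a reflected
    // XSS sink, so escape before embedding it in the fake message.
    $u = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $p = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
    return '<p>Microsoft ODBC MySQL Drivers Message:</p><p><b>Error in the query:</b></p>'
         . "<p>[Microsoft:ODBC 1045] SELECT UlluKaPatha FROM UlluKePathay "
         . "WHERE GadhayKaRollNo = '$u' AND GadhayKaPassword = '$p'</p>";
}

function logAttempt(string $logPath, string $username, string $password): void
{
    $entry = ['ts' => gmdate('c'), 'ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
              'ua' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'user' => $username, 'payload' => $password];
    file_put_contents($logPath, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);
}

function login(PDO $pdo, string $logPath, string $username, string $password): array
{
    if (looksLikeInjection($username) || looksLikeInjection($password)) {
        logAttempt($logPath, $username, $password);
        return ['ok' => false, 'html' => fakeDriverError($username, $password)];
    }
    // Real check: the value is bound as a parameter, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    $ok = $hash !== false && password_verify($password, $hash);
    return ['ok' => $ok, 'html' => $ok ? 'Welcome' : 'Invalid login'];
}

// Demo against an in-memory SQLite database holding one constructed account.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT)]);
$log = sys_get_temp_dir() . '/honeypot.log';
var_dump(login($pdo, $log, 'admin', "x' OR '1'='1")['ok'], login($pdo, $log, 'admin', 's3cret')['ok']);
```

The first call is refused and written to the log, the second succeeds; a legitimate user whose password happens to contain a quote would also land in the log, which is the trade-off the page's single-quote trigger makes.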

Phonebook Poisoning Attack

I found that using simple social engineering it is trivially possible to make someone alter an entry in their mobile phonebook. An attacker can use this to redirect a victim's SMS messages and voice calls intended for a specific person to the attacker's own phone. The attack works by sending the victim an SMS from a new number, claiming to be another specific person, B, who is already in the victim's phonebook. The SMS claims that this is Person B's new phone number and that the message is being sent to all friends so they can update their phonebooks. People are too occupied to verify such updates.

Imagine that you get an SMS from a new number that says "Hello friends. This is my new number. Please update your phonebook and use this number from now onwards - Person B". In most cases you wouldn't bother to verify that it is indeed Person B sending the message, and you'd quietly update your phonebook. From then on, any message coming from the attacker's number appears under Person B's name. With some prior knowledge about you and Person B, the attacker can ask directed questions and get confidential information. For instance, if you share a password with Person B and the attacker asks for it, you'll probably text it away.

A more interesting variation of this attack leads to a true man-in-the-middle: the attacker manages to update the phonebooks of two people who are acquainted with each other, so that both of their entries for one another now point to one number. The attacker forwards their SMS messages to each other after storing them on his own phone. In some cases voice calls can also be covered with clever call forwarding.

This attack works best in countries where telecom proliferation is high. In such countries it is easy to buy a throw-away, off-the-shelf SIM, so having a new number on a spare phone is extremely convenient. Also, in such regions most communication is done over SMS instead of calls, which favours this attack because on a voice call the person is easily recognized.

I tried it on a few friends and it worked really well. I took the role of Person B as well as the attacker and sent them the mobile number update request from a new number. Later I asked them some confidential questions related to them and me. It turned out that all of them had updated their phonebooks as well as responded to my queries without actually verifying it was me!

On a side note, a friend of mine wanted me to update his number in my mobile's phonebook and I tried to verify his identity. Here's how the conversation went:

+92321xxxxxx: Hi, this is my number. Please update it - Ali A.
Me: Anyone can claim that he is Ali A. Please authenticate yourself!
+92321xxxxxx: Ask a question which only Ali A. can answer.
Me: What is his GMail password?
* no response *

Later I called up the claimed number to make sure that it was indeed Ali :-)

Wardriving Lahore

Ever wondered how many access points there are in your city? Last week I did an interesting thing: wardriving in my city, Lahore.

Wardriving is the act of searching for WiFi wireless networks on the go using a laptop or other mobile device. It is legal in most parts of the world, but ethically it falls into a grey area. I personally do not find anything unethical about it as long as the discovered networks are not misused. Hence I did it :)

I used my HTC P3300, equipped with built-in WiFi and GPS, to scan for networks using an interesting PocketPC application called WiFiFoFum. It promiscuously looks for wireless networks and records each access point's information (MAC, SSID etc.) along with geo-coordinates, and allows you to later map it in Google Earth for better visualization. It is free as long as you use it for non-commercial purposes.

I war-drove my way from home to office, which is 15 kilometers. The areas I passed roughly include Garhi Shahu, Canal, Gulberg Main Boulevard, Cavalry Ground, Walton Road, DHA Main Boulevard and LUMS.

What I discovered was quite surprising. My office is 15 kilometers from my home, and in that span I found more than 90 access points. I wasn't expecting Lahore to be that hi-tech! More interesting was the fact that most of these access points were insecure and still had their default SSIDs such as 'linksys', 'netgear' etc. I did not try connecting to any of them, but I'm sure many of them would be using default passwords. Those with custom SSIDs suggested that many of the insecure networks belonged to offices.

Here is a screenshot of Google Earth's mapping at a high level. The green ones are insecure, while the red ones have some level of authentication or encryption.


With insecure wireless networks it is very easy for even a script kiddie to steal your bandwidth as well as invade your privacy. Make sure you keep your network secure, or alternatively you can have some fun

Security by obscurity works best sometimes

When I was graduating from FAST-NU, I designed a web-based system in PHP/MySQL for collecting data for our batch's yearbook. Each student in our batch was given a username and password with which s/he could enter personal data, make comments about friends, give nicknames and use other such features. At that time there was no server available in our university on which it could be deployed, and the only place to host it was a Windows-based machine in the labs on which all files in the wwwroot folder were readable to anyone logged into the machine. That did not matter much, as the MySQL database was secure and I did not mind anyone getting my PHP code. The only problem was that the MySQL password had to be stored in a PHP config file, and that file could be read by anyone.

I knew one naughty junior was already looking forward to the deployment of the application, and I did not want to take any risk. On the other hand, I wanted to get it deployed ASAP as well. I thought about encrypting the password, but the key would have had to be stored in a world-readable place. I thought about many other possibilities but found loopholes in each of them. Finally I came up with a clever scheme. After applying it, my config file looked like this:

    $db_host = "localhost";
    $db_user = "yearbook";
    $db_pass = "********";

Two days later the kid showed up looking a bit frustrated. He said, "How the hell did you mask your password in a PHP file? I have looked all over the web and I couldn't find any info about password masking in PHP or any other text file." With a smug look I replied, "I rewrote the NTFS to do that." He went away looking a bit angry as well as disappointed. I wish the poor chap had thought about the possibility of eight asterisks being my password.