Ethan Chiu My personal blog

How to stop getting hacked

Recently, I’ve noticed some of my friends getting hacked on Facebook and other platforms. So, I’ve compiled a list of possibilities based on my own experiences:

  1. Let’s say you are reading an article on a malicious site. The author can make it automatically open a new tab with a fake Facebook login page at a URL like facebook.com/APP_ID/…. This Facebook hack is most often implemented using this Facebook developer app method.

Fake Facebook Login

  2. The Facebook user grants broad permissions to a Facebook app, which lets the developer submit posts and read/send messages. The user probably didn’t read the permissions they were granting to the app and just pressed “Allow”.

Facebook Write Post Permission

Screenshot of the Facebook Write Post Permission

Facebook General Permission

Screenshot of the Open Facebook General Permissions Page

If you think you’ve fallen for one of these traps, do the following:

  1. Change your password!
  2. Revoke the app’s access through this method.

I myself have been hacked many times on the web. Over the past few years, I’ve been trying to learn how black hat hackers operate by reading through black hat forums. I’ve also had the opportunity to learn a lot about systems security and Cisco networking through the CyberPatriot program.

Thus, based on my experience, I thought of three key tips that will help any web user learn how to protect themselves from hackers:

  1. Always check the URL when you are logging into something, especially on a public network (e.g. Starbucks free Wi-Fi). A dead giveaway is a site that doesn’t show the green lock at the left of the URL bar: that means the connection isn’t encrypted with HTTPS (SSL/TLS). Without HTTPS, your traffic can be intercepted: hackers use networking tools like Wireshark and NetworkMiner to read the data passing through the router they share with you. HTTPS encrypts this data so that others can’t see sensitive information. If you are interested in the finer details, check out this article by Case Western University on identifying insecure websites.

Good URL

Screenshot of the URL bar of a site which uses HTTPS and SSL

Bad URL

Screenshot of the URL bar of a site which doesn’t use HTTPS or SSL

  2. Double-check what permissions you give to sites. For example, a common thing teens use is Facebook friendship apps like this “Who will you marry?” site. Such apps get access to a lot of data that they can mine, which could help them guess your password. For Google apps, some permissions let the app take total control of your account (send/read emails). So, be careful!
  3. Don’t trust anybody on the web! The most common tactic hackers use is social engineering: they first gain your trust and some personal information, which then lets them get access to your account(s) through methods like brute forcing.
  4. Don’t run any suspicious executables (.exe) or packages on your computer without first scanning them with antivirus. I recommend Malwarebytes and AVG.
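Tip 1 above comes down to a few checks a reader can make on the address bar before typing a password. The following is an added example written for this post (not code from the original), turning those checks into a small Python function: it flags a login URL that is not HTTPS, a host that merely contains the expected name (such as facebook.com.example.net) and a URL whose text before the “@” only looks like the host. The trusted-host set and the sample URLs are constructed for the example and are not a list published by Facebook.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the exact hosts on which a Facebook login form is
# expected. An assumption for this example, not a list published by Facebook.
TRUSTED_LOGIN_HOSTS = {
    "facebook.com": {"facebook.com", "www.facebook.com", "m.facebook.com"},
}


def check_login_url(url, expected="facebook.com"):
    """Return a list of warnings for a URL that is about to receive credentials.

    An empty list means the URL passed every check. The checks mirror the habit
    of reading the address bar before logging in: the scheme must be https, and
    the host must be exactly a known login host, not merely a string that
    contains the familiar name somewhere.
    """
    parts = urlsplit(url)
    warnings = []

    if parts.scheme.lower() != "https":
        warnings.append("scheme is %r, not https: the login would travel unencrypted"
                        % parts.scheme)

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("URL has no host")
        return warnings

    if host not in TRUSTED_LOGIN_HOSTS[expected]:
        if expected in host:
            # e.g. facebook.com.example.net: the familiar name is present, but
            # the host is something else entirely.
            warnings.append("host %r contains %r but is not a known login host"
                            % (host, expected))
        else:
            warnings.append("host %r is not a known %s login host" % (host, expected))

    if parts.username is not None:
        # https://facebook.com@example.net/ : everything before '@' is
        # user-info; the real host is what follows it.
        warnings.append("URL has user-info before '@'; the real host is %r" % host)

    return warnings


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in (
        "https://www.facebook.com/login",
        "http://www.facebook.com/login",
        "https://facebook.com.example.net/login",
        "https://facebook.com@example.net/login",
    ):
        print(sample, "->", check_login_url(sample) or "ok")
```

The function deliberately compares against an exact set of hosts rather than asking “does the URL contain facebook.com”, because the latter is exactly what a lookalike address relies on.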

Scraping Facebook with Javascript to Get a List of Your Friends

This is the first article of a new series called “Fighting against Fake News”. For the next few weeks, I’ll be writing about my technical challenges of this digital literacy research project as well as my own thoughts on the topic of misinformation. Hope you enjoy!

To preface this, I’d like to describe briefly what this digital literacy project is all about. I’m currently working on this project with the Dav-lab group at Wellesley College to help people build digital literacy skills. With the proliferation of fake news on social media platforms like Twitter and Facebook, we thought we needed to address this issue by helping people develop digital literacy skills.

We thought a way to help people develop digital literacy skills is by developing a Google Chrome extension which gamifies the user’s Facebook news feed by allowing the user to guess which Facebook friend shared what type of news content in their news feed:

Picture During my Internship

Screenshot of the Open Answer Game Format of the Extension

Initially, I programmed the extension to parse the user’s Facebook news feed and mark up every post that contained an article. Recently, I realized this parser wasn’t very useful because it modified far too many posts; it should only modify posts shared by the user’s friends. So, I needed a way to get a list of the user’s Facebook friends in JavaScript, from within the extension, so that I could compare the posts in the feed against that list and only modify posts shared by the user’s Facebook friends.

In a previous project, I ran into a similar issue: there was no documentation for getting a list of the current user’s Facebook friends through Facebook’s Graph API (Facebook removed the /me/friends node in version 2.0). Back then, I created a simple workaround:

window.fbAsyncInit = function() {
    FB.init({
      appId      : 'YOUR_APP_ID',
      xfbml      : true,
      version    : 'v2.3'
    });
    FB.AppEvents.logPageView();
    $( document ).ready(function() {
        // Prompt the user to log in, then ask the Graph API for taggable friends
        FB.login(function(response) {
            if (response.status === 'connected') {
                FB.api('/me/taggable_friends?limit=5000', function(response) {
                    console.log(response);
                });
            }
        });
    });
};
// Standard Facebook JS SDK loader snippet
(function(d, s, id){
     var js, fjs = d.getElementsByTagName(s)[0];
     if (d.getElementById(id)) {return;}
     js = d.createElement(s); js.id = id;
     js.src = "//connect.facebook.net/en_US/sdk.js";
     fjs.parentNode.insertBefore(js, fjs);
   }(document, 'script', 'facebook-jssdk'));

Unfortunately, I couldn’t use this implementation due to these privacy requirements:

  1. I didn’t want to store any data, meaning no server side requests.
  2. I had to be able to use this method for a chrome extension.

So, I couldn’t use the Facebook API since it stores some of the user data server side and since it can’t be tested while developing the Chrome Extension.

Ultimately, I decided to write a scraping function in JavaScript. To create an effective scraper, I inspected Facebook pages that list friends in a form that could be parsed easily. Unfortunately, no single path led to a full list of friends.

Luckily, I found that the mobile basic version of Facebook’s friend list, https://mbasic.facebook.com/friends/center/friends/?=1 , has a clear URL pattern for reaching each page of the user’s friends list. For example, https://mbasic.facebook.com/friends/center/friends/?=1 is page 1 of the user’s friends list, https://mbasic.facebook.com/friends/center/friends/?=2 is page 2, and so on.

Here is the code I eventually came up with:

var activeTab;

var lastRequestTime = 0;
var requestInterval = 50;

var timeoutHistory = [];
var xhrHistory = [];

// Rate-limited GET helper: spaces requests at least requestInterval ms apart
// (plus random jitter) so the site is not hammered.
function get(url, done) {
	var xhr = new XMLHttpRequest();
	xhrHistory.push(xhr);
	xhr.open('GET', url, true);
	xhr.onreadystatechange = function (e) {
		if (xhr.readyState == 4) {
			done(xhr.responseText);
		}
	};
	var delay = Math.max(lastRequestTime + requestInterval - (+new Date()), 0) + Math.random() * requestInterval;
	lastRequestTime = delay + (+new Date());
	timeoutHistory.push(setTimeout(function () {
		xhr.send();
	}, delay));
}

var promises = [];

// Walks the mbasic friend-list pages one after another. The requests are
// asynchronous, so the names are delivered through the returned promise
// (or the done callback) rather than returned directly.
function getFriends(done) {
	var friends = [];
	var deferred = $.Deferred();

	function finish() {
		deferred.resolve(friends);
	}

	function fetchPage(page) {
		if (page > 500) { return finish(); }   // safety cap on the number of pages
		var request = $.ajax({
			url: "https://mbasic.facebook.com/friends/center/friends/?ppk=" + page,
			dataType: 'text'
		});
		promises.push(request);
		request.done(function (data) {
			var $page = $(data);
			// ".v.bk" wraps the friend list; a jQuery object is always truthy,
			// so check .length to know whether the list is really present.
			if ($page.find(".v.bk").length === 0) { return finish(); }

			var elements = $page.find(".bj").children();
			if (elements.length === 0) { return finish(); }   // no friends left: last page

			for (var i = 0; i < elements.length; i++) {
				var name = elements[i].firstChild.innerText;
				// Each entry reads "<name><N> mutual friends"; keep the text before the first digit
				var firstDigit = name.search(/\d/);
				if (firstDigit !== -1) {
					name = name.slice(0, firstDigit);
				}
				// The page footer ("Your PagesHelpSettings") marks the end of the list
				if (name.includes("Your PagesHelpSettings")) { return finish(); }
				friends.push(name);
			}
			fetchPage(page + 1);
		}).fail(finish);
	}

	fetchPage(0);
	return deferred.promise().done(done);
}

The scraper does the following:

  1. Visits the first friend-list page of the user with an AJAX call to the mobile basic version of Facebook.
  2. Parses the page by class name, gathers every name on it and pushes each one to the ‘friends’ array.
  3. Repeats steps 1 and 2 for the next page until a page contains no friends.

That’s it! :)

Hacked With Python

A few days ago, my project PythonBuddy was hacked. The hacker got into my server and replaced my whole site with a gif by running, in the PythonBuddy editor, Python code that used the builtin open function. Here is what the code could have looked like:

# The builtin open() is enough here; nothing needs to be imported
with open('./templates/index.html', 'w') as f:
   f.write('<img ...>')

This hack was quite a wake up call. I had naively implemented PythonBuddy without any sandboxing.

After this incident, I scoured the web searching for a solution to prevent a hack like this from happening again. I wanted a quick fix.

Eventually, I came up with a quick solution to prevent people from using dangerous imports such as os:

import sys
# Setting an entry of sys.modules to None makes any later import of that
# name raise ImportError
sys.modules['os']=None
sys.modules['os.path']=None
sys.modules['pprint']=None
sys.modules['builtins']=None
sys.modules['shutil']=None
sys.modules['subprocess']=None
sys.modules['jinja2']=None
sys.modules['yaml']=None
sys.modules['sys']=None

This basically just blacklisted certain imports like “sys” or “os” by making any later import of those names fail. It does nothing about functions that need no import at all, such as the builtin open() the hacker used.
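To see what that blacklist does and does not stop, here is an added test harness, written for this post rather than taken from PythonBuddy. It applies the same sys.modules blacklist to two constructed snippets, one that tries `import os` and one that writes a scratch file with the builtin open(), and reports both outcomes. The temporary file stands in for templates/index.html; nothing else on disk is touched.

```python
import builtins
import os
import sys
import tempfile

# The modules the quick fix set to None in sys.modules (a subset is enough here).
BLACKLISTED_MODULES = ["os", "os.path", "shutil", "subprocess"]


def run_with_blacklist(snippet, namespace):
    """Run snippet with the sys.modules blacklist applied, then restore the modules.

    Setting sys.modules[name] = None makes any later `import name` raise
    ImportError. The original entries are put back afterwards so the rest of
    this process keeps working.
    """
    saved = {name: sys.modules.get(name) for name in BLACKLISTED_MODULES}
    for name in BLACKLISTED_MODULES:
        sys.modules[name] = None
    try:
        exec(snippet, namespace)
    finally:
        for name, module in saved.items():
            if module is None:
                sys.modules.pop(name, None)
            else:
                sys.modules[name] = module


def audit_blacklist():
    """Probe what the blacklist stops and what it lets through. Returns a dict."""
    findings = {}

    # Probe 1 (constructed snippet): is `import os` really blocked?
    ns = {"__builtins__": builtins, "result": {}}
    run_with_blacklist(
        "try:\n"
        "    import os\n"
        "    result['import_os_blocked'] = False\n"
        "except ImportError:\n"
        "    result['import_os_blocked'] = True\n",
        ns,
    )
    findings["import_os_blocked"] = ns["result"]["import_os_blocked"]

    # Probe 2 (constructed snippet): can code still write a file with the
    # builtin open()? A scratch file stands in for templates/index.html.
    fd, path = tempfile.mkstemp(suffix=".html")
    os.close(fd)
    ns = {"__builtins__": builtins, "target": path}
    run_with_blacklist(
        "with open(target, 'w') as f:\n"
        "    f.write('<!-- written without importing anything -->')\n",
        ns,
    )
    with open(path) as f:
        findings["builtin_open_reachable"] = f.read().startswith("<!--")
    os.remove(path)

    return findings


if __name__ == "__main__":
    for key, value in audit_blacklist().items():
        print("%-22s %s" % (key, value))
```

Run against the blacklist, the harness reports `import_os_blocked True` and `builtin_open_reachable True`: the quick fix raises the bar for one way of doing something dangerous, but it is not an execution boundary. A sandbox should be tested like this against the thing it is meant to prevent (here, writing to the site’s own files) rather than against a list of import names.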

While researching a fix for my program, I discovered some sandboxes that didn’t quite work out for me:

  • PyPy sandbox
    • Required me to use the PyPy interpreter, which would slow down my program
    • Created by a Python core developer
  • Simpleeval
    • Not flexible enough.
    • If I used this, I would have to parse the document each time with regexes to identify the functions being defined.
    • Also, it was quite limited and didn’t support enough functions.
  • edX’s codejail
    • Was really aimed at the edX platform, and I couldn’t figure out how to adapt it to my own program.

Funnily enough, the person who hacked me contacted me via Reddit today and told me about the vulnerabilities in my site and how he was trying to help secure my site:

"So I found your pythonbuddy page earlier when you posted it and saw that it was defaced. I was curious how the person did it so I tried it myself. You probably discovered the Hacker gif I left you. I meant no harm. :) 

I even tried to mark the temp.py as readonly so others can't change it again.

I see you tried to fix the issue but it is still vulnerable, btw. I used the open() command to overwrite the index.html

I recommend RestrictedPython or Skulpt, the Javascript version you tried out.
Hope you didn't mind the harmless prank. I'm a student like you. Gl."

So, I created a different version of PythonBuddy that uses RestrictedPython: PythonBuddy’s Restricted Python branch. Unfortunately, this version doesn’t allow many Python functions and operators, such as “yield”, to work.

Overall, the main takeaway here is that we should always safely execute unknown code via a protected environment such as a sandbox.

Side Notes:

  • Later today, I watched an amazing video from PyCon 2014 about Python sandboxing, which made me realize that if I were to create my own full-fledged sandbox, I would include functions that blacklist certain keywords, make builtins read-only, etc. But, right now, I hope to implement something more secure and well established like PyPy’s sandbox.

How to STOP Wasting so much TIME on Social Media

Last year, I spent an average of 5 hours on my phone going through Facebook, Instagram, and Twitter. Not so healthy, right?

So, I decided to go cold turkey and tried to delete the apps from my phone. After 2 days of trying this out, I redownloaded them.

Finally, I decided to create a compromise between my desire for entertainment and my desire for more time in my day.

Here are some tips that I used to cut down my social media usage from 5 hours to less than 2 hours:

Facebook and Twitter Tips:

  1. Install Ublock
  2. Go to Facebook and Twitter
  3. Press the ublock plugin
  4. Press the eyedropper tool and select the feed section on Facebook and Twitter
  5. Then press “Create”
  6. Refresh Facebook and Twitter
  7. And Voila! When you go to Facebook and Twitter, you won’t waste your time browsing through your feed. Instead, you’ll just focus on the important stuff like messages.

Instagram tips:

  • Disable account.

Helpful plugins for curing your social media addiction:

  1. Kill News Feed: https://chrome.google.com/webstore/detail/kill-news-feed/hjobfcedfgohjkaieocljfcppjbkglfd
  2. Stay Focused: https://chrome.google.com/webstore/detail/stayfocusd/laankejkbhbdhmipfmgcngdelahlfoj

Is WPA2 Really Secure? (Part 1)

After realizing my own WPA2 home network was compromised recently, I wondered how easy it was to break into a WPA2 network. I had heard about brute forcing methods, but nothing fast enough to crack a network efficiently.

Let me take a step back. Before there was WPA2, there was WEP. WEP stands for “Wired Equivalent Privacy”. WEP, like WPA2, was invented to protect Wi-Fi networks so that they would be as secure as a wired Ethernet connection. Before WEP (now we are going way back), network sniffer programs could tap into Wi-Fi networks with no barriers.

The basic premise of WEP was simple: a key made up of hexadecimal digits. To access a WEP network, a device had to have the same WEP key as the router. There were two versions of WEP keys: 64 bit (10 hex digits) and 128 bit (26 hex digits).

Ok, so why were WEP networks so vulnerable? There were many flaws, starting with how the protocol was designed. One quick example is that WEP uses the RC4 encryption algorithm, a stream cipher. Stream ciphers used this way are malleable: an intruder can flip a bit in the ciphertext and the corresponding bit of the plaintext flips with it, without the change being detected. I won’t delve too deeply into the flaws of WEP, but this research paper from the University of California, Berkeley explains them well: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
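As an added illustration (not from the original post) of the bit-flipping property just described, the Python below encrypts a short constructed message with a textbook RC4 keystream, flips one ciphertext bit and decrypts; the same bit of the plaintext flips, turning “PAY 100” into “PAY 900”. The second half shows the standard defense: a keyed MAC (HMAC-SHA256) over the ciphertext, which rejects the tampered message before it is decrypted. The keys and the message are constructed for the example, and the RC4 routine is here only to make it concrete.

```python
import hashlib
import hmac


def rc4_keystream(key, length):
    """Textbook RC4 (key scheduling + generation), included to make the example
    concrete. RC4 is broken and must not be used in new designs."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def stream_xor(key, data):
    """Encrypt or decrypt by XOR with the keystream (the operation is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def malleability_demo(key=b"constructed-key", plaintext=b"PAY 100"):
    """Flip one ciphertext bit without knowing the key; decryption flips the
    same plaintext bit. Byte 4 is '1' (0x31); 0x31 ^ 0x08 = 0x39 = '9'."""
    ciphertext = stream_xor(key, plaintext)
    tampered = flip_bit(ciphertext, 4, 3)
    return stream_xor(key, tampered)      # b"PAY 900"


def seal(enc_key, mac_key, plaintext):
    """Encrypt, then authenticate the ciphertext with HMAC-SHA256."""
    ciphertext = stream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_sealed(enc_key, mac_key, ciphertext, tag):
    """Return the plaintext, or None if the ciphertext was modified in transit."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(enc_key, ciphertext)


if __name__ == "__main__":
    print("unauthenticated stream cipher, one bit flipped:", malleability_demo())
    ct, tag = seal(b"enc-key", b"mac-key", b"PAY 100")
    print("HMAC accepts untouched message:", open_sealed(b"enc-key", b"mac-key", ct, tag))
    print("HMAC rejects tampered message:", open_sealed(b"enc-key", b"mac-key", flip_bit(ct, 4, 3), tag))
```

The point of the second half is that confidentiality alone does not stop tampering; a keyed integrity check over the ciphertext does. WEP’s own integrity check is an unkeyed CRC-32, which cannot play that role, which is one reason the WEP design failed.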

Next time, I will talk about the exciting research of the past 2 years that reveals the unfortunate vulnerabilities of WPA2. (But don’t worry. If you have a long and complex password, you will most likely not be hacked!)

Sources:

  • http://compnetworking.about.com/od/wirelessfaqs/f/wep_keys.htm
  • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  • http://phys.org/news/2014-03-wpa2-wireless.html