noXTRAs Posted October 11, 2012 Share Posted October 11, 2012 Hello everyone, I'm new here, but a big fan of the show. I'm wondering if anyone knows the title of an episode (if any) about securely connecting two computers. I would like to securely connect 2 computers (one of them may be virus infected AND running any ver. of Windows or OS X) and I'm looking for the easiest way. Thanks in advance for any help. Quote Link to comment Share on other sites More sharing options...
pasteywhitecoder Posted October 11, 2012 Share Posted October 11, 2012 Best way I can think of is a hard-wire ad-hoc network. Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 11, 2012 Author Share Posted October 11, 2012 thanks for the reply whitecoder, but the ideea is to connect 2 computers in different parts of the world...The users needs to connect to a server (with graphical interface), make an action then disconnect. Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted October 11, 2012 Share Posted October 11, 2012 I would say no connection would be secure if one of them is virus infected. But I would say SSH. Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 11, 2012 Author Share Posted October 11, 2012 Isn't there a Hak5 episode covering this? :( One of the PC's COULD be infected...I was thinking about connecting to a virtual machine on the server, once the user (who can be infected) is finished the virtual machine is restarted and waits for another connection. What problems could appear in a connection like this? How would you hack it? Can you hijack a browsers SSL connection? What if the user has a phisical digital certificate (usb key)? Can you still hijack a VNC over SSH or browser SSL? Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted October 11, 2012 Share Posted October 11, 2012 Maybe it would be helpful to explain the goal you are trying to accomplish by 'connecting' these computers. Remote assistance? Temporary or Permanent? Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 11, 2012 Author Share Posted October 11, 2012 Let me elaborate my problem. I am thinking of making an online polling/voting system. I am a senior software engineer so I can secure the database and the web page from sql injections, xss, csrf and I'm also thinking of a secure system to 'anonymously' identify the user so he/she can vote once, BUT, my main problem is this: could a haker create some software to hijack the session or .... in order to steal the vote? Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted October 11, 2012 Share Posted October 11, 2012 I will answer your question with another question: Has any software developer stopped hackers 100%? I could see this as one of those online poll type things, but it wouldn't stop users from creating a new account and voting again. You would have to grab system specific data and I'm not sure that would really fly. Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 11, 2012 Author Share Posted October 11, 2012 Thanks for the quick reply, User registration won't be a problem mainly because they all have a membership ID. The user doesn't register, I have an entry for each member who can vote. Well, hackers are stopped 99.(9)% at the stock exchange, visa, paypal, etc. All a hacker can do is ddos the hell out of those servers. I never heard of a billion dollars stolen in fraudulent automated bot trading, or visa being hacked or paypal or the 3D secure servers (and there is a different 3D secure provider in each country)..so it's possible to 99.(9)% hackproof it. I'd like to know ways of how an attaker would go about to steal votes. Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 11, 2012 Author Share Posted October 11, 2012 I'm thinking of a direct connection to the server, but I don't know if that can be hijacked (and how) if the user has a virus. My main ideea would be a USB stick, that boots your computer into for a virus free internet browser, but the problem with this approach is that not all PCs/MACs boot from USB by default, problems CAN occur in the boot process and users with a smartphone can't boot from a USB stick... Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted October 11, 2012 Share Posted October 11, 2012 Well, you don't hear about it because of bad press lol. Pretty sure most of those have been hacked you listed. But if i knew you had to register with an ID, I would try to register with random member IDs to get more votes. If they were just numbers, crank out a list and vote on ALL THE THINGS! Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 12, 2012 Author Share Posted October 12, 2012 The users don't register. They are all in a database already, they can't register. I'm wondering if the wifi pinnaple could intercept a SSL connection? I'm now thinkng of using a PGP like system, with a public and a private key. If the vote + encrypted data generates a valid response, the user will get back a message containing his personal details, including his membership ID. The user can check if these are correct so he knows he voted on the right server and his vote reigstered correctly. Can anyone tell me if a man in the middle (let's say from one of the ISP en-route to destination server) could intercept the message in order to decrypt it and log the user's vote? Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted October 12, 2012 Share Posted October 12, 2012 (edited) Let me elaborate my problem. I am thinking of making an online polling/voting system. I am a senior software engineer so I can secure the database and the web page from sql injections, xss, csrf and I'm also thinking of a secure system to 'anonymously' identify the user so he/she can vote once, BUT, my main problem is this: could a haker create some software to hijack the session or .... in order to steal the vote? Well, if you want to secure your database system against SQL Injection attacks, I would recommend using open source tools, such as SQLMap to attack your web application. If the tool is successful in pentrating your database, you will need to write better code, to address the security problem. The reason why websites are so vulnerable to these web based attacks, is because they are never 100% tested against these attacks in the first place. If they were, we wouldn't be seeing such an alarming rate of websites being exploited in this matter. Edited October 12, 2012 by Infiltrator Quote Link to comment Share on other sites More sharing options...
noXTRAs Posted October 12, 2012 Author Share Posted October 12, 2012 Infiltrator, Thanks for the reply, but my problem/question is not the sqlinjection part, but a man in the middle attack or some way in wich a hacker could eaves drop on the connection. Rephrasing the original question: What are the ways someone can eavesdrop / change data on a SSL connection by being on-route of the packet or having the user computers infected? Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted October 16, 2012 Share Posted October 16, 2012 Infiltrator, Thanks for the reply, but my problem/question is not the sqlinjection part, but a man in the middle attack or some way in wich a hacker could eaves drop on the connection. Rephrasing the original question: What are the ways someone can eavesdrop / change data on a SSL connection by being on-route of the packet or having the user computers infected? Roger brother, thank you for clearing that up. One way to eavesdrop on a SSL connection is using SSLstrip, part of the Backtrack OS. I would suggest reading up on that, if you are not familiar with the utility. Other methods, would be infecting the client side with a malware to intercept the SSL connection and then decrypt the messages. Here are some interesting articles for you to read. http://thehackernews.com/2012/04/90-ssl-sites-vulnerable-to-beast-ssl.html#sthash.cAHE3DbD.dpbs http://nbnl.globalwhelming.com/2011/09/20/researchers-cracked-ssl-internet-safe-https/ http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.