Jump to content

Secure Connection Between 2 Computers

noXTRAs

By noXTRAs
in Questions

 Share

Recommended Posts

noXTRAs Newbie

noXTRAs

Posted
Posted

Hello everyone,

I'm new here, but a big fan of the show. I'm wondering if anyone knows the title of an episode (if any) about securely connecting two computers.

I would like to securely connect 2 computers (one of them may be virus infected AND running any ver. of Windows or OS X) and I'm looking for the easiest way.

Thanks in advance for any help.

Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

Isn't there a Hak5 episode covering this? :(

One of the PC's COULD be infected...I was thinking about connecting to a virtual machine on the server, once the user (who can be infected) is finished the virtual machine is restarted and waits for another connection.

What problems could appear in a connection like this? How would you hack it?

Can you hijack a browsers SSL connection? What if the user has a phisical digital certificate (usb key)? Can you still hijack a VNC over SSH or browser SSL?

Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

Let me elaborate my problem.

I am thinking of making an online polling/voting system. I am a senior software engineer so I can secure the database and the web page from sql injections, xss, csrf and I'm also thinking of a secure system to 'anonymously' identify the user so he/she can vote once, BUT, my main problem is this:

could a haker create some software to hijack the session or .... in order to steal the vote?

Link to comment
Share on other sites
Mr-Protocol Grand Master

Mr-Protocol

Posted
Posted

I will answer your question with another question:

Has any software developer stopped hackers 100%?

I could see this as one of those online poll type things, but it wouldn't stop users from creating a new account and voting again. You would have to grab system specific data and I'm not sure that would really fly.

Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

Thanks for the quick reply,

User registration won't be a problem :wacko: mainly because they all have a membership ID. The user doesn't register, I have an entry for each member who can vote.

Well, hackers are stopped 99.(9)% at the stock exchange, visa, paypal, etc. All a hacker can do is ddos the hell out of those servers. I never heard of a billion dollars stolen in fraudulent automated bot trading, or visa being hacked or paypal or the 3D secure servers (and there is a different 3D secure provider in each country)..so it's possible to 99.(9)% hackproof it.

I'd like to know ways of how an attaker would go about to steal votes.

Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

I'm thinking of a direct connection to the server, but I don't know if that can be hijacked (and how) if the user has a virus.

My main ideea would be a USB stick, that boots your computer into for a virus free internet browser, but the problem with this approach is that not all PCs/MACs boot from USB by default, problems CAN occur in the boot process and users with a smartphone can't boot from a USB stick...

Link to comment
Share on other sites
Mr-Protocol Grand Master

Mr-Protocol

Posted
Posted

Well, you don't hear about it because of bad press lol. Pretty sure most of those have been hacked you listed.

But if i knew you had to register with an ID, I would try to register with random member IDs to get more votes. If they were just numbers, crank out a list and vote on ALL THE THINGS!

Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

The users don't register. They are all in a database already, they can't register.

I'm wondering if the wifi pinnaple could intercept a SSL connection?

I'm now thinkng of using a PGP like system, with a public and a private key.

If the vote + encrypted data generates a valid response, the user will get back a message containing his personal details, including his membership ID. The user can check if these are correct so he knows he voted on the right server and his vote reigstered correctly.

Can anyone tell me if a man in the middle (let's say from one of the ISP en-route to destination server) could intercept the message in order to decrypt it and log the user's vote?

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted (edited)

Let me elaborate my problem.

I am thinking of making an online polling/voting system. I am a senior software engineer so I can secure the database and the web page from sql injections, xss, csrf and I'm also thinking of a secure system to 'anonymously' identify the user so he/she can vote once, BUT, my main problem is this:

could a haker create some software to hijack the session or .... in order to steal the vote?

Well, if you want to secure your database system against SQL Injection attacks, I would recommend using open source tools, such as SQLMap to attack your web application. If the tool is successful in pentrating your database, you will need to write better code, to address the security problem.

The reason why websites are so vulnerable to these web based attacks, is because they are never 100% tested against these attacks in the first place. If they were, we wouldn't be seeing such an alarming rate of websites being exploited in this matter.

Edited by Infiltrator
Link to comment
Share on other sites
noXTRAs Newbie

noXTRAs

Posted
  • Author
Posted

Infiltrator,

Thanks for the reply, but my problem/question is not the sqlinjection part, but a man in the middle attack or some way in wich a hacker could eaves drop on the connection.

Rephrasing the original question:

What are the ways someone can eavesdrop / change data on a SSL connection by being on-route of the packet or having the user computers infected?

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted

Infiltrator,

Thanks for the reply, but my problem/question is not the sqlinjection part, but a man in the middle attack or some way in wich a hacker could eaves drop on the connection.

Rephrasing the original question:

What are the ways someone can eavesdrop / change data on a SSL connection by being on-route of the packet or having the user computers infected?

Roger brother, thank you for clearing that up. One way to eavesdrop on a SSL connection is using SSLstrip, part of the Backtrack OS. I would suggest reading up on that, if you are not familiar with the utility.

Other methods, would be infecting the client side with a malware to intercept the SSL connection and then decrypt the messages.

Here are some interesting articles for you to read.

http://thehackernews.com/2012/04/90-ssl-sites-vulnerable-to-beast-ssl.html#sthash.cAHE3DbD.dpbs

http://nbnl.globalwhelming.com/2011/09/20/researchers-cracked-ssl-internet-safe-https/

http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...