New version of iPwnedCheck is in the App Store! Adds breach details and other enhancements

Version 1.3 has been released and is in the App Store.

Enhancements:

  • Click on a breach name to get more details
  • Internationalized date formatting
  • Removes autocapitalization/autocorrection when adding sites
  • Checks for duplicate usernames/emails already tracked

Get it at-

https://itunes.apple.com/us/app/ipwnedcheck/id826895005

Posted in Ruby, Security

iPwnedCheck is in the App Store! It’s an #ios app that queries @haveibeenpwned by @troyhunt

I’m excited to announce that iPwnedCheck is now in the iOS App Store! It’s an iOS app that uses the haveibeenpwned.com API to query multiple usernames/email addresses against http://haveibeenpwned.com.

Get it here-

https://itunes.apple.com/us/app/ipwnedcheck/id826895005?ls=1&mt=8

Please let me know if you have any comments/questions/complaints!

Posted in Ruby, Security

Unauthorized Access

Dear Friend from 175.126.111.48,

Please stop trying to log in to this site.

Thanks,

Management

Posted in Security

PwnedCheck updated to also check for Snapchat

PwnedCheck is a ruby gem that I wrote that checks an email address, phone number, or username against the new site by Troy Hunt called haveibeenpwned.com. His site aggregates data from breaches and allows you to check to see if your data has been compromised. Use it as follows-

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 4 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
# mralexgray is a user id in snapchat
list = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com', 'mralexgray']
 
list.each do |item|
  begin
    sites = PwnedCheck::check(item)
    if sites.length == 0
      puts "#{item} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{item} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{item} --> #{e.message}"
  end
end

Output:

foo@bar.com --> Adobe
foo@bar.com --> Gawker
foo@bar.com --> Stratfor
foo232323ce23ewd@bar.com --> Not found on http://haveibeenpwned.com
foo.bar.com --> Not found on http://haveibeenpwned.com
mralexgray --> Snapchat

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.

Posted in Open Source, Ruby, Security

PwnedCheck passed 1000 downloads!

I’m so excited. My first experiment with creating and publishing a Ruby gem seems to have been successful! As of this post it’s been downloaded 1069 times in the past 4 days. PwnedCheck is a Ruby gem that I wrote that checks an email address against the new site by Troy Hunt called haveibeenpwned.com. His site aggregates account data from breaches and allows you to check whether your email address appears in any of them. Use it as follows-

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 3 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
addresses = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com']
 
addresses.each do |address|
  begin
    sites = PwnedCheck::check(address)
    if sites.length == 0
      puts "#{address} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{address} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{address} --> #{e.message}"
  end
end

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.

Posted in Open Source, Ruby, Security

New ruby gem to access @haveibeenpwned.

So, I decided to figure out how to create a ruby gem and decided to start with a simple gem that checks an email address against http://haveibeenpwned.com.

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 3 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
addresses = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com']
 
addresses.each do |address|
  begin
    sites = PwnedCheck::check(address)
    if sites.length == 0
      puts "#{address} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{address} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{address} --> #{e.message}"
  end
end

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.

Let me know what you think!

Posted in Ruby, Security

Testing #WordPress cache plugins. What’s the best?

So far have tried-

  • W3 Total Cache
  • WP Super Cache
  • Hyper Cache
Posted in Wordpress

#ruby code to access the @haveibeenpwned api.

This is just some Ruby I whipped up really quickly to access the API of haveibeenpwned.com, which is a cool new site by Troy Hunt that aggregates breach data and allows you to search for your email address.

I think the code is pretty self-explanatory, but comment or send me a line if you have questions/suggestions/criticism/etc!

require 'mechanize'
require 'addressable/uri'
 
agent = Mechanize.new
 
# One account per line. File.foreach closes the file when the loop finishes.
File.foreach('addresses.txt') do |line|
  line = line.chomp
  next if line.empty?
  begin
    # The original unauthenticated endpoint this post was written against. The
    # current API lives under /api/v3/ and requires hibp-api-key and user-agent headers.
    target = "http://haveibeenpwned.com/api/breachedaccount/#{line}"
    page = agent.get Addressable::URI.parse(target)
  rescue Mechanize::ResponseCodeError => e
    # Mechanize raises for non-2xx responses. The API reports "no breaches" as a
    # 404 and a malformed account as a 400, so both are normal outcomes here.
    case e.response_code
    when '404'
      puts "#{line} => Not Found"
    when '400'
      puts "#{line} => Bad Request"
    else
      puts "#{line} => #{e.message}"
    end
  else
    # Runs only when agent.get succeeded: the body is a JSON array of breach names.
    puts "#{line} => #{page.body}"
  end
end
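The script above, like the PwnedCheck gem posts earlier on this page, talks to the original unauthenticated endpoint. What follows is an added example of mine, not the post's code and not the PwnedCheck gem, written against the current v3 API using only the Ruby standard library. The v3 API requires an hibp-api-key header (a key is obtained from haveibeenpwned.com) and a user-agent header, answers 404 for "not in any breach", 401 for a missing or bad key, 403 for a missing user agent and 429 with a Retry-After header when a client is rate limited. The module name HibpClient, the user agent string PwnedCheck-example, the HIBP_API_KEY environment variable and the single retry on 429 are assumptions of this example; the JSON body in the comments is constructed, not captured from the service.

```ruby
require 'net/http'
require 'uri'
require 'json'

module HibpClient
  BASE = 'https://haveibeenpwned.com/api/v3'.freeze

  # Percent-encode an account for use as a path segment. A '+' or '@' left raw
  # would change the meaning of the path, and a space must become %20, not '+'.
  def self.percent_encode(s)
    s.gsub(/[^A-Za-z0-9_.\-~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # Build the request. truncateResponse=false asks for full breach records
  # instead of the default name-only list. User agent string is an assumption.
  def self.build_request(account, api_key, user_agent: 'PwnedCheck-example')
    uri = URI("#{BASE}/breachedaccount/#{percent_encode(account)}?truncateResponse=false")
    req = Net::HTTP::Get.new(uri)
    req['hibp-api-key'] = api_key
    req['user-agent'] = user_agent
    req
  end

  # Map a response to a result hash without raising, so a batch run over many
  # accounts never dies halfway because one lookup was rate-limited or malformed.
  # headers is expected with lower-case keys, as Net::HTTPResponse#to_hash gives them.
  def self.interpret(code, body, headers = {})
    case code.to_i
    when 200
      breaches = JSON.parse(body)
      { status: :pwned, breaches: breaches.map { |b| b['Name'] }, raw: breaches }
    when 404 then { status: :not_found, breaches: [] }
    when 400 then { status: :bad_request }
    when 401 then { status: :unauthorized }
    when 403 then { status: :forbidden }
    when 429
      { status: :rate_limited, retry_after: (headers['retry-after'] || '2').to_i }
    else
      { status: :error, code: code.to_i }
    end
  rescue JSON::ParserError
    { status: :error, code: code.to_i, detail: 'unparseable body' }
  end

  # Perform the lookup over TLS; retries once after a 429, honouring Retry-After.
  def self.lookup(account, api_key)
    req = build_request(account, api_key)
    2.times do
      res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |http| http.request(req) }
      result = interpret(res.code, res.body, res.to_hash.transform_values(&:first))
      return result unless result[:status] == :rate_limited
      sleep result[:retry_after]
    end
    { status: :rate_limited }
  end
end

# Usage: HIBP_API_KEY=... ruby hibp_client.rb foo@bar.com other@example.com
# Constructed 200 body the interpreter handles: [{"Name":"Adobe","BreachDate":"2013-10-04"}]
if $PROGRAM_NAME == __FILE__ && ENV['HIBP_API_KEY'] && !ARGV.empty?
  ARGV.each do |account|
    r = HibpClient.lookup(account, ENV['HIBP_API_KEY'])
    puts "#{account} --> #{r[:status] == :pwned ? r[:breaches].join(', ') : r[:status]}"
  end
end
```

Keep the 404 branch in mind when porting the gem: an empty result is a normal HTTP error from this API, not a failure, and a client that raises on every non-2xx will report "not found" and "rate limited" as the same thing.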
Posted in Code, Ruby | 1 Comment

Fun with C++ – Placement New

So, for some reason in the last few days I’ve been thinking about the old days of when I was a developer and really into C/C++. One of the things that I found interesting was placement new. In a nutshell it’s a way that you can instantiate a new object, but specify where in memory it will go. There are some interesting cases where it’s necessary such as cases where you might try to optimize by pre-allocating a bunch of memory and then re-using it. Kind of managing your own memory space. Anyway, this example shows how it’s done.

 1  #include <cstdio>    // printf
 2  #include <cstring>   // strncpy, memset
 3  #include <cstddef>   // size_t
 4  class Foo
 5  {
 6  public:
 7    Foo() { strncpy(message, "Hello, World", sizeof(message)); }   // copies the NUL too
 8    void * operator new (size_t, void * p) throw() { return p; }  // placement new: allocate nothing, use p
 9    void operator delete (void *, void *) throw() { }             // matching placement delete: nothing to free
10    void printMessage() { printf("message is - %s\n", message); }
11  private:
12    char message[13];
13  };
14  
15  int main()
16  {
17    char buf[sizeof(Foo)];
18    memset(buf, 0, sizeof(buf));
19    Foo *f = new((void *)buf) Foo();
20    printf("address of buf - %p\n", (void *)buf);
21    printf("address of f - %p\n", (void *)f);
22    printf("contents of buf - %s\n", buf);
23    f->printMessage();
24    buf[0] = 'h';
25    f->printMessage();
26    f->~Foo();
27    return 0;
28  }

Line 8 defines the placement form of operator new. It allocates nothing: it simply returns the address the caller passed in, and the compiler then runs the constructor at that address.
Line 9 defines the matching placement operator delete. It does nothing because no memory was allocated; the compiler calls it only if the constructor on line 19 throws.
Line 17 creates a buffer that is the size of a Foo object. Foo contains only chars, so a char array is adequately aligned; a class with wider members would need an alignas(Foo) buffer.
Line 19 instantiates a Foo object, but uses the buffer as the address where the object will be constructed.
Lines 20 and 21 print the addresses of the buffer and of f (the new object). They are the same.
Line 22 prints the contents of buf, which is “Hello, World”. This is the value of the message member inside the object.
Line 23 prints the message.
Line 24 changes the first character in buf to ‘h’. This changes it within f as well, because f and buf are the same bytes.
Line 25 shows that it changed.
Line 26 explicitly calls the destructor. That must be done when using placement new; delete f would be wrong, since the storage came from the stack and not from an allocator.

That’s about it! The example created a buffer, created an object in that buffer, changed the buffer, and showed that the object changed. Fun stuff!

Running it on my machine shows-

address of buf - 31fbe0
address of f - 31fbe0
contents of buf - Hello, World
message is - Hello, World
message is - hello, World
Posted in Code

What is X-Frame-Options?

X-Frame-Options is an HTTP response header that tells the browser whether, and from which origin, the document in that response may be rendered inside a frame (<frame>, <iframe>, <object> or <embed>). Framing, combined with window positioning and layering tricks, is the basis of an attack called clickjacking, in which a user is tricked into clicking something other than what they see. For more information see https://www.owasp.org/index.php/Clickjacking.

There are 3 options for X-Frame-Options-

  • DENY. This tells the browser that the page should never be framed.
  • SAMEORIGIN. This tells the browser that the page can be framed within a page that is from the same origin.
  • ALLOW-FROM uri. This tells the browser that the page can be framed only by pages from the specified origin (a single origin, not a list). Support for this directive was never universal and current browsers ignore it; a site that needs to allow framing from specific origins should use the frame-ancestors directive of Content-Security-Policy instead.

This site, for example, is set to SAMEORIGIN. So in effect, a page on this origin can be framed by another page on this origin, but not by a page on any other origin.

Most browsers support the header. When a page tries to frame a document whose policy forbids it, the browser refuses to render the framed document and shows an empty frame (about:blank) or an error instead. A browser that doesn’t understand the header simply ignores it, so users on such browsers get no protection from it.

Another mechanism you might see as a clickjacking mitigation, aimed at the same goal, is “frame-busting JavaScript”. This is script in the page that checks whether it is running in the top-level window (i.e. not framed) and, if it isn’t, navigates the top-level window to itself. Because it runs client-side it has several weaknesses: it does nothing when JavaScript is disabled, it can be stripped if the response is modified in transit, and the framing page can neutralise it, for example by loading the victim page in an iframe with the sandbox attribute, which prevents the framed document from navigating the top window.
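To make the three directives concrete, here is an added Ruby example of mine, not code from this post or from this site, that models the decision a browser makes for each directive and provides a Rack-style middleware that sets the header on every response. The module name XFrameOptions, the sample origins blog.example, trusted.example and evil.example, and the middleware’s default of SAMEORIGIN are assumptions of the example; the decision model also assumes a browser that honours ALLOW-FROM, which current browsers do not. The middleware uses only the call(env) contract, so it runs without the rack gem installed.

```ruby
require 'uri'

module XFrameOptions
  # Reduce a URL to its origin: scheme, host, port. Two URLs are same-origin only
  # when all three match, which is the comparison a browser makes for SAMEORIGIN.
  def self.origin(url)
    u = URI.parse(url)
    raise ArgumentError, "no scheme/host in #{url.inspect}" unless u.scheme && u.host
    [u.scheme.downcase, u.host.downcase, u.port]
  end

  # Parse a header value into [directive, origin_or_nil]. Returns nil for anything
  # that is not one of the three defined forms (e.g. ALLOWALL, or two values
  # joined with a comma): browsers ignore unrecognised values, so such a header
  # gives no protection at all, and a deploy check should treat it as missing.
  def self.parse(value)
    return nil if value.nil?
    directive, rest = value.strip.split(/\s+/, 2)
    return nil if directive.nil?
    case directive.upcase
    when 'DENY', 'SAMEORIGIN'
      rest.nil? ? [directive.upcase, nil] : nil
    when 'ALLOW-FROM'
      rest.nil? ? nil : ['ALLOW-FROM', origin(rest)]
    end
  rescue ArgumentError, URI::InvalidURIError
    nil
  end

  # Model the browser's decision: may a document served with header_value from
  # page_url be rendered inside a frame whose top-level document is framer_url?
  def self.allow_framing?(header_value, page_url, framer_url)
    parsed = parse(header_value)
    return true if parsed.nil? # missing or malformed header: the browser frames freely
    directive, allowed = parsed
    case directive
    when 'DENY' then false
    when 'SAMEORIGIN' then origin(page_url) == origin(framer_url)
    when 'ALLOW-FROM' then allowed == origin(framer_url)
    end
  end

  # Rack-compatible middleware: adds the header to every response unless the
  # application already set one (header names are matched case-insensitively).
  class Middleware
    def initialize(app, value = 'SAMEORIGIN')
      raise ArgumentError, "invalid X-Frame-Options value: #{value.inspect}" if XFrameOptions.parse(value).nil?
      @app = app
      @value = value
    end

    def call(env)
      status, headers, body = @app.call(env)
      headers = headers.dup
      already_set = headers.keys.any? { |k| k.to_s.casecmp('x-frame-options').zero? }
      headers['X-Frame-Options'] = @value unless already_set
      [status, headers, body]
    end
  end
end

# Usage with a minimal Rack-style application (constructed for the example).
if $PROGRAM_NAME == __FILE__
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hello</p>']] }
  _status, headers, _body = XFrameOptions::Middleware.new(app).call({})
  puts "header set: #{headers['X-Frame-Options']}"
  puts "evil.example may frame us: #{XFrameOptions.allow_framing?(headers['X-Frame-Options'], 'https://blog.example/post', 'https://evil.example/')}"
end
```

The middleware rejects an invalid value at construction time rather than at request time, because a misspelt directive is silently ignored by every browser and would otherwise ship as a header that looks protective and is not.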

Posted in Security