What Good is Sharing Security Keys along with Downloads - security

Sometimes I see a list of keys along with a download that I believe are meant to verify if a downloaded file is legit. For example here
http://cdimage.ubuntu.com/releases/12.04/release/
There are SHA1 sums at the end of the download page.
I assume the process is: you download the file, then verify it using these sums. However, if someone hacked the page and installed a modified version of the download files, wouldn't they change the SHA sums as well? Then what is the purpose of sharing the sums / keys along with downloads?

"That they can also be used to verify the integrity of the dl, check if your file wasn't corrupted, and to verify authenticity of remote mirrors" are good enough for me.

Related

why download apk file is buffered and gives user old version

We host our landing page on Azure and it is for users to download an Android apk file. This landing page is an HTML file. Here is the markup for users to download:
download here
It all worked fine until now. Users have started to complain that the app they downloaded does not work properly. But when we tested, it worked fine.
Finally we found out that, although the link is
http://www.[mysite].com/android/[MyAndroidApp].apk
sometimes when a user clicks it, it goes to
http://101.44.1.131/cloud/223.210.55.28/files/9216...636//www.[mysite].com/android/[MyAndroidApp].apk
This is a buffer and holds an old version of our app!
Can anyone tell me why this happens and how I can prevent it from buffering our old version?
How often do you update this apk file?
May be a caching issue, but not sure exactly.
Have you tried using Azure storage? Upload the file on there, and then link directly to it.
Should cost you less in the long run and not cause any buffering/cache issues
I would suggest you try to put version numbers after your filename. This is also a good practice for .js files. A problem is very often that it's cached and the cache not updated correctly. It's a general problem in the web.
So. Try to put version numbers after the file name, and let us know if this works.
Thank you all for your suggestions.
We have found the reason. Looking at the redirect URL, it is actually that some ISPs cached our apk files. They are doing this so that they can save themselves money and bandwidth. This is a common practice in some countries and is well documented.
How evil it is.
Our solution is thus to change the file name every time we deploy a new version.

Automate variable values during compilation

I am working on a big team (around 15) on a web application that uses Google captcha. As you might know, a public and a secret key associated with a URL are necessary.
We have multiple environments where we test our work. Therefore, to have a valid captcha, we need multiple Google keys for our captcha.
The problem is that when we commit our work, many of us modify these keys, and when we deploy, the captcha does not work because we have put in an invalid value.
I am looking for a way to automate this and solve this problem. I have thought of two ways:
Put them as global variables when we start our nodeJS app, but it is a very big string to remember, so it is easy to get it wrong when we write them.
Automate it with Jenkins, but I am not sure if it is good practice to add it in this step (I am thinking of making a shell script that replaces a value in the code, i.e. CAPTCHA_KEY).
I don't like either of these ideas, so I am open to hearing new options.
Add the keys using environment variables on your machine.
A good example of this can be found in this link: Storing Keys
This is also good practice because you should not be committing and pushing the keys to the repo. It is best to add any file with private information to .gitignore so that these keys are not stored with the project. If the project were ever compromised, whoever obtains the code would not have the keys because they would not be stored in the repo.

How to check on webpage that user has original(not modified) addon installed?

As I'm aware that client-side data should never be trusted, I'd like to ask if there is a way to verify that a guest has my browser addon installed and that it is not modified by someone else.
My idea would be:
1. Store unique keys on my server that are issued on installation
2. Save them to addon storage
3. Check against those keys on visit
4. Change those keys inside the addon on a time basis with each addon update.
EDIT:
As #nmaier said in a comment, the user could get the key/keypair and provide them to a modified addon.
If they provided it manually each time then I probably couldn't do much about it.
I am thinking of blocking a modified addon from automatically updating itself.
So I have two questions:
1. Could modified addon sniff communication by original one (to extract the keys)?
2. Is browser data storage accessible by standalone .exe program or is data encrypted?

How do you check the integrity of downloaded open source files?

I would like to start checking that the open source projects that I am using in my apps are what the developers released. I noticed that many projects have SHA1 and MD5 digests; presumably these can be easily tampered with, for example if a hacker replaces the original zip file on a mirror they can also replace the .md5 and .sha1.
How can I check the integrity of third party open source libraries that I depend on?
I think there is no trusted way for this, since the hacker may change the source files and their (md5 or sha1) files. He simply may replace the whole project with another one.
So, download the source from trusted sites such as sourceforge and code.google.com and codeproject and mirrors recommended by these sites.
Typically for an open source project, although it is open to all to download and modify themselves, the ability to actually change the uploaded files is restricted to certain individuals governed by the project owner.
A good example is https://github.com/thecodemine/formwizard, where you can see a read-only link, but cannot modify directly unless authorised.
However you can fork the project to your own account and modify as you wish, for example https://github.com/AlexKey/formwizard
I'm also guessing that on large open source projects, like Linux distributions for example, even code / files uploaded by authorised individuals will also go through stringent reviews before official release.
A hacker of course, on compromising a system, could change files at will, but this isn't a weakness of an open source model but instead could be a problem for any project.
Also things like Code signing help detect unauthorised modification.
http://en.wikipedia.org/wiki/Code_signing
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.
You have not Googled your question. If you do so you'll get a lot of content about it. The link below will teach you how to check the integrity of a downloaded file.
https://help.ubuntu.com/community/HowToMD5SUM
You may also check the following link, which shows that it is very difficult to modify or replace the .md5 and .sha1 files.
Here's the link.
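Added example (not part of the original threads on this page): a Python sketch of the check that both download-integrity questions above describe, parsing a checksum list in the sha1sum/md5sum layout and comparing downloaded bytes against it. The file names, contents and helper names are constructed for illustration.

```python
import hashlib
import hmac
import re

# One list line: "<hex digest><space><space or *><filename>", the layout
# written by md5sum/sha1sum/sha256sum.
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_manifest(text):
    """Return {filename: (algorithm, lowercase hex digest)}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) not in ALGO_BY_HEX_LEN:
            raise ValueError(f"malformed manifest line {lineno}")
        digest, name = m.groups()
        entries[name] = (ALGO_BY_HEX_LEN[len(digest)], digest.lower())
    return entries


def verify(name, data, manifest):
    """Return 'ok', 'mismatch' or 'unlisted' for the downloaded bytes."""
    if name not in manifest:
        return "unlisted"  # a file with no entry is never treated as a pass
    algo, expected = manifest[name]
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample data (not real release files).
GOOD = b"constructed stand-in for an ISO image\n"
MANIFEST_TEXT = (
    f"{hashlib.sha1(GOOD).hexdigest()} *example-desktop.iso\n"
    f"{hashlib.sha256(GOOD).hexdigest()}  example-server.iso\n"
)
MANIFEST = parse_manifest(MANIFEST_TEXT)

if __name__ == "__main__":
    print(verify("example-desktop.iso", GOOD, MANIFEST))
    print(verify("example-desktop.iso", GOOD + b"x", MANIFEST))
    print(verify("other.iso", GOOD, MANIFEST))
```

The result is only as trustworthy as the channel the list arrived over, so fetch it from the project's own site rather than from the mirror that served the file.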

I'm finding rogue code included in my HTML page head -- how did it get there and how do I stop it?

My major weakness is securing my sites -- I know, a bad weakness.
I have a site now that when I view the source in Firebug, I'm seeing all kinds of scripts with the src of http://mylocksmithusa.com/sitebuilder/acura2002.php -- but they're not in my files that I can find. How did they get there, how can I find them, how can I remove them, and how do I stop them from happening again?
Similarly, another site of mine keeps having its index.php file rewritten, mostly just having some of the code erased and then a bunch of <iframe>jareqjj93u8q2u35w</iframe> gibberish added to the bottom.
My FTP passwords are very secure -- should I change them and hope it stops? Or is there more to it that I just don't understand about locking down my sites from this kind of dangerous abuse?
Thanks!
Looks like you've been a victim of a SQL injection attack or trusting unsanitised input from your query strings.
If files are being physically appended to there's also the chance that you've got some code on your site that allows file uploads without checking a user is authenticated and/or doesn't check the type of file being uploaded. This would allow a miscreant to upload a script to modify every file on your site and add these links.
A common source of the iframe-addition attacks is infected client computers leaking their FTP passwords. So you need to check both the server and any clients you have used to connect to it for malware, before changing the passwords. (And preferably changing to SFTP; nobody should still be using FTP in 2009.)
Don't just assume your machines aren't infected because you're running anti-virus software. Today's AVs are pathetically, hopelessly behind the malware writers. Take multiple opinions and if an AV finds anything don't trust it to fix the problem, because chances are it will fail, potentially leaving infections present. Instead reinstall the OS.
In the first case with the HTML seemingly added at serve-time, the server itself may be infected and need reinstalling. Either way, get them off the web until you're sure they're cleaned.
You are asking us how someone popped your site and the only honest answer is "we don't know".
Check FTP and other services, check your code for where you get input (cookie, querystring, post params etc.), but the most likely is that you installed an old, known vulnerable version of WordPress or some webapp and a roving worm found it and exploited it.
My site was attacked the same way too: <script src=http://mylocksmithusa.com/sitebuilder/acura2002.php></script>. After I checked it, apparently almost all of my .js files were appended with document.write([the script above]) on the last line. Additionally, almost all .html files were appended with an iframe just after the <body> tag (and then the last few lines in the files were removed), and several of the .php files in my site got appended with eval([super long codes]) at the beginning of the file.
After cleaning up the files, yesterday I changed my FTP password, and today the site isn't hacked anymore (before, every few hours the files would be changed). So I suspect some worm or something already got access to your FTP. What you can do is change the FTP password and take your site offline for a while, until you have cleaned up the files.
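Added example (not part of the original thread): a Python sketch that flags the three symptoms described in the last post when auditing a site's files, namely document.write of a script tag on the last line of a .js file, an iframe directly after <body>, and eval() at the start of a .php file, plus script tags loading from hosts outside an allow-list. The sample files, host names and allow-list are constructed placeholders.

```python
import re

# Heuristics for the symptoms described in the post above.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
IFRAME_AFTER_BODY = re.compile(r"<body[^>]*>\s*<iframe\b", re.I)
PHP_LEADING_EVAL = re.compile(r"\A\s*<\?(?:php)?\s*eval\s*\(", re.I)


def scan(name, text, allowed_hosts):
    """Return a list of findings for one file's contents."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower()
    lines = text.rstrip().splitlines()
    last = lines[-1].lower() if lines else ""
    if ext == "js" and "document.write(" in last and "<script" in last:
        findings.append("js: document.write(<script>) on last line")
    if ext in ("html", "htm", "php"):
        if IFRAME_AFTER_BODY.search(text):
            findings.append("html: iframe directly after <body>")
        low = text.lower()
        if "<html" in low and "</html>" not in low:
            findings.append("html: no closing </html>, file may be truncated")
    if ext == "php" and PHP_LEADING_EVAL.search(text):
        findings.append("php: eval() at start of file")
    for host in SCRIPT_SRC.findall(text):
        if host.lower() not in allowed_hosts:
            findings.append(f"script loaded from unlisted host: {host.lower()}")
    return findings


# Constructed sample files; hosts and names are placeholders.
ALLOWED = {"static.mysite.example"}
SAMPLES = {
    "menu.js": "function nav(){}\n"
               "document.write('<script src=\"http://injected.example/a.php\"></script>');\n",
    "index.html": "<html><body><iframe src=\"http://injected.example/\"></iframe>\n<p>Hi</p>\n",
    "config.php": "<?php eval(\"/* constructed placeholder */\");\n$debug = false;\n",
    "clean.html": "<html><body><script src=\"https://static.mysite.example/app.js\">"
                  "</script></body></html>\n",
}


def scan_all():
    """Scan every constructed sample and return {filename: findings}."""
    return {n: scan(n, t, ALLOWED) for n, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(name, found or "clean")
```

These are pattern heuristics for triage, so a clean result does not show that a file is unmodified; comparing against a known-good copy of the site is the stronger check.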
