In this tutorial, I demonstrate how to set up a splash screen for your RCP application. Though it’s a simple task, it needs some subtle things to pay attention to for it to work correctly.
In this tutorial I demonstrate how to get started with Eclipse RCP, a wonderful framework for developing cross-platform rich-client applications. Please keep an eye on my channel for more videos on RCP framework to come. Also choose 720p resolution in the video for maximum clarity.
Dangerously stupid online security practices followed by some financial institutions in India (Birla Sun Life and Indian Bank) that enable reverse-brute force attacks
The username-password pair is a powerful method for authentication – but only when used correctly. Today I demonstrate a case which sadly some of the aforementioned Indian-based financial institutions follow, which would enable an attacker to successfully carry out identity theft. In other words, the online security measures (or lack thereof) employed by these institutions enable an attacker, without having to resort to complicated hacking techniques, to obtain the complete set of valid usernames in the bank’s database, which they could later use to carry out a reverse-brute-force attack on these sites.
Brute force and reverse-brute-force attacks:
Brute-force attacks are a familiar kind, where the attacker tries a myriad of passwords from a carefully crafted dictionary against one username, hoping that the user would have chosen one of the words in this dictionary as a password. I don’t want to go much into the details of brute-force attacks as there are dozens of articles available on the web about the same. Attempts to ward off brute-force attacks include forcing the user to choose passwords of longer lengths with a mixture of alphanumeric characters and symbols and so on. Another attempt would be to block the username after a certain number of unsuccessful logon attempts.
However, reverse-brute-force attacks are of an entirely different kind. Here, the attacker has the entire list of valid usernames (which the bank happily gives away by employing some stupid security measures, as described in the following section) and one most commonly used password is tried against this complete set of usernames. This type of attack does not get the username blocked, as the attacker tries only one password against each username and the same password against all the usernames. Moreover, if the bank does not enforce a strong password policy, it makes it much easier for the attacker to get working combinations of username and password within a few hours, which he can later use for malicious purposes.
The case with the login screen of Birla Sun Life mutual fund and that of Indian Bank.
As you can see, these financial institutions do not ask for the username-password pair at the same time. They first ask for the username and if it’s correct then ask for the password. It cannot get easier than this for an attacker, since the page would notify the attacker of invalid usernames. This would enable the attacker to try all possible usernames (in case of Birla Sun Life it’s normally a 10 digit number and in case of Indian Bank it’s a 9 digit number). With this basic information, an attacker could write a very simple script, using web programming libraries like PERL::LWP, for example, and automate the entire task of fetching valid usernames.
Once the set of valid usernames is obtained, the attacker just needs to try one or two of the most commonly used passwords (such as 123456 or the word password, for example) against all the valid usernames they have collected. The probability that the attacker gets at least a few working combinations is very high, given the fact that the number of people who use weak passwords is very high. To make matters worse, sadly, one of the above two sites (Birla Sun Life) does not even enforce strict rules on passwords. It even allows the user to have a password as tiny as a 4-digit number. And a huge majority of the users are very likely to have a 4-digit number as their password, because it is initially sent in a PIN-mailer to the customers by the institution and the website does not enforce a strong password policy. Given the fact that the attacker now has the complete set of working usernames (happily given out by the website, as mentioned above), trying a 4-digit number against all these usernames highly increases the odds of getting at least a few valid username and password pairs.
Until a few weeks ago it was only Indian Bank who had this stupid security practice, but now even Birla Sun Life, for some reason, has chosen to adopt this highly flawed security(?!) practice. Perhaps they need to outsource the job to some establishment that really understands Internet security, rather than outsourcing to some establishment that employs science graduates for their cheap labor. As you can see in the warning messages, the login screen prompts the benign user/attacker to enter a valid username first so that it would allow him further to the password section. It cannot get more attacker-friendly than this.
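The point above is that per-username lockout never fires against a reverse-brute-force (one password, many usernames) attack, so detection has to key on the client rather than the account. The following added example (my own code, not from the post or either bank) runs two detections over a constructed login-audit log: the classic per-username failure counter, and a per-source count of distinct usernames touched within a sliding window, which catches both the username-enumeration phase and the spraying phase. The log format and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (not from the page): time, client IP,
# stage ("user" = username prompt, "pass" = password prompt), username, result.
SAMPLE_LOG = """\
2010-03-01T10:00:00 198.51.100.5 user 1000000009 ok
2010-03-01T10:00:05 198.51.100.5 pass 1000000009 fail
2010-03-01T10:00:12 198.51.100.5 pass 1000000009 fail
2010-03-01T10:00:20 198.51.100.5 pass 1000000009 fail
2010-03-01T10:01:00 203.0.113.7 user 1000000001 fail
2010-03-01T10:01:01 203.0.113.7 user 1000000002 ok
2010-03-01T10:01:02 203.0.113.7 user 1000000003 fail
2010-03-01T10:01:03 203.0.113.7 user 1000000004 ok
2010-03-01T10:01:04 203.0.113.7 user 1000000005 ok
2010-03-01T10:02:00 203.0.113.7 pass 1000000002 fail
2010-03-01T10:02:01 203.0.113.7 pass 1000000004 ok
2010-03-01T10:02:02 203.0.113.7 pass 1000000005 fail
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (user|pass) (\S+) (ok|fail)$")
def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, stage, user, result = m.groups()
            events.append(dict(ts=datetime.fromisoformat(ts), ip=ip,
                               stage=stage, user=user, result=result))
    return events
def per_username_lockout(events, threshold=3):
    """Classic brute-force control: usernames with >= threshold failed passwords."""
    fails = defaultdict(int)
    for e in events:
        if e["stage"] == "pass" and e["result"] == "fail":
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}
def spraying_sources(events, window=timedelta(minutes=10), min_users=5):
    """Reverse brute force: one client touching many distinct usernames in a window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}  # ip -> peak number of distinct usernames seen inside one window
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

On the sample log the lockout rule only catches the legitimate user who mistyped three times, while the per-source rule flags the client that walked five different usernames; the thresholds are illustrative and should be tuned to real traffic.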
I’m writing this because some brilliant developer who designed the IDBI Bank internet banking site does not allow it to be accessed from Firefox or Chrome. I wish he someday grows up and realizes that Internet Explorer is not the only browser and Windows is not the only operating system around. Sigh! Ok let’s proceed now.
I’ve found a way of accessing it using Google Chrome after a lot of trial and error. The good thing is that the hack is really simple.
Just use the following command line to start Chrome and you will be able to log on to your IDBI Bank account
/opt/google/chrome/google-chrome --enable-plugins %U --user-agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
Instead of having to type this each and every time, you can also permanently add this parameter in the Menu Editor, so that Chrome always starts with this switch and you’ll be able to access your IDBI Bank account from it.
I have already posted a detailed how to on installing Google Chrome on openSuSE and making changes to the menu editor. It can be found in the below link
Please leave a comment if this tutorial was helpful to you.
This tutorial helps you with installing Canon LBP2900 (or any other LBP series) printer on openSuSE 11.2 (or any other version of openSuSE). Note that you need to install Ghostscript before you may proceed with this installation. Open YaST, search with the keyword ghostscript and install the package. After the installation of Ghostscript is over, proceed to the below steps. Before you begin the installation you need to disable auto-configuration of USB printers in YaST. To do this, open YaST > Printer > Autoconfig Settings and select No Automatic Configuration and select OK.
- Download the driver file for Canon LBP printers from here (scroll down to the bottom and you can see a .gz file)
- Let us assume that you have downloaded this file to your home folder. Extract the zip file.
- Execute the following commands in the same order
# Enter the root password when prompted
sudo su -
# The exact names of the RPM files given below may vary
# depending upon the version you have downloaded
rpm -ivh cndrvcups-common-1.90-1.i386.rpm
rpm -ivh cndrvcups-capt-1.90-1.i386.rpm
- Restart CUPS
- The next step is to register the printer (PPD) with the spooler. But before going to this step some symbolic links need to be created, and this was not mentioned in the tutorials. Please follow the steps given below.
# shut down CUPS
/etc/init.d/cups stop
# Make fifo0 accessible to all
chmod 777 /var/ccpd/fifo0
# Make root the owner of fifo0
chown root /var/ccpd/fifo0
# start CUPS
/etc/init.d/cups start
# If you attempt to register the PPD files without creating the symbolic
# links mentioned below, you might get this error:
# "bad device-uri "ccp:/var/ccpd/fifo0"!"
# create symbolic links in lib64 to the backend and filter folders
# in /usr/lib/cups
ln -s /usr/lib/cups/backend/ccp /usr/lib64/cups/backend/
ln -s /usr/lib/cups/filter/* /usr/lib64/cups/filter/
# !!! Important !!! Enter the appropriate PPD file name in the command
# below. If your model is, say, a Canon LBP3200, use the PPD file that
# matches that model instead of CNCUPSLBP2900CAPTK.ppd, and
# register the PPD
/usr/sbin/lpadmin -p LBP2900 -m CNCUPSLBP2900CAPTK.ppd -v ccp:/var/ccpd/fifo0 -E
# If you get the error "bad device-uri "ccp:/var/ccpd/fifo0"!" while registering,
# make sure that you created the symbolic links as mentioned above
- Connect the printer on the USB port and turn it on. Do this before you proceed to the next step
- Find out the Printer Device path by typing
- Please note that you will only be able to find the device path if you have connected your printer to the USB port and turned it on
- Now register the printer in the CCPD daemon setup file by typing
# Enter the name of your printer and the right device path.
/usr/sbin/ccpdadmin -p LBP2900 -o /dev/usb/lp0
# and start the CCPD daemon
/etc/init.d/ccpd start
- Congratulations. Your printer has now been configured successfully. To start the CCPD daemon at boot time, open /etc/init.d/ccpd, add the following comment block starting at the third line of the file, and save it.
### BEGIN INIT INFO
# Provides: ccpd
# Required-Start: $local_fs $remote_fs $syslog $network $named
# Should-Start: $ALL
# Required-Stop: $syslog $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start Canon Printer Daemon for CUPS
### END INIT INFO
- Register the printer in the CCPD daemon
This tutorial helps you create an encrypted partition on your fixed or portable hard drive that can only be accessed by unlocking it with the password that you entered at the time of creation. You might not need a tutorial for this, but if you want to access the encrypted CRYPTO_LUKS partition both from Windows and from Linux this tutorial can help you.
For the purposes of this tutorial, I assume the following
- You have a new 500GB (just for example) external hard drive, in which you’d like to have two partitions of 250 GB each, one normal and the other one encrypted with CRYPTO_LUKS. This is not an absolute requirement. You can apply this same tutorial on fixed drives, portable drives, thumb drives and so on.
- You have some version of openSuSE installed on your machine. (You don’t need it to be openSuSE actually. You can use the KDE Partition Manager on any Linux platform or you can even do it from a bootable version of KDE Partition Manager available on sourceforge.net)
- Open the YaST Control Center and open Partitioner
- In the Partitioner, you will see the list of hard drives found on your machine. If you have an external hard drive, connect it before opening partitioner
- Point to your external hard drive and if there are already partitions on it delete it. (Before deleting it backup any data that might be present on it as the data will permanently get erased)
- Now right click on the hard disk and select “add partition”. Let’s say you want this partition to be a normal NTFS partition that can be accessed both from Windows and from Linux
- Select primary partition and click on next
- Select custom size and enter 250 GB
- On the next screen, select “Do not format partition” and under the check box “File System ID” select “0x07 NTFS” and click on finish. You may later need to log on to windows and format this partition with windows without enabling compression (or you’ll not be able to access it from Linux).
- Now in the partition manager, right click on the external hard disk once again and select “add partition” and select “primary partition” in the next screen and click “next”
- Now select “Maximum size” in the “new partition size” and click “next”.
- Choose the option “Format partition” and under the “File System” select “Ext4” and click on the check box Encrypt device and click “Next” and enter a password. (Do not forget this password)
- After you have entered a password you’ll be back in the partition manager and now click on “Next” and you’ll get a summary of the changes. Confirm the changes if you agree by clicking Finish (Warning: This action cannot be undone)
- Wait for some time while the Partition Manager performs the requested tasks.
- Now if you are using openSuSE, you’ll be able to access both the partitions from Dolphin. But wait, in order to make it accessible both from Windows and Linux you need to follow the below steps
- To make it accessible from windows log on to Windows and connect the external hard drive
- Now on windows you’ll be shown only the non-encrypted partition. Format it once using NTFS but don’t enable compression (or you won’t be able to access it from Linux)
- Now in order to access the encrypted CRYPTO_LUKS partition on Windows you need an open source tool called FreeOTFE, which can be downloaded from here
- After you have installed FreeOTFE on Windows, open it and select Mount. There you’ll see all the disks on your system. Find out which is your external hard drive and there you’ll be able to see the encrypted partition.
- Click on it, enter the same password that you entered in Step 10 and mount it.
- You’ll get the notification that “your partition has been mounted as drive <some drive letter here>”. Acknowledge this message box and only then will you be shown the partition on windows explorer.
- Now open the windows explorer and double click on the encrypted partition you just mounted using FreeOTFE.
- You will be asked to format it. Format it using NTFS now for once without enabling compression.
- Hereafter you can mount the partition using FreeOTFE and access it from windows. Don’t forget to unmount it on FreeOTFE before you shut down or before you remove your disk. This is very essential.
- Now log on to Linux and click on the encrypted partition, enter the password and you’ll be able to access it from there. If you had copied some files to the encrypted partition while you were on Windows, you’ll be able to access them from Linux.
I hope this long tutorial helps.
You can also use the steps mentioned here to create a single encrypted partition on thumb drives that can be accessed both from Linux and from Windows using FreeOTFE. Please drop your comments if my tutorial was very confusing or if you find it useful.
You might sometimes want to check a web page frequently to see if there’s any update on it. Some websites don’t provide RSS feeds of their updates and users are left with no option but to manually visit them every time. Don’t lose hope, there’s a handy Firefox add-on that can do just that. It’s called Update Scanner.
It’s very simple to use and screenshots of this add-on are present in the above mentioned link. This add-on is really handy when you want to check if your examination results are out on a website. Instead of manually opening the website every 5 minutes you can use this add-on to do it for you. In India, people who appear for Chartered Accountant exams and endlessly wait for their delayed results would find this add-on really useful.