Twitter activated vending machine - VIVA Eid Social Media Activity


What do kids love the most about Eid?
It's definitely not the food nor the new clothes... It's the Eidiya that they look forward to.

For those who don't know what an Eidiya is: it is the money children receive from elder members of the family & their adult relatives on Eid. Read more about it here: Eid-ey-yah

How can we turn this traditional/religious event into a social media activity & mesh it with the real world? With a Twitter vending machine that dispenses gifts/Eidiya once a user follows the official Twitter account of VIVA Bahrain @VIVA_BH and tweets their favourite moments of Eid.

So how does it work?

All that is required is a data-enabled smartphone & a public Twitter account. Parents had to follow the instructions on screen, which basically involved sending an Eid greeting tweet with the #VIVAEidiya hashtag & a dynamic number that appears on screen.

Once the tweet is sent, the machine looks for that tweet & dispenses a box that has an Eidiya in it.

Different denominations (20, 10, 8, 5, 3, 2 & 0.5 Bahraini Dinars) were placed randomly in the Twitter vending machine, so no one would know how much is inside the box until they opened it.

The video was shot @ Bahrain City Centre, the venue where the machine is/was placed.



Online Security Crash Course - Part 1

I am not a security expert nor a hacker, but I've had my share of attacks since 1996.

This post is surprisingly not about computer viruses or trojan horses; it's rather about internet & web application security. It will help you understand the new/old tricks hackers use to gain control of or access to private personal information & how to secure yourself against them.

It's worth noting that I won't be getting technical; this post is meant for general internet users.

I'll split this post into two parts:

Part One

  • XSS & CSRF (aka the twin evils)

Part Two

  • WordPress Security & SQL Injection
  • Your router & the cafe's

XSS ( Cross Site Scripting )

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS Demonstrated

What does it look like?

www.examplesite.com/index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-examplesite.com/";}</script>
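As an added example (not the post's own code), here is the server side of the URL above: a Python stand-in for index.php that reflects the name parameter unescaped, beside the version that HTML-encodes it so the injected script is shown as harmless text. The sample URL is constructed from the one in the post.

```python
import html

# Constructed sample URL, modelled on the reflected-XSS example in the post
SAMPLE_URL = (
    'http://www.examplesite.com/index.php?name=<script>window.onload = function() '
    '{var link=document.getElementsByTagName("a");'
    'link[0].href="http://not-real-examplesite.com/";}</script>'
)


def name_param(url: str) -> str:
    """Return the raw value of the ?name= parameter (everything after 'name=')."""
    # A real server would also URL-decode this; the sample is not percent-encoded.
    return url.partition("?name=")[2]


def render_vulnerable(name: str) -> str:
    """What a naive index.php does: drops the untrusted value straight into the page,
    so the browser parses the <script> tag and runs the attacker's code."""
    return f'<h1>Hello {name}</h1>\n<a href="/account">My account</a>'


def render_safe(name: str) -> str:
    """Same page with output encoding: html.escape turns < > & ' " into entities,
    so the value is displayed literally and can no longer break out into markup."""
    return f'<h1>Hello {html.escape(name, quote=True)}</h1>\n<a href="/account">My account</a>'


def contains_live_script(page: str) -> bool:
    """Crude check on rendered output: is there an executable <script> tag in it?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    injected = name_param(SAMPLE_URL)
    print("vulnerable page runs script:", contains_live_script(render_vulnerable(injected)))
    print("hardened page runs script:  ", contains_live_script(render_safe(injected)))
    print(render_safe(injected))
```

Encoding untrusted data at the point where it meets HTML is the developer-side fix; browser filters and NoScript are only a fallback for the user.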

 

What harm does it do?
Depending on the payload & the exploitable site, with XSS an attacker can:

  • Steal your cookie & impersonate you
  • Send a friend request to a stranger
  • Like a page
  • Follow a stranger on Twitter
  • Show a fake login page
  • Basically, perform any action the site lets you perform

Did you know that XSS is as old as the browser?

 

Real life story:
Samy is my hero. In 2005 Samy Kamkar released the Samy worm; execution of the payload resulted in a "friend request" automatically being made to the author of the worm, and in messages containing the payload being left on the profiles of the victim's friends.

 

Protection & Prevention:

  • Unfortunately, XSS is a flaw on the website/code/server side, so only the site's developers can fix it; luckily, modern browsers have some basic protection against XSS attacks.
  • Also have a look at NoScript
Firefox XSS warning

 

Read more about XSS http://www.veracode.com/security/xss

 

 

CSRF (Cross-Site Request Forgery)

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.

An attack could be embedded as a hidden iframe, form or image source on popular sites.

I'd describe it as a silent XSS: it's a 100% genuine request coming from the victim's browser, so no antivirus, web protection software or browser filter can detect this attack.

 

What does it look like?

<img src="https://bank.example.com/withdraw?account=myAccount&amount=1000000&for=EvilAccount">

Note: you won't be able to spot the code above during an attack, as it sits in the page's HTML source (view source).

What harm does it do?

  • Request a bank account transfer
  • Add an email forwarder
  • Place an online order
  • Limitless other activities

 

Real life story:

In 2007, Google suffered from a CSRF attack where the attacker could add a filter that forwards emails to a specific/another email address (an email forwarder), for example forwarding all emails that have attachments.

When was the last time you checked your email forwarders?

Protection:
You are on your own in this! As explained earlier, CSRF requests look far too legitimate for the web browser's filters to spot & stop, so the site owner/developer has to use a technique called (anti-CSRF) tokens to stop this attack; there are of course several ways of doing so on the server side.
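As an added example (not the post's own code, and not how any particular bank does it), the token technique in Python: the server binds a random nonce to the user's session with an HMAC and refuses state-changing requests that don't carry it. The /withdraw endpoint and the requests are constructed stand-ins for the image-source example above.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads it from configuration, not source code
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str) -> str:
    """Issue a token tied to this session: random nonce + HMAC(secret, session:nonce).
    The server embeds it in its own forms; an attacker's page cannot read or forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for the presented nonce and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, presented = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


def handle_withdraw(request: dict) -> str:
    """Stand-in for the bank's /withdraw endpoint; request = {"method", "cookies", "params"}."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    # A hidden <img src=...> can only issue a GET, so state changes must require POST
    if request.get("method") != "POST":
        return "405 transfers must be POSTed"
    params = request.get("params", {})
    # The cookie is attached by the browser automatically; the token is not, which is the point
    if not verify_csrf_token(session_id, params.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {params['amount']} to {params['for']}"


# Constructed forged request: the victim's browser fetching the post's <img> while logged in
FORGED = {"method": "GET", "cookies": {"session": "sess-abc"},
          "params": {"account": "myAccount", "amount": "1000000", "for": "EvilAccount"}}


def legitimate_request(session_id: str) -> dict:
    """A request from the bank's own form, which carries the token the server issued."""
    return {"method": "POST", "cookies": {"session": session_id},
            "params": {"account": "myAccount", "amount": "50", "for": "Landlord",
                       "csrf_token": make_csrf_token(session_id)}}
```

The forged request fails twice over (wrong method, no token), while the same parameters posted from the bank's own form succeed.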

If you are done with your logged-in bank account session, just log out; the same goes for other sites, & steer away from saving passwords.

Try using two different browsers (or a VM): one for sensitive web applications such as banks, email & social networks, & one for general browsing.

Also try not to click on links from untrusted sources & untrusted websites.

Read more about CSRF http://www.veracode.com/security/csrf

It's worth mentioning XHR (XMLHttpRequest) based attacks, which give attackers another surface for pushing various requests at servers, carrying anything from SQL injection to XSS; many well-known websites such as the BBC, Yahoo, PollDaddy, MySpace & more have suffered & are still suffering from this (sort of) silent attack.

What I have discussed is a little bit scary: silent attacks are not noticeable. It's not like someone has changed your email password or hacked your Twitter account; the hackers get the feed of your entire life without you knowing it.

 

Bonus content: ClickJacking

 

Stay tuned for Part 2!

Resources:

  • http://en.wikipedia.org/
  • https://www.owasp.org
  • http://www.veracode.com/

PollDaddy unlimited voting hack 2012 video

Based on Alex's post on RustBrick's website back in 2009, I was able to find a way to crack the new code/algorithm set by PollDaddy.

I am not going to publish how the hack works, but I will show you a quick video demonstrating the attack in action.

For those who don't know, PollDaddy is a popular online poll creator.


Monitoring your brand online with mention - mention.net

I recorded the following quick screencast to show you how to monitor your brand or certain keywords using mention.net.

 


Don't fall for this scam on linkedin

Have you been receiving many (above the norm) add/invitation requests on LinkedIn? Is it a project manager or an HR manager who works at a fancy company in the UAE (Cisco, HP, Du etc.)?

Then look out, because they are just a few scumbag scammers with an agenda.

See the screenshot of the invitation below, what do they all have in common?

Linkedin scammers
  • They don't have a profile picture (duh)
  • They are all project managers or HR managers who have worked at either Cisco, Du or Siemens
  • They are all located @ the UAE
  • They are all former cricket players; some have passed away already too (look up their names)

Another example: see Edward Finsh's profile below, an HR Manager @ Cisco?

Now I looked up his name on the internet & I also looked up his profile picture; it matched another profile on Twitter (Lee Strauss), & then I looked him up again on LinkedIn. Tada:

Lee Strauss

Weird, huh? Why would multiple fake accounts originated by the same group add you on LinkedIn?

What is in it for them?



How Adobe Digital Editions ruined my digital reading experience

I'll be honest with you, I am not a fan of reading books digitally; to me it doesn't replace reading real books with real paper that has its own scent with each page flip.

Yet I have formed this habit of buying digital books that "might" be interesting rather than wasting space on my shelf; if it turns out to be an awesome book I will continue reading it on my iPad, Nexus, or even my Mac, since it's just a PDF file which I can carry with me everywhere... A very simple user experience, unbelievably effective; I can even bookmark pages with iBooks.

To cut the story short, I was interested in one of the books provided by Wiley, but I wasn't sure if the book was good enough to get a printed version, so I decided to get the digital edition, checked out and downloaded the file.

At the beginning I thought "what the heck is this file?" (I sort of expected a PDF); instead I got an ACSM file. I went back to the email they'd sent and tried looking for instructions; I even downloaded the file again to see if I had missed any useful instructions on how to read the damn book. It turned out I needed something called Adobe Digital Editions (thank you Google & this forum post), which I have installed, & I am gonna tell you why I hate this experience:

  1. It's not a PDF
  2. I had to install an application
  3. I had to register to be able to use the application (I had problems getting registered)
  4. I had to import the file & download the ebook
  5. The viewport was awful & there's a lot of content to read in a single slide, 3 - 4 pages
  6. The application is awfully slow
  7. A super lag that will help ya skip chapters without realising it

Perhaps Wiley has done this for a reason, & that's to protect their books from getting shared for free, AKA piracy.

I managed to form a habit, a legal way to read digital books that I might not have bought in their paper (hardcover, paperback) form, so Wiley, be wise & roll this ACSM back, or others might just as well "drop that habit" & seek alternatives.

Tip:

How to convert ACSM to PDF :)


VIVA Bahrain new website - Homepage

VIVA got a new look!

We have spent a fair amount of time researching, gathering requirements, translating designs & delving into usability best practices for this project. I am now proud to announce that we have launched our new revamped website @ viva.com.bh. I have highlighted below some of the new features that have been introduced with this release.

This is not the end; we have introduced way more features on our new website, so go have a look yourself @ viva.com.bh & remember, this is just the beginning ;)


how to approach twitter for business

The art of using twitter for business

Many social media resources suggest that you should invest more in your social media optimization programs, yet they don't tell you much about how to cater such platforms to your business needs. They would perhaps show you how to register a Twitter account, put up a Facebook fan page or a YouTube channel & maybe show you some (videos of) successful campaigns run by others... but then what?

If you are a designer, let's say a web designer, you open up your sketch book to start brainstorming and putting ideas together to come up with some sort of wireframes for the project you are working on.
But hang on, you won't be able to do so without a sitemap - meh! In order to get a sitemap you'll have to dig out requirements from the stakeholders; having that in mind will also help in exploring your project's goals & objectives...

Before jumping into the social media wildlife you should put yourself in the visitor's shoes & think like a customer: what is in it for me to join, what is your value proposition? If you haven't thought of it yet, then start gathering ideas on how to approach it...

Get to know your customers & what they really want.

I came across this lovely infographic on what makes people want to follow a brand; if you look close enough you'll notice that the reasons are close & almost similar between Facebook & Twitter.

Using Twitter for business is not limited to marketing and promotional activities; depending on the size of your business/organization there are many ways that you could utilize Twitter, and different departments such as retention, HR & CSR can benefit from social media.

I attended a social media forum in Abu Dhabi a few years ago, and it seemed that everyone agreed that there is not a single blueprint on how to approach social media, but now as I think of it there is actually a simple prototype, which I have named "the 3 important pillars of social media marketing":

how to approach twitter for business

 

The outer circle represents the categorized type of tweets and the inner ones represent its activities.

  1. Sales & Marketing
    This could be anything from your marketing activities & programs, engaging social media campaigns such as hashtags, or a simple boring push notification.
  2. Customer Centric
    Could span from customer support to news about your customers; simple "how to" tips or video screencasts would be nice to have as well.
  3. General Info
    PR related tweets, press releases, humanized interactions, personal info etc ...

 

The same can be applied to Facebook; however, you might need to consider a different interaction strategy, since Facebook & Twitter are not the same & as a result you might find that your Twitter audience is different from your Facebook audience ... OK, I'll keep that for another post perhaps. :)

I'm all up for a discussion.

 


SproutSocial Review - A Social Media Monitoring tool

Sproutsocial - what is it?

It is an awesome social media monitoring tool that supports various social media platforms such as Twitter, Facebook & LinkedIn...

SproutSocial features:

  • Organize & access social networks in one place
  • Advanced search options: reach more customers & prospects & find out what they want
  • Get the tweet bubble history; get to know what was previously communicated
  • Analytics & advanced statistics
  • and much more.

Watch my review below (I was editing the sound and I somehow managed to find a new voice ;) )
Funny that it was founded in 2009, but to me it's totally new!


My Gmail's first "welcome email"

Thought I'd share the first email I got from Gmail while it was in beta back in 2004.

Gmail is different. Here's what you need to know.

Gmail Team <gmail-noreply@google.com> to me
9/6/04

First off, welcome. And thanks for agreeing to help us test Gmail. By now you probably know the key ways in which Gmail differs from traditional webmail services. Searching instead of filing. A free gigabyte of storage. Messages displayed in context as conversations.

So what else is new?

Gmail has many other special features that will become apparent as you use your account. To help you get started, we encourage you to visit our Help Center, there you can browse frequently asked questions, read our Getting Started guide, or contact the Gmail User Support Team. You'll also find information in the Help Center on such topics as:

  • Importing your contacts from Yahoo! Mail, Outlook, and others to Gmail
  • Using address auto-complete
  • Setting up filters for incoming mail
  • Using advanced search options

You may also have noticed some text ads or related links to the right of this message. They're placed there in the same way that ads are placed alongside Google search results and, through our AdSense program, on content pages across the web. The matching of ads to content in your Gmail messages is performed entirely by computers; never by people. Because the ads and links are matched to information that is of interest to you, we hope you'll find them relevant and useful.

We're working hard during our limited test to improve Gmail and make it the best webmail service around. Thanks for taking the plunge with us. We hope you'll enjoy Google's approach to email.
Thanks,

The Gmail Team

P.S. You can sign in to your account any time by visiting http://gmail.google.com