Monday, April 21, 2014

Consuming the Twitter API v1.1

A short tutorial on consuming the Twitter API v1.1 from .NET (C#). With it you can collect tweets and aggregate them for data mining, or build a simple widget for your website that shows your recent tweets or tweets about a particular topic or entity. Here I show a simple way to search for tweets about an entity and display them in a GridView in an ASP.NET application.



Twitter is an online social networking and microblogging service that enables users to send and read short 140-character text messages, called "tweets".

Companies have already started using Twitter, as it is a new way to promote, connect and brand a company.
Why? Connecting with customers, instant feedback, latest news, marketing, and so on.

Why are Twitter analytics important?
Analyzing your followers, your own activity, and what other people are talking about online are all smart ways to make sure you are getting the most benefit out of your social media presence: see what users are saying about your business or products, and monitor Twitter feedback as closely as possible.




Twitter API v1.1 

Twitter bases its application programming interface (API) on the Representational State Transfer (REST) architecture.
By allowing third-party developers partial access to its API, Twitter lets them create programs that incorporate Twitter's services.


Twitter supports a few authentication methods, and with a range of OAuth styles you may wonder which one to use. When choosing an authentication method you should understand how it affects your users' experience and the way you write your application.




Initially Twitter had API v1, which was pretty straightforward: you constructed the URL, requested it, and got the result back as JSON or XML. Many read-only calls did not need authentication at all.

When the API was updated to v1.1, many third-party apps broke because of it.
There are several reasons: every request now has to be authenticated with OAuth, each endpoint has its own rate limit (counted per 15-minute window) to prevent abuse of the service, and XML output was dropped in favour of JSON only.


In this article I shall focus on getting the data of a Twitter home timeline or a Twitter search.

Twitter offers two interfaces for this: the REST API, where your application sends a request and receives a response (you poll for new tweets), and the Streaming API, where you keep a connection open and Twitter pushes matching tweets to you as they happen. This article uses the REST API.


Steps
Create a Twitter account.
Head to dev.twitter.com/apps/ and log in using your Twitter ID and password.

Click the Create a new application button and enter the name and description of your application. The website should be a page where users can find your code but, since you are still writing it, enter your home page URL and change it later. Leave the callback URL blank.



Next, create an access token.
Click the Create my access token button at the bottom of the Details tab on your application's page. You will now see four strings:

•OAuth: Consumer key
•OAuth: Consumer secret
•Token: Access token
•Token: Access token secret

The two secrets are credentials: anyone holding all four strings can act as your account through the API, so treat them like passwords and keep them out of source control.


Now over to Visual Studio.

Make sure you have the NuGet Package Manager; if not, install it from the Extension Manager.

Create an ASP.NET Web Application project.

Go to NuGet Package Manager -> Package Manager Console.

In the console that appears at the bottom of VS, type:
Install-Package TweetSharp

TweetSharp is a Twitter API library that greatly simplifies the task of adding Twitter to your desktop, web, and mobile applications. You can build simple widgets or complex application suites with it.


Inside Main of a console app:

using System;
using TweetSharp;

// In v1.1 every API call must be authenticated, even read-only ones, so all
// four values from the application page are needed. Read them from the
// environment (variable names are my choice) instead of pasting them into source.
string consumerKey = Environment.GetEnvironmentVariable("TWITTER_CONSUMER_KEY");
string consumerSecret = Environment.GetEnvironmentVariable("TWITTER_CONSUMER_SECRET");
string accessToken = Environment.GetEnvironmentVariable("TWITTER_ACCESS_TOKEN");
string accessTokenSecret = Environment.GetEnvironmentVariable("TWITTER_ACCESS_TOKEN_SECRET");

var service = new TwitterService(consumerKey, consumerSecret);
service.AuthenticateWith(accessToken, accessTokenSecret);

// Fetch the authenticated user's home timeline with default options.
// TweetSharp returns null when the call fails (bad credentials, rate limit).
var tweets = service.ListTweetsOnHomeTimeline(new ListTweetsOnHomeTimelineOptions());
if (tweets == null)
{
    Console.WriteLine("Request failed: {0}", service.Response.StatusCode);
    return;
}
foreach (var tweet in tweets)
{
    Console.WriteLine("{0} says '{1}'", tweet.User.ScreenName, tweet.Text);
}

Here the four environment variables hold the keys and tokens we generated earlier on the Twitter website. You can try out this simple console app; it prints the statuses on your current home timeline.
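What AuthenticateWith makes TweetSharp do on every request is OAuth 1.0a request signing. The following Python model, added here and not part of the original post or of TweetSharp, builds the Authorization header for the search call used later in this article and shows the server-side verification that makes the two secrets so sensitive. The credentials (sample-consumer-key and friends) are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Constructed placeholder credentials for the example; they are not real Twitter
# keys. Real values come from the application page on dev.twitter.com.
SAMPLE_CONSUMER_KEY = "sample-consumer-key"
SAMPLE_CONSUMER_SECRET = "sample-consumer-secret"
SAMPLE_ACCESS_TOKEN = "sample-access-token"
SAMPLE_ACCESS_TOKEN_SECRET = "sample-access-token-secret"
SEARCH_URL = "https://api.twitter.com/1.1/search/tweets.json"


def pct(value: str) -> str:
    """OAuth 1.0a percent-encoding: escape everything except the RFC 3986
    unreserved characters (letters, digits, '-', '.', '_', '~'); space is %20."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1: sort the encoded query, body and oauth_* parameters
    (oauth_signature excluded), join them, then glue to method and base URL."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string; the key is both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, request_params, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None):
    """Build the Authorization header a client attaches to every v1.1 request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**request_params, **oauth})
    oauth["oauth_signature"] = sign(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header: str) -> dict:
    """Undo the formatting above; the server needs the fields to recompute."""
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, value = part.partition("=")
        fields[unquote(key)] = unquote(value.strip('"'))
    return fields


def verify(method, url, request_params, header, consumer_secret, token_secret,
           now=None, max_skew=300):
    """Server-side check: recompute the signature and compare in constant time.
    Whoever holds both secrets can forge a valid header, which is why they must
    never ship in source. The timestamp window (plus nonce tracking, omitted
    here) is what limits replay of a captured header."""
    fields = parse_authorization_header(header)
    presented = fields.pop("oauth_signature", "")
    stamp = fields.get("oauth_timestamp", "")
    if not stamp.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(stamp)) > max_skew:
        return False
    base = signature_base_string(method, url, {**request_params, **fields})
    expected = sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Note that the signature covers the method, URL and every parameter, so a captured header cannot be reused for a different query, but it does nothing to protect the secrets themselves: a leaked consumer secret plus token secret is full impersonation of the account until the tokens are regenerated.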


Here is my app:
A simple web app with a GridView to hold the tweets. All tweets that contain "Bruce Wayne" are searched on Twitter and displayed here.



The code:
Default.aspx.cs

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.UI;
using TweetSharp;

namespace Tweetz
{
    // One row of the GridView: the three tweet attributes we bind.
    public class TweetAttribs
    {
        public string imageUrl { get; set; }
        public string userName { get; set; }
        public string tweetText { get; set; }
    }

    public partial class _Default : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Only call the API on the first load, not on every postback;
            // search/tweets is rate-limited per access token in v1.1.
            if (IsPostBack)
            {
                return;
            }

            // Credentials come from <appSettings> in Web.config, which stays out
            // of source control, rather than from string literals in the page.
            var service = new TwitterService(
                ConfigurationManager.AppSettings["TwitterConsumerKey"],
                ConfigurationManager.AppSettings["TwitterConsumerSecret"]);
            service.AuthenticateWith(
                ConfigurationManager.AppSettings["TwitterAccessToken"],
                ConfigurationManager.AppSettings["TwitterAccessTokenSecret"]);

            var options = new SearchOptions { Q = "Bruce Wayne" };
            var tweets = service.Search(options);
            if (tweets == null)
            {
                // TweetSharp returns null on failure; service.Response holds the
                // status code and rate-limit headers for diagnosis.
                return;
            }

            var tweetsList = new List<TweetAttribs>();
            foreach (var tweet in tweets.Statuses)
            {
                tweetsList.Add(new TweetAttribs
                {
                    userName = tweet.User.ScreenName,
                    imageUrl = tweet.User.ProfileImageUrl,
                    tweetText = tweet.Text
                });
            }

            GridView1.DataSource = tweetsList;
            GridView1.DataBind();
        }
    }
}

note: The keys in the original listing were sample strings pasted straight into the source. In the version above they are read from Web.config appSettings instead (the setting names TwitterConsumerKey, TwitterConsumerSecret, TwitterAccessToken and TwitterAccessTokenSecret are this article's own choice). Generate your own on dev.twitter.com, keep the config file with the real values out of source control, and if a secret ever leaks, regenerate it from the application page.

Default.aspx
        <asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False">
            <Columns>
                <asp:ImageField DataImageUrlField="imageUrl" HeaderText="Pic">
                </asp:ImageField>
                <asp:BoundField DataField="userName" HeaderText="ScreenName" />
                <asp:BoundField DataField="tweetText" HeaderText="Tweet" />
            </Columns>

        </asp:GridView>

So with just a few lines of code, and some major help from TweetSharp, we fetched the information we wanted. TweetSharp simplifies things a lot.

Two things to keep in mind before shipping this: the GridView's BoundField HTML-encodes cell text by default, which is what stops a crafted tweet from injecting script into your page, so do not set HtmlEncode="False" on the Tweet column; and search/tweets is limited to 180 requests per 15-minute window per access token, so cache the results rather than calling the API on every page load.

Sunday, April 20, 2014

Getting over the Heartbleed

Not the love life, the life Online

The simple explanation:
Heartbleed lets an attacker read a chunk of a server's memory (up to 64 KB per request) that may contain its encryption keys, unencrypted passwords, site data and so on, while leaving no trace. You would not know it hit you.



What can the end user do?
Check whether the providers/websites you are a member of have patched the Heartbleed bug.
Here is the list of websites that have been affected by the Heartbleed bug.
Once a site is patched, change your password there. Changing it before the fix is in place only hands the new one to the same leak.



Android users: update your phones.

In detail:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.
One library that implements TLS is OpenSSL.

Roughly two-thirds of active websites run web servers (Apache and nginx) that use OpenSSL, so knowingly or unknowingly you have probably been exposed. Only OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected; the 0.9.8 and 1.0.0 branches never had the heartbeat code.

Setting up a TLS session is expensive, so keeping an idle one alive without a full renegotiation is useful, and for DTLS (TLS over UDP) there is no TCP keep-alive to tell you whether the peer is still there.
So the OpenSSL developers implemented the heartbeat extension (RFC 6520, added in OpenSSL 1.0.1): a way for either side to ask "are you still there?" and get an answer. These "keep-alive" messages are known as "HEARTBEATS".


How does the HEARTBEAT work?
A heartbeat message is a 1-byte type (request or response), a 2-byte payload_length, the payload itself, and at least 16 bytes of padding. Suppose you send a request whose payload is "you there man", 13 bytes, with payload_length 13. The server stores the message in memory, copies payload_length (13) bytes starting at the payload, and sends them back in a response. You get "you there man" back, so you know the connection is still alive.


The FLAW: Heartbleed
The OpenSSL library never checked that the payload_length in the heartbeat matched the length of the payload actually received. The sender can put any value up to 65535 (64 kilobytes) in that field regardless of the true size of the payload.
So the attacker sends a heartbeat request claiming a 64 KB payload while actually sending 13 bytes. The server copies 64 KB starting at the payload: the 13 real bytes, then whatever happens to follow in its heap. That can include private keys, session cookies, usernames and plaintext passwords, and other users' request data, since the heap holds whatever the server was working on.
Nothing in the request looks abnormal, so default server logs record nothing, and the attacker can repeat it as often as they like, each time reading a different slice of the server's memory.
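To make the missing check concrete, here is a small Python model of the heartbeat handler, added to this post and not OpenSSL's own code: the vulnerable version copies payload_length bytes out of the buffer exactly as described above, the patched version applies the bounds check that 1.0.1g added, and a detection rule flags requests whose claimed length cannot fit in the record that carried them. The "neighbouring heap" content is constructed sample data. The same handler runs on a client that receives heartbeats, which is why the bug works in reverse too.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2      # HeartbeatMessageType (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding after the payload

# Constructed stand-in for whatever the process heap held just after the buffer
# the record was read into. Made-up sample data, not taken from any real host.
NEIGHBOURING_HEAP = (
    b"\x00" * 40
    + b"Cookie: session=8f3a9c71; user=alice&password=hunter2\r\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
    + b"\x00" * 64
)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. A benign peer lets payload_length equal the
    real payload size; a Heartbleed probe claims a length far larger than it."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def _echo(payload: bytes, payload_length: int) -> bytes:
    """HeartbeatResponse carrying whatever was copied, padded as the RFC asks."""
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """Model of OpenSSL 1.0.1 to 1.0.1f: copy payload_length bytes from the
    payload onward, trusting the length the sender wrote into the message.
    `memory` is the record followed by adjacent heap; `record_length` is
    deliberately unused, as the real code ignored the received record length."""
    hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # over-read happens here
    return _echo(payload, payload_length)


def patched_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """Model of the 1.0.1g fix: check that the header, the claimed payload and
    the minimum padding all fit inside the record actually received; otherwise
    silently discard the message (RFC 6520 section 4)."""
    if HEADER_LEN + MIN_PADDING > record_length:
        return None
    hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return _echo(memory[HEADER_LEN:HEADER_LEN + payload_length], payload_length)


def response_payload(response: bytes) -> bytes:
    """What the requester gets back once the header and padding are stripped."""
    _, payload_length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + payload_length]


def is_heartbleed_probe(record: bytes) -> bool:
    """Network-side detection rule: a heartbeat request whose claimed payload
    cannot fit in the record that carried it. Legitimate peers never send one."""
    if len(record) < HEADER_LEN:
        return False
    hbtype, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    return hbtype == HEARTBEAT_REQUEST and HEADER_LEN + payload_length + MIN_PADDING > len(record)


def deliver(record: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Hand one record to both handlers as if it sat in front of NEIGHBOURING_HEAP."""
    memory = record + NEIGHBOURING_HEAP
    return vulnerable_handler(memory, len(record)), patched_handler(memory, len(record))
```

A benign 13-byte request is echoed identically by both handlers. A request that claims 0xFFFF bytes gets its 13 bytes back from the vulnerable handler followed by the neighbouring heap (here the constructed cookie and key fragment), while the patched handler returns nothing at all, and the detection rule flags it because 3 + 65535 + 16 cannot fit in a 32-byte record.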


The CURE:
"Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2."
-- Official Statement
Check whether your site is affected using this tool by LastPass.

Site operators need to treat their private TLS keys as compromised: generate new keys, have new certificates issued, and revoke the old ones, because there is no way to tell whether you were hit; the attack leaves no trace. After that, invalidate active sessions and have users change their passwords.

Android users on 4.1.1 Jelly Bean need to update their phones (better to update all Android devices irrespective of version). Download Lookout's Heartbleed Detector or Bluebox's Heartbleed Scanner apps, both of which will tell you whether your Android device is affected by the bug.

Change your passwords on affected websites, once they are patched, to genuinely new ones; tweaking a letter of the old one is no change at all if the old one leaked.

Even VPNs are suffering from Heartbleed: OpenVPN links against OpenSSL, so the server needs new keys and you will have to regenerate the client certificates. http://www.pcworld.com/article/2144962/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html

Don't stop there. Even after applying the vendor's patch, anything exposed before the patch stays exposed until it is rotated, and everyone is checking for related problems (so should you). A few have been found already, like Reverse Heartbleed.


Reverse Heartbleed
The Heartbleed bug (CVE-2014-0160) can be used to attack clients as well as servers, because the same heartbeat code runs at both ends of a connection. Many organizations have hosts which initiate outbound SSL connections (pulling updates, fetching images, or pinging webhook URLs). These hosts are often on separate infrastructure (with different SSL dependencies) inside the organization's firewall, and a malicious server they connect to can send heartbeats back at them.
This is the tool to check for it: https://reverseheartbleed.com/

Reverse Heartbleed is trickier for the attacker, who has to get your client to connect to a server they control. It is fixed by the same patch: once the OpenSSL library on the client host is updated, both directions are closed.


This bug has been around for 2 years: the heartbeat code shipped in OpenSSL 1.0.1 in March 2012 and the flaw was disclosed on 7 April 2014. It was found independently by Neel Mehta of Google and by Codenomicon. There are claims that no attackers knew about it before the researchers did, and counter-claims that intelligence agencies such as the NSA did (which the NSA denied).
The race is on to find the next bug, and there is a reward too. http://www.theregister.co.uk/2014/04/16/open_ssl_crowdfunding/

Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections. 

