Wednesday, April 30, 2008
Types Of Cross-site scripting attacks
We all know that XSS is the most common exploit to be found in any website. However, different forms of XSS have different uses, as i will cover in this post. This ranges from a simple Social Engineering opportunity to a full defacement or possibly remote admin access. The following types of XSS are defined:
Type 1 XSS
Type 2 XSS and
Type 3 XSS.
Their uses are the following:
Type 1 XSS, AKA local XSS:
This form of XSS is rarely mentioned, because it is very hard to pull off and requires knowledge of either browser exploits or local OS html files. For the first scenario, the attacker could use their website to send malicious commands to the local users vulnerable HTML files (look in /WINDOWS, there are HTML files there) that executes some command on the users system.
Type 2 XSS AKA non-persistant XSS:
Type 3 XSS AKA persistant XSS:
This kind of XSS is what is mostly used against guestbooks, forums and other permanent user content pages. When this type of XSS is used it stays on the page and can be used in many ways; stealing cookies, defacing a page, and spreading(the new "XSS worm" phenomenon)
These types of XSS are completely different from each other, and all serve different purposes within hacking.
Securing Your Web Browser
I was reading Roger's Blog and found out a valuable share about Securing Your Web Browser.
It is really an interesting and worth reading guidance by CERT which will guide you how to secure your web browser. It provides the guidance for four popular web browsers Opera, Mozilla, Konqueror and Netscape.
This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity.
You can access the paper by clicking here.
Monday, April 28, 2008
Unlocking Network Knowledge
Packet Analytics' Net/FSE, the network forensic search engine, is the first commercial solution available to network security analysts that are built from the ground up to make network event analysis operations cost effective, faster and more efficient. Net/FSE, available as a free download, brings together event data from network devices and gives security analysts the ability to correlate and analyze billions of events in real time.
Net/FSE gives the security team the ability to collect any type of network event data, including flow data (unlike many SIM and log management solutions) that can be generated by almost every enterprise network router and is essentially a free resource of forensic information. Other valuable information sources for Net/FSE include alerts from IDS, IPS, SIM and NBA, firewall logs, web server logs, authentication logs and database server access logs.
SIMs and log management solutions have partially addressed the needs of network security analysts but such systems are not built to provide analysis capabilities for alert analysis, indepth network forensics or incident response. Net/FSE by Packet Analytics fills the gap in the network security market by bringing cost effective, easy to use network event analysis capabilities to enterprise networks. Net/FSE adds value to an enterprise’s existing tool suite and maximizes the value of these tools by making the organization’s security practitioners more effective in their daily tasks.
Six Dumbest Ideas
Your job, as a security practitioner, is to question - if not outright challenge!
This is a really old article, written by a very well respected security professional back in 2005. Although certainly some points are bang on the button, there’s good chunks of this that simply don’t stand up today. We definetely need to change the six dumbest ideas in Computer Security.
1 - Default Permit. Yes, is certainly correct, although how many times have you actually seen people do this, especially today? This might have been the case in 1999 (perhaps even 2005 when this article was written, but I doubt it), today however pretty much everything respects this ideal - especially firewalls that Marcus points out. The thing missing I suppose is where these default permits are - taking firewalls as an example, ingress default permits are as dead as a dodo now, but egress permits are still wide open from my experience, so there’s a valid point there.
2 - Enumerating Badness. Ah, the old white-list vs black-list. Whenever was this really a good idea? I get the point about anti-virus companies "enumerating badness" with their virus/malware libraries, but this is a bad example
3 - Penetrate and Patch. Once again, a good point, but misses that fact that software is complex and you are never going to get things 100% right. Relying on penetrate and patch for your whole security, bad, having to use it when holes are inevitably found, good. I just love the quote "Unless your system was supposed to be hackable then it shouldn't be hackable" in the article - this sort of assumes the "enumerating badness" argument in that we’ll either design software that can’t be hacked (limit the functionality to things we know work correctly), or we’ll protect the system from "bad" things happening. This assumes that we can tell "good" from "bad" (in contrast from #2, "bad" from "good"), which over time as research gets done we have to shift out knowledge. In the article the example of network being designed not to be hacked is a reasonable one, but it just doesn’t, IMO, work as well in software.
4 - Hacking is Cool. Ah, my favorite point in the whole article. This is the dumbest thing written here. If you think "hacking" is learning a bunch of exploits, then you are seriously mistaken. Hacking, in it’s traditional sense, in learning and understanding a system and then going about making it do things it was never designed to do. Running metaspolit is not hacking. Executing some "script" is not hacking. If (as some of the commenter’s on Digg point out) if wasn’t for "hackers" trying things out on their own systems and telling everyone their findings then we’d have systems (like WEP, web forums, stack/buffer overflow "guards", etc) that we "thought" were secure, but really weren’t. You actually do want to "give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems" because they have knowledge and insights that are rare, that are often not in your organization, and have different views that the people that built/maintain/operate the system. Replacing "hacking is cool", with "engineering is cool" might very well be the way of the future (look up enrolment rates in computer science/engineering degrees to be very disheartened about this "future), but we need hackers to keep pushing the state-of-the-art and the boundary of good vs bad forward.
5 - Educating Users. I’d sort of agree here - one of the things Michael Howard said ages ago was if we had totally secure systems, the attackers would simply go after the users. This point however assumes we can solve all the issues with technology, which clearly we can’t. Attachments is one issue that is a difficult balance between usability (and the ability for people to do the work they have to do, simply), and security. If the balance is incorrect, it either pisses people off, or they work around it. Phishing is another good example where technology just isn’t working (or at least not as well as people would like), but education seems to work. I’d love to think that technology can solve any problem - I’m an engineer after all and sort of have that view built into me. The reality is though that some problems are intractable, at least for now, and we still have to educate users. Otherwise, why do we have driving licenses when we should just wait for the cars that drive themselves? Which is a good link to the final point….
6 - Action is Better Than Inaction. Network guy to CEO - "We’re under attack". CEO to network guy "Hold on, let me think about it for a while". I agree with the "don’t install the latest wizz-bang device/software", but evaluate, gather feedback, trial and slowly deploy argument, but the "do nothing" approach" is just myopic. If it’s possible for you to wait, then by all means wait and do it "properly". In the mean-time though, users are complaining that they can’t do xyz, like connect to the network via their laptops and show the boss something during the 2 minutes they might only have in the hallway. Security guys often find it far to easy to say "no" and cite concerns than to say "yes" for the benefit of the users and figure out what the risk is and try to mitigate it as much as possible.
Thursday, April 24, 2008
Patches Pose Significant Risk
I was reading interesting article on Security Focus about researchers saying that Patches pose significant risk. I quote from this article:
“ When Microsoft releases a patch, what they are saying -- from a security standpoint -- is, 'Here is an exploit.' ” - David Brumley
I personally think that's understood. Of course, when there is new vulnerability available in any software it is actually a exploit. When any organization release the patch for that specific vulnerability - they do states the severity rating as well and in their advisory they clearly state that it should be deployed accordingly to its severity. Now , if the organization doesn't have proper patch management process then why blame Microsoft or specific software vendors?
I don't agree with David Brumley comments. In fact, releasing a patch does pose significant risk but deploying the specific patch in due time also reduce the significant risk.
Well, when we will stop whinging around about the exploits? We should start thinking practically and try to worry about the real problem which is patch management and deployment.
Monday, April 21, 2008
XSS Warning - Security Extension
XSS Warning 0.3.4 protect from:
# Url attack
# Iframe attack
# Http request attack
Unsurprisingly, it warns you of potential XSS attacks on the URL string with a large blocking page. But here are some thoughts.
Firstly, it only works in the case of reflected XSS. While that’s the most common form of XSS, it’s also only one form. Secondly, because it doesn’t generate an alert box, if the XSS is loaded inside of a hidden iframe, the user would never be warned that it failed (also making it easy to check for, incidentally). I encourage everyone to check it out.
Please click here for more details and to download the extension.
Friday, April 18, 2008
The folks at Symantec are concerned about Trojan.Silentbanker, and I can't blame them. This Trojan horse program performs "man-in-the-middle" attacks between users and more than 400 banks. Running on the user's computer, the Trojan monitors the use of Web sites, looking for banks it can manipulate. It reads data coming from the bank and instructions sent by the user, and modifies fields in user instructions such as the account destination of transfers.
In a recent posting on its Security Response blog, Symantec notes that Trojan.Silent-banker can even attack sites that require two-factor authentication (generally in the form of one-time password tokens). Really, this isn't surprising or even all that impressive. Once a Trojan is in the position to intercept and modify form fields, it follows that it could do so with the one-time password, which is just another form field.
This level of compromise requires a malware infection on your PC. Conventional phishing sites, which do not incorporate malware, can attempt to fool you, but they attack only one bank at a time. This particular Trojan has weakness, such as looking at specific addresses for updates, that will help to limit it.
Your best defense ( say it with me, guys) is to keep antivirus software up to date and not to run executables you get from strangers.
Thursday, April 17, 2008
ENABLE WIRELESS ENCRYPTION:
Enabling Wireless encryption is essential otherwise every one within your Radio Frequency (RF) range (and remember the Wireless network world record distance is 125 miles!), at best can capture your traffic compromising surfing habits, gathering usernames and passwords and at worst sharing illegal images or hacking over your Wireless network for which you are legally responsible.
DO NOT USE WEP (WEP is trivially broken)
DO NOT USE A DICTIONARY BASED WORD FOR YOUR WPA/WPA2 PSK
DO USE WPA2 (BEST) or WPA (NEXT BEST) WITH A NON-DICTIONARY PSK
Note: Use AES encryption where you can, it's the strongest available.
DISABLE SSID BROADCAST:
Ensure you disable the SSID broadcast on you Access Point this will hide your Wireless access point from casual WARDRIVERS. While it is still trivial for a proficient WARDRIVER to determine the SSID it makes him/her work that little bit harder and there may be easier targets in the neighbourhood.
ENABLE MAC FILTERING:
Ensure you configure your MAC filters, this will tie your access point down to only those devices with the MAC addresses you specify.
CONS: MAC addresses can be spoofed fairly trivially in both Windows and Linux.
It is essential to keep you Access Points firmware up to date. Vulnerabilities are discovered daily and it could just happen that your Access Point is compromised through a newly discovered exploit this is not restricted to Wireless attacks and may even occur via a wired interface
ENABLE SECURITY FEATURES:
While this may seem obvious ensure all of you Access Points security features have been enabled, many Access Points security settings default to non-enabled for functionality purposes.
CHANGE DEFAULT PASSWORD:
The default password for your Access Point should be changed at the earliest opportunity, to a strong non-dictionary based word to ensure no attackers are able to reconfigure settings.
ENABLE HTTPS :
Management of the access point should be carried out via HTTPS (which is encrypted) in preference to HTTP (which passes traffic in clear text) to prevent your Access Point management username and password from being compromised.
Ensure that logging is enabled (it is too often disabled by default) on your Access Point and check those logs regularly. Logs will hopefully give you an indication of whether or not you have an unwelcome visitor.
I believe that the 7 settings already discussed (if carried out as described) will make your Access Point more than reasonably secure. For the truly paranoid (and we count ourselves among them) however, we have 2 more.
DISABLE THE DHCP SERVER:
Rather than have the Access Point's DHCP server issue wireless clients (which could include a wireless attacker) with all the configuration necessary to join the network (and thus the Internet) we prefer to statically configure these settings on the client. We also prefer to use a IP range that is not easily guessed (i.e. not 192.168.0.X or 192.168.1.X etc.) whist still in the private address range.
POWER OFF WHEN NOT IN USE:
If you're going away for the weekend or on holiday, turn off that Access Point. If its not active, it's not going to be compromised.
Disabling wireless client machines when not is use is equally important. For example an Access Point with no clients can make discovering a hidden SSID truly challenging.
The images displayed are taken from a Linksys WRT54G Wireless Access point and are included as a rough guide as to the settings discussed.
Wednesday, April 16, 2008
XSS - Cross-site scripting
The term XSS gets thrown around a lot. Lot's of people don't quite know what it is though. Basically an XSS attack is a client-side vulnerability where a server does not properly sanitize data inputted to readily accessible forms.
In layman's terms, this generally means that a website will display any information given to it, regardless of its malicious content. This is important because it can be used to fool people into clicking on links to (otherwise) trustworthy sites which will, instead, cause malicious code to be loaded.
For this example, we are going to look at a government website which is vulnerable to XSS in two sites using the input from only one form. This is the website for the New York State Assembly. They have a convenient little page to help search for your representative.
Our target for today is the little box I have highlighted in yellow. Now, zip codes are normally numbers, let's see what happens if we give it deliberately false information. In this case, we tell it our "zip code" is "word"
This is the first sign that there might be an XSS vulnerability. The server is readily displaying our input.
Now, what we want to do is see if we can pass code to it. I generally test this by seeing if I can get it to display
In place of a plaintext output. To do this, we are going to take our previous link (http://assembly.state.ny.us/mem/?zip=word) and change it to our potential XSS link [instead of word we can put script alert('hi') ] please put script between <> and see what that gives us.
Here are some key things to remember about forming a sucessful XSS attack:
1. Forms can often be escaped with a ">
2. Some forms of sanitation can be escaped! Of course, this is often hard to do, it is definitely possible
3. Don't be modest. In a case like this, the form could have been pushed to the point of loading iframes with malicious code and all other kinds of fun stuff
Friday, April 11, 2008
Nokia Mobile Phone Hacking using Bluesnarfing Technique
Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to a calendar, contact list, emails and text messages, and on some phones users can steal pictures and private videos.
With bluesnarf you can:
* Read and delete phonebook entries
* Read and delete SIM card entries
* Make phone calls from target phone
* You can also perform many other action that determined by the phone AT’s commands
How to do bluesnarfing using bluesnarfer tools this the step:
1- You need to discover bluetooth device at your network. you can use BTScanner, just start it.
2- Copy the content of BTScanner into a text base file, this include the BT physical address and the phone name.
3- After discover some potential target. Launch the bluesnarfer!
4- Following are the useful command to launch hacking.
Bluesnarfer -r 1-100 -b xx:xx:xx:xx:xx:xx
-r 1-100 = will show the phonebook entries from 1 until 100
-b xx:xx:xx:xx:xx:xx = attack the device according to the physical address
Please note: This post is for educational purpose only.
Wednesday, April 9, 2008
Tool for Cracking Passphrases on Encrypted SSH Keys
phrasendrescher is a cracking tool used for the purpose of finding the pass phrase for RSA or DSA keys as they would be used by SSH for instance. It performs wordlist and rule based attacks against the key. The tool can be used on multiple keys at once and is known to run on FreeBSD, NetBSD, OpenBSD, MacOS and Linux.
It can run at around 17 000 guesses per second (on my ~2GHz PC at least). It supports dictionary-based guessing, permutations of dictionary words (e.g. l33t) and pure brute force. I'd include an example of it running, but the documentation on the home page is pretty good too, so you may as well read that instead. You can download it from here.
Tuesday, April 8, 2008
Microsoft ad on Security
I was reading pdp's Hakiri - Hacker Lifestyle and found this interesting video.
Monday, April 7, 2008
MAC Hacked in 2 minutes
At the CanSec West conference, at end of March this year, Charlie Miller wins the PWN 2 OWN contest. He was able to hack Apple Air notebook within 2 minutes. I think he was most likely sitting on a vulnerability waiting until the contest.
In other news some swiss guys did a pretty good analysis of the time it takes for Apple and Microsoft to patch there disclosed vulnerabilities. Apple sadly has a ways to go.
Sunday, April 6, 2008
Failures of Disk Encryption
"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.
Even for the best technologies there is always a weak point which must be addressed, in this case Disk Encryption as its weakness. The weakness is that even in memory the keys exist in some readable format, if we can get to it, then it is game over:
Saturday, April 5, 2008
Wireshark 1.0.0 Released
Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Wireshark, the most popular network protocol analysis tool has finally turned to version 1.0.
This released version is not much different than the previous version 99.8 released in Feb 27. Apart from some cosmetic improvement from the previous version this version includes an experimental Mac OS X package.
You can download wireshark 1.0.0 from here
For a more complete list of information about this release, read the official release note here.
Friday, April 4, 2008
Last week, I read some interesting news on an Australian website The Age. A journalist explained that a Russian malware distribution site offered a haul of 1000 spyware-infected Australian machines for 100USD, double the price offered for US machines and 30 times more than those from Asia.
Good and interesting research has been done by Francois Paget of McAfee. For complete details and how the scam works please refer here.
Thursday, April 3, 2008
How To Do Security?
Here you’ll find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more.
Right now it has available Sql injection and XSS modules. Both modules are designed to catch as many vulnerabilities as we can, it's that why the SQL Injection module is a Python port of the great DarkRaver "Sqlibf". The XSS module is made by us, using our library Gazpacho (soon will be released as standalone tool).
The process is very simple, ProxyStrike runs like a passive proxy listening in port 8008 by default, so you have to browse the desired web site setting your browser to use ProxyStrike as a proxy, and ProxyStrike will analyze all the paremeters in background mode. For the user is a passive proxy because you won't see any different in the behaviour of the application, but in the background is very active. :)
Http request/response history
Request parameter stats
Request parameter values stats
Request url parameter signing and header field signing
Use of an alternate proxy (tor for example ;D )
Export results to HTML or XML
Console version (python proxystrike.py -c / proxystrike.exe -c
ProxyStrike v1.0 (Windows)
ProxyStrike v1.0 (Linux/OSX)
Wednesday, April 2, 2008
Researchers dive into memory dumps
Davidoff and Liston created a USB thumb drive that could be plugged into a computer and that would, after the computer was restarted, scan the data left in the computer's physical memory for passwords and other sensitive data. The two researchers created a pair of programs to find the telltale signatures in memory that indicate where a password might be store and called the scripts DaisyDukes because the programs were "very revealing," Liston said.
David mentioned, "The goal here is to see if we can hit an office building in 25 minutes or less and get out with a lot of valuable data".
Attacks aimed at dumping memory using an external drive can be made significantly harder by setting a BIOS password to prevent the system from automatically booting, the researchers said.
Full Article can be read at Security Focus.
My Blog is PCI Certified by Scanless PCI
Jeremiah Grossman has posted a very interesting post about getting PCI Certified for free.
Scanless PCI is faster and less intrusive to deploy, yet is as effective as competitive solutions for a fraction of the cost.
I qoute from Jeremiah's post:
Scanless PCI claims they’ve found a unique (patent-pending) way to certify merchant websites with no-setup, no technology changes, and at absolutely no cost! Sounded too good to be true so I investigated their website. To my amazement I left the site completely convinced that their offering is every bit as effective at stopping hackers as other ASVs we’ve discussed here in the past. Their process was so straight forward I figured there was no excuse for my blog not to be PCI Certified as well. Check out the right side column, compliance was zip zap!
I encourage everyone to jump on board and give the service a try.
Tuesday, April 1, 2008
Working the security drama queens.
The Vista laptop also went down, the fault of Abode. The irony of Adobe being at fault is only compounded by the LookingGlass vendor of the week last week being Adobe. No NX, No ASLR, unsafe libraries, no cookie Adobe.
Only the Mac faithful could take something like a Macbook being hacked and turn it into a commerical for Apple products. It seems as if the Macalope is stumping for a job as Apple's Chief Security Officer or as Obama's running mate, I can't decide which.
"Plus, you hack it, you keep it. So, sure, everyone's trying to hack the Air."
He seems to imply that the only reason people were hacking Macs were they get to keep them. Since not everyone can live without the faux sexiness that is Apple, of course someone will find a way to go home with that hardware. He also goes on to explain the only reason "security researchers" are paying attention to Mac is that they are cool and we are not.