Wednesday, July 29, 2009

Network Forensics: more than looking for cleartext passwords

My next article will be published in Hakin9 magazine issue 6/2009 available at a good bookstore near you in November. I finished writing it last month but the magazine has a backlog of article contributions.
An excerpt of my soon-to-be available print article.
"Logs and alerts from varied network devices (e.g. firewalls, IPS, routers) report what was blocked. They do not offer Security Analysts sufficient data to ascertain what had taken place because activities that were malicious or suspicious but successful were not logged. This makes an analyst’s job challenging when requested to determine if a breach had occurred and that is where digital forensics plays a crucial role... The evidence that can be acquired from corporate traffic is limitless but is only restricted by the knowledge and imagination of the canvasser as well as the resources made available."

Thursday, July 16, 2009

Session cookie hijacking

I posted about XSS previously. XSS is commonly used by malicious parties to steal session cookies in order to hijack a victim's active session and impersonate them.
For session cookie hijacking to be successful, the victim must already be logged into the application. Next, the victim must be tricked into clicking on a link that invokes the JavaScript which compromises their cookie. In my video, I first display the session cookie using a JavaScript pop-up by exploiting the lack of input validation on the third party's webserver. I then set up a webserver on my local machine and trigger another JavaScript snippet that requests a resource which doesn't exist on my webserver. As a result, the session cookie is recorded in my webserver log.
The high res version of this demo can be downloaded here.


Clickjacking is a social engineering technique where an attacker fools a victim into performing seemingly innocuous click(s), and the victim ends up compromised as a result of their own actions.
Attended Zscaler's seminar today and was pretty impressed by the speaker's presentation and demo. He demonstrated Clickjacking and I decided to make a video of their demo page instead of building my own.
In this specific demo, I use the common tactic of inciting victims to visit a malicious page via email. The victim enters the webpage and is encouraged to click on an "innocent" button. This "innocent" button is just an image* that hides a Google "Create Alert" button underneath. Imagine the damage an actual malicious page containing hidden malicious scripts, code or actions can cause.
* Alignment of the fake button varies from browser to browser.
The high res version of this demo can be downloaded here.

Wednesday, July 8, 2009

When DBAN fails

I am in the midst of transitioning jobs and, being the paranoid person I am, I needed to wipe my office laptop before handing it over. I booted up the laptop using DBAN but it complained about bad sectors and wouldn't perform its job.
What happens when DBAN fails? Time for Plan B. Boot up your machine with any Linux LiveCD. I happened to have BackTrack 3 with me but Ubuntu's installation CD would suffice too. When booted from CD, the LiveCD runs from memory, leaving the hard drive unmounted so it can be securely wiped. Fire up a terminal and use "shred", which is native to most Linux distributions. Voila!!!