Kernel patching

Upgrading to a new kernel version is necessary from a security perspective, but it inevitably adds a new entry to Grub. You can remove those redundant entries by:
  1. Launching "Synaptic Package Manager".
  2. Searching for "Linux kernel image".
  3. Checking "Mark for complete removal" for the kernel versions you no longer need.
  4. Clicking "Apply".
Update: there is a variation on my earlier recommendation.

Secure your cookies

In light of the publicity created by Firesheep, HTTPS Everywhere has been updated to force the Secure flag on the cookies websites use to authenticate their users.
I finally tested Firesheep. It is painfully easy to use for hijacking sessions. Here I start Firesheep on a Windows machine (via RDP) and log into Facebook on an Ubuntu system. As seen in the screenshot, Firesheep quickly captures the cookie of that session and permits easy access to the active account.

Blacksheep

Security vendor Zscaler has released a tool named Blacksheep to warn users when a machine running Firesheep is present. It doesn't mitigate session hijacking, but it raises an alarm that a malicious party is in close proximity.

Firesheep

Session hijacking is nothing new; early tools such as Ferret already supported this attack. This Firefox extension, Firesheep, has simplified the attack.
I can't wait for the Linux version to be released so that I can play with it. Ways of avoiding becoming a victim of session hijacking are:
  1. Using encrypted wireless networks.
  2. Using a VPN tunnel over insecure wireless networks.
  3. Using full HTTPS sessions. HTTPS Everywhere is one tool that automates the use of HTTPS for popular websites like Facebook.
  4. Being wary of links sent via email or instant messaging.

Bruteforcing analysed

The concept behind the article "Learning from bruteforcers" in issue 27 of (IN)SECURE Magazine is simple but I appreciate the author’s thorough analysis and trending.
Easily one of the most interesting articles that I have read in a long time.

"Prey: A new hope"

A combination of inspiration from reading about the tool, Prey, and an email from Hakin9 mag's editor prompted me to write a new article.
An excerpt from my new article:
"Misplaced your laptop or had it stolen? You are not alone. Dell and the Ponemon Institute collaborated on a study with 106 United States airports as well as over 800 business travelers to ascertain the frequency with which laptops are lost in airports."

Prey

Ever worried about your laptop getting lost? There's a program called "Prey" that can ease your fears. It is a utility that lets you know where your laptop is and can be installed on Windows, Linux and Mac OS X.
It is easy to set up. Register with the Prey website, then enter the API key and device key into the configuration window to start the agent.

XSS and SQL injection

These attacks are not new, yet they are still very effective against web applications. Here is an article that discusses how to test for such vulnerabilities and how to mitigate them.

Tabnabbing

A new type of phishing attack conceived by a security researcher. Rather than rehash his explanation, it is best to read his article.

HTTPS Everywhere

Most websites support HTTPS but do not switch users to the more secure protocol when they visit. The EFF and the Tor Project have collaborated to release a Firefox add-on that automatically redirects users' sessions to HTTPS.
Here I demonstrate a Google search prior to installing the plug-in. My search is transmitted over the Internet in cleartext. After installing the tool, my Google search is automatically secured over HTTPS. The tool ships with a default list of supported websites but offers the flexibility of adding your own URLs for it to manage.

iPhone pin bypass

Another reason to love "Lucid Lynx". A security researcher has discovered that Ubuntu 10.04 lets users access data on an iPhone without knowing the security PIN. Too bad I do not own an iPhone to test this myself.

Automated social engineering

Cool POC. It again demonstrates how humans are the weakest link in security. You can educate people and display warnings but victims will still click on malicious links.

Browser fingerprinting

Security researchers have discovered that the majority of users can be uniquely identified by fingerprinting their browser. Apparently... the way our browser is set up can give us away. They host a website where you can test this yourself.

Jarlsberg

Google has hosted a vulnerable application called "Jarlsberg" to teach interested parties how to attack and defend applications. I haven't given it a go, so I can't comment (yet) on how it compares with WebGoat.

Embedded files

The vendor Lumension visited the office. During their presentation, they mentioned whitelisting and blacklisting files to tackle data leakage. I inquired whether the Lumension agent was able to detect blacklisted files (e.g. executables, audio) embedded inside whitelisted files (Office documents). The vendor couldn't answer my question.
That piqued my curiosity. I embedded the same PDF file inside a Word doc twice: once by manually copying and pasting it into the doc, and once by inserting it as an object. Firing up my trusty hex editor, I was only able to find the magic bytes (i.e. ASCII "%PDF", or hex values "25 50 44 46") for the PDF file that was embedded using the insert-object method. I was not able to detect the embedded PDF file that was manually copied.

This is an interesting loophole from a hacker and forensics perspective.
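As an added example (not the author's test files or any vendor's agent), here is a small Python signature scanner for the check described above. It searches a flat byte stream for the magic bytes of a few file types, the way the hex-editor search does, and, because a .docx is a ZIP container whose members are compressed, it also opens ZIP-based documents and scans each member separately; a flat search over a .docx would never see the "%PDF" bytes of a PDF stored under word/embeddings/. The sample documents, the PE stub and the signature table are constructed for the example.

```python
"""Scan documents for embedded file signatures (magic bytes).
Added example; the sample documents built below are constructed, not the post's files."""
import io
import struct
import zipfile

# Well-known file signatures keyed by a human-readable label.
SIGNATURES = {
    "PDF document": b"%PDF",
    "OLE2 compound file (legacy .doc/.xls, embedded OLE object)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "ZIP container (also OOXML .docx/.xlsx)": b"PK\x03\x04",
    "PNG image": b"\x89PNG\r\n\x1a\n",
    "MP3 audio (ID3 tag)": b"ID3",
}


def looks_like_pe(data: bytes, offset: int) -> bool:
    """Validate an 'MZ' candidate: the e_lfanew field at +0x3c must point at 'PE\\0\\0'."""
    if offset + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3c)[0]
    pe = offset + e_lfanew
    return data[pe:pe + 4] == b"PE\x00\x00"


def find_signatures(data: bytes):
    """Return a sorted list of (offset, label) for every signature found in data."""
    hits = []
    for label, magic in SIGNATURES.items():
        idx = data.find(magic)
        while idx != -1:
            hits.append((idx, label))
            idx = data.find(magic, idx + 1)
    # 'MZ' is only two bytes and would match ordinary text, so report it
    # only when a real PE header follows.
    idx = data.find(b"MZ")
    while idx != -1:
        if looks_like_pe(data, idx):
            hits.append((idx, "Windows PE executable"))
        idx = data.find(b"MZ", idx + 1)
    return sorted(hits)


def scan_document(data: bytes) -> dict:
    """Scan one document. ZIP-based (OOXML) files are opened and each member
    is scanned on its own; anything else is scanned as a flat byte stream."""
    report = {}
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits = find_signatures(zf.read(name))
                if hits:
                    report[name] = hits
    else:
        report["<raw>"] = find_signatures(data)
    return report


# --- constructed samples (not the files from the post) ---
PDF_BYTES = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"


def build_legacy_doc() -> bytes:
    """Fake OLE2 .doc with an inserted PDF object starting 512 bytes in."""
    header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
    return header + PDF_BYTES + b"\x00" * 256


def build_docx() -> bytes:
    """Fake .docx (ZIP) holding the same PDF as an embedded object member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", PDF_BYTES)
    return buf.getvalue()


def build_fake_pe() -> bytes:
    """Minimal DOS/PE header stub: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"


if __name__ == "__main__":
    for name, blob in (("legacy.doc", build_legacy_doc()), ("report.docx", build_docx())):
        print(name, scan_document(blob))
```

Run it and the legacy .doc reports the OLE header at offset 0 and the PDF at offset 512, while the .docx reports the PDF only inside word/embeddings/oleObject1.bin. A pasted PDF, by contrast, is presumably rendered into the document's own structures rather than stored as a file, which matches the finding above: there are no magic bytes to hit, so signature scanning alone, whether by hex editor or by an agent, cannot catch that case.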

"An error occured in avast! engine: Invalid argument"

This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after that. Did some googling and someone suggested deleting a file called "400.vps" in the ".avast" folder. I did just that and avast! was able to launch again. However, the same error occurs immediately after the virus definition update is performed. There is an error with the signature file. Hmmmmmm. What happened to quality control nowadays?

Update: I resolved the update issue. Run the following command.

commandrine@bridge:/$ sudo sysctl -w kernel.shmmax=128000000
kernel.shmmax = 128000000
commandrine@bridge:/$

I combined this command and the avast! update command together in this script to simplify matters. You no longer need to launch the avast! GUI to start the update. Download it here.

Justified

Adobe Reader is officially the most exploited software. My decision to remove Adobe Reader from my machines years ago is now fully justified and not a choice born of paranoia. In second place is Microsoft Word, which is also not installed on any of my systems at home.
A case of security by obscurity? Why do soldiers wear camouflage when they can be killed by weapons of mass destruction?

Kon-Boot

I have demonstrated resetting and cracking Windows passwords before. I won't even bother demonstrating resetting Mac OS X passwords because it is so trivial. Lame: Apple ships a password reset utility with their Mac OS X installer DVD. DUH!!!
Kon-Boot is a powerful tool that gives you root privileges on Linux and administrator rights on Windows without needing to crack or know the admin password.
In my demo, I burnt Kon-Boot to a bootable disc and booted my Linux system from it. Kon-Boot modifies my Linux kernel and lets me gain root access just by entering "kon-usr". I run the "whoami" command to prove that I am logged in as root without having entered the root password.
The high res version of this demo can be downloaded here.

Information overload

I always preach about the dangers of revealing too much information. I like this article because it provides a simple example to reinforce my point. Discretion is the key.
Researchers have developed a proof-of-concept attack that uncovers the identity of web surfers based on their social networking activities.

The economics of malware

Interesting read about the driving force behind malware writing and distribution.
Whilst we are on the topic of malware... a malicious PDF installs a backdoor on the victim's system and dials home to a Singapore-hosted server*. Nice!!!
Anyone wants to call Alan to give him the bad news?

* First came across this cool story on werew01f's blog.

Network forensics puzzle #4

Puzzle #4 is out. I've been preoccupied and exhausted by work, hence the delay in posting my answers for puzzle #3.
The answers to the first two questions were straightforward enough.
1) 00:25:00:fe:07:c4
2) AppleTV/2.4

The search terms (i.e. questions 3 and 8) were a bit tedious to find manually by combing through Wireshark, but easier in NetworkMiner. Alternatively, searching with "ngrep" on Ubuntu was pretty painless. The two movies that Ann clicked on are also listed in NetworkMiner.
3) h, ha, hac, hack
4) Hackers
6) Sneakers
8) iknowyourewatchingme

Answers to questions 5 and 7 courtesy of NetworkMiner.
5) http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640×278.h264lc.d2.p.m4v
7) $9.99

HTTP session reconstruction

I've been wanting to try reconstructing HTTP sessions captured in Pcap files. I stumbled across a tool called "PyFlag". They have an amazing script that automatically downloads, installs and sets up "PyFlag" on Ubuntu, and it was painless to get up and running. I managed to load Pcap files into "PyFlag" for analysis but wasn't able to reconstruct the HTTP sessions.
I looked for other tools and found "Unsniff". Worked like a charm!!!

Latency

Antivir is a powerful AV thanks to its heuristic detection of malware. I gave up on it because of the ridiculous time it took to update. I replaced it with Microsoft's "Security Essentials".

Network forensics puzzle #3

A new network forensics puzzle is out. In line with the contest rules, I can't post my answers until the deadline has passed.

Cookie manipulation

I demonstrated cookie hijacking previously but never elaborated on how the stolen cookie can be used.
To make use of stolen cookie information, the session must still be active. Here I manually add the cookies using the "Web Developer" Firefox add-on to access an active Gmail session.

The high res version of this demo can be downloaded here.
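The Secure flag that HTTPS Everywhere forces ("Secure your cookies" above) and the cookie replay shown here are two sides of the same problem, so one added example covers both. It is not part of the original posts or of any tool mentioned: a Python audit of Set-Cookie headers that reports cookies missing Secure, HttpOnly or SameSite, and contrasts a weak response with a hardened one. The two HTTP responses and the cookie names and values are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft and replay.
Added example; the two HTTP responses below are constructed, not captured traffic."""


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flags without a value (Secure, HttpOnly) are stored as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(cookie: dict) -> list:
    """Return the findings for one parsed cookie; an empty list means no issues."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser also sends it over plain HTTP, "
                        "where a sniffer on the same network can capture it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read it, so XSS can exfiltrate it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if cookie["name"].startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain; "
                        "browsers reject the cookie otherwise")
    return findings


def audit_response(raw_head: str) -> dict:
    """Map every cookie name set in a raw HTTP response head to its findings."""
    report = {}
    for line in raw_head.splitlines():
        if line.lower().startswith("set-cookie:"):
            cookie = parse_set_cookie(line.split(":", 1)[1])
            report[cookie["name"]] = audit_cookie(cookie)
    return report


# Constructed responses: the same two cookies, first as a weak site would set
# them, then with the attributes a hardened site would use.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=7c1f2a9e; Path=/
Set-Cookie: prefs=theme=dark; Path=/; Max-Age=31536000
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: __Host-sessionid=7c1f2a9e; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=theme=dark; Path=/; Max-Age=31536000; Secure; SameSite=Lax
"""

if __name__ == "__main__":
    for label, head in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for name, findings in audit_response(head).items():
            print(name, "OK" if not findings else "")
            for finding in findings:
                print("   -", finding)
```

The weak response gets three findings for each cookie; in the hardened one the session cookie is clean and only the harmless preference cookie is flagged for HttpOnly. The Strict-Transport-Security header in the hardened sample does on the server side what HTTPS Everywhere does in the browser: it keeps the whole session on HTTPS so the cookie is never exposed to a sniffer. Note that none of these attributes helps once a cookie has already been stolen, which is exactly the Gmail replay above; limiting that window is a server-side matter (invalidating the session at logout, short idle timeouts, and issuing a fresh session id after login).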

dnsaudit.py

Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. import subprocess import sys im...