Encrypted?

It is curious that LogMeIn doesn't require a user to enter their LogMeIn profile information during installation... yet the installed client knows which account it is associated with.
This piqued my interest and I took a peek at the installer file. It seems that LogMeIn uses a VeriSign digital certificate to encrypt information within the installer?

UPX discovery

Packers are tools used to compress executables to reduce their file size whilst retaining their executable property. Hackers harness packing as one of the numerous tricks to avoid detection. However, there are times when software authors pack their legitimate tools and thus not all packed executables are malware.
UPX is a popular packer. I packed several files with it and analysed them in a hex editor to try to discover patterns. Lo and behold... the tell-tale sign of a UPX packed file is the presence of UPX strings (i.e. UPX0, UPX1 and UPX!).
Further investigation shows that searching for UPX strings is not reliable, because a UPX packed executable still runs even if you change the UPX text. A more reliable way to detect packed executables is the tool PEiD, which identifies UPX packed files by hexadecimal signatures rather than by strings.
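As an added example (not the author's code), a small Python scanner that walks the PE headers to list section names and looks for the UPX0/UPX1/UPX! strings mentioned above. The PE image it scans is constructed inline, not a real binary; the second sample has the strings edited, which is exactly the case where the string check fails and a byte-signature tool like PEiD is needed.

```python
import struct

def build_pe(section_names, overlay=b""):
    """Constructed minimal PE32 image for testing the scanner (not a real binary);
    only the fields section_names() reads are populated."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = b"\x0B\x01" + b"\x00" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos_header + b"PE\x00\x00" + coff + optional + table + overlay

def section_names(data):
    """Walk MZ -> e_lfanew -> COFF header -> section table and return the names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section headers start here
    names = []
    for i in range(count):
        raw = data[table + 40 * i: table + 40 * i + 8]        # 8-byte Name field
        names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
    return names

def upx_indicators(data):
    """String-based indicators only: both are trivially renamed, which is why a
    signature tool such as PEiD matches byte patterns instead of these strings."""
    names = section_names(data)
    return {"upx_sections": [n for n in names if n.upper().startswith("UPX")],
            "upx_magic": b"UPX!" in data}

if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"], overlay=b"UPX!")
    renamed = build_pe(["ABC0", "ABC1", ".rsrc"], overlay=b"ABC!")  # same layout, strings edited
    print(upx_indicators(packed))    # flagged
    print(upx_indicators(renamed))   # nothing flagged: the name check alone is bypassable
```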

DDoS

I have been telling my network engineer friends for years that DDoS attacks are impossible to stop regardless of what anti-DDoS vendors tell you. I never believed that some magical algorithm can throttle the flood of network packets originating from a bot army numbering in the 10,000s. How do you withstand a 30Gbps peak of traffic?

Metadata extraction

Metadata analysis is not new. The topic was revisited at the recent Defcon, where Chema Alonso and Jose Palazon presented a tool called FOCA.
I decided to give it a whirl and performed metadata extraction against PDF files hosted on Splunk's website. Besides names of Splunk employees, there was nothing else interesting to discover.

I tested FOCA against the Central Narcotics Bureau's website. Shocker!!! Besides usernames used by CNB, I was able to acquire I/C numbers. I classify this leakage as high risk, considering that the government standardised citizens' login IDs by requiring them to use their respective I/C numbers to access all government websites.

Don't want to install the FOCA software on your machine? You can opt for the online version.
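
Added example, not FOCA's code: a minimal Python extractor for the PDF /Info dictionary fields (Author, Creator, Producer) that a metadata scrape harvests, run over a constructed sample PDF. It assumes an uncompressed /Info dictionary; object streams and XMP metadata are out of scope.

```python
import re

# Constructed sample: a tiny PDF whose /Info dictionary carries the kind of
# author/creator fields a metadata scraper harvests. Not a real document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Quarterly report) /Author (jdoe) /Creator <4D6963726F736F667420576F7264>
/Producer (Acrobat Distiller 8.0) /CreationDate (D:20090801120000) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Key followed by a literal string "(...)" (with \( \) \\ escapes) or a hex string "<...>"
ENTRY_RE = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)

def _decode_string(token: bytes) -> str:
    """Decode a PDF literal or hex string token into text."""
    if token.startswith(b"<"):
        return bytes.fromhex(token[1:-1].decode().replace(" ", "")).decode("latin-1")
    body = re.sub(rb"\\([()\\])", rb"\1", token[1:-1])   # unescape \( \) \\
    return body.decode("latin-1")

def pdf_info(data: bytes) -> dict:
    """Return the /Info dictionary of an uncompressed PDF as {key: str}.
    Follows trailer -> /Info N G R -> 'N G obj << ... >> endobj' (no nested dicts)."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?<!\d)%s\s+%s\s+obj\s*<<(.*?)>>\s*endobj" % (ref.group(1), ref.group(2)),
                    data, re.S)
    if not obj:
        return {}
    return {k.decode(): _decode_string(v) for k, v in ENTRY_RE.findall(obj.group(1))}

def leaked_identities(info: dict) -> list:
    """The fields a FOCA-style scrape turns into usernames and software fingerprints."""
    return [(k, info[k]) for k in ("Author", "Creator", "Producer") if k in info]

if __name__ == "__main__":
    for field, value in leaked_identities(pdf_info(SAMPLE_PDF)):
        print(f"{field}: {value}")
```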

Basic malware analysis

I was reading the latest issue of Hakin9 magazine (4/2009). There is an article about harnessing music and videos to attack innocent parties. It struck me as strange that it had never occurred to me to use a hex editor to analyse the malicious MP3 file that I studied previously. Lo and behold! I found the URL that is triggered when victims try to play the fake song.

Clickjacking mitigated

I previously blogged about Clickjacking. I came across a new plugin called RequestPolicy that protects users against CSRF attacks and decided to try it against the Zscaler Clickjacking demo. It works like a charm!!!
The high res version of this demo can be downloaded here.

NoScript is another tool to secure against Clickjacking. Neither is for n00bs though... both require some knowledge of what to configure.

Security by obscurity?

Tired of remembering passwords? You can now "encrypt" files using an image instead of a password. PixelCryptor is a simple tool with an intuitive interface. You choose the file that you want to protect, then the image you want to secure it with.

Original file versus the "encrypted" form. It seems to be "encrypted", but I'm sceptical because this tool does not seem to follow any industry standard encryption and provides no information about its encryption methodology. The only hint of what transpires is this statement from their website:
"The pixel data is used to encrypt your data. The combinations are endless and hard to break."

I decided to run tests against PixelCryptor. I converted my original seed image from JPG to GIF format to lose data. PixelCryptor allowed me to use the degraded image to "decrypt". Using a hex editor, I found that the full contents of the original file could not be retrieved using the degraded image. This does imply that the tool truly uses pixel information to transform files.

I'm still sceptical about the viability of using images as the seed key. Imagine keeping important files "encrypted" on your flash drive... this would require the owner to store the image needed to "decrypt" on the same drive, and it will only be a matter of time before a malicious person who wants to access those documents figures out what to do.

Network Forensics: more than looking for cleartext passwords

My next article will be published in Hakin9 magazine issue 6/2009 available at a good bookstore near you in November. I finished writing it last month but the magazine has a backlog of article contributions.
An excerpt of my soon-to-be available print article.
"Logs and alerts from varied network devices (eg. Firewalls, IPS, routers) report what was blocked. They do not offer Security Analysts with sufficient data to ascertain what had taken place because activities that were malicious or suspicious but successful were not logged. This makes an analyst’s job challenging when requested to determine if a breach had occurred and that is where digital forensics plays a crucial role... The evidence that can be acquired from corporate traffic is limitless but is only restricted by the knowledge and imagination of the canvasser as well as the resources made available."

Session cookie hijacking

I posted about XSS previously. XSS is commonly used by malicious parties to steal session cookies in order to hijack a victim's active session and impersonate them.
For session cookie hijacking to succeed, the victim must already be logged into the application. Next, the victim must be tricked into clicking a link that invokes the JavaScript that compromises their cookie. In my video, I first display the session cookie in a JavaScript pop-up by exploiting the lack of input validation on the third party's webserver. I then set up a webserver on my local machine and trigger another piece of JavaScript that requests a resource that doesn't exist on my webserver, so the session cookie is recorded in my webserver log.
The high res version of this demo can be downloaded here.

Clickjacking

Clickjacking is a social engineering technique in which a hacker fools a victim into performing seemingly innocuous click(s), and the victim ends up compromised as a result of their own actions.
Attended Zscaler's seminar today and was pretty impressed by the speaker's presentation and demo. He demonstrated Clickjacking and I decided to make a video of their demo page instead of building my own.
In this specific demo, I use the common tactic of luring victims to a malicious page via email. The victim enters the webpage and is encouraged to click on an "innocent" button. This "innocent" button is just an image* that hides a Google "Create Alert" button underneath. Imagine the damage an actual malicious page containing hidden malicious scripts, code or actions could cause.
* Alignment of the fake button varies from browser to browser.
The high res version of this demo can be downloaded here.
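
Added example, not from the original posts: a Python check over constructed HTTP responses for the two server-side controls relevant to the session cookie hijacking and Clickjacking posts above: the HttpOnly cookie flag (keeps document.cookie from exposing the session cookie to injected script) and CSP frame-ancestors / X-Frame-Options (stops the page being framed under a decoy button). The sample responses are made up for the demonstration.

```python
# Constructed sample responses (not captured from any real site).
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n<html>...</html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            "X-Frame-Options: DENY\r\n\r\n<html>...</html>")

def parse_headers(raw):
    """Split a raw HTTP response into a list of (lowercased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_policy(headers):
    """'deny' / 'sameorigin' / 'restricted' when framing is limited, else 'allowed'.
    CSP frame-ancestors takes precedence over X-Frame-Options, as browsers do."""
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                if sources == ["'none'"]:
                    return "deny"
                return "sameorigin" if sources == ["'self'"] else "restricted"
    for name, value in headers:
        if name == "x-frame-options" and value.lower() in ("deny", "sameorigin"):
            return value.lower()
    return "allowed"

def weak_cookies(headers):
    """Cookies that page script (document.cookie) or a plaintext hop could expose."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, *attrs = [p.strip() for p in value.split(";")]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in ("httponly", "secure") if f not in flags]
        if missing:
            findings.append((cookie.split("=", 1)[0], missing))
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        h = parse_headers(raw)
        print(label, framing_policy(h), weak_cookies(h))
```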

Ubuntu maintenance script

Wrote a simple script for keeping packages and snaps updated in Ubuntu.