Thursday 28 January 2010

This is becoming a full time job

One of the problems with being an ethical hacker is that no one ever believes that they need you until it's to late.
That's why here at Phortress we sell avoidence but always seem to end up charging for repairs and fixing things out of hours and after the event. (Hence our repair charges being more than our avoidance charge)

Because no one ever believes that they will be hacked both of us usually end our business meetings being told that we will be called when we are needed, but of course by then the damage is done.

It is the "being called when needed" ethos that eventually had us become ambulance chasers, finding websites or organisations who had been hacked and then offering  to find out how. It is our principle source of income.

The best place in the world to track web site hacks is www.zone-h.org, zone-h takes information from any source, verifies the hack and posts it online.

When we started ambulance chasing in 2008 zone-h updated about five pages a day with approx 25 hacks per page. Just two years later zone-h are updating around 30+ pages a day at 25 hacked websites per page. The list is now so long that it takes me most of my working day just to email the organisations that have been hit.

This in itself shows the dramatic rise in cyber vandalism.

It really is time for organisations to open their eyes to this problem

Tuesday 24 November 2009

White House goes Open Source

  
The White House launched a new version of its website on 24th October. While little has changed on the surface, the underlying technology is now powered by the open source Drupal content management system.


White House hosting history
 
The www.whitehouse.gov site was previously served by Microsoft IIS 6.0, but the new server software identifies itself as "White House". The new site continues to use Akamai's content delivery network for caching.



White House server headers

Drupal is the 6th largest PHP-based content management system in Netcraft's Web Server Survey, being found on more than 400,000 websites. Drupal's security will no doubt be put to the test in the coming weeks, as the White House website has always stood as an obvious target for hackers. Drupal's security team has a full disclosure policy of announcing security problems after they have been fixed, rather than withholding the information from its users.
Drupal's core security advisories are made public at http://drupal.org/security. Eight advisories have been published so far this year, which have included two highly critical file inclusion flaws which could have allowed remote attackers to execute code on Windows servers.

One of the things that Open Source software needs is high profile visibility. It isn't until people see it working that they will consider using it themselves.
I don't think that corporations like Microsoft will ever lose the majority market, but I think that as open source starts to take hold they will most certainly have to adjust their pricing to be able to compete.
Microsoft have lost two UK councils now who have migrated to Open Office because of the cost savings. The French government now gives USB keys with Open Office and other open source software to students. AOL have open source on all PC's, The Guardian saved so much money migrating to Open Office in December 2008 that they had a party with an open bar.

An open bar for journalists!

How much money do you have to have saved to be able to comfortably do that?

Monday 23 November 2009

Hardening Web Servers Against PathTraversal Attacks

What is Path Traversal?

Web servers generally are set up to restrict public access to a specific portion of the Web server’s file system, typically called the “Web document root” directory. This directory contains the files intended for public access and any scripts necessary to provide Web application functionality.
In a path traversal attack, an intruder manipulates a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including those lying outside the document root directory. Path traversal attacks take advantage of special-characters sequences in URL input parameters, cookies and HTTP request header.[1]
Real world examples of path traversal strings:
../../../../../../../etc
../../../../../../../../../../etc/passwd
../windows\\winhelp.exe
..\\..\\..\\..\\..\\..\\..\\..\\..\\_private/
String examples
Path traversal issues can allow an intruder perform arbitrary code execution, stored XSS attacks or second order SQL injections. By simply uploading malicious code that later on is going to retrieved by a user, uploading a JavaScript file that later is going to be executed by another user or a piece of code that is going to execute an SQL query.

 Why Path Traversal happens

A path traversal attack happens because user controllable data is used by the application to access files and directories in the application server or other back end file systems.? A path traversal attack is possible in parts of the web application that legitimate file uploading takes place, but it also can happen in parts of the web application that there are dynamic execution issues.
In a search engine field for example:
$searchForData = $_GET[searchForData ];
eval(’searchForData;’);
Code example in PHP.
A very straightforward example of path traversal attacks using a RFI (Remote File Inclusion attack) vulnerability.Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this:[3]
include($page . ‘.php’);

This line of PHP code, is then used in URLs like the following example:
http://www.vulnerable.example.org/index.php?page=archive

Because there is no filtering someone can upload malicious PHP code such as a webshell and embed his code to the current file.

Fixing the problem in Web Application

Multiple levels of security should be used to defeat the vulnerability. All Web Application functionality that is responsible for uploading the file (if that is necessary for some reason ) should take into consideration the following counter measures:
1. All user supplied data should be decoded and canonicalized and then check if the user supplied data contain any path traversal sequences such as ../, ..//,..\/, also this measure should filterout the all null characters e.g. ../../../../../../../../../../../../../../../../../../boot.ini.jpg .The “″ sequence is used both to bypass a simple file extension check and to cut off the extension when the file is read and processed by the CGI application.[1]
2. The Web Application should perform a while list filtering removing all non allowed characters or dropping immediately all user supplied data if they do not comply with the white list filter.
3. Use a Chroot environment can be used to create and host a separate virtualized copy of the operating system. in order to restrict the user from accessing the parts of file system that should not.
4. The malicious user trying to perform the path traversal attack has the same privileges with the Web Application process handling the whole interaction. Make sure the Web Application has only the needed privileges to perform it tasks.
5. All malicious activity should be logged, so as to have an understanding of what is attempted.
API used to defeat the path traversal issues:
1. In java is java.io.File object. Use the getCanonicalPath function.
2. In ASP .NET the System.Io.GetFullPath should be used.

Fixing the problem in IIS


The easiest way to tighten an IIS Web server against this and other attacks is to download and run the IISLockdown tool, free from http://download.microsoft.com. URLScan, which is installed when you run IISLockdown, blocks requests that contain unsafe characters. IISLockdown also disables the parent paths setting, which prevents the use of “..” in script and application calls. Finally, IIS Web administrators should check all Web permissions, which provide an extra layer of security to NTFS file permissions, and consider upgrading to IIS 6.0, which provides significantly enhanced default security over previous versions of IIS.[1]

Reference [1]: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1134252,00.html
Reference [2]: http://en.wikipedia.org/wiki/Remote_File_Inclusion
Reference [3]: The Web Application Hackers Hand Book, Chapter 10 page 345.

SSL, not so secure?

While talking to Ross from Super Mondays last week we wandered onto SSL and he was quite surprised when I mentioned that it isn't quite as secure as everyone thinks.
Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.
This would mean that the padlock icon in the corner of supposedly ‘safe’ websites and touted as optimal security by companies like security-with-verisign may not be as safe as people generally believe.
Marlinspike revealed his findings at the Black Hat Security conference in Washington DC, showing a number of ways where the “chain of trust” fell apart around SSL encryption.
He looked at the possibilities for new vectors of attack against HTTPS, the combination of HTTP and a network security protocol, which are often used for payment and sensitive corporate transactions.
Marlinspike also revealed a free software tool called “SSL Strip”, which could be deployed on a network and used for a man in the middle attack on all potential SSL connections.
It stripped away the SSL encryption, substituting a look-alike HTTPS site, while still convincing the user and website the security was in place.
Tools like Ettercap have been used for a long time against SSL but "SSL Strip" seems to be taking things to a much more advanced and dangerous level.
It seems that evermore personal awareness is going to be needed when logging into what we think are secure sites.

Saturday 21 November 2009

New All Exploits Site

http://www.exploit-db.com/

A great new service for anyone who is interested in security.
At last one huge database of exploits, explanations and codes. This site is a must in the bookmarks for anyone interested in security.

Tuesday 10 November 2009

No point crying over spilled COFEE


In 2007 Microsoft released a tool called COFEE which is an acronym for Computer Online Forensic Evidence Extractor.
It was released to law enforcement agencies around the world and while COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers, you just plug a USB key with COFEE installed and if autorun is enabled on the computer, it will run a series of diagnostics and 150 ‘commands’ that can, among other things, decrypt passwords, display internet activity, and uncover all data stored on the computer.  Most importantly, it can do this on-site, rather than an investigator needing to remove a machine during a search or raid and send it to a lab for analysis. It then writes a report and generally gives a quick and dirty analysis of the computer. It’s not an exhaustive tool and most of the commands and tools the COFEE uses are things that many hackers already have on their computers and could run manually any time they want.
COFEE is a good simple tool and a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.
In the last few days, a user on the what.cd uploaded torrent of COFEE and made it available for any user to download. Which, of course, means that it’s now available on any number of bittorrent sites. The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild. Even if many of the bittorent sites agree to pull the torrent, there’s enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.
The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.
It needs to be pointed out that is owned and jealously guarded by Microsoft. I won’t be surprised if they start going after people to get this removed from the Internet.
Now that the COFEE has been spilled into the tubes of the Internet, what are the moral and ethical responsibilities as security professionals, IT managers or personnel managers concerning the tool? This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference. While this is interesting, it’s nothing top secret or even that revolutionary, but it does impact on many privacy laws if it is used wrongly.
I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from the limits of COFEE and figuring ways to prevent it from collecting anything if they ever have their own computers compromised.
Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools. There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it. For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased.
If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use. I don’t think that having COFEE leaked reduces it’s effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep it’s capabilities secret.

Thursday 5 November 2009

SSH Security issues on Jailbroken iPhones

Jailbreaking (http://www.theiphoneblog.com/iphone-jailbreak-unlock/) an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place. Just getting access to the xGPS project and it’s turn by turn directions has been more than enough reason for many people to jailbreak a phone.
But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.” Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in parts of central Europe with a jailbroken iPhone you may be regretting having a taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password. This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure. It goes on to give them a link and asks for 5 euros in order to secure the phone. This has been sighted on a relatively few iPhones so far, but it’s not inconceivable that this exploit could be used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.

Once you’ve taken the steps to jailbreak an iPhone you’ve relieved Apple of the security responsibility. It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device. So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone.