Support Radio bubble

Radio bubble is an independent media community from Greece, mostly empowering citizens to become journalists as things happen, spreading culture and information. Through a variety of means (web radio, twitter, blog etc) they inform citizens of what’s going on. For example, the hashtag #rbnews is used widely for greek demonstrations to report what’s going on. Beyond that, they issue a magazine with poems and stories from various bloggers and they organise music events with some cool bands from time to time.  They’ve been active for quite some time now and they need our support. If you have money willing to spend then you can go here and support them. :)

You can find more about radio bubble here.

The day I hated auditing

From time to time, I audit applications. All these years auditing source codes, reversing or simply guessing I came to certain conclusions that I am about to share with you.

  1. Software engineers don’t care about security
  2. Software engineers tend to do mistakes
  3. They tend to do the same mistake in many places
  4. Go to assumption 1.

That’s it. Four simple rules that are mostly generalisations but they reflect reality in a lot of cases. 

With that in mind, if I have enough time to check for vulnerabilities, I check how the certain software engineers tend to develop things. I don’t give too much details in the technical aspect -ie does he uses a framework- but I spend a lot of time watching how he handles a problem he has, how often he debugs code, how often he or someone else runs tests and finally I have a conversation regarding security. 90% of the times, the software developers will mention that they know about security and they take countermeasures to avoid vulnerabilities. 80% of them has no idea about security but yet he’ll try to convince you that he does.

Today I was auditing a source code of a web application, the developer was presenting me his source code, which was mostly bad code, and suddenly he says “I take extra care of GET parameters passed to the application”. Being provocative I asked “Why not POST as well?” “It is easier to put shit in GET parameters than in POST” and suddenly my face was like “OH REALLY? LEMME SHOW YOU”. I started to explain to him that when a user gets a response from a webserver, it is because the user contacted the server and since this request comes client-side it is possible for the attacker to change POST, GET, COOKIES, even HTTP Headers. And here comes the magic. He didn’t care, he tried to evade the question by showing me the same web application with AJAX requests. Eeermmm… Allow me to show you a neat trick “+AND+1=0/*” you are a cool programmer etc but I didn’t want to end up there mate. Even the best programmers make mistakes, you are not the best, just stop wasting my time and fix your bug.

Dear software engineers, when your company brings in an auditor for whatever reason, they bring in an auditor, not a cop. Act accordingly and please bear with us, we appreciate cooperation more than you think.

Keeping your eyes open. Google’s Intranet

Long story short,  I found the entrance to Google’s Moma. In my opinion, I shouldn’t know that. I also found the google employees login page as well. I am missing the valid credentials/exploit/bypass/do-something-beyond-getting-hired-to-see-what-a-google-sees yet but hopefully some day I’ll be able to check what is beyond their entrance.

The problem is not what I found out but how I did it. I found out about this domain because of this video. Check the url shown in the video 😉
And then I ended up here. They use a two-factor authentication, password and an OTP(not pad, One Time Password 😛 ) . I think his handle is nlevin because of this url (check the URL 😉 ).

That’s all.  Google PRETTYYY PLEAAAASE WITH SUGAR ON TOP ALLOW US TO SEE WHAT’S BEYOND THE ENTRANCE OF YOUR INTRANET.
me iz out.

Operations Security

I have been asked a lot of times questions that fall under the general topic of OPSEC . I have been using some practices quite some time that work well, so I’ll be talking about them.  Some tools will be referenced, some not. Just bear with me.

Everything falling under security is pretty much power redistribution thus it must be treated that way. Because of the ability to redistribute power you need two things, knowledge and responsibility.

How to protect personal data? 

I could write a phd about the subject but a few quick tips. ENCRYPT, ENCRYPT, ENCRYPT SOME MORE. Do you have a few files to encrypt only? My guess is not. If you want to be totally protected encrypt your whole HDD/SDD/USB stick, whatever. Encrypting some files is cool etc but your OS logs everything you do. An Archaelogist (Forensics guys) can read the logs and get your ass busted. ENCRYPT your OS.

What happens if the feds raid my house? If you are using your encrypted OS, your password is stored in the RAM somewhere. A complete memdump will give away your pass, a hash of it or some clues. Usually people don’t want this to happen. An easy workaround is to create two encrypted OSs. The first is the dummy, the second is your main OS. In such a case, boot the dummy ;). They will dump a key that will be of no use 😉 Btw I made an assumption here, you know which cryptosystems are secure and which are not. If this is not the case, well, you better start digging.

How to protect my communications?

I am a happy ownerI used to be the happy owner of a smartphone until the company pushed a crappy update that drains my battery faster than I can imagine. Anyway, as such I use my phone to check my mails. Every now and then I deal with 0days or I transfer money from my bank account etc. As such I have to make sure that there’s no eavesdropper around, same thing applies for my laptop. How do I do this? I’ve set up an SSH in my home. Every time I connect to the internetz I hide my ass behind my SSH which is connected through a trusted VPN which leads to TOR nodes. Ok, that’s too much security but even if something fails I have another options ;). If I can’t use my tunnels I use publicly available one. You better start doing the same.

Assume now that you are in a public cafe. What do you do if you want to fuck with eavesdroppers? Easy. Grap a USB wifi adapter. Script it so that it frequently changes SSID and information. It’ll take some time for the eavesdropper to figure what’s going on 😛

Physical Protection 101

This was a part of a conversation I had with a scene whore. How do you protect your laptop from physical attacks? It’s called two factor authentication and it works, something the user has (usb stick for example), something the user knows (password). If your laptop supports fingerscanning then you can extend the authentication to something the user is (fingerprint 😉 ).

You leave your pc without locking your screen? Take the usb stick with you and the pc is locked. Advancing this scheme, lock everything your bios allows you to lock so that the PC boots only from a certain HDD. There is an attack there but the attacker must have physical access to your PC, know how to dissassemble it etc (CMOS battery removed 😛 ). Another option if you hate usb sticks is pinging your phone. If your phone is not near, PC is locked etc.

I lost my PC/Smartphone etc. Now what? Shit happens and assuming you didn’t do anything of the above or you did but it was bypassed, you can always track your pc/smartphone etc 😉 There are tons of free software out there that do that for you and they allow you to delete data, make noises, photograph the thief etc.

Have fun.

iz out

Human stupidity

Ladies and gentlemen, we have a winner. We had a conversation about who is and who is not a hacker. The scene-whore stated that “a hacker is a guy who knows who to deal with tools”. DIE MOFO  That’s cute. So I did a little info-gathering about this guy and I came up with some amazing information.
He uses only pre-canned tools, he uses only scripts developed by other people, he uses only tools that take no parameter, he is not able to define what a buffer overflow exploitation is. How nice of you.

Quick note: His level of stupidity goes beyond my descriptive abilities. He used a Javascript packer to keep his “site” packed. I guess he didn’t know how to use a fucking packer and thus he ended up having a packer, an encoded string, and the plaintext. Good job 😀

Moving over the scene-whore, who the fuck is a hacker? IMHO the term “hacker” is a term that people give it to you, not one you use to describe yourself. If you say “I hack” that’s fine, if you say “I am a hacker” you better prove it fast. It’s not about the 0days, it’s mostly about the ability to tackle problems in a fascinating way. Everyone can use a milk crate to put a lamp on, a true carpenter will do something amazing to put a lamp on .

The only motive I find is curiosity. Have you used nmap? Do you know every single parameter it takes? Have you sniffed packets to see the differences between the various options? Have you disassembled a .dll? Have you ever built your own kernel? That’s fun. The rest are not.

Friendly advice to scene-whores: Sooner or later someone will detect you. Instead of being the allegedly jack-of-all-trades say you are fucking clueless. Most people will help you (after they troll the shit out of you). Just don’t rm your as$.

Regarding passwords

There’s been a conversation about passwords. Are they strong? Are they secure? Is a 8-digit password enough or it is easy to bruteforce it? We’ve seen huge dumps of passwords lately and companies such as google try to get rid of the password authentication method by using usb keys etc.

Before I move on to the subject some core concepts here. A hash function (such as md5) is a function that takes an input and creates a certain output based entirely on the input. We expect from hash functions to be collision-resistant, ie we want to be hard for an attacker to find an X input so that hash_function(X)=hash_function(ORIGINAL_INPUT).
Another core concept is the two-factor authentication. This is quite simple, the user must have any two of the following three:

  1. Something he, and only he, knows (a password for example)
  2. Something he, and only he, has (a private key for example or his cellphone)
  3. Something he, and only he, is (mostly biometric things)

The final concept is public key cryptography which I mentioned before. The main problem with cryptography is the need of a secure channel to exchange encryption keys but if someone has a secure channel then why doesn’t he exchange the message in the first place? Cause there’s no such thing as a secure channel (well, there is but not for everyone). In order to solve this, Diffie and Hellman proposed public key cryptography. The concept is simple. Let’s assume that B wants to share some confidential info with A. A has used a function that created two outputs. The first one is the Public-Key of A (PKA) and the second is the private key of a (KA). PKA is public and it doesn’t matter who has it. B takes PKA, encrypts the message and mails it to A. The only way to decrypt the message is to use KA. KA is only available to A so A is the only one who can see the original message.

Back to the passwords and the authentication problem. Authentication is the most commonly attacked concept of computer security. Attackers either bypass it or authenticate as a legitimate user by guessing/bruteforcing/you-name-it the authentication process. So far, so good but in my opinion the problem does not lie in the passwords. There are two main problems here, the first one is users, the second is developers.

Starting by users, users need to be educated regarding security. There have been studies around from many sources regarding both password practices and educating the users. A normal user, which may be privileged, is an insider threat to any information system. My thoughts here are pretty straightforward. An ignorant user was, is and will always be a threat to any system. Such users are extremely dangerous when they are privileged. Such ignorance is a vulnerability and chances are that the system will get owned with a usb authentication as fast as it would with a password.

What if users are already trained and someone still dumps their passwords which are pretty complicated to guess and/or bruteforce? Developers need to be educated as well. Have you seen any of these dumps lately before their passwords where “unhashed”? Most of these dumps contained passwords hashed with insufficient functions with known huge collision and rainbow tables and even without a proper salt (salt is to concatenate the password with a string and hash the concatenated string).  It is obvious that by using such functions, in case of a SQL Injection (replace SQLi with every single attack that breaches either confidentiality or integrity of the system) if a dump takes place you are in serious trouble.

As a conclusion, although I am not against using new methods such as hardware or two-factor authentication, security professionals have to make a security awareness campaign and train both users and developers because the problem does not lie in passwords but in the improper implementation of authentication mechanisms and improper passwords or bad practices.

/me iz out

Gathering Information pt I lost Count

Well, it’s been quite some time since the last post but… I am live and kicking.
I thought ‘d write some notes on security.
Continue reading

Begging to get hacked while handling files with PHP

It truly doesn’t take much for a software developer to get owned. Anyway, a loooog time ago I was watching (yes, watching) a class on PHP, they were being taught on how to handle files using HTML forms and PHP code. I noticed a problem though. I thought a few, it gets they are WAY more, are the people who mishandle files. Anyway, how to get from a simple mishandling to get your ass owned.

The concept
 User A wants to upload a file to a server. Server accepts the files, checks for certain criteria, if we find a match file is accepted. RIGHT? WROONG, this is how it should work, not how it works.

The problem

There is a variety of ways to build those criteria. You can check for extensions (for example .jpg only) or for mime-types (image/jpeg only). What’s the problem with that?

The first problem is about changing mime-type. This kind of information comes client-side. Apache, or whatever software you are using does not check whether this file is or is not a JPEG image. When the user chooses the desired file to upload, browser generates automatically the mime-type. The problem is that the attacker can change it moments before he sends the HTTP header. Assume that you allow someone to upload only jpg files (mime-type:image/jpeg). I decide that I want to own your box. I choose a PHP backdoor, change the mime-type, file gets online. This is the simple scenario.
Not to mention the 1×1 jpg hack.
Also, even if he checks, there is always the good old Null Byte Poison Attack under certain circumstances etc.

The workaround

Force an extension. If it says JPG then
thisisamaliciousfile.JPG. Simple?

Stop using multiple ifs and begging to get your ass owned.
Imagine something simple. You never get owned but… Your server is used as a store all shells and you are getting complaints about allowing shells to be stored there. Not cool.

Evading AV signatures, BHEK2 way #malwareMustDie

In Saturday I got an urgent call from a guy who is developing WP themes. He has to showcase a theme in a client but Chrome won’t allow him to enter his blog. My initial thought was WP Theme infection and something like Norton Toolbar blocks him from doing so. VirusTotal  reports that the site is not infected he says. He connect using ftp and downloads the files.
Before I move on, if you want to find more about BHEK2 go here (btw the guys do an excellent job, kudos to #malwaremustdie).

My initial thought was that someone infected it with BHEK2. I had to see such an infection though (WP-based) quite some time. Last time I encountered such an infection, it was sometime around August.

The infection was located in index.php, somewhere around the middle. There was something unusual about this infection though. The main infection was something like

eval(base64_decode("B64_DATA"));

but it wasn’t. When I deobfuscated the string (which ended up in a redirection), it looked like

eval(base64_decode(eval(base64_decode(echo('Javascript redirection to BHEK script');

I did not notice that it was truly evading AV signatures, although I should, until Malware Crusader reported me that it was evading it. Btw, if you don’t follow him, do now :)

Now, Ι wrote a sample PHP file that uses the same approach that BHEK2 did to stay off the radar. The sample is found here . You can execute it safely, you’ll end up with a alert(‘Hello World’); greeting you :)

Btw, a short mention here since we are dealing with PHP obfuscation. Certain sites that are distributing PHP shells, backdoor the backdoors and when you execute the backdoor, the distributor is informed about the compromised server.

Kudos again to all #malwaremustdie guys.

Evading AV

I came over this and I remembered a couple of years ago that I did a dropper like the one described there but more malicious.

Anyway, techniques of evading the AV software.
Continue reading