Category Archives: Security

Some considerations on finance, security and Apple, JP Morgan and Sony attacks

0
Filed under Generic, Security

There is a side that seems to be unnoticed everytime there is a big attack that made me write this article – I wanted to do some considerations on how finance securitity and latest Sony attacks (but not only) are linked.

It seems that lately, big, widespread attacks make it on the news more often, and are becoming increasingly aggressive. Although I can make some technical considerations on this (and will do an an article later next week), I saw something strange in how the markets react to security breaches (and will go more into why companies should – and probably will – invest more on security later on).

Let’s start with JP Morgan.
The data of as many as 76 milion households and 7 milion businesses leaked – to an unknown extend (account details?). This will certainly expose those individuals/entities to easy social engineering attacks, which will be extremely hard to relate to the attack. So, what was the answer of the market to the attack?

None. Yes, that spike down later on might have been related to the attack, but as you have seen was soon recovered.

Let’s go a bit back in time to another story that made it on the headlines: Apple data leakage.
The attack involved hundreds of well known individuals in the end of August. Did the market react to this? Well, yes, for a period, but then again, no substantial loss.

Now, moving to Sony. Sony has faced issues with their security sistems since years. From the Playstation Network to Sony attacks, there is never an end.
Watching the Sony chart, it seems that the cause of the drop was not really related to the attack, but certainly that didn’t help for the future outlook. And the latest attack, didn’t seem to affect the market (see pointing up in the last tick).

I can do these examples for a while, but point is, it seems that attacks, at least in the short term, don’t affect the companies considerably. Is this then a good reason to reduce the costs of security?

Well, here are some considerations from my side:

  • Stock market seems to react more on the generic feeling of insecurity than a quantitative loss of customers/income given by the attack. This, I assume, is because it is extremely hard to quantitatively define the extent of the loss.
  • There are discussions, even driven by Wall Street, to improve cyber security regulations. The process might take a while to consolidate as it is a fairly new concern – the extent of attacks we have seen this year were seldom seen before. Litigations and regulatory fines will help Wall Street to quantify losses and protect investors.
  • Last but not least, the actual cost impact should be considered. A generic estimate considers the data leakage cost (including regulatory fines, fees, legal costs and so on) to be somewhere between 90$ to 300$ per user. In the case of JP Morgan, a conservative estimate would be 150$ * 80000000, accounting for an astonishing 12B$ loss.

Companies should be more concerned than ever on security as this is bound to become a huge topic in the future, particularly given the fact that 0 days vulnerabilities are extremely hard to tackle. But as always, only time will tell how the market will evolve in that sense…

…One side note…
JP Morgan announced it will double its spending on security since 2015 moving to 500M/year – good news. But then again, will those money be spent in the right places?

Hacking samba shares and attacking my Qnap (without Metasploit)…

0
Filed under Security, Systems

So, it has been a while since I made an article, unfortunately I spent (and probably will spend) too much time trying to recover my old V40 PC… Can’t wait to give it a hard drive 30 years later!

Back to hacking samba shares now (and my qnap server).
Let’s try to get some info on the server, nmap is always a good start

the Qnap server is not exactly ‘closed’ – but after all, it is a system for sharing, and is quite secure by itself when up to date. Let’s get some info on the HTTP side – netcat can help us.

So, it is running PHP 5.3.29. This version of PHP by itself has some remote vulnerabilities, but let’s move forward. They are hiding the Apache version! Bad for us but good job.

Let’s run nmap again and let’s see if we find something interesting. This time though, we run a serious scan with:
nmap -A -T4 192.168.1.12

Amongst the various info, I get to know the server is running kernel 3.4.6 and samba 3.6.4 – in particular this is interesting:

Ah – using guest on samba shares works! Let’s do a bit of tests on samba then. No need for a password when using guest usually

Unfortunately, none of those shares (except for IPC$, which is very limited) lets me connect as guest.

Let’s take another approach. Nmap is always our best friend (and the script smb-enum-users).

Good job nmap! :) Now we can do some good old bruteforce! Let’s target TestUser, which I created with a decently weak password. For this to work, we need a good dictionary of passwords, and the owner of the smb-brute redirects us here.
Unfortunately I wasn’t able to specify the password file to bruteforce the samba share using nmap + smb-brute, so had to create a script on my own… If you know how to please drop me an email!

Here is the script I created:

Few seconds after running the script:
./testMe.sh “//victimHost/TestFolder” TestUser /home/ragnar0k/twitter-banned.txt
Login successful using password password123

To conclude – how to secure are samba shares?
This depends on how far you want to take your security – and mainly some common sense:

  • Make sure the minimum password complexity, retries and password expiration are enforced (works well with a centralized system such as Active Directory and Kerberos)
    • minimum password requirements: a meta character and numbers. This alone might not help you against a brute force attack
    • retries: after three wrong passes, an account should be locked. It is possible though to create tools that wait for the account to be unlocked and continue – if the pass is in the beginning of a dictionary, blocking accounts after a few retries alone won’t help
    • password expiration: if a tool is waiting for accounts to be unlocked, maybe after three or one year of daily unlocks, it might eventually guess the password (though I would become suspicious after a week…). Setting a pass expiration might help there (unless the user chooses the password next in schedule by the hacker).
  • If the user uses an external GUI to set the password (i.e. SSO), the validation form should first verify the password is not in the known passes list (from the link above). A good way to create a password database is to merge all the pass files in https://wiki.skullsecurity.org/Passwords into one (cat * >> main_passes), and maybe import them in a database
  • Make sure passes are not repeated within 2 or 3 years

 

 

Are your devices secure? Firmware hacking

0
Filed under Arduino, Security

How to hack your firmware – this might seem like a complex topic. In some cases it is, but nowadays, this is not always the case.
Some unix skills and just a bit of social engineering might be enough to make your company or home insecure.
There are several ways through which a company or a person might have received a compromised device:

  • A company receives a demo hardware from the company in the mail, why not trying it?
  • The guy in the shop decided he wants to monitor his customers, how about quickly removing the seal and compromise the firmware?
  • The website sending firmware updates has been compromised (either from your side, for example through dns poisoning) or on their page
  • The firmware was downloaded from a strange internet source

There might be a few reasons more, but let’s get hands on and see how easy firmware hacking could be!I am trying this on my Arduino Yun, as it is using OpenWRT + squashfs. Squashfs is nowadays very used (see for example dd-wrt compatible devices).What we need is:

  • The firmware (in our case the Yun firmware is openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin)
  • A Linux box. For this blog entry I will use Debian, but I guess the same will work under ubuntu and other debian based distros

It is worth noting at this point that I fully support Arduino’s choice of using an open solution such as OpenWRT, and squashfs is not the problem. Hacking firmwares is still possible even using proprietary formats, as long as the source of the firmware (or person handling the device before you) is not trusted.

Let’s first install the right tools. As root, run:
aptitude install squashfs-tools

The tools we need: unsquashfs and mksquashfs.Now, let’s get some information on the file:
unsquashfs -s openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin

This should give an output such as below:
Found a valid SQUASHFS 4:0 superblock on openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin.
Creation or last append time Sun Nov  9 01:25:00 2014
Filesystem size 7799.69 Kbytes (7.62 Mbytes)
Compression xz
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always_use_fragments option is not specified
Xattrs are compressed
Duplicates are removed
Number of fragments 130
Number of inodes 2083
Number of ids 1

In particular “Compression xz” will be useful to us when rebuilding the package.
Let’s now decompress the filesystem in a working directory:
unsquashfs openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin

A new directory should now be present: squashfs-root. It will contain all the files of the router. The purpose of this article is of course only to demonstrate how we could compromise a firmware so will only create a simple example. Let’s create something that, at boot, will write under /tmp a file

First we go in /etc/init.d and create the script, which we will call “hackTest”.
The file will contain:
echo “This might be a virus :)” > /tmp/virusTest

Let’s make it executable now
chmod +x hackTest

…And link it to the correct start sequence in /etc/rc.d. In my case, I decided to set it to S94:
ln -s ../init.d/hackTest S94hackTest

Now all is good to go – let’s pack our squashfs. Go back to the folder containing squashfs-root and create the new firmware:
mksquashfs squashfs-root openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin -comp xz

Note “-comp xz”, this is the compression that was specified on the file info above.
All is now ready. Update the Arduino, wait for the reboot.

Now, I understand that someone might think: isn’t it easier to just modify the system once booted up?
Well, this is true but on a factory reset things will go back to normal. Also, most of those devices provide a limited set of  read/write directories, so searching for issues if someone gets suspicious is a lot easier.

So what is the solution?
Well, make sure once the firmware is downloaded that the MD5 is correct using a different source to get the md5 strings (for example, your desktop). If your firmware was however modified, chances are it will not upload the firmware or might automatically modify the firmware during the install. This is quite a difficult matter to resolve, and if we are ever going to go back to a mainframe architecture in the future (i.e. Chromebook) this will become an ever bigger issue, and making the firmware proprietary is not the solution (see the various iOS hacks).

Google XSS game

0
Filed under Security

Well, this has been covered widely but can’t stop from writing about it in my blog, as I just had some time to play with it:
Google XSS game
It actually brought me back to the time when I had fun with text only games (good old MUDs!) :)

Now, if you haven’t tried it, I strongly suggest to give it a go – the aim is to make an alert() pop up in different scenarios.
I have to admit, I seriously struggled with #4 (like, hours), but it was well worth it. And reading the tips on the site is not cheating, they are just useful enough.

For #6, feel free to use mine (fabytes.com/ggxss.js – won’t spoil with details, just make sure certificate is ok on your machine before you use it) :)
And yes, it is safe I just put alert() in it!

GoogleXSS

Protonmail security review

0
Filed under Security

Note: Protonmail is still in beta, so things might change

Protonmail promises to deliver security to the mail world, accessible without any kind of monitoring from their side. As I write, their project on indiegogo.com has 27 days to go and already reached 128% of the goal.
So, after all the media coverage received by Protonmail, is it really going to be the next alternative to gmail?
But most importantly, is it as secure as it is advertised?
Let’s look into some of its features…

MailPage

 

The interface is very simple, no fuss. Gladly, no advertising so far based on “anonymous data” collected from our mail context. That is a good start I think.
As promised, the javascript side is not compressed, leaving a bit of transparency to the user, but I’ll get to it in a bit…

CodeJS
The interface to compose mails is also very simple; would be comparable to any standard webmail client, if it wasn’t for the encryption features on the right:

SendMail
We can encrypt the mail and give it an expiration. I am not quite sure why would an email expire when saving the contents for offline reading would be very easy, but let’s move on…

Debugging a little bit, seems clear that we use our public key client side to encrypt our mail:

So, the base encryption is AES256.

I believe arguments are then built within #totalpackage and sent (where the pgp part is added for *@protonmail.ch emails):

Then the draft is created:

This is good news – they are using the openpgp.js library to encrypt the messages, so it really happens all on the client side. Ok, but actually, this can be done using thunderbird too or most mail clients. That said, having it javascript based will give me the opportunity to have my pgp data always with me, even on someone else’s device.

Anyway, I clicked in the beginning to send the document encrypted externally. It seems to me that this part:

is responsible for encrypting outbound messages. It looks to me this will encrypt only the message with an hashed AES256 pass (see encryptMessage function in the code above). Keep this in mind, we will get into it in a bit.

We then receive the email from protonmail. Obviously no receiver PK is checked since we don’t know it (and I can’t find a way to add them)

mail

The question at this point is…

Are external mails kept just encrypted using a sha256 of our password using AES256?
It might seem like an OK solution now, but I bet in 5 years time hacking a sha256 won’t take so long. Even now with supercomputers won’t take long to break this SHA256. I personally don’t think at this stage protonmail offers an adequately secure external email.

In addition to that, answering to external emails now is impossible, but this might change.

Now, let’s forget about the AES256 scenario for a while. What are the other issues?
Well, there are no signature and no certificate authorities here, so anybody with access to the mail and the password (let’s assume someone is sniffing chats + mails) can actually get the data.
Ultimately, not using public keys, will lead to an additional exchange of keys, which in turn leads to a less secure solution.

All in all, this is a well thought system, though I think little privacy is offered with externally encrypted emails (which – in theory – can be decrypted by the server owners), and even our local emails might not stand the test of times (also, how scalable is it? Will we be able in the future to change algorithms without rebuilding the whole inbox?)

Never the less, my support goes to the guys, it is a great step forward to what we had before and even though there is room for improvement (and well, it is always possible my analysis has some flaws so welcome to comment) this I think is one way to make cryptography really accessible to anyone.

…Just one last heads-up. There are some pretty heavy limitations (in particular if you are used to Gmail space):
Screenshot - 21.06.2014 - 02:10:25

Plaid CTF

0
Filed under Generic, Security

Plaid hack catch the flag game – wanted to play a little bit before the weekend but seems that people would rather DDOS it.. I wonder why there must always be someone spoiling the game…Or is it a way to gain some time?

Updated source and binaries

0
Filed under Forensics, Security

New code and binaries out there!
It is now possible to set thresholds within the tool and there have been some stability improvements (though, still not exactly stable…)

I’ll publish the training videos on how to train new files in the next few days and start advertising the tool a bit more!

Youtube video uploaded!

0
Filed under Forensics, Security
Tagged as

added a youtube video on how to detect files – available in the “Projects” Section.