Monday, July 28, 2008

An apple a day.......

Should keep the doctor away. Unless it's an OS X install acting as a DNS server, in which case this apple a day will get you owned.

In case you have been living on the moon and have missed the huge number of news stories about the serious issue discovered in every DNS implementation, please read this.

It appears that Apple are one of the few major vendors who have not released a patch and, according to Heise Security, they haven't even issued any security alerts. I'm not an anti-Apple person, I own a MacBook and an iPod Touch, but over the years they haven't been great at security and patching. Steve Jobs might be right about Microsoft lacking taste and design ideas, but they sure do kick Apple's ass when it comes to patching and patch scheduling.

This DNS issue had been bubbling for a couple of weeks until Halvar Flake figured out the problem. DYOR (Do Your Own Research) on the whole story, but the issue has got much worse with the release of a Metasploit module and Evilgrade, which exploit this issue.

As soon as I get the chance I will give a demo of either the Metasploit modules or Evilgrade, probably Evilgrade as I like the look of that!

Dave

76% of US banking websites insecure

I came across a study today written by Laura Falk, Atul Prakash and Kevin Borders from the University of Michigan which explains that, of the 214 US banking sites reviewed, 76% have security holes.

The report focuses on security issues that have occurred because of poor design decisions in the development of the banking sites. I like this approach because it demonstrates that security compromises don't just occur through obscure or fancy attacks.

Some of the issues highlighted are things that I would suggest are obvious design flaws such as beginning a logon session from an HTTP page.

I would suggest that anyone with an interest in secure web application development should have a read of this report. My article in the next edition of Insecure Magazine will give you tips on how to avoid these types of design issues.

Dave

Tuesday, July 15, 2008

Views on the news

I have come across a few news stories I wanted to share with you all today, so instead of having multiple posts I thought I would address them all here.

The first news story I nearly didn't read, but I'm glad I did. Moodle is a course management portal used by universities and the like across the world. The story explained how the portal has two vulnerabilities: XSS (Cross Site Scripting, not really a "wow") but also a CSRF (Cross Site Request Forgery). The CSRF really interested me and I now have something to point my colleagues to, who have listened to me talking about this issue for a while now.

I won't explain CSRF here (details can be found here), but the attack itself tricked users into clicking on a link which sent an edit-profile request on their behalf. This leads to a compromise of the user's account.
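The edit-profile flaw above is the textbook CSRF shape: the browser attaches the session cookie to whatever request a planted link triggers, and the application takes the cookie alone as proof the user meant it. Here is an added example (not Moodle's code, not from the original post) showing that handler pattern beside the standard fix, a per-session synchroniser token that only the genuine same-origin form can supply. The session store, user names and e-mail addresses are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> state). In a real
# application this is the framework's session backend.
SESSIONS = {}


def create_session(username):
    """Log a user in and mint a random CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": username,
        "email": f"{username}@example.invalid",
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def render_edit_form(sid):
    """Value the legitimate edit-profile form embeds in a hidden field.
    Only a page served from the application's own origin can read it."""
    return SESSIONS[sid]["csrf_token"]


def edit_profile_vulnerable(sid, form):
    """The pattern in the story: a valid session cookie is the only check,
    so a request the browser was tricked into sending is honoured."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "not logged in"
    session["email"] = form["email"]
    return True, "profile updated"


def edit_profile_hardened(sid, form):
    """Same handler with a synchroniser token: the request must carry the
    token that the session's own form embedded."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "csrf token missing or invalid"
    session["email"] = form["email"]
    return True, "profile updated"


def demo():
    """Replay a forged cross-site request against both handlers and a genuine
    form submission against the hardened one. Returns
    (vulnerable_accepted_forgery, hardened_rejected_forgery, legit_accepted)."""
    sid = create_session("alice")
    # Constructed forged request: the cookie (sid) rides along automatically,
    # but a third-party page cannot read the session's token to include it.
    forged = {"email": "changed-by-forgery@example.invalid"}
    vuln_ok, _ = edit_profile_vulnerable(sid, forged)
    hard_ok, _ = edit_profile_hardened(sid, forged)
    # Genuine submission from the real form carries the hidden token.
    legit = {"email": "alice.new@example.invalid", "csrf_token": render_edit_form(sid)}
    legit_ok, _ = edit_profile_hardened(sid, legit)
    return vuln_ok, not hard_ok, legit_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The token must be unpredictable and tied to the session; a fixed or per-user-name value would defeat the purpose. The same check applies to every state-changing request, not just the profile form.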

The second story explains how 3/4 of UK companies have banned IM within their infrastructure. The story states that only 88% of the IT directors surveyed felt IM posed a security risk, oh dear. Personally I would ban public IM (MSN, Yahoo etc.) for all users; in fact I would go one step further and remove web access completely for certain business units. If a business unit has access to sensitive data then, in my opinion, the systems in that business unit should not have web access. The sensitive data could be credit card data, intellectual property such as source code - anything sensitive and of high value to the business really.

I'd like to hear the opinions of other people on this.

Just one more to go, a more technical story.

The last one is from SANS ISC, have a read and let me know what you think.

Dave

The dataloss database

I often struggled to find the statistics I required for presentations on data breaches until I found attrition.org.

I liked attrition, but I love what it has evolved into! I got an email on the Full Disclosure mailing list today announcing its change to the dataloss database. The Open Security Foundation will be running the DataLossDB and I for one look forward to using it going forward!

Basically it is a central DB of all public data breaches from the past 8 years. There are many ways to search the data, and monthly and annual reports can be viewed by anyone.

I have to say the guys at OSF have done a great job with this!

Dave

Thursday, July 10, 2008

2600, first the magazine now the book!

2600 magazine has been around since 1984 and I always look forward to my copy being delivered. I was happy to read that they are releasing a book with all of the best bits from 1984 through to 2008.

I think it will be a great read. I bet the articles in the early editions still talked about topics such as blueboxing, through to the early/mid nineties when the internet exploded into the beast we know today. I can't wait!

More details can be found here: 2600 book

And yes, I have pre-ordered mine ;-)

Dave

Tuesday, July 8, 2008

Part 3 - using the wrapped ProRat Trojan

Well, finally I have managed to get part 3 written. My initial intention was to use the modified tini.exe that we installed in part two, but I changed my mind. Parts one and two are still fully relevant; you need to have read part two to understand part 3 fully.

I decided to use a trojan that has far more "eye candy" than tini and netcat. I'm using a trojan called ProRat which I used to tinker about with in the past. I think it will really highlight why part one and part two were important to know.

First, as usual, the actors:


I have used two Windows XP virtual machines (safety first kids) for this demonstration; both the victim and attacker hosts are shown below:

I have downloaded and opened the ProRat command software on the attacker machine as shown below:


The first thing I need to do is create the server. The server in ProRat is actually the piece of software you wish to install on the victim's machine. I chose a random port for my server, port 8668. I have included a few screenshots below showing the wide range of options available to the attacker when he is creating the server:

Some of those options, more so in the first image, are pretty serious attacker options. For example, disabling the firewall and anti-virus...

I wrapped the ProRat server up with the Firefox installer (see part two of this series for more information) and installed this on the victim's machine. I have included before and after netstat -na outputs below:

I connect to the server through the ProRat command console:


I think it's time for some fun, let's have a play with some of the tools available to us. As you can see, the command console offers me lots of tools to extract information or even do more damage to the victim. I have just selected a few of these to demonstrate in this post.

I have included screenshots of a few of these tools in action, firstly taking screenshots of the victim's desktop:


Viewing the applications the victim is running:


Viewing the web history:


I just have three more examples I would like to show you in this post. Firstly, copying the victim's clipboard. I have entered some text in Notepad on the victim's computer:


And I have accessed this through the command console:


Second, stealing files from the victim's machine. The victim has a file called mypasswordsfile.txt:


and I have copied this to the command console:


Just one more to show, the keylogger. Without needing any prompting from me, the ProRat server has been sending all of the keystrokes back to the command console as shown below:


Well, that is all really. I think we can all now see how easy it can be to get malicious and powerful software onto an unsuspecting victim's machine.

Don't have nightmares, the next technical post will be explaining how to steal data and hide it covertly in TCP packets.

Dave

PS - all stunts are performed by highly trained security ninjas, do not attempt to perform these stunts in your own home.

Monday, July 7, 2008

Exploit-me tools

I have been using a few new tools recently to help automate my XSS and SQL injection testing and I thought I would share them with you.

My normal approach involved manual work along with the Burp Suite (using the intruder function) with a list of inputs loaded in. I came across the Exploit-me tools from Security Compass and I thought I would tell you guys about them.

I won't talk too much about how to use the tools; I think installing them and having a play will tell you all you need to know. The link above to the Security Compass website does have some FAQs/usage guides along with a presentation given at the SecTor conference. XSS-Me comes pre-loaded with RSnake's XSS cheat sheet inputs; these can be expanded with strings from your own brain or from many web sources. SQL Inject-Me is similar in that it comes pre-loaded with some strings, and again this list can be extended. Lastly, the Access-Me tool aims to exploit access control flaws within an application.

Have a play with the tools and let me know what you think.

Dave

(in)secure magazine article

Hi everyone,

I will be writing an article for the next edition of (in)secure magazine on secure web application development.

I plan on explaining why we need to develop securely, what kind of approaches to development can be taken to ensure secure development takes place and then general tips based on my own experience.

When the next edition is released I will post a link to it here.

Dave

I'm back!

I flew back to Ireland this morning from the British Grand Prix; as a fan of Ferrari it turned out to be a disappointing race for me. Arguably we haven't been as poor from a team perspective since the pre-Schumacher days in the 80's and early 90's. Hopefully things will be better when I fly to the home of Ferrari F1 racing in September.

I will be working on post 3 in the series over the next day or two so watch out for that. Because of the comment by Niall last week about Anti Virus products I want to take a different approach to the one I had originally planned so stay tuned!

Wednesday, July 2, 2008

Citibank ATMs hacked

I came across an interesting story today which explains how the Citibank ATMs in over 5,000 7-Eleven stores have been hacked.

It is estimated that the hackers have stolen around $2 million from this hack. That is of course no small amount of cash, but that's not what caught my attention. All that's known is that the hackers broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to steal the PIN numbers. The PIN numbers were passed in the clear from the ATM machine through to the backend system. This is about all the information that has been made public so far; as soon as I hear any more I will post it here.

This is clearly a new way to steal PIN numbers and would show absolutely no signs to the ATM user. Previously security professionals would inform users not to enter their PIN into links followed through phishing emails. We would also tell people about false fronts on ATMs designed to steal your data, but this is completely different. The end user would have had no idea that this was going on.

More and more ATMs are running on the Windows operating system, and this appears to cover a range of versions from Windows 98 through to Windows XP. I have an example of an ATM running Windows NT below:


And a second image I like is shown below; it's a Russian ATM running a pirated version of Windows XP:


Dave

Tuesday, July 1, 2008

Wrapping a backdoor with a genuine installer

Well, I have been able to get this posted much quicker than I thought. In short, I will be using dave.exe from post 1 and wrapping it up with the genuine installer for Firefox 3.0.

This will install Firefox and also my backdoor silently on the machine.

Here we go, the actors:


Once I have launched Elitewrap I have to define the output filename. This is the name of the wrapped .exe.


Once this has been defined you have to select the operation you want Elitewrap to perform.


The readme file lists all the options with explanations, but I will be using operation 3. This will install my backdoor silently whilst the Firefox installer runs in the foreground.

And so to wrap the exes, nothing really complicated to it as you can see below:


And here is the output:


Before I run this executable I have run the netstat -na command to show the backdoor isn't already running (it will be on port 39846):


So I double-click the exe and here is the output (including an updated netstat):

So we can see already that the backdoor is listening and we haven't even installed Firefox. So even if we were to cancel the installation, it's too late.
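The before-and-after netstat -na comparison used here (port 39846) and in part three (the ProRat server on port 8668) is, turned around, a cheap detection control: snapshot the listening sockets before an install and diff afterwards, and a new listener that nobody asked for stands out. Below is an added example of that diff, not code from the original post or from any tool it mentions. The netstat output is constructed to look like Windows XP output; only the port number 39846 is taken from the post, and the allow-list of expected ports is an assumption a defender would fill in from their own baseline.

```python
import re

# Constructed sample modelled on Windows XP "netstat -na" output, taken as the
# baseline before the wrapped installer is run.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  TCP    192.168.56.101:1043    192.168.56.1:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.56.101:137     *:*
"""

# Constructed "after" snapshot: identical except for one new listening socket
# on the backdoor port from the post.
AFTER = BEFORE + "  TCP    0.0.0.0:39846          0.0.0.0:0              LISTENING\n"

# Proto, local address, foreign address and (for TCP only) the state column.
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic:
    TCP sockets in LISTENING state plus every bound UDP socket (netstat
    prints no state for UDP). Header lines and established TCP connections
    are skipped."""
    found = set()
    for line in netstat_text.splitlines():
        match = SOCKET_LINE.match(line)
        if not match:
            continue
        proto, local, _foreign, state = match.groups()
        # rsplit copes with addresses that themselves contain colons.
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, port))
    return found


def new_listeners(before_text, after_text):
    """Sockets present in the after snapshot but absent from the baseline."""
    return sorted(listeners(after_text) - listeners(before_text))


def report(before_text, after_text, expected_ports=()):
    """New listeners that are not on the allow-list of ports the install was
    expected to open. An empty result means nothing unexplained appeared."""
    return [(proto, port) for proto, port in new_listeners(before_text, after_text)
            if port not in expected_ports]


if __name__ == "__main__":
    for proto, port in report(BEFORE, AFTER):
        print(f"new listener not in baseline: {proto} port {port}")
```

The same approach works from a scheduled task that writes netstat output to a file each hour and diffs against the previous run; the interesting events are the listeners that appear without a corresponding, approved software change.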

We continued the installation and allowed it to finish:


And the final result is shown below:


Firefox installed without any hint of a problem and my backdoor is waiting for me to connect.

I hope that this post has been informative, contact me or leave a comment if you have any questions.

Update: based on Niall's comment I have uploaded the wrapped firefox.exe to Virus Total and the results are shown below:


For part three of this post I will be using something a bit more industrial than dave.exe. All will be revealed soon!

Dave