Archive

Archive for November, 2016

Newly discovered router flaw being hammered by in-the-wild attacks | Ars Technica

November 29, 2016 Leave a comment

It seems painfully clear to most security researchers now that the Mirai botnet is not finished and may never be unless providers take security seriously.

In an article from Arstechnica,

http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/

They explain that the loophole being exploited now deals with remote management ports for devices that our cable and DSL providers use. With most of the home users struggling to setup these devices when they get them home, they seldom change the default passwords and that allows hackers to exploit them. Vendors are also leaving application ports open to the Internet without proper source filtering which allows them to be enumerated by tools like Shodan and Censys.

We simply need to get better at taking ownership of our security posture, both consumers and vendors alike. Let’s all step up out game…

Categories: General

SafetyNet: Google’s tamper detection for Android ¬∑ John Kozyrakis ~ blog

November 28, 2016 Leave a comment

Interesting article about Google’s idea to test for rooted phones for developers who want to make sure that your phone is ‘safe’ to run their applications.

https://koz.io/inside-safetynet/

Categories: General

Stay tuned for more hacking…

November 28, 2016 Leave a comment

I was reading this article about the sentencing of a 17 year old in the UK for a Web attack that happened in 2015. He says he won’t do it again but do we really want that?

http://www.infosecurity-magazine.com/news/talktalk-breach-17yearold-confesses/

It tells us that several websites were vulnerable to a SQL injection attack which leaked personally identifiable info (Pii).

Aren’t we punishing the wrong people here? I mean his motives were to show off his abilities and not to obtain and exploit the data. It also appears that the site already knew about the attack and was not able to do anything to mitigate?

I know that we would all like to live in a world where lost wallets are always returned to us with all the money inside but isn’t the company primarily responsible for continuing to neglect the security of the data?

Until we start legislative accountability for companies that hold service availability over security, we will continue to have breaches. To penalize individuals who help to find these flaws instead of congratulating them is like forgiving the dog and scolding the bone for just being there.  

Categories: General

Cirque du Soleil – Ole

November 25, 2016 Leave a comment

Had a great night out in Mexico watching the new Cirque du Soleil production called ‘Joya’. I saw golfer Greg Norman at the event and the only thing I could think of saying to him was ‘Happy 20Th Anniversary’ ūüė¶

http://www.golfdigest.com/story/the-sharks-collapse-20-years-later&sa=U&ved=0ahUKEwiqjojX_sTQAhWG2SYKHROPC4sQFggaMAQ&usg=AFQjCNGzj3xeuushjxvo5w5em-zuVYJ0Jg

Categories: General

Bruce Schneier on the most recent attack vector, USB sticks

November 19, 2016 Leave a comment

Think of it, you walk into a building, see a computer that (hopefully) is locked and you plug in a USB device and walk away. Just like James Bond, you look at your watch and a few minutes pass by. You unplug your device and head back to the Astin Martin…

Well okay this part is fictitious but the rest isn’t. Read more about the the technique in this article.

https://www.schneier.com/blog/archives/2016/11/hacking_passwor.html

Categories: General

RFID hacking for fun (and profit)

November 11, 2016 1 comment

I recently received a new proxmark3 easy and began the fun of reader and cloning access badge cards. For those of you unaware of how these little while cards work, allow me to share some fun facts. The Radio Frequency Identification Device (RFID) Card are comprised of a coil of copper wire wrapped in a loop to create an electronic field. They also have an Integrated circuit (IC) embedded in them that is powered when the field is oscillated. Remember how rubbing your hands together creates static electricity?proxcard

This oscillating field comes from the reader and is tuned to a specific frequency that can be used to pickup a unique identifier from your card.

Near Field Communication (NFC) uses this mechanism and has a more dense command set which can allow it to utilize encryption.

We use RFID tags on most consumer goods to prevent theft and there was once an idea to embed these into pets and even humans!

proxmark3With a little computer know-how  and about $100.00 you can create a device that can be used to clone these badges in just seconds.

I setup my device to capture some data from my work facility with relative ease. Once stored (captured) from any card, the buffer of the device can now replay the signal to fool any reader.

I wanted to show you what some of the thinest cards would look like when they are scanned. The version I am using is a 37 bit iClass px D8L and it features the facility code and the card holder number (blanked out for security purposes).

proxcard2

Verifying the data from any card is as simple as issuing the command ‘lf search’. Here we can see the card number (known as the TAG ID) that would be registered into the security system along with the format length.

Now for the fun part – we place our valid card on top of our reader and issue the following command – ‘lf hid fskdemod’. This will tell you the TAG ID and will repeat quite a few times until it has sampled the modulated waveform.

Now we place a T5577 card on our proxmark device and type ‘lf hid clone’ followed by the TAG ID number. With any luck, you now have a cloned copy of your card!

Beware of manned security stations using newer technology, they will often look at the face of anyone who had their picture taken while being issued a card. Unless you look very similar to the person whose card you have cloned, you will surely be caught.

Next step is to setup a malware program on the security computer so that your picture is substituted for the card holder and our physical security challenge is successful. I wonder what their favourite website is to use when there is no one coming in and out of the building….hmmm. Nextime.

 

Categories: security Tags: ,

Playing with ASLR for Linux

November 5, 2016 Leave a comment

I recently completed a certification with SANS where we were taught to create our own exploits. A well behaved program should have a start procedure called a prologue, clean up and maintain itself and any objects it creates and finally an end. During our testing we assumed that Address Space Layout Randomization (ASLR) was turned on in order for our exploits to be successful but this is not always the case.

All programs have two different sections (instructions and data) and they need to be flagged differently in the memory. A section where only normal data is stored should be marked as non-executable. Executable code that does not dynamically change, should be flagged as read-only.

One of the tricks that hackers use to get control is to hijacking the stack pointer (a road map for where to go next). Evil programs are designed to perform a redirection in order to run their own malicious code. When any program is running in memory, if we want to protect it against evil programs we can use ASLR. Address space layout randomization is based upon the low chance of an attacker guessing the locations of randomly placed areas. Security is increased by increasing the search space.


Auditing

One of the easiest ways to find¬†if a Linux server had ASLR turned on was to look at the proc filesystem for the variable ‘randomize_va_space’.

cat /proc/sys/kernel/randomize_va_space

If the value returned was a zero (0) then it was off, a one (1) then it was on for the stack. Ideally you want to use the value two (2) which will also randomize the data segments but all programs need to be built as a Position Independent Executable (PIE). It will also require that all shared object libraries (.so libraries) also be built as PIE.

Another way to see if ASLR has been activated is to run ldd against your executable and inspect the load address of the shared object libraries.

$ ldd -d -r demo
linux-vdso.so.1 => (0x00007fffe2fff000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3e73cd8000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3e74057000)
$ ldd -d -r demo
linux-vdso.so.1 => (0x00007fff053ff000)
libc.so.6 => /lib64/libc.so.6 (0x00007f82071ac000)
/lib64/ld-linux-x86-64.so.2 (0x00007f820752b000)

Notice the change in the memory address referenced by the C library and the dynamic linker (libc and ld-Linux-x86-64)? This indicates that ASLR is in effect.

To ensure that all of your Linux code is more difficult to bypass you will want to audit your systems and look for the value of 2 (assuming your other programs fully support PIE.

root@mybox:~$¬†sysctl -a –pattern “randomize”

kernel.randomize_va_space = 2


Bypass

I refer to ‘Bypassing ASLR’ on the Linux system as finding a way to defeat it as a security mechanism. If all shared libraries were compiled as PIE along with all executables (services if attacking remotely and all executables if granted console access) then ASLR would be very difficult to beat but that is not the case. The additional checks required to be sure that the attack footprint has been reduced to zero is to audit each of the services publically available to make sure that all libraries and¬†executables involved are 100%¬†position independent.

There is a great opensource tool out there for checking if your executables support PIE.

‘CheckSec.sh’¬†maintained by slimm609 (https://github.com/slimm609/checksec.sh)

Categories: security, Work related