Posts Tagged ‘hacking’

Why exfil your payload via ASCII? A picture is worth…

July 6, 2020 Leave a comment

Malwarebytes has discovered a new type of skimming attack where the booty is sent via an image!

The attackers hides the credit card skimmers in the metadata of icon files and then sends the sensitive info after the attack is successful, to the C2 via an image.

Talk about the need for ‘copy protection’?

As if hiding JavaScript in the copyright tag of the ico file isn’t ingenuous enough, they capture input field data, obfuscate it and place it in a image file to be uploaded so your Siem doesn’t even see it?

They have shared the details in a blog post if you want to learn more.

Categories: General Tags: , ,

Certificate Expiry – Doh

February 8, 2020 Leave a comment

Don’t you just hate when that happens – you have a nice, professional website that is generating revenue for your company and someone forgets to renew the TLS certificate!

Packt Publishing sure does today when it seems clear that almost all of its visitors will not be able to connect to their website.

It happens to many of us and it is due to poor certificate management. Microsoft Teams announced that they had surpassed Slack as the number one platform for messaging and collaboration but recently experienced an outage due to an expired certificate. Imagine how that affected their reputation and think of the brand impact that could have resulted in incalculable loss!

Whether you have 1 SSL/TLS Certificate protecting your website or you have setup an extensive server farm both inside and outside your organization, managing certificate renewal can bite you in the A$$.

Think strongly about a certificate management program that can alert you to thinks like certificate expiry for items like websites, Internet of Things and even network devices. With the push to ensure that we adopt https everywhere, you will need to manage certificates for almost every endpoint we use for mail, for file and print services and of course for all of the applications that use web based browsers. Even some of the desktop application are just shells that use a custom shell to deliver http based content so you may also have outage associated with certificates for some of the popular applications like Slack and Teams on your desktop.

Prevent outage by discovering and being aware of all of your certificates before someone else tells you!

Categories: General Tags: ,

Are you a Secure Programmer?

December 27, 2019 Leave a comment

Happy New Year to those of you who read this blog, and to those folks who remember my predictions about going over 20,000 unique CVEs in 2019, I trust you may agree that 2019 was a banner year for vulnerabilities. Lucent/Alcatel are among the vendors who have CVEs that have taken us over 20,000 this year (CVE-2019-20047, 20048).

It’s time to ask yourself, are the hackers getting better at ‘hacking’ or are coders just getting worse? If we are going to examine how the last half of a decade has had more than 10,000 unique vulnerabilities each year and that number keeps increasing, we will all need to come to the conclusion that programmers just don’t know how to create programs that are secure by default!

Here is a chance for some of the best and brightest programmers to change course and learn how to avoid these vulnerabilities once and for all.

A California University (UCDavis) has created an online course that can help teach the Principles of Secure Coding. In a series of four courses, developers can learn about the fundamentals, identify vulnerabilities and walk on the wildside as they learn how to hack just like the a blackhat!

Take one, two or the set of four courses and really understand how pentesters can exploit how code works so you can learn how to avoid many of the common pitfalls.

Categories: General Tags: , ,

RFID hacking for fun (and profit)

November 11, 2016 1 comment

I recently received a new proxmark3 easy and began the fun of reader and cloning access badge cards. For those of you unaware of how these little while cards work, allow me to share some fun facts. The Radio Frequency Identification Device (RFID) Card are comprised of a coil of copper wire wrapped in a loop to create an electronic field. They also have an Integrated circuit (IC) embedded in them that is powered when the field is oscillated. Remember how rubbing your hands together creates static electricity?proxcard

This oscillating field comes from the reader and is tuned to a specific frequency that can be used to pickup a unique identifier from your card.

Near Field Communication (NFC) uses this mechanism and has a more dense command set which can allow it to utilize encryption.

We use RFID tags on most consumer goods to prevent theft and there was once an idea to embed these into pets and even humans!

proxmark3With a little computer know-how  and about $100.00 you can create a device that can be used to clone these badges in just seconds.

I setup my device to capture some data from my work facility with relative ease. Once stored (captured) from any card, the buffer of the device can now replay the signal to fool any reader.

I wanted to show you what some of the thinest cards would look like when they are scanned. The version I am using is a 37 bit iClass px D8L and it features the facility code and the card holder number (blanked out for security purposes).


Verifying the data from any card is as simple as issuing the command ‘lf search’. Here we can see the card number (known as the TAG ID) that would be registered into the security system along with the format length.

Now for the fun part – we place our valid card on top of our reader and issue the following command – ‘lf hid fskdemod’. This will tell you the TAG ID and will repeat quite a few times until it has sampled the modulated waveform.

Now we place a T5577 card on our proxmark device and type ‘lf hid clone’ followed by the TAG ID number. With any luck, you now have a cloned copy of your card!

Beware of manned security stations using newer technology, they will often look at the face of anyone who had their picture taken while being issued a card. Unless you look very similar to the person whose card you have cloned, you will surely be caught.

Next step is to setup a malware program on the security computer so that your picture is substituted for the card holder and our physical security challenge is successful. I wonder what their favourite website is to use when there is no one coming in and out of the building….hmmm. Nextime.


Categories: security Tags: ,

Security Controls – Know ’em, Use ’em

June 8, 2015 Leave a comment

I wanted to create a post to share with our readers the SANs top 20 controls. These are a set of ‘good practices’ that are aligned with the National Institute of Standards and Technology (NIST) and should be adopted by any business in order to manage their computers and networks more effectively. I feel they are outlined in order of importance and I would like to begin with the most important (Number 1). A full list of the top 20 controls are available at I will try to detail several of them over the next few blog posts.

  • Inventory of Authorized and Unauthorized Devices

The need to have a complete and up to date inventory of what is on your network is crucial to knowing how to stop the bad guys from getting in. You can’t fix it if you don’t know its broken and the same holds true with networking. Just because you cannot see it doesn’t mean it can’t connect to your computers, servers, wireless. Anything that can connect to your wired network must be inventoried and if you use a wireless network you should REALLY inventory any system that is connected to it.

Use an automated asset discovery system to audit all of your devices or do it manually but you must do it. Audit your Dynamic IP configuration tools and consider network level authentication in the case of wireless. You can also consider using Private Key Infrastructure (PKI) to manage the authentication of devices if they support it in order to effectively manage access.

  • Inventory of Authorized and Unauthorized Software

Equally as important as knowing about all the devices connected to your network is knowing about all the software running on those devices. Attackers are scanning any device that is connected to your Internet connection starting with your router and any services that you expose to the public facing Internet. Port forwarding remote administration tools, web servers, even ports that you are not aware of so know all of the connection methods that your equipment uses and if you have wireless networks you need to inventory all software. A wireless network that is not separated from your wired (primary) network exposes ALL of your devices and the software running on those devices.

Use software that controls what applications are allowed to run (whitelisting). Use host based firewalls and remove unnecessary software and services that you do not know or need. Only deploy software tools from a known source and verify file integrity using hashes wherever possible.

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

In their default configurations, most equipment manufacturers do not focus on safe and secured deployments. Why would they – they want the device to work in ANY situation. They leave the implementation of security to you, the purchaser. If you do not learn to modify configurations for your environment you are exposing yourself to attack not only from outside agents but from within as well (this is especially true with Wireless). Scripts that can be run (intentionally or otherwise) when a user visits a webpage will often include default credentials in order to catch the low hanging fruit. Adding your own configuration parameters can help mitigate those risks.

Utilize a standard build for new computer systems and store them offline if possible. Establish a secure mechanism to deploy any new system over the network and ensure that new configurations adhere to policies that you create and maintain. Implement a file integrity check on all key configuration files and maintain a change management system to log any/all modifications.

  • Continuous Vulnerability Assessment and Remediation

As new features, devices are added and software, firmware change the need to monitor and manage vulnerabilities can grow exponentially. Failing to scan for and fix critical vulnerabilities can introduce risk to your organization during the time it takes to find and the patch your software and firmware flaws. Implement or contract for vulnerability assessment on a regular basis to ensure that nothing is missed. All it takes is one avenue for an attacker to penetrate your systems – you have to make sure that all of them are closed. Implement central logging in order to monitor system wide activity and reduce the chance that an attacker can remove his tracks.

Setup a patch testing lab if uptime is important – it will allow you to rate your risk level whenever delay is necessary in deploying patches. Implement an automated patching mechanism and monitor activity to review any errors.

  • Malware Defenses

Malware is any software, script or piece of code that is intended to damage, disable or circumvent normal use of a computer. It can be harmful, benign or helpful although the latter is rarely the case. Your need to prevent it from happening is now more important that ever before. The ability for AniVirus/Antimalware software to prevent this from ever happening to you is gone. Attackers can and do use obfuscation techniques to thwart your scanning software so don’t rely on it. On the contrary, make sure that you use one and keep it up to date. It can be useful to catch 50-80% of the infection attempts.

 Control/Limit the use of external devices and consider implementing network based Intrusion Detection systems on or in conjunction with your firewall. Log all domain name queries to help identify known command and control contact to malicious domains. Create and implement an incident response process that can be helpful in adding any out of band malware that is not currently being detected by scanning signatures.

These five top 20 controls will have the most effect in preventing breach and helping you mitigate risk on your network. I suggest that my clients subscribe to our management service in order to help monitor and manage their Windows/Apple/Android devices and when we are contracted to manage the entire LAN we will monitor and manage the remaining devices. This allows us to have logs from all of the computer devices and can help us find the primary errors in any organization.

For a more detailed event monitoring approach we suggest that they utilize a device that can be used to hold all event logs from any network system (syslog server). It also allows us to use file integrity monitoring on devices that have a key role in the organization. There are agents for most hardware that can be installed to manage the files, bandwidth, etc.

OSSIM Version

OSSIM Version

It uses a vulnerability scanner to help identify any potential attack vector so we can remedy it. It also has a trouble ticket software built in that can create tickets automatically whenever a set of configured criteria are met which include traffic analysis, breach information, new devices found, etc.

For those of you who have read this far and find yourselves without adequate protection in any/all of these areas I would encourage you to consider looking at the Alienvault line of products.

I feel security is like insurance – it’s better to have and not need than need and not have.

Categories: General Tags: , ,

Computer Breach and what you can do about it

May 18, 2015 Leave a comment

Security Breach can happen to you

Experts agree that 2015 will be a tipping point for most small to medium sized businesses when it comes to computer security. The average organization cost of data breach is now over 6 million dollars. For most of my clients their loss won’t be anywhere near those numbers but to understand the cost to you or your organization that is over $200 per record. Maybe it’s a list of your clients or your employee wages or perhaps it’s usernames and passwords for your organization. Do the math – these can add up to large scale loss for everyone.

Among the top 5 threats for computer networks today are;

  1. IoT – The Internet of things brings along convenience but those IP enabled devices are not without risk. As you purchase Wi-Fi enabled security systems, TVs, media devices, Network Area Storage, etc. we are seeing an increase in vulnerabilities that expose your network and help to increase your attack surface. They need to be monitored and maintained because they are not as secure as a computer or a server.
  2. DDoS – The abilty to overwhelm your network with traffic is quite common and can easily be done by most consumers with a home network connection. If you require the Internet to do business you should evaluate whether you can operate without it. If not then you should consider protecting yourself against the real possibility that it could happen to you.
  3. Social Media Attacks – If your business uses any cloud based or social media application you should review your authentication and user management policies to avoid a potential breach of your accounts. Hackers are now targeting online applications in order to infect your users and gain access to your networks through the use of Cross Site scripting vulnerabilities. All it takes to be infected is for an email to be clicked on and you can no longer rely that your AntiVirus will prevent any Trojans from getting through.
  4. Mobile Malware – The volume of mobile devices beginning to enter your workplace and the ability to use your internet connection add a very large possibility that malware on a mobile device can get access to your corporate network. If you already allow users to have access to your network with any computerized devices you are probably at risk. You should consider controlling the access or monitor all of the devices by using a Mobile Device Management platform or you risk a possible breach to continue without your knowledge.
  5. Third party Attacks – Many companies allow third party applications to connect with their own network assets but how safe are they? Large scale breaches have been shown to be caused by third party vulnerabilities and these occupy a ‘grey area’ when it comes to management (who is responsible to keep all applications up to date on those systems?). Many user agreements do not cover damages that can be caused by a lack of security practices and once the vulnerabilities have been exploited, hackers use those systems to pivot onto your networks and wreak havoc on your networks.

There are several methods you can implement that can help mitigate the risks.

  1. Implement Monitoring – It is no longer safe practice to just implement a firewall you need to monitor all traffic coming into and out of your network. Hundreds of breaches in any network design have been traced to a failure to see IOC (Indicators of compromise). Not only do you need to record reams of data but you need to review them in order to determine what is normal behavior and what indicates a potential breach. There are devices available that can help you do that and although they can be complicated to implement, once properly deployed they can help you become aware of details that help you find attacks before they become too big.
  2. End User security awareness – If you don’t already have a program in place you should consider a large scale awareness campaign surrounding security at your organization. It can be as simple as a regular talk over lunch or it  can involve testing to be sure that your employees have taken the necessary steps and understand your policies. You need to train your users about the do’s and don’ts of all aspects of your security. Physical security, passwords, email questions, sharing account credentials, staffing questions, etc. You need to protect all aspects of information leakage whereas hackers only need one of them.
  3. Inventory all equipment – If you do not have an active list of your equipment, anything that is or was connected to your network, then take the time to make one and keep it up to date. Many organizations are leaking information that can be critical to your operations. Network devices that no longer are connected should be properly disposed of and /or their configurations need to be wiped. Improperly configured devices and anything with wireless access remain the largest risk to any organization – all of these devices need to be audited on an regular basis to manage the risk.
  4. Review your Protection – Make sure that you update ALL software (this includes Operating systems and any third party applications) that are actively used on all networked computers. Update any firmware on devices that connect to your networks. Implement and maintain Antivirus software on any computer that is actively used to open emails or browse the Internet.

There are many different ways you can help protect yourself from attack but I wanted to point out the clear methods to avoid them. If you are aware of all of the different methods that can be used to gain access to your company or it’s information then you can help manage them. A failure to see them coming is a sure fire way to enable the attack over an over again.

Categories: Work related Tags:

Imagine a single tool that hackers could use to break into your network…

March 12, 2015 2 comments

…and you are probably thinking about Metasploit.

As a security specialist I am saddened to think how easy it is to break into what was once considered a pretty safe way to conduct your business online. Years and years ago we all touted the necessity of a firewall with it’s ‘allow nothing in – allow everything out’ stance. Most sysadmins believed that if you had a crunchy outer shell it would be enough to protect you from the bad guys outside of your organization who are knocking on your proverbial door. We, as sysadmins then debated about the merits of network segmentation and egress filtering and a lot of us agreed that it would be a lot of work to implement and administrate compared to the risks associated with simply leaving the network topology flat and open. Then came along WiFi and for most of the users – it made connectivity easier but as sysadmins we knew that it would require some additional brain power to make it work securely. First WEP got cracked and when WPA-Personal and -Enterprise was introduced and at that time, it represented a pretty safe and uncrackable method to secure the wireless network. WPS made it easy to setup but we found shortly after that WPS has it’s flaws.

Today any user with a computer and extremely fast graphic card could crush a short password in a matter of hours. Now we tell users to make their password longer and to choose better passwords. Then would-be hackers build faster computers to crack longer passwords in a shorter period of time. It all begins to seem to me more like when the bad guys get in rather than if they get in.

It’s time to ask yourself about how well your assets are protected? Does your network topology resemble a cookie (hard on the outside and soft on the inside) or have you taken steps to limit the damage that can be done once your walls fall? It’s hard to believe that you could come in one Monday morning and find out that your network is having a really bad day; all the result of a little tool like Metasploit in the hands of a few skilled people. There are literally thousands of known vulnerabilities, at least one for any number of hardware devices that make up your network and they are all contained in and ready to be unleashed on all of your devices by this tool once they get in. Network switches, IP phones and phone systems, routers and firewalls, printers, etc. Lets not forget the laptops, workstations, servers, tablets, ipads and oh yes the smart phones that we all know and love?

You home users are just as vulnerable with your Thermostats, IP cameras, wifi adapters, home alarm systems, all web enabled. Every day we hear about some vendor that has IP enabled another appliance in your home and do you think they are worried about the safety of the device while you own it? As a consumer I am pleased when my new fridge can show me a picture on my cell phone of what is inside while I am standing in my local super market but as a security researcher – I am horrified of all the possibilities that could happen as a result of poor security. On the flipside and as a white hat (someone who hacks stuff to make it better) I am thrilled that there will soon be more things to test and ensure that the vendor has created a safe secure product for my fellow users to enjoy. The question that is raised in my mind by these likely events is just who is quality controlling these devices – them or you?

Categories: Work related Tags: ,

Still using short passwords in your organization…

February 5, 2015 Leave a comment

With email turning 40 years old recently we though it was a good time to visit ‘password length’ and how choosing one factor above all can make the difference in your online security for you and your organization.

There are very few applications left that require short eight character passwords (known as legacy apps) so you should be thinking of different ways to create and recall your passwords. There are several methods I have heard over the years and whichever method or combinations you choose to employ, security experts all agree, length is the most important one of all  (at least that what the ladies are saying :-))

I wanted to show how anyone who plays games on a computer can use that graphics card to guess your password. Typically it is the main Central Processing Unit (CPU) that is responsible for the ‘heavy lifting’ in your computer but for our purposes we need a Graphics Processing Unit (GPU) to do the tedious task of computing.

Now typically password guessing has involved a wordlist, a list of common passwords that is used to compare against what your password *might* be. This was necessary because of the permutations of each place holder. If we wanted to check every combination of upper case, lower case, number or special character in each of the 6 positions it would take an enormous amount of time. You could thwart the risk of someone guessing your password with a good password rotation policy but as processor power increased this is quickly becoming a concern.

Password-guessing-6      Here we show how fast we can brute force any password to a length of 6 characters. This is the default password length of a windows password. In as little as 2 minutes someone with about a $1000.00 computer can crack your password files on your computer or in your organization.

Here we see how easy it is for that same person to try every possible combination of characters if you change the minimum length to 7.

Password-guessing-7In as little as 3 1/2 hours we can use the power of a single video card to examine every combination of characters you can possible use to create a password of 7 characters or less.

How about 8 characters? This same user would take approx. 2 days to try all possible passwords and compare them with the password file that stores your hashes. All anyone needs to do is run a tool on your computer or on your domain controller to exfiltrate your password hashes and they can use the power of the GPU to guess your passwords. How about 9 characters? Well the amount of time it takes for a single medium priced GPU to tackle 9 characters is quite high (almost 4 years). So why not just make the minimum length of passwords to be 9 characters? Well these results were derived using a single $400.00 video card. We can buy a more expensive card and increase our processing power another 20%. We could even buy a more expensive computer that is capable of running 4 or even 8 video cards in the same system! A machine like this would probably reduce the amount of time it takes to brute force 10 character passwords to a few hours (this is an estimate – YMMV).

The days of simple dictionary passwords may not be here anymore and you might feel that it is impossible to remember all of these long passwords so I wanted to point out a few methods you should adopt that can help you. I hope I have shown you how trivial it is to guess your password and failure to adopt a longer password could result in compromise of your accounts. All it would take for a hacker to get access to your information is to use a ‘free’ wifi hotspot and your computer could be owned.

1. Use a longer password – add dots, dashes, your phone number, anything that will take your password length beyond 12 character Security professionals have forecasted that 12 characters is the minimum length we should be using with todays technology.

2. Use an online password manager – these systems can generate random passwords of various lengths and you only need to remember one password (the password to log you in).

If you are interested in finding out just how easy it could be to guess your current password you can visit

Categories: Work related Tags:

I am betting that 2015 will be the year of security…

January 31, 2015 Leave a comment

Last year was a banner year for old school hacks – remember HeartBleed and ShellShock – those were missed by a lot of us because it was stable code (or so we thought). Hundreds of thousands of us just focused on the newest apps and how we could exploit them. A few researchers went back over some of the mainstream code that we all used for years and found some ‘features’ that we added a while back that could be exploited today. I am willing to bet that more and more people are taking the gloves off and trying all sorts of applications to find that 0-day that will make them famous.

As a self proclaimed whitehat, I am interested in find flaws for profit. Let me be clear, I am not interested in exploiting them or selling them to blackhats – no, for I am a security researcher. My intention is to help users identify weakness in the communication devices we use on a daily basis so that we can feel safe. There are a myriad of individuals who would love to collect anything about you from advertisers who want to sell you things to our governments who want to monitor what you do with your time. When you add to that the kids that come home after school and just want something to do along with the legitimate users who hack for profit you have a lot of reasons to protect your online privacy.

Recently I put together a small computer that could be used to identify weak passwords by scanning your wireless networks. First we were able to install Linux on a single board computer and connect a wifi adapter that is used to ‘listen’ to your wireless. After a short amount of time (minutes if you have active traffic) we collect the traffic from your wireless network and package it up to be sent to our master server.

[0:08:20] starting wpa handshake capture on “BELLxxx”
[0:08:18] new client found: C4:62:EA:xx:xx:xx
[0:08:08] new client found: E8:61:7E:xx:xx:xx
[0:07:58] listening for handshake…
[0:00:22] handshake captured! saved as “hs/BELLxxx_34-8A-AE-xx-xx-xx.cap”

After approx. 10 minutes I was able to capture traffic from this WiFi AP that contains the pairwise transient key (PTK) that are exchanged when you authenticate using WPA2. If you are busy using your wireless we can capture it even faster!

Next we use GPUs (not CPUs) to check the passwords against a large database of millions of passwords. Normally this process would take days and days but by using the large processing power of video cards we are able to shorten that time frame to mere hours. When used together on one computer, multiple GPUs would take just minutes to try every possible combination.

Now with just one computer and an expensive video card we can test the combinations of pairwise master keys (known as PMKs) at an astounding rate…

Connecting to storage at ‘sqlite:///WPAcrack.db’… connected.
Parsing file ‘Xxxxx_20-AA-4B-xx-xx-xx.cap’ (1/1)…
Parsed 13 packets (13 802.11-packets), got 1 AP(s)

Attacking handshake with station e4:ce:8f:xx:xx:xx
Tried 144668765 PMKs so far (12.7%); 62770 PMKs per second.

At a speed of approx. 4 million per minute I can compare your authentication passphrase against my database of WPA passphrases. If you are not careful, someone just like me could guess your passphrase and connect to your network and you may not ever know it!

Now how important is it for you to patch your laptop, download new updates for your routers or cell phones or even verify that all your devices have the latest code (called firmware)? You have all of these devices that you need to make sure are patched, updated and not vulnerable to attack and all the hackers have to do is compromise just one of them!

Gives you a whole new lookout on ‘The Internet of Things’ doesn’t it?

Most of you might be asking yourselves ‘what can we do to protect ourselves’ right about now. There is a nice campaign put forth by the folks at SANS to help ‘secure the human’. (

There is also a nice poster that you can print and pass along to your family and friends –

For those of you who are serious about security (physical or virtual) you can hire a professional, we can help you evaluate your risk and then make suggestions on how best to focus your efforts to help remove it from your homes or offices.

Let’s hope 2015 isn’t the year you get hacked…

Categories: General, Work related Tags: ,

Hey dude – pass the hash…

May 27, 2014 Leave a comment

I wanted to share my experience with a client recently and mention a great tool that helped us resolve an issue that many IT admins probably face on a regular basis. It is my hope that it can help someone as it has helped me and my client.

We recently took on a client who has a Windows 2003 SBS server and did not have the current password for the Administrator user. We used several methods to try and crack the existing password and they were all failing. I even used a method to remove the SAM and system registry to begin to crack it offline (a process that took almost 8 hours to setup). After an hour or two of running a tool to try and brute force the password I thought I would try to ‘pass the hash’ (a method that windows uses when a password is used to access resources across the network on remote shares).


Mimikatz in action

Mimikatz is a tool written by Benjamin DELPY who also goes by Gentle Kiwi ( and this tool can setup and impersonate a session that can be used to authenticate to your system. All you need is the ntlm hash, the domain (which is found on the login screen) and the username (also found in the hash – usually ‘Administrator’). When used correctly it can setup a session that will impersonate the user and the password without knowing what the password is!


PsExec in action

Once you open a new command prompt you can use another fantastic tool from Mark Russinovich called PsExec ( to connect using the authenticated command window to your target machine as if you have a local login with those credentials and run a remote command window on your target – viola.

Now we have a remote shell on the target we can add a new user and make them administrator.

We have installed our remote software and all completed before the second hour of cracking the password has begun.