HeartBleed: we’re sslcrewed

Posted by Michael Hendrickx on April 10, 2014
misc / No Comments

heartbleedThe year 2014 is only a hundred days old, and this is probably the security bug of the year. In case you haven’t heard it, and shame on you if you didnt. HeartBleed is an exploit on a OpenSSL’s TLS Heartbeat extensions. It goes well undetected, and nearly half a billion (yes, B) of websites are vulnerable. We’re not even talking about most other SSL services, embedded systems and so on. It allows an attacker to read chunks of memory (per 64 Kilobytes) which may contain SSL secret keys, passwords, messages, etc.

More technical information can be seen on heartbleed.com, and you can check your site using this site.

You can be sure that most blackhat parties, including several intelligence services have tried already to extract information from your SSL enabled websites. If not, you’ll see an increase in HTTPS connections this weekend. Patch your servers, chnge your certificates, change your passwords; all of them. If somebody was storing all your SSL data in the past, they will have a way to find the key to decrypt all of it now, it’s that bad.

the state of Mixed Mode

Posted by Michael Hendrickx on March 15, 2014
Javascript, security / No Comments

browsersecurity
When a browser grabs a webpage over HTTPS, *nobody* (aside from revelations that governments can see our SSL traffic) can see what’s happening between your browser and the target webserver.  You are protected against the prying eyes of an evil network admin, proxy admin or even government.

Modern websites often import JavaScripts files from multiple sources, to have extra functionality (Facebook’s like button, widgets) or entire frameworks such as JQuery or YUI.  If these JavaScript resources are loaded form a non-SSL location, we refer to this usually as Mixed Content mode.  I did some research to find out how browsers handle these things; both on desktops as well as mobiles.

Please run the tests on https://bloat.io/mm/, it looks *very* rudimentary, but I am gathering some information from different browsers.  Let the page load for a few seconds, and everything gets logged in a database.  As a “visual”, the more “warning icons” you see, the more vulnerable your browser is.

Don’t worry, it won’t try to exploit anything or crash.

The closeness of software, and its dangers.

Posted by Michael Hendrickx on October 15, 2013
misc / No Comments

Craig of /dev/ttys0 has discovered an interesting backdoor in D-Link routers; by setting your user agent to a particular string it is possible to circumvent the admin authentication challenge.

While this is just one of the cases, who knows how many devices have been “backdoored” over the year, either by manufacturers; or by telecom operators (telco branded all-in-one access points). My advice to anyone, get your own device, or flash OpenWRT on it.

But the camera rocks

Posted by Michael Hendrickx on August 23, 2013
security / No Comments

On my way home form a merely thought-inspiring movie, I passed by a few girls sharing a cigarette on your typical San Francisco cafe’s terrace. One of them was showing her (?) phone to the other, who told her friend “…but the camera rocks”.

It made me, continuing the movie’s aftermath realize how we’ve given up openness and privacy on our mobile devices, the modern equivalents of our dearest friends (who else do you check at night, early in the morning and take with you to the restroom?), for gimmicks such as cameras and polyphonic ringtones (ok, not anymore, but you get the idea).

Earlier I checked the website of Openmoko, whose goal was to “Free the phone”. Now it seems they have abolished these projects in favor of making a mobile wikipedia device, but I wish they or a similar body would take up the movement again.

We live in an ecosystem that has many “services” and closed systems; and we happily accept it. It’s ok to give up the freedom of tinkering with a mobile phone you just paid 500$ for, because it has cool apps the other platform doesn’t have, oh and of course, because “the camera rocks”.

I hope we start swaying towards openness again, and take back the right on our digital devices and lives, the same as we have with other, everyday, things. You buy a car, you’re allowed to open the hood and change pretty much everything about it, as long as it doesn’t affect it’s safety or the environment. You spend money on clothes but want to rip off the sleeves, nobody stops you. Let’s keep that in mind, and hold on to that. A device that his so dear to us should be transparent;. And I’m sure its camera would not be so bad either.

Tags: ,

How the semantic web should come back, and is.

Posted by Michael Hendrickx on July 16, 2013
misc / No Comments

The web has come a big way. Sir Tim Berners-Lee’s invention that changd the world has undergone a large metamorphosis in the way how it provides millions – and now billions – of human beings information, communication and entertainment.

Sites in the 90sEarly websites had a fair amount of content, but it was surrounded by flashing marquee’s, background MIDI sounds and non stop, animating gifs. That all paired with flashy color schemes and a Times New Roman fontface.

Fast forward a few years, and the world allowed a small company called Macromedia (later acquired by Adobe) to install a small plugin called “Flash” onto our computers which opened up a whole new dimension into web interactions. Many websites incorporated large amounts of “Flash” into their pages, or became a flash only website.

With the arrival of the iPhone and iPad, Flash has been pushed into a corner. The late Steve Jobs expressed that Flash was an inefficient way to make content look beautiful on battery powered devices, and the demise of flash has slowly begun.

Fast forward another few years, and we’re at the level of “content driven” websites. Websites are simpler than ever and the overall theme is becoming minimalistic. Since the majority of website have similar layouts, HTML5 included a few extra tags (<header>, <aside>, …) to ensure consistency throughout pages.

“Modern” CSS frameworks such as Twitter Bootstrap, Foundation or Base, go a few steps further; by streamlining naming conventions in CSS classes, we have similar “classes” that make links look like buttons, and navigation bars to stay on top of the screen when we scroll down and the like.

webskeletonBut is there a way to bring this to HTML5.1? Seeing that the majority (yes, there are always exceptions) have a navigation bar on top, fixed or not, a menu on the left or right and content on the other side, we should have a few extra tags there.

This could easily be fixed with a:

  <html>
  <head>...</head>
  <body>
    <header>
      <navbar fixed="true">
        <logo src="logo.gif" />
        <navitem href="/about">About Us</navitem>
        <navitem href="/services">Services</navitem>
        <navitem href="/content">Contact</navitem>
      </navbar>
    </header>
    <content>
      .. content goes here ..
    </content>
    <aside>
      <menu>
        <menuitem href="/profile">Your Profile</menuitem>
        <menuitem href="/favorites">Favorites</menuitem>
        <menuitem href="/cart">Cart</menuitem>
      </menu>
    </aside>
  </body>
</html>

In order to bring this in a correct way, let these HTML tags dictate what they are, yet let a user decide whether he or she has any preferences:

  • Do you want the top bar to be sticky?
  • Do you want the menu no top, left or right?
  • Do you like big butt(-and cannot lie?)-ons or a more “professional” look?

I’m not saying we should totally discard CSS and its visual capabilities, but I think we spend too much time coding and consuming styles that don’t really make a difference. Users of the Links browser, the few that remain, probably have the last laugh; although I’m sure they’re missing their frame sets.

Tags: , , ,

Phone numbers as default eLife WiFi keys

Posted by Michael Hendrickx on February 13, 2013
internet, security, uae / No Comments

antsThe UAE’s internet is pretty much provided by two ISP’s: Etisalat and Du who provide broadband services to its customers.

Focusing on the largest of the two, Etisalat, they provide a eLife program that allows triple play services into the homes of their customer base, which include a WiFi network. The problem though is that many of these wireless access points are setup by Etisalat’s technicians themselves, sporting a certain convention for encryption keys; the client’s mobile phone number.

This mobile number convention is a limited keyspace, with just a few numbers short of 36 million possibilities. (8999999 * 4 prefixes). Knowing a possible key, helps tremendously in brute forcing the keys of a Wireless network. To create a list that creates all these numbers in a list, one could write that in Perl:

#!/usr/bin/perl
# generates 05[0256][1-9][0-9]{6} numbers
$| = 1;
foreach my $a (0, 2, 5, 6){
  foreach my $b (1000000..9999999){ print "05".$a.$b."\n"; }
}

*Note: this script can be optimized of course, since it will be unlikely that you’ll have networks with several repetitive numbers having a default eLife installation.

Another handy fact is that “default” eLife setups have their SSID configured as etisalat-XXXXX where XXXXX is a “random” number.

Aside from “having free Internet access” to load balance your torrent web surfing traffic, there’s a much greater risk here.

eLife is delivered with a Aztech HW550 3G wireless router. These devices have an embedded version of Linux available, and Aztech was so kind to have make the source code available. Alternatively, you can resort to OpenWRT’s efforts, but the latter might raise some suspicion if the original owners decide to change something about their WiFi network.

Now, the danger lies in the following scenario:

  • Attacker adds a backdoor into the HW550′s firmware.
  • Attacker cracks your wireless keys and accesses your network
  • Attacker accesses your wireless router (assuming you didn’t change the admin password)
  • Attacker uploads the new firmware
  • Attacker has access to your connection at all times, can use it to launch attacks and tunnel connections

Since the HW550 has a MIPS CPU of “only” 384 Mhz, and only 32 Megabytes of RAM, it can’t be used for heavy load network traffic, but you get the basic idea. Aside from creating “AP zombies”, one could redirect your traffic to do a MITM attack, etc …

So, to prevent this scenario from happening, choose a strong Wireless encryption key and change it regularly. Or, install OpenWRT yourself, or just get an other (better) Access Point.
That, and living inside a Faraday cage, so nobody picks up your wireless signals.

Tags: , ,

Browa10: Brute force script for OWA 2010 servers

Posted by Michael Hendrickx on November 16, 2012
misc / 2 Comments

To quickly test the strength of passwords used by users on a domain, through an OWA (Outlook Web Access) 2010 interface.
Here’s the ruby code, and its README.

Please use this script responsibly and only against servers you’re authorized to audit.

UAE issues new decree to combat cybercrime

Posted by Michael Hendrickx on November 13, 2012
internet, security, uae / No Comments

The UAE has issues a new decree on “combating cyber crimes”. This decree, available in three parts (here, here and here) stipulates recent do’s and don’ts that amend the previous decree dated from 5 years ago.

In a world where we see religiously offensive cartoons and movements such as Occupy Wall Street, and all its derivatives; many countries in the region have had uprisings against their governments. This protests have largely been made possible due to technology.

Be warned though, although it is widely known that the promotion of prostitution and gambling is illegal in the country, some rules may not be so obvious. If you try to raise funds for a cause which isn’t authorized, you could end up in trouble.

keyspace limitations

Posted by Michael Hendrickx on July 03, 2012
security / No Comments

I can’t really say which website this is, but it’s a middle eastern telecommunication company.

Maximum 8 character password, in 2012, really?

But then again, in a confirmation email, I noticed that these guys store the password in cleartext. Is diskspace really that expensive that we have to make it a VARCHAR(8)? I know these guys have an internal IT security department, wonder why.

Tags: , ,

Why this kolaveri 3? Living up to the hype.

Posted by Michael Hendrickx on May 14, 2012
misc / No Comments

A few days ago, I read a post where the founder of the video and photo sharing application Color gives feedback on the much talked about 1 Billion dollar Instagram buyout.

Color came little over a year ago, creating great promises towards sharing pictures with your fellow nearby smartphone users; rather than facebook’s lame and weird single perspective on life.

Fast forward a year, and unlike color, Instagram became a hot entrepreneurial topic; how can a iOS-only photo sharing application be acquired for 10 digits. It seems the latter remained humble and focused on the product, refrained from passing to many negative comments and so on, and it created a nice product, rather than creating a hype.

Another hype phenomenon can be seen in the indian tamilian movie 3, the movie of the internet meme “Kolaveri D”. Although the tamil song created a large hype, the movie seemed to be less successful. Much different to color, there was no arrogance or anything; the movie simply didn’t live up to the hype.

The iPhone 4S was a bit of a let down, not because it is a bad device, yet the world was expecting an iPhone 5. It (the world) created a hype.

Although I’m not really in any position to say how to run your business, but ease down on the hype. Create a kick-ass product, the hype will just be substituted by word of mouth. And that’s what you want.