Category Archives: security

code security

Brocade brute forcer

During a pentest, I needed to test a Brocade SAN Switch. Since the Java webstart was quite slow, and I couldn’t find another script – I quickly coded this together to brute force passwords:

brocade_brute.rb

internet security

Install Burp CA certificate on Android Emulator

Android SecuritySome people ask me how they can “hijack” HTTPS API calls from an Android app. One of the best ways is to use PortSwiggers free Burp Suite, and hijack all traffic between your app and the server. One of the problems is, how do you add burp’s CA certificate to your android (emulator)? Burp’s help page simply says to look it up on google. Well, I hope this is one of the results showing up.

Note: This does not require any ADB pushes or so, and can be done in a few minutes. This was done under Ubuntu, using Android Emulator version 22.6.4. I’m uploading it into a Android 4.4.2 image running on a virtual Nexus 4.

Adding a CA certificate can be done in just a few steps, and will take a few minutes… read more »

security

Quis hackiet ipsos hackes?

acunetix Yesterday, Israeli security researched Danor Cohen reported that Acunetix’s web application security scanner has an exploitable vulnerability. Although the blog post is titled “Pwn the n00bs”, I’ve seen several origanizations use Acunetix to perform scans on (their own?) web applications.

Security bugs appear in all pieces of software; including security scanners and hacking tools. These tools often require to run as root (to perform privileged actions, such as putting a network interface into promiscious mode, etc). LiveUSB security distributions often run all commands as root and could pose a problem. Even though you are running a liveUSB environment, users often mount their HDD or external media to save files. Open source tools can often be fixed easily, but commercial software a la Acunetix usually relies on vendor update channels.

Be careful when running all software, even your security software/hacking tools can be vulnerable.

Javascript security

the state of Mixed Mode

browsersecurity
When a browser grabs a webpage over HTTPS, *nobody* (aside from revelations that governments can see our SSL traffic) can see what’s happening between your browser and the target webserver.  You are protected against the prying eyes of an evil network admin, proxy admin or even government.

Modern websites often import JavaScripts files from multiple sources, to have extra functionality (Facebook’s like button, widgets) or entire frameworks such as JQuery or YUI.  If these JavaScript resources are loaded form a non-SSL location, we refer to this usually as Mixed Content mode.  I did some research to find out how browsers handle these things; both on desktops as well as mobiles.

Please run the tests on https://bloat.io/mm/, it looks *very* rudimentary, but I am gathering some information from different browsers.  Let the page load for a few seconds, and everything gets logged in a database.  As a “visual”, the more “warning icons” you see, the more vulnerable your browser is.

Don’t worry, it won’t try to exploit anything or crash.

security

But the camera rocks

On my way home form a merely thought-inspiring movie, I passed by a few girls sharing a cigarette on your typical San Francisco cafe’s terrace. One of them was showing her (?) phone to the other, who told her friend “…but the camera rocks”.

It made me, continuing the movie’s aftermath realize how we’ve given up openness and privacy on our mobile devices, the modern equivalents of our dearest friends (who else do you check at night, early in the morning and take with you to the restroom?), for gimmicks such as cameras and polyphonic ringtones (ok, not anymore, but you get the idea).

Earlier I checked the website of Openmoko, whose goal was to “Free the phone”. Now it seems they have abolished these projects in favor of making a mobile wikipedia device, but I wish they or a similar body would take up the movement again.

We live in an ecosystem that has many “services” and closed systems; and we happily accept it. It’s ok to give up the freedom of tinkering with a mobile phone you just paid 500$ for, because it has cool apps the other platform doesn’t have, oh and of course, because “the camera rocks”.

I hope we start swaying towards openness again, and take back the right on our digital devices and lives, the same as we have with other, everyday, things. You buy a car, you’re allowed to open the hood and change pretty much everything about it, as long as it doesn’t affect it’s safety or the environment. You spend money on clothes but want to rip off the sleeves, nobody stops you. Let’s keep that in mind, and hold on to that. A device that his so dear to us should be transparent;. And I’m sure its camera would not be so bad either.

internet security uae

Phone numbers as default eLife WiFi keys

antsThe UAE’s internet is pretty much provided by two ISP’s: Etisalat and Du who provide broadband services to its customers.

Focusing on the largest of the two, Etisalat, they provide a eLife program that allows triple play services into the homes of their customer base, which include a WiFi network. The problem though is that many of these wireless access points are setup by Etisalat’s technicians themselves, sporting a certain convention for encryption keys; the client’s mobile phone number.

This mobile number convention is a limited keyspace, with just a few numbers short of 36 million possibilities. (8999999 * 4 prefixes). Knowing a possible key, helps tremendously in brute forcing the keys of a Wireless network. To create a list that creates all these numbers in a list, one could write that in Perl:

#!/usr/bin/perl
# generates 05[0256][1-9][0-9]{6} numbers
$| = 1;
foreach my $a (0, 2, 5, 6){
  foreach my $b (1000000..9999999){ print "05".$a.$b."\n"; }
}

*Note: this script can be optimized of course, since it will be unlikely that you’ll have networks with several repetitive numbers having a default eLife installation.

Another handy fact is that “default” eLife setups have their SSID configured as etisalat-XXXXX where XXXXX is a “random” number.

Aside from “having free Internet access” to load balance your torrent web surfing traffic, there’s a much greater risk here.

eLife is delivered with a Aztech HW550 3G wireless router. These devices have an embedded version of Linux available, and Aztech was so kind to have make the source code available. Alternatively, you can resort to OpenWRT’s efforts, but the latter might raise some suspicion if the original owners decide to change something about their WiFi network.

Now, the danger lies in the following scenario:

  • Attacker adds a backdoor into the HW550’s firmware.
  • Attacker cracks your wireless keys and accesses your network
  • Attacker accesses your wireless router (assuming you didn’t change the admin password)
  • Attacker uploads the new firmware
  • Attacker has access to your connection at all times, can use it to launch attacks and tunnel connections

Since the HW550 has a MIPS CPU of “only” 384 Mhz, and only 32 Megabytes of RAM, it can’t be used for heavy load network traffic, but you get the basic idea. Aside from creating “AP zombies”, one could redirect your traffic to do a MITM attack, etc …

So, to prevent this scenario from happening, choose a strong Wireless encryption key and change it regularly. Or, install OpenWRT yourself, or just get an other (better) Access Point.
That, and living inside a Faraday cage, so nobody picks up your wireless signals.

internet security uae

UAE issues new decree to combat cybercrime

The UAE has issues a new decree on “combating cyber crimes”. This decree, available in three parts (here, here and here) stipulates recent do’s and don’ts that amend the previous decree dated from 5 years ago.

In a world where we see religiously offensive cartoons and movements such as Occupy Wall Street, and all its derivatives; many countries in the region have had uprisings against their governments. This protests have largely been made possible due to technology.

Be warned though, although it is widely known that the promotion of prostitution and gambling is illegal in the country, some rules may not be so obvious. If you try to raise funds for a cause which isn’t authorized, you could end up in trouble.

security

keyspace limitations

I can’t really say which website this is, but it’s a middle eastern telecommunication company.

Maximum 8 character password, in 2012, really?

But then again, in a confirmation email, I noticed that these guys store the password in cleartext. Is diskspace really that expensive that we have to make it a VARCHAR(8)? I know these guys have an internal IT security department, wonder why.

internet security

Privacy in a widgeted world

The Internet as we use it today, has very little privacy left. We all say that Facebook and Google know “too much”, only to realise that they don’t know anything aside from what we feed them, or do they?

Welcome the “widget”. A piece of html (with css, javascript..) to be included in another page, often to socially spread content (Facebook Like, Google +1, LinkedIN share, etc), or other added value (Analytics, sharing, etc) will tell many “providers” what content you are accessing.

It is difficult now to find a popular page without any widgets. Pages pack “like” buttons, “share this” widgets or tweet options to give you a instant way of sharing their content in your social network – banking on good ‘ole word of mouth marketing. If your friends like something, you might be interested also, even if it was only for peer pressure.

The problem that when something (such as the widget) is requested, browser data (such as your session’s information and the referer) also flow to the widget provider’s webserver. This provider will know what page you’re on and usually who you are (assuming you stay logged in into google, twitter, facebook, etc)

Thinking “but if I like a page, facebook will know it anyways“. This is true; the problem lies in the fact that providers know you’re accessing a page, regardless of performing any action (liking, sharing, etc). If you read X number of pages on a new model smartphone, chances are big you want to buy another one – and targeted ads become more… targeted.

From that advertising point of view, it creates mixed feelings. It’s like somebody overlooking your shoulder while you’re reading a magazine and changes the ads accordingly to which article you were staring at longer.

From a website owner point of view, this does create added value. If you can convince to have websites publish your widget code, you can track people’s interests, even before they ever came to your website. This (unidentifiable) user eventually ends up on your web app, identifies him/her self and you have great information. I’m just not sure how ethical this is, and even though Facebook’s outdated law enforcement guidelines don’t hold “webpages visited” in particular, they would have access to it.

Is this such a bad thing? Perhaps. “Widget providers” offer added value to website owners, who in turn decide what goes into their webpages. Vague idea, but maybe a browser extension could prevent the loading of these widgets, replacing them with a pseudo equivalent (fake buttons, etc) and only dynamically load the target script upon a click?

Food for thought. Now, look at the buttons below, they know you’ve been here already.

Javascript security web

JQlog: JQuery Keylogger, or why not to trust your proxy admin.

Note that this post is for awareness and educational purposes only. I do not encourage, and cannot be held responsible for malicious actions using these tools.

The Internet, as it is today, is a mash-up of JavaScript enabled services, often included from external websites. Internet companies offer so-called widgets, which are JavaScript tools that can be used in your own page. Popular examples of this are site analytics (Omniture, Google Analytics, etc) or share-abilities (AddThis, AddToAny, …). It’s by overwriting Javascript libraries on a page, that we can do other things, such as recording keystrokes.

“Overwriting” javascript libraries, or rather “inserting javascript” can be done in several ways. Cross Site Scripting is one of them, but for the sake of this blog post, I will act as a malicious proxy administrator, and overwrite the Google Analytics DNS entry (www.google-analytics.com) and “fake” the ga.js javascript file.

For this, you’d need only 2 files:

This javascript file, found here, holds 3 parts: JQuery, a base64 encoder and the keylogger code itself: read more »