01/9/16

Mobile Vulnerability Database (MVD)

 gpmvd

 

Introduction:

The Android operating system is the most widely used operating system for mobile devices. Android has around 82.8% (IDC) market share and is a favourite  target for attackers. One of the latest vulnerabilities, StageFright, allows the attacker to execute arbitrary code on an Android device which takes advantage of a flaw that exists in media library stagefright. Considering other platforms such iOS, Windows, and Blackberry, Varutra is maintaining the vulnerabilities related to mobile operating systems in the Mobile Vulnerability Database (MVD). Varutra has developed the MVD application for the Android platform which identifies vulnerabilities on the Android operating system and provides detailed vulnerability reports, and which is freely available on Playstore for all Android users. The applications for other platforms are under development and will be available very soon for iOS, Windows and Blackberry.

MVD (Mobile Vulnerability Database):

Mobile Vulnerability Database, or MVD, is a unique place to find out about vulnerabilities reported worldwide for Mobile Platforms.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective of MVD is to give a common place for mobile users to get acquainted with the vulnerabilities that might exist on their devices. Users can choose to receive specific vulnerability details as a report via Email.

1. MVD

Platforms covered by MVD

At present MVD covers major mobile smartphone platforms such as Android, Blackberry, iOS and Windows Phone.

2.1 PlatformsMVD Web Application:

MVD is also available in web interface where users can search and gather information related to mobile operating system vulnerabilities by simply searching by the Common Vulnerabilities and Exposures (CVE ID) vulnerability category.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective is to give a common place for mobile users to get acquainted with what vulnerabilities might exist on their devices. Additionally, users can choose to receive specific vulnerability details as a report via Email.

Web Application

For more information: http://varutra.com/mvd/

MVD Platforms:

MVD is developed for mobile operating systems such as Android, iOS, BlackBerry and Windows

3.1 MVD PlatformsTerminologies related to MVD

What is KVID?

KALP Varutra ID (KVID) is a unique number assigned to each reported vulnerability; maintained in the MVD database by the Varutra team.

E.g. KVA01 for Android, KVB01 for Blackberry, KVI01 for iOS and KVW01 for Windows Phone

Note: KALP stands for Knowledge Attained Learn Process. It is a blog for information published on the World Wide Web and consisting of discrete entries (“posts”) typically displayed in reverse chronological order.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

For more information: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

What is CVSS?

Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization.

For more information:

https://en.wikipedia.org/wiki/CVSS

CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical).

E.g. BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

MVD Feature:

MVD feature How to get the Vulnerability Report on Email?

The user can register with their Name and Email ID on Register for Vulnerability Report and then select the required platform and version to receive the report. A module is being implementing where once a user is registered they will get automatic updates for any new vulnerabilities reported in the platform and version specifically chosen by the user.

4.1 Vulnerability Report

 Users can now access the MVD on their Android Smartphones, Tablets.

The MVD Android application covers major mobile smartphone / tablet platforms such as Android, Blackberry, iOS and Windows Phone. Users can register with their Name and Email ID on “Register for Vulnerability Report” and then select the desired mobile platform and version to receive the report. Users can also download the MVD Android application on your device from Google Play:

https://play.google.com/store/apps/details?id=com.varutra.mobilevulndb&hl=en

 Conclusion: 

MVD very useful for mobile phone users who are interested in knowing the vulnerabilities in their Android phone and want to mitigate the vulnerabilities. Additionally, MVD is useful for security researchers interested in knowing the vulnerabilities present in multiple mobile operating systems.

For more Details reading Pentestmag

Author:

Mr. Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.

10/4/14

Shellshock-Security Patching Aftermath

Shell Shock-

On September 24th 2014, a publicly disclosed vulnerability was revealed in the UNIX/Linux which we have discussed in our blog http://varutra.com/blog/?p=1010. Although a patch has been released for this vunerability by vendors such as ubuntu,redhat and centos etc. but the patch was not successful, Additional vulnerability in the same area were discovered which left Bash again more vulnerable to severe attack such as arbitrary remote code execution. The set of vulnerability collectively known as shell shock are serious issue in many organizations. The CVE number that are part of this are CVE 2014-6271, CVE 2014-7169,  CVE 2014-7186, CVE 2014-7187, CVE 2014-6277 and CVE 2014-6278.

In response to shellshock, Richard Stallman (software freedom activist and computer programmer) said the bug was just a “blip”. It’s not, it’s a “blimp” — a huge nasty spot on the radar warning of big things to come. Three more related bugs have been found, and there are likely more to be found later. The cause isn’t that a programmer made a mistake, but that there is a systematic failure in the code — it’s obsolete, having been written to the standards of 1984 rather than 2014.

Detailed Explanation

The Shellshock problem is an example of an arbitrary code execution (ACE) vulnerability. Typically, ACE vulnerability attacks are executed on programs that are running, and require a highly sophisticated understanding of the internals of code execution, memory layout, and assembly language—in short, this type of attack requires an expert. Attacker will also use an ACE vulnerability to upload or run a program that gives them a simple way of controlling the targeted machine. This is often achieved by running a “shell”. A shell is a command-line where commands can be entered and executed. The Shellshock vulnerability is a major problem because it removes the need for specialized knowledge, and provides a simple (unfortunately, very simple) way of taking control of another computer (such as a web server) and making it run code. Suppose for a moment that you wanted to attack a web server and make its CD or DVD drive slide open. There’s actually a command on Linux that will do that: /bin/eject. If a web server is vulnerable to Shellshock you could attack it by adding the magic string () { :; }; to /bin/eject and then sending that string to the target computer over HTTP. Normally, the User-Agent string would identify the type of browser you are using, but, in in the case of the Shellshock vulnerability, it can be set to say anything.

Example: curl -H “User-Agent: () { :; }; /bin/eject” http://example.com/

would be enough to actually make the CD or DVD drive eject.

How does this Attack works?

When a web server receives a request for a page there are three parts of the request that can be susceptible to the Shellshock attack: the request URL, the headers that are sent along with the URL, and what are known as “arguments” (when you enter your name and address on a web site it will typically be sent as arguments in the request).

For example, here’s an actual HTTP request that retrieves the XYZ homepage:

cmd4

 

In this case the URL is / (the main page) and the headers are Accept-Encoding, Accept-Language, etc. These headers provide the web server with information about the capabilities of my web browser, my preferred language, the web site I’m looking for, and what browser I am using.

It’s not uncommon for these to be turned into variables inside a web server so that the web server can examine them. (The web server might want to know what my preferred language is so it can decide how to respond to me).

For example, inside the web server responding to the request for the XYZ home page it’s possible that the following variables are defined by copying the request headers character by character.

cmd 1

As long as those variables remain inside the web server software, and aren’t passed to other programs running on the web server, the server is not vulnerable.

Shellshock occurs when the variables are passed into the shell called “bash”. Bash is a common shell used on Linux systems. Web servers quite often need to run other programs to respond to a request, and it’s common that these variables are passed into bash or another shell.

The Shellshock problem specifically occurs when an attacker modifies the origin HTTP request to contain the magic () { :; }; string discussed above. Suppose the attacker change the User-Agent header above from

cmd2

to simply () { :; }; /bin/eject. This creates the following variable inside a web server:

cmd 3

If that variable gets passed into bash by the web server, the Shellshock problem occurs. This is because bash has special rules for handling a variable starting with () { :; };. Rather than treating the variable HTTP_USER_AGENT as a sequence of characters with no special meaning, bash will interpret it as a command that needs to be executed.

The problem is that HTTP_USER_AGENT came from the User-Agent header which is something an attacker controls because it comes into the web server in an HTTP request. And that’s a recipe for disaster because an attacker can make a vulnerable server run any command it wants (see examples below).

The solution is to upgrade bash to a version that doesn’t interpret () { :; }; in a special way.

Some attacks using shellshock

The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked.

Allows an attacker to execute command via user agent, referrer, and other HTTP headers. shell shock

Figure : Working of Shellshock

The Shellshock problem is an example of an arbitrary code execution (ACE) vulnerability. A shell is a command-line where commands can be entered and executed.

  • Somebody could use your server as an attack bot:
    () { :; }; ping -s 1000000 <victim IP>
  • If victim.com was vulnerable then
    curl -H “User-Agent: () { :; }; /bin/eject” http://victim.com/
    Would be enough to actually make the CD or DVD drive eject.
  • To extract private information, attackers are using a couple of techniques. The simplest extraction attacks are in the form:
    () {:;}; /bin/cat /etc/passwd
  • DoS attack using Shellshock
    () { :;}; /bin/sleep 20| /sbin/sleep 20|/usr/bin/sleep 20

Proof of Concept for incomplete fix to shellshock

The bash fix for CVE-2014-6271 was incomplete and command injection is possible even after the patch has been applied. The issue is being tracked as CVE-2014-7169 and exists due to incorrect function parsing.

To test, execute this command from within a bash shell:

foo='() { echo not patched; }’ bash -c foo If you see “not patched“, you probably want upgrade immediately. If you see “bash: foo: command not found”, you’re OK.

Shell Shock --

 Figure: Unpatched Bash

The two attacks CVE-2014-6277(Permits remote code execution and requires a high level   of expertise. It has a CVSS score of 10.0) & CVE-2014-6278 (More severe as it allows remote code execution and doesn’t require a high level of expertise. It has a CVSS score of 10.0) are more severe and permit remote code execution:

These two vulnerabilities have been resolved in upstream patches Ubuntu/RHEL/Debian.

Deadening Shellshock

We strongly recommend applying the patches that were released on September 27th in order to remediate these new vulnerabilities by the following command:

APT-GET: Ubuntu / Debian

Update Bash to the latest version available via

apt-get: sudo apt-get update && sudo apt-get install –only-upgrade bash

YUM: CentOS / Red Hat / Fedora

Update Bash to the latest version available via the yum:

sudo yum update bash

For detailed explanation to mitigate the shellshock go through the links:

https://access.redhat.com/articles/1212303

http://www.bankinfosecurity.com/how-to-mitigate-shellshock-risks-a-7363/op-1

https://f5.com/solutions/mitigation/mitigating-the-bash-shellshock-cve-2014-6271-and-cve-2014-7169-vulnerabilities

http://www.akamai.com/html/security/shellshock-bash-cve-list.html

References:

https://www.cloudflare.com

http://seclists.org/oss-sec/2014/q3/650

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability

https://www.qualys.com

Author(s): Lokesh Bawariya Security Consultant & Sachin Wagh Security Consultant, Varutra Consulting

09/27/14

Shell Shock – The Bash Vulnerability

BASH (Baurne Again Shell)

Bash is the shell, or command language interpreter, that will appear in the GNU operating system. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. Bash is quite portable. It uses a configuration system that discovers characteristics of the compilation platform at build time, and may therefore be built on nearly every version of UNIX. Ports to UNIX-like systems such as QNX and Minix and to non-UNIX systems such as OS/2, Windows 95/98, and Windows NT are available.

Here is a short list of feature available in bash:

  • History and Command Re-entry
  • Job Control
  • Shell Functions and Aliases
  • Arrays
  • Arithmetic
  • Brace Expansion
  • Substring Capabilities
  • Expanded I/O Capabilities
  • Command Timing
  • Editing and Completion etc..

Shell-shock:

The Bash vulnerability, now dubbed by some as “Shellshock,” has been reportedly found in use by an active exploit against Web servers. A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,”

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash.Examples of exploitable systems include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommandcapability
  • Various network-exposed services that use Bash

How to check a vulnerable application for shellshock:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If the system is vulnerable, the output will be:

  vulnerable

  this is a test

Fixing Vulnerability:

The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.

APT-GET: Ubuntu / Debian

Update Bash to the latest version available via apt-get:

 sudo apt-get update && sudo apt-get install –only-upgrade bash

YUM: CentOS / Red Hat / Fedora

Update Bash to the latest version available via the yum:

sudo yum update bash

Note: Now check your system vulnerability again by running the command

For more information refer:  CVE-2014-6271

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt

 bash: error importing function definition for `x’

 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

References:

http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/

http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/

 

Author: Lokesh Bawariya

Security Consultant, Varutra Consulting

08/25/14

Android Malwares – An Overview


GoogleBouncer
Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.

Mobile malware is a malicious software designed specifically to target a mobile device system, such as a tablet or smartphone to damage or disrupt the device and allow a malicious user to remotely control the device or to steal personal information stored on the device.

Android malwares are continuously spreading across the globe. The rate at which android malwares are targeting the mobile phones is increasing day by day. Users install android malwares knowingly or unknowingly when they install applications from untrusted sources. It is very important that Android user’s needs to be careful while installing applications from internet.

97% of mobile malware is on Android   by Forbes Report

In this article we will have overview of some well-known mobile malwares for android.

  • AndroRat
  • SandroRat
  • ZitMO (Zeus-in-the-mobile)
  • AcnetSteal
  • Cawitt
  • Gamex
  • PremiumSMS
  • KabStamper
  • Mania
  • SmsSpy
  • UpdtKiller

AndroRat: AndroRat is one of well-known open source proof of concept, which became an android remote access Trojan. AndroRat can bind with legitimate applications with the help of apk binder which is not freely available on internet which cost around $30-$40, available on underground hacking forums. AndroRat collects information from users mobile including contacts, call logs, messages, location, can take picture form camera, give call sends to the command and control center located at remote location.

SandroRAT Figure: AndroRat Apk Binder

SandroRat: SandroRat has functionalities like AndroRat including collecting contacts, call logs, messages, location, can take picture form camera, give call and sends information to the command and control center located at remote location.
Recently samples of SandroRat received by McAfee Labs from customer in Poland with name Kaspersky_Mobile_Security.apk. Spammers use phishing techniques to spread this malware with threating emails pretending from antivirus companies.

SandroRatEmailSample
Figure: SandroRat sample received via email

ZitMO: ZitMO is acronym of Zeus in the mobile. ZitMo is banking Trojan. ZitMo has capability to steal mobile transaction authorisation numbers (mTAN) sent by bank in text messages. ZitMo sends collected information remote server. A mobile version of Zeus also found on Blackberry smartphones.

ZitMoFigure: ZitMO

AcnetSteal: Acnetsteal gathers data and information from infected device. It collects information like email addresses, telephone numbers. AcnetSteal uses triple DES encryption to send collected information to remote location.

AcnetStealFigure: Acnetsteal

Cawitt: Cawitt silently runs the background and collects information and later forwards to server located at remote location. Information collected by cawitt includes device ID, IMEI, phone number, bot ID, Modules. Cawitt can also premium rate SMS messages from the device when it receives command from server.

cawittFigure: Cawitt

Gamex: Gamex hides its malicious components inside the package file. When gamex get root access by the user, it connects to command and control (C&C) server to download more applications and to forward device IMEI and IMSI numbers.

Gamex
Figure: Gamex

PremiumSMS: PremiumSMS android sends SMS to premium numbers and generates profit.It has a configuration file that contains data on the content of the SMS messages and the recipient numbers. Example of the sent messages:

 Number: 1151 Content: 692046 169 BG QCb5T3w Number: 1161 Content: 692046 169 BG QCb5T3w

PremiumSMSFigure: PremiumSMS

KabStamper: KabStamper malware has capability to corrupt images available on the infected devices. Basically it overwrites the images on the devices with predefined image. KabStamper is a malware that circulated in Japan during the AKB48 ‘election.’ AKB48 is a Japanese pop group that consists of 48 members. KabStamper is distributed via trojanized applications that deliver news and videos about the AKB48 group. It destroys images found in the sdcard/DCIM/camera folder that stores images taken with the device’s camera. Every five minutes malware checks this folder and modifies a found image by overwriting it with a predefined image.

KabStamperFigure: KabStamper

Mania: Mania is SMS sending malware that sends out messages with content “tel” or “quiz” to number 84242. It pretends to perform to perform license checking to cover up its SMS-sending activities in the background. Mania is known for using the trojanization technique, where it is repackaged with another original application in order to dupe victims.

ManiaFigure: Mania

SmsSpy: SmsSpy logs incoming and outgoing SMS message to a certain file, and uploads the file to a FTP server. SmsSpy poses as an Android Security Suite application that records received SMS messages into a secsuite.db. This malware targets banking consumers in Spain where it is spammed via a message indicating that an extra Security Protection program that protects the device is available for download.

SmsSpyFigure: SmsSpy

UpdtKiller: UpdtKiller connects to command and control(C&C) server, where it forwards users data to and receives further commands. This malware is also capable of killing antivirus processes in order to avoid being detected.

UpdtKillerFigure: UpdtKiller

So how an android user can prevent himself / herself from such malwares and download authentic applications securely?

Android users should use Google play store to install application, all the application submitted to Google play store evaluated by Google Bouncer. Google Bouncer analyses the application to detect the malicious behavior in its cloud infrastructure.

Preventions:

  • Do not download android applications from untrusted sources.
  • Check the permissions of application before installing.
  • Always keep your operating system secure by downloading and applying any security patches released by your smartphone vendors (to check OS level vulnerabilities on your mobile download MVD application).

Conclusion: : Android is one of the popular mobile operating system and it holds around 80% of mobile market share; the reason Android is favorite target for attackers and so the increasing threat from android malwares. User needs to be alerted while downloading any applications from Internet and keep their phone OS up-to-date with security patches.

References:

http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=2344277
http://www.f-secure.com/

Author: Snehal Raut
Security Consultant, Varutra Consulting

06/30/14

CSRF Vulnerability on LinkedIn

csrf_linkedin

In previous blog we have seen a critical vulnerability in LinkedIn password reset module allowing an attackers to compromise LinkedIn user’s account and how helpless a LinkedIn user in case of an actual compromise of his / her account in real world scenario.

Here is a new vulnerability Cross-Site Request Forgery, CSRF present on LinkedIn Recommendation Section, which allows attacker to delete any Recommendation of Any user. 

 

Lets us understand the issue and simplicity of this attack.

1. Attacker / malicious LinkedIn user can check the recommendation given by LinkedIn User 1 to LinkedIn User 2.

2. Attacker logs into LinkedIn account, goes to the web page source and search for strings such as “Recommendation for USERNAME”.

csrf2

 Figure: Web page source shows the recommendation details with a unique Id ”515940281” for User 1’s recommendations to User 2.

 

3. To craft a malicious CSRF link attacker goes to Manage Recommendation area and check for any recommendations he has posted for others.  Clicks on it and copy the URL for any one recommendation.

The URL will be

https://www.linkedin.com/recommendations?dep=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs

csrf1

Figure: Analyzing and collecting URL for Displaying and Withdrawing a User’s recommendation.

 4. Now same way the URL to withdraw any given recommendation by the attacker is

https://www.linkedin.com/recommendations?wdr=&recID=515830421&goback=%2Enas_*1_*1_*1%2Eprs

The only difference is to change the parameter from ‘dep’ to ‘wdr’.

Craft a URL for removing or withdrawing recommendation from User 1 to User 2 is

https://www.linkedin.com/recommendations?wdr=&recID=515940281

This is the shortest and simplest form of the vulnerable CSRF link.

5. Send this URL to User 1 in an email. More dangerously, the same CSRF link can be send using LinkedIn mail feature.

6. On clicking this link by User 1 the selected recommendation given by User 1 to User 2 will be withdrawn or deleted.

 

On reporting this issue LinkedIn was prompt to acknowledge the vulnerability and have mitigated it.

More can be read at http://packetstormsecurity.com/files/127259/

Author: Kishor Sonawane

06/5/14

Better Secure Than Sorry! Neglected, Assumed and Hence Vulnerable Menace: Password Attacks

password

On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.

In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The cracker then leaked the full list of 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in clear text in the database and were extracted through an SQL Injection vulnerability.

In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals.

On July 11, 2011, Booz Allen Hamilton, a large American consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. “The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel – including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.” These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.

On July 18, 2011, Microsoft Hotmail banned the password “123456.” Surprisingly passwords such as “123456,” “password,” and “12345678” made it to the top three in the Worst Password List of 2013’ released by SplashData.

Confidentiality, integrity, and availability (CIA) triad is critical to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people.

An attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when he gains entry to the system. And he can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity, and availability) would be in jeopardy. Always think C-I-A.

Intruders
One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as hackers or crackers. Anderson [ANDE80] identified three classes of intruders:

  • Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
  • Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized or who is authorized for such access but misuses his or her privileges.
  • Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

Intruder attacks range from benign to serious. At the benign end of the scale, there are many people who simply wish to explore a network to see the content. At the serious end, there are individuals who are attempting to read privileged data, perform unauthorized modifications to it, or disrupt the system.An analysis of password attacks revealed that there were two levels of hackers. The high level was a sophisticated user with a thorough knowledge of the technology; the low level was the ‘foot solders’ that merely used the supplied cracking programs with little understanding of how they worked. This teamwork combined the two most serious weapons in the intruder armory: sophisticated knowledge of how to intrude and willingness to spend countless hours ‘turning doorknobs’ to probe for weaknesses.

Password Protection
The front line of defense against intruders is the password system. Virtually all the multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following way:

  • The ID determines whether the user is authorized to gain access to the system. In some system only those who already have an ID filed on the system are allowed to gain access.
  • The ID determines the privileges accorded to the user. Few users may have ‘super-user’ status that enables them to read files and perform functions that are specially protected by the operating system. Some systems have guest or anonymous accounts, and the users of these accounts have more limited privileges than others.
  • The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of other users, a user may grant permission to them to read files owned by that user.

Password Attacks

The ability to crack passwords using computer programs is also a function of the number of possible passwords per second, which can be checked. If a hash of the target password is available to the attacker, this number can be quite large. If not, the rate depends on whether the authentication software limits how often a password can be tried, either by time delays, CAPTCHAs, or forced lockouts after some number of failed attempts. Another situation where quick guessing is possible is when the password is used to form a cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data.

Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
With regard to passwords, it’s simple: don’t use passwords that may be found in a dictionary. For enterprise and more security conscious web sites implement password policies that mandate the use of numbers, letters and, sometimes, special characters. But is this enough?

With the recent publication of hundreds of thousands of usernames and associated passwords, it appears that common sense is in fact, not very common.

The recent Yahoo! E-mail hack revealed that ‘123456’ was used as the password for 1,666 users. Believe it or not, 780 users used ‘password’. Please!

Once hackers are able to infiltrate a site, they make their way to the list of usernames and passwords. A file that is typically encrypted or ‘hashed’ using MD5 (Message-Digest Algorithm) is a widely used cryptographic hash function.

Hackers will then try to generate hashes through brute force and compare the data from the stolen file to the newly created hash file. This is how, after a breach, they are able to post all of the passwords online.

A quick distinction: a Dictionary Attack is where a hacker will use a dictionary file to iterate through every possible word to produce a hash file which can then be used to compare to the target hash.

Dictionary files can be downloaded from a number of places such as the Pirate Bay, so it’s something that script kiddies can use. A dictionary attack works well on single word passwords, but fail on more complex passwords such as those required in most mature organizations.

Brute Force Attacks are different in that they will cycle through every possible combination of characters (e.g., aaaaaaa, aaaaaab, aaaaaac, aaaaaad, etc.), rather than employing a dictionary list. While very effective, given enough time, brute force attacks will typically waste a lot of cycles trying to crack a hash from nonsense letter combinations like:

  • dddddd
  • jhakdsj
  • asdasda

If we calculate that we can move through 50 hashes per second, then a 7 letter password (the most common password length) has 56,222,671,232 possible word combinations (see Table 1), which would take almost 2,000 years to crack using brute force.

table_passPasswords that resemble line noise are only generated by the most paranoid users. Most people will generate words or phrases that they can easily remember. This means that they will follow some basic word construction rules in the creation of their password/passphrase.

Rainbow tables (that uses pre-computed password hash chains) are used by security testers or hackers as a faster technique to crack a password. A password with a large salt value can defend against rainbow tables though.

Password Selection Strategies
To eliminate guessable passwords while allowing the user to select a password that is memorable, four basic techniques are used:

  • User education: Users can be told the importance of using hard-to-guess password and can be provided with guidelines for selecting strong passwords.
  • Computer generated passwords: Though these passwords are random in nature, users may not be able to remember them.
  • Reactive password checking: The system periodically runs its own password cracker to find the guessable passwords.
  • Proactive password checking: A user is allowed to select his or her own password, however at the time of selection the system checks to see if the password is allowable and, if not, rejects it.

Brute Force Attack

When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found.Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

Dictionary Attack

It is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values).

In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable. Unlike brute-force attacks, dictionary attacks are not guaranteed to succeed.

Password Aging

Auditors and other security practitioners continue to recommend password aging, the idea that a password must be renewed within a set period or it expires, as a best practice to protect accounts against unauthorized access and to ensure separation of duties. At best, this is a waste of time and a distraction that reduces user support for well-founded security initiatives. At worst, it actually increases the potential for misuse of accounts.

Password aging is counterproductive in that it inevitably encourages more people to write down more passwords. Arguments for the security value of password aging hinge on several assumptions about the vulnerability of passwords, each of which is flawed in a significant way.

Assumption No. 1: Password Aging Is a Protection Against Brute-Force Attacks Against Specific Passwords

It is relatively easy to gain access to a computer without the need for brute-force attacks. For example, if an attacker has physical access to a Unix system or Windows PC for longer than a few minutes, that attacker can easily bypass the password security and gain access to the administrator account without mounting any kind of attack on account passwords.

Furthermore, in organizations today, keyboard-logging software is more common than password-cracking software. If the attacker does not have unrestricted access to the device for longer periods, login failure lockout and a moderately complex password should defeat manual guessing attempts.

Assumption No. 2: Password Aging Is a Protection Against Password Sharing

Users who are willing to share passwords will continue to do so, whether or not password changes are required. Password aging may reduce the size of the group knowing the password but will not eliminate it.

Assumption No. 3: Password Aging Limits the Effect of Stolen Passwords

Even with password aging set to 30 days, the attacker will have, on average, 15 days with a stolen password. This is more than enough time to cause significant and lasting damage, including the creation of other entry points (back doors) into the system. If passwords are stolen through automated keystroke logging software, which is increasingly the case, then the new password will be stolen the first time it’s used. Other ways of password theft, such as social engineering and shoulder surfing, are also repeatable.

Preventions

The best method of preventing a password from being cracked is to ensure that attackers cannot get access even to the hashed password. For example, on the Unix operating system, hashed passwords were originally stored in a publicly accessible file /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with enhanced privileges (i.e., “system” privileges). This makes it harder for a malicious user to obtain the hashed passwords in the first instance. Unfortunately, many common Network Protocols transmit passwords in cleartext or use weak challenge/response schemes.

Password guessing: Most host administrators have improved their password controls, but the group account still abound, and password-directory and password-cracking programs can easily crack at least 10 percent of the passwords users choose. The deterrent is enforcement of good passwords.

Password sniffing: CERT estimated long back in 1994, thousands of systems will be the victims of password sniffers. On LANs any internal machine on the network can see the traffic for every machine on that network. Sniffer programs exploit this characteristic, monitoring all IP traffic and capturing the first 128 bytes or so of every encrypted FTP or Telnet session. The deterrent is to utilize programs that provide one- time (non-reusable) passwords.

Apostrophe Use

Here we are expecting one apostrophe followed by an‘s’, and positioned at the last or second to last character. For the algorithm we are not concerned with the apostrophe to show a contraction, only possession and plural possession.

Hyphens and Underscores

The rule here is that these are uses independently for the separation of two unique constructions; then each word is tested separately.

Ending Punctuation

Ending punctuation (! ? . , ) is expected to be at the end of the password, and we would not expect to see more than one punctuation character. Any other ending punctuation is not accepted.

Suffixes

Accepted suffixes include -able, -ac, -acity, -age, etc. Here is a comprehensive Suffix Worksheet. The rule here is that the last letter before the suffix cannot be the same as the first letter of the suffix. The rule does not allow for repeating vowels.

Vowels

The word needs to contain at least one vowel.

Employing Character Position Analysis, analyzing a character’s position in relation to its neighbors, allows a hacker to know if the characters fit next to each other. There are three tests involved as well as methods for getting more accurate results, as well as how to deal with more complex characters. This heuristic approach allows hackers to crack long and complicated passwords quicker.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or ‘hardness’ in terms of entropy.

Entropy

Entropy is a measure of unpredictability of information content.

It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of “entropy bits” in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 242 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker’s task twice as difficult. On average, an attacker will have to try half of the possible passwords before finding the correct one.

Entropy is defined in the context of a probabilistic model. Independent fair coin flips have entropy of 1 bit per flip. A source that always generates a long string of Bs has entropy of 0, since the next character will always be a ‘B’.

NIST Special Publication 800-63 suggests the following scheme to roughly estimate the entropy of human- generated passwords

    • The entropy of the first character is four bits;
    • The entropy of the next seven characters are two bits per character;
    • The ninth through the twentieth character has 1.5 bits of entropy per character;
    • Characters 21 and above have one bit of entropy per character.
    • A “bonus” of six bits is added if both upper case letters and non-alphabetic characters are used.
    • A “bonus” of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.

Guidelines for Strong Passwords

  • A minimum password length of 12 to 14 characters if permitted
  • Generating passwords randomly where feasible
  • Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors’ names or dates)
  • Including numbers and symbols in passwords if allowed by the system
  • If the system recognizes case as significant, using capital and lower-case letters
  • Avoiding using something that the public or workmates know one strongly likes or dislikes

References
1. William Stallings, Network Security Essentials: Applications and Standards, Pearson Education
2. Daniel Minoli | Emma Minoli, Web Commerce Technology Handbook, Tata McGraw-Hill
3. Mark Nicolett, Manage Passwords to Secure Your IT Environment, Gartner
4. Ray Wagner | Ant Allan | Jay Heiser, Management Update: Eight Security Practices Offer More Value Than Pass-word Aging, Gartner
5. Gery Menegaz, Brute Force Attacks: Beyond password basics, ZDNet.com
6. Password cracking – Wikipedia, the free encyclopedia

About the Author

Kishor Sonawane and Satish Chinchorkar (Varutra Consulting) – Article written for Pentest Magazine May 2014 issue.

11/14/13

Social Engineering and How It Helped Us Find A Mole

SE1

Social Engineering is essentially the art of influencing some person into doing things that 
he may or may not do willingly. It is not a concept that got into picture recently, but has probably been existent since hundreds of years. Simply put, every time you try to get someone to do something that is in your interest, you are applying social engineering.

We can observe variants of social engineering in everyday life, from a student trying to escape punishment for not completing his homework, to an employee trying to land a job in a company or score a big promotion.

Social engineering can be performed either using deception or inception i.e. either using the existing trust relationship or else planting a new bond of trust. The nature of impact is vast and extent of loss solely depends upon the skills of attacker.

The idea is to exploit the weakness in human brain to inherently trust things sooner or later.

I will try to throw an insight on Social Engineering, its types and give you a real example of a Social Engineering activity conducted by me and one of my team-mates for an organization.

Introduction

According to me, Social Engineering is a mix of science and art.
It is art when a sales person manages to sell a comb to a bald person, or a scam artist fools a house lady to give lots of money for phony lottery scheme.

It is a science, when it is used to educate people on potential dangers of misusing it, or when it is used for information gathering, market analysis and even corporate and police investigations.

One can classify social engineering activities into two classes:

Human Based

  • Human based activities involve interacting with humans directly, and trying to manipulate situation to our favor.
  • It may involve impersonating some other person and getting few tasks done. Communication of such sorts mostly happens over phone, where attacker may call a lady at her home acting to be her bank employee and ask her to provide her credit card number to update their new database. He may throw in names of actual employees, mention her husband’s name, or tell her that she has won a reward, which will arrive at her place soon, just to increase credibility.

Technology Based
These activities use computer, mobile phone to launch attacks. Attacks maybe

  • popups on websites, that may ask to download a software /driver to fix computer issues
  • email attachments, containing malicious PDF or image that takes control over the workstation when opened email scams, claiming to send a big reward for a small registration fee
  • fake websites, either to trick user into entering credentials of their social networking accounts, or to forcibly open ads and increase their own ad clicks
  • sending an SMS to victim and try to lure him/her in giving out sensitive information to win a bogus competition/ lottery.

A Case Study

The CTO of a reputed organization approached me with a concern. There had been leaks of sensitive documents from one of their offices, and he wanted to find out the source. He also wanted to ensure there weren’t other ways that security breach from an outside source could occur. He asked me to help, and I agreed. 
We tasked ourselves to gather as much sensitive information as possible through on-site (physical) and off-site (remote) activities. 
Activities were supposed to yield two results: Evaluating whether the office was penetrable from an outsider or not, and finding out the employee involved in the breach of security that happened in the past. 
Instead of dealing with two problems separately, we decided to have a combined approach, which was partially planned, and some part had to be done as we move ahead.

Basic plan was simple:
1. Gather as much information as possible about the branch, like departments, employees, events, etc.
2. Formulate a plan (Operation ‘Infiltrate’) for penetrating into the branch
3. Formulate a plan (Operation ‘Investigate’) for finding the source of the leak
4. Execute both plans

For our own comfort, we decided to start off with ‘Operation Infiltrate’, and execute ‘Operation Investigate’ somewhere during the time frame. 
Our team skimmed through the internet to find all information on the organization, its employees, organizational hierarchy etc. This involved analyzing user’s social networking accounts, job sites having their profiles, blogs, forums to company website and other portals accessible publicly.

Here is a summary of what we did, with a little insight on how it was done:

Spoofed Branding

A half cooked lie is most likely to be caught. A good Social engineer will have spoofed almost everything he can, so that all possible calculated scenarios are under his/her control. 
We created a fake website, populated with testimonials, blogs, address etc. We then created a company profile for each of us who were pretending to be the employees on the website, which we could access and show on logging-in into our “Employee Portal”, just in case we need it while we are interacting with employees and need to prove our authenticity.

Enter the perimeter

This is one of my favorite activities that give a sense that I am on a secret mission like “007” agent and involves some interesting physical activities.chinawall

It was easy to bypass first security gate by walking
in business attire with a costly watch, nice suite and leather bag with sunglasses. This gave easy access as a visitor, without getting involved in much questioning by the security guards.

While walking from main gate to respective building,
I removed the jacket and sun glasses, now posing as
an interviewee, looking to meet the senior HR of the company. By inquiring about the HR personnel on the inquiry desk, by name and some other information (which had been collected by our team efficiently, from the internet) gave me easy access to the floor she was sitting.

While I was sitting at floor guest area waiting for the
HR personnel, I was told by the security personnel that she would be arriving soon. I tried to convince him to
let me meet her on my own in an attempt to get a easy access into the employee area, but I was told to wait back.

…continue reading on CYB3R Magazine

 

11/7/13

Bug Bounty : An Introduction

What exactly is Bug Bounty ?

In the Wild West, when outlaws roamed the land, local sheriffs did not have the resources to track them down alone. So they put up “Wanted” posters, offering huge rewards (a fairly handsome amount) for their capture.

bug_bounty

Thus began the concept of “bounty hunting”. A bounty hunter captures fugitives for a monetary reward a.k.a. bounty. Other names, mainly used in the United States, include bail enforcement agent and fugitive recovery agent.

From capturing notorious criminal, Bounty Hunting has since been introduced into Information Technology as well.

Software companies pay a certain amount (Bounty) to the security researcher (Bounty Hunter) who finds critical “bugs” or vulnerabilities in their software. This is known as “Bug Bounty”.

This concept was first conceived by Netscape in 1995. Few companies to follow were iDefense (2002), Mozilla Firefox (2004), ZDI (2005), Pwn2Own(2007), Google Chromium(2010) and Facebook(2011).

This is a very lucrative field for Information Security enthusiasts and researchers as well. When a security researcher reports a valid vulnerability in an application, then the developing organization pays a bounty to the researcher, instead of just saying a simple thank you.

Bug bounty provides a platform to the researchers to improve their skills and experience and to get rewarded with a bounty. Not only do you get rewarded for finding vulnerabilities, but you may also get your name listed in the company’s Hall of Fame. Doesn’t that sound great?

Why do companies organize bug bounty programs?

The answer is simple, to be secure. By providing this policy, many security researchers around the world will try to find vulnerabilities in the target applications. Every security researcher has his/her own methodology to find the bugs. This yields to broader coverage of scrutiny on the application from a security standpoint. One more important thing is that these bug bounties encourage young and talented security researchers to showcase their talent, implement on real word applications and learn immensely in the process.

Few companies which provide bug bounty are:

  • Google
  • Microsoft
  • Facebook
  • PayPal
  • Mozilla, and many more.

So, what types of vulnerabilities are accepted?

It all depends on the impact of the vulnerability on the application. From my experience, major vulnerabilities that the companies look for to be identified, when offering a bug bounties are:

1. Remote Code Execution

2. SQLi

3. Authentication Bypass

4. Privilage Escalation

5. XSS (All flavours)

6. CSRF

7. Clickjacking

8. Unvalidated Redirects and Forwards

This does not mean that only these vulnerabilities are accepted. Companies provide bounty only for reporting a previously unknown security vulnerability of sufficient severity.  Based on the severity, a higher amount is paid. It may be considered a good part time work for security researchers as they get exposed to real world applications, and get paid in the process.

Why are these programs successful?

This is mainly because of the participation of the both white hat (ethical hacker) and black hat (unethical hacker) community. Mostly white hat hackers participate in these programs to learn and get paid. The strategy of black hat hackers is also the same, but they more concentrate on the bounty part. If a black hat hacker finds vulnerability, then he has a chance to either responsibly report to the organization or to sell it in the black market. So it is important for companies and organizations to track the activities of these “bounty hunters” and lay down strict policies against finding and reporting vulnerabilities.

One more lucrative attraction is that once vulnerability is reported, the name of finder makes to the company’s hall of fame, which increases his/her reputation in the community.

So, join the hunt, let your names to be listed in Halls of Fame and your pockets be filled 🙂

Author : Javid Hussain

Javid is a Security Researcher at Varutra Consulting. He is known for bug hunting and having his name on many “Hall of Fame” for identifying and reporting high risk vulnerabilities for Google, Facebook, Apple, Nokia, Twitter and many more.