The BBC recently ran an article about a hacker who has published details on how to hack a certain type of webcam. This story is interesting for several reasons.

First, it further highlights how fragile our privacy has become now that we live in a digital world with details of our lives kept on the internet: personal blogs, Twitter feeds, Facebook, Government/Health records, etc. All this data is available online if you have the right access to the system it is held on. But it is not just still photos or lines of text; it can also be live pictures through personal webcams or state surveillance cameras. Again, that data is available if you have the right credentials. In this case, hundreds of Trendnet webcam users thought (or still think) their live video feed was protected through the use of a user ID and password, but a bug in its firmware allows anyone to access it by adding a simple “/anony/mjpg.cgi” at the end of the webcam IP address. If you think about the number of devices around you that have a built-in camera, from computer screens to mobile phones, it is a scary thought if they were to be compromised in such a manner. A quick Google around will report many different ways to remotely access those cameras, and although they require user intervention, meaning either the outcome is what is intended or the “victim” is a willing participant, couldn’t a worm be created to exploit those video streams and invade many people’s privacy?
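To make that class of bug concrete, here is an added illustration (my own, not the Trendnet firmware, whose code is not reproduced here): a tiny request dispatcher for a hypothetical camera web server, first laid out so that each handler checks credentials itself and one alternate route forgot to, then laid out so that the dispatcher demands credentials on every route that is not explicitly public. The route names other than /anony/mjpg.cgi and the credentials are constructed for the example.

```python
import base64
import hmac
import posixpath
from typing import Callable, Dict

# Constructed demo credentials; a real device would load these from its config store.
VALID_USER = "admin"
VALID_PASS = "correct horse battery staple"

Headers = Dict[str, str]


def basic_auth_header(user: str, password: str) -> Headers:
    """Build the HTTP Basic Authorization header a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def credentials_ok(headers: Headers) -> bool:
    """Parse a Basic Authorization header and compare in constant time."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return hmac.compare_digest(user, VALID_USER) and hmac.compare_digest(password, VALID_PASS)


def serve_stream(headers: Headers) -> int:
    return 200  # stands in for writing the MJPEG stream to the client


def serve_status(headers: Headers) -> int:
    return 200  # hypothetical public endpoint exposing only a firmware version


# --- Vulnerable layout: every handler is responsible for its own check ----------
def guarded_stream(headers: Headers) -> int:
    return serve_stream(headers) if credentials_ok(headers) else 401


VULNERABLE_ROUTES: Dict[str, Callable[[Headers], int]] = {
    "/cgi/mjpg.cgi": guarded_stream,   # the documented, password-protected URL (constructed name)
    "/anony/mjpg.cgi": serve_stream,   # alternate route where the check was simply forgotten
    "/status.cgi": serve_status,
}


def handle_vulnerable(path: str, headers: Headers) -> int:
    handler = VULNERABLE_ROUTES.get(path)
    return handler(headers) if handler else 404


# --- Hardened layout: the dispatcher authenticates every route, fail-closed ------
PUBLIC_PATHS = {"/status.cgi"}  # the only routes served without credentials

HARDENED_ROUTES: Dict[str, Callable[[Headers], int]] = {
    "/cgi/mjpg.cgi": serve_stream,
    "/anony/mjpg.cgi": serve_stream,   # same forgetful handler, now covered by the dispatcher
    "/status.cgi": serve_status,
}


def handle_hardened(path: str, headers: Headers) -> int:
    # Canonicalise first so "/cgi/../anony/mjpg.cgi" cannot dodge the allowlist.
    path = posixpath.normpath(path)
    handler = HARDENED_ROUTES.get(path)
    if handler is None:
        return 404
    if path not in PUBLIC_PATHS and not credentials_ok(headers):
        return 401
    return handler(headers)
```

The lesson is the dispatcher layout: a forgotten check in a single handler now yields 401 rather than an open stream.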

Secondly, it shows how long it can take before such a story makes the headlines. It took a month between the vulnerability being exposed and most security websites writing about it. It means many Trendnet users had their privacy exposed for a long period of time!

Finally, Shodan. It is a website referenced in the original hacking article as a way to quickly identify vulnerable webcams out there (and many other things). I must admit I overlooked that website when I first heard of it on The Register over a year ago. It seems like a great resource but I am not sure if it serves Good or Evil.

It is maybe time to put that sticky tape on your built-in webcam when not using it :)

 

There has been wide coverage of the naming and shaming of the supposed perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then Facebook’s security team threatened to and did reveal the gang’s real identities, The New York Times even ran an article on it and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appears to have worked in this instance, as the botnet Command & Control centre has been turned off, and it also appears they named the right persons; but what if all those blogs/researchers had made a mistake!? It would have been nothing more than a smear campaign that could have affected the lives of some innocent internet users.

This tactic is used by the police in some countries so they can catch “real” criminals on the run. They name and shame, appealing for help from the public and thus making it more difficult for them to carry on with their illegal activities.
By “real” I mean criminals in the traditional sense of the term, who have broken the law physically as opposed to virtually. But as our lives become more and more entangled with the virtual world, criminal activities “there” can and do have an impact “here”.

Where I think there is a difference is that the police conduct a thorough investigation before naming and shaming and, more importantly, they follow an established, documented and legally sound process to conduct such an investigation. Although those security researchers are experts in their own right (pun intended), it is a dangerous game to become a vigilante…

To conclude, I am not fundamentally against this practice but I am concerned it could spiral out of control. It also highlights how difficult it is to get hackers to stop their activities, as this is some kind of last-resort solution.

 

I have just attended the SANS 660 course in London. It is one of the most advanced courses SANS has to offer and it did not disappoint!

Its bootcamp format means you will start your day at 9am and finish it at 7pm! The last two hours are the “bootcamp” proper: basically 2 hours of exercises linked to the content of the day, which really help you understand the different techniques that were discussed.

Speaking about content, although they state that previous programming experience is “recommended”, it is not: it is mandatory!

And for the last 2 days you really need some understanding of x86 assembly to have a chance of following the fast pace. I have to admit that on the last day I was lost after lunch!

But what do you get if you buckle up and go on the ride? You get an incredible amount of information, as it goes into a great level of detail on how to identify and write your own exploits. But it also allows you to get a better appreciation of what to look for when reviewing the security of a network, an application, a website or a system. This is not just a “hacking” course, and the “ethical” at the end of the full course name is there for a reason.

The lecturer, Stephen Sims, is quite inspiring. Of all the lecturers I have met in the different courses I have taken these last 15 years, he is probably the one who knew his subject best! It is also great that he is always willing to help his students understand what they are doing wrong during exercises. And it is apparently not just computer hacking that he is good at, being a core member of a signed music band going by the name of a modern hard disk.

The highlights of the course for me were:

  • The different techniques to attack a network, with the consequences of badly, or shall I say commonly, configured routers;
  • Ways to get out of a locked-down desktop;
  • What to do with a buffer overflow: how to locate/change/utilise those different address pointers, defeat canaries and use gadgets.

Although at the end it will feel like you need a larger brain and many more weeks to assimilate this new information, you will also get a sense that you have only barely touched the surface of all those techniques…

Then of course, after each of those hard days working you can relax at the next-door pub… and if you haven’t had enough, this is where you can take part in a hacking challenge, the Hex Factor challenge. It is basically a “capture the flag” contest where you set up a team, or go at it solo, and are faced with a number of different challenges:

  • 2 quizzes
  • 3 hacking challenges (e.g. breaking into a network, a server, etc.)
  • 3 reverse engineering challenges (e.g. bypassing a password in an executable)
  • 3 forensic challenges (e.g. recovering data hidden somewhere)

This is really a great environment, not only to meet like-minded people (although some may say that is a bad thing! ;), but also to actually practise your newly acquired skills. It is also good that each of those challenges has different levels, allowing anyone to participate, from the manager to the engineer! This event takes place at a number of conferences and is organised by volunteers. So I’d like to congratulate everyone who was involved in making it such an entertaining event!

Finally, this year there was the NetWars challenge. It has a similar format to the Hex Factor one and ran for 2 days (after the Hex Factor was finished). It is an individual hacking contest with increasingly difficult challenges. The fact you see the top 10 scores live on a big screen, the buzz of having a large room full of people hacking away, the organisers making sure everything is going smoothly and that everyone feels comfortable really made those 2 nights special.

To conclude I will say that, again, SANS did not disappoint. It was a top quality course, part of a great conference with huge opportunities to network and practise your skills. So I can happily recommend that anyone attend the 660 class, and also, if you really want to make the most of it, you have to stay in a nearby hotel, be ready not to sleep too much and embrace the geekiness around you :)

SANS, Stephen, Thank you very much!

 

It all started with some findings published by Trevor Eckhart on his website a few weeks ago.

He found that a California-based company called Carrier IQ (CIQ) had developed software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, BlackBerry, Nokia phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here is that this software is intentionally installed/provided by the device manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.

This is what I would call the Facebook syndrome!

The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to the carrier and phone manufacturer, such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would expect from software that logs all the keys pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar), but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US: although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries, and the location of the device. This is what could be considered a significant personal privacy invasion.

So how did CIQ react to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was infringing their copyright (because some of their publicly available training material had been referenced) and making false allegations.

As reported by The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarise the case on their website, and also to a new post showing exactly what Trevor meant by calling the CIQ software a “root kit” (I called it a “key logger” earlier, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article goes into detail as to why the CIQ software is indeed a root kit, with a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and that, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS versions from iOS 3 to the latest iOS 5. However, it seems that the information logged on Apple devices is much less than what is logged on Android: no URL nor SMS, and the location is only sent if you have allowed it to be. Furthermore, that information is not transmitted by default but only if the user manually chooses to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan. I had an iPhone 3G at the time, and I monitored my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed, pre-paid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider, they eventually claimed that the built-in iOS bandwidth statistics only showed average figures and were not accurate. I also read in some forum at the time that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue it further, agreed to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, it is also hidden from view.
After all, if the provider goes to great lengths to hide the data they collect from you, they probably don’t want you to see that sealed fat envelope leaving your phone!

If that’s the case, how legal is this?! Not only is spying on/gathering user information questionable, but doing so could be at the expense of the user! Couldn’t it be considered a hidden cost of their service? Could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others, they want users’ personal information, but unlike others, they have full control of the device you discuss your life on.
  2. Opting in to usage statistics should be just that, an optional choice! And it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS statistics then this is an extra hidden cost to the user.

Now, where have I kept my 10-year-old beloved Nokia 8210?

UPDATE, 12th of December 2011: Carrier IQ has responded to the issues discovered by Trevor through a 19-page document. Not sure I find it very convincing.
 

I used to have one password. It was the password to my Unix student account, and that was in the mid-nineties!

Since then, I must have accumulated dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula; I do emphasise “clever”, because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your passwords could find out what that formula is quite easily.

Another issue is the username. Most security warnings are about users having the same password everywhere; although that is indeed a problem, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be re-used to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials, which can sometimes be the same as those used for corporate use, especially with Windows Live ID. I would again argue that it isn’t just an issue with consoles, as many people, when registering on new websites, re-use the username they use the most: their work or home username.

There is however a need for a tradeoff between the highest level of security, having a random username and password for each of your logins, and something you can use without having to think about or look up every 5 minutes.

I would start with a different password for every login… and change them from time to time.

 

There is a recent BBC article on a new attack against a key component of Quantum Cryptography: key transportation.

There are 3 main components to a cryptographic system:
- The strength of the algorithms used (closed/open, random number generation, collisions, etc.)
- The integrity of the system (implementation, key storage, device security, etc.)
- The transportation of keys (no full or partial interception of the keys, etc.)

Quantum Cryptography has been seen by some as the future for ensuring the integrity of key transportation and the detection of any interception attempts during it.

I am not a Quantum Physics expert, but what I understand is that key transportation is done through light, where photons are sent to the receiver, who will inspect the states of those photons to reconstruct the key. It is similar to sending a stream of bits which make up the key, apart from the fact that in Quantum Physics a photon has not just a binary state (0/1 or -/+) but multiple values at the same time.
One of the key Quantum properties useful for cryptography is that once a stream of photons is inspected, it is “destroyed” or changed. Therefore if someone was trying to eavesdrop, the receiver would know.
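To make the “inspected photons are changed” property concrete, here is an added simulation (my own illustration, not taken from the BBC article or the Norwegian paper) of the BB84 protocol the description above loosely matches: the sender and receiver each pick a random basis per photon, keep only the positions where the bases agreed, and estimate the error rate on that sifted key. A textbook intercept-resend eavesdropper shows up as roughly 25% errors; the attack discussed further down is different precisely because it targets the detector implementation rather than this physics. Basis names and the abort threshold are my own labels.

```python
import random
from dataclasses import dataclass

RECTILINEAR, DIAGONAL = 0, 1   # the two polarisation bases used by BB84

# Above this sifted error rate the parties must assume an eavesdropper and abort;
# about 11% is the usual bound for BB84 with standard error correction and privacy
# amplification (assumed here as the example's threshold).
ABORT_THRESHOLD = 0.11


@dataclass(frozen=True)
class Photon:
    basis: int  # basis the photon was prepared in
    bit: int    # value encoded in that basis


def measure(photon: Photon, basis: int, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the encoded bit; measuring in the
    other basis gives a coin flip, and the original state is gone afterwards."""
    if basis == photon.basis:
        return photon.bit
    return rng.randint(0, 1)


def run_bb84(n: int, eavesdrop: bool, seed: int = 2011):
    """Simulate n photons; return (sifted key length, quantum bit error rate)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n)]
    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = Photon(a_basis, bit)
        if eavesdrop:
            # Intercept-resend: Eve must guess a basis, measure, and send a fresh
            # photon prepared in her basis; half the time she guesses wrong.
            eve_basis = rng.choice((RECTILINEAR, DIAGONAL))
            photon = Photon(eve_basis, measure(photon, eve_basis, rng))
        bob_bits.append(measure(photon, b_basis, rng))
    # Sifting: bases are compared over the public channel; mismatches are discarded.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return len(sifted), qber


def eavesdropper_detected(qber: float) -> bool:
    return qber > ABORT_THRESHOLD


if __name__ == "__main__":
    for label, eve in (("no eavesdropper", False), ("intercept-resend", True)):
        length, qber = run_bb84(4000, eve)
        print(f"{label:17s}: sifted {length} bits, QBER {qber:.3f}, "
              f"abort={eavesdropper_detected(qber)}")
```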

As a side comment, there are a few things that still puzzle me about how this can only be a good thing. What about repeaters? You would need those to exchange keys over very long distances. So even if you can guarantee the key hasn’t been intercepted, you cannot apply the same “quantum” guarantees to the repeaters (ref. integrity of the system). Furthermore, this could lead to a Denial of Service attack; I don’t see how a Quantum Key Exchange infrastructure could be as resilient as today’s internet. You would need specific “light tunnels”: if one gets damaged, or if someone tries to intercept the key exchange with the sole goal of disrupting the exchange process, then keys cannot be exchanged and the communication cannot take place…

Anyway, I would hope they have thought about all this and have an answer. But what a team of scientists has just done is prove they could intercept the key and “blind” both ends into believing the exchange had been successful.

However, some scientists have replied that it was just a “configuration” problem with the system implementation and that it was possible to detect that attack after all.

Nonetheless, this adds weight to those who believe Quantum Cryptography is not the Holy Grail some claim it is, and that implementation issues similar to those found today in “standard” cryptography also exist in “Quantum” Cryptography.

The BBC Article (Summary)
The Norwegian University Article where the paper came from (Original Article)
The Quantum Hacking Group responsible for the discovery (More info)

Below is a great video from the Quantum Hacking Group Website explaining the attack:


 

Brute force password cracking has been around for a while, but in the last few years a new way to use your brand new graphics card has emerged which makes high-performance attacks against passwords much cheaper and easier.

This is because the “brain” of those graphics cards, the Graphics Processing Unit or GPU, is designed to handle mathematical and repetitive tasks very efficiently.

There is a very good article about this topic on the Errata Security blog with some interesting facts:

- Although GPUs are now found in most electronic devices (e.g. phones), dedicated PC cards are obviously better

- Radeon is better than GeForce

- Although you can use more than one GPU, the benefits are not exponential and most people only need 1 or 2 GPUs.

- This is because past 8 characters, a password becomes near impossible to brute force. It would take too long, regardless of the number of GPUs you use!

- Some people actually slow down the computer memory to reduce voltage and thus heat. All that matters is the GPU!

- What you would use a GPU against:

  • Bitcoin hash matching calculations (Bitcoin is a digital currency)
  • WPA passwords: as you cannot really use rainbow tables, brute force can be useful! In fact this is true for any “salted” password.
  • Protected documents: ZIP, Office, etc

Some of the software you need if you want to experiment yourself can be found on the Golubev website.
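As an added illustration of two points from the list above (length beyond 8 characters, and salted WPA hashes defeating precomputed tables), not code from the Errata Security article: the real WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 rounds) next to a worst-case keyspace-exhaustion estimate at an assumed guessing rate. The guessing rates in the table are illustrative assumptions, not measurements.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits.
    The SSID salt is why a precomputed (rainbow) table only helps against one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate; on average an attacker needs half."""
    return keyspace(charset_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def cost_table(rates: dict, lengths, charset_size: int = 62) -> list:
    """One row per password length: (length, {rate label: worst-case time})."""
    return [
        (n, {label: human_time(seconds_to_exhaust(charset_size, n, rate))
             for label, rate in rates.items()})
        for n in lengths
    ]


if __name__ == "__main__":
    # Assumed rates for illustration only: a single GPU tests raw MD5 candidates orders of
    # magnitude faster than WPA2 PSKs, because each WPA2 guess costs 4096 HMAC-SHA1 rounds.
    rates = {"MD5, 1 GPU": 1e9, "WPA2, 1 GPU": 1e5, "WPA2, 2 GPUs": 2e5}
    for length, row in cost_table(rates, range(6, 13)):  # charset 62 = [A-Za-z0-9]
        print(length, row)
    # Same passphrase on two networks: the SSID salt gives unrelated keys.
    print(wpa2_psk("password", "IEEE").hex())
    print(wpa2_psk("password", "HomeNet").hex())  # "HomeNet" is a constructed SSID
```

Note that a second GPU exactly halves the exhaustion time, which is the linear (not exponential) benefit the list above refers to, while each extra character multiplies it by the charset size.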

Update 28/06:
It looks like you can now even have a powerful external GPU for your notebook, and it is a Radeon!
SONY EXTERNAL GPU DOCK

 

Here is an amusing story where prisoners in a maximum security prison managed to hack their locked-down computers.
Their computer seems to be more like a dumb terminal than a full-featured one, and what they can do and where they can go is very limited (e.g. watch television and receive calls).
However, the prisoners found out that by opening 200+ Windows Explorer windows they could cause a buffer overflow which then allowed them more access!

http://gcn.com/articles/2011/05/30/colorado-prison-sidebar.aspx

And to go with this story, here is a photo I came across on the internet that summarises the security state of many companies!

 

With the rise in popularity of Apple products there is also an increasing interest from hackers and security professionals.

The well-oiled speech from Apple and their fans is that Apple products are more secure than the competition, especially Mac OS X, which does not need anti-virus, does not get malware, etc.

But is this actually true? And even if it is today, will it always remain so?

I do not think so.

A number of security vendors have started to offer anti-virus for Mac: Sophos, McAfee, ClamXav, to name a few!

You could argue they are just surfing on the increase in Apple’s computer market share, but then you would forget that some Mac OS X trojans are being seen around; for example, Sophos recently discussed a new Mac OS X trojan, BlackHole RAT, which may currently be distributed alongside pirated Mac software on torrents.

Added to that is the fact that Apple does not get security right all the time. The recent 62 bugs that have been fixed in the latest Safari update (5.0.4) are a reminder of that. A further reminder is the result from the pwn2own contest which is taking place right now: today, a French team managed to hack even the latest patched-up version of Safari. This was the first browser to be hacked at that competition… it took a mere 5 seconds.

While some articles are reassuring about Apple’s stance on security, like this one, others are more critical, like this very interesting interview with some famous Mac hackers. What is also interesting is that one of those hackers was also referenced in the “nice” article :)

So here you have it:
- An increased interest from hackers,
- A platform which, as with any IT platform, has and always will have vulnerabilities/bugs,
- An Apple security stance and practices which can be questionable.

Apple claims to be taking security seriously, but Apple being Apple, they also seem to be very closed-minded about how they implement it, who they listen to and what security controls are really important for their users. Time will tell if they are right, but for once, I am ready to bet against Apple. At the very least I do not believe they have the right attitude. What may work very well for design and “user experience” is different when it comes to security. A closed and arrogant security approach never works very well for long.

Therefore, I wouldn’t be surprised if we see a global security scare regarding Apple products within a couple of years… I would even bet before the end of this year!

What pushed me to write this article in the first place is that I am myself a Mac user, and a couple of days ago I noticed a constant noise from my Mac hard disk. After doing some basic troubleshooting, like closing all applications and stopping all the network services I use and run in the background, there was still some hard-disk activity… I could not identify an obvious bad process, but again, it is not like Windows where you can use tools such as HijackThis and their online database to identify known bad processes (or if there is one, I don’t know it!)

Then I looked at the Network section of the Activity Monitor and could see a constant small download of data. When I disabled the computer’s wifi the activity stopped, and when I re-enabled the wifi card the downloads started again… so what was triggering this?

I am sure I am showing my rusty Unix skills, as I could probably have found a command to show me all processes using the network interface and link this back to an application name. But I didn’t do so.

Instead, I looked at the traffic through Wireshark and although I could see some HTTP traffic, none of the destination IPs looked suspicious. (A good article on configuring your network interface for Mac OS is available HERE; you will need to scroll down through the heading errors on the page.)

I did not have enough time or the immediate knowledge to investigate further, so instead, for the first time, I ran anti-virus software on my Mac! It did find 4 issues but I think they were related to some Windows archives.

Therefore, so far, I have found nothing and it could be nothing (a scheduled maintenance job, etc.).

If this was happening on a Windows machine I would be much more worried, but then I would also have much more confidence in the security tools I could use to detect a potential malware.

What it meant for me though is the realisation that I should stop blindly trusting the level of security of my computer just because it is a Mac… and that I should probably start to use the command line a bit more, as well as using some security controls/technologies I would normally use in a Windows environment.

Lastly, for some basic but good security tips on Mac OS X, you can see the 3 articles that Sophos published on their security blog: Part 1, Part 2 and Part 3.

 

No matter how many layers of security you implement on a computer, there will always be one area that is protected by simple old access control: the memory.

You can have a complex password policy, two-factor authentication, full disk encryption and file encryption (which could even be extended through the use of an Information Rights Management (IRM) solution), but for that protected information to be accessed and manipulated, it needs to be decrypted into memory.

The security of that data in memory then relies on memory access control and proper segregation; I am not sure we can talk about memory sandboxing, but that’s the same idea. The data will, of course, also rely on the physical security of the device it is hosted on.

Gaining administrator access on that device would therefore grant you access to the full memory.

This last point is of significance.

For IRM solutions, being an administrator on a device does not necessarily mean you also have access to the users’ IRM-protected files. The same is true for simpler file encryption solutions: they can be used to protect access to documents even from system administrators.

To some extent this could be true for some full disk encryption solutions, but you would then limit what support staff could do. Having said that, it is possible to implement full disk encryption only on the user data space and leave the minimal boot and system filesystems unencrypted, or encrypted but only giving administrators access to the area where they can support the users, not to the user data disks. To be efficient this would require a good, and probably complex to implement, temporary files handling strategy.

So why is the fact that data gets decrypted in memory of significance?

For two main reasons:
1) System administrators on those devices could then gain access to data in use which is not accessible to them while at rest or in transit

2) Those same system administrators could also get access to other sensitive information such as personal information (date of birth from an email being written, wife or pet names, etc.) which could be used to attack the user password and/or full disk encryption key. In a worst case scenario it could also mean gaining access to an unencrypted password/key stored or cached in memory…

So we may all trust system administrators (*cough*), but a recent article I read on Networkworld.com was referring to a report by SANS which identified memory scraping attacks as one of the most dangerous new attacks on the rise.
This type of attack attempts to gather personally identifiable information and other useful unencrypted information from memory to do what I just described: access encrypted/protected information one is not supposed to be allowed to.

Another extension of this attack could be done through the use of FireWire or the new Thunderbolt ports. Those technologies allow for full access to the memory. This article from The Register highlights the issue by comparing the secured master/slave USB protocol and the unsecured peer-to-peer FireWire/Thunderbolt protocol.
It would seem that on devices with FireWire/Thunderbolt ports an attacker with no admin access is still able to conduct memory scraping attacks as long as he has physical access to those devices.
The above referenced article mentions an attack through the display port of a Mac; this is because “Thunderbolt is based on DisplayPort technology” and it is easy to think of possible attacks:
- Leave your laptop (screen locked, turned on) unattended at work or at a conference and an attacker could just walk by and plug something into your new and shiny Thunderbolt port (which will probably be unused for quite a while until vendors start to produce compatible products)
- You plug your laptop into a screen which has been compromised and an attacker can then gain full access to your laptop memory while you are doing a presentation.

How do you protect against those attacks?
The simple answer is that it is difficult and that right now you cannot really be protected.
You would need to choose a laptop with no FireWire/Thunderbolt ports (goodbye Apple products) or be able to disable them.

But more importantly, more work may be required in future Operating Systems to segregate access to parts of the memory.
Administrator access should no longer mean full computer access; user data should be held in a container not accessible by admins but only by the data owner or auditors.
If done correctly:
- Sys admins would still be able to support the users and their computers
- User data would be better protected against the attacks described above
- Compliance requirements and data recovery would still be met without impacting the security of the system. A very basic example is an auditor role that may not be allowed to access the user system and is just allowed access to user data. It would require the disk to be physically removed from the computer. That access for the auditors could require two auditors to provide credentials to be allowed to view the data, etc.

The security around computer memory is an area which may need more attention from vendors in future.

© 2011 Encryptsolutions