Category Archives: #security - Page 3

Encrypted Messaging using OpenPGP and Psi

The simplest way to enable encrypted chat messaging with services like Google Talk, AIM, Yahoo, IRC and other messengers/protocols is to use a GNU Privacy Guard-enabled Jabber client. If you’ve never set one up before, you’ll want to follow these directions. I’ve included the configuration I prefer for Windows, though my Linux setup was nearly identical.

In Windows I prefer using Gpg4win as it’s extremely easy to use and lightweight. So go ahead and pick up a copy of the Windows binaries here: http://gpg4win.org/ — optionally, if you’re interested in another GnuPG distribution, you can pick one up over at http://www.gnupg.org (please keep in mind that the Miranda IM client works poorly with the gpg2 packaged with Gpg4win, which is why Psi is the easier alternative).

Kleopatra makes creating OpenPGP keypairs a quick and painless process. So from within the key manager create the key you’ll use with Psi. Kleopatra supports RSA and DSA, though I prefer RSA keys of 2,048 bits and larger (keeping in mind that the larger the key, the longer it’ll take to encrypt and decrypt messages, though with a modern system you’re not likely to notice; a larger key is obviously more secure). Export the certificate (your public key) to a location of your choice; it’ll use ASCII armor by default.

Now that you have a public key to use with an XMPP client, you need the client itself. Again, I use Psi because it’s extremely lightweight and known to work well with every type of OpenPGP program out there. To download Psi, go here: http://psi-im.org/

While you could make your own XMPP server in the future, we’ll use a pre-existing server in this article (the main reason is that it happens to have gateways to other popular chat servers).

JaIM has an amazing server which happens to be an excellent AIM gateway. It also features a number of transports such as AIM, Yahoo, IRC, ICQ and MSN. JaIM also features XMPP server access (Google Talk/misc. Jabber) in addition to its own chatrooms, SOCKS5 Bytestreams, and Prosody Lua-based servers.

JaIM Public XMPP Server

To use JaIM, be sure to check Register, as JaIM supports in-client registration. Enter jaim.at as the server and turn off message history logging if you want. Under Details you’ll see an area for OpenPGP: find and select your key. Under Connection, enable compression and keep-alive, enter any proxy or proxy chain information you may have, enable “probe legacy SSL port”, allow plaintext authentication over encrypted connections only, and set “encrypt connection” to Always.

Upon connecting it’ll ask you to create a username and password. Once you connect to a server you can enable encryption by clicking on the gray unlocked logo. It’ll ask for your secret passphrase; upon entering it successfully you’ll see a yellow lock logo appear next to the server of your choice.

You can find commonly used Transports (such as AIM or MSN) by clicking on the Psi Greek symbol and checking the Service Directory on the JaIM.at server. You’ll be required to set your username and password and any account profile details you desire. Some Transports work better than others. If you’re an AIM and Google Talk user, for example, you’ll find this setup to your liking. Psi will automatically import your contacts from each of the Transports you choose.

Messages you send will usually be unencrypted by default unless you choose otherwise. At the top of the message box, toward the right-hand side of the window, you’ll see a gray lock. To enable encryption, select the lock logo. Note that you’ll need to import other users’ public keys in order to send them messages they can decrypt (obvious, but I thought it was worth noting).

Google Talk

You can either use the XMPP option through JaIM’s server (a bit out of the way for my tastes) or you can simply connect to Google Talk’s server directly. To connect directly in addition to using JaIM for your other accounts (or instead of using JaIM), go to Account Setup and add an entry for talk.google.com; under Jabber ID it should read:

your.username@gmail.com

Google mistakenly doesn’t mention entering your password in the Account Setup field. If you have 2-step verification enabled on your Google account, you’ll want to enter your one-time application-specific password here. If you use Google with a regular password, feel free to enter that here as well so it doesn’t ask you for your password every time you connect to Google Talk.

Assigning PGP Keys to Others

Simply right click on a person’s name and select Assign OpenPGP Key and enter their key accordingly.
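Before assigning a contact’s key it is worth confirming that the key on your keyring really is theirs, and the reliable way to do that is to compare its fingerprint with one you obtained out of band (over the phone, in person, on a business card). The script below is an added example, not part of this post or of Psi or GnuPG; it parses the machine-readable listing that `gpg --list-keys --with-colons --fingerprint` produces and checks a contact’s e-mail address against an expected fingerprint. The listing embedded in it is constructed, with placeholder key IDs, fingerprints and names.

```python
import re
import subprocess
from typing import Dict

# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output.
# Key IDs, fingerprints and user IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
tru::1:1344000000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1344000000:::u:::scESC:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1344000000::A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0::Alice Example <alice@example.com>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1344000000::::::e:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1344000000:::u:::scESC:
fpr:::::::::FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000:
uid:u::::1344000000::0123456789ABCDEF0123456789ABCDEF01234567::Bob Example <bob@example.com>:
"""


def parse_colon_listing(text: str) -> Dict[str, str]:
    """Map each user-ID e-mail address to the fingerprint of its PRIMARY key.

    In the colon format the 10th field (index 9) carries the fingerprint on
    'fpr' records and the user ID on 'uid' records. An 'fpr' record that
    follows a 'sub' record belongs to a subkey and is deliberately ignored.
    """
    result: Dict[str, str] = {}
    primary_fpr = None
    in_subkey = False
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":                       # a new key block starts
            primary_fpr, in_subkey = None, False
        elif rec == "sub":                     # subsequent fpr lines are subkeys
            in_subkey = True
        elif rec == "fpr" and not in_subkey and primary_fpr is None:
            primary_fpr = fields[9]
        elif rec == "uid" and primary_fpr is not None:
            m = re.search(r"<([^>]+)>", fields[9])
            if m:
                result[m.group(1).lower()] = primary_fpr
    return result


def fingerprint_matches(listing: str, email: str, expected_fpr: str) -> bool:
    """True when the key found for `email` has the fingerprint you were given
    out of band. Spaces and case are ignored so a printed fingerprint
    (groups of four hex digits) can be pasted as-is."""
    norm = lambda s: s.replace(" ", "").upper()
    found = parse_colon_listing(listing).get(email.lower())
    return found is not None and norm(found) == norm(expected_fpr)


def live_listing() -> str:
    """Obtain the real listing from a GnuPG binary assumed to be on PATH
    (not exercised by the sample run below)."""
    return subprocess.run(
        ["gpg", "--list-keys", "--with-colons", "--fingerprint"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Pretend Bob read this fingerprint to us over the phone.
    phoned = "FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000"
    print("bob@example.com verified:",
          fingerprint_matches(SAMPLE_LISTING, "bob@example.com", phoned))
```

Only after the fingerprint matches should you assign that key to the contact in Psi; a key that merely carries the right e-mail address in its user ID can be uploaded to a keyserver by anyone.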

Using the setup above you’ll be able to use Psi to video, voice and text chat with encryption enabled.

DNS Threats and Security Solutions

DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet your ISP’s name servers are queried, the appropriate IP address is found, and you’re then forwarded to the correct location of your choice.

IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)

Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!

Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page, as seen using the Metasploit Framework. Absolutely any type of false login can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack, or by including such a payload in malware, an attacker can gain sensitive information about you.

Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the scare we had recently with the DNSChanger incident. Computers still infected with DNSChanger/Alureon faced a big problem: with the arrest of botnet masters across the globe, the FBI feared that maliciously redirected DNS entries would simply fail rather than resolving to unintended sites for phishing and advertising.

The DNS Changer Working Group (DCWG) has a nifty website that checks whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and a few others. Internet Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well-known Alureon to begin with.

Also, the DCWG website would apparently have given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have reported infected machines as uninfected simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.

As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page can still be used to attempt to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern; it is a concern, merely not a global threat as the FBI suggested. Prior to the DCWG page going back online, a notice was posted explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless against actually detecting DNSChanger.

So a joke? No. OpenDNS.com reported in blog posts that hundreds of thousands were infected but simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG but keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malware Bytes: http://www.malwarebytes.org/
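Because an ISP that silently re-routes rogue resolvers masks the symptom rather than the infection, the check worth doing on your own machine is whether the resolvers it is configured to use are the ones you expect. The script below is an added example (not from this post, DCWG or OpenDNS) that reads a resolv.conf-style configuration and reports any nameserver outside an allow-list you maintain. The trusted list uses OpenDNS’s published resolver addresses and a private LAN range as examples; the resolv.conf text is constructed, and the second nameserver in it is a placeholder address standing in for one a DNS-changing trojan might have written.

```python
import ipaddress
from typing import Dict, List

# Resolvers you have decided to trust: OpenDNS's published addresses plus a
# home router forwarding to the ISP. Adjust to your own environment.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("208.67.222.222/32"),
    ipaddress.ip_network("208.67.220.220/32"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed resolv.conf: first entry is OpenDNS, the second (a TEST-NET-3
# documentation address) plays the role of an unexpected resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 208.67.222.222
nameserver 203.0.113.53   # not something we configured
options timeout:2
"""


def configured_nameservers(resolv_conf: str) -> List[str]:
    """Extract the nameserver entries, ignoring comments and other directives."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> Dict[str, str]:
    """Return a verdict per configured resolver: 'trusted', 'UNEXPECTED' or 'invalid'."""
    verdict: Dict[str, str] = {}
    for server in configured_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            verdict[server] = "invalid"
            continue
        # ip_address in ip_network is False across address families, so an
        # IPv6 resolver is never accidentally matched by an IPv4 allow-list.
        verdict[server] = "trusted" if any(addr in net for net in trusted) else "UNEXPECTED"
    return verdict


def audit_live_system(path: str = "/etc/resolv.conf") -> Dict[str, str]:
    """Audit the running machine's resolver configuration (Unix-like hosts)."""
    with open(path, encoding="utf-8") as fh:
        return audit_resolvers(fh.read())


if __name__ == "__main__":
    for server, status in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server:<16} {status}")
```

On Windows the equivalent information is in the output of `ipconfig /all` or in the per-interface settings; the allow-list logic is the same. A resolver you did not configure is a finding worth acting on even when name resolution still “works”, precisely because ISPs were quietly correcting DNSChanger victims’ lookups for them.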

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The types of attacks above are DNS cache poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but are used to steal your information).

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison

Alternative DNS Solutions

There are quite a number of different ways to protect against phishing online, from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built in to protect you from visiting faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted so that if you have a virus, it’ll be more difficult for it to change your DNS look-up behavior. Plus OpenDNS enables the use of parental controls for parents to block access to certain types of sites. There’s a paid version and an ad-supported free version which, upon entering an unresolvable name, gives you an error page, like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extendability and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network, which I describe as being effective in this article). This solution is for those wishing to secure their DNS querying, protect their system from the above risks and/or access sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself, or use DNSCrypt with the OpenDNS service. To set up DNSCurve without relying on OpenDNS, click here for instructions.

DNSSEC Protection: Why It Isn’t Enough

DNSSEC (DNS Security Extensions) is a way of authenticating DNS entries and ensuring that the response from a queried server is coming from the intended server. In and of itself it offers no encryption of your queries, but it does add a small layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool, depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, the connection is made and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.

Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely): your ISP, or your ISP and a third-party DNS service. Everyone’s goals and desires are different; the purpose of this post is to inform you of the technology, the threat and possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

Janet Napolitano on Cybersecurity @ ASIS 2012

Awesome keynote speech by Janet Napolitano, Secretary of Homeland Security, at ASIS 2012 in PA on the importance of cyber security.

Video embedded here for your viewing pleasure. Originally posted publicly on YouTube by ASIS International. For more videos please see the ASIS YouTube page.

Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a fake LAN for pirated games you probably know all about Hamachi. The tool, now available through RAS giant LogMeIn, allows you to flawlessly construct a VPN which in turn lets you and a set number of friends (5 using the free edition of Hamachi) join in and appear to be using the same network. For this reason Hamachi would seem like an ideal VPN solution for those looking to jury-rig their own homemade VPNs using additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on providing articles on Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker can be seen by clicking here (“Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry). These articles all claim that Hamachi in combination with proxy software run off Windows machines is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion as it offers unparalleled customization).

The problem is that neither solution works to anonymize you and keep you safe and secure. At best, your Hamachi IP address would be visible in conjunction with your actual IP address. While the proxy will do its job, Hamachi will not properly route web traffic securely. Plus there is no way to access your VPN via any mobile device, despite outlandish claims to the contrary. Android ICS relies on PPTP and IPSec, and neither natively supported function is accessible using a Hamachi solution.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a real VPN in the sense of routing web traffic even with proper proxy configuration. It’s more likely that those claiming success were confused and had limited exposure to actual VPNs and how proxies actually route traffic. Firefox’s web proxy settings – when configured with your Hamachi IP – may have the result of some websites receiving the VPN’s IP address, but in actuality, your actual IP is still very much visible.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but they haven’t modified their articles.

Real VPN+Proxy solutions conceal your true IP address entirely and route all proxied data through the VPN.

Hamachi is a VPN in that it facilitates secure networking with remote parties insofar as some types of traffic are concerned (most notably this service is great when it comes to gaming, chat servers, simple and secure VPN file sharing, etc.). But it is not an anonymous VPN and can’t hide your IP address for web traffic. If that worked in the past, it doesn’t seem to apply any more.

Checking your IP address through services like whatismyip.com is also unreliable, as many such sites have scripts that see through proxies. Sometimes the remote servers will report one IP address but log another when connected (that occurred during my tests of a Hamachi+Proxy setup). Proxy detection is typically limited to basic header information and is often wrong to begin with (as you’ll see below, with the proper squid.conf entries, you can mask that detection).

Poor Proxy Configuration

Supporters of a Hamachi+Proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But upon thorough testing with both Privoxy and Squid, I’ve determined that my conclusion is valid concerning Hamachi’s privacy.

First off, configuration in Privoxy is notably poor. Beginners pick Privoxy due to its ease of use and Windows-based interface. The better solution is Squid 2.7 Stable 8.

Some Known Issues

The results using WhatIsMyIP (and triple-checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. Must be registering server-side with my Hamachi IP but merely showing me my actual IP as well. But that’s not quite right. Looking at my normal website’s traffic logs, the Hamachi IP doesn’t actually show at all!

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yields the exact same results.

Trying to add http_access blocks, etc. will have a similar result. You can drop sites from noticing your proxy, only show your actual IP, or completely block various header identifiers (you can essentially cripple what you can see on websites or even get yourself banned), but nothing solves the problem of properly anonymizing yourself.
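The three results above come down to two things a website can look at: the source address of the TCP connection (which Hamachi never changes, because it does not route your traffic to the internet) and the headers Squid adds. The script below is an added example, not code from this post, Squid or LogMeIn; it models a naive “what is my IP” page and runs it over the request each squid.conf variant would produce. The addresses and hostname are constructed placeholders. It also covers `forwarded_for off`, which makes Squid send the literal value `unknown` instead of an address (hence the identical result the post reports for `off` and `delete`), and `via off`, which suppresses the Via header that the “Possible Proxy Detected” line is built from.

```python
import ipaddress
from typing import Dict, List


def _valid_ips(header_value: str) -> List[str]:
    """Keep only syntactically valid addresses from a comma-separated header."""
    ips = []
    for part in header_value.split(","):
        part = part.strip()
        try:
            ipaddress.ip_address(part)
            ips.append(part)
        except ValueError:
            pass  # e.g. the literal 'unknown' that `forwarded_for off` sends
    return ips


def what_the_site_sees(remote_addr: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Model a naive IP-reporting page.

    remote_addr: source address of the TCP connection as the web server sees it.
    headers:     request headers as they arrived (names are case-insensitive).
    Such pages usually show the first X-Forwarded-For hop as 'your IP', list
    any other addresses (including the real connection source) under
    'other IPs', and flag a proxy whenever a Via header is present.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    forwarded = _valid_ips(headers.get("x-forwarded-for", ""))
    your_ip = forwarded[0] if forwarded else remote_addr
    others = sorted(set(forwarded[1:] + [remote_addr]) - {your_ip})
    return {"your_ip": your_ip, "other_ips": others, "proxy": headers.get("via")}


# Constructed placeholders for the test scenarios.
ACTUAL_IP = "198.51.100.7"   # the ISP-assigned address of the proxy host
HAMACHI_IP = "25.0.0.2"      # the client's address on the Hamachi interface
VIA = "1.1 proxybox:3128 (squid/2.7.STABLE8)"


def reported_under_squid_configs() -> Dict[str, Dict[str, object]]:
    """What the site reports for each squid.conf variant.

    The TCP connection always leaves the proxy host's real interface, so
    remote_addr is ACTUAL_IP in every scenario; only the headers differ.
    """
    return {
        "forwarded_for on": what_the_site_sees(
            ACTUAL_IP, {"X-Forwarded-For": HAMACHI_IP, "Via": VIA}),
        "forwarded_for delete": what_the_site_sees(
            ACTUAL_IP, {"Via": VIA}),
        "forwarded_for off": what_the_site_sees(
            ACTUAL_IP, {"X-Forwarded-For": "unknown", "Via": VIA}),
        "forwarded_for delete + via off": what_the_site_sees(
            ACTUAL_IP, {}),
    }


def actual_ip_always_exposed() -> bool:
    """The point of the exercise: no header setting removes the real address."""
    return all(r["your_ip"] == ACTUAL_IP or ACTUAL_IP in r["other_ips"]
               for r in reported_under_squid_configs().values())


if __name__ == "__main__":
    for name, report in reported_under_squid_configs().items():
        print(f"{name:<32} {report}")
    print("actual IP exposed in every case:", actual_ip_always_exposed())
```

Hiding the Via and X-Forwarded-For headers only hides the fact that a proxy is in the path; the address the server logs is still the one the connection came from, which is why the post’s own web-server logs never showed the Hamachi IP at all.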

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge, it doesn’t work any longer. Besides… if you want a VPN solution you owe it to yourself to either create your own OpenVPN Server and use Squid for proxying or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone Linux box with Squid is the absolute best way of creating your own proxy server.

Keep in mind that beginners often download the OpenVPN Windows AS Client (Access Server) and run it in VirtualBox thinking that it replaces the need for an OpenVPN server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. The following guides can help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu, click here to access it.

Optionally you can create a Windows OpenVPN server, but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works the best. But feel free to give it a try. This guide will help you install and appropriately configure your Windows OpenVPN server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ — you must also configure any firewall software and/or hardware you may have. If you are new to configuring your router’s firewall (port forwarding and changing your router’s subnet are extremely important), for example, OpenVPN may not be for you.

Another (slower) solution is to use the free edition of Hotspot Shield in combination with anti-popup add-ons in Firefox (keeping in mind that you are violating Anchor’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames. Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one which involves getting a really good VPN service. Price, data throughput and accessibility on devices are the top priorities. Log keeping on the server side is also incredibly important to ensuring your anonymity online. Three top solutions for paid VPNs are StrongVPN, VyprVPN, and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want to get yourself a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking”), once you’re ready to set up a proxy, nothing works as well as Squid. Similarly, check here for a comprehensive guide to using squid.conf to enforce your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous Denial of Service tools is named, jokingly, the Low Orbit Ion Cannon (LOIC). The tool gained public notice after being repeatedly used in successful attacks against high-value web servers such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), and groups opposing MegaUpload and WikiLeaks, whom the collective regarded as its enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state: I’m merely an individual interested in security for the sake of learning. If you have a vested interest in any of the ideologies either for or against the attacks, check the links below for protections or ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has since been ported to an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such there’s even a web version of the DoS tool!

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a 5-PC networked LOIC attack triggered using UltraVNC (akin to a botnet); it worked extremely well. The method could even be triggered remotely using an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attack. As such it’s surprisingly easy to protect against. Many servers should have been well protected against DoS attacks to begin with but, as we know from real-world IT, what’s best isn’t always what’s done.

Firewall rule-sets can be enacted which filter out the overabundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

It should be common practice for server administrators to contact their ISPs to ensure measures are in place to protect them at that level. Then appropriate measures should be taken to draft suitable network firewall rules.
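The per-source filtering described above is a rate limit: count packets (or connections) per source address over a sliding window and act on the sources that exceed a threshold. The script below is an added example written for this page, not code from LOIC or any firewall product. It runs that logic over a constructed packet log in which two hosts browse normally while a third sends about 200 packets a second, and turns the flagged sources into iptables DROP rules. The addresses are documentation-range placeholders; the threshold and window are illustrative and would be tuned to the service being protected.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, source IP)


def find_flooders(events: Iterable[Event], window: float, threshold: int) -> Set[str]:
    """Flag every source that sends more than `threshold` packets within any
    `window`-second interval. Events must arrive in timestamp order.

    A per-source deque holds the timestamps still inside the window; the
    oldest are evicted as time moves on, so memory is bounded by the rate
    the window admits rather than by the length of the log.
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Set[str] = set()
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def block_rules(sources: Set[str]) -> List[str]:
    """Emit one iptables rule per flagged source (inserted at the top of INPUT)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(sources)]


def sample_events() -> List[Event]:
    """Constructed log: two normal hosts at 1 packet/s for 30 s, plus one
    host (TEST-NET-3 address) sending 600 packets in 3 s starting at t=5."""
    normal = [(float(t), ip) for t in range(30)
              for ip in ("198.51.100.1", "198.51.100.2")]
    flood = [(5.0 + k * 0.005, "203.0.113.9") for k in range(600)]
    return sorted(normal + flood)


if __name__ == "__main__":
    offenders = find_flooders(sample_events(), window=1.0, threshold=100)
    print("flagged:", offenders)
    for rule in block_rules(offenders):
        print(rule)
```

Production firewalls implement the same idea natively (the iptables `hashlimit` and `connlimit` matches, for example), and the rules they generate should expire rather than accumulate; the point of the script is to show the decision, not to replace those tools. Note also that the single-source logic is exactly what a distributed attack defeats: each participant stays under the threshold, which is why the post points at ISP-level filtering as well.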

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be made by attackers who gain access by spoofing their way into your network). Such attacks can be used to mount various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system monitoring ARP tables can alert the network administrator to changes or additions and thus possibly thwart spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they can be conducted.
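The ARP-table monitoring just described is what tools such as arpwatch do: keep the last known IP-to-MAC mapping for each station and report when a mapping changes (arpwatch calls this a “flip flop”) or a new station appears. The script below is an added example, not code from arpwatch or this post; it diffs two snapshots of `ip neigh show` output, with the gateway’s MAC changing between them as a spoofing attempt would cause. Both snapshots and every MAC address in them are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed `ip neigh show` output from two consecutive polls; MACs are placeholders.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.30 dev eth0 FAILED
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

NEIGH_LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})")


def parse_neighbours(text: str) -> Dict[str, str]:
    """Map IP -> MAC for every entry that has a hardware address.
    Entries in FAILED/INCOMPLETE state carry no lladdr and are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


Alert = Tuple[str, str, str, str]  # (kind, ip, old_mac, new_mac)


def arp_alerts(before: Dict[str, str], after: Dict[str, str]) -> List[Alert]:
    """Compare two tables the way an ARP watcher would.

    'flip-flop'  : an IP now answers from a different MAC (classic spoof symptom)
    'new-station': an IP seen for the first time
    'shared-mac' : one MAC now claims several IPs, as a spoofer impersonating
                   the gateway and its own host would
    """
    alerts: List[Alert] = []
    for ip, mac in sorted(after.items()):
        if ip not in before:
            alerts.append(("new-station", ip, "", mac))
        elif before[ip] != mac:
            alerts.append(("flip-flop", ip, before[ip], mac))
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("shared-mac", ",".join(sorted(ips)), "", mac))
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(parse_neighbours(SNAPSHOT_BEFORE),
                            parse_neighbours(SNAPSHOT_AFTER)):
        print(alert)
```

A gateway flip-flop is the alert to treat as urgent, since every host that trusts the new mapping is now sending its traffic through the station that claimed it; a poll loop around this diff, fed from `ip neigh show` (or `arp -a`), is the minimum a small network should run.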

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides of an argument. So, I’ve constructed a list of sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) Topic in regards to preventing LOIC DDoS posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/

ASIS 2012 is coming!

The 58th Annual ASIS International Seminar will bring Philadelphia everything from countless vendor exhibits to learning sessions brought to you by top security companies from across the globe. The seminar and exhibits will be held from September 10th to the 13th.

Be sure to check the presentation on VIP security and protection to be given on the 11th by ARSEC co-founder Mr. Oren Raz. I’ll also be in attendance providing technical assistance during the presentation. ARSEC is made up of specialists who provide both government and private-sector clients with in-depth security solutions and training. For more information on them, please visit their website here: http://www.arsec-corp.com/

Exhibition-only tickets are free, so be sure to register soon; at the door they’re $75. Ticket costs for those wanting to attend the keynote speaker addresses and luncheons can be found on the ASIS homepage.

If you’d like to use the nifty mobile app for ASIS you can download one for your mobile device by clicking here. The app will let you view photos and videos of the presentations, organize your contacts, check the schedule, access an interactive map of the event and more.

Check out the ASIS 2012 site here: http://www.asis2012.org

9/06 Edit: If you’re interested in Dignitaries Under Fire and its coverage of VIP protection, this is the schedule’s information:

Dignitaries Under Fire
Speaker: Mr. Oren Raz
ARSEC Co-Founder
Former Head of Security for Israeli Embassies
Tuesday, September 11, 2012 1:45 PM - 3:00 PM
Location: PCC 109-B

Links – PGP Security

If you use PGP, as I do, you’ll want to read an old but useful article on pgp.net, “Security Questions” @ pgp.net, as it covers a whole slew of topics ranging from how secure asymmetric cryptography can be to possible security threats arising from using PGP. Essentially, if you have a good passphrase you’re better off than folks without one.

Similarly, this article explains passphrase safety tips: http://www.wowarea.com/english/help/pwd.htm — like the previous article, which mentions TEMPEST*, this discusses things like a hidden microphone, camera, stolen swap files, access to your hard disk or other medium where private keys are stored, not using drive-wiping technologies, key loggers, recovery software and EM microscopes on junked hard drives, viruses, Trojans and more.

* Some useful sites with information on the old TEMPEST attack:

http://en.wikipedia.org/wiki/Tempest_(codename)
http://www.surasoft.com/articles/tempest.php

With modern technologies and, being a regular citizen as opposed to an enemy of the state, you’re probably safe!

While it wasn’t designed specifically for asymmetric key passphrases, the GRC’s Haystack Password checker can be used as a starting point for developing safe habits: https://www.grc.com/haystack.htm

Also, in GPG anyway, if you ever find yourself needing to explain what a particular encrypted message is you can always perform a session key override:

--show-session-key (file)

Followed by:

--override-session-key (session key string) (file)

The former will reveal the message’s unique encrypted session key string, which is derived from your public key but is different from your secret key. The latter lets you decrypt a single text/file without having to give away any sensitive information. This is very useful if you have a nagging wife (or husband)!

Lastly, Schneier’s article on the flaws of public key infrastructure is a must-read.

The sites above make for some good reading and could help you safeguard your data appropriately.

EDIT: If you are subscribed to the blog, sorry for the multiple emails for the same post. Seems to have been some sort of problem with the CSS but it seems to be fixed now.

Google Searching & Subversion

Google can be an extremely powerful tool to have at your disposal. You can use advanced operators appended to Google search strings to enhance your searching. Using this method you can find (almost) anything.

The fun thing about playing with Google operators is that there’s no limit to what you can do. The potential grows greater with time as different sites introduce different technologies which react differently to Google’s search spiders. Consider the ability to use Google to find images taken from security cameras! This is an extremely powerful exploit using a very legitimate method. Security professionals should take note. But right now we’re going to go over some basics for all the folks that don’t care about exploitation…

Operators and Symbol/Special Word Usage

If you’re not quite aware of Google’s power try using mathematical operators in your search string. Operators are:

^ + - * / are basic operators
% of - as in, "percent of."
in - as in, "340 lbs in kg."

For example, take the string:

(36+3) * 2

In which case the answer calculates to 78, showing a neat on-screen calculator and following the rules of PEMDAS (much like your Python interpreter). By the way, if words are injected into the search, you’ll get a search for the words and numbers as opposed to the result of the math (such as asking Google, “What is the sum of (36+3) * 2?”).

Symbols and special words, with examples, include:

-    means "not the next word"; exhaust -cars
+    must include the next word; "cats" "dogs" "ducks"
~    find word references of all sorts; dishonest ~dictionary (or whatever you want to search)
" "  search for the exact phrase on a page; example "cats" + "dogs"
...  range search; Dan Brown 1990...2012
AND  such as "ducks" and "goats"
OR   you probably get the point

Advanced Search Techniques/Operators

Okay cool, so we know how to say that we want to search for ducks and chickens but only if they occur on the same page so long as hens aren’t mentioned! But what else can you do?

Some advanced operators for use in the search bar can include:

book searches the content of an entire book on Google Books
define, what is, what are are all types of definition queries
cache:* will give you the last recorded cached page for a specified URL; note there are cache archives out there as well.
id: or info: gives you information about a specified URL
related: will attempt to give you web pages related to the specified URL.
movie: 007; common sense.
site: can be used to search only on a specific domain
filetype: or ext: searches documents of a specific type, such as PDFs.
link: searches pages that link to a specified URL (very cool feature)
stocks: looks up stock quotes
weather: (state, zip, etc.) can give you weather reports
allinanchor: specifies a word which, when found in the alt or anchor text, will trigger a match. Useful to find sites that refer to other sites by a certain name or word.
inanchor: specifies a word that must appear in an anchor, otherwise the page isn't listed in the search results.
allintext: or intext: does the same as the two above except the word can or must be within the text of the page.
allinurl: or inurl: the term must be listed within the URL.
allintitle: or intitle: refers to the title line, usually shown above the file menu bar in the browser.

For more cache sites please see a list of repositories.

Okay, that’s enough for now… each of Google’s services also has its own set of advanced searches, but that goes beyond the scope of this blog entry.

So by now you realize you can mix and match results. But what else can we learn? First a word of warning…

Google’s Data Retention

Before you try and pull the wool over anybody’s eyes, make sure you’re not logged into Google. Data typed into Google while logged into an account is associated with that account and kept indefinitely. Anonymous data collection – if you’re not logged in – will include your IP address, search string and the time and date the search was made (as well as the results, so that Google can monitor their search algorithms and generate statistics).

Within a certain amount of time the IP addresses are stripped from the search so that only the search words, date, time and results remain (I forgot how long, it was actually on an MSNBC documentary… what?? I don’t work for Google!).

If you’re worried about privacy use a proxy and/or VPN solution. Plain and simple.

Analyzing the Browser URL/Parameters and Google Hacking

On your browser you can get a lot of information by looking at your URL bar. You can tell where on the internet you’re going (duh)! So at its base Google may say: http://www.google.com/

Found a neat cheat sheet for reading the various parameters here: http://cdn.yoast.com/wp-content/uploads/2007/07/google-url-parameters.pdf. What this boils down to is that a search URL carries a lot of parameters you probably don’t need to know about.

But altering the URL line, or at least understanding it, is key to any successful “Google hack.” When we say “Google hacking” we essentially mean directing or using Google search to perform tasks that we wish the search engine to accomplish. People call these “Google dorks.”

There are also exploits which can be triggered against a remote machine by using Google’s search engine. One such example is SQL Injection via Google which can be used by exploiting database code on a remote server in hopes of gaining useful information.

A great guide to Google SQL Injection can be found here @ breakthesecurity.com.

What Google hacking isn’t: Google hacks do not access restricted data on Google’s own servers. You aren’t “hacking into Google,” so if that’s what you’re looking for you should go seek psychiatric help. There’s nothing wrong with using Google dorks to accomplish tasks which would otherwise be difficult to do. However, exploiting any remote system to gain access which would otherwise be restricted to you is subject to federal and state laws. If in doubt, don’t do it.

Lastly, you can also use Google searches to pull up completely benign but useful information. Such information can include a person’s entire background or even default router gateway UI login information (dlink + model # + default username and other such combinations can be extremely useful in this form of recon).

Consider the fact that many popular cross-platform password managers save their username/password database files with the same .db extension. Some people actually upload their db files right to their web server for safe keeping. Proper awareness of these security concerns is needed.

Happy hunting. The sky’s the limit!

Google Dorks

There are Google dorks for everything from searching for specific types of photos to accessing content which would otherwise be restricted to you on a remote system. Google is a public search engine and as such provides access to everything that its spiders have access to. This can be used for positive and negative gain.

Offensive Security’s Exploit DB covers Google hacks extensively here: http://www.exploit-db.com/google-dorks/

One popular dork is:

"index of /etc/passwd"

Which will attempt to show you password files on systems that are also running active web servers. In this case you’d enter that text directly into the Google Search field. It’ll find pages with that content displayed chiefly on it.

Another is the ability to look up and remotely control TrackerCam security cameras using Google, this time by manipulating the search URL in your address bar.

https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com&btnG=Search

Similarly, you can search using key words if you know which words a specific system uses. Consider the TrackerCam example. We know that such sites use TrackerCam Live Video, TrackerCam Application Login or Trackercam Remote in the page’s title. So utilize the intitle option to search for such pages.

The operation can be best illustrated by asking Google to search for:

intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com

As you can see, the pipe can be used to separate multiple intitle search options, following similar rules as any computer command line or program interpreter. Using common sense you can master these techniques to give you a desired outcome.

For sake of exhausting this example you can also make up something along the lines of…

inurl:log.txt intext:"password" -com

This searches log files on web servers for the phrase “password” found within those text files, but only displaying sites ending in the .com suffix. Using that and/or replacing “password” with “username,” you can typically find information stating when a specific user does things which are log-worthy (such as a web server software upgrade).
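To make the URL-parameter section and the dork syntax above concrete, here is an added example (not code from the original post) that decodes the q= parameter of a search URL such as the TrackerCam one quoted above, then splits the query into its operators, exclusions and pipe-separated alternatives; the term grammar is my own reading of the operator list in this post, not a Google specification.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The TrackerCam search URL quoted in the post, used as sample input.
TRACKERCAM_URL = (
    "https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off"
    "&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam"
    "+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com"
    "&btnG=Search"
)

# One search term: an optional leading "-" (exclusion), an optional operator
# prefix such as intitle: or inurl:, then a quoted phrase, a parenthesised
# group, or a bare word.  "|" between terms is handled by the scanner below.
TERM_RE = re.compile(
    r'(?P<neg>-)?(?:(?P<op>[a-z]+):)?'
    r'(?P<val>"[^"]*"|\([^)]*\)|[^\s"()|]+)'
)


def query_from_url(url):
    """Return the decoded q= parameter of a Google search URL."""
    params = parse_qs(urlsplit(url).query)
    # parse_qs undoes the %XX escapes and turns "+" back into spaces.
    return params["q"][0]


def _clean(value):
    """Strip the grouping parentheses and quotes around a term's value."""
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return value.strip('"')


def parse_dork(query):
    """Split a search query into terms.

    Each term is a dict with the operator (None for a plain word), whether it
    is an exclusion, and its list of alternatives; a "|" joins the following
    term to the previous one as an alternative, as in intitle:(A)|(B)|(C).
    """
    terms = []
    pos = 0
    join_previous = False
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        if query[pos] == "|":
            join_previous = True
            pos += 1
            continue
        match = TERM_RE.match(query, pos)
        if not match:
            raise ValueError("unparseable query at offset %d" % pos)
        pos = match.end()
        value = _clean(match.group("val"))
        if join_previous and terms:
            terms[-1]["values"].append(value)
            join_previous = False
            continue
        terms.append({
            "op": match.group("op"),
            "exclude": match.group("neg") == "-",
            "values": [value],
        })
    return terms


if __name__ == "__main__":
    plain = query_from_url(TRACKERCAM_URL)
    print(plain)
    for term in parse_dork(plain):
        print(term)
```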

Google dorking is about using your imagination and testing it. Keep in mind though that all of your actions will be retained by Google in conjunction with your external IP address!

But the purpose of this post isn’t to show you how to “exploit” Google or any other web server. My goal is to help reinforce the need for companies worldwide to study their technologies and ensure that the loopholes such technologies present are within reason. A wise man once said, “knowing is half the battle.” For that reason I’ll let you, the reader, explore new Google dorks of your own.

cDc’s Goolag Dorks Scanner

One of the coolest tools I’ve ever had the chance to play with has got to be Cult of the Dead Cow’s Goolag Scanner, or gS for short. Although the tool is rather dated, it allows you to scan for Google-related exploits on a designated domain of your choice. gS will run checks ranging from data retention/cache tests to Google dork exploration.

To find the scanner you should search around the ‘net, again, it’s really old!

In Closing

Google is an amazing tool which puts all the services of the internet at your fingertips. But service providers and technology producers alike must routinely check for exploits against their own systems. Part of this is regularly “testing” search engine accessibility, not merely for efficient optimization techniques but to ensure their systems can’t be exploited.
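As a defender’s counterpart to the dorks in this post (an added example, not code from the original post), this script walks a local web root and flags what those dorks would turn up: .db password-manager databases, log.txt files, a passwd file, and directories with no index document, which a default autoindex configuration would list as “Index of”. The pattern list and the sample tree are constructed for the demonstration.

```python
import os
import tempfile
from fnmatch import fnmatch

# Filename patterns matching the material the dorks in this post hunt for.
# Constructed for the example; extend it to suit the site being audited.
SENSITIVE_PATTERNS = {
    "*.db": "password-manager or other database file",
    "log.txt": "plain-text log file (inurl:log.txt)",
    "passwd": "password file exposed via a directory listing",
}
# A directory holding none of these is listable under a default Apache-style
# autoindex, which is exactly what "index of" dorks find.
INDEX_FILES = ("index.html", "index.htm", "index.php")
LISTING_REASON = "no index document; directory listing likely"


def audit_webroot(root):
    """Walk root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel == "." else rel + "/"
        if not any(name.lower() in INDEX_FILES for name in filenames):
            findings.append((rel_dir or "/", LISTING_REASON))
        for name in filenames:
            for pattern, reason in SENSITIVE_PATTERNS.items():
                if fnmatch(name.lower(), pattern):
                    findings.append((rel_dir + name, reason))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<html>home</html>",
        "docs/index.html": "<html>docs</html>",
        "docs/manual.pdf": "%PDF-1.4 (constructed placeholder)",
        "backup/keepass.db": "constructed stand-in for a password database",
        "logs/log.txt": "2012-08-01 admin: password reset requested (constructed)",
        "etc/passwd": "constructed placeholder, not a real passwd file",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for path, reason in audit_webroot(sample):
        print("%-22s %s" % (path, reason))
```

Point it at the real document root instead of the sample tree and compare the output with what a `site:` search for the domain already shows.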

I hope that you’ve also learned a thing or two about advanced Google searching. Whether you’re an investigator or an everyday user, you can use the techniques discussed here to improve your search experience online.

Apple’s Social Engineering Crisis

On 8/08 there was an interesting news article on Bloomberg’s website regarding the Apple password crisis surrounding journalist Mat Honan. Honan’s digital existence was ruined a few days ago when hackers used social engineering tactics against him (for those unfamiliar with the articles, I’ve linked them below).

Anyone who’s ever been to an Apple store knows that convenience is king.

You need help with something? There’s almost always some friendly hipster with a weird haircut to help you. You need your data migrated from one device to another? No problem for these blue shirt gurus! Want your password changed? Sure, answer just a few simple questions that anyone can get…

Wait… what?

Apple previously allowed users to change crucial account details such as one’s password over the phone. Typically most companies handle such changes online and merely talk the customer through a series of secure web pages after confirming their identity by a number of different means. (Recently I had to call Dell and was bombarded by over 4 different identity-based questions.) Apple’s system allowed sensitive account changes to be made with a few simple facts about a customer, including the last 4 digits of the primary credit card and one’s address!

One with access to another user’s iTunes account, if cloud backups and syncs are enabled, could potentially delete data right out of the air or access important documents which could potentially allow an attacker to access other accounts the user owns.

Other security flaws included the ability to circumvent the AppleID associated with App and iTunes store purchases, compromise iCloud data and more.

That’s exactly what happened to Mat Honan of Wired Magazine. His dilemma is exactly what spawned Apple’s reaction regarding their security flaws: Honan’s entire life was ruined when a hacker – simply interested in taking his Twitter username and causing havoc – gained access to his AppleID, wiped his Apple devices remotely, accessed his other accounts on other services and more.

In response to this crisis, Apple has suspended the option of resetting one’s AppleID password over the telephone as stated in the Bloomberg article linked below. It’s unfortunate that lessons are learned on the backs of paying customers as Honan’s case also dealt with the security failings of Amazon as well as Apple (see links below for further details).

Hopefully these major tech players have learned that sometimes convenience cometh before the fall.

It really is a tragedy that these companies didn’t take security seriously. With more data being stored off-site, on cloud servers, Mat Honan’s story gives us a lot to think about going forward in the digital age.

Sources:
Satariano, Adam. Bloomberg Reporter
Giles, Tom. Bloomberg Editor
Article URL: http://www.bloomberg.com/news/2012-08-08/apple-to-beef-up-security-for-phone-password-resets-after-breach.html

Honan, Mat. Wired Magazine
Article: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Recap Notes on Infosec VC 2012

Recap: the Pros & Cons

Back in June we had an awesome segment of Infosec VC 2012 entitled “Hacktivism: What, Why, and How to Protect Against It,” led by Gregory Nowak, Head Researcher at ISF (Information Security Forum) and ISACA Security Advisory Group, and Peter Wood, CEO of First Base Technology and also of ISACA. So I thought I’d attend the bulk of the Infosec VC 2012 conferences now in August. What follows are my notes on some of the presentations, for those that are interested…

The Disconnect Between Managers and Technicians

Product managers and corporate executives all seem to view security in a macro sense and often don’t fully grasp or care about the minute details of data security, as was illustrated at the 2012 Infosecurity Virtual Conference. These big-shot corporate types and project managers are great for selling security solutions developed by a company’s IT department to the company’s administrators. But their lack of “street level” knowledge leaves a lot to be desired.

Take the keynote presentation, Data Security and Compliance in an Evolving Data Center, by Derek Tumulak (VP of Vormetric). He was extremely intelligent and understood a lot of core concepts. A few positives of his presentation included: overview of virtualization and how it’s used in data centers (globally speaking), cloud computing and associated models, the importance of mobile security and how one breach could potentially mean disaster for an insecure organization, encryption management (how and when to use encryption as a last resort) and so on.

But Mr. Tumulak failed to identify actual instances of said compromises or how an organization should safeguard their systems on a technical level.

Instead he said, hackers, by and large, have been “[s]tealing information to sell it on the black market,” which isn’t necessarily true. Corporate espionage is big but it isn’t everything. Given the rise of Hacktivism I believe a strong number of attacks are conducted by those with specific ideological views they wish to convey (Anonymous attacks against Sony to protest the prosecution of a PS3 modder and other similar attacks). Also many wish to highlight security flaws to that company and, some, see what they can get by exploiting such systems (sheer curiosity).

While I can’t claim to know every technology out there, I understand this to be a very large weakness in the corporate environment: the disconnect between the inner workings of data security and the project managers that organize teams to implement the solution. Is the solution to make all corporate executives network technicians? Obviously not, but a middle ground must be met in order to appropriately protect data. Big pictures are wonderful, but if you aren’t going to get your hands dirty, or at least explain past instances of exploitation and what steps can be taken to protect against such problems, you’re just ranting. Good for sales, bad for business.

Unlike conventions such as HOPE, Defcon and Black Hat Briefings (which do have a fair amount of “big picture” talks, as corporations only seem to understand that method), a lot of corporate events present their other sessions in this kind of “dry” way. The Infosecurity Magazine US Summer Virtual Conference 2012 was full of this. Some, but not all, of the presentations were like this.

You’d think a lot of these executives were more interested in PowerPoint or Keynote than coding.

“Providing Smart Security for Smart Devices,” by Mike Sapien and Marc Vael, was very dry and the solutions discussed were obvious ones. Anyone with smartphone knowledge would have been eons ahead of these guys. The Program Director of ISACA was a little more informative here as far as how corporate employees need to safeguard their mobile data.

Unfortunately almost 99% of the conference was targeted at CTOs, VPs, and other corporate audiences. A number of presenters stated that things that were “highly technical” wouldn’t be useful; most people gloss over it. As such the tone of the conference was “business minded” and technology was discussed in general terms, so it didn’t really serve to impress the tech savvy.

I really liked Theresa Payton’s address. As the former White House CIO and head of her own security company she has a warning for companies: focus on the new emerging digital landscape. She spoke about the important role social media plays in computing today.

Companies today must adopt social media, in her opinion, but they must also adopt a strong sense of security if they want to address its inherent security concerns.

So in conclusion of the cons, it wasn’t a conference detailing the finer points of information security such as firewall and network group policies, AD flaws and loopholes, social engineering techniques, encryption standards in depth, code exploits & tightening, wireless security (ARP table monitoring for MITM protection), and a myriad of other technical details. It was mostly by corporate-types for corporate-types.

A forum friend of mine actually did tell me “it’s like this. We just go to these things to get our credits for our CISSP,” after I said I wasn’t really interested in the bulk of the conferences. So I guess I’m over-analyzing the conference.

Onto the pros…

Best Presentation: “How to Protect Your Organization from a DDoS Attack”

Panelists

Michael Singer, VP of Security for AT&T
Prof. David Stupples, CCySS, University of London

At a Glance

Prof. David Stupples of the Centre for Cyber Security Sciences (CCySS), City University of London, was one of the greatest speakers for me. He discussed malware and DDoS attacks in depth, using past examples of how such attacks are conducted. Botnets that harvest data and move through proxy servers to mask the identities of attackers are of significant concern to CCySS.

The professor explained how Botnets work and how they are analyzed before being sent to anti-virus/malware companies for safeguarding their client’s systems. He explained how analysis is conducted using mathematics when analyzing botnets in CCySS-made honeypots and how CCySS has a track record of doing just that.

Prof. David Stupples also discussed the limits of Botnets and possible preventative methods such as:

* Providing security/OS upgrades can mitigate against such malicious code exploitation.
* Vendors using honeypots to analyze known botnets/malware can help.
* IP/DNS filtering is effective to some degree against Botnets (and the Botnets’ ability to connect “home” to their masters). Note that I attribute this to the way Alureon/DNSChanger was thwarted by ISPs despite the FBI’s warnings to the general public. ISPs were able to compensate for this at their level and ensure DNS didn’t resolve where it wasn’t supposed to.
* Malware companies examining Botnet/malicious code fingerprints for quick identification
* Reverse engineering search engine spiders to identify threats immediately

That panel included other security professionals and their insights into the matter of software attacks, viruses, malware and DDoS attacks. They stress the importance of different countries working together to analyze, spot and thwart such attacks. Prof. David Stupples said that such international efforts have helped catch a number of attackers in the UK. He stressed the need for more international law enforcement support.

Michael Singer, Executive Director of Security for AT&T, was also among my top favorite speakers. He discussed how the safeguarding of the internet is essential but not at the expense of individual freedoms, which many people enjoy. He stressed the importance of the need for a global security organization, like Prof. Stupples, but also warns that such an organization must make sure not to curb individual freedoms.

Interestingly, Mr. Singer also discussed mobile security and how Android, in particular, can be used for such exploitation as it’s an amazing platform with the power of a small computer.

To see the presentation, click here to register and go to the conference page.

Glitches

Poor Audio – There were a lot of problems with the audio; it was pretty bad. But all of these conferences generally have low-quality audio.

Slide/video track bar – When watching older/archived sessions, moving this bar to skip or go back usually requires a refresh of the entire presentation page. Which generally stinks.