Tag Archives: mitm

Top Articles & WordPress Session Hijacking

The blog has successfully been migrated to the new self-hosted WordPress (forensicsblog.org): simple name, same great flavor! We’ve got a double feature for you this evening. First is a list of some of the articles generating the most views on here (thank you for reading!), followed by some WordPress session hijacking resources.

Also, please take the time to visit some of the great forensics resources along the right side of the blog. I’ve tried to keep the list to (in my mind) the most interesting blogs/bloggers in information security. They all have great content and research worth reading.

Top Articles on fork()

  • “Research: GPS Device Analysis” — research on the manual forensic examination of a Garmin Nüvi 1490. The piece includes a comprehensive breakdown of the GPX file structure, how it’s used to store trackpoint data, and information on GPS metadata.
  • “Thoughts on viaExtract (Demo)” — discusses the viaExtract utility designed by viaForensics for the analysis of Android devices. Highlights artifact extraction with AFLogical and viaExtract case reports. Also discusses the Santoku Linux distribution for mobile forensics.
  • “Updates to GPS Utility (Timestamp Features)” — TrackerCat’s latest post to date: adds extraction of trackpoint timestamps from GPX files to CSV format. Also includes the ability to recursively export GPX files from a user-specified path and displays embedded file-metadata times.

There are a lot more interesting posts here so be sure and scroll down or use the Monthly Archives menu on the side panel. You can also use the site-wide search for topics such as “encryption” or “OpenPGP.”

WordPress Session Hijacking

Since I’ve been tinkering with this blog, I’ve noticed that WordPress is still vulnerable to session cookie hijacking. This is a topic that WordPress or plugin developers should address in much greater detail since many use WP as a site-wide CMS. This section is to share some links on the subject and increase awareness of it.

To those who may not know, session hijacking is when an attacker copies an authorized user’s authenticated session cookies and uses them as his own. This is done by first monitoring unencrypted network traffic, then placing the captured cookie into the attacker’s own requests and sending it back to the server. Sites served over plain HTTP, or over poorly implemented HTTPS, are most at risk. There’s nothing new about this and it’s extremely simple to execute.

These sources can be invaluable for understanding and mitigating the risk:

There are too many MITM tools to list. I’ve included the Fern link to demonstrate how such attacks can be carried out over a wireless network. The following tools are for either modifying HTTP headers or crafting clone cookies:

Almost every new installation of WP.org I’ve seen is susceptible to this attack. WordPress recommends using HTTPS. If you don’t have SSL enabled on your site or haven’t set up HTTPS properly, your site could be at risk. Other forms of risk mitigation include:

  • Use a trustworthy VPN when logging into WordPress to prevent eavesdropping. If you use a mobile device or laptop to access your blog, a VPN is the simplest way to ensure your safety on a public hotspot.
  • The Safer Cookies Plugin by Janis Elsts, which restricts an IP address to one session at a time, solving half the problem for blog owners. It would have been nice to see this as an option in out-of-the-box WordPress. It’s almost ludicrous that WP doesn’t come with a feature like this (even Facebook allows for terminating multiple simultaneous sessions).
  • Deploy WP security suites and WP firewall plugins such as Cloudflare Threat Management, Wordfence, Better WP Security or Bulletproof Security. Firewalls don’t protect against session hijacking directly but help by adding IP-based controls such as blacklisting and whitelisting single IPs or addresses within a specific range. They may slow down the site’s loading speed but they’re worth it.
  • WordPress login control plugins are extremely useful to set up on your blog. There’s Login Lockdown and Lockdown WP Admin. The first provides excellent rules for login expiration and maximum login attempts before an account is locked down. The second offers the ability to hide the WP admin page from individuals who aren’t logged in. It also has the option of making logins use basic HTTP authentication (but without SSL, that isn’t as secure as it sounds).
  • Sandboxing. If an attacker does gain a foothold by accessing an account, make sure it isn’t your admin account (if you’re using your WP admin account to log in regularly, you shouldn’t be doing it from an open wifi network beyond your control). Also make sure your account’s user directory and all files within it are safe (this is critical if you’re using WP plugins that allow you to modify files without having to FTP/SFTP in).
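To make the two server-side halves of the mitigation list concrete, here is an added example (my own illustration, not WordPress or Safer Cookies code) of a session store that binds each cookie to the IP address and User-Agent that opened it, sets the cookie with the `Secure` and `HttpOnly` flags so it never travels over plain HTTP, and, on the detection side, scans access-log lines for a token that shows up from more than one client address. The `wp_session` cookie name, the log line format and the IP addresses are all constructed for this example.

```python
import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical session store illustrating the "one IP per session" idea the
# post attributes to the Safer Cookies plugin. Not WordPress code.


@dataclass
class Session:
    user: str
    client_ip: str
    ua_hash: str      # SHA-256 of the User-Agent that opened the session
    expires: float    # Unix time after which the token is dead


def _ua_hash(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def issue(self, user, client_ip, user_agent, now, ttl=3600):
        """Create a session bound to the client's IP and User-Agent."""
        token = secrets.token_hex(32)          # 256-bit unguessable token
        self.sessions[token] = Session(user, client_ip,
                                       _ua_hash(user_agent), now + ttl)
        return token

    def validate(self, token, client_ip, user_agent, now):
        """Return (user, reason); user is None when the cookie is rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None, "unknown token"
        if now >= s.expires:
            del self.sessions[token]
            return None, "expired"
        if s.client_ip != client_ip:
            return None, "ip mismatch"        # replayed from another address
        if s.ua_hash != _ua_hash(user_agent):
            return None, "user-agent mismatch"
        return s.user, "ok"


def set_cookie_header(token):
    """Secure: never sent over plain HTTP. HttpOnly: invisible to page scripts."""
    return (f"Set-Cookie: wp_session={token}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def find_shared_tokens(log_lines):
    """Detection: session tokens presented from more than one client IP.

    Constructed line format for this example (not a real WordPress log):
        <unix_time> <client_ip> <session_token>
    """
    ips_by_token = defaultdict(set)
    for line in log_lines:
        _ts, ip, token = line.split()
        ips_by_token[token].add(ip)
    return {t: sorted(ips) for t, ips in ips_by_token.items() if len(ips) > 1}


def demo():
    store = SessionStore()
    t0 = 1_700_000_000
    ua = "Mozilla/5.0 (blog owner laptop)"
    token = store.issue("admin", "203.0.113.10", ua, t0)
    owner = store.validate(token, "203.0.113.10", ua, t0 + 60)
    replay = store.validate(token, "198.51.100.77", ua, t0 + 61)
    # Constructed access log: the owner's token reappears from a second IP.
    log = [
        f"{t0 + 60} 203.0.113.10 {token}",
        f"{t0 + 61} 198.51.100.77 {token}",
        f"{t0 + 90} 203.0.113.10 {token}",
    ]
    return owner, replay, find_shared_tokens(log)


if __name__ == "__main__":
    print(demo())
```

IP binding is the "half the problem" the post mentions: it stops a copied cookie being used from elsewhere, but not an attacker sitting on the same NAT or hotspot, which is why the `Secure` flag and HTTPS remain the real fix.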

WordPress has yet to come up with a fix for this type of attack as it’s considered “low priority.” This is probably due to the fact that this attack isn’t direct, it’s passive and requires being in a position to capture network data. The problem is that WordPress isn’t necessarily responsible; HTTP is not secure and website owners should be aware of this threat.

Hope you found the resources above interesting. Thanks for reading!

World is Too Slow to Adopt Two-Factor Authentication

Here’s the deal: you do a lot of business online. Amazon purchases, checking your X-Box account, accessing social networking sites and so on. And as I’ve said time and again, man-in-the-middle attacks are at an all-time high. So you need a way of securing your online accounts besides using just a password.

While some sites like Facebook, Google and Dropbox have implemented forms of two-factor authentication, many sites do not (to my knowledge Apple and Amazon have not implemented TFA security). SSL alone doesn’t protect customers from online threats. Amazon AWS does support multi-factor authentication but, at the time of writing this, their user accounts do not have this feature (upon asking their technical support why they didn’t use TFA, I was told “SSL was secure” and not to worry).

For those left out of the loop, TFA relies on either texting you an ever-changing security key or displaying one using a token generator (such as the great Google Authenticator for Android). Logging into a website from an unknown computer (one where a former cached login could not be found) results in a page asking you to confirm the key displayed on your token generator.

The way it works now if you don’t remember your password? A reset email can be mailed to you… not such great security. It sends an email to the account you registered with. If your email account is compromised to begin with, your other accounts can be too. All the SSL in the world doesn’t amount to a hill of beans if you don’t have better security practices for users that want to make use of them.

Social engineering attacks can also be used to get companies to change your passwords by phone. Apple and Amazon have already been caught doing this. For more information see my post entitled “Apple’s Social Engineering Crisis.”

So why don’t sites adopt TFA? They don’t want to be bothered implementing it. Really. That’s the only excuse I can think of since, if companies follow Google’s example, you have to manually opt in to using it in the first place.

So enough is enough. Start telling the companies that you do business with online to enact TFA now.

Related Articles (Better than this rant)

“Please Turn on Two-Factor Authentication.” Curts, Matt @ Lifehacker.

“Two-Factor Authentication: The Big List Of Everywhere You Should Enable It Right Now.” Gordon, Whitson @ Lifehacker Australia.

“XBox GM Talks Xbox Live Security.” Frederiksen, Eric. July 19, 2012. See: http://www.technobuffalo.com/gaming/platform-gaming/xbox-upgrading-security/

Products of Note

Google Authenticator for Android

Google Authenticator for iOS

SolidPass Two-Factor Authentication Token (Used in many places)

Related Blog Posts

Public Wi-Fi? Be Mindful of Session Hijacking

Links – Application of Elliptic Curve Crypto

With the NSA/CSS’s support of RSA dwindling, they’ve adopted the public-key ECC method with open arms in their Suite B. This is in part due to the fact that small RSA keys have been cracked to some degree and that the associated contracts with the NSA have ended (keys over 1,024 bits are still safe at the time this post was created). This post will give some information on ECC’s adoption and cellular cryptography.

Since I just started using secure voice apps on my Android, I thought I’d provide you with a list of reference material regarding ECC’s increased usage in everyday technology. Feel free to check out the solutions mentioned below as well (I do not endorse any of them; find a solution that works best for you and your needs).

We now find ECC used in nearly every aspect of secure computing, from chat servers to cell phone voice encryption. And yet ECC’s primary goal is to support PKCS by providing a secure means of authentication and digital signature management, as opposed to whole-document encryption. The algorithm is best utilized on actual data streams flowing from one network to another, in conjunction with other well-established algorithms that encrypt the contents themselves.

Secure SIP providers around the globe have started producing secure VoIP tools that use ZRTP to transport data using key encryption and SRTP to actively encrypt that data. This is a really good way of thwarting cellular eavesdropping.

For example, VoIP provider S.M.A.R.T.S. Technology designed HushCrypt on Android to encrypt voice calls handset-to-handset using AES-256, based on ZRTP utilizing the ECDH-38 elliptic curve. Their competition, RedPhone by Whisper Systems, uses ZRTP and its encrypting component, SRTP. Experiment with them as you see fit and determine which is best for you.

Similarly, my favorite secure texting app on Android (also provided by Whisper Systems) is TextSecure, as it relies on ECC in transit and AES-128. Keys are generated on a session-to-session basis and remain “alive” until either party cancels the session (this is compliant with NSA Suite B; for more information see the related link below).
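The pattern the last three paragraphs describe, ECC for key agreement and a symmetric cipher for the actual payload, is what ZRTP’s elliptic-curve Diffie-Hellman (ECDH) mode does. Below is an added example, written for this post and not code from ZRTP, HushCrypt, RedPhone or TextSecure, of ECDH in pure Python: two parties each pick a random private scalar, exchange public points, and both arrive at the same shared secret, which is then hashed into a session key for whatever symmetric cipher carries the call or message. It uses the public secp256k1 parameters because the curve equation is short enough to implement by hand here; that curve choice is this example’s own, not the “ECDH-38” curve the post mentions, and a real deployment would use a vetted library rather than hand-rolled arithmetic.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over F_p,
# generator G of prime order N. Chosen for this example because the curve
# equation is simple; the post's "ECDH-38" curve is not what is used here.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0


def add(p1, p2):
    """Group law: chord-and-tangent addition with modular inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                         # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling: tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # addition: chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def keypair():
    """Private scalar in [1, N-1]; public key is its multiple of G."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, mul(priv, G)


def ecdh_shared_key(my_priv, their_pub):
    """Derive a 256-bit symmetric key from the shared point's x-coordinate.
    The peer's point is validated first: an off-curve point must never be
    multiplied by our private key. secp256k1 has cofactor 1, so the on-curve
    check suffices here."""
    if their_pub is INF or not on_curve(their_pub):
        raise ValueError("peer public key is not a valid curve point")
    shared = mul(my_priv, their_pub)
    if shared is INF:
        raise ValueError("degenerate shared point")
    x, _ = shared
    return hashlib.sha256(x.to_bytes(32, "big")).digest()   # simple KDF


def demo():
    """Both sides compute a*(b*G) == b*(a*G); return (agree?, key hex)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ka = ecdh_shared_key(a_priv, b_pub)
    kb = ecdh_shared_key(b_priv, a_pub)
    return ka == kb, ka.hex()


if __name__ == "__main__":
    print(demo())
```

The resulting key is what AES-256 (HushCrypt) or AES-128 (TextSecure) would then be run with; ECDH itself never encrypts a byte of voice or text, which is exactly the division of labour described above. ZRTP additionally has both parties read a short authentication string aloud to detect a man in the middle who swapped public keys, something plain ECDH cannot detect on its own.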

Pretty heavy encryption, huh? But as Henry Kissinger once said, “Just because you’re paranoid don’t mean they’re not after you.” And in this world of increased threats: a little security goes a long way.

ECC & Cellular Crypto Resources

If you’re interested in learning more about the encryption standards used in commonly accepted technologies, please feel free to visit the links below (think I missed a cool link? feel free to share and I’ll pop it up on the list).

Also feel free to check out the WordPress recommended links throughout the post as I’ve approved some good Wikipedia entries!

NSA Suite B on the combined use of AES, ECC and SHA hashes (includes whitepapers for interested math majors)
“ECC to replace RSA,” Blogspot’s In God I Trust blog
“The Case for Elliptic Curve Cryptography,” NSA/CSS Homepage.
HushCrypt Secure Phone on Google Play Android Store
Whisper Systems Security Products
WhisperSystems/TextSecure Wiki on the Protocols Used
WhisperSystems/RedPhone Wiki on the Protocols Used
Voice Encryption Basics on Wikipedia
SRTP Protocol Whitepaper
“NSA Watch,” Schneier, Bruce. September 30, 2005. Schneier on Security blog. *

* Note: If you aren’t subscribed to his blog, read his articles or read his books (and you’re interested in computer security), you don’t know what you’re missing. This Schneier blog post has everything you need to know about ECC including links to some great resources that go well beyond this shallow post. Bruce Schneier is a name you can trust.

Related Posts

I mentioned using PK and ECC in my blog posts entitled “Encrypted Messaging Using OpenPGP and Psi,” “DNS Threats and Security Solutions,” and “Links – PGP Security.”

DNS Threats and Security Solutions

DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet, your ISP’s name servers are queried and the appropriate IP address is found; you’re then forwarded to the correct location of your choice.

IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)

Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!

Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page, as seen when using the Metasploit Framework. Absolutely any type of false login can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack, or by including such a payload in malware, an attacker can gain sensitive information about you.

Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the scare we had recently with the DNSChanger incident. Computers still infected with DNSChanger/Alureon faced a big problem: with the arrest of botnet masters across the globe, the FBI feared that maliciously redirected DNS entries would, instead of resolving to unintended sites for phishing and advertising, simply fail.

The DNS Changer Working Group (DCWG) has a nifty website that checks whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and few others. Internet Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon to begin with.

Also, the DCWG website would have apparently given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have reported infected machines as clean simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.

As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page can still be used to attempt to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern; it is a concern, merely not the global threat the FBI suggested. Prior to the DCWG page going back online, a notice was posted explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless for actually detecting DNSChanger.

So a joke? No. OpenDNS.com reported in blog posts that hundreds of thousands of machines were infected but their owners simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG but simply keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malware Bytes: http://www.malwarebytes.org/

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The types of attacks above are DNS Cache Poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but be used to steal your information).

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison
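Cache poisoning succeeds when a resolver accepts a forged reply as the answer to a question it asked. The djbdns notes linked above describe the defences a resolver should apply; as an added illustration (my own model, not code from djbdns, OpenDNS or any real resolver), the following stub resolver randomises both the 16-bit transaction ID and the UDP source port of each query, and before caching anything it checks that a reply came from the server asked, on the port used, with the right ID and question, and it discards any record outside the “bailiwick” of the server that was queried. Messages are plain Python dicts rather than DNS wire format, and all names, addresses and the forged reply are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical stub-resolver model for this post (not a real DNS
# implementation): messages are dicts, but the acceptance checks are the ones
# a resolver must perform before writing an answer into its cache.


@dataclass
class Pending:
    txid: int          # 16-bit transaction ID chosen at random
    src_port: int      # random ephemeral UDP source port
    qname: str         # the question we asked
    zone: str          # zone the queried server is authoritative for
    server_ip: str     # the server we sent the query to


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)   # (name, type) -> data


def send_query(qname, zone, server_ip):
    """Randomise TXID and source port: a blind forger now has to guess
    roughly 2^32 combinations instead of 2^16 (the RFC 5452 approach)."""
    return Pending(txid=secrets.randbelow(1 << 16),
                   src_port=1024 + secrets.randbelow(65536 - 1024),
                   qname=qname, zone=zone, server_ip=server_ip)


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, i.e. the queried server is
    allowed to speak for it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending, resp, cache):
    """Return (accepted, reason). Only in-bailiwick records of an accepted
    response are written to the cache."""
    if resp["src_ip"] != pending.server_ip:
        return False, "response from unexpected server"
    if resp["dst_port"] != pending.src_port:
        return False, "port mismatch"
    if resp["txid"] != pending.txid:
        return False, "txid mismatch"
    if resp["qname"].lower() != pending.qname.lower():
        return False, "question mismatch"
    cached = 0
    for rr in resp["records"]:
        if not in_bailiwick(rr["name"], pending.zone):
            continue          # extra record for an unrelated name: never cached
        cache.entries[(rr["name"].lower(), rr["type"])] = rr["data"]
        cached += 1
    return True, f"cached {cached} record(s)"


def demo():
    cache = Cache()
    pending = send_query("www.example.com", "example.com", "192.0.2.53")
    # Constructed forged reply: spoofed source and correct question, but the
    # TXID guess is wrong (off by one, so the demo is deterministic).
    forged = {"src_ip": "192.0.2.53", "dst_port": pending.src_port,
              "txid": (pending.txid + 1) & 0xFFFF, "qname": "www.example.com",
              "records": [{"name": "www.example.com", "type": "A",
                           "data": "198.51.100.66"}]}
    # Constructed genuine reply that also carries a record for a name the
    # example.com server has no authority over; it must not be cached.
    genuine = {"src_ip": "192.0.2.53", "dst_port": pending.src_port,
               "txid": pending.txid, "qname": "www.example.com",
               "records": [{"name": "www.example.com", "type": "A",
                            "data": "203.0.113.80"},
                           {"name": "login.bank.example", "type": "A",
                            "data": "198.51.100.66"}]}
    r1 = accept_response(pending, forged, cache)
    r2 = accept_response(pending, genuine, cache)
    return r1, r2, dict(cache.entries)


if __name__ == "__main__":
    print(demo())
```

Note that the final check is the one cache poisoning most often relied on historically: a reply that passes every identity test can still try to smuggle in an answer for an unrelated name, and a resolver that caches such records becomes a phishing redirect for every client behind it. DNSSEC (discussed further down) adds signatures so that even a reply passing all four checks can be rejected if it was not signed by the zone owner.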

Alternative DNS Solutions

There are quite a number of different ways to protect against phishing online from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built-in to protect you from visiting faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted so that if you have a virus, it’ll be more difficult to change your DNS look-up behavior. Plus OpenDNS enables the use of parental controls for parents to block access to certain types of sites. There’s a paid version and an ad-supported free version which, upon entering an unresolvable IP, you’ll get an error page, like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extensibility and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network as I describe as being effective in this article). This solution is for those wishing to secure their DNS querying, protect their system from the above risks and/or access sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself, or use DNSCrypt with the OpenDNS service. To set up DNSCurve without relying on OpenDNS, click here for instructions.

DNSSEC Protection: Why It Isn’t Enough

DNS Security Extensions is a way of authenticating DNS entries and ensuring that the response from a queried server is coming from the intended server. In and of itself it offers no encryption of the queries themselves, but it does add a small layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool, depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, a link is created and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.

Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely): your ISP alone, or your ISP and a third-party DNS service. Everyone’s goals and desires are different; the purpose of this post is to inform you of the technology, the threat and possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous Denial of Service tools is named, jokingly, the Low Orbit Ion Cannon (LOIC). The tool gained public notice after being repeatedly used in successful attacks against high-value web servers such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), and groups opposing MegaUpload and WikiLeaks, whom the collective regards as its enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state: I’m merely an individual interested in security for the sake of learning. If you have a vested interest in any of the ideologies, either for or against the attacks, check the links below for protections or ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has since been recoded as an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such there’s even a web version of the DoS tool!

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a 5-PC networked LOIC attack triggered using UltraVNC (akin to a botnet); it worked extremely well. The method could even be triggered remotely using an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attacks. As such it’s surprisingly easy to protect against. Many servers should have been well protected against DoS attacks to begin with but, as we know from real-world IT, what’s best isn’t always what’s done.

Firewall rule-sets can be enacted which filter out the overabundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge, ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

Server administrators should, as a matter of course, contact their ISPs to ensure measures are in place to protect them at that level. Then appropriate measures should be taken to draft appropriate network firewall rules.
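The “overabundance of packets from any one IP address” is the signal a firewall rule-set keys on. As an added example of that detection logic (my own code for this post, not part of LOIC or any firewall product), the function below keeps a one-second sliding window per source address over a stream of packet records, flags any source that exceeds a threshold inside the window, and renders an iptables DROP rule for each. The packet records, addresses and the 100-packets-per-second threshold are constructed for the demo; a real deployment would tune the threshold to the server’s normal traffic and prefer rate-limiting to outright drops where legitimate clients share a NAT.

```python
from collections import defaultdict, deque


def find_flood_sources(packets, window=1.0, threshold=100):
    """Sliding-window packet counter per source IP.

    packets: iterable of (unix_time, src_ip, proto) tuples in time order
    (constructed here; in practice from a sniffer or flow export).
    Returns {src_ip: peak_count} for every source whose packet count inside
    any `window` seconds exceeded `threshold`.
    """
    recent = defaultdict(deque)      # src_ip -> timestamps inside the window
    offenders = {}
    for ts, ip, _proto in packets:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # evict packets that fell out of the window
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def drop_rules(offenders):
    """Render one Linux netfilter DROP rule per flagged source."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def parse_line(line):
    """Constructed record format for this example: '<unix_time> <src_ip> <proto>'."""
    ts, ip, proto = line.split()
    return float(ts), ip, proto


def demo():
    t0 = 1_700_000_000.0
    lines = []
    # Constructed traffic: one source sending 500 UDP packets in one second
    # (a LOIC-style flood), plus two ordinary clients at 5 and 20 packets/s.
    lines += [f"{t0 + i / 500:.4f} 198.51.100.9 UDP" for i in range(500)]
    lines += [f"{t0 + i / 5:.4f} 203.0.113.20 TCP" for i in range(5)]
    lines += [f"{t0 + i / 20:.4f} 203.0.113.21 TCP" for i in range(20)]
    packets = sorted(parse_line(line) for line in lines)
    offenders = find_flood_sources(packets, window=1.0, threshold=100)
    return offenders, drop_rules(offenders)


if __name__ == "__main__":
    flagged, rules = demo()
    print(flagged)
    print("\n".join(rules))
```

This per-source approach is exactly why it works against a small LOIC swarm and not against a large botnet or a spoofed-source flood: when thousands of addresses each stay under the threshold, or the source addresses are forged, the filtering has to move upstream to the ISP, as the paragraph above suggests.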

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be made by attackers who gain access by spoofing their way onto your network). Such attacks can be used to mount various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system monitoring ARP tables can alert the network administrator to changes or additions, possibly thwarting spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they can be conducted.

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides of an argument. So, I’ve constructed a list of sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) Topic in regards to preventing LOIC DDoS posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/

Public Wi-Fi? Be Mindful of Session Hijacking

Cache Exploitation & Sidejacking (Session Hijacking)

Tools

* Firesheep Packet Sniffer on PC
* FaceNiff or DroidSheep on Android (rooted)
* Other MITM (man-in-the-middle) software; no packet-injection-capable NIC needed! For more on MITM attacks please click here (Schneier on Security; 7/15/2008).

The risk

The most common type of cache exploit can be seen using Firesheep which takes unencrypted data passed via cookies over a Wi-Fi network and reveals them (works well with social networks and sites that do not appropriately handle user data transmission).

Although some data may be handled via SSH (encrypted), the actual login cookies are not on some insecure sites. Some social networks and heavily trafficked websites have sought ways of solving the problem but not all evolve accordingly. So long as they don’t, this exploit will work, and it has done so for many years.

This type of exploit could be known as “The Starbucks Social Network Exploit” for all intents and purposes, since places that offer free wi-fi are at risk.

Naturally ANY wi-fi network is at risk. As we see with Aircrack and WEP/WPA cracking, even a reasonably secure network can run the risk of MITM attacks. Another way of bypassing security measures is ARP poisoning once one has gained access to a network, assuming the identity of a networked computer. That’s another reason why you should only join relatively secure networks that allow SSH tunneling.

Protecting yourself

* Use SSH tunneling to connect to your VPN/proxy setup after connecting to open wi-fi.
* Always try to use SSL/TLS enabled variations of web pages (if you use Firefox please be sure to download and make use of the HTTPS Anywhere Addon).
* Use encrypted connections, using only protected wi-fi networks not public ones or at least trusted ones.
* Urge wi-fi network admins to monitor ARP tables and run appropriate IDS and conduct other server-side preventative measures.
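The last bullet, and the “IDS monitoring ARP tables” suggestion in the LOIC post above, both come down to the same passive check: learn which MAC address answers for each IP and raise an alert when that binding changes, particularly for the gateway, or when one MAC starts answering for several IPs. The following is an added example of that monitor, written for this post in the spirit of arpwatch (linked in the LOIC post) but not its code. The ARP reply lines, addresses and the `<ts> <sender_ip> <sender_mac>` format are constructed for the demo; a real monitor would feed it from a packet capture.

```python
from collections import defaultdict


class ArpWatch:
    """Passive ARP monitor: learns IP -> MAC bindings from observed ARP
    replies and raises alerts when a binding changes or one MAC claims
    several IPs (both symptoms of an ARP poisoning attempt)."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}                        # ip -> mac
        self.ips_by_mac = defaultdict(set)     # mac -> {ip, ...}
        self.alerts = []                       # (ts, kind, subject, detail)

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return the alerts it generated."""
        mac = mac.lower()
        new = []
        old = self.table.get(ip)
        if old is None:
            new.append((ts, "new-station", ip, mac))      # informational
        elif old != mac:
            kind = "gateway-changed" if ip == self.gateway_ip else "changed-mac"
            new.append((ts, kind, ip, f"{old} -> {mac}"))
            self.ips_by_mac[old].discard(ip)
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # Legitimate for a router with several addresses; suspicious when
            # an ordinary station suddenly answers for the gateway as well.
            new.append((ts, "mac-claims-multiple-ips", mac,
                        sorted(self.ips_by_mac[mac])))
        self.alerts.extend(new)
        return new

    def critical(self):
        """Everything except the informational first sighting of a station."""
        return [a for a in self.alerts if a[1] != "new-station"]


def parse_line(line):
    """Constructed sniffer format for this example: '<ts> <sender_ip> <sender_mac>'."""
    ts, ip, mac = line.split()
    return float(ts), ip, mac


def demo():
    watch = ArpWatch(gateway_ip="192.168.1.1")
    # Constructed ARP replies: three stations come up normally, then the
    # station with MAC ...:99 starts answering for the gateway and a host.
    lines = [
        "10.0 192.168.1.1 aa:bb:cc:00:00:01",
        "11.0 192.168.1.10 aa:bb:cc:00:00:02",
        "12.0 192.168.1.99 aa:bb:cc:00:00:99",
        "60.0 192.168.1.1 AA:BB:CC:00:00:99",
        "60.5 192.168.1.10 aa:bb:cc:00:00:99",
    ]
    for line in lines:
        watch.observe(*parse_line(line))
    return watch.critical()


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On an open hotspot you usually cannot run this yourself, which is the point of the bullet: only the network operator sees every ARP reply, so the client-side defences are the SSH tunnel, the VPN and HTTPS, while the ARP monitoring has to happen on the admin’s side.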