Monday, 26 November 2007

Controls Are Not the Solution to Our Problem

If you recognize the inspiration for this post title and graphic, you'll understand my ultimate goal. If not, let me start by saying this post is an expansion of ideas presented in a previous post with the succinct and catchy title Control-Compliant vs Field-Assessed Security. In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing "controls," regardless of the effect these...

Sunday, 25 November 2007

Old School Oracle Auditing

I was again reading hacking articles and one of them, "Simple Oracle Auditing", caught my attention. Well, it's an old article but it's still fun to read and learn from the gurus. Check it out, guys: http://www.securityfocus.com/infocus/1689
The Hacka ...

Friday, 23 November 2007

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit. After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.
Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection...

Examining the MPAA University Toolkit

I learned about the MPAA University Toolkit at Brian Krebs' always-excellent SecurityFix blog. If you want to know more about the user experience, please check out that post. Here I take a look at the monitoring software, focusing on Snort, operating on this application. I downloaded the 534 MB peerwatch-1.2-RC5.iso and started it in a VMware Server session. I used ctrl-c and then 'sudo bash' to exit from the initial script presented within X,...

Wednesday, 21 November 2007

Tap vs Lightning Strike

Earlier this year my lab suffered a near lightning strike. A tree right outside the lab was struck by lightning, causing damage to multiple electronic and electrical devices outside and inside the building. Outside, the lightning disabled an exterior lighting system and my phone lines. Inside, the lightning took a severe toll on the lab. The cable modem to the outside world was destroyed. The NIC on the lab firewall facing the cable modem was...

7 steps to better Solaris Network Settings

I was auditing one of our customers again and this time round, I managed to come up with a 7-step guide to better secure the TCP stack for Solaris. Well, you guys can add on more.
1. Configure for more random TCP sequence number generation. Check that in /etc/default/inetinit, TCP_STRONG_ISS is set to 2. For instance, TCP_STRONG_ISS=2
2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, a file "/etc/notrouter" needs to be present. If the file is missing, issue the following command to...

Updating FreeBSD 7.0-BETA2 to 7.0-BETA3

Recently I posted FreeBSD Binary Upgrade News about developments with Colin Percival's FreeBSD Update tool. Today I performed a remote (via SSH) upgrade from FreeBSD 7.0-BETA2 to FreeBSD 7.0-BETA3 using FreeBSD Update. I document the process below so you can see how easy it is and for my future reference. Here is uname output to show the OS version prior to upgrading.
# uname -a
FreeBSD myhost.mydomain.com 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov ...

Tuesday, 20 November 2007

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I...

Hacking iPhone the fun way

I got my iPhone and I know there are exploits and vulnerabilities in it discovered by H.D. Moore, creator of Metasploit. However, I wasn't too enthusiastic about the damage that this exploit can do but more into the fun aspect of how to install new 3rd party applications on the phone. I know that you can install hacking tools too, but that's not my goal. Why install those tools when you can install them on the PC? Anyway, I managed to unlock the phone with a bit of help and of course started using it. It is the coolest phone out on the planet and of course...

Monday, 19 November 2007

Hacking SCADA

While I was in Dubai, I got a chance to visit one of our customers who was using SCADA. Back then, it was so new to me and I had no idea of how to actually audit it. Back here in Singapore, I got another chance to actually test and audit SCADA systems and this time round, I found a way to actually break the application and network apart. However, I had to be very careful during the audit, as one wrong move may affect the whole of Singapore. So what is SCADA? SCADA stands for Supervisory Control and Data Acquisition and they are the systems that...

Sunday, 18 November 2007

Two-factor authentication bypassed

It had been a long fortnight and I have not finished writing my reports for various banks. It was really that much report to write, especially for one particular bank. I managed to bypass the security control mechanism set up by this bank and steal the username and password of any user. Most of the banks here in Singapore practise two-factor authentication and for most people, they think that it is secure because of the extra added security. However, a PoC was released to the bank depicting to them that it was possible to bypass the security...

Saturday, 17 November 2007

Image upload XSS

Also, I stumbled across an old blog post by rsnake where it was possible to execute XSS on an upload function.
http://ha.ckers.org/blog/20070603/image-upload-xss/
http://pstgroup.blogspot.com/2007/06/tipsimage-upload-xss.html
An example of something you might test for: so you upload this file:
http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg
This ends up making the page look like:
The Hacka ...

DOM Based XSS

I was reading Amit Klein's 2005 article on DOM Based XSS and he actually mentioned a few things to look out for in DOM XSS. In that article, he gave us an inside look at how to look for potential XSS in the DOM and why sanitizing is important on the client side. The full article is here: http://www.webappsec.org/projects/articles/071105.html
Below is a snippet:
2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):
document.URL
document.URLUnencoded
document.location...
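The two XSS posts above (the image-upload trick from rsnake and Amit Klein's DOM-based XSS) describe the same failure from two sides: user-controlled data reaching an HTML sink without output encoding. The following is an added example written for this page; it is not code from either post, from rsnake's or Klein's articles, or from any product mentioned here. Part 1 reconstructs the upload case: the server reflects the uploaded file name into an <img> tag by string concatenation, and the quoted file name breaks out of the src attribute and adds an onerror handler. Part 2 shows the DOM variant: the tainted source is the URL fragment (which never reaches the server), and the sink is innerHTML. The hostname example.test, the /image-xss/ path, and the plain-object stand-in for a DOM element are assumptions for the sake of running the code outside a browser.

```javascript
// Added example (not from the original posts or the linked articles).
// Part 1: image-upload XSS via an unescaped file name in an <img> src attribute.
// Assumed: example.test and /image-xss/ are placeholders; PAYLOAD_NAME is the
// crafted file name quoted in the post above.
const BASE_URL = "http://example.test/image-xss/";
const PAYLOAD_NAME = "\"onerror=\"alert('XSS')\"a=\".jpg";

// Vulnerable: the file name is concatenated straight into an attribute value,
// so an embedded double quote ends src and everything after it becomes
// new attributes (here: onerror).
function renderImgVulnerable(fileName) {
  return `<img src="${BASE_URL}${fileName}">`;
}

// Encode the characters that can terminate or alter a quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: encode on output. (Storing uploads under a server-generated name
// and never echoing the client-supplied one is the stronger fix; encoding
// covers the case where the original name must be displayed.)
function renderImgSafe(fileName) {
  return `<img src="${BASE_URL}${escapeAttr(fileName)}">`;
}

// Minimal attribute scanner for a single tag with double-quoted values:
// returns the attribute names a parser would see, in order. Used to show
// that the payload turns one src attribute into src + onerror + a.
function attributeNames(tag) {
  const names = [];
  const re = /([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Part 2: DOM-based XSS. Source: the fragment of the page URL (document.URL /
// location.hash in a browser). Sink: innerHTML. `el` is a stand-in for a DOM
// element; makeStubElement() builds one so this runs in Node without a DOM.
function makeStubElement() {
  return { innerHTML: "", textContent: "" };
}

function fragmentValue(pageUrl) {
  return decodeURIComponent(new URL(pageUrl).hash.slice(1));
}

// Vulnerable: markup inside the fragment is parsed as HTML.
function greetVulnerable(el, pageUrl) {
  el.innerHTML = "Hello " + fragmentValue(pageUrl);
  return el;
}

// Hardened: textContent assigns a text node, so the payload is displayed
// literally and never parsed.
function greetSafe(el, pageUrl) {
  el.textContent = "Hello " + fragmentValue(pageUrl);
  return el;
}

// Constructed attacker URL: the fragment carries an <img onerror> payload.
const DOM_PAYLOAD_URL =
  "http://example.test/welcome.html#" +
  encodeURIComponent("<img src=x onerror=alert('XSS')>");

// Stand-alone run: print both renderings and the attribute names seen.
console.log(renderImgVulnerable(PAYLOAD_NAME), attributeNames(renderImgVulnerable(PAYLOAD_NAME)));
console.log(renderImgSafe(PAYLOAD_NAME), attributeNames(renderImgSafe(PAYLOAD_NAME)));
console.log(greetVulnerable(makeStubElement(), DOM_PAYLOAD_URL));
console.log(greetSafe(makeStubElement(), DOM_PAYLOAD_URL));
```

Testing the upload case is as simple as the post says: upload a file whose name contains a double quote and look at the resulting page source for a second attribute on the tag. For the DOM case, the check has to be done against the client-side script (grep for document.URL, document.location, location.hash and their flow into innerHTML, document.write, eval), because a server-side WAF never sees the fragment.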

Thursday, 15 November 2007

Deadly execution in a huge financial company

I was auditing one of the biggest financial companies in the world and here in the Singapore branch, it was just really bad. I was playing around with the software and noticed an uploading function. With evil thoughts in my mind, I quickly wanted to see if this application does allow uploading of exe, bat or some other executable files. To my wildest surprise, it does allow the uploading of exe files and I tell you, I could upload any sort of trojan or virus and execute it on the client's PC. I actually did upload an exe program and tried to execute...

Wednesday, 14 November 2007

Basics of mod_security

This past week, I was auditing a customer's web server defence against web attacks and I realised that they did not install mod_security as one of the modules on the server. Well, considering it is a huge customer, they should at least do some basic filtering using mod_security since their servers are running on Linux. I had mentioned mod_security in my previous post and for those who are still not sure what it is, mod_security is a web application firewall that is an Apache Web Server add-on module that provides intrusion detection, content...

Analyzing Protocol Hopping Covert Channel Tool

I enjoy analyzing covert channels, although my skills are far inferior to someone like Steven Murdoch. However, today via Packetstorm I learned of Protocol Hopping Covert Channel Tool by Steffen Wendzel. He wrote a text file describing his thoughts behind the tool called Protocol Hopping Covert Channels. Quoting the paper:
This paper describes a new way to implement covert channels. This is done by changing the protocol of the tunnel while the tunnel exists and even change the protocol on a randomized way without restarting the tunnel or reconnecting...

No hacking activities

Been really busy with all the results I got from my projects and pretty occupied with report writing. I am handling a few projects currently and well, there isn't any time for me to research or perform any sort of testing or hacking. This is good in the sense that it keeps me busy and at least I feel "useful" to my company in the sense that I am performing audits for our customers during this peak period. I will definitely resume hacking mode soon and check out more cool ill street hacking. As of blogging now, I am still writing long...

Monday, 12 November 2007

Great Papers from Honeynet Project

If you haven't seen them yet, Know Your Enemy: Behind the Scenes of Malicious Web Servers and Know Your Enemy: Malicious Web Servers are two great papers by the Honeynet Project. You might want to see Web Server Botnets and Server Farms as Attack Platforms by Gadi Evron as background. You'll notice people like e0n are using NSM to combat bots. I have not seen any IRC-controlled SIP/VoIP attack bots and botnets yet. If you think your IPS will save you against bots, keep in mind the time it takes to update some of them. I also recommend reading...

Sunday, 11 November 2007

FreeBSD Binary Upgrade News

If you've read my previous posts on FreeBSD binary upgrades you'll see that Colin Percival's work on this subject has been one of my favorite additions to FreeBSD during the last few years. I recommend reading the latest two posts on Colin's blog for even more good news: FreeBSD minor version upgrades and FreeBSD major version upgrades using FreeBSD update. I plan to deploy FreeBSD 7.0 in production soon, and the native capability to upgrade the...

Saturday, 10 November 2007

Impact of NetFlow on Routers

Thanks to the great IOShints blog for pointing me to NetFlow Performance Analysis. If you have any questions regarding the impact of generating NetFlow records on your routers, check out this Cisco white pap...

Thursday, 08 November 2007

Must-Read Snort 3.0 Post

If you care at all about Snort you must read Snort 3.0 Architecture Series Part 1: Overview by Marty Roesch. Keep reading his blog for future descriptions of Snort 3.0. On a related note, Marty released Daemonlogger 1.0 recently. Daemonlogger is an open source full content packet logging to...

Tuesday, 06 November 2007

More Unpredictable Intruders

Search my blog for the term unpredictable and the majority of the results describe discussions of one of my three security principles, namely: Many intruders are unpredictable. Two posts by pdp perfectly demonstrate this:
Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Web Mayhem: Firefox’s JAR: Protocol issues
How many of you who are not security researchers even knew that data: or jar: protocols existed? (It's rhetorical, no need to answer...