Friday, November 12, 2010

News Palin hacker gets a year in the big house

Probably not long enough.....

From Computerworld news:


IDG News Service - The former college student who guessed his way into Sarah Palin's Yahoo e-mail account during the 2008 U.S. presidential election was sentenced to a year and a day in prison Friday.
David Kernell's lawyers had been hoping for probation only; federal prosecutors had asked for an 18-month sentence.
The judge in the case recommended that Kernell serve his time at a halfway house rather than federal prison, but that decision is up to the U.S. Bureau of Prisons, the U.S. Department of Justice said. Following his one-year sentence, Kernell must serve three years' probation.
Kernell, a 20-year-old college student at the time of the incident, got into Palin's gov.palin@yahoo.com account by guessing answers to the security questions used by Yahoo to reset the account's password. In chat logs, Kernell said he was hoping to find information that would "derail" her 2008 vice presidential election campaign.
Palin was then governor of Alaska, and her critics thought she may have been conducting state business via the Yahoo account, in order to sidestep Alaska's open records law. Kernell found no such evidence after examining her Yahoo account.
He did, however, post the account's new password -- "popcorn" -- to the 4chan discussion board, and the contents of the account were eventually made public.
In her 2009 autobiography, "Going Rogue," Palin called the incident "the most disruptive" of the campaign.
Kernell was convicted of unauthorized computer access and obstruction of justice on April 30, after a weeklong trial that included testimony from Palin herself. But his lawyers had argued for leniency, citing their client's "youth and emotional condition."
"The public humiliation, trial, and felony conviction are enough to deter any further violations of the law," his lawyers said in court filings.
Kernell is the son of Tennessee Democrat assemblyman Mike Kernell. Neither David Kernell nor his lawyer could be reached immediately for comment.
He was sentenced by Judge Thomas Phillips of the U.S. District Court for the Eastern District of Tennessee, in Knoxville

Using Nmap to see open ports and OS version

Today I will look at Nmap, a powerful network and port scanning tool.  What exactly is Nmap ?


From Nmap.com:
"Nmap is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics"


I will show how you can use Nmap to find out info about a remote machine, such as the operating system the machine is running (that machine will be Ubuntu running in a VM)


First I need the IP address of the Linux machine, which I can get by using "ifconfig" as shown in the following screenshot:




Once I have then I can use Nmap to scan that machine. I won't go over the installation, which is fairly straight forward.....


From the windows machine I start Nmap and then plug in the remote IP addess and start a "normal scan".  The results are shown.






As you can see from the screenshots, Nmap was able to determine the ports that are open and what service is listening on those ports and what the operating system is.


This is only an introduction to Nmap, but as you can see it can gather quite a lot of information about a remote machine in only a few seconds.  This can be useful for locking down a machine or seeing if an unusual port is open and listening - like you would find if it was infected with malware.  The OS version information can aid in performing an inventory of your network PC's to see what you have.

Process Monitor

Process Monitor is a tool used to get real-time file, registry and process/thread activity and is a combination of RegMon and FileMon, two excellent monitoring programs from Sysinternals.



It’s a great tool for troubleshooting your system and also for finding malware. Since Process Monitor allows you to see exactly which files and registry keys are being accessed by a process in real-time, it’s great for seeing all the files and registry entries added when installing a new program.
It also captures more detailed information about a process such as image path, user, session ID, and command line.


It can be a bit intimidating at first because it will load up thousands of entries and mostly stuff that the system processes are doing. However, you can use the advanced filters to find exactly what you are looking for.

In the Filter dialog, you can filter by Process Name, Event Class, PID, Session, User, Version, Time of Day, and many other things.  Thousands of items will show up in the list when it is firs opened but that can be reduced to a few hundred by configuring filters to look a specific process.

In short process monitor is a valuable tool if you need to be able to see exactly what a service is doing and what, if any, dependencies it has.

Yersinia network attack tool

Today in class we looked at the website Yersinia, which provides a tool for exploiting various cisco protocols and services, such as :

Spanning Tree Protocol (STP)
Cisco Discovery Protocol (CDP)
Dynamic Trunking Protocol (DTP)
Dynamic Host Configuration Protocol (DHCP)
Hot Standby Router Protocol (HSRP)
IEEE 802.1Q
IEEE 802.1X
Inter-Switch Link Protocol (ISL)
VLAN Trunking Protocol (VTP)

The number of attacks is quite extensive and not limited to :


Spanning Tree Protocol
Sending RAW Configuration BPDU
Sending RAW TCN BPDU
DoS sending RAW Configuration BPDU
DoS sending RAW TCN BPDU
Claiming Root Role
Claiming Other Role
Claiming Root Role dual home (MITM)

Cisco Discovery Protocol
Sending RAW CDP packet
DoS flooding CDP neighbors table
Setting up a virtual device

Dynamic Host Configuration Protocol
Sending RAW DHCP packet
DoS sending DISCOVER packet (exhausting ip pool)
Setting up rogue DHCP server
DoS sending RELEASE packet (releasing assigned ip)

Hot Standby Router Protocol
Sending RAW HSRP packet
Becoming active router
Becoming active router (MITM)

Dynamic Trunking Protocol
Sending RAW DTP packet
Enabling trunking

802.1Q
Sending RAW 802.1Q packet
Sending double encapsulated 802.1Q packet
Sending 802.1Q ARP Poisoning

802.1X
Sending RAW 802.1X packet
Mitm 802.1X with 2 interfaces

VLAN Trunking Protocol
Sending RAW VTP packet
Deleting ALL VLANs
Adding one VLAN
Catalyst crash

I have not yet examined this tool and might do so in a later blog post.  Clearly very useful for identifying cisco service vulnerabilities and ultimately making your network more secure.

Antivirus for Mac

Why would I need an antivirus product for the Mac ?  Aren't the virus free ?

While this is technically true, computer security is about much more than defending against potentially harmful viruses. Sophos Anti-Virus for Mac runs in the background on your system and protects you from Trojan Horse programs, malicious applications, keeping you safe from threats.

The most common threats to Mac users are still socially engineered Web sites, pirated software, and social network scams on Facebook and Twitter--all of which can contain malicious code that runs on your Mac, collects your password information, banking information, or directs you to malicious Web sites.

Many Mac users also don't realize that your Mac can still transmit and spread Windows-targeted viruses. If you get a file with a virus, it may not affect your machine, but if you send it to a friend with a PC, his or her computer could get infected. The Sophos Anti-Virus for Mac promises to catch these types of files and help you get rid of them safely.  

Best of all - its free

Thursday, November 11, 2010

Securing your iPad

The iPad is a great new device - a mini-computer that holds large amounts of your personal and private information. As such it would be wise to think about how to keep this private information private should you lose it or have it stolen.

“You’re essentially carrying around a complete copy of much of your digital data” with the iPad, said Jason Rouse, principal security consultant at Cigital, which helps companies protect their software.

Malware and viruses are not known to the iPad as of yet, but like any internet capable device you should exercise caution when connecting to "unknown" wireless networks where your traffice could be sniffed and compromised.  Beyond that there are several things you can do to ensure your iPad is protected.

Lock it up.

This one is easy.  Tap the “Settings” icon on the home screen and then select “General” and “Passcode Lock.” Then set the four-digit code you want to use to unlock your iPad when you turn it on or wake it up.  You can choose from several intervals, but shorter is better.  Better security yet would be to configure your iPad to erase all data if someone enters the wrong code 5 or 6 times.

You can also purchase a case with a lock on it to keep people out who don't own it.  There are a number of vendors that sell such products and one could be purchased for around $40.

Find or disable a lost or stolen iPad.

Apple’s "MobileMe" service has a feature called “Find My iPad” (or your iPhone) that can locate a lost device.

Using your computer, sign up for MobileMe and activate the feature by logging into your account and following the on-screen instructions to see the approximate location of your iPad.

You can remotely set a four-digit passcode and lock it (if you haven’t already) by clicking “Remote Lock.” Then you can write a message that will be displayed on the screen to whoever may have found it — like,  “Lost iPad, Please call me at xxx-xxx-xxxx.” - even if it is locked.

Use complex passwords for online services.

With accounts to many sites it can easily be overwhelming to keep them all straight.  Luckily apply has an app called 1Password (which retails for $7.99) which lets you select a Web account from your personal list, like Amazon.com, and click the link for the site that leads to a login screen with your username and password already inserted.

Delete history, cookies and cache in Safari.


You can keep all this private by deleting your Safari browser’s Web history, cookies and cache. Tap the “Settings” icon on your home screen, select “Safari” and then use the respective buttons to clear them out. To set rules on when Safari accepts cookies, tap “Accept Cookies” and then choose among “Never,” “From visited” or “Always.”

InPrivate Browsing with IE 8

InPrivate Browsing feature allows you to surf the web using IE8 without effectively leaving a track to where you've been and what you've done.

This new privacy option is useful when you would like to minimize what anyone else might see when they are using your computer.  This would be useful at an internet cafe or if the machine you're using isn't yours

You can start an InPrivate Browsing session from the New Tab page or the Safety button as shown.



When you choose the option to start an InPrivate Browsing session. Internet Explorer will open a new browser window.  You can open as many tabs as you would like - all of them would be protected.

However, if you open another browser window from the Internet Explorer short cut that window will not be protected by InPrivate Browsing unless you activate it.

IE 8 will store required information such as cookies and temporary Internet files that are required for proper session functionality so that sites your visit will work correctly.  The privacy features kick in when you end your session and all of the active data and information is discarded.

The following list details what is and what is not protected.


· Cookies - Kept in memory so pages work correctly, but cleared when you close the browser.

· Temporary Internet Files - Stored on disk so pages work correctly, but like cookies are deleted when the browser is closed

· Webpage history - not stored

· Form data and passwords - not stored

· Anti-phishing cache - Temporary information is encrypted and stored so pages work correctly.

· Address bar and search AutoComplete - not stored

· Automatic Crash Restore (ACR) - ACR can restore a tab when it crashes in a session, but if the whole window crashes, data is deleted and the window cannot be restored.

6 Steps to a more secure home wireless network

With the proliferation of home wireless networks it is sometimes easy to forget that they are not as inherantly secure as a wired network and can be compromised.  However you can obtain a reasonable secure home wireless network fairly easily and without a lot of technical knowledge.

1. Change Default Administrator Username and Password
At the core of the Wi-Fi home networks is the access point/router. To set up these pieces of equipment, manufacturers provide an administration page that allow owners to enter their network address and account information. These admin pages are usually accessed by a web browser and typing in the default gateway IP address such as 192.168.0.1.  These administration web pages are protected with a login screen (username and password) so that only the rightful owner can login. All home wireless routers have a default username and password that is used to login for the first time such as admin and admin (for the username and password).  These should be changed immediately

2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies and standards exist for Wi-Fi today, the strongest being WPA2 with AES. However, all the devices must be able to support that.  If not, you will have to "step down" to a authentication and encryption scheme that they do support.

3. Change the Default SSID and disable SSID broadcasts
Access points and routers all use a network name called the SSID which is the name that shows up when you view wireless networks. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network (which it more then likely is) and are probably more prone to attack it.  This SSID is also broadcast at regular intervals and is designed to permit roaming in and out of range of the access point.  For your home network, you probably won't be roaming out of range so SSID broadcasts can be turned off

4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many access points permit the configuring of permissable MAC addresses that can connect, restricting access to only those devices. Keep in mind though that this is not that powerful a feature and MAC addresses can be spoofed

5. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

6. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

Saturday, November 6, 2010

Using metasploit to find vulnerabilites

I installed metasploit in an earlier post.  Today I will use it to attack a service running on another machine.  I will be using two VM's for this.  Ubuntu which has metasploit installed and a fully patched version of XP which contains the service we want to target.  In this case, the service is Niprint - a small print server application.

I first installed Niprint and then opened it, so it was running and active as shown in the following screenshot:


I also recorded the IP address that the XP machine was using:  192.168.248.128.

Next I loaded up metasploit on the Linux machine which I did by typing "msfconsole" in a terminal window.

Once metasploit is running, we need to configure the IP address of the host we will be exploiting:192.168.248.128.  The following screenshot shows this command:


I also pinged the host to ensure connectivity.

Next we need to select the exploit that we are going to use.  The exploited service is Niprint.  We add the exploit with the set exploit command as shown in the next 2 shot.


I was able to see the list of exploits using "show exploits" at the command line.



next we neet to apply a payload to the exploit.  We can see the various paylaods using "show payloads"

I applied the VNC reflective injection payload with the command: "set payload [path to payload]

eg "set payload windows/vncinject/bind_tcp"  (without the quotes).  Then I ran the exploit with the "exploit command".  Both are shown in the following screenshot.

This particular exploit did not work with Niprint, but finding one that did, would only require loading a new payload and trying again.

Metasploit is a very powerful tool for finding and exploiting vulnerabilites in software.

Thursday, November 4, 2010

News: Zero-day vulnerability found in Internet Explorer

Microsoft has issued a security warning about a new zero-day vulnerability that could allow remote code execution in its IE browser.  This vulnerability effects versions 6 through 8.

From thier security advisory page: "The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

There are several factors that could mitigate this particular attack.

First enabling Data Execution Protection (DEP) in the browser (which is on by default in version 8).  "DEP, a feature first implemented in 2005, prevents the exploit from executing successfully, said Wolfgang Kandek, chief technology officer at security firm Qualys".

Secondly, using protected mode in "Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system."

Cross Site Scripting (XSS)

Today I will look at Cross site scripting or XSS.  What is XSS ?

According to Wikipedia it is: " a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users".  There are two types of XSS - persistant and non-peristant.

Persistant XSS is when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the response.

Non-peristant XSS occurs when data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

I will examine non-persistant XSS here.  For this short demonstration I used Mutillidae which is an open source web vulnerability project that allows you to test and see how some of the most common web vulnerabilities work in a kind of virtual environment (clearly I would not want to inject XSS in someones actual website or blog - that would be illegal)

This is a simple example but shows how dangerous XSS could be.  Many websites are still vulnerable to this type of attack and have not corrected thier code to mitigate against them.


In the screenshot above I have added some code to a virtual blog as an anonymous user that displays a dialog box that says "XSS".


The above screenshot shows what happens when that script is run and shows the comments left by the anonymous user.


The interesting thing is that the code does not show up when you list the comments made for all users - including the anonymous users.


This screenshot shows the script being run for a different user. That is the danger of cross site scripting.  A malicious script can be loaded into a webpage (or blog) and will run for whomever is logged into the page.  The script I used in this example is harmless but scripts could be created that deliver malware to the enduser, deletes files or any number of other malicious things.

How to defend against XSS ?  Disabling scripts from running in your broswer could be one way.  Using a browser like chrome that virutalizes the browser environment so scripts do not have access to the system as a whole, but more importantly, the web developer needs to code the web site in such a way as to not allow comment boxes to accept scripts. In the first screenshot the script starts with <script>.  The website should coded to look for strings like that and disallow them from being entered.