Chapters In Web Security

Leak Sensor - Pastebin data leakage detection

noreply@blogger.com (Raviv Raz) — Thu, 26 Jan 2012 22:22:00 +0000

Leak Sensor – sensitive data leakage detector

As we all know, the cyber war is escalating. Hackers use Trojans and website penetrations to gain access to sensitive data. This includes email addresses, social security numbers, passwords and much more. The hacktivism movements such as Anonymous exploit Pastebin as a platform for anonymous data publishing. They use it as a "hall of shame" to embarrass large corporations and governments, while the majority of the innocent public is usually unaware of their personal details being exposed. Being a socially aware company, Hybrid Security has decided to release free software that is able to detect personal identification information leaked onto Pastebin.

How does Leak Sensor work?

Leak Sensor saves the sensitive details, entered by the user, safe and encrypted. This data never leaves the personal computer in outgoing traffic. Once in a few (user-configurable) minutes, Leak Sensor runs a quick check on Pastebin in order to verify whether the sensitive data has been exposed publically. Each detail entered by the user is assigned a label. For example: you enter your email address and name is "Email". Leak Sensor runs in the background (you'll find a small icon at bottom right of the system tray). In case data leakage has been detected, an alert appears above the system tray icon, detailing which piece of data has been compromised.

Is it not dangerous to put all the eggs in one basket?

Hybrid Security has utilized the most advanced measures available today, in order to protect the personal data as following:

Data is saved encrypted using AES-256, and is non-readable by unauthorized people
Data is protected by a password that must be entered upon each execution of Leak Sensor
The password itself is saved as a hash value. Therefore, if compromised, there is no way of deciphering it
When resetting the password, all sensitive data is destroyed automatically – just like in Mission Impossible

Personal details never leave the safety of your personal computer and are accessible only to the secret password owner

Where can I download Leak Sensor?

http://www.hybridsec.com/resource.html

How do I install Leak Sensor?

You simply run the installer file and choose a target directory for the installation. A "Hybrid Security" program directory group is created under the Start Menu, where Leak Sensor may be found.

The rest of the instructions are to be found on the included user manual within the zip file.

Hope this helps you keep you data safer. And as always, remember:

Just cuz you're paranoid, it doesn't mean they're not really after ya ;-)

2011 Conclusions & 2012 Cyber Predictions

noreply@blogger.com (Raviv Raz) — Sat, 31 Dec 2011 01:25:00 +0000

Hacking your way out of prison - Mission Impossible?

Yes my friends, we have come to the conclusion of yet another cyber-incident-packed year.
As we look back on 2011, we see a great change both in the extensive usage of cyber warfare, and in the attention the media grants such attacks. In light of recent evidence regarding Duqu, and its relative Stuxnet, it is now clear that cyber warfare has been around for years now, used for military purposes. Prisons are a new target for, perhaps criminal organizations, inspired by Stuxnet. A recent study has shown maximum-security prisons are prone to breaches using SCADA attacks. This has apparently left such an impression on Hollywood script writers, that it plays a major role in the opening scene of the latest Mission Impossible - Ghost Protocol movie. The Department of Homeland Security has also become very much aware of attacks on critical infrastructure, which raised the attention to the contrast between SCADA's exposure to the Internet, and the state of cyber security within such systems. However, I think that everyone would agree this has been the year of social uprising. Being so, the Anonymous and LulzSec groups have caught much attention in their hacktivism acts against government and commercial organizations. The use of cyber espionage and cyber sabotage by civilian, dispersed groups is definitely on the rise, if not at its historical peak. History will teach next generations about the first revolution enabled by the Internet - that started in 2011. Of course, Egypt and Libya would not have fallen without extreme physical warfare. But I doubt whether the masses could be so organized and well communicated with each other had the Internet not been so accessible and widely-spread. In Libya, the need for modern communication was so profoundly understood by the rebels, that a serious operation was carried out, backed by foreign Arab nations, to regain control over the cellular network of Libya, after having it shut down by the authorities. The Occupy movement has followed right after, inspired by global events, and endorsed eagerly by the Anonymous group. It is important to understand this relation in order to understand the popularity this hacktivism has gained among the people. The media feeding hackers' egos - consequently motivating them to operate bigger and better against government and commercial entities. The US, Iran, Russia and China have all shown their presence on the cyber battleground this year. Iran hacked certificate authority Diginotar for use in surveillance over their own people. Iran also claims to have used electronic warfare, via a GPS spoofing technique, in order to hijack a super-secret stealth drone used by the U.S to gather intelligence. The U.S has publicly admitted to considering a paralyzing cyber attack on Lybia's array of radars, prior to NATO's aerial attacks on Muammar Gaddafi's military forces. The U.S military has deferred this tactic due to many reasons, probably not fully exposed to the public. The Chinese have shown great ingenuity by embedding back-doors within integrated circuits, exported to the western world, and used by, among others, U.S military industries. Imagine American radar, missile and communication systems being surreptitiously controlled by the People's Liberation Army of China. The whole Iran-Russia-China love triangle does not make such visions very comforting. So what does the future hold for us? According to security giant McAfee's predictive report, there are a few trends we can expect in 2012:

Industrial threats will mature and segment
Embedded hardware attacks will widen and deepen
Hacktivism and Anonymous will reboot and evolve
Virtual currency systems will experience broader and more frequent attacks
This will be the “Year for (not “of”) Cyberwar”
DNSSEC will drive new network threat vectors
Traditional spam will go “legit,” while spearphishing will evolve into the targeted messaging attack
Mobile botnets and rootkits will mature and converge
Rogue certificates and rogue certificate authorities will undermine users’ confidence
Advances in operating systems and security will drive next-generation botnets and rootkits

So I guess if you're the paranoid type, this would be a good time to cleanup the old nuclear shelter, store supplies for a year or two, pull all your money of the bank, and disappear off the grid:
Lose your mobile phone, close your Facebook account and stop using any and all electronic devices.
Because after all, just because you're paranoid, it doesn't mean they're not really after you
;-)
So I wish y'all a happy new year, be safe, and as Anonymous likes to end their statements:
Expect us...
Ho ho ho!

Operation Ghost Click - Cyber Fraud Shut Down By FBI

noreply@blogger.com (Raviv Raz) — Sun, 20 Nov 2011 02:57:00 +0000

Operation Ghost Click Illustrated on the FBI website

So once again - who said crime doesn't pay?

In the case before us it paid around 14 million dollars!!

Well, until a bunch of Estonian citizens were busted, compliments of the FBI.

It's really starting to look like a clear-cut as far as national motivation for cyber attacks:

The Russians do it for the money, while the Chinese usually do it for mother country - meaning government espionage. Anyways, back to our Ghost Click tale:

Some dudes set up a fake online advertising agency. They go up to some companies and say "We're gonna bring a shitload of web traffic to your websites. And it's gonna be fairly cheap for you guys. Wanna buy?" So I guess the guys being served with this offer say "Hell yea!" and thus begins the sting.

Next, all these fraudsters need to do is to infect something like 4 million (!!) computers over 100 countries with software called DNSChanger. Then this crimeware they spread, changes the DNS configuration on the victim computers.

So now every-time you wanna surf somewhere, this virus thing directs your queries to the criminals' DNS servers. Surprisingly you pass along the way through some of their redirection pages, to assist in traffic generation. This DNSChanger also prevents some security updates on victim computers, just to make sure it will evade future detection and thus prolong its operation. As I've mentioned at the beginning, this gains the fraudsters around 14 million dollars over 5 years. But this uncontrolled, indiscriminate infection spree reaches unexpected corners of the Internet. Among which, half a million American computers are involved, including major businesses and government agencies such as NASA. Now the Feds are really pissed...

So they seize servers all over the place, and ask the Estonians to extradite the apprehended suspects. And based on recent cases, I'm guessing that if these dudes are handed over to the U.S, they're facing a long-long time in prison. So what's the moral lesson here kids?

If you got 14 million dollars, be happy and content with what you have and don't be greedy. Take time off on some exotic island, cover you tracks, live long and prosper. Otherwise, bad boys-bad boys, a whatcha gonna do when they come for you?

The father of C and UNIX has passed away

noreply@blogger.com (Raviv Raz) — Fri, 14 Oct 2011 01:08:00 +0000

On October 8, 2011, Dennis MacAlistair Ritchie passed away at his home. He was 70 years old, and apparently has been ill for a long time. Being a modest and media-shy person, Ritchie did not receive due credit for his contribution to mankind in his lifetime. While the worldwide media is all occupied in Steve Jobs's death, we must remember that none of his achievements would be possible without Ritchie's preceding inventions. For the younger generation of y'all hackers reading this post, remember his name. Learn about his inventions for they have changed our lives in so many ways I cannot even list them all here. Allow me then to refer you to his Wiki page for more elaborate information: http://en.wikipedia.org/wiki/Dennis_Ritchie

Winner of the National Medal of Technology, and the Turing Award, Mr. Ritchie has invented both the C programming language and co-invented UNIX along with Ken Thompson. Without these two, we would not have any of the many things we're used to seeing around us: personal computers, modern operating systems, smart-phones and tablet computers. Our modern cars, trains and airplanes use the C programming language, satellites and telecommunication equipment. Basically everything we know about computers and computer-embedded devices is based on C. Linux, Android and all Apple OS are derivatives of UNIX. It was a true honor to have a living genius among us, who's had such a disruptive impact on technology as we know it. It was with great sadness that I read about his passing away, for the world would probably not have looked the same had Dennis MacAlistair Ritchie not been part of it. May you rest in peace, we are all grateful for the world you helped invent.

Anonymous Skiddies

noreply@blogger.com (Raviv Raz) — Thu, 22 Sep 2011 22:53:00 +0000

As I released R-U-Dead-Yet for the first time in back in mid-November, I wrote:

"...let the mayhem, anarchy and general fun begin!"

Little did I think some script kiddies (or skiddies for short) would actually take the anarchy part seriously. It was simply my way of saying: have fun, a few laughs and keep it real. I did not say "go knock down some government websites for political gain." In my OWASP lecture on HTTP DoS attacks, I mentioned Anonymous incidents that have taken place earlier. I did mention the asymmetric warfare now boosted by such tools as SlowLoris and R.U.D.Y, and of course I stirred a public discussion around the mitigation of such attacks. However, some people are just too lazy to write their own tools, so they wait for the white-hat hacker community to release open-source code. The aforementioned lamers then rewrite these tools to suit their black-hat purposes and irresponsibly use them for political propaganda. Apparently, such was the case with a bunch of skiddies naming themselves "Anonymous Anarchist Action". They proclaim themselves to be some sort of a communist caucus within Anonymous. Anyway, they were too lame to rewrite the whole R.U.D.Y functionality, so they "borrowed" the core idea and ported it into Ruby. Python to Ruby?? this is definitely blasphemy. I mean, set aside the whole political anarchy and cyber-crime part, why would anyone rape a beautiful language such as Python into an inferior, esoteric language called Ruby? Beats me.

At least this time they did remember to write where this was taken from unlike the uncool, blatant attempt to use R.U.D.Y's code under a different label and run it on Windows. Here's what th3j35t3r had to say about that:

http://th3j35t3r.wordpress.com/2011/02/09/xerxes-for-windows-not-on-my-watch/

Back to our rebel skiddies - in case you want to be in the know of how they do their magic, you can check out what they write about the R.U.D.Y port and the PPT lecture that sparked their inspiration:

https://github.com/NetAnarchisT/eRiot/

If you actually care about their political propaganda, here's their cyber-punk-wanna-be video:

Web Fraud, Lax Security, And Corporate Consequences

noreply@blogger.com (Raviv Raz) — Tue, 20 Sep 2011 22:19:00 +0000

According to Wired, DigiNotar is now going bankrupt. Its Dutch employees are now struggling to get compensated and probably find new jobs. In these recession times, I wish them all the best of luck, and hope they all land on their feet at the end of this unfortunate story.

To those of us who have been out of the scene lately, here's a quick reminder of the DigiNotar tale:

DigiNotar is a Dutch digital certificate authority in charge, among others, of the Dutch government certificates. It has been internally breached, leading to the mass generation of more than 500 fake certificates spoofing high-profile website identities including major spy agencies. Such certificates, in combination with the power to get in between the clients and target websites, could assist in Man-In-The-Middle attacks allowing the attackers to spoof the authenticity of SSL-protected websites and read the contents of encrypted web sessions. It is ironic that the NigiNotar logo states: "DigiNotar – Internet Trust Services". I mean, who can you trust these days?

The Iranian government seems to be the source of these attacks, judging by forensic evidence leading to the origin IP addresses. Consequently, Iranian web users were spied on by their country and sensitive information was obtained by the Iranian intelligence, having intercepted Internet traffic within local ISP's. Iran is no stranger to fraudulent certificates. Its WMD industry has suffered a blow when their nuclear facility in Bushehr was compromised. Using fraudulent certificates, SCADA controller drivers were replaced with seemingly authentic drivers, fitted with an advanced root kit. The Stuxnet cyber attack consequently sabotaged uranium-enrichment centrifuges, delaying the Iranian race to a nuclear bomb. Authentication technology giant – RSA, has also been compromised earlier this year. This breach has eventually led to a serious case of espionage within Lockheed Martin, the manufacturer of fighter jet planes and spy satellites. As cyber espionage increases at a dazzling rate, it is obvious that spyware, crimeware, Tojan horses and root-kits can have tragic implications and disastrous consequences. Negligence in cyber security results in fatal national security breaches, human rights violation, and loss of work places due to bankruptcy.

The FFIEC and Behavior Anomaly Detection

noreply@blogger.com (Raviv Raz) — Mon, 12 Sep 2011 19:00:00 +0000

On June 28, 2011, the FFIEC (Federal Financial Institutions Examination Council) released an update to a 2005 regulation concerning "Authentication in an Internet Banking Environment". The supplement, states that banks need to purchase behavior anomaly detection systems for online banking applications. Here's a quote of what they require online banks to integrate:

"fraud detection and monitoring systems that include consideration of

customer history and behavior and enable a timely and effective institution

response"

Here is their educated reasoning for demanding such systems:

"Based upon the incidents the Agencies have reviewed, manual or automated

transaction monitoring or anomaly detection and response could have prevented

many of the frauds since the ACH/wire transfers being originated by the

fraudsters were anomalous when compared with the customer’s established

patterns of behavior."

Authentication is futile when dealing with modern menaces such as Man-In-The-Browser Trojans. Crimeware now bypasses existing authentication solutions by piggybacking legitimate, unsuspecting web users. The Trojan allows the end client to use whatever method of authentication his bank has provided. Then, when the user has entered his online banking account, the Trojan and the user go their separate ways. While the legitimate user checks his balance, for instance, the Trojan is busy transferring money into a different bank account, trading stocks and retrieving confidential information out of the victim's account.

Monitoring the device's origin and reputation also fails in this case. The victim's PC has never been reported as part of any crime ring or bot-net. In fact, this criminal act might only occur once, so the window of opportunity to catch the crime is very short.

Hybrid Security now offers a solution to all these problems.

For further details on that, read our paper at:

http://www.hybridsec.com/papers/Web-Fraud-Prevention-in-Online-Banking.pdf

Business Logic Manipulation = eFraud

noreply@blogger.com (Raviv Raz) — Wed, 31 Aug 2011 12:04:00 +0000

We all know the regular checklist our dear security consultants bring along every once in a while when it's that time to audit our websites. Most regulations depend on some derivative of the OWASP Top10 list. Therefore, business logic flaws are usually neglected, lest the auditor is especially gifted in spotting those nuances of difference between the workflow in design and the actual implementation of the business logic. I shall now elaborate and give an example. There was once upon a time one Forex website I have had the honor of pentesting. Now, the developers were sharp enough to mitigate the traditional stuff they read about - you know... SQLi, XSS, RFI, bla bla bla. But I was curious to learn more about the business logic flow of the application. Since the baddies do not really follow the OWASP Top 10, I guessed the audit process should take a more creative path in order to anticipate more interesting fraud scenarios. Now, in the Forex world they like to heavily depend upon AJAX and lots of client-side logic. This saves a lot of bandwidth and processing at the server-side. It is supposedly bandwidth friendly and helps keep real-time transactions performance. So, when you trade one currency for another, you have a "pause" button that allows you a few seconds grace time to decide whether this rate is acceptable to trade by. Then when you press it, the client sends your rate data and all kinds of other control data to the server. In this case, I noticed they would also send the per-transaction due commission from the client to the server every-time a trade would be initiated. The balance on my demo account, as I noticed, would consequently decrease by the amount of that commission. First grade arithmetic came in handy when I decided to check what happens when you change the commission amount to a negative number at the client side. Low and behold - subtraction of a negative number resulted in an increase on my balance! A few scripted clicks later (about two minutes) and my demo made me a virtual millionaire. This real-life example for a vulnerability could not be found using automated scanners. A healthy (criminal) examination of what the author intended versus what the programmer thought he was doing versus what the application actually allowed the users to achieve dug up scary logic holes opening up these guys to serious fraud attacks. Bottom line is - when they talk about SDLC, secure by design, secure by implementation, etc. they actually mean it.
Think well about your intended logical workflow and possible diversions from the main path that could lead to bigger problems. State machines are not just academic course material. They actually help us build more robust systems implementing what the designer had in mind and mitigating what malicious users would like to do.

Website Infiltration and Takedown

noreply@blogger.com (Raviv Raz) — Tue, 30 Aug 2011 18:26:00 +0000

I've been so busy this year that I almost forgot I used to have a blog to write :-)
So last month I published a new article on PenTest Magazine discussing some old, yet still relevant, issues.
It's called "Website Infiltration and Takedown" and you may read more at:
http://pentestmag.com/website-infiltration-and-takedown/
Basically I go in-depth explaining the usage of MultInjector and RUDY. Mastering the two results in swift infiltration of website / database servers and / or shutting down their services by bombarding the web server itself using one simple PC. Hopefully this article will satisfy all you curious hackers-to-be who asked for more info on how to run these tools to create the most damage and anarchy.
Other than this stuff, I've been busy founding a new company - Hybrid Security.
We have developed a unique new product called Telepath, which uses artificial intelligence to spot suspicious users of websites. It's all very exciting stuff, since the old-school information security was really starting to bore me as a same-old-news field. I shall write more about web fraud in the future, as time allows.
It was interesting to learn that traditional infosec guys do not usually speak fraud terminology, while fraud investigators know little about web application security. Hybrid Security brings these two worlds together, offering a holistic solution against nuisances from both the fraudster and the hacker communities.
Stay tuned for more news on that.

2010 Top Web Application Hack Attacks

noreply@blogger.com (Raviv Raz) — Sun, 30 Jan 2011 22:11:00 +0000

I must admit that I was curious just like everybody else, what 2010 will look like, retrospectively, through the eyes of the international infosec community. The WASC Real-Time Statistics shows an objective analysis based on known incidents that can be filtered by year. Here are some very interesting facts:

Out of the known attacks, it seems Denial of Service has become the most widely spread attack around the world. With the Anonymous group creating much media fuss, it was not clear at first whether DoS is more spotlight material in the news or a real epidemic. Now we know. With the introduction of universal HTTP attacks using slow HTTP headers and POST parameters in 2010, DoS against websites is finally common commodity. SQL Injection is still number 2, meaning people either use old software or keep bad habits in their programming paradigms. Check out the total distribution of attacks in the following chart, cutesy of WASC:

2010 Web Application Attacks

Combined with large vulnerability exposure surface in common web applications, these attacks are lethal when vulnerability meets exploit. If DoS is our topic of the year, then from the chart below we see that Insufficient Anti-Automation is probably the vulnerability of those who fall victim to automated attacks. Evermore, in a security world based mainly on signatures, tailor-made bots working against specific websites bypass predefined vendor-written signatures very easily since their uniqueness is usually their behavior rather than some silver-bullet-signature found in their HTTP requests. In order to spot these culprits, website owners will have to differentiate their normal users from the automated ones. It is, once again, time for the Turing test. Hybrid Security now offers such anti-automation techniques in its Telepath product, using artificial intelligence to model normal user profiles and spot the none-human-looking others.

Obviously, improper handling of user-bound data takes the second highest place, since the vast entropy of possible input and output is rarely ever anticipated by the application architects during design or deployment stages. Check out the chart below for the full vulnerability picture in 2010:

2010 Web Application Vulnerabilities

The outcome of web application compromising tends in 2010 to divide between damage to the website owners, damage to the website users, or damage to all sides (including the hackers themselves that got themselves busted in 2010). I would say that credit-card stealing malware downloaded from your website to all your customers usually winds up in your customers being robbed of their money, and you being robbed of your customers. Leakage of information from the website causes great embarrassment to both sides, usually ending up in law suits and damage to the company's public image. Downtime or defacement...? hmmm... which would you say is the less of two evils? Would you rather have your website unaccessible to clients and prospects or have your front page show nasty pictures and foul language?

Because these are the usual consequences, when the above vulnerabilities are left unattended and the above attacks finally find their way to your website. And by the way, if you're a website manager, you've probably noticed that it doesn't take more than a day for the bots to discover your website from the moment your domain record is published. If you're not scared enough yet, check out this last chart:

2010 Web Application Attack Outcomes

R-U-Dead-Yet Version 2.2

noreply@blogger.com (Raviv Raz) — Fri, 21 Jan 2011 15:59:00 +0000

I forgot the fact that people develop hunger for features and bug fixes even when software is open-source and free. Oh well, I guess that's a responsibility that comes with the will to satisfy your end users.

Here comes version 2.2 of R-U-D-Y. It is the same one I used for the demo at the OWASP lecture.

It may fix some of the problems I heard people complain about. Mainly handling ports other than 80 at the attacked server. Not too sure if it socksifies well, but that's what you guys are out there for. Test it and let me know if it works better now.

Some links:

The OWASP 2011 Lecture about Layer-7 attacks and mitigation:
http://www.hybridsec.com/resource.html
You will also find the RUDY download at the above link
If ya read Hebrew, here's an article about it on Haaretz newspaper:
http://www.haaretz.co.il/captain/spages/1210072.html

Universal HTTP DoS - OWASP 2011 Presentation

noreply@blogger.com (Raviv Raz) — Sun, 16 Jan 2011 19:14:00 +0000

Well, the first OWASP meeting for 2011 in Israel was overwhelming in attendance.
Over 90 people attended what was not even the main event of the year. For a country this small, I believe this could only indicate there's a lot of curious minds in Web Application Security around here.
As I promised, my presentation on Universal HTTP Denial-of-Service Attacks is now available online on Hybrid Security's website at this location:

http://www.hybridsec.com/resource.html

You may also find some important references to attack and mitigation tools on the last slide.
Enjoy!

R-U-Dead-Yet Version 2.1

noreply@blogger.com (Raviv Raz) — Sat, 08 Jan 2011 02:28:00 +0000

Thanks to Mr. Ryan Barnett from Trustwave, A bug has been brought to my attention in R.U.D.Y.
This is not acceptable. The issue involved a certain HTML parser not returning correct URL's.
Well, it was not my HTML-parsing code to begin with, so I had to write an awful workaround.
But hey, it's working now so every skiddy can run it using the interactive menu.
The forms and their post action url's are now parsed correctly. So here comes v2.1 with the bug fix.
Download at:
http://www.hybridsec.com/tools/rudy/

Layer-7 Denial of Service Attacks - OWASP ISRAEL 2011

noreply@blogger.com (Raviv Raz) — Fri, 07 Jan 2011 16:05:00 +0000

Well, you can finally write this date in binary: 11.1.11
Or in human date: January 11 2011 - The first OWASP Israel gathering in 2011.
It's a new dawn and a new day, but the underground still strives toward the same goals.
At the OWASP meeting, I will talk about the impact of HTTP DoS attacks, as influence for political and cultural protest. Manifested by, among others, the Anonymous group, DoS attacks have caught much of the media attention in 2010. This in turn, attracted the spotlights to the causes for which these protest groups operated.
Thus enter politics into the cyber warfare plain. We will focus, though, on two techniques mainly:

Here's a digest of the lecture:

http://www.owasp.org/index.php/OWASP_Israel_2011_01#19:00_-_19:30.C2.A0:_Universal_HTTP_Denial_of_Service

Here you can download R-U-Dead-Yet:
http://www.hybridsec.com/tools/rudy/

If you join us at OWASP, drop by and say hello!

Raviv.

WikiLeaks and Business Logic Flaws

noreply@blogger.com (Raviv Raz) — Tue, 14 Dec 2010 21:49:00 +0000

There's been a lot of hacktivism backing up positive and negative feelings towards WikiLeaks lately.
There's been a lot of buzz around the DDoS attacks both against WikiLeaks and WikiLeaks condemners.
So this will not be a talk about WikiLeaks or DDoS :-)
My thoughts actually wandered to that junior soldier, bored and disgruntled against the system. That very same individual who went rogue one day, be his motives justified or not. I imagined him sitting down at his computer just like any day, punching in the usual password and then dumping tons of sensitive data onto a CD or USB disk. Confidential intel has probably been secluded from the Internet, yet the human factor has overcome all authentication, authorization and access control mechanisms appropriately implemented.
Hold on... let's pull out our system administrator checklist:

Was this soldier on some kind of a black list? probably not, since he's gained complete access to incredibly embarrassing amounts of sensitive information.
Was this soldier on some kind of a white list? probably so, since he was allowed to extract the aforementioned data.
Was access control in place and working that day? Maybe so, but this specific soldier may have been exposed to what he was supposed to be due to his usual work.

So where have we gone wrong when the people we trust are able to use and abuse the system from within?

Perhaps we are accustomed to look at our security systems in black and white colors. We have become color blind when we attempt to characterize human behavior as black or white. Human beings tend to be predictably unpredictable. Though, for a while, all of us do our best to seem predictable by sinking into our daily work routine, apparently some of us are eventually overcome by a mischievous state of mind. A certain percent of us actually do something about their malicious fascinations. This is certainly not suspicious by the security measures laid out yesterday, but tomorrow's behavior is not always anticipated by yesterday's rules. It is wake up calls like this one that may just signal the end of security management as we know it. There was a flaw in the business logic, but that logic probably did not adapt itself to the ever changing human behavior. If we were to study every move, every action and reaction triggered by that soldier on a day-to-day basis, we might have actually spotted this unfortunate anomaly created in a sudden burst one day. .Our current vision on security neglects the assumption that human behavior is perpetual and not static. Intimate acquaintance with our IT user population could one day mitigate our surprise in light of new, malicious behavior originating from well-known users. Not that I claim existing rule-based systems should be deprecated. But a hybrid rule-based and behavior analysis integration is probably going to provide us with a better resolution and visibility. No more shall colors be then limited to black or white.

Cometh the age when we see different shades of security.

R-U-Dead-Yet Version 2.0

noreply@blogger.com (Raviv Raz) — Sat, 20 Nov 2010 14:05:00 +0000

R.U.D.Y v2.0 now features the following capabilities:

Concurrent connections using parallel processes enables multi-cpu optimization
Automatic form and field detection to ease user's selection of attack vectors
Interactive text menu allows almost anybody to fire up R.U.D.Y
SOCKS4 proxy support allows usage of proxies such as Tor for dynamic IP migration
Cookie detection and usage guarantees session persistence across connections

Download:
http://www.hybridsec.com/tools/rudy/

Let the anarchy continue...
Peace,

Raviv.

Universal HTTP DoS - Are You Dead Yet?

noreply@blogger.com (Raviv Raz) — Tue, 16 Nov 2010 16:48:00 +0000

A generic flaw in the way HTTP works?
Now that's the kinda stuff I always like to hear about.
Oh, you mean to tell me that once again Web Application Firewalls cannot stop this attack?
Allow me to put on my "surprised" face again. Of course WAF cannot handle this. WAF do not really detect traffic anomalies. WAF simply do what they were programmed to do - detect pre-defined white/black list patterns.
Here is the OWASP lecture about this class of attack:

http://hybridsec.com/resource.html

So trivial we all wonder why nobody's thought of this prior to late 2010...
We simply find a nice web form to flood with never-ending POST values.
Add in connection concurrence in the tens-to-hundreds scale per client, et voilà:
Application layer Denial-of-Service attack.
At the time of this writing, I could not find any efficient PoC code. So I wrote my own.
Introducing: "R-U-Dead-Yet" or R.U.D.Y.
Distributed or not, this baby knocks down websites and web-enabled devices.
Apache? No problem for R.U.D.Y. IIS escaped the SlowLoris attack? it won't escape this time. Think you're ok cuz you wrote in ASP.NET / Java / PHP / whatever? Guess again. This attack is universal!
All you need could be an antique machine running Linux (tested and verified with Ubuntu).
With built-in detection of web forms and form fields suitable for attack, and unattended execution using pre-defined configuration files, this tool is simple enough for anyone to use.
I know not of any firewall / IPS, including WAF, that will currently cope with this attack.
And of course, as cyber warfare is our current hype, SCADA systems using web interfaces can also be attacked, according to the researchers behind the idea. Considering automatic discovery of Web-facing SCADA equipment using the SHODAN search engine, this could be major...
So without much further ado, let the mayhem, anarchy and general fun begin!

Download R-U-Dead-Yet at:
http://hybridsec.com/resource.html

Stuxnet - Cyber Warfare In 2010

noreply@blogger.com (Raviv Raz) — Tue, 21 Sep 2010 23:16:00 +0000

A Russian technician at the Bushehr nuclear facility

Well, we all thought it, but the media now got the title it was looking for:
Iran had been attacked using a sophisticated cyber-warfare tactic. Many speculations may be drawn given the evidence, so let us examine the hard facts:

60% of the targets Stuxnet had affected were based in Iran
Stuxnet was purposely built for Siemens SCADA infrastructures. These are mainly used in power plants, manufacturing plants, national infrastructures and the like. Oddly enough, it seems Siemens is heavily invested in Iran's industrialization, since their systems are abundant there.
The attack involved much more than just software infection. Social engineering must be required in order to persuade German or Iranian employees to plug a usb disk directly into sensitive networks. The interesting stuff inside those networks must be well separated from public networks (or not?)
Four, not one, not two, not three - four 0-day exploits comprised Stuxnet's arsenal. It is not easy to retain such discoveries for a long period nowadays, not with Adobe and Microsoft keeping their own skilled security researchers and having the source code as head start. Two sources of funding pop to my head, given this type of R&D: organized crime and governments.
Organized crime may be interested in squeezing out credentials and money from people. I would even go as far as saying industrial espionage has some degree of benefit to criminal gangs as well. However, Stuxnet was a pinpointed threat to specific industrial systems, which seems more worthwhile for certain governments to invest in. The Iranian power plants are hardly state-of-the-art knowledge to gain from using industrial espionage, when compared with more attractive G8 nations.
Several nations have top priority interest in sabotaging the Iranian nuclear arms race. Out of which, I would say all possess advanced cyber warfare capabilities. The U.S and NATO members et al have long been a force to be reckoned with when it comes to electronic warfare.

So we've established a definite motive and a victim, and of course . So who is the perpetrator? perhaps we will never know. Perhaps it is too political to get into. It's not the point of this article. The point is that air force and naval attacks seem to clear the way in 2010 to negotiations and cyber warfare strategy. Is this a new type of war between global powers?

And for the finale, there's always a Russian or Chinese connection, so here's the twist:

Some unknown company from Belarus was the first to discover Stuxnet. Here is a map showing the distance between Moscow and Minsk. I leave it up to you to ponder this time:

Hacking National Infrastructures - SCADA Exposed

noreply@blogger.com (Raviv Raz) — Mon, 05 Jul 2010 00:26:00 +0000

Screenshot from SHODAN

Are national infrastructures at risk from cyber terror? Definitely!
What are potential targets? Power grids, water utility companies, oil pumps, large factories and many more interesting ones. How can they be reached? It's just a phone call away over cellular or landline, via Internet, and of course they now offer web interfaces so the job becomes easier and more familiar.
As disclosed recently on ReverseMode.com, a few fatal mistakes expose some SCADA equipment vendors to major problems in security. What is SCADA you ask? Well, that's the type of equipment targeted to command & control major infrastructure devices such as the ones used in power grids, telecommunication networks and other fun national toys. Hmmm... We never looked that way, say the black-hats among you evil readers. We only tried web applications so far. Well, it appears that vendors such as intellicom are not any different than others, except maybe they've had a longer period of discretion hiding behind government-classified systems. Nevertheless, you know what they say: security is not obscurity. And thus, after much buzz around cyber security by the Obama administration somebody actually sat down to reverse-engineer the leading protocols in the SCADA world (HICP), understand their inherited weaknesses - such as little to no authentication, and actually fuzzed some popular piece of software the good old-fashioned way just to find that buffer-overflows still plague these systems. You have to understand that in SCADA business, secure software development is not the hottest topic taking into account that TCP/IP is not even around in some systems, and web interfaces are like WOW... for some of these guys. Shocked enough yet? hold on, here comes the best part: Ruben Santamarta, the researcher behind this project also introduces a search engine - SHODAN, that allows locating some SCADA Internet-facing Web interfaces around the globe. I guess it did not come to me as such a surprise, having heard in the past that some oil barons like to wake up in the middle of the night and watch and control their oil pumps over Web interfaces.
With the rise of cyber super-powers such as China and Russia, it is this writer's belief that a major cyber attack is already in the works. If it hasn't struck already, unreported to the public, it is certainly imminent. For the skeptics, here's a video showing Amazon falling victim to such Web SCADA cyber attack:

Let this be a wake-up call to all vendors / operators / integrators of SCADA infrastructures: secure development life-cycles may be nice-to-have for others. For you guys, this may be the last chance to fix things up before the bad guys arrive. The storm is already on the horizon, posing a clear and immediate danger in our contemporary political climate.

Multinjector Is Back

noreply@blogger.com (Raviv Raz) — Mon, 17 May 2010 17:07:00 +0000

It's been too long since Multinjector's last release. The world has evolved, and all the script kiddies need their toys to be upgraded. Great news for everyone: although slow-paced, we are back soon!
We have new programmers on board, and great new capabilities expected in Multinjector 0.4
We may not finish inserting all the features I promised in the past. Heck, We may not even have all the features I'm about to tell you in this version but hey - you get it for free so what else can you ask for? :-)
Here's a short list of what we're currently working hard to put into Multinjector 0.4:

A fully functional website spider able to collect URLs and form fields given a home page
Remote File Inclusion attack added to enable multi-threaded web shell injection attacks
Success verification - alerting the user which locations are injectable
Download from Hybrid Security's website:
http://www.hybridsec.com/tools/multinjector/MultiInjector.py
Additional blindfolded SQL injection techniques
web shell upload via SQLi / Remote File Inclusion
Dynamic IP hopping using the Tor anonymous network

We have a clear vision to provide you with the most automatic and easy-to-use open-source web application attack tool in the world. Feature requests, feedback and questions are very welcome to my email:

So be sure to check up with us regarding the release date.

Peace,

Raviv.

2009 - Rise of The Bots

noreply@blogger.com (Raviv Raz) — Wed, 06 Jan 2010 17:46:00 +0000

First off, I'd like to wish a happy new year to everyone who's reading this.

It's been a fascinating year in the evolution of black-hat hackers. Several security vendors compiled summary reports of 2009 information security incidents, such as McAfee. But you don't need to be an oracle, if you're in the infosec industry to see what's going on and how it could impact the near future.

Viruses are dying out, giving place to sophisticated, distributed-networking spyware. We're no longer up against script-kiddies writing new polymorphic viruses to impress their friends. The AV vendors handle those easily these days. We're fighting well organized-crime cartels trafficking billions of dollars stolen around the globe electronically. We're protecting our online financial and government resources against foreign nations and criminal tiger teams. They are infiltrating millions of corporate and home computers every month, piggybacking innocent high-profile websites to spread their infections. On the client side, they use anything from Microsoft Office exploits to Firefox plug-ins, our media players, our document viewers and for two years now, our smartphones as well.

The server side attacks concentrate on shellcode injections aimed at plugins for application frameworks such as WordPress, full-scale compromise of web-aware devices behind NAT using simple Cross-Site Scripting vulnerabilities, and all this becomes easier with the help of ready-made click & shoot attack frameworks such as Metasploit and W3af.

Brute-force attacks and buffer overflow injections are still very common showing that system administrators have not yet found silver-bullet solutions for policy enforcement and patch management.

Prices are down now for the criminal arsenal needed, thanks to the cloud revolution and the enhancement of off-the-shelf hardware. Your phone conversation can now be tapped on, thanks to A5/1 rainbow tables enabling online decryption of the GSM encryption algorithm. Cloud computing offers cheap and instant access to great computational horsepower. WEP and WPA encryption for wireless networks cannot withstand the brute-force cracking achievements offered by modern CPU and GPU and the improvisation of a few old PC machines hooked up together as a virtual home cracking lab.

The next big challenge we're facing in 2010, if you ask me, is the old Turing test seeking the plain answer to the question:

Is the entity at the other end of the line really human or just some clever machine?

Where's Neo when we need him...?

:-)

DDoS Attacks In Korea - Forensic Analysis

noreply@blogger.com (Raviv Raz) — Mon, 13 Jul 2009 08:31:00 +0000

Background

In addition to ballistic missiles and nuclear bombs, it seems North Korea has established its stance in cyber terror. And like in all other disciplines, it has done so on a massive and global scale.

During July 2009, major government and commercial websites in South Korea and the United States have been subjected to heavy Distributed Denial of Service attacks which, according to intelligence agencies in both countries, were orchestrated by a special cyber warfare unit belonging to the Korean People's Army in North Korea.

The cynical use of South Korean PC's for Distributed Denial of Service attacks against South Korean websites has posed a major problem for the government to cope with. Had this been of foreign origin, the South Korean authorities would probably have used the existing national firewalls at their disposal to mitigate the flood. Gathering from initial probes conducted by the South Korean Information Security Agency (KISA), we learn these amazing facts about the latest attacks:

Distributed Denial of Service Attacks

The viral bots infected around 25,000 PC's. Taking into account the amazing broadband speeds offered in Korea (~40 Mbps), this creates a force to reckoned with.
The infection was performed via emails, infecting the victims with malware downloaded from at least 25 servers, also compromised by the attackers
At its peak, the attacks were observed to reach ~13 GBps of DDoS floods!! A stream that could knock out the entire national bandwidth of some countries...
The infections began somewhere in May 2009
Most of the attacks (93%) were using standard HTTP GET requests, simulating various ordinary browsers surfing to the victim websites, though UDP and ICMP (ping) floods were also utilized against the target websites

Infection Procedure

Various dll files are created under the Windows system directories, masquerading as system files
.nls files are created to store the attack configuration and directives
No external source, such as a bot controller, is involved. Each bot operates autonomously.
The addresses of the target websites to be flooded were hardcoded into the bot code (see list below)
The attacks would be launched from each PC at a rate of every 1 minute
The HTTP requests were instructing the target web servers not to cache requests / responses, thus creating an extra load on the servers' resources
The bots were registered as drivers in the Windows registry
The Windows firewall was disabled in order to allow seamless operation

DDoS Anatomy

Surprisingly, static code analysis of the bots revealed that the DDoS attacks seemed like legitimate HTTP GET requests. Drawing from KISA's forensics, this is how the requests were constructed:

Seen clearly in the above code, all HTTP headers are variable to adjustments, in order to simulate versatile web browsers, and avoid static signature detection.

Target Websites

Drawing on the list compiled by KISA, as found hard-coded within the bots, the list of DDoS victims included high-profile mission critical websites such as the American and South Korean parliaments (White House & Blue House), The New York Stock Exchange and selected newspapers such as the Washington Post.

Hereby is the complete victim list:

www.president.go.kr
www.mnd.go.kr
www.mofat.go.kr
www.assembly.go.kr
www.usfk.mil
blog.naver.com
mail.naver.com
banking.nonghyup.com
ezbank.shinhan.com
ebank.keb.co.kr
www.hannara.or.kr
www.chosun.com
www.auction.co.kr
www.whitehouse.gov
www.faa.gov
www.dhs.gov
www.state.gov
www.voanews.com
www.defenselink.mil
www.nyse.com
www.nasdaq.com
finance.yahoo.com
www.usauctionslive.com
www.usbank.com
www.washingtonpost.com
www.ustreas.gov

Was this a sinister scheme to disrupt global market activities?

How successful were these attacks? Did they in any way affect the NASDAQ trading?

How will the American government react to these attacks following the recently announced cyber-security plans?

Stay tuned for more updates on the newly waged cyber-war...

Milw0rm is dead :-(

noreply@blogger.com (Raviv Raz) — Wed, 08 Jul 2009 13:23:00 +0000

In a sudden announcement, the website's owner (a.k.a Str0ke) broke the news to the world saying he will no longer have the time to manage and update the website.

Fresh exploits, video tutorials, online password cracking and more goodies were offered free of charge at Milw0rm. It is with much regret and sadness that we receieve the news.
I would like to use this opportunity to thank Str0ke for the wonderful resources he has put at our disposal, his precious time, knowledge and enthusiasm.
You have set new standards for the hacking community at times where greedy security companies offer exploit code and technical advisories for unrealistic amounts of money. Here's the relatively brief explanation for the shutdown by Str0ke:

"Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past. Be safe, /str0ke"

And a last screenshot of the website's main page:

For support emails and thank you's, here's Str0ke's email address:

str0ke@milw0rm.com

So long and a thousand thanks milw0rm !!

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit

noreply@blogger.com (Raviv Raz) — Sun, 24 May 2009 15:19:00 +0000

First off, for the impatient, here's the PoC.

You may download WebTuff at the following locations:

Source:

http://www.hybridsec.com/tools/webtuff/WebTuff.py

Windows Binary:
http://www.hybridsec.com/tools/webtuff/WebTuff.exe

Well, I must admit we all missed it. Just when we thought it was over, it's making a come back:
IIS 6.0 once again shows leaks in its input validation. I know most of you probably got to this page because you just want to download the script kiddie tool. So to cut a long story short,
when using WebDAV commands against an IIS 6.0 server with the WebDAV extension installed and enabled, cutting the URI path in the middle and inserting these control characters:

%c0%af

allows a quick and easy bypass of the access control list applied upon the WebDAV exposed web folders.
This can definitely lead under some circumstances to:

web shell upload - creating a backdoor
website defacement
passwords and sensitive information theft
local execution of uploaded malicious code

Here is what Microsoft has to say about that:

http://www.microsoft.com/technet/security/advisory/971492.mspx

The following WebTuff utility is a proof of concept that performs the following actions:

Try to retrieve the file at the given URI using a simple WebDAV GET command
Try to retrieve the file at the given URI using a simple WebDAV GET command, and the assistance of our friends %c0 and %af in the middle of the URI
Save the retrieved file locally and / or report server response

You may find a whole lot of other web application hacking tools at:

http://www.sn3akers.com

Python and Alternate Data Streams

noreply@blogger.com (Raviv Raz) — Tue, 21 Apr 2009 21:50:00 +0000

I've been asked to release the source code of the hiding / unhiding utilities for Windows that were posted previously on this blog
You may find the Python code at the bottom of this post.
A little brief walk through the techniques used here:
Firstly, I recommend you read the following article about ADS.
They explain the dangers of the underlying filesystem known as ADS,
serving as a relic of Macintosh filesystem compatibility:
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
Since this filesystem is kinda "invisible" to the Windows Explorer, files (including executables) may reside undetected within the same directories. Here's the shocking part, embrace yourselves:
All you need to do is prefix the filename with a colon, for example:

malicious.exe

becomes:

:malicious.exe

et voila, the file becomes invisible.
But having played with this vanishing act for a while, you start missing your files.
Alas, you don't exactly remember anymore the file names, and now they're hidden :-(
This is why another hidden file named index.dat is created under the directory, containing a list of all the hidden file names. This later on serves the unhide utility to rename the hidden files, thus making them visible again.

Usage:

hide and unhide commands may be run from the Start->Run prompt or from any DOS prompt window.
In order to hide the files in a directory (not including subdirectories):
hide c:\test
In order to hide the files in a directory (not including subdirectories):
hide c:\test

Remember !! Do not add a slash at the end of the directory name ! (c:\test\)

Hope you enjoy, and use this for positive purposes only (-:
Here are the links to the Python files:

http://www.hybridsec.com/tools/vanish/hide.py
http://www.hybridsec.com/tools/vanish/unhide.py