Wednesday, December 5, 2012

Fake Name Generator: For What Purpose?

I was reading another Lifehacker article, this one focused on removing your Internet footprint as much as possible.  One section suggested using fake details when signing up for future services, and referenced fakenamegenerator.com.

I can see this service having one or two straightforward uses, such as the one above, but it seems very oriented towards malicious intent.  I'm not sure why, but maybe it's the amount of detail it provides for you, which includes (hopefully fake) Social Security numbers!

My questions are: 

  • Why take the time to generate this much false data?
  • For what reason would you make it public?
I'm asking for comments to get perspective.  What legitimate purposes could this be used for?

Tuesday, November 27, 2012

Android 4.2 Security: App Signatures

It seems to be common knowledge now among security professionals that malware makes its way into the Google Play Store.  In an attempt to control the surge, Google is stepping up its efforts to clean house with the security updates in Android 4.2.

One central mechanism appears to be reputation-based recognition of APK files, aimed at apps installed from outside Google Play (sideloaded APKs), which Google's store-side scanning never sees.  When an APK is about to be installed on the device, an identifier for the app (most likely a hash of the file rather than the developer's signing signature) is uploaded to Google's servers for a reputation check.  It's cross-checked against Google's list of known and reported malware, and if the app is known to be bad, the server's response tells the Android Package Installer to block the installation.  If the reputation is merely suspicious, for instance because the app requests dangerous permissions, it asks you to confirm that you're comfortable installing it and lists what access it's requesting.  ComputerWorld has a more in-depth explanation for interested parties.  The only downside to all this is that unless you're rooted, we all have to wait on our carriers to release the update through their vetting process.  One caveat: if the identifier really is a plain file hash, a repackaged variant of known malware is a different file with a different hash, so the blocklist only catches what has already been reported.
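Here's a toy model of the check described above, as an added example (not Google's code or protocol): the client computes a SHA-256 digest of the APK, a "service" blocks digests on a constructed blocklist and prompts on a constructed list of dangerous permissions, and a repackaged copy shows the limit of a pure file-hash blocklist.  The manifests, the APK contents and the policy are all constructed for the example.

```python
"""Added example, not Google's code: a toy model of an APK reputation check.
The client hashes the APK and asks a service for a verdict; the service
blocks known-bad digests and prompts on dangerous permissions. The APK
contents, the blocklist and the permission policy are constructed."""
from __future__ import annotations

import hashlib
import io
import re
import zipfile

# Constructed policy: permissions that should trigger a confirmation prompt.
DANGEROUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed manifests. Real APKs carry a binary XML manifest; plain text here.
MANIFEST_SMS = """<manifest package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
MANIFEST_CLEAN = """<manifest package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def build_apk(manifest: str, dex: bytes) -> bytes:
    """Build a minimal zip standing in for an APK (unsigned, fake dex).
    Fixed timestamps keep the digest stable from one build to the next."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("AndroidManifest.xml", manifest.encode()), ("classes.dex", dex)):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            z.writestr(info, data)
    return buf.getvalue()


def apk_sha256(apk: bytes) -> str:
    """What the client sends: a digest of the file, not the signing certificate."""
    return hashlib.sha256(apk).hexdigest()


def requested_permissions(apk: bytes) -> set[str]:
    """Read the <uses-permission> entries out of the (plain-text) manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
    return set(re.findall(r'<uses-permission\s+android:name="([^"]+)"', manifest))


def reputation_verdict(apk: bytes, blocklist: set[str]) -> tuple[str, set[str]]:
    """Service-side decision: block known-bad, prompt on risky permissions, else allow."""
    if apk_sha256(apk) in blocklist:
        return "block", set()
    risky = requested_permissions(apk) & DANGEROUS_PERMISSIONS
    return ("prompt", risky) if risky else ("allow", set())


def repackage(apk: bytes) -> bytes:
    """Append one harmless file. Same code, new digest: a pure file-hash
    blocklist does not recognise the repackaged variant."""
    buf = io.BytesIO(apk)
    with zipfile.ZipFile(buf, "a") as z:
        z.writestr("assets/pad.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    bad_apk = build_apk(MANIFEST_SMS, b"dex\x00")
    blocklist = {apk_sha256(bad_apk)}               # constructed "reported malware"
    print(reputation_verdict(bad_apk, blocklist))             # ('block', set())
    print(reputation_verdict(repackage(bad_apk), blocklist))  # ('prompt', {'android.permission.SEND_SMS'})
    print(reputation_verdict(build_apk(MANIFEST_CLEAN, b"dex\x00"), blocklist))  # ('allow', set())
```

The repackaged copy falls through to the permission prompt, which is why a reputation service needs more than a list of file hashes to keep up with malware that is re-signed and re-uploaded under new names.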

This highlights another concept that's rapidly spreading among people getting into the software security space: leveraging the user base to protect the cloud.  I'll post another note expanding on that concept soon.

Sunday, November 25, 2012

Error Handling: Another Attack Surface to Minimize

Friends of mine know that I'm a huge Lifehacker.com fan.  I was reading a recent article discussing how, even though there's ample support for letting people rip their own DVDs to multiple devices, the U.S. Copyright Office still considers it illegal.  On a quick side note, the legal term for this activity is "space shifting."

Anyway, the post references the Internet Blueprint, a site apparently dedicated to discussions and petitions about how the Internet should be governed.  Interested, I clicked the link to see what was on this "Internet Blueprint," and when the page loaded, what did I see?  This:


One secure-coding practice is handling errors so that anyone who "fuzzes" the web application only ever sees a generic error page, with the details going to a server-side log; that way an attacker has a harder time making sense of what's running.  From this error, however, I can clearly see that the site runs on WordPress, and the filesystem path in the message reveals the directory structure, both of which feed an attacker's "fingerprinting" of the system.  In WordPress terms, avoiding this means WP_DEBUG off in production (or WP_DEBUG_DISPLAY false plus WP_DEBUG_LOG if you need the detail) and display_errors=Off in php.ini, with log_errors=On so the detail still lands in a log you control.
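As an added example (not the Internet Blueprint site's code, and in Python rather than the site's PHP), here is the same failure served two ways by a minimal WSGI app: the leaky handler does what display_errors=On does for PHP, and the hardened one gives the visitor a generic page with a reference id while keeping the path in a server-side log.  The app, its failing "plugin" path and the log are constructed.

```python
"""Added example, not the site's code: one unhandled exception, served two
ways. leaky_app echoes the exception and traceback (file path included) to
the visitor; hardened_app returns a generic page with a reference id and
logs the detail server-side. App, failing path and log are constructed."""
from __future__ import annotations

import logging
import traceback
import uuid
from io import StringIO

LOG_STREAM = StringIO()                    # stand-in for a log file on the server
log = logging.getLogger("example.app")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_STREAM))


def load_plugin(name: str) -> None:
    """Constructed failure: mimics a CMS plugin whose include file is missing."""
    raise FileNotFoundError(f"/var/www/html/wp-content/plugins/{name}/init.php")


def handle(environ: dict) -> str:
    """Constructed routing: '/' works, '/petitions' hits the failing plugin."""
    if environ.get("PATH_INFO", "/") == "/petitions":
        load_plugin("petition-widget")
    return "welcome\n"


def leaky_app(environ, start_response):
    """What display_errors=On looks like: the visitor gets the whole story."""
    try:
        body = handle(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
    except Exception as exc:
        body = f"Fatal error: {exc}\n{traceback.format_exc()}"
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [body.encode()]


def hardened_app(environ, start_response):
    """Generic page for the visitor, full detail (keyed by a reference id) in the log."""
    try:
        body = handle(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"), traceback.format_exc())
        body = f"Something went wrong. Reference: {ref}\n"
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [body.encode()]


def call(app, path: str) -> tuple[str, str]:
    """Drive a WSGI app in-process and return (status, body) for a GET."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(call(leaky_app, "/petitions")[1])      # path and component names on screen
    print(call(hardened_app, "/petitions")[1])   # generic text plus a reference id
    print(LOG_STREAM.getvalue())                 # the detail, server-side only
```

The reference id is the piece people forget: it lets support staff find the full traceback in the log without ever putting the traceback in front of the visitor.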

I thought it was interesting and decided I'd share the thought.

Sunday, November 11, 2012

Interesting Chrome Extension: "In My Words"

I just read about it on Lifehacker.  The function of In My Words is to replace words on the fly, as you browse the Internet, with words you specify.  David Galloway, the author of the article, suggests using it to replace words you find annoying.  If you're reading comments and are tired of seeing "OMG", "LoL", etc., this tool can replace those words with, for instance, "That's Funny."

When I was younger, I was a big fan of Mad Libs, where you get a sentence or a paragraph with words missing and have to make up the missing words.  It's played as a team game: the person writing the replacement words asks the other person for a noun, verb, or adjective to fill each gap.  At the end, the result is read aloud, and sometimes it's hilarious.  Anyway, I'm thinking this extension could be used the same way.  Might be a fun distraction.


Thursday, November 8, 2012

Windows 8 Pain Point #2 - Erased, Wireshark Functions!

I wanted to look at a packet capture today and realized I hadn't installed one of my favorite tools: Wireshark.  For the uninitiated, Wireshark on Windows depends on the WinPcap capture driver, and the Wireshark installer installs WinPcap at the same time.  Much to my dismay, the WinPcap installer fails due to "known compatibility issues" with Windows 8.

Even after downloading WinPcap separately and switching the compatibility settings on both installers to "Windows 7," it still fails.  I know it's only a matter of time until the folks at Wireshark/Riverbed update their software, but I'm saddened all the same.

Since I use Wireshark pretty frequently, I'll post an update once I get a working version.

Update (12/6/2012): I got the WinPcap driver to install!  Just download the current version of Wireshark and install it.  It will error out during the WinPcap step, but that's fine; complete the installer anyway.  Once you finish, go to the directory in which you installed Wireshark and right-click on the WinPcap installer executable.  On the "Compatibility" tab, set it to Windows 7 and check "Run this program as an administrator" at the bottom.  Then, when you run it, you'll still get the compatibility error, but at least you can click "Run the Program" to get it installed.  Keep in mind that this loads a kernel-mode capture driver (npf.sys) that its authors had not yet tested on Windows 8, so treat it as a workaround rather than a supported setup.

What I also notice is that, when taking a capture (which works fine), it no longer lists the adapter under the interface name I was used to; now it's just under a "Microsoft" interface.  But hey, it works!

Update (01/31/2014): I realized that I forgot to update this post.  Wireshark now works seamlessly on Windows 8/8.1 with the most recent version.

Windows 8 Pain Point #1


Continued from Three great things about Windows 8 so far...

The hotkey driver was another matter.  For starters, there was no driver for it in the Windows 8 64-bit driver set listed on Sony's website!  For those who have ever loaded an OS from scratch, this will immediately bring to mind one of the greatest features hotkeys provide: adjusting the brightness without having to navigate through control menus.

So there I was, squinting at my screen, pondering my next step.  Since Win7 provided backwards compatibility for applications, I figured Win8 did as well, so I downloaded the Win7 version of the driver.  Running the install program failed with a prompt informing me the driver couldn't be loaded for this OS.  I then hoped that maybe Sony had rolled the hotkey functionality into some of its bloatware, so I went back to the Win8 list of software and installed everything.  Shortly after doing so I started receiving this error:



If I clicked "OK" my laptop immediately went into hibernation mode.  To make matters worse, the prompt had an "Always On Top" attribute which pulled my mouse/keyboard focus back onto the prompt every 5 seconds.  I have to say, that was extremely annoying (this means you, Sony).  A Google search revealed the culprit to be a program called "ISBMgr.exe" in the C:\Windows directory, which had also been added to the Startup Programs list.  Struggling for mouse/keyboard focus, I managed to open Task Manager and kill the program, and the prompt thankfully went away.  I also disabled it in the Startup Programs list to make sure I didn't re-encounter it.  Why the program thinks something's amiss is a mystery to me.

Now that I had my mouse/keyboard control again I continued my search for hotkey functionality.  Device Manager hinted that the functionality depended on a driver for hardware id "SNY5001" - also known as the SFEP: Sony Firmware Extension Parser.  I found numerous posts in support forums related to similar circumstances and followed the trail.  It led me to a download posting of the most recently available driver version.  The download, luckily, was not a packaged installer - just the .inf and cab files needed.  Once I downloaded it, right-clicked on the .inf, and installed it I COULD ONCE AGAIN CONTROL LIGHT ITSELF.  Or at least control the brightness through hotkeys again.

So to summarize: I lost hotkey functionality after the upgrade to Win8, and after installing all available Sony software I started receiving nigh-unavoidable prompts regarding my laptop battery.  With these now resolved, I continued exploring what else Win8 had to offer.  Because the driver files were such a pain to locate, I'm posting them for download here so others can save time.  Do verify the download against the hash below, and check the driver's own digital signature (on the .cat and .sys files) before installing it; the hash only shows you received the same bytes I uploaded, not that the driver is trustworthy.

Please NOTE: I am in no way liable for your use of the drivers referenced for download.  They are provided AS-IS without any guarantee or warranty and users download the file at their own risk.  The hash of the uploaded file is:  BD9B677BEE0DC81E0C6F2D79EA165328DF8EC2AE

Three great things about Windows 8 so far

NOTE: I have not read about any features of Windows 8, so some of these items may already be old news.

I decided to go ahead and upgrade to Win8 and mess around with it for a week to see what's what.  I figured that if it was bearable, I would just stick with it.  So I installed Windows 8 Professional, and my initial impression is that it's not vastly different from Windows 7, other than the obvious re-positioning of the start menu.  I'll expand more on that later.

First up: Blazing Boot Time


To give a breakdown of system specs, I'm running a 2nd-gen i7 processor with 8 GB of RAM and a SATA III solid state drive.  I recently had Windows 7 on this system and boot time was probably about 10-15 seconds.  That was already a vast improvement over my previous config, which included the Sony-branded Win7 and the OEM SATA drive, where my boot time was about two minutes on average.  However, after installing Windows 8 my boot time decreased to literally less than 5 seconds.  And for those wondering what I mean by boot time, I consider it the point where you can click on a browser to start accessing a website.

Discovery: Native ISO support


I do find occasional use for ISO files, and after downloading one of them, I found I could double-click into it without Windows asking me what program I wanted to use to open it.  Shocked, I navigated out of the ISO and right-clicked on the file.  What did I see?  Lo and behold, native support for ISO files!  Right-click and mount is pretty nice, that's for sure.

Driver Support: overall better than Win7


After the initial OS load, I found only two unknown devices listed in my device manager.  One was a USB host controller, and the other was the hotkey controller for this laptop.  That means out of the at least 15 drivers I had to load separately in Windows 7, I now only had two!  Talk about a time-saver.  I loaded the USB host controller driver from Sony's website with no problem.  To read about the near-maddening battle in resolving these two driver issues, read on.


Monday, November 5, 2012

Flash is broken in BackTrack 5 R3: Here's the fix

**updated scripts links as of 1/30/2013

In preparation for the CyberLympics, I wanted to have all my tools updated to the most recent available versions, and as a result I loaded the latest 64-bit revision of BackTrack 5 (R3).  After registering and updating Nessus, I tried to log in through the web interface but kept getting an error that Flash wasn't installed.

First, I tried downloading it from Adobe's site and walking through the install process that way, but, most likely due to operator error, it wasn't working for me.  After a quick Google search, I saw a post somewhere from someone having the same issue.  As a resolution, that person was kind enough to post a script that would download Firefox and Flash and install everything automagically.  I downloaded and ran that script myself, but it failed.  After some tinkering, though, I got it to work!  So, for those who have downloaded BackTrack 5 R3 and find the Flash plugin in Firefox isn't working, try this:


Copy the text above and paste into a file.  Make sure you name the file with a ".sh" extension and set the permissions so the file will run as an executable.  You can set the permissions in one of two ways:
  1. chmod u+x /path/to/file/filename
  2. chmod 700 /path/to/file/filename
Then just execute the script!  

I built it to download the latest 64-bit version of Firefox using a generic link, so it will always grab the latest release.  For the Flash plugin, I had to specify the full download URL, so remember to change it for future releases (unless you know how to make it generic).

To recap, the script downloads the latest Firefox 64-bit build and the Flash 11 plugin, extracts and installs them.  All this was in effort to get into Nessus.  Hopefully this helps you save time!
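As an added example (not the post's script, which the page does not reproduce, and in Python rather than shell), here are the checks an installer script should make before trusting what it downloaded.  It serves both the driver package from the Windows 8 post above, where the posted hash lets you confirm integrity and nothing else, and the Firefox and Flash archives here: verify the published digest, refuse archives whose members would land outside the install directory, and copy only the file you actually need out of the plugin tarball.  The archives are built in memory and are constructed, the install paths are placeholders, and the Flash tarball layout (libflashplayer.so at the top level) matches Adobe's Linux plugin tarball of the time.

```python
"""Added example, not the post's script: verify a downloaded archive against
a published digest, then unpack it without letting a crafted member escape the
install directory. Archives are constructed in a temp dir; paths are placeholders."""
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path


def file_digest(path, algo: str = "sha256") -> str:
    """Hex digest of a file (sha1 for the 40-hex hash in the driver post)."""
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()


def verify_digest(path, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare against a published digest, any case, in constant time."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.lower())


def safe_members(tar: tarfile.TarFile, dest: Path) -> list[tarfile.TarInfo]:
    """Allow only regular files and directories that land inside dest: no
    absolute names, no '..' traversal, no symlinks, hardlinks or devices."""
    dest = dest.resolve()
    keep = []
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing non-regular member: {m.name}")
        target = (dest / m.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing path traversal: {m.name}")
        keep.append(m)
    return keep


def extract_archive(archive, dest) -> list[str]:
    """Unpack a tar archive (any compression) after vetting every member."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive) as tar:
        members = safe_members(tar, dest)
        tar.extractall(dest, members=members)
    return [m.name for m in members]


def install_flash_plugin(archive, plugins_dir) -> Path:
    """Copy only libflashplayer.so out of the tarball into the plugins dir."""
    out = Path(plugins_dir) / "libflashplayer.so"
    out.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive) as tar:
        member = tar.getmember("libflashplayer.so")
        if not member.isfile():
            raise ValueError("libflashplayer.so is not a regular file")
        with tar.extractfile(member) as src:
            out.write_bytes(src.read())
    return out


def install(firefox_tgz, firefox_sha256, flash_tgz, flash_sha256, prefix, plugins_dir) -> Path:
    """Whole procedure: refuse on any digest mismatch, then unpack both archives."""
    for path, digest in ((firefox_tgz, firefox_sha256), (flash_tgz, flash_sha256)):
        if not verify_digest(path, digest):
            raise RuntimeError(f"digest mismatch for {path}; not installing")
    extract_archive(firefox_tgz, prefix)
    install_flash_plugin(flash_tgz, plugins_dir)
    return Path(prefix) / "firefox" / "firefox"


def make_tgz(path, files: dict[str, bytes]) -> None:
    """Constructed archive builder: stands in for the downloads."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Run the procedure against constructed archives in a temp directory."""
    tmp = Path(tempfile.mkdtemp())
    ff, fl, evil = tmp / "firefox.tar.gz", tmp / "flash.tar.gz", tmp / "evil.tar.gz"
    make_tgz(ff, {"firefox/firefox": b"#!/bin/sh\necho firefox\n"})
    make_tgz(fl, {"libflashplayer.so": b"\x7fELF-fake", "usr/readme.txt": b"hi"})
    make_tgz(evil, {"../escaped.txt": b"x"})      # the classic traversal member
    results = {"wrong_digest_refused": False, "traversal_refused": False}
    try:
        install(ff, "00" * 32, fl, file_digest(fl), tmp / "opt", tmp / "plugins")
    except RuntimeError:
        results["wrong_digest_refused"] = True
    binary = install(ff, file_digest(ff).upper(), fl, file_digest(fl), tmp / "opt", tmp / "plugins")
    results["firefox_installed"] = binary.is_file()
    results["plugin_bytes"] = (tmp / "plugins" / "libflashplayer.so").read_bytes()
    try:
        extract_archive(evil, tmp / "sandbox")
    except ValueError:
        results["traversal_refused"] = True
    results["escaped_file_exists"] = (tmp / "escaped.txt").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The script in the post, like most "download and install" one-liners, runs whatever it fetched; the digest check is what turns a mirror, a typo in a URL or a tampered download from a silent install into a refusal.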

Saturday, November 3, 2012

Global CyberLympics Results

UMUC Takes Second

The UMUC team has returned home from Miami as heroes!  Representing North America, we out-maneuvered six other teams from Hungary, Brazil, Australia, Nigeria, and Sri Lanka to take 2nd place.  The defending champions, hack.ers (Netherlands), were slow to start, but soon out-paced everyone in obtaining points and maintaining that lead.  The gap between first and second place only widened as the competition picked up pace.

Regardless of what our standing was throughout those grueling six hours, all UMUC team members were focused on doing our best.  It was hard-won, as we were competing with Hungary for that 2nd place ranking up until the very end.  

I was honored to be a member of the UMUC team and represent the United States in this global contest.  I learned so much in preparing for the event that my mind is still filled with ideas for improving and optimizing the entire workflow.  At work the past two days, these ideas keep popping into the forefront of my mind.  This competition has had such an impact on me that it's altered my focus of what I want to do in my free time.  Now I find a burning desire to do everything I can to learn Ruby on Rails and Python so I can be well-versed in scripting components for metasploit.

What I learned most from this competition is that I still have so much to learn, and that the anticipation of doing so makes me excited to see what's next!




Thursday, September 6, 2012

Another way to enhance your tech skills: Cyber Challenges

In the past year, I've been lucky enough to participate in three or four Cyber Challenge competitions including MDC3 (2011 and now 2012), the Global CyberLympics, and DC3.

MDC3

The MDC3 is a competition with three levels of entry:
  1. High School
  2. Collegiate
  3. Professional
From the website:
What is the Challenge?
Teams within each level will battle it out in a series of “hackathons”—exciting, real-world cybersecurity games that put their critical thinking skills to the ultimate test.
Online qualification rounds will test each team’s cyber defense skills, including their ability to harden systems against vulnerabilities, maintain critical services, and communicate timely and effectively. As teams advance, the qualification rounds will increase in complexity and intensity.
The finals—to be hosted at CyberMaryland 2012—will include a Capture the Flag/King of the Hill variation which introduces more exercise problems as the game progresses.
There are three qualifying rounds: forensics, attacking, and defense.  The final round is a capture the flag competition.

Global CyberLympics

The CyberLympics is another competition very similar to the MDC3, since they both use the same CyberNEXS system from SAIC.  There are three rounds before finals, only instead of being limited regionally, the teams compete from around the globe (APAC, EMEA, and Americas).

DC3

DC3 is a forensics-focused challenge where they post problems falling into several levels of difficulty.  The goal is to find information and report it along with the methodology you used to retrieve the information.




Wednesday, August 29, 2012

Linux JTR is better


As an IT professional, I constantly research troubleshooting information or try to leverage the experience of others who've gone before me down dimly lit paths.  Frustratingly, during this research I typically find only bread crumbs along the trail until I've gathered enough to make proper sense of things.  So I'm going to use Google+ as a repository for the things I discover, and I'm making these posts public so that others can hopefully find the answers they seek in one search result.

With that explanation out of the way, I just wanted to share some stuff I learned about password-cracking tool John The Ripper (JTR) recently. In the fall of 2011, I joined my collegiate cyber challenge team in a regional competition.

One of the things that irritated me during the competition was that I couldn't get the password cracking process started for a root password we recovered off a linux system. Unfortunately, I didn't make any progress during the competition, but I made a note to revisit the issue and figure out why it wasn't working as expected, and here's what I found out so far:

1) The default JTR download does not load every hash type.  The 1.7.0.1 core build handles traditional DES-based crypt(3) (a 13-character string with no leading '$'), BSDI DES, FreeBSD MD5 crypt ($1$), OpenBSD Blowfish ($2a$), AFS and Windows LM hashes, but not the glibc SHA-256/SHA-512 crypt formats that arrived later, and when no loaded format recognizes the input it reports "No password hashes loaded".  This is why the dang thing kept telling me that during the competition.  When a password is set on an older Linux or Unix system and crypt() is called with a plain two-character salt, the DES-based form is what you get; in every case the password is hashed, not encrypted.

2) If a password field starts with a '$', that's a clear indication it was hashed with something other than traditional DES, and the id between the first two dollar signs says which.  The password we recovered for the root account in the competition started with '$6$':
root:$6$WTGPcLKM$mveC6wr7aZJWX9RmShBVbMMbygrx5QvqQqHp3LyWODOUaD61JFGKxhHE9J12oKXwr2eW0d22Crd./nv5J3cMP.:15068:0:99999:7:::
Every crypt(3) scheme is one-way, DES included, so no version of JTR "decrypts" anything: it guesses candidate passwords, hashes each one the same way the system did (with the same salt) and compares the result to the stored hash.  Precomputed hash tables (rainbow tables) only help against unsalted hashes; the salt here ("WTGPcLKM") means a table would have to be rebuilt for every salt, so wordlist and brute-force guessing is the practical route, provided your build supports the format.

First, I had to determine what type of hash was used, and research revealed this useful info:

If salt is used in a password, a character string starting with the characters "$id$" followed by a string terminated by "$":

$id$salt$encrypted

then instead of using the DES machine, id identifies the encryption method used and this then determines how the rest of the password string is interpreted. The following values of id are supported:

ID  | Method
----+--------------------------------------------------------------------
1   | MD5
2a  | Blowfish (not in mainline glibc; added in some Linux distributions)
5   | SHA-256 (since glibc 2.7)
6   | SHA-512 (since glibc 2.7)

So $5$salt$encrypted is an SHA-256 encoded password and $6$salt$encrypted is an SHA-512 encoded one.

Based on the password then, it appears it was hashed using SHA-512. Here's more:

"salt" stands for the up to 16 characters following "$id$" in the salt.
The encrypted part of the password string is the actual computed password. The size of this string is fixed:

Method  | Length
--------+--------------
MD5     | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters

The characters in "salt" and "encrypted" are drawn from the set [a-zA-Z0-9./]. In the SHA implementation the entire key is significant (instead of only the first 8 bytes in MD5).

A call of the form crypt('password', '$6$SALTSALT$') produces a string in exactly this layout.

The root account above has a salted password hashed with SHA-512 crypt.  Now we face an issue: after a couple more hours of research, it turns out the Windows version of JTR I had (1.7.0.1) does not include support for the SHA-512 crypt(3) format, meaning it could not crack this hash no matter how long it ran.  JTR 1.7.6 and later add a generic crypt(3) format (--format=crypt) that hands hashes to the system's libc, so on a Linux box with glibc 2.7 or newer it can work through $5$ and $6$ hashes, and newer jumbo builds add a native sha512crypt format.  I haven't tested this in a Linux JTR build yet, but the point of this post is that during a cyber challenge, where time is of the essence, if you come across a hash in this format, don't waste time feeding it to a build that can't load it: check the "$id$" prefix first and use a build that supports the format.
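To make that triage mechanical, here is an added example (not from the post, and not JTR's code): a parser for the $id$salt$hash layout quoted from crypt(3) above, including two details the quote omits (the rounds=N prefix glibc accepts for ids 5 and 6, and bcrypt's $2a$cost$ layout, where the 22-character salt and 31-character hash run together), plus the guess-hash-compare loop that a salted hash forces.  The toy hasher is a constructed stand-in (hex SHA-512 of salt followed by password) and is not real sha512crypt, which iterates 5000 rounds by default and emits the crypt alphabet; libc_hasher gives the real thing where Python's crypt module exists.  The shadow line is the one from the post; the wordlist and target are constructed.

```python
"""Added example, not from the post or from JTR: triage a crypt(3) password
field before spending competition time on it, and show why a salted hash has
to be attacked by guessing rather than by table lookup. toy_hasher is a
constructed stand-in, NOT sha512crypt; the shadow line is the post's."""
from __future__ import annotations

import hashlib
from typing import Callable, Iterable

METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
HASH_LEN = {"1": 22, "5": 43, "6": 86}          # fixed hash sizes from crypt(3)
CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Which of the JTR builds discussed in the post can load each method.
JTR_NOTE = {
    "locked": "nothing to crack: account locked or has no password",
    "DES": "traditional DES crypt, loads in JTR 1.7.0.1 and later",
    "MD5": "FreeBSD MD5 crypt, loads in JTR 1.7.0.1 and later",
    "Blowfish": "OpenBSD bcrypt, loads in JTR 1.7.0.1 and later",
    "SHA-256": "not in 1.7.0.1: use JTR 1.7.6+ --format=crypt on glibc 2.7+, or a jumbo build",
    "SHA-512": "not in 1.7.0.1: use JTR 1.7.6+ --format=crypt on glibc 2.7+, or a jumbo build",
}


def parse_crypt(field: str) -> dict:
    """Split one password field into id, method, rounds, salt and hash."""
    if field == "" or field[0] in "!*":
        return {"id": None, "method": "locked", "rounds": None, "salt": "", "hash": ""}
    if not field.startswith("$"):
        # Traditional DES crypt: 2 salt chars + 11 hash chars, no '$' anywhere.
        if len(field) != 13 or not set(field) <= CRYPT_CHARS:
            raise ValueError("not a crypt(3) string: " + field)
        return {"id": None, "method": "DES", "rounds": None, "salt": field[:2], "hash": field[2:]}
    parts = field.split("$")                       # ['', id, ..., hash]
    crypt_id = parts[1] if len(parts) > 3 else ""
    if crypt_id not in METHODS:
        raise ValueError("unknown or malformed crypt(3) id in: " + field)
    if crypt_id == "2a":                           # $2a$cost$<22 salt><31 hash>
        if len(parts) != 4 or len(parts[3]) != 53:
            raise ValueError("malformed bcrypt string: " + field)
        return {"id": "2a", "method": "Blowfish", "rounds": 2 ** int(parts[2]),
                "salt": parts[3][:22], "hash": parts[3][22:]}
    rest, rounds = parts[2:], None
    if rest[0].startswith("rounds="):              # $6$rounds=N$salt$hash
        rounds, rest = int(rest[0][7:]), rest[1:]
    if len(rest) != 2:
        raise ValueError("malformed crypt(3) string: " + field)
    salt, digest = rest
    if len(digest) != HASH_LEN[crypt_id]:
        raise ValueError(f"id {crypt_id} needs {HASH_LEN[crypt_id]} hash chars, got {len(digest)}")
    if len(salt) > 16 or not set(salt + digest) <= CRYPT_CHARS:
        raise ValueError("salt too long or character outside [a-zA-Z0-9./]")
    return {"id": crypt_id, "method": METHODS[crypt_id], "rounds": rounds, "salt": salt, "hash": digest}


def triage_shadow_line(line: str) -> tuple[str, dict, str]:
    """User, parsed password field and JTR advice for one /etc/shadow line."""
    user, field = line.split(":")[:2]
    info = parse_crypt(field)
    return user, info, JTR_NOTE[info["method"]]


def toy_hasher(password: str, salt: str) -> str:
    """Constructed stand-in for a salted crypt hash (NOT sha512crypt)."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def libc_hasher(crypt_id: str, rounds: int | None = None) -> Callable[[str, str], str]:
    """Real crypt(3) via Python's crypt module (Linux only; removed in Python 3.13)."""
    import crypt  # local import: absent on Windows and on Python >= 3.13
    prefix = f"${crypt_id}$" + (f"rounds={rounds}$" if rounds else "")
    return lambda password, salt: crypt.crypt(password, prefix + salt + "$").rsplit("$", 1)[1]


def salted_guess(target_hash: str, salt: str, wordlist: Iterable[str],
                 hasher: Callable[[str, str], str] = toy_hasher) -> str | None:
    """Guess, hash with the target's own salt, compare; None if the list runs out.
    Recomputing per salt is exactly what a precomputed (rainbow) table cannot do."""
    for candidate in wordlist:
        if hasher(candidate, salt) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    LINE = ("root:$6$WTGPcLKM$mveC6wr7aZJWX9RmShBVbMMbygrx5QvqQqHp3LyWODOUaD61JFGKxhHE9J12"
            "oKXwr2eW0d22Crd./nv5J3cMP.:15068:0:99999:7:::")
    user, info, note = triage_shadow_line(LINE)
    print(f"{user}: {info['method']}, salt={info['salt']}, {len(info['hash'])} hash chars -> {note}")
    target = toy_hasher("letmein", "WTGPcLKM")                          # constructed target
    print("found:", salted_guess(target, "WTGPcLKM", ["password", "123456", "letmein"]))
```

Run against the root line from the competition, the parser reports SHA-512, the salt WTGPcLKM and an 86-character hash, which is the "don't waste time on a 1.7.0.1 build" answer in one call; on a Linux box with the crypt module, swapping `hasher=libc_hasher("6")` into salted_guess runs the same loop against the real hash.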