
Security B-Sides SF 2013: The Pineapple Express: Live mobile application hacking demo…


All aboard the Pineapple Express, it's a speeding bullet to the mobile backend! I'm looking forward to speaking at the upcoming B-Sides San Francisco. Most mobile security research has focused on the apps on devices, but I have been more interested in the services and back-ends that power mobile apps.


I'm excited about the new WiFi Pineapple software that I discovered while researching mobile application security, and I'm leveraging it to create a wifi hotspot during my talk.

In this talk, we'll go beyond the typical discussion points on mobile security to delve into the vulnerable back-ends of mobile applications. I will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.

These applications leverage new formats like JSON, AJAX and REST to deliver a rich user experience, but unfortunately they are too often exposing the same familiar vulnerabilities like SQL and Command injection. During this talk, I will demonstrate just how vulnerable these back-ends can be and how easy it is to watch the traffic and attack these interfaces.
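As an added illustration of that point (example code written for this page, not code from the talk or from any application it mentions), the following Python handler for a hypothetical JSON-over-REST account lookup carries the same old SQL injection in the new format, beside the parameterized version that closes it. The endpoint, table and account rows are constructed for the example.

```python
import json
import sqlite3

# Constructed in-memory database standing in for a mobile app's account service.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 45), ("carol", 980)],
    )
    conn.commit()
    return conn


# Constructed request bodies: what a mobile client would POST to the
# hypothetical /api/v1/account endpoint, and what a tampered copy looks like.
BENIGN_REQUEST = '{"username": "bob"}'
INJECTED_REQUEST = '{"username": "x\' OR \'1\'=\'1"}'


def lookup_vulnerable(conn: sqlite3.Connection, request_body: str) -> list:
    """Handler that splices the JSON field straight into SQL.

    The transport is JSON over REST, but the bug is classic SQL injection:
    the username value becomes part of the statement text."""
    username = json.loads(request_body)["username"]
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, request_body: str) -> list:
    """Same endpoint with a bound parameter and a type check.

    The JSON value is passed as data, so quotes inside it never reach the
    SQL parser, and a non-string username is rejected before any query."""
    body = json.loads(request_body)
    username = body.get("username")
    if not isinstance(username, str):
        raise ValueError("username must be a string")
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable :", lookup_vulnerable(db, BENIGN_REQUEST))
    print("injected, vulnerable:", lookup_vulnerable(db, INJECTED_REQUEST))
    print("injected, hardened  :", lookup_hardened(db, INJECTED_REQUEST))
```

The benign request returns one row from both handlers; the tampered request returns every account from the vulnerable handler and nothing from the hardened one, which is exactly the difference a proxy user watching the JSON traffic would see.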

The first step in learning to attack these mobile applications is understanding the formats used. Participants will learn how to break down these new formats, where to attack them and which tools and techniques make it easy to attack these back-end interfaces.

The audience will have the opportunity to connect to my WiFi Pineapple and use their real apps, whose traffic I will snoop to demonstrate how the back-ends can be hacked. While they won't actually hack the applications, the group will watch the live traffic and discuss techniques that can be used to hack those applications.


Anonymous Strikes Again in the Name of Aaron Swartz & Hacks US Sentencing Commission

Anonymous hacked and defaced the website of the United States Sentencing Commission under an operation called “#opLastResort”, and threatened the US government with the release of sensitive information.

Hacked Site:

http://www.ussc.gov

Cached Deface Page on Google:


The website was hacked early Saturday and a message was placed saying that “a line was crossed” when Swartz killed himself two weeks ago.

“Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win — a twisted and distorted perversion of justice — a game where the only winning move was not to play.

With Aaron’s death we can wait no longer. The time has come to show the United States Department of Justice and its affiliates the true meaning of infiltration. The time has come to give this system a taste of its own medicine. The time has come for them to feel the helplessness and fear that comes with being forced into a game where the odds are stacked against them.”

Anonymous now threatens to release secret information that they have reportedly copied from several governments’ computer systems they were able to access. The hackers also put up their video statement and a list of files named after US Supreme Court justices on the hacked website.

Video link:

http://www.youtube.com/embed/WaPni5O2YyI

The full message left by Anonymous can be found here:

http://pastebin.com/Fbx3k2pX

It's hard to say which vulnerability Anonymous exploited, but the anatomy of the attack appears to be the same as in the attack on the MIT sites: both run on Microsoft IIS and ColdFusion. It is also possible that the hackers used a zero-day to hack the sites.

A few days ago, Anonymous defaced a Massachusetts Institute of Technology (MIT) website to denounce the charges against Swartz and urge computer crime law reform.

Update:

The website is down now and its DNS records have been pulled.


Surviving the Week 1/25/13 – The Widening Web App Security Scanner Coverage Gap

New White Paper: The Widening Web Application Security Scanner Coverage Gap in RIA, Mobile and Web Services – Is Your Scanner Like the Emperor’s New Clothes?

The research detailed in this white paper explains the technologies used in modern applications, demonstrates why they create challenges for modern web scanners and details how you can determine if scanners are effectively scanning and attacking these newer technologies. This white paper summarizes how security professionals and application scanners can close this coverage gap to improve both the efficiency (reduce manual efforts) and effectiveness (find more vulnerabilities) of security efforts.
http://www.ntobjectives.com/go/widening-web-application-security-scanner-coverage-gap-in-ria-mobile-and-web-services/

Is a Lack of SQL Injection Knowledge Breeding New Generations of Insecure Programmers?

OWASP ranks SQL Injection at number two in their top 10 list of vulnerabilities. Earlier this month, Chris Andrè Dale published this article (case study) explaining the root causes and the current state of SQL Injection vulnerabilities.
http://www.securesolutions.no/why-its-easy-being-a-hacker/

Try our free tool, NTO SQL Invader, to exploit SQL Injection once you find it – http://www.ntobjectives.com/go/nto-sql-invader-free-download/

Here’s a SQL Injection cheat sheet also – http://www.ntobjectives.com/go/sql-injection-cheat-sheet/

Know Your JavaScript (Injections)

Different attack vectors used to exploit JavaScript.
http://deadliestwebattacks.com/2013/01/22/know-your-javascript-injections/

Multiple Vulnerabilities

Linksys WRT54GL 1.1 XSS / OS Command Injection – http://packetstormsecurity.com/files/119649
Java 7 Update 11 Sandbox Bypass – http://packetstormsecurity.com/files/119665
Apache OFBiz 11.04.01 / 10.04.04 Cross Site Scripting – http://packetstormsecurity.com/files/119666
Jenkins Script-Console Java Execution – http://packetstormsecurity.com/files/119667
Apache OFBiz Cross Site Scripting – http://packetstormsecurity.com/files/119673
PHP-Charts 1.0 PHP Code Execution – http://packetstormsecurity.com/files/119680
Perforce P4web 2011 / 2012 Web Client Cross Site Scripting – http://packetstormsecurity.com/files/119737
F5 BIG-IP 11.2.0 XML External Entity Injection – http://packetstormsecurity.com/files/119738
F5 BIG-IP 11.2.0 SQL Injection – http://packetstormsecurity.com/files/119739


DNS Attack Takes Down Google Morocco

Google Morocco was the latest victim of a Domain Name System (DNS) attack. A notorious Pakistani hacker group named “PAKbugs” hijacked Google Morocco's official website (www.google.co.ma).

Defaced Page:

This is not the first time that Google Morocco has been hacked by PAKbugs; it was previously hacked in 2009. PAKbugs has also previously hijacked major ccTLDs such as .co.ug and .co.ec.

Hacked Domains:

Mirror link:

http://zone-h.com/mirror/id/19094784

According to ping results for the domain, the hacked domain google.co.ma resolved to 46.183.219.99, an address located in Latvia (ip-219-99.dataclub.biz) that is not a Google IP address.

Entering this IP address in a browser address bar redirects to www.pakbugs.com, which shows that the attackers pointed the Google domain at a PAKbugs server hosting the deface page.

It’s not clear how this attack was carried out, but it may have involved compromising the system operated by the Moroccan Top Level Domain Registrar (MaTLD).

What is DNS poisoning?

DNS is the system that converts website names into the IP address of the server hosting the website. A DNS poisoning attack tampers with the valid records, replacing them with fake ones so that domain names resolve to incorrect IP addresses.

Why deface one website, when you can just hack the server that holds the IP address to the victim’s site? So, if you can hack the Domain Name System registrar that holds the records for an entire country, you can change any of the servers that you like to point to any website that you want.

DNS poisoning first came to light in the mid-1990s when researchers discovered that attackers could inject spoofed IP addresses into the Domain Name System resolvers belonging to Internet service providers and large organizations. The servers would store the incorrect information for hours or days at a time, allowing the attackers to send large numbers of end users to websites that install malware or masquerade as banks or other trusted destinations. Over the years, DNS server software has been updated to make it more resistant to this attack.
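The check an operator would want after reading this, as an added example (not part of the original post and not a tool it describes): a small Python monitor that compares the answers several resolvers give for a name against the address space the name is expected to live in, and flags out-of-range answers (the situation above, a Google name resolving to a non-Google address), resolvers that disagree with each other, and unusually long TTLs that let a bad record linger in caches. The monitored name, resolver addresses, answers and expected prefixes are all constructed placeholders.

```python
import ipaddress
from collections import Counter

# Assumed allow-list: the prefixes the monitored name is expected to resolve
# into. Constructed placeholder values (documentation ranges), not real data.
EXPECTED_PREFIXES = {
    "www.example-monitored.test": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed answers "seen" from several resolvers for the name, in the shape
# (resolver_ip, answer_ip, ttl). A real monitor would collect these with a DNS
# library; they are embedded here so the check runs offline.
SAMPLE_ANSWERS = {
    "www.example-monitored.test": [
        ("10.0.0.53", "203.0.113.10", 300),
        ("10.0.1.53", "203.0.113.10", 300),
        ("10.0.2.53", "192.0.2.77", 86400),  # odd one out: other address, long TTL
    ],
}


def check_answers(name, answers, expected_prefixes, max_ttl=3600):
    """Return a list of finding strings for one name.

    Three signals are checked independently:
      * an answer outside the expected prefixes (skipped if no prefixes given);
      * a TTL above max_ttl, which keeps a bad record in caches longer;
      * resolvers disagreeing with the majority answer."""
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    findings = []
    for resolver, answer, ttl in answers:
        addr = ipaddress.ip_address(answer)
        if nets and not any(addr in n for n in nets):
            findings.append(
                f"{name}: {resolver} returned {answer}, outside expected prefixes"
            )
        if ttl > max_ttl:
            findings.append(
                f"{name}: {resolver} returned TTL {ttl} for {answer} (> {max_ttl})"
            )
    distinct = Counter(answer for _, answer, _ in answers)
    if len(distinct) > 1:
        majority, _ = distinct.most_common(1)[0]
        for resolver, answer, _ in answers:
            if answer != majority:
                findings.append(
                    f"{name}: {resolver} disagrees with majority answer {majority}"
                )
    return findings


def run_checks(answers_by_name=SAMPLE_ANSWERS, expected=EXPECTED_PREFIXES):
    """Run check_answers for every monitored name; returns {name: findings}."""
    return {
        name: check_answers(name, answers, expected.get(name, []))
        for name, answers in answers_by_name.items()
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Querying more than one resolver matters here: a registrar-level hijack like the one above shows up at every resolver at once (so only the prefix check fires), while a poisoned single cache shows up as one resolver disagreeing with the rest.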

Months ago, Ireland’s domain registry suffered an “unauthorized intrusion into the company’s systems” that affected DNS records for Google.ie and Yahoo.ie. The attack exploited vulnerabilities in the company’s configuration of the Joomla content management system to upload malicious code that caused unauthorized DNS changes. DNS attacks have also recently hit Romania, according to this blog post by BitdefenderLabs.

These attacks could be much worse if the hacktivists were a more malicious group, such as nation-state hackers who want to infect systems in a target nation, or to gather credentials from users who think they are on a legitimate website rather than a spoofed one reached via DNS manipulation. Imagine how many accounts could be compromised if the websites were redirected to a phishing page instead of a defaced page.


Anonymous Hacked & Defaced MIT in the Name of Aaron Swartz

Much has been written this week on the sad story of Aaron Swartz and the Anonymous hack executed in his name. This story has affected many people in the IT community.

Anonymous hackers hacked and defaced two subdomains of the MIT (Massachusetts Institute of Technology) site, leaving a tribute to, and a call for justice for, the Internet activist Aaron Swartz. They criticized certain US laws and called for the government to reform the laws that led to Aaron's suicide.


Hacked domains:

According to a document from Anonymous on pastebin.com, the hackers ask the government to “reform” computer crime, copyright and intellectual property laws.

  1. We call for this tragedy to be a basis for reform of computer crime laws, and the overzealous prosecutors who use them.
  2. We call for this tragedy to be a basis for reform of copyright and intellectual property law, returning it to the proper principles of common good to the many, rather than private gain to the few.
  3. We call for this tragedy to be a basis for greater recognition of the oppression and injustices heaped daily by certain persons and institutions of authority upon anyone who dares to stand up and be counted for their beliefs, and for greater solidarity and mutual aid in response.
  4. We call for this tragedy to be a basis for a renewed and unwavering commitment to a free and unfettered internet, spared from censorship with equality of access and franchise for all.

They concluded their statement by apologizing to MIT administrators for temporarily taking over the website.

MIT has ordered an internal investigation into the case of Swartz. Furthermore, JSTOR – the digital library that accused him of illegally downloading content – has released its own statement regarding Swartz’s death.

About Aaron Swartz

Aaron Swartz, 26, was an early member of Reddit and a major contributor to the site, a commenter on RSS specifications, and an Internet activist. He committed suicide in his Brooklyn apartment last Friday. He was accused of stealing nearly 500 million articles from an MIT archive and was set to stand trial in February. These stupid laws and the aggressive penalties which are randomly applied appear to have been part of the reason that Aaron committed suicide rather than suffer unfair treatment of the sort that others such as Kevin Mitnick lived through.

Note about Media overhype
Aaron did not co-develop RSS. Netscape and Dave Winer created RSS 0.9. Aaron helped write a proposed update to RSS as version 1.0 that failed to gain any hold, and eventually Dave Winer and a few others did some updates that they called RSS 2.0, which is what we use today. (See blog, “Setting the record straight…” on Boing Boing)

About the attack

It isn't yet clear which vulnerability Anonymous exploited, but some of the MIT sites run on ColdFusion, which has multiple known vulnerabilities including:

  • ColdFusion XSS – There are several known cross-site scripting vulnerabilities in various versions of ColdFusion. Cross-site scripting is a hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end user, where it executes in their browser.
  • ColdFusion directory traversal – A directory traversal vulnerability in Adobe ColdFusion 9.0.1 allows an attacker to access sensitive information. This vulnerability allows an attacker to read the content of files that are not supposed to be readable.
  • ColdFusion path disclosure – Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file, e.g. /home/omg/htdocs/file/.
  • FCKeditor arbitrary file upload – FCKeditor contains functionality to handle file uploads and file management. A remote attacker could use this functionality to upload malicious executable files to the system.
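Two of the classes listed above, directory traversal and unrestricted file upload, come down to missing containment checks. The following Python is an added example written for this page (not ColdFusion or FCKeditor code, and not code from the MIT sites) showing a traversal-prone file read beside a contained one, and an upload handler that allow-lists extensions, verifies the file's leading bytes against the declared type, and discards the client-supplied filename. The web root, its files and the allowed types are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed web root: one public file that may be served and one file
# outside the public directory that must never be reachable from a request.
ROOT = Path(tempfile.mkdtemp(prefix="webroot-"))
PUBLIC = ROOT / "public"
PUBLIC.mkdir()
(PUBLIC / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
(ROOT / "secrets.txt").write_text("not for download\n")


def read_vulnerable(user_path: str) -> bytes:
    """Joins the request parameter onto the public directory with no
    containment check, so '..' segments walk out of PUBLIC (directory traversal)."""
    return (PUBLIC / user_path).read_bytes()


def is_within_public(user_path: str) -> bool:
    """Resolve the candidate path (following '..' and symlinks) and require
    it to sit under the resolved public directory. Absolute paths from the
    client replace the base when joined, so they fail this check too."""
    base = PUBLIC.resolve()
    candidate = (base / user_path).resolve()
    return base in candidate.parents


def read_hardened(user_path: str) -> bytes:
    """Serve a file only after the containment check passes."""
    if not is_within_public(user_path):
        raise PermissionError(f"path escapes web root: {user_path!r}")
    candidate = (PUBLIC / user_path).resolve()
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate.read_bytes()


# Allowed upload types with the leading bytes each must start with.
ALLOWED_UPLOADS = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}


def is_valid_upload(filename: str, content: bytes) -> bool:
    """Extension must be on the allow-list and the content must match it."""
    ext = Path(filename).suffix.lower()
    return ext in ALLOWED_UPLOADS and content.startswith(ALLOWED_UPLOADS[ext])


def accept_upload(filename: str, content: bytes) -> str:
    """Store an accepted upload under a server-generated name (the client's
    filename is used only to read the extension) and return that name."""
    if not is_valid_upload(filename, content):
        raise ValueError(f"upload rejected: {filename!r}")
    stored = f"upload-{os.urandom(8).hex()}{Path(filename).suffix.lower()}"
    (PUBLIC / stored).write_bytes(content)
    return stored


if __name__ == "__main__":
    print(read_hardened("report.pdf"))
    print("contained:", is_within_public("report.pdf"), is_within_public("../secrets.txt"))
    print("stored as:", accept_upload("doc.pdf", b"%PDF-1.4 example"))
```

The containment check compares resolved paths rather than string prefixes, so encoded dots, symlinks and absolute paths are all handled the same way; the upload check deliberately ignores what the client claims the type is and looks at the bytes.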

It's possible that Anonymous leveraged one of the listed known vulnerabilities, or found their own zero-day.


Surviving the Week 1/18/13

A Lesser Cross-Site Scripting Attack Greater Than Your Regex Security

A lot of developers rely on regex to protect against XSS. The following article demonstrates different mechanisms on how developers use regex and how they can be bypassed.
http://deadliestwebattacks.com/2013/01/14/a-lesser-xss-attack-greater-than-your-regex-security/

Our web application security scanner, NTOSpider, reports accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most.
http://www.ntobjectives.com/security-software/ntospider-application-security-scanner/

New Java Exploit

Bootleggers were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control of Windows PCs.
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

Multiple Vulnerabilities Detected

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass – http://packetstormsecurity.com/files/119598
PHP Chart 1.0 Code Execution – http://packetstormsecurity.com/files/119582
Cydia Repo Manager Cross Site Request Forgery – http://packetstormsecurity.com/files/119584
Drupal RESTful Web Services 7.x Cross Site Request Forgery – http://packetstormsecurity.com/files/119585
Drupal Live CSS 6.x / 7.x PHP Code Execution – http://packetstormsecurity.com/files/119589
Drupal Mark Complete 7.x Cross Site Request Forgery – http://packetstormsecurity.com/files/119590
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root – http://packetstormsecurity.com/files/119638

2013 Security B-Sides San Francisco Voting

Voting for Security B-Sides San Francisco presentations is in full swing. Be sure to vote for your favorite talks.

We’re partial to these two talks by Dan Kuykendall!


The Pineapple Express: Live mobile application hacking demonstration. A speeding bullet to the mobile backend – Climb aboard the Pineapple Express. In this talk, Dan goes beyond the typical discussion points on mobile security to delve into the vulnerable back-ends of mobile applications. Dan will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.

Get off your AMF and don’t REST on JSON – In this talk, Dan will demonstrate the process of understanding the new formats like JSON, REST and AMF and where to attack them on various vulnerable applications.

Hope to see everyone there!


Application Security That Works

My buddy Jim Broome over at DirectDefense wrote a great blog post, “Security that Works: Even on a Budget.” They have posted two blogs in the series: the first covers “Hacking Attempts” and the second focuses on “Malware.” I wanted to highlight and comment on the “Hacking Attempts” post as it relates to application security.

Security is a complex problem, one that requires the right people, the right technology and the right process. At NT OBJECTives, our focus is on building the most automated and repeatable technology for application and web scanning. This DirectDefense post outlines the process and technologies you can use to address the most common security issues.

Security That Works, Even on a Budget – Part 1 – Hacking Attempts:

There are many reports, presentations and research papers on new types of hacks and breaches. The main two causes of most of these breaches are hacking attempts and malware.

DirectDefense analyzed these reports and leveraged their knowledge from performing penetration tests for more than 15 years to create a list of the common techniques they leverage to break into companies and specific practices you can implement to resolve these types of threats at your organization.

In their consulting work, DirectDefense constantly gains unauthorized access due to the following issues:

  • Patching Vulnerabilities (in the OS, database and applications)
  • Configuration Vulnerabilities (default settings, default content & misconfiguration)
  • Passwords (default passwords or weak passwords)
  • Application Vulnerabilities (Injection attacks, like SQL Injection, Command Injection and business logic vulnerabilities)

Helpful Resources:

Where’s Waldo?

As DirectDefense accurately points out, none of these vulnerabilities are new. As an industry, we've been talking about patch and configuration management, password management, SQL Injection, the OWASP Top 10 and more for more than 10 years. These are the same vulnerabilities popping up in new technologies or attack vectors, just like Where's Waldo. This is something I have been spending a lot of time researching over the last six months or so. We recently released a new paper summarizing our research, The Widening Web Application Security Scanner Coverage Gap, that outlines the latest attack vectors (like mobile back-ends, JSON, AJAX, complex sequences like shopping carts and more) and how you can identify weaknesses in them.

The following high-level approach is outlined in more detail in DirectDefense’s original post.

1. Identify your assets.

  • What they are running on
  • What type of data they store
  • Prioritize based on risk

2. Patch your Systems. Review your patch management strategy and improve it according to the recommendations listed.

3. Learn to Harden Your Systems. Make sure all production applications are configured and hardened after they are in production.

4. Test yourself and fix any problems. Be sure to know where your vulnerabilities are by using network and application scanning tools. There are plenty of inexpensive application scanners and tools, but be sure you know what they find and what they don’t find. Our application security software, NTOSpider, is designed to find the most vulnerabilities possible through automation.

Once you find vulnerabilities, begin remediating them.

5. Repeat the cycle. Security requires continuous attention and re-assessment. We recommend assessing every application quarterly at a minimum.

If you are able to implement the process outlined above with a solid team and the right technology, you will reduce the number of successful hacking attempts on your applications.


Surviving the Week 1/11/13

NTLM Challenge Response is 100% Broken


Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy.
http://markgamache.blogspot.in/2013/01/ntlm-challenge-response-is-100-broken.html

Multiple Vulnerabilities

Quick.Cms 5.0 / Quick.Cart 6.0 Cross Site Scripting – http://packetstormsecurity.com/files/119422
Drupal Payment 7.x Access Bypass – http://packetstormsecurity.com/files/119421
Drupal Search API 7.x Cross Site Scripting – http://packetstormsecurity.com/files/119420
Websitebaker Concert Calendar 2.1.4 XSS / SQL Injection – http://packetstormsecurity.com/files/119416
WeBid 1.0.6 SQL Injection – http://packetstormsecurity.com/files/119414
MyBB Profile Wii Friend Code 1.0 Cross Site Scripting / SQL Injection – http://packetstormsecurity.com/files/119250
Eye-Fi Helper Directory Traversal – http://packetstormsecurity.com/files/119254
pfSense 2.0.1 XSS / CSRF / Command Execution – http://packetstormsecurity.com/files/119256
Nexpose Security Console Cross Site Request Forgery – http://packetstormsecurity.com/files/119260
Action Pack DoS / SQL Injection / Code Execution – http://packetstormsecurity.com/files/119356

Get a free trial today and test your application using NTOSpider to discover possible security vulnerabilities.

Vulnerability in Ruby on Rails

Multiple weaknesses in param parsing in Ruby on Rails allow attackers to bypass auth, inject SQL, inject & execute code, or perform a DoS attack.
http://www.insinuator.net/2013/01/rails-yaml/


Surviving the Week 1/4/13

SSNs, Salary Information Exposed In Breach of Army Servers


Computer hackers have illegally gained access to personal information of more than 36,000 people connected to Army commands formerly based at Fort Monmouth. An Army spokeswoman says the information includes names, birth dates, Social Security numbers, addresses and salaries.
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240145376/ssns-salary-information-exposed-in-breach-of-army-servers.html

Avoid critical hacks and scan your applications with NTOSpider (DAST) or our SaaS solution, NTOSpider On-Demand.

Researchers Find Malware Targeting Java HTTP Servers

Security researchers from antivirus vendor Trend Micro have uncovered a piece of backdoor-type malware that infects Java-based HTTP servers and allows attackers to execute malicious commands on the underlying systems. The threat, known as BKDR_JAVAWAR.JG, comes in the form of a JavaServer Page (JSP), a type of Web page that can only be deployed and served from a specialized Web server with a Java servlet container, such as Apache Tomcat.
http://www.computerworld.com/s/article/9235079/Researchers_find_malware_targeting_Java_HTTP_servers

Multiple Vulnerabilities

Guru Auction 2.0 SQL Injection – http://packetstormsecurity.com/files/119110
Polycom HDX Video End Points Cross Site Scripting – http://packetstormsecurity.com/files/119125
Log Analyzer 3.6.0 Cross Site Scripting – http://packetstormsecurity.com/files/119130
SonicWall Email Security 7.4.1.x Cross Site Scripting – http://packetstormsecurity.com/files/119131
WordPress Asset-Manager PHP File Upload – http://packetstormsecurity.com/files/119133

UN Site Hacked

A United Nations website was recently hacked.
http://www.un.org.sn/tmp/x.htm

Microsoft Releases Fix It Tool to Address IE Security Zero-Day

The Fix It tool is aimed at addressing a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not impacted.
http://www.securityweek.com/microsoft-releases-fix-it-tool-address-ie-security-zero-day