Archive for November, 2007

New Rule

All companies, software, and websites need a clear means of receiving information about vulnerabilities. Every application has vulnerabilities, and sometimes third parties just happen to see them. I was using a web app for a local diamond dealer. Clearly they deal with a high-value product that should be well protected. While browsing the site, I noticed that it appeared to use GET requests to pass item and price information. It turns out that the two aren't cross-verified on the back end: it was possible to change the price. Maybe they have internal processes to verify the price, but maybe not. Likewise, if an attacker uses the vulnerability, is the merchant bound to the price they charged the credit card? They also allowed negative prices. Would the third-party credit card servicing site happily issue a chargeback?
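As an added illustration of the flaw described above (this is example code, not anything from the original post or the merchant's site), here is a checkout handler that trusts the price from the query string beside one that looks the price up server side. The catalogue, the URL and the parameter names `item` and `price` are constructed assumptions; the real application's parameter names are not given on this page.

```python
"""Client-trusted price vs. server-side price lookup.

Added example; not code from the original post or the merchant's site.
The catalogue, request URLs and the GET parameters 'item' and 'price'
are constructed for illustration.
"""
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Constructed catalogue: the only place a price should ever come from.
CATALOGUE = {
    "ring-1001": Decimal("2499.00"),
    "pendant-2040": Decimal("875.50"),
}


def vulnerable_checkout(url: str) -> Decimal:
    """Mirrors the flaw described above: the price arrives in the query
    string and is charged as-is, so it can be lowered or even made negative."""
    q = parse_qs(urlsplit(url).query)
    item = q["item"][0]
    if item not in CATALOGUE:
        raise KeyError(item)
    return Decimal(q["price"][0])  # never cross-checked against CATALOGUE


def hardened_checkout(url: str) -> Decimal:
    """Ignore any client-supplied price: look it up server side, and treat a
    client value that disagrees with the catalogue as tampering (worth logging)."""
    q = parse_qs(urlsplit(url).query)
    item = q["item"][0]
    if item not in CATALOGUE:
        raise KeyError(item)
    actual = CATALOGUE[item]
    if "price" in q and Decimal(q["price"][0]) != actual:
        raise ValueError(f"price tampering on {item}: client sent {q['price'][0]}, catalogue says {actual}")
    if actual <= 0:
        raise ValueError("refusing a non-positive charge")
    return actual


if __name__ == "__main__":
    tampered = "https://shop.example/checkout?item=ring-1001&price=-2499.00"
    print("vulnerable version would charge:", vulnerable_checkout(tampered))
    try:
        hardened_checkout(tampered)
    except ValueError as err:
        print("hardened version rejected it:", err)
```

The tampering check is deliberately a hard failure rather than a silent correction: a mismatch between the client's price and the catalogue is a signal worth alerting on, not just a value to overwrite.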

I've tried to contact the merchant, but I just can't seem to get through to anyone who understands the problem. I only want someone who understands the potential problem to be aware of it, so that they can accept the risk or go about fixing it. So, new rule: if you have an application (web or otherwise), you MUST have a clear means of receiving vulnerability information.

Passwords and More Authentication Fun

Often, while my students are working on a lab, I'll use the time to search for more class demos. It seems that many of the demos we discuss in class get fixed soon afterwards. I'm not sure how or why, but this is often the case. Parameter manipulation demos, for example, are all fixed within a few weeks of discussing them in class. The list goes on, but this happens so frequently that I stopped tracking them. Regardless of the reasons, these vulnerabilities get fixed, and I'm glad they do. And I really don't mind doing some basic research into finding more. So here's today's example, as it applies to password policy and authentication fun.

I'll start off by listing some common authentication-related vulnerabilities I often see, and then discuss some error messages I recently found on a popular travel site. I'll also add some "malicious" ideas, just for fun, to get you thinking.

Common authentication-related vulnerabilities:

  • Password policy is weak
  • Password policy is strong, but not enforced
  • No account lockout (or worse, account lockout tracked on the client side)
  • Login error messages let me know whether the username is valid
  • Password hints!

Related error messages from a recent find at a travel site:

  • "A password must be 5-12 characters long and have no spaces." (when registering an account)
  • "The e-mail and password you have entered do not match. Please try again." (when attempting to log in with an invalid username or password)
  • "That e-mail address is not on file. Please try again." (when attempting to display the password hint for an invalid account)
  • Note: the password hint is happily displayed if you enter a valid username.

Some initial thoughts

  • How easy is it to harvest emails or buy a few million email addresses?
  • Could a quick script cycle through a list of email addresses and capture password hints?
  • How difficult would it be to guess a few password hints based on several hundred or thousand captured password hints?
  • This site allows you to save a credit card on file and use it to book travel/hotels/more without verifying anything.
  • I wonder if I could book travel on someone else’s account without them knowing. All I need to do is suppress the email confirmation or point their registered email to a different one. By the time the con has been exposed, the postcards I sent from Mexico will have been received.
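The "quick script" from the list above, as an added example that is not part of the original post and has nothing to do with the travel site's real code: the hint endpoint is simulated in-process, so the script runs offline. The account store, the candidate e-mail list and the generic response text are constructed. The vulnerable endpoint reproduces the two error messages quoted earlier; the hardened one answers identically whether or not the address exists, which is what kills the enumeration.

```python
"""Harvesting password hints through a user-enumerating hint endpoint.

Added example; not code from the original post or the travel site.
ACCOUNTS, CANDIDATES and the GENERIC response text are constructed.
"""

# Constructed account store: e-mail -> password hint.
ACCOUNTS = {
    "alice@example.com": "mother's maiden name",
    "bob@example.com": "first pet, spelled backwards",
}

NOT_ON_FILE = "That e-mail address is not on file. Please try again."
GENERIC = "If that address is registered, a reminder has been sent to it."


def vulnerable_hint_endpoint(email: str) -> str:
    """Behaves like the messages quoted above: a distinct response for an
    unknown address, and the hint itself returned for a valid one."""
    if email not in ACCOUNTS:
        return NOT_ON_FILE
    return f"Your password hint: {ACCOUNTS[email]}"


def hardened_hint_endpoint(email: str) -> str:
    """Same response whether or not the address exists. Whatever reminder
    is sent goes out-of-band to the registered address, never into the page."""
    return GENERIC


def harvest(endpoint, candidates, probe="nobody-7f3a1c@invalid.example"):
    """What an attacker cycling through a purchased address list does: first
    learn what a non-existent address looks like, then keep every candidate
    whose response differs from that baseline (valid account + hint)."""
    baseline = endpoint(probe)
    found = {}
    for email in candidates:
        body = endpoint(email)
        if body != baseline:
            found[email] = body
    return found


# Constructed "purchased" list: two real accounts, one that doesn't exist.
CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com"]

if __name__ == "__main__":
    print("vulnerable:", harvest(vulnerable_hint_endpoint, CANDIDATES))
    print("hardened:  ", harvest(hardened_hint_endpoint, CANDIDATES))
```

A uniform response is only part of the fix; the same endpoint should also be rate-limited per source address, since even a timing difference between the two code paths is enough for a patient enumerator.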

Do you see where this is going? The main culprit wasn’t the password policy itself. If I had to write the equation, it would look a lot like this (seriously):

Mediocre password policy + password hints + stored credit card info + having a lot of users + nongeneric error messages + not verifying anything on checkout = free trip to Mexico.

Now, let’s go cliff diving in Acapulco!

WiFi: Rogue AP detection and AP impersonation

In city office environments with residential or even non-residential buildings nearby, rogue detection can be a huge and overwhelming issue. Things get even more complicated when you think about shared office spaces, where other tenants' access points are just a wall away. Commercial wireless intrusion detection systems (WIDS) allow you to place sensors in multiple locations, which lets the WIDS perform a sort of triangulation to help identify where these APs may reside. The need for these commercial solutions is understandable when you have a wireless network within your organization, but what happens when you don't? The threat of rogue access points is still there, and an equally serious threat is AP impersonation attacks, which may target corporate systems with wireless cards.

So what’s a guy to do? As mentioned there are two issues here: rogue access points and AP impersonation attacks. Let’s look at each one.

Rogue Access Points: In highly dense environments, the best method I've found for identifying rogue access points is similar to that of wireless intrusion detection systems, except it's a more manual process. We'll use a standard wireless adapter with a low-gain antenna (there is NO need for a high-gain antenna; it'll only make your life difficult) and a wireless sniffer that displays signal strength. The choice here can be either open source or commercial software. I personally use a commercial tool, AirMagnet's Laptop Analyzer, just because it gives me exactly the data I am looking for. No matter what, don't use NetStumbler (remember? active vs. passive sniffing)! Using a floor map, I'll mark roughly 5-10 sample points within the office space and take a 2-minute snapshot at each point. Once that's completed, I'll make an Excel spreadsheet containing every BSSID (MAC address) discovered at every sample point, the capture location, and the signal strength. Then I'll sort by BSSID and start the correlation. For example, if we have 5 sample points, we'll look for BSSIDs that have relatively high signal strength (~30) at each sample point, or at, say, 4 of the 5. Assuming you picked points around the perimeter and at least one in the middle, you should have enough information to safely assume that the AP is in your office area. If you see a particular BSSID with good signal strength only along the outer wall samples, you may assume it is outside. Once you have a list of potential real rogue access points, the hunt begins!
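The correlation step above, done in code instead of a spreadsheet. This is an added example, not part of the original post and not AirMagnet output. The survey rows are constructed: five sample points (four on the perimeter, one in the centre), with a per-point signal strength for each BSSID on the same unitless scale the post uses, where ~30 counts as "relatively high". Real rows would come from the sniffer's exported captures.

```python
"""Correlating a multi-point wireless survey to separate in-office BSSIDs
from neighbours' access points.

Added example; not code from the original post or any sniffer vendor.
SAMPLE_POINTS, SURVEY and the thresholds are constructed assumptions.
"""
from collections import defaultdict

SAMPLE_POINTS = ["NW-corner", "NE-corner", "SE-corner", "SW-corner", "centre"]
PERIMETER = set(SAMPLE_POINTS[:4])

# Constructed survey rows: (bssid, sample point, signal strength).
SURVEY = [
    # strong at all five points: almost certainly inside our space
    ("00:11:22:aa:bb:01", "NW-corner", 42), ("00:11:22:aa:bb:01", "NE-corner", 38),
    ("00:11:22:aa:bb:01", "SE-corner", 35), ("00:11:22:aa:bb:01", "SW-corner", 40),
    ("00:11:22:aa:bb:01", "centre", 47),
    # strong only on the west wall, weak in the middle: the neighbours
    ("00:11:22:aa:bb:02", "NW-corner", 36), ("00:11:22:aa:bb:02", "SW-corner", 33),
    ("00:11:22:aa:bb:02", "NE-corner", 12), ("00:11:22:aa:bb:02", "centre", 18),
    # faint everywhere it was seen: can't be placed from this survey
    ("00:11:22:aa:bb:03", "NE-corner", 9), ("00:11:22:aa:bb:03", "centre", 6),
]

STRONG = 30              # what the post calls "relatively high"
MIN_STRONG_POINTS = 4    # strong at 4 of 5 points => assume it's in our space


def classify(survey, strong=STRONG, min_points=MIN_STRONG_POINTS):
    """Group readings by BSSID (the 'sort by BSSID' step), then decide per
    BSSID from the set of sample points where it was strong.
    Returns {bssid: verdict string}."""
    by_bssid = defaultdict(dict)
    for bssid, point, rssi in survey:
        # keep the best reading if a point was sampled more than once
        by_bssid[bssid][point] = max(rssi, by_bssid[bssid].get(point, -1))

    verdicts = {}
    for bssid, readings in by_bssid.items():
        strong_points = {p for p, r in readings.items() if r >= strong}
        if len(strong_points) >= min_points:
            verdicts[bssid] = "inside: candidate rogue, go hunt it"
        elif strong_points and strong_points <= PERIMETER:
            verdicts[bssid] = "outside: strong only along the outer wall"
        else:
            verdicts[bssid] = "undetermined: take more sample points"
    return verdicts


if __name__ == "__main__":
    for bssid, verdict in sorted(classify(SURVEY).items()):
        print(bssid, "->", verdict)
```

The "undetermined" bucket is where a rogue with its transmit power turned right down will land; those BSSIDs are the reason to add sample points rather than discard them.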

For less dense environments, or if you've targeted a particular suspected rogue, you can use the "walk aimlessly" technique. Use a low-gain antenna so you're not chasing something three blocks away, lock in on the particular channel and BSSID (AirMagnet's "Find" function is really great for this), and just follow the signal. One helpful technique is to use your body to identify the direction the signal is coming from. Wireless signals are heavily attenuated by water, and the human body is something like 70% water, so we can hold the card near our chest and turn around: if the BSSID is in front of us, the signal strength will normally drop by ~10 when we turn our back to it. The same technique works for APs above our location: put a hand over the top of the card, or bend over. To a bystander all of this may look a little strange, but remember we're walking around aimlessly anyway, so people already think we're weird!

In general, the major weakness of rogue detection is an AP whose signal strength has been turned way down. There are some cases where you may get lucky and pick it up, but a lot of the time that's not the case. Taking more sample points helps: even with a low signal, it might tip you off that something is nearby.

AP Impersonation: I'm writing a whitepaper on WPA Enterprise AP impersonation attacks, where you can compromise an EAP-TTLS or PEAP 802.11 network due to one common configuration-related issue, so I think it's time to bring more attention to these types of attacks. AP impersonation attacks are just what they sound like: an attacker positions an access point that mimics the configuration of your wireless access points, and the client unknowingly connects to the attacker's AP. This can be used in a number of different ways, but here we'll just look at one variant.

Without a wireless network in your environment, the only wireless an attacker can target is that of your clients. With the wireless adapter enabled, the client constantly sends probe requests to see whether one of its configured wireless networks is available. By responding to these probe requests, an attacker can trick the client into connecting to the malicious access point. It should be noted that if the network the client is probing for is encrypted or requires some sort of authentication (assuming it's configured correctly), the attack is mitigated. However, in cases such as an airport wireless network or "Free Public WiFi", the client may unknowingly connect to the AP, exposing itself to further attacks which may ultimately get the attacker onto the corporate internal network (assuming the client is hardwired into the internal network at the time of the attack). Tools that demonstrate these attacks have been around for quite a while now (e.g. Hotspotter and Karma).

The main protections against these attacks are disabling wireless altogether, disabling it while it's not in use, or disabling it while the Ethernet cable is plugged in. Disabling wireless altogether is an excellent idea; unfortunately it may not always be an option. You can disable it while it's not in use, but that relies on getting your users into the habit of manually disabling the adapter before and after use. Again, that may not be very feasible. I recommend the last option, where the adapter is disabled whenever the Ethernet cable is plugged in. I know most Dell laptops nowadays will do this automatically, and you can also buy wireless configuration software or client security software that does it. Of course, you always want your clients running a firewall and up to date with recent patches to further mitigate your risk. It's also recommended to prevent the client software from connecting to ad-hoc networks.

In general, rogue APs are such a widely known threat that they often go overlooked. They're usually discovered when a network engineer or security person accidentally connects to one, or notices it in their client software. This should not be the case within your organization. Quarterly checks should be put in place to ensure these entry points do not go overlooked and that your clients are not subject to these attacks. Think about it: it'll only take about one day's work to protect yourself.

Cyber Jihad Isn’t Here Yet

There's a lot of hype circulating about a "Jihad" application meant to wage cyber war in the near future. A lot of people have speculated, and while the experts are dismissive, the topic is still getting a lot of press and worrying average users. I took a bit of time to examine the binary and I don't believe it poses a huge threat. Here are my reasons why:

  1. The program is written in Visual Basic. While there's nothing wrong with that, VB is not the preferred programming language of very many professionals. C/C++/C# tend to be better choices for complicated and efficient programs. VB tends to be a language for quick applications or for those beginning programming.
  2. A tracking website is required to use the application. Terrorists don't like to be tracked. Further, the site tracks referrals, so it would be trivial to map cliques of users, which again is something terrorists would be desperate to avoid.
  3. The website variables are in English. Extremists/Islamic Jihadists tend not to speak English (remember all the stories about the few English speakers they use?). These guys have some understanding of English, indicating they might not be the stereotypical terrorist.
  4. The URL is hard-coded and points to a real web server. We're in an age of dynamic DNS and fast flux. A static, real URL is very amateur and easily blocked.
  5. There didn't appear to be any capability to update the program remotely, which would be key for pushing updates and avoiding being blocked. I did a VERY QUICK analysis, but didn't see this capability.
  6. The executable wasn't encrypted and didn't resist malware analysis. Real malware writers love to make life hard for the AV guys; none of that was present in this executable.
  7. The web server had FrontPage extensions, which again just seems out of place for cyber war.

All told, these bits of analysis make the code look as if it was written by high school or early college kids. If their network got large enough, maybe they could cause harm. Right now the web server isn't working and the app seems like a no-go. I'd suggest everyone block traffic to the server http://al-jinan.net and stop worrying.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

Need a passport or driving license? Find them on the web from €400

The wonders of the underweb never cease to amaze me some days. Not because of the devious goings-on themselves, but because some groups are so blatant about them.

Need a passport? You might have visited http://www.new-pasport.org. [Google cache]

Allow me to translate:

Passports of the European Union

» Lithuania - 2500 euros without an advance payment and 2000 euros on an advance payment in 50 %
» Latvia - 2500 euros without an advance payment and 2000 euros on an advance payment in 50 %
» The Great Britain - 3500 euros without an advance payment and 3000 euros on an advance payment in 50 %
» Germany - 3500 euros without an advance payment and 3000 euros on an advance payment in 50 %

Driving licenses too:

Driving license of the European Union:

» Lithuania - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» Latvia - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» The Great Britain - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» Germany - 600 euros on an advance payment in 50 % and 800 euros without an advance payment

The payment methodology is interesting too: it's cheaper if you pay upfront. If you don't trust the document dealer, you can opt to pay a little more in two Western Union payments, withholding half the payment (by withholding the code needed to claim the second transfer) until your fraudulent documents arrive.

This isn’t the first time we’ve seen this operation either, they have some history on a .biz version of the domain too.

Almost a year ago the BBC broadcast a Panorama programme in which a researcher purchased 20 fake or fraudulent passports, some of them at great personal risk to the reporter. You can see a clip of the programme at BBC Online, or the whole programme here.

UK law is pretty clear on this one: travelling into the UK on a false, forged or stolen passport carries a prison sentence of up to 10 years, while making a false declaration to obtain a passport can lead to a prison sentence of up to 2 years.

Pay Up, Or The Computer Gets It!

Ok, having done this stuff for a while, I've seen a fair amount of questionable practices. It takes something pretty unique to get my goat (antivirus researcher pun intended) at this point. That said, what I found Micro Bill Systems doing had my jaw hitting the desk.

Following up on a post to the Grok.org.uk [Full-Disclosure] mailing list, I did some research (and yes, it was legitimate research!) into the billing method used by sexxxpassport.com. Micro Bill Systems (MBS) provides the billing used by the site, and the model is rather unconventional, to say the least.

Sexxxpassport offers a free three-day trial of their adult site. All that is required is downloading and executing the "Authenticator" software.

Signup page

Download dialog

The full terms (all 11+ pages) are displayed below this when clicking the link (which consists of that entire underlined text block shown). However, the user is not required to actually view the terms at any point before proceeding. Combined with the fact that the most alarming sections of the Terms begin around page 5, this raises the question of how reasonable it is to assume the user will have fully absorbed and understood them.

Furthermore, by offering access to the services without requiring any billing information it seems very likely the content providers are banking (literally!) on people assuming they can just stop accessing the site before the trial ends, without needing to affirmatively cancel the service, and all will be well. However, that assumption is woefully incorrect.

After three days (in accordance with the Terms), it’s assumed the user wishes to subscribe, and they are charged for 90 days worth of access at “less than 45p per day” (so, somewhere around £40, or approximately $80). Then the popups start.

Terms section 16.6

The frequency and persistence of the popups is actually spelled out in the full Terms & Conditions. In fact, it is very explicit about what the MBS software is going to do, with the forcefulness of the billing display ramping up over a few weeks.

Terms section 16.6

Possibly the most alarming item of the Terms & Conditions is in Section 12:

12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline.

Yes, you read that correctly. They are claiming the right to disrupt and potentially completely disable use of your computer as a means to compel payment. Depending on the current display resolution of the system the locked billing popup can indeed obscure things to the point of making it unusable. The popup window will automatically restore itself if resized or moved. It also carries the “always on top” attribute, so it will cover other desktop elements or application windows. Though the disruption is limited in duration it appears that the daily display count for the billing reminder is reset if the system is rebooted, and so could occur more than once per day.

There are also clauses in the Terms & Conditions where fees can pile up quickly.

Terms Section 20.1

Depending on how you interpret (a), I could see it adding £25 a day for each day beyond the 7th that you have an outstanding bill. Not being versed in accounting, I'm unclear precisely on the circumstances in which (b) and (c) apply.

The closest analogy I’ve come up with: You’re offered a free trial of satellite radio for your car. Then, a week later, you go to leave for work one morning and find a boot on your car, immobilizing it until you pay up.

The most they should be able to do, in my view, is cut off access to their services and refer the individual to collections. What it appears they are doing is, in my humble opinion, a form of extortion based on the (usually correct) assumption that a person’s computer will be key to many other activities in their daily life. Also, possibly with inadvertent/passive blackmail as a bonus: someone not wanting other family members or a spouse to realize they’ve been surfing for pornography, or perhaps even more dire, someone to see it on a computer at their workplace, and becoming desperate to silence the persistent billing popups.

Faced with such a situation, it is probable that most "customers" would quickly pay to regain control of their systems and avoid possible embarrassment. I strongly suspect the powerful social engineering leverage created by this situation is not accidental.

Additional details are available at the Avert Labs Threat Library page for MicroBillSystems.

Hacker targets Mac fan blogs

A self-proclaimed Mac user is targeting Mac fan blogs. He has already defaced two well-known Mac-related blogs.

http://www.applematters.com/

http://iphonematters.com/

Notice on defaced Mac blogs

In his own words: "I'M A MAC USER. I JUST HAVE A STRONG DISTASTE FOR MAC SYCOPHANTS."

This is possibly the first time a hacker has targeted Mac-related websites. It is an interesting month for the Mac user base, with multiple Trojans/malware appearing along with a horde of security updates from Apple itself.

Things are definitely heating up in Mac Land!

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Update Nov 28th <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Seems that this defacement may in fact be a hoax:

http://www.applematters.com/index.php/section/comments/sincere-apologies/

http://www.applematters.com/index.php/section/comments/a-bad-pr-stunt/

http://www.glennwolsey.com/2007/11/28/what-really-happened-sincere-apologies/

Pretty odd any way you look at it. Also after a bit more digging we came across another Apple defacement (there are a few more with some Googling):

http://networks.silicon.com/webwatch/0,39024667,39158606,00.htm?r=1

Fun With Symbian Platform Security

In the past few weeks, a number of Symbian technical blogs have announced a hack of Symbian Platform Security on the latest Symbian phones. By modifying a file in an OS software update, you can install unsigned applications and gain access to the Nokia Series 60 (S60) phone’s file system. On older S60 phones it was easier to accidentally install malware such as Cabir or Commwarrior. The newest phones refuse to install old installation files and restrict file system access for new programs, unless they’re digitally signed.

Being able to install unsigned apps is not a big risk by itself, since on an unmodified phone unsigned programs still will not install. After applying this hack, you can sign an application yourself and also grant it additional permissions, such as reading user data or monitoring e-mail. Signing an app yourself limits it to being installed and run only on your own phone, so this isn't an effective way to spread malicious programs.

Others have suggested more harmful uses for this hack. Phone thieves may use the technique to read your e-mail or steal unencrypted passwords. The risk from this attack is also slim, as the hack may brick various phone models.

Sony Ericsson UIQ phones are also open to a variation of the hack. Instead of the more uncertain do-it-yourself method on the S60 phones, for around $30 you can purchase online a flash update from a phone-unlocking vendor. However, every time a new official UIQ update is released, you’ll need to purchase another unlocking flash.

Though playing with phone hacks can be fun, there is the possibility of ending up with a bricked phone. Here are a few more things to look out for:

From Fast-Flux to RockPhish - Part 1

For several years we have been talking about the growing sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools are called Fast-Flux, RockPhish and MPack. As I recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these newer cybercriminal methods over two blog posts.

Before complicating the scheme, let me start with a very simple example:

Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and rotates through them as they get shut down, which can happen very quickly or very slowly depending upon the vigilance and honesty of the hosting providers.

One machine hosts his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, the e-mails are personalized with background noise and random text. For more diversification, and because he has so many domain names, his software varies the URL of his site across the messages it sends.

When a victim tries to follow the link they were sent, their resolver asks the local name server for the IP address of the host named in the URL:

If the answer is already cached at this level, it is returned directly to the requester. Otherwise, and if the domain is still live, the IP address is returned only after the resolver has walked down from the root servers to the domain's authoritative name server. Dozens of different domain names can point to a single machine.

Here is an example of a result that could be obtained using this method:

With phishing, the methods are becoming more complex. This curve, derived from APWG statistics, does not show the number of victims, which has increased a lot this year.

It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.

To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

In single-flux, the criminal has just one domain. Thanks to an unscrupulous hosting provider, he runs his own domain name server. The criminal also has a network of compromised machines available to him, which he uses as relays between the victims and his site. Very short DNS TTLs, combined with round-robin over the IP addresses of many zombie machines, let him continually change the address that victims use to reach the mirror site.

The real site behind it is therefore even better protected.

When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

Since the record lives for no more than a few minutes, there is generally no cached answer, so the criminal's name server is queried and the IP address of one of the bots is returned to the victim. For the few minutes of the transaction that bot relays the traffic, and then it drops out of the rotation, making the key sites harder to locate and therefore to neutralize.

Here is an example of an online casino site using the single-flux technique:

My Windows build of dig (Domain Information Groper) shows the distinctive features of such a network: the TTLs are very short, and the IP addresses are widely scattered. This is the signature of single-flux camouflage.
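The dig output itself is not reproduced on this page, so here is an added example (not the post's own output or tooling) that applies the two signals just described, short TTLs and scattered addresses, to repeated dig-style answer sections. The domain name, the three successive answer sections for it, and the long-TTL control site are all constructed; the /16 prefix count stands in for the ASN diversity you would check with a real lookup.

```python
"""Spotting single-flux DNS from repeated dig-style answer sections.

Added example; not the post's own dig output. DIG_RUNS, STABLE_RUNS and
the domain names are constructed to show the pattern the post describes.
"""
import re
from ipaddress import ip_address

# Constructed: three successive queries for the same name, minutes apart.
DIG_RUNS = [
"""casino-bonus.example.        180     IN      A       91.23.44.17
casino-bonus.example.        180     IN      A       201.7.155.203
casino-bonus.example.        180     IN      A       24.118.9.66""",
"""casino-bonus.example.        150     IN      A       82.210.3.99
casino-bonus.example.        150     IN      A       24.118.9.66
casino-bonus.example.        150     IN      A       187.45.200.14""",
"""casino-bonus.example.        160     IN      A       62.180.77.5
casino-bonus.example.        160     IN      A       113.22.6.140
casino-bonus.example.        160     IN      A       91.23.44.17""",
]

# Constructed control: ordinary hosting, one-hour TTL, same two addresses every time.
STABLE_RUNS = [
"""www.normal.example.          3600    IN      A       203.0.113.10
www.normal.example.          3600    IN      A       203.0.113.11""",
] * 3

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_a_records(answer_section: str):
    """Return [(ttl, IPv4Address), ...] from one dig-style ANSWER SECTION."""
    return [(int(ttl), ip_address(ip)) for _name, ttl, ip in A_RECORD.findall(answer_section)]


def flux_score(runs, max_ttl=300, min_distinct_ips=6, min_prefixes=4):
    """Apply the post's two tells: very short TTLs and many, varied addresses.
    Counting distinct /16s separates a zone backed by scattered zombie hosts
    from a legitimate round-robin whose addresses all sit in one network."""
    ttls, ips = [], set()
    for run in runs:
        for ttl, ip in parse_a_records(run):
            ttls.append(ttl)
            ips.add(ip)
    prefixes = {str(ip).rsplit(".", 2)[0] for ip in ips}  # first two octets
    report = {
        "max_ttl": max(ttls),
        "distinct_ips": len(ips),
        "distinct_16s": len(prefixes),
    }
    report["single_flux_suspected"] = (
        report["max_ttl"] <= max_ttl
        and report["distinct_ips"] >= min_distinct_ips
        and report["distinct_16s"] >= min_prefixes
    )
    return report


if __name__ == "__main__":
    print("casino:", flux_score(DIG_RUNS))
    print("normal:", flux_score(STABLE_RUNS))
```

Three queries are the minimum to see the rotation; in practice you would poll the name every TTL interval for an hour or so and watch the distinct-address count keep climbing, which a CDN's fixed pool never does.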

The next post will look at how a double-flux network works and, after that, a RockPhish network.