Saturday, October 19, 2013

Information Leakage and Improper Error Handling

Information leakage and improper error handling appeared in the OWASP Top 10 of 2004 and 2007. Since 2010 the category has been renamed "Security Misconfiguration" and given a wider scope.

While doing my online shopping today, I accidentally triggered an SQL query timeout error. The error page revealed quite a lot of information, which can be useful for the programmer to carry out troubleshooting. But best of all, it also provides the hacker with information to carry out the next level of "attack" on the server.

The error page provides table information and file paths that help in launching SQL injection and XSS attacks.

The error page also shows the application software that the server is using and its version number. Based on this information, the Microsoft .NET Framework version is not the latest. It may contain critical vulnerabilities that allow elevation of privilege and remote code execution.

Planning to inform the site administrator about these issues, and hoping nobody has hacked it yet.
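As an added example (not code from the post), the check below does two things a defender would want after reading this: it scans a response body for the leakage indicators described above (stack traces, file paths, framework version strings, raw SQL errors), and it shows the safe pattern of logging the full exception server-side while returning only a generic message and a reference id to the client. The regexes and the sample error page are constructed assumptions, not taken from any real site or scanner.

```python
import re
import uuid
import logging

# Indicators that an HTTP error response is leaking server internals to the client.
# These patterns are an assumption for this example, not taken from any scanner.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Stack Trace|\bat [\w.]+\([^)]*\) in ", re.IGNORECASE),
    "file_path": re.compile(r'[A-Za-z]:\\[^\s"\'<>]+|/var/www/[^\s"\'<>]+'),
    "framework_version": re.compile(r"(?:\.NET Framework|ASP\.NET|PHP|Apache)\s*Version:?\s*[\d.]+", re.IGNORECASE),
    "sql_error": re.compile(r"Timeout expired|SqlException|Invalid object name|Invalid column name", re.IGNORECASE),
}

def find_leaks(body: str) -> dict:
    """Map each leakage indicator found in a response body to the first matching text."""
    hits = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body)
        if match:
            hits[name] = match.group(0)
    return hits

def client_safe_error(exc: Exception, log: logging.Logger = None) -> dict:
    """Log the full exception server-side; the client only gets a generic message and a reference id."""
    log = log or logging.getLogger("app.errors")
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)  # details stay in the server log
    return {"error": "An internal error occurred.", "reference": ref}

# Constructed sample of a verbose ASP.NET-style error page (not the page the post describes).
SAMPLE_ERROR_PAGE = """Server Error in '/' Application.
Timeout expired. The timeout period elapsed prior to completion of the operation.
[SqlException (0x80131904): Timeout expired.]
Source File: C:\\inetpub\\wwwroot\\shop\\Checkout.aspx.cs    Line: 42
Stack Trace: at Shop.Checkout.LoadOrders() in C:\\inetpub\\wwwroot\\shop\\Checkout.aspx.cs:line 42
Version Information: Microsoft .NET Framework Version:2.0.50727.3643; ASP.NET Version:2.0.50727.3634
"""

if __name__ == "__main__":
    for name, text in find_leaks(SAMPLE_ERROR_PAGE).items():
        print(f"{name:18} {text}")
    print(client_safe_error(RuntimeError("Timeout expired"), logging.getLogger("demo")))
```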


Thursday, October 25, 2012

IPv6 InSecurity. Is your company ready for IPv6?

Everybody is announcing that IPv4 addresses are running out. Countries and major IT companies (such as Google) are encouraging others to move to IPv6. IPv6 has always been portrayed as more secure than IPv4.

Image from Google

But in his recent talk "IPv6 Insecurity" at HITB, van Hauser shared that the number of vulnerabilities found related to IPv6 has grown hugely in recent years, several times more than for IPv4.

So is IPv6 mature and stable enough? Do you think companies are ready for the change to IPv6? Should we be encouraging our companies to make the change now? These are the questions that I think we, as security professionals, need to ask ourselves.

Besides worrying about the readiness of IPv6, van Hauser also highlighted the importance for companies (even those in a pure IPv4 environment) to be aware of and understand the threats from IPv6. Desktop and network devices these days may already support IPv6, and it may be enabled by default. Attackers may use this "channel" to target companies in an IPv4 environment and bypass network protection (e.g. an IPS) that is not IPv6 aware.

Related articles:
- HITB slides: Marc Heuse - IPv6 Insecurity Revolutions.pdf
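The first step in defending against the "IPv6 enabled by default" problem is knowing which hosts already have routable IPv6 addresses, especially ones learned from router advertisements that nobody configured. The audit below is an added example (not from the talk or the post): it parses `ip -6 addr show` output, ignores loopback and link-local addresses, and reports global or unique-local addresses together with whether they were acquired dynamically. The sample output is constructed using documentation prefixes.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not captured from any real host).
SAMPLE_IP6_ADDR = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789a/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86375sec preferred_lft 14375sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)[:@]")
INET6_RE = re.compile(r"^\s+inet6 (\S+) scope (\w+)(.*)$")
ULA = ipaddress.ip_network("fc00::/7")

def classify(addr: ipaddress.IPv6Address) -> str:
    """Coarse scope classification; anything not loopback/link-local can carry traffic off-host."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    return "global"

def audit_ipv6(ip_output: str) -> list:
    """Return every routable IPv6 address with its interface, noting whether it was learned
    dynamically (SLAAC/DHCPv6) rather than configured by an administrator."""
    findings, iface = [], None
    for line in ip_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_interface(m.group(1)).ip
        kind = classify(addr)
        if kind in ("loopback", "link-local"):
            continue
        findings.append({"iface": iface, "address": str(addr), "kind": kind,
                         "dynamic": "dynamic" in m.group(3).split()})
    return findings
```

A host on a supposedly IPv4-only network that returns any finding here, particularly a dynamic one, has an IPv6 path that the IPv4-only IPS never sees.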


Tuesday, October 16, 2012

HITB playing AC/DC concert

While waiting for the next speaker at the HITB (Hack In The Box) Conference in Kuala Lumpur, the screen in the conference hall started to play the song "Thunderstruck" by AC/DC (shown in the video below).

The music video is actually part of the introduction to the presentation titled "Behind Enemy Lines" by Mikko Hypponen of F-Secure. His speech talks about the various cyber "enemies" (types of hackers) and their motives. He also shared with us some of the ways to defend against these "enemies" and avoid becoming a target.

You can download the slides from the HITB website here.

Sunday, September 23, 2012

USB hacking obsolete?

With the Windows autorun feature disabled by default, are USB hacking methods such as pod slurping and trojanized flash drives no longer possible?

I recently wrote an article, "Pentesting with Teensy", for PenTest Magazine that describes how you can emulate a device as a HID (Human Interface Device) to inject attack code and execute commands on the system.

For those who have not read the article, I have made a short video to demonstrate how you can still carry out USB hacking using Teensy.

Besides using Teensy as a pentesting or hacking tool, it can also be useful for auditors to verify system hardening and configuration, with system commands pre-set into the device.

For more information about my article, refer to my previous post "Pentesting with Teensy".

Tuesday, September 4, 2012

Command Your Windows

Systems these days do not really require users to use the command line. Windows, Mac, Linux and even traditionally command-based UNIX come with a GUI (Graphical User Interface) such as KDE. The command line may seem obsolete to many, but it is still very useful to hackers and pen-testers when a GUI is not available, such as when using a remote shell.

I have written an article titled "Command your Windows", which is published in this month's PenTest magazine (September). In this article I share some of the useful Windows commands that a hacker or pen-tester can use after obtaining a remote shell on the system.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Friday, August 3, 2012

Pentesting with Teensy

The Windows autorun feature is disabled by default these days. Is it still possible to launch code automatically from a USB drive? What if there were a USB drive that could execute code automatically when plugged in, yet could not be identified as a USB drive by the system?

Teensy is a USB-based micro-controller development board that can be programmed to emulate any device and store program code. I have written an article that describes how you can emulate the device as a HID (Human Interface Device) to inject attack code and execute commands on the system.

This article, titled "Pentesting with Teensy", can be found in the July issue of PenTest (Web App) Magazine.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Thursday, August 2, 2012

WhatsApp InSecurity

The ownership of smartphones and tablets has grown enormously over the past few years. WhatsApp has gained popularity as the cross-platform application to replace traditional messaging services such as instant messaging and SMS. How safe is it to use for personal communication?

I have written an article that talks about how you can extract the messages and photos that were sent via WhatsApp.

This magazine can be purchased online from the Hakin9 Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

There is a video of the related demonstration, which I previously posted in "Can you extract message and photo from WhatsApp".

Friday, July 13, 2012

Security Guideline for Mobile Devices in Enterprise

This week, NIST (National Institute of Standards and Technology) released guidelines for managing and securing mobile devices in the enterprise (Guidelines for Managing and Securing Mobile Devices in the Enterprise, SP 800-124 Revision 1). The purpose of this publication is to provide recommendations to help organizations centrally manage and secure their mobile devices against various threats.

This document is intended for technical staff such as security engineers and those responsible for planning, implementing and maintaining the security of mobile devices.

It covers the types of mobile device that are in scope, such as smartphones and tablets. Basic cell phones and laptops are out of scope, as their threat levels and security control options are different.

It also talks about the different high-level threats and vulnerabilities related to these devices, as they generally have a higher risk exposure than other client devices such as desktops and laptops. These threats are:
  • Lack of physical security controls 
  • Use of untrusted mobile devices 
  • Use of untrusted networks 
  • Use of applications created by unknown parties 
  • Interaction with other systems 
  • Use of untrusted content 
  • Use of location services 
The next section of the document provides an overview of the current state of MDM (Mobile Device Management) technologies, mainly comprising the components, the architectures and the capabilities. For components, it discusses the choice between an MDM solution from the same vendor as the mobile device and a third-party product that can manage one or more types of mobile device. The architectures deal with the different considerations and the use of other enterprise services based on business requirements. As for the capabilities of the MDM, it should provide the following security services:
  • General policy that can enforce enterprise security policies on the mobile device.
  • Data communication and storage that provide strong data encryption during communication and on storage. It should also have the ability to remotely wipe the device.
  • User and device authentication, which includes account and device lockout and remote locking of the device.
  • Applications. It should be able to restrict the installation and removal of applications, and prevent access to enterprise resources based on the device's OS (Operating System) version and status (rooted or jailbroken).
Lastly, it talks about security across the life cycle of the enterprise mobile device solution, which covers everything from policy down to operations. This life cycle consists of 5 main phases.
  • Phase 1: Initiation. This phase includes identifying needs for mobile devices, creating a high-level strategy for implementing mobile device solutions, developing a mobile device security policy, and specifying business and functional requirements for the solution.
  • Phase 2: Development. This phase covers the technical characteristics of the mobile device solution and related components, including the authentication methods, cryptographic mechanisms and types of mobile device client to be used.
  • Phase 3: Implementation. This phase involves configuring equipment to meet operational and security requirements and ensuring integration with other security controls such as security event logging and authentication servers.
  • Phase 4: Operations and Maintenance. This phase covers security-related tasks that should be performed on an ongoing basis, such as log review and attack detection.
  • Phase 5: Disposal. This phase covers the tasks for retiring components and the mobile device solution, including preserving information to meet legal requirements and sanitizing and disposing of equipment properly.
For more details on this NIST publication, visit the following link:
This post is also available in Seczine, an online Security magazine.

Tuesday, May 1, 2012

Can you extract message and photo from WhatsApp?

One day while messaging my friend using WhatsApp, he asked me if the traffic is secure. I did a bit of reading up and found out that WhatsApp messages were actually not encrypted, unlike iMessage.

So I decided to make a simple video to show how you can extract messages and photos that were sent via WhatsApp.


Wednesday, April 11, 2012

HP ProCurve Switch comes with FREE malware

HP announced in their security bulletin yesterday (10 Apr) that they have shipped malware-infected compact flash cards with their HP ProCurve switches.

In their official bulletin: "A potential security vulnerability has been identified with certain HP ProCurve 5400 zl switches containing compact flash cards which may be infected with a virus. Reuse of an infected compact flash card in a personal computer could result in a compromise of that system's integrity."

They have not disclosed how the malware managed to infect the flash cards, but it is likely that it had infected the systems of the third-party manufacturer that supplied those flash cards.

It is not the first time that renowned companies have shipped malware in their products. Seagate and Apple also have reported cases. (See my previous blog post "Battery not included ... but Malware is...")

Related Reports:
- HP SUPPORT COMMUNICATION - SECURITY BULLETIN

Monday, October 24, 2011

Android vs iOS security

An interesting video on well-known security researcher Dr Charlie Miller, which discusses the security postures of Android and iOS.

Sunday, October 23, 2011

My Million dollar ATM is ready for delivery??

I have just received an interesting scam mail. I think it will be useful to share with all my readers.

The email claims to be from FedEx. They are ready to deliver "my" million-dollar ATM card in GHANA.

-Below is the extract-

Dear Valued Customer.

The office of the FedEx Managements in the capital city of ACCRA GHANA do hereby wish to inform you that your ATM card package is ready for delivery.

The issuing bank of this ATM card has instructed us to inform you that your card has been credited with the total sum of US$4,750,000.00 (Four Million-Seven Hundred & Fifty Thousand Dollars) which is now accessible and you can make your withdrawal from any ATM machine worldwide.

This ATM card with the PIN code and other vital documents has peen packaged into an Envelop which has been assigned for immediately delivery but unfortunately, the issuing bank has cleared (PAID) the delivery fee, insurance fee, custom duty fee, delivery permit fee but they were not allowed to pay the security bonded keeping fee because we have not been told when you will be coming for your claim not until the bank instructed us to contact you and inform you of the security bonded keeping fee which is only the sum of US$98 dollars, this is the only fee that you has to pay.

We further request you to kindly clear security bonded keeping fee of US$98 Dollars to enable us effect the delivery of your ATM card to you as soon as possible. At the meantime, you have to get back to us with your address where your package would be delivered to you within the nest 48hrs.

Your complete Name:…………………………
Your Complete Address:………………………
Your Mobile Number:…………………………..

Upon your swift response, we shall instruct you on how you will make the payment to the security office before we would be allowed to move your package. Our delivery duration is only 48hrs starting from the time when your package was picked up and dispatched out from our office here in Ghana.

We anticipate your response.

Thank you.

Mr. Mac Moses
FedEx Delivery Officer
Tel: 233- 247630112

-End of email-


From the email header, you will be able to see some useful information:
1> Source email address.
2> Source mail server
3> Source IP address connected to mail server
4> Reply to address

From "1> Source email address", you know that the email is coming from "chinkyeyes@rogers.com". Rogers.com is actually a Canadian ISP, which uses the Yahoo mail gateway (as shown below). So this verifies the "2> Source mail server" in the mail header.


From "3> Source IP Address" (41.218.192.255), it was from Ghana. So it is likely that the account of the user "chinkyeyes" was compromised by the scammer.


Scam mail tends to show tell-tale signs such as spelling errors.
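The four header fields read above can be pulled out automatically. The function below is an added example (not from the post) using Python's standard `email` module: it takes the sender address, the mail server that first accepted the message, the client IP recorded in the earliest Received header, and the Reply-To, and flags the sender/Reply-To domain mismatch that is typical of mail sent from a compromised account. The headers are constructed with placeholder addresses and a documentation-range IP, not the real values from the scam mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the scam in the post; addresses and IPs are placeholders.
SAMPLE_HEADERS = """Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.victim.example (Postfix) with ESMTP id 8F3A2; Sun, 23 Oct 2011 09:12:44 +0000
Received: from [203.0.113.45] by webmail.example.org via HTTP; Sun, 23 Oct 2011 09:12:40 +0000
From: "FedEx Delivery Officer" <compromised.user@example.org>
Reply-To: fedex.claims@example.net
To: victim@victim.example
Subject: Your ATM card package is ready for delivery

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_indicators(raw_message: str) -> dict:
    """Extract sender, first accepting mail server, originating client IP and Reply-To,
    and flag a Reply-To domain that differs from the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Each hop prepends its own Received header, so the last one is the origin hop.
    received = msg.get_all("Received") or []
    origin_ip = source_server = None
    if received:
        ip_match = IP_RE.search(received[-1])
        origin_ip = ip_match.group(1) if ip_match else None
        by_match = re.search(r"\bby (\S+)", received[-1])
        source_server = by_match.group(1) if by_match else None
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    return {
        "from": from_addr,
        "source_mail_server": source_server,
        "origin_ip": origin_ip,
        "reply_to": reply_to,
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
    }

if __name__ == "__main__":
    for key, value in header_indicators(SAMPLE_HEADERS).items():
        print(f"{key:20} {value}")
```

The origin IP is what you would then look up against a geolocation or abuse database, as the post does for 41.218.192.255.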