Wednesday, July 28, 2010

Malware detection service - Video

QualysGuard's new Malware Detection Service is a scanner that goes to a website, crawls it, retrieves the pages and inspects the web content for malware. It does this in two stages. First, it examines the structure of each page, looking for the typical ways malware is embedded in pages (static analysis). Second, the page is handed over to a virtual machine running Windows XP, which renders the page, looks for abnormal activity and flags the page to the website owner.

Watch this video for more details


Wednesday, July 21, 2010

Core Impact Pro: Penetration testing framework

Needless to say, Metasploit has been extremely useful to the security world. Whoever you are, a script kiddie or a seasoned professional, Metasploit has something for you to learn from. For those of you new to Metasploit, it is a framework of useful tools for penetration testers, intrusion detection system signature developers, security professionals, or anyone who wants to learn hacking in a simulated environment. Metasploit's main aim is to provide up-to-date information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. Although the tools and techniques are provided for ethical testing, there are instances where anti-social elements may use this information to create an attack vector.
Today CORE IMPACT joined hands with Metasploit to come up with an updated commercial security framework called CORE IMPACT Pro. It removes the need to have two scanners for the same function. The upcoming framework can be expected to have some very useful functionality, such as a Meterpreter plugin that allows clients to easily deploy the IMPACT Pro Agent onto any machine they have gained access to via Metasploit. And customers who simply want to run Metasploit alongside IMPACT Pro can now have the Attack and Penetration Wizard call and run Metasploit's db_autopwn feature directly from the product.
Product manager Alex Horan wrote in his blog:
This standard language for communicating information about a machine – and the actual vulnerabilities present on that machine – allows any system that can report or act on such information to more easily understand the results of an IMPACT Pro test.  Also count among the new methods of exporting data from IMPACT Pro our added delivery of an integration with vulnerability assessment specialist Qualys’ PCI Connect SaaS Platform. And for our friends who work in the public sector, the change of agent encryption to the AES standard will also prove handy for those specifically bound by FIPS-140.
Supplementing these additions driven directly by my time spent talking to people working to secure their environments or measure the security of their environments are the IMPACT Pro usage stats that a growing number of our customers have chosen to share with us in an anonymous fashion.
By analyzing this data we’re beginning to draw some interesting conclusions about just how people utilize IMPACT Pro and the state of the world as seen by penetration testers using the product.
With IMPACT Pro v10 we began sharing this data back to those customers who are sending their testing information to help them better understand how their testing practices and results stack up compared to the rest of the participating customer community.
With v10.5, we’ve now added the ability for organizations to tell us what industry they belong to – so now you can use this feature to see just how you compare to other IMPACT Pro users from within your specific area of business.
Among the updates to IMPACT Pro v10.5 are:
  • Integration with the Metasploit penetration testing framework: this new integration offers users of the two systems the ability to utilize Core's commercial-grade, automated solution - with its large library of professionally developed exploits, easy-to-use interface and in-depth reporting capabilities - directly alongside Metasploit.
  • Integration with the Qualys PCI Connect SaaS platform: with this, customers can now address PCI DSS Requirement 11.3 - which directs merchants to perform in-depth penetration testing on a frequent basis - and run IMPACT Pro's PCI Vulnerability Validation Report to complete their Self Assessment Questionnaire (SAQ) within the QualysGuard PCI Connect interface.
  • Support for the Security Content Automation Protocol (SCAP): this move incorporates CVE, CVSS and CPE data into its reports, and the data can also be exported in XML format for use in centralized security databases.
  • Enhancements to the CORE IMPACT Dashboard and Usage Statistics: this adds a range of improvements to the Dashboard interface, including a more intuitive presentation of product usage statistics.
  • Use of the AES encryption standard for IMPACT Agent communications: AES encryption is used for interactions between the product's Console and any IMPACT Agents deployed on systems undergoing penetration tests.
  • Microsoft Windows 7 64-bit support.
Besides the new functionality, IMPACT Pro also lets you see your network, endpoint, email-user and web application security as an attacker would. With IMPACT, you can:
  • pinpoint exploitable OS and services vulnerabilities in network and endpoint systems
  • measure end-user response to phishing, spear phishing, spam and other email threats
  • test web application security and demonstrate the consequences of web-based attacks
  • distinguish real threats from false positives to speed and simplify remediation efforts
  • configure and test the effectiveness of IPS, IDS, firewalls and other defensive infrastructure
  • confirm the security of system upgrades, modifications and patches
  • establish and maintain an audit trail of your vulnerability management practices
  • schedule tests to run automatically on a recurring basis

Sunday, July 18, 2010

Design flaw that hurts WordPress bloggers

As most of you may be aware, a couple of days ago a large number of WordPress bloggers' accounts were attacked because of a design flaw in the WordPress blogging platform. The main cause is that, by default, WP allows file permissions that let anyone read the blog's wp-config.php configuration file. The other reason is that WordPress stores the blogger's database credentials in that file in plain text.
The attack works by injecting malicious iframes into the blogs, so that readers who visit an infected blog are automatically served malware that spreads fake anti-virus software. Dark Reading reports:
"A few people got hacked last week and asked us to help," says David Dede, founder of Sucuri Security, which also uses WordPress for its own blog. "We fixed them and in one site, just after we fixed it, it got hacked again. Looking at the logs, we didn't see any access in there at all, so the attack didn't come from the Web."
This apparent security oversight allowed an ill-intentioned individual with a hosting account on the same Network Solutions server to launch attacks against his "neighbors" using automated scripts. First, he most likely identified WP blogs with a readable wp-config.php, then harvested database login details from those files, and finally used the credentials to inject malformed data into the "siteurl" database field.
To hide the content of the wp-config.php file from server neighbors, David (Sucuri Security) suggests that this file should have 750 permissions (I guess he meant 640, since the execute permission is not required). Unfortunately, this trick only works on servers with suPHP. On other servers, where the web server executes PHP scripts under its own account, this trick will completely break WordPress blogs: every page will produce the “Failed opening required ‘wp-config.php’” error.
This means that WordPress blogs on most shared servers are vulnerable to this sort of attack. It merely takes one hacked account (most shared servers have several), or even a regular account created specifically for the purpose, and the MySQL database credentials of every neighbor with a WordPress blog can be stolen. Any other database-driven web scripts that store database credentials in plain text are also vulnerable.
Some of the hacked sites contain hundreds of spammy links that are only visible if you browse with JavaScript disabled. For some reason, every link is enclosed in <noindex> tags and uses rel=”nofollow” in the <a> tag’s attributes. So what is the use, if it is neither for normal web surfers nor for search engines?
The links are followed by the networkads hidden iframes.
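A small audit script, added here as an example (it is not from the original post, Sucuri or WordPress), that checks whether a wp-config.php is readable by other accounts on the host and prints the fix that matches the suPHP versus mod_php distinction above. The PHP user name (default www-data) and the availability of GNU or BSD stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress/Sucuri):
# audit whether a wp-config.php is readable by other accounts on the host.
# Assumes GNU or BSD stat; the PHP user name is an argument (default www-data).

# Octal permission string of a file, e.g. "644".
wpconfig_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner user name of a file.
wpconfig_owner() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Succeeds (exit 0) when the "other" read bit is set, i.e. any local account
# on the server can read the database credentials stored in the file.
wpconfig_world_readable() {
  mode=$(wpconfig_mode "$1")
  other=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
  [ $(( other & 4 )) -ne 0 ]
}

# Prints a verdict and the fix that matches how PHP is executed on the host.
# Returns 0 when the file is not world-readable, 1 when it is, 2 on error.
wpconfig_audit() {
  f=$1
  php_user=${2:-www-data}
  [ -f "$f" ] || { echo "ERROR: $f not found"; return 2; }
  mode=$(wpconfig_mode "$f")
  owner=$(wpconfig_owner "$f")
  if ! wpconfig_world_readable "$f"; then
    echo "OK: $f mode $mode (owner $owner), not readable by other accounts"
    return 0
  fi
  echo "RISK: $f mode $mode (owner $owner) is readable by every account on this server"
  if [ "$owner" = "$php_user" ]; then
    # suPHP-style hosting: PHP runs as the file owner, so 600 is enough.
    echo "  fix: chmod 600 $f"
  else
    # mod_php-style hosting: the shared web-server user must keep read access,
    # so the best available is group read; 600 here breaks the site
    # ("Failed opening required 'wp-config.php'"). Other tenants' PHP scripts
    # run as the same user and can still include the file, so this is partial.
    echo "  fix: chgrp $php_user $f && chmod 640 $f  (partial mitigation only)"
  fi
  return 1
}
```

Run it as `wpconfig_audit /path/to/wp-config.php www-data`; the exit status makes it usable from a cron job that alerts when a tenant's config becomes world-readable again.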

I also found a dozen infected WordPress blogs that try to pull hidden spammy links from hxxp://alkoltashov .narod .ru/ sites.txt. The links are supposed to be displayed in a <div> located well outside the visible area, but because the Network Solutions servers are configured to disable URL file-access, those link injections fail with the following error.
Dede and other experts say the attacks suffered by WordPress could happen to almost any popular blogging platform: "It's a hard problem to fix. They need the credentials stored somewhere, and the Web server needs to be able to read it," Dede says. Joomla, MediaWiki and other platforms that are set up the same way are also vulnerable to this type of attack when the permissions on the configuration files are set incorrectly, he says.
What about the encryption option?
Encrypting the credentials isn't an option because the keys have to be stored where the Web server can read them in order to decrypt the data, he says.
It looks like it is important to store the decryption key in another file somewhere on the file system. But if a malicious user has access to the file system, as they appeared to have in this case, it is trivial to obtain the keys and decrypt the information.
Source: Unmask Parasites blog, Dark Reading

Monday, July 12, 2010

Risk associated with the auto-complete feature

Auto-complete can be very useful for someone who has a lengthy user name, complex passwords, or too many user accounts, and who switches between accounts or browsers often. It can be very frustrating to enter the same user name, password and email address again and again, so most browsers offer a handy function called auto-complete that remembers login credentials so the user does not have to type them repeatedly. From a security point of view, however, auto-complete is not secure at all. It is a security risk: anyone other than you who has access to your workstation can compromise your login credentials, including passwords, in a matter of seconds.
The AutoComplete feature in Internet Explorer, Firefox, Opera and other web browsers can save web addresses, form data, and login information such as user names and passwords. This information is entered automatically every time you visit the site again. The problem is that it is also entered automatically for anyone else who works at your computer and accesses the same sites. To protect your privacy, you must take control of when to use auto-complete and when not to, depending on the sensitivity of the information and how much you trust the security of the workstation.
Typically all web browsers and applications store the login credentials if you enable the auto-complete option, and the workstation stores the passwords in locations that are easy to access. Below is a screenshot of where Google Chrome stores passwords: go to Options, then Personal Stuff, then Saved Passwords. Select the site and click the saved-password option; the browser will then display the password.
The same applies to Mozilla, Google Chrome, Chromium, IE, Opera and Safari. For users with a heavily secured workstation and features like account lockout (10 minutes is best practice) this may not be a huge issue, but in a small office, or anywhere a user shares a workstation with others, this could be a serious social engineering problem.
So it is important for an average user to understand the security issue behind the auto-complete feature; it is best to disable it and enable it only as the need arises. Many businesses are also disabling the ability of their computers to store and remember passwords. If a site is accessed where a password is stored, it becomes very easy for a third party to investigate your online accounts and buying habits, and potentially make an online purchase under your name using your credit information.
Let's look at some of the ways to disable auto-complete in the major browsers.
Disabling auto-complete in Mozilla Firefox
  1. Select "Tools", then "Internet Options".
  2. Select the "Privacy" tab.
  3. Open the "Save form information" category.
  4. Remove the check mark from "Save information I enter in web page forms and the Search Bar".
  5. Click OK.
How to disable AutoComplete settings in Mozilla
  1. Select "Edit".
  2. Select "Preferences".
  3. Under the "Privacy & Security" category, select "Forms".
  4. Put a check mark on "Save form data from web pages when completing forms".
  5. Click OK.
Disabling auto-complete in Google Chrome
  1. Select "Options".
  2. Select "Personal stuff".
  3. Under "Personal stuff", select never save passwords.
  4. Under "Under the hood", clear browsing history.
  5. Under "Under the hood", uncheck the option "Use suggestion service to help complete the searches in the address bar" for added security.
  6. Click OK.
To disable AutoComplete (form AutoComplete and password AutoComplete) in Internet Explorer
  1. Select "Tools".
  2. Select "Internet Options".
  3. Open the "Content" tab.
  4. Under AutoComplete, click the "Settings" button.
  5. In the "AutoComplete Settings" window, select what information your browser will remember: remove the check marks from the AutoComplete options you don't need (Web Addresses, Forms, User names and passwords on forms).

Thursday, July 8, 2010

PenTBox: Pen test tool

PenTBox is a security suite that packs security and stability testing tools for networks and systems.
It is programmed in Ruby and oriented towards GNU/Linux systems, but is compatible with Windows, MacOS and every system where Ruby works. This tool is for security testing purposes; it is a helper program for IT administrators to test and improve the security and stability of networks and applications. In addition, it can be used by ordinary users for simple operations.
It is free, licensed under the GNU GPLv3.
Latest stable version: 1.3.2
- FTP fuzzing improved and finished.
- Improved CLI.
- Improved file handling.
- Now the Honeypot log has a file by default.
- Added a hping3-based mode to work in syn_dos.rb
- Added dictionary attack and dictionary-bruteforce hybrid attack in hash_cracker.rb
- Added SHA384 in digest.rb and hash_cracker.rb
- Now module integration is done with modules and classes; this improves portability and performance, but the modules can’t be executed independently.
PenTBox Contains
Cryptography tools
  • Base64 Encoder & Decoder
  • Multi-Digest (MD5, SHA1, SHA256, SHA384, SHA512)
  • Hash Password Cracker (MD5, SHA1, SHA256, SHA384, SHA512)
  • Secure Password Generator
  • Files en/decryptor Rijndael (AES) 256 bits – GOST – ARC4
Network tools
  • TCP Flood DoSer
  • TCP Flood AutoDoSer
  • Spoofed SYN Flood DoSer [nmap - hping3]
  • Port scanner
  • Honeypot
  • PenTBox Secure Instant Messaging
  • L33t Sp3@k Converter
  • Fuzzer
A video demonstration of PenTBox 1.1 Beta doing a TCP Flood DoS attack against my iPod Touch (3rd gen, 32 GB).
Developers Site: PentBox
Source: PenTBox
Source forge: Download here

Friday, July 2, 2010

Password storage location: Web browsers

Not all passwords are stored in the same location. In general, a Windows PC stores its own password file in a different location from where browsers store their password files. Here let's talk about those locations and the technical details of how the major browsers store their password files.

Google Chrome:

On a Windows machine, the Google Chrome browser stores passwords at [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data.
Google Chrome uses SQLite as the storage for passwords and other critical web page related data. Google did an appreciable job of separating the Windows-specific code from the cross-platform code. The only Windows-specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS. The important piece here is CryptProtectData, a Windows API function for encrypting data. Data encrypted with this function is pretty solid: it can only be decrypted on the same machine and by the same user that encrypted it in the first place.

Mozilla Firefox

The passwords are stored in one of the following files: signons.txt, signons2.txt or signons3.txt (depending on the Firefox version). These password files are located inside the Firefox profile folder, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.
Firefox is much better than Internet Explorer in terms of managing “remembered” logins. In Internet Explorer there is no built-in feature to manage or view your saved login information, which is why you need third-party tools to reveal the passwords hidden under asterisks. In Firefox, you can access remembered passwords with a few clicks.
To view your remembered passwords in Firefox, go to Tools and click Options. Go to the Security tab and click the Show Passwords button. A remembered-passwords dialog box appears; click the Show Passwords button again and a new column with the passwords appears.
Upon reaching the saved-password location (Tools > Options > Security > Saved Passwords), you won’t need any tools to reveal the passwords hidden under asterisks; it is a feature included in Firefox. So anyone who has access to your workstation can typically spy on your passwords by going to the Security tab in the Options dialog.
One useful tool worth sharing for Firefox password management is "FirePassword". FirePassword is a console tool designed to decrypt the user name and password list from the Firefox sign-on database. Firefox records the login details, such as user name and password, for every website authorized by the user and stores them in the sign-on database file in encrypted form. It works along the same lines as Firefox’s built-in password manager, but it can be used as an offline tool to get the user name/password information without running Firefox. It is DOS based, and the manual says that FirePassword requires only 3 files: key3.db, cert8.db and signons.txt. These 3 files can be found in the Firefox profile directory.
All you need to do is place the 3 files together with FirePassword and run FirePassword.exe. Weirdly, I am able to decrypt all my user names and passwords by copying ONLY the signons.txt file. It looks like it is not necessary to include the other 2 files.
For detailed technical explanation click here

Internet Explorer 7.0 and later (updated from version 6.0):

  • AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  • Documents and Settings\Application Data\Microsoft\Credentials is the credential file location used to save HTTP authentication passwords.
An automated tool for retrieving IE passwords, IE PassView, can be used to recover these passwords.


Opera:

The passwords are stored in a file named wand.dat, located under [Windows Profile]\Application Data\Opera\Opera\profile


Safari:

Safari stores password data via the Keychain (/Applications/Utilities/Keychain Access on Mac).
On PC, all that data is stored in plist files at: C:\Documents and Settings\(UserName)\Application Data\Apple Computer\Safari
I believe it is FormValues.plist.


Thunderbird:

The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. You should search for a filename with the .s extension.

Google Talk:

All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]

MSN Messenger version 7.x:

The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]

Windows Live Messenger version 8.x/9.x:

The passwords are stored in the Credentials file, with entry names beginning with "WindowsLive:name=". These passwords can be recovered by both the Network Password Recovery and MessenPass utilities.

Yahoo Messenger 7.5 or later:

The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager, in the "ETS" value. The data stored in the "ETS" value cannot be recovered back to the original password.