SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a junior in college, have competed in and won multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Thursday, November 27, 2014

The Future of DDoS attacks - How they will evolve to bring companies to their knees.

Hello,

I am glad to be writing once again with some theories I have been considering about the potential evolution of malware as a whole.

This post specifically concerns the use of malware, anonymous networks and attempts to automate long-term attacks against a target.

-----------------------------------------------------------------------------------------------------------------------
I will set this post up in a question-and-answer format to make it easier to explain.

Question: What will DDoS attacks of the future look like, and what will they be capable of?
Answer: As many of you are aware, malware mutates and evolves as time goes on. Some of the features and types of targeted attacks I have witnessed take little to no technical skill to accomplish. The real threat is the malware writers who view things from a long-term perspective. DDoS attacks of the future will incorporate automated, "artificial intelligence" style logic to scan a company's own IP range and find vulnerable services. These services will include fax machines, phone systems, and the online chat systems on the company's site, so that every avenue a customer could use to reach the company for help is flooded at once. The last type of DDoS attack, one that could put many small to mid-sized businesses out of business, is a spam attack against a target set of company email addresses; this spam would consist of things likely to bypass spam filters, such as email list signup confirmations.

Question: What are the methods to help mitigate the types of DDoS attack mentioned above?
Answer: This is a complicated issue, as the attacks target any means of communication a customer could use to get in contact with a company. The common and most used mitigation is simply to blackhole the targeted IP address for 24 hours, or to sign up for a DDoS protection service such as Cloudflare. Note that blackholing the victim's own address protects the rest of the network, not the victim: it completes the attacker's goal for that host. Beyond that, DDoS attacks targeting phone systems, email systems and fax systems are basically unprotected. There needs to be an evolution of defensive strategies and techniques, because the employees at each of the top companies are almost completely unprotected from many of these attacks.

Question: What services would be attacked, and how, by malware running on tens of thousands or even millions of infected machines?
Answer: I will briefly cover what would be attacked and how.
  1. Fax Machines - The attacker's malware would use its programmed logic to scan the company-owned phone numbers at a randomized interval of 6 to 12 hours. Basically it would dial every phone number, look for any and all fax machines, and save them to an internal list. Then the infected machine would move on to the next set of checks.
  2. VoIP Phone Systems - Again the malware would automatically scan the company's phone numbers, except this scan would run once a day and simply recheck which phone lines are active. Then the malware would move on to the next step.
  3. Online Chat Support Systems - The malware would need to be programmed with a database of tactics for initiating and sending messages to major companies' chat systems, and this database would need to be updatable if and when the attacker wants to add a new target. Therefore the updates would be distributed through an anonymous service like I2P or Tor. As mentioned in the swatting post, it would use a decentralized connection setup to avoid single points of failure. The malware would then move on to the last and final check.
  4. The last and final check is whether the target has been blackholed. It would measure response times and look for timeouts from dropped packets. If the target has been blackholed, the malware would perform a very fast network scan for the company's website at whatever new address it was moved to in order to escape the attack.
Now finally, in regards to the attack itself, these are the logical steps after all the checks have passed.
  Step One - Attack all detected fax machines with pure black images so that every fax machine runs out of ink or toner and is unusable for the duration. The origin of the traffic would be hidden through Tor or I2P, letting the infected machine stay behind a constantly changing web of jump points; every 15 minutes the Tor circuit would be changed to keep the attack ever changing and make it nearly impossible to block based on IP address. To bypass any attempt at detecting all-black images, the attack could shift random white areas of random sizes into the image sent to the fax. That should evade any protective measures against this attack medium.
  Step Two - Now that the infected system is actively attacking the company's fax machines, the malware would activate its next layer of attack. This would consist of loading the list of active phone lines found in the company's range of owned numbers. The malware would then place a call to each of those lines, again hiding behind Tor or I2P, and play totally random static combined with random silence. This should defeat any detectable or blockable pattern.
  Step Three - Online chat support systems. This step would query the internal database kept up to date by the earlier checks. It would then take the needed steps to initiate a support chat with the company; an advanced chatbot backend with decent AI would allow the attacker to drag the conversation out and fill up the chat support system's queues. It could also watch for things like "Support Rep. John Smith terminated the support chat" and then repeat the same process again and again, non-stop. This attack would only halt if the site became unreachable, whether from simple overload or from the IP/site being blackholed. If it was blackholed, the malware would scan the company's IP range again and look for which IP the website had been moved to. Once found, the process would begin again.
  Step Four - Spam/Email DDoS attack. This one would need to be done by the attacker directly, because it requires signing up for tens of thousands of newsletter sites, news updates, etc., which means a list of target email addresses is needed from the start. This final attack would complete the whole range of ongoing, non-stop attacks. Once all of the attacks had been launched, the company would effectively be unable to function.

Question: So, in summary, how much impact would this type of attack have against a company?
Answer: Finally, here is a short summary of how big an impact this would have against a target company. The targeted company would have to replace every fax machine's ink cartridge multiple times a day, costing tens of thousands of dollars per affected office. The company would be unable to take sales, support or billing calls, so customers would be unable to receive support and the company would lose current and potential future customers, costing tens of thousands of dollars a day or more depending on how long the attack keeps them from operating. To completely shut down a company's site, the attacker would want to consider a separate pool of machines acting like web spiders: the machines would spoof their identity to appear to be spider bots and would not repetitively query the same URL, which helps bypass detection of session attacks, traffic attacks, etc. The malware could randomize the next URL it requests, choosing from those detected on the site, to give the queries enough randomness to bypass pattern- and session-based attack detection. This attack would be aimed at the company's DNS name rather than an IP, so it follows the site even after the IP changes. The company's email system would be unable to filter all the legitimate list signups as spam, so intra-company email would be rather useless, as would intra-company calls, since the phone lines would be down as well.

The future evolution of malware will be geared towards remaining as anonymous as possible and bypassing future detection and pattern-recognition defenses against malware. It will slowly turn into a Stuxnet-like beast of a malware trend, in which the attacker need only launch the attack through an untraceable method and then never work on it again. DDoS attacks are expected to end after 24 hours; however, a non-stop, continuous set of attacks will be the future.
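The email-signup flooding described in Step Four above is one of the few pieces of this scenario a defender can actually detect today, because double-opt-in confirmation mail has a recognisable shape: many messages, in a short window, from many unrelated senders, all to one mailbox. The following Python, added here as an example and not part of the original post, runs that check over a constructed mail log. The log line format, the domain names and the thresholds are assumptions made for the example; a real deployment would parse the MTA's own log format instead.

```python
"""Detect a newsletter-signup flood ("subscription bombing") in a mail log.

Added example, not from the original post.  The log format below is a
constructed, hypothetical one; real MTA logs (Postfix, Exchange, ...) differ,
so adapt parse_line() to your source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format (constructed for this example):
#   2014-11-27T09:00:00 from=a@b.example to=c@d.example subject="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subj>[^"]*)"$'
)

# Phrases typical of double-opt-in confirmation mail.  A list-bombing run
# consists almost entirely of these, sent by many unrelated senders.
CONFIRM_WORDS = ("confirm", "verify", "welcome", "subscription", "activate")


def parse_line(line):
    """Return (timestamp, sender_domain, recipient, subject) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    domain = m["sender"].rsplit("@", 1)[-1].lower()
    return ts, domain, m["rcpt"].lower(), m["subj"].lower()


def looks_like_confirmation(subject):
    return any(w in subject for w in CONFIRM_WORDS)


def detect_signup_flood(lines, window=timedelta(minutes=10), min_msgs=20, min_domains=10):
    """Return {recipient: (count, distinct_sender_domains)} for recipients that
    received >= min_msgs confirmation-style mails from >= min_domains distinct
    sender domains inside any sliding window of `window` length.

    Requiring many distinct domains is what separates a signup flood from an
    ordinary burst from one noisy sender (which a per-sender rule would catch).
    """
    per_rcpt = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, domain, rcpt, subj = rec
        if looks_like_confirmation(subj):
            per_rcpt[rcpt].append((ts, domain))

    flagged = {}
    for rcpt, events in per_rcpt.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {d for _, d in span}
            if len(span) >= min_msgs and len(domains) >= min_domains:
                if len(span) > flagged.get(rcpt, (0, 0))[0]:
                    flagged[rcpt] = (len(span), len(domains))
    return flagged


def sample_log():
    """Constructed sample: a 30-message signup flood against support@, a
    25-message burst from ONE sender against billing@ (not a flood), and one
    ordinary message."""
    base = datetime(2014, 11, 27, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f'{ts} from=noreply@list{i:02d}.example to=support@victim.example '
                     f'subject="Please confirm your subscription"')
    for i in range(25):
        ts = (base + timedelta(seconds=5 * i)).strftime(fmt)
        lines.append(f'{ts} from=alerts@onevendor.example to=billing@victim.example '
                     f'subject="Confirm your order"')
    lines.append(f'{base.strftime(fmt)} from=alice@partner.example to=support@victim.example '
                 f'subject="Quarterly contract"')
    return lines


if __name__ == "__main__":
    for rcpt, (n, d) in detect_signup_flood(sample_log()).items():
        print(f"signup flood against {rcpt}: {n} confirmations from {d} sender domains")
```

On the constructed log only support@ is flagged; the burst against billing@ comes from a single vendor and is left to ordinary per-sender rate limiting.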

Thursday, November 20, 2014

Analysis of Swatting Methods and Potential Ways of Complicating Investigations in the Future


     Hello all, it's been a good long while since I posted any security-related ideas or analysis, and as such I felt it was time to post something new.

WARNING: I do not condone any type of malware, as it is illegal to install on any other person's system; I also do not condone placing any fake or illegitimate calls to the police in order to initiate the prank itself; finally, I do not condone anyone using any of the techniques mentioned below. This is all simply theoretical and my beliefs on how the future of such calls will be made in order to prevent prosecution of the originating caller. Please do not use either of the methods below, or the specific ideas discussed, for anything other than educational reasons. The two theories below are only a handful of the potential future methods hackers may use to abuse the protective systems of our police SWAT members.

As most of you are aware, a rather new type of commonly used prank has surfaced, called "swatting". This prank relies on 3 main factors.
  1. A target for the actual SWAT raid to be used against.
  2. A story that an emergency 911 operator can believe.
  3. Finally, the call must be made to start the process of the police actually performing the SWAT raid on the target.
What has been used thus far for many of these SWAT incidents are VoIP calling services, or burner phones that are bought with cash and then disposed of as soon as the call is made to the police station.
However, both of the methods used thus far have many issues that can result in the calls being traced back or logged to the original caller's identity.

There are many ways these systems can be logged and reviewed to determine the caller's identity, which is why these methods have led to arrests in the past. However, there are other options for how to make such calls without them being traced back to the actual caller. I will describe in detail below how a person could make these calls and remove any digital means of tracing who initiated the call.

Now it should go without saying that any use of a computer at all should be done inside an encrypted virtual machine that is deleted after any research or use of the system. Then obviously the physical drives should be wiped and the computer should never be used for any other reason. Also, though it may not seem obvious, any IPs, hardware addresses, etc. should all be spoofed. Using any identifying medium is just asking for trouble.
--------------------------------------------------------------------------------------------------------------------------

1st Theory - Using Malware to Create Degrees of Separation.

A malicious individual who wants to make the call itself seem more legitimate might want to determine the best way to go about writing malware that would allow this to take place. The language of the malware is not as important as the need to make it universal with respect to the types of machines it can affect. The potential features of such malware would include the following.

  1. A check of whether the GeoIP location of the infected machine has been registered as infected in the past. This is important to limit the targets down to only one machine per GeoIP location, which will play into creating more authentic-looking calls to police stations.
  2. The backend connection would be made through either the I2P or Tor network to allow a more anonymous and harder-to-block method of communication. The check of whether a GeoIP location had been previously infected would be made through this network in a decentralized manner. If the reply stated that a machine was already infected at that location, the malware would remove itself and take various steps to erase its digital tracks. The GeoIP lookup would be performed in a non-anonymous manner from the infected machine itself, to get the public-facing IP address location instead of the one I2P or Tor would provide.
  3. The malware would exploit a free online service such as https://www.spooftel.com/freecall/ to spoof the caller ID and originating number initially seen by 911 operators for the target police station; this would lead the police to take the caller's word with more initial belief.
  4. The malware would also need its own set of default stories to draw from, and would want a realistic text-to-speech backend from one of the many public text-to-speech libraries available.
  5. In order to be able to launch a targeted attack (a phone call to get SWAT to raid a target), the malware would need to perform a lookup every so often (at a randomized interval, to defeat pattern-recognition detection, but varying between 10 and 60 minutes to avoid excessive network traffic). The lookup would request specifically whether a target had been named yet for the end-result phone call; if it had, a secondary check would verify whether any other infected host had already placed a call to the target phone number. The lookup would also need to return the target's address to the malware, so it could be read off to the operator.
  6. The malware would then place the call, using the text-to-speech library to read out one of the pre-written stories. The malware would need to monitor the incoming audio of the VoIP call in order to recognize whether an operator had answered yet; once it detected that they had, it would read the pre-written story into the call and then hang up, as if the line had been forcibly disconnected by the target mentioned in the call.
  7. Finally, the last step would be for the malware to remove itself and any libraries or digital records that could prove it had existed on the machine in the first place.
  8. The obfuscation needed to bypass most if not all anti-malware detection would be to use encryption keyed on a unique factor of the infected machine, such as its MAC address, as the encryption and decryption key for each section of the malware. The malware would also need to exploit types of file modification that anti-malware companies do not flag as malicious. An example would be to make changes to files using the packing software used by games and such. This would help bypass de-obfuscation techniques while also preventing the anti-virus from detecting malicious file actions. This would also make it much harder to deploy updates that could unpack the malware.
The pros of the above plan are that tracing the digital footsteps of the call origin would be nearly impossible. Also, the call would originate from or near the intended target, making it more authentic. A simple check through online distance-mapping software would be made for each infected machine before it made the call; this query would be made only if none of the infected machines had the same origin city/state as the target. The reply would be sent only if the machine was within, say, 50 miles of the target city, or in the same city.

The cons are that, first, you would need to write malware that bypassed the available anti-virus/anti-malware services and bypassed behavior-detection techniques (running a script from the origin program can commonly confuse behavior detection), and finally a method of delivering the malware would be needed that was both very public and apparently trustworthy. Also, infecting tens of thousands of machines with unique GeoIP locations could take a very long time. The person making the call would need to worry about their malware being detected, as well as how to communicate with the malware anonymously to initiate the attack in the first place.
--------------------------------------------------------------------------------------------------------------------------
2nd Theory - Using Mobile Technology as an Asset.

Now this theory would be harder to implement in both a reliable and hard-to-trace manner. The requirements for this second theory are the following.

  1. The malicious caller would need to purchase phones for cash in a much harder-to-track manner. The idea would be to travel out of state and purchase a burner phone for cash in a retail environment. The perfect time to do this would be during the winter, as you have an excuse for wearing a jacket or coat that helps hide your physical identity.
  2. The burner phone would need to stay off until the call is to be made against the target. This is to prevent any records of where and when the phone connected to the network prior to the call.
  3. The call should also be made from a location with little to no cameras, and it would probably be better made very early in the morning, say 4-5am, which gives SWAT time to prepare for the raid of the target.
  4. The caller should not use their own voice, or even their own voice with a voice changer. Again, relying on text-to-speech software would help eliminate being traced through your voice.
  5. All of this combined would mean you are not recognized through your voice, your number, or your physical appearance when the phone was purchased. This would eliminate nearly every method of tracing the original caller.
The pros of this method are that the resources required to implement it are very limited, and by eliminating all the identifying factors it should be nearly impossible to trace back to the origin.

The cons are that you would need to wait an extended amount of time after purchasing the phone before placing the calls. In the above example, waiting 4-6 months or even a year might be best, to outlast the video/audio records of in-store cameras and witness memories of who actually bought the phone. If the call was made shortly after purchasing the phone, people may still remember who bought it and when, since it was a short time before they were questioned.

Wednesday, June 26, 2013

Securing Your Digital Life and Right to Privacy - A Forensic and Security Methodology

Hello,
     As you are all aware, it has been known for about the last 10 years that the NSA, CIA and other intelligence agencies, both domestic in the USA and foreign, have increased their surveillance of communications and increasingly stepped on the right to privacy of individual citizens. I am writing this as advice on how to eliminate most methods of monitoring, tampering, forensic evidence gathering or liability from an individual's standpoint. I should note that some basic security knowledge, or the willingness to learn the information below, is somewhat of a requirement.

1) Encrypting Your Data to Prevent Forensic Evidence or Data/Identity Theft.
      a) If you have a smartphone, which most people these days do, then I recommend the following. Go to the Settings application on your Android or iPhone and scroll down to the security/screen-locking section. Open it and go to the screen-lock setting at the top; most likely you set a PIN or screen pattern as your unlock method. Change this to a password; Android allows a password of up to 16 characters. Set a password you'll remember with at least 1 uppercase letter, 1 special character, 1-3 digits, and lowercase letters for the rest. An example of this would be SourceAvenger999* (do not use that exact string: any published example ends up in attacker wordlists). This will make brute-force, dictionary and hybrid attacks most likely unsuccessful at decrypting your device. Now go back to the security section of Settings and select "Encryption" (or "Data Encryption"); there you'll find options to encrypt the phone and the memory card. I recommend encrypting both, so that no unencrypted data is present.
      b) Encrypt your internal hard drive, external hard drives and flash drives. I recommend TrueCrypt or DiskCryptor. Cascading algorithms (for example AES-Twofish or AES-Serpent) adds a margin against a break in any single cipher, at some cost in throughput. Make sure to encrypt the entire drive, so that no unencrypted data is left behind.
      c) Encrypt your phone calls. I recommend applications like RedPhone, which encrypt the call so that people monitoring calls via the carrier or cell-tower interception vehicles cannot get at the content of your conversations.
      d) Encrypt your text messages. I recommend programs like TextSecure that do end-to-end encryption and identity validation. Make sure your application also stores the texts encrypted on the device.
      e) Encrypt your instant messaging conversations. I recommend Pidgin with the OTR (Off-the-Record) plugin, which lets you chat with friends and family over a secure medium; anyone monitoring the connection with MITM techniques cannot see the content of your messages. There is also a Skype plugin for Pidgin that allows encrypted Skype conversations. OTR works with most chat protocols (AIM, MSN, Facebook, Google Talk, etc.).
      f) Encrypt your email. I recommend the Enigmail plugin together with GnuPG, which manages your keys. Enigmail integrates into Thunderbird, allowing you to encrypt and sign messages, and to verify that messages were not altered in transit and were encrypted by your intended contact.
      g) Use a VPN for most of your online activities to keep your ISP from seeing what you do and to block MITM attempts by intelligence agencies and the like. Use OpenVPN with AES-256 to prevent monitoring or decryption of your traffic. This also adds a layer of anonymity to your internet activities, with the caveat that the VPN provider now sees what your ISP no longer can, so it has to be trusted.

2) Securing Your Passwords Against Most Attack Methods
      a) Use a service like LastPass or AI RoboForm that securely encrypts and stores your usernames and passwords for websites. For LastPass I recommend a 40+ character passphrase with uppercase, lowercase, numbers, special characters such as *, and a space between each word. Raise the password-iterations setting to at least 10,000 to slow down attackers who try to break your LastPass password hash if it were ever to be stolen.
      b) Use the secure password generator included with the service. For whatever site you are registering with, generate the maximum-length password the site allows (generally 32 characters) with uppercase, lowercase, digits and special characters. Generate a new one for each site; this ensures that if one of your sites is hacked the rest are not.
      c) Never share your password with ANYONE. Sending your password to anyone should only ever be considered in dire emergencies, as whoever you send the password to has full control over the account you gave them access to.
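To make section 2 concrete, here is an added example (not from the original post) in Python that does what a password manager's generator does: it produces a maximum-length random password that contains every character class, computes the entropy of such passwords and of a word-based master passphrase, and shows how the iteration count of a password-based key derivation function multiplies an attacker's cost. PBKDF2-HMAC-SHA256 is used as a stand-in for whatever KDF a given manager uses; that is an assumption for the example, not a description of LastPass internals, and the 7776-word dictionary size is simply the size of the Diceware list.

```python
"""Password generation, entropy and KDF cost.  Added example, not from the
original post; PBKDF2-HMAC-SHA256 is an assumed stand-in for a password
manager's real KDF."""
import hashlib
import math
import os
import secrets
import string

# 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + string.punctuation


def generate_password(length=32):
    """Uniformly random password of `length` chars from ALPHABET, resampled
    until it contains at least one uppercase, lowercase, digit and punctuation
    character (the class rule sites usually enforce)."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, dictionary_size=7776):
    """Entropy of a passphrase of random words: what matters is the number of
    words and the dictionary size, not the character length.  7776 is the
    Diceware list size (an assumption for the example)."""
    return word_count * math.log2(dictionary_size)


def new_salt():
    return os.urandom(16)


def derive_master_key(passphrase, salt, iterations):
    """Stretch a master passphrase into a 256-bit key.  Every candidate the
    attacker tries costs them the same `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def guesses_per_second_after_kdf(raw_hmacs_per_second, iterations):
    """Attacker throughput drops linearly with the iteration count."""
    return raw_hmacs_per_second / iterations


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print(f"6 Diceware words: {passphrase_entropy_bits(6):.1f} bits")
    salt = new_salt()
    for iters in (5000, 10000, 100000):
        derive_master_key("correct horse battery staple", salt, iters)
        print(f"{iters:>7} iterations -> {guesses_per_second_after_kdf(1e9, iters):.0f} guesses/s "
              "for an attacker doing 1e9 HMAC/s")
```

The numbers the script prints make the two points of section 2 explicit: a 32-character password from a 94-symbol alphabet is about 210 bits and is not what attackers will go after; the master passphrase is, and each doubling of the iteration count halves how many of them they can test per second.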

3) Practice Secure Computer Habits
      a) Don't click random links people send you, especially if they do not look like something from a known safe site such as Facebook, Gmail, etc. Sites like tinyurl and bit.ly "shorten" links, which makes it impossible to know where a link will land you without special extensions to "unshorten" it or actually following it. That is why following links, even ones sent by friends, can be dangerous.
      b) Have an up-to-date anti-virus product on your machine; I recommend Avira, Avast or Kaspersky. To make it even more secure, in the "expert" settings of the anti-virus set heuristics to a high detection level, scan all file types, scan archives, scan files when written/read, and scan for rootkits/memory threats. All of these settings need to be enabled to maximize your security. Avira also has the option to flag joke programs and "unusual runtime compression" as possible threats, which can save you sometimes.
      c) Use a behavior-detection-based firewall such as Comodo Internet Security. Set the configuration to Proactive Mode. Under HIPS configuration, select Paranoid Mode for monitoring and, under monitoring settings, make sure all options are checked. Select "Put popup windows into verbose mode", enable adaptive mode and enable enhanced protection mode. Under firewall settings: set the mode to Safe Mode, enable anti-ARP-spoofing, enable "Do protocol analysis", filter IPv6 traffic, and filter loopback traffic.
      d) Don't download and execute programs that you aren't sure are safe. If you're unsure whether they are safe, run them in a virtual machine, the Comodo sandbox or an online sandboxing service.
      e) Routinely check for unknown programs or network activity on your machine, as often as you believe necessary. I normally monitor my processes, network activity and so on live while I'm using the machine.
      f) If all else fails and you get hacked or hit by malware, try to recover the damage with the many tools available online, such as Malwarebytes Anti-Malware, SUPERAntiSpyware, Spybot Search & Destroy, Malwarebytes Anti-Rootkit, etc. If you run all those programs and the malware is still active and resists termination, back up your data and wipe the machine. Unless the malware has embedded itself in your motherboard's BIOS, you shouldn't have any issues erasing it and starting over fresh.
      g) Disable autorun for flash drives, CDs, DVDs, etc.
      h) Use Avira to lock your hosts file against changes.
      i) Use SpywareBlaster to "immunize" your browser against known malware sites and cookies.
      j) Turn off your computer when you leave your house, and if anyone ever knocks on the door, be prepared to power down the machine and your phone. This ensures minimum forensic evidence is available. Cold-boot attacks are degraded because the machine is already powered down: the attacker would have to open the case, chill the RAM and move it to another machine before its contents decay, and by then the odds are that most if not all of the data in memory is gone. The phone being off likewise ensures the decryption password is not sitting in live memory to be plucked out.
Note: By no means is this a complete and perfect guide to securing everything, but I do believe it to be a really good start for most people. The ideas and methods I recommend should prevent forensic analysis by thieves, warrantless raids, wiretapping, or other methods of monitoring or gathering intelligence. In theory all of these methods, if implemented correctly, could eliminate any forensic evidence or personal information being stolen or monitored. This should also bypass most ISP and government throttling techniques as well as most censorship methods. Lastly, this should guarantee you your right to privacy as outlined in the Bill of Rights, which has so often been trampled on by the NSA, CIA, etc.

P.S. There are other things you can do to further increase security, such as hidden TrueCrypt volumes, encrypted virtual machines, using I2P or Tor for more degrees of separation, etc. As I said above, this is by no means a complete and perfect set of methods to protect you, but it's a great starting point to go forward from.

From a forensics standpoint, here's what would happen if federal agents knock on or bust down your door: you power off the machine by holding in the power button and at the same time power down your phone. By the time they get across the room to arrest you or seize your electronics, the machines are off and the decryption passwords are no longer in RAM. This goes for the phone and the computer. As for decrypting the hard drives forensically, breaking a 40+ character passphrase that uses all character classes, with cascaded encryption algorithms, is going to be near impossible. The judge cannot prove you remember the decryption password; who knows how many weeks or months pass in which you aren't using it anymore, so it can be forgotten. The judge cannot pry into your thoughts to verify the authenticity of your statements, and lie detectors can be fooled, so honestly speaking the forensics lab would have images of your hard drives, flash drives, etc. and no way to prove what is on them; the ISP has no logs of your internet activity, and most VPNs do not log the majority of internet traffic. Therefore there is no direct proof you played any part in whatever you are being accused of, and not really any circumstantial evidence either. Also, forensically speaking, if your house is raided while you are gone and your machines are off, there isn't even a chance your decryption passwords are stored in RAM, so the hard drive images, flash drive images, etc. are useless. And if you are coming home and 15 cop cars are there, I think it's a safe bet to turn your phone off before asking them why they're there, so again no RAM can be accessed for passwords.

 From a security standpoint, these methods can be beaten by hardware keyloggers, software keyloggers, cameras monitoring computer use, etc., but if you practice all the good computer habits then you shouldn't need to worry. Always be aware of how your actions could be perceived by those around you, and never openly give away information if it's not needed. Always be aware of possible threats and vulnerabilities to your right to privacy.

Wednesday, October 5, 2011

Louisville Info Sec ISSA NetKofTH Write Up

Hello,
As some of you may know, I competed in the NetKofTH (Network King of the Hill) last year. But this year I had a better coordinated and better planned-out strategy for the day's gameplay during this competition. So without further ado, here is my write-up.

I have to give props to Adrian Crenshaw for an amazing competition setup once again; I truly enjoyed the setup of this year's network and cannot wait until next year's competition. I would also like to thank my competitors; without you this competition wouldn't be nearly as exciting each year! Okay, enough with the thanks, time to get down to business.

The competition started out rather slowly; for the first hour or two people were just scanning the boxes and trying to determine what exploits could be used to get root access to the machines on the network. My laptop had been repaired 3 weeks before this for a broken power adapter, and the adapter died again, so my computer was out of commission. We only had the laptop of Brandon Grindotti, my teammate and Vice President of The Computer Security Group of IUS. So I immediately booted BackTrack on his laptop and started hacking away at the machines on the network.

Joshua Atkins, the Treasurer of our student group, used his laptop to search for information and exploits for the machines on the network. Brandon had managed to get us an empty room very close to the NetKofTH competition, and Josh and Brandon kept swapping turns finding exploits and information for me while I was using BackTrack to hack the machines.

I managed to get a meterpreter shell on the Windows box using the ms08_netapi exploit to hack the msrpc service on the machine. I migrated the meterpreter session immediately to a critical system process that, if shut down, restarts the computer, thus preventing it from being easily killed by an opposing competitor. I then added multiple users and changed the password for the user I had hacked on the Windows machine.

I got a Linux box through the vulnerable Samba version. The same exploit that had worked last year worked this year for the Linux box. I did a lot of the same things to the Linux box as the Windows box. I then started to work on hacking the other boxes. Josh was checking the status of our pages and we noticed Hackercon had gotten into one of our boxes. I was then stuck killing their process and replacing the website file for about the next hour or two, till finally they reset it a few times, changed the root password and killed the vulnerable services and unrecognized services.

They started to gain on us, and an hour before the competition was over they passed us in points. They got about 50 points ahead of us, and 15 minutes before the competition was over I finally decided to pull our last resort, the one team UKY had won with last year. To test if it was working I ARP spoofed the router that was being scored to see if we would receive a point for it.

Lo and behold, the scoring box gave us a point for the router because of our local Apache server. So at that point I opened 7 more tabs and ARP spoofed the remaining scored machines. In the period of 15 minutes we gained 120 points and got almost 100 points ahead of Hackercon before Adrian ended the competition and put static ARP in place. His message was "I put static arp :)!!!!". But it was definitely exciting. Next year we will have even more tricks to pull because we're already coming up with new ways to win it :). I LOVED competing this year; it was so high energy and fast paced, it was amazing. I hope to see you all next year in a competition :).
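The scoring box trusted whatever ARP replies it received, which is why static ARP ended the trick. As an added example (not code from this post or the competition), here is the detection side a scorer or blue team could run over sniffed ARP replies: any IP claimed by more than one MAC, or disagreeing with a static table, is flagged. The log format and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample: ARP replies as a sniffer might log them ("time ip mac").
# The third line claims 10.0.0.1 from a different MAC, which is what a
# spoofed reply hijacking a scored host's address looks like on the wire.
SAMPLE_ARP_LOG = """\
12:00:01 10.0.0.1 00:11:22:33:44:01
12:00:02 10.0.0.2 00:11:22:33:44:02
12:00:05 10.0.0.1 DE:AD:BE:EF:00:01
12:00:06 10.0.0.3 00:11:22:33:44:03
12:00:07 10.0.0.3 00:11:22:33:44:03
"""


def parse_arp_log(text):
    """Yield (time, ip, mac) tuples from the constructed log format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower()


def detect_arp_conflicts(text, trusted=None):
    """Return {ip: [macs seen, in order]} for every IP that looks spoofed.

    An IP is flagged when more than one MAC claimed it, or when `trusted`
    (a static IP->MAC table, the mitigation used at the end of the game)
    is given and any observed MAC disagrees with it."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = defaultdict(list)
    for _, ip, mac in parse_arp_log(text):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    conflicts = {ip: macs for ip, macs in seen.items() if len(macs) > 1}
    for ip, macs in seen.items():
        if ip in trusted and any(m != trusted[ip] for m in macs):
            conflicts[ip] = macs
    return conflicts


if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP_LOG).items():
        print("possible ARP spoof: %s claimed by %s" % (ip, ", ".join(macs)))
```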

Tuesday, August 16, 2011

Default Password Policies and Their Failure to Secure Clients

Hello,
I have been doing some research into the effectiveness of default password policies and the protection they offer their clients. An example I can give is a password that incorporates parts of the connection owner's name and serial numbers from some hardware being used for the actual connection to their internet. You don't need to social engineer the network owners to narrow down the possibilities. In fact, in most cases a simple word list and a good GPU are enough to thwart the security efforts of the company in question.

The problem with using names as part of the default password policy of your company is that there is a very narrow range of options for the attacker to go through to break the password. An attacker need only visit the Census website and download the list of 88,000 last names. This list is already organized from the most common names to the least common. This makes it much easier to increase the speed and effectiveness of a wordlist-based attack on the passwords of a client. The password policy for companies needs to be more abstract to make brute force and word list attacks infeasible. Relying on the encryption protocol to be slow enough to thwart brute forcing is not an effective security strategy.

Another note is that if a client is broadcasting the default name for a device, then you can rest assured that under most circumstances the following facts will be true. 1) The person most likely is not tech savvy enough to change the settings themselves, or was just too lazy to. 2) The default password will most likely be used. 3) The client will most likely not be able to recognize that an intrusion of some sort has occurred.

Some effective means of thwarting these attack vectors would be to incorporate the following. 1) Make the default password policy more secure (upper case letters, numbers, lower case letters, and symbols). 2) The password must be a minimum of 12-14 characters to make brute forcing an almost impossible task. 3) Educate your clients on why it is important to customize the password to something different than the default policy.
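To put numbers on the argument above, here is an added example (my own code, not from this post) that sizes the search space of a "last name + serial digits" default against a random 12-character one, and checks a candidate default password against the three rules listed. The 88,000-surname list is the post's figure; the guesses-per-second rate and the sample owner data are constructed assumptions.

```python
import math
import re
import secrets
import string
# Added example, not the post's code. The surname-list size comes from the
# post; the cracking rate is a constructed assumption used only for sizing.
CENSUS_LAST_NAMES = 88_000
GUESSES_PER_SECOND = 1e9   # hypothetical GPU wordlist/brute-force throughput

def keyspace_bits(candidates):
    """Bits of entropy for a secret drawn uniformly from `candidates` options."""
    return math.log2(candidates)

def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / rate

def name_plus_serial_space(serial_digits=4):
    """Search space of a 'last name + N digits of a serial' default password."""
    return CENSUS_LAST_NAMES * 10 ** serial_digits

def random_password_space(length=12, alphabet_size=94):
    """Search space of a uniformly random password over printable ASCII."""
    return alphabet_size ** length

def policy_violations(password, owner_fields=(), min_len=12):
    """List the post's rules a candidate default breaks (empty list = passes):
    12+ chars, upper, lower, digit, symbol, no 4+ char fragment of owner data."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d" % min_len)
    for label, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append("no " + label)
    lowered = password.lower()
    for field in owner_fields:   # e.g. last name, hardware serial, account number
        f = field.lower()
        if any(f[i:i + 4] in lowered for i in range(len(f) - 3)):
            problems.append("contains fragment of '%s'" % field)
    return problems

def generate_default(length=14):
    """Random default over the full printable set that satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, min_len=length):
            return candidate
```

At the assumed rate the name-plus-four-digits space (under 30 bits) is exhausted in under a second, while the random 12-character space is over 78 bits.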

Another important factor is, for example, WiFi networks. If your company has a default policy for the WiFi network name, it shouldn't include any identifying information that links it to a real-life owner of the account. The broadcasting of a default WiFi network name, for example, is a major target for an attacker. The attacker knows that one of the aforementioned vulnerabilities will most likely be in place. Also, broadcasting something as important as the last 4 digits of the account holder of the WiFi network is a dangerous thing to be doing. This should NEVER be an occurrence. Anyone within WiFi range can exploit the publicity of those numbers to their own gain, especially if they can manage to get into the personal network of the vulnerable client in question.

So all in all, passwords have developed much needed complexity as time has progressed, but the security standards of corporations are still way too lax. We cannot allow clients to be vulnerable to attack for the sole purpose of the company not being inconvenienced for even the smallest amount of time. Improving the security standards of your corporation is a must, or you will see a major public failure that will destroy your reputation as a good company to go through.

Friday, November 12, 2010

Email Scraping, Removing Anti-OCR Protections, and Fixing These Problems

Okay, I am going to just jump right in. There was a certain website which shall remain nameless. This website had a weakness in its function to search for people who were a part of the website. The vulnerability was that there was a folder containing all the previous 9000+ email address images (with multi-colored anti-OCR protections) which had been loaded in the people searcher. Now the thing is, I didn't really know there were that many till I had a program count them; there were around 8500, but it kept increasing until they were all reset a day or two later and then new ones started appearing.

Okay, anti-OCR mechanisms that use a color different from the color of the text (aka black) PHAIL. There is a huge reason why: first of all, someone can EASILY go in and remove any colors other than white and black, turning each such pixel white and effectively removing all those protections. Secondly, using a common font for the images also phails. A better option would be to have the software that generates the image randomize between 3-5 fonts which are different enough to throw off OCR programs. aspriseOCR is highly recommended; if you know Java it's VERY easy to implement and extremely accurate. The final step in this OCR process is to read out ALL the images' text into a text file, and then you have a list of thousands of email addresses. Remember, do not use this information for malicious purposes.

I also found a second vulnerability: searching for the last part of the email in the page finder application on this site allowed you to list something like 15,000 email addresses in plain text along with the name of the person who owns it and the link to their personal homepage. This being the case, a program could easily be created to capture only the email, name, homepage name, and homepage link and tie all of that information together, possibly even in a database.

Finally, the folder that listed all the images was served by an Apache version of 1.3.3.1, which is over 5 years old and vulnerable to multiple attacks (just Google exploit-db and search on the site for that Apache version). Anyway, you get my point: a server hosting this set of images most likely stores other private information which should not be released.

Anyway, I would like to state that I have talked with the security staff of this website and they informed me they have/will soon fix these bugs so no one else who is more malicious will exploit said vulnerabilities. Hope you guys enjoyed this read. I will be attaching the example source code (which works) on how to remove anti-OCR protection; it also implements aspriseOCR, which is not free, but if you use an autoclick program you can have it automatically click the nag window so it will actually go through your images and output the text from them.

Source code in Java - http://www.mediafire.com/file/j1bxwdl7f880j8b/OcrSourceCode7z

===============================Disclaimer============================================
I would like to state that at no time will I disclose at what party this vulnerability (set of vulnerabilities) was found. I wish to keep the party's details anonymous due to the unknown effects that could happen if I were to release the party's information. Also, everything I am discussing here should ONLY be done for educational purposes to study such possibilities. Do not, and I repeat, do not use any of this for malicious purposes.

Saturday, October 9, 2010

Windows Updates via the Command Line - The easy way

There have been many ways to try and update Windows from the command line, all of which range from medium difficulty to very difficult. Now it appears there is a free solution to install these updates via the command line, all from one pre-coded program.

WUInstall allows you to run this program from a command prompt, letting you update Windows without needing a GUI environment. This tool could be very useful to those who have to update a box remotely. For example, in a CTF event you could download and install the updates via the command line to help you lock down the box from access by anyone else.
The command to update via the command line is WuInstall.exe /install
It's that simple; after the command it will automatically download and install all the Windows security updates!!
I am going to post a link at the bottom of this post I hope it helps you out!
http://www.wuinstall.com/